LLAKEP: A Low-Latency Authentication and Key Exchange Protocol for Energy Internet of Things in the Metaverse Era

Abstract

The authenticated key exchange (AKE) protocol can ensure secure communication between a client and a server in the electricity transaction of the Energy Internet of things (EIoT). Park proposed a two-factor authentication protocol 2PAKEP, whose computational burden of authentication is evenly shared by both sides. However, the computing capability of the client device is weaker than that of the server. Therefore, based on 2PAKEP, we propose an authentication protocol that transfers computational tasks from the client to the server. The client has fewer computing tasks in this protocol than the server, and the overall latency will be greatly reduced. Furthermore, the security of the proposed protocol is analyzed by using the ROR model and GNY logic. We verify the low-latency advantage of the proposed protocol through various comparative experiments and use it for EIoT electricity transaction systems in a Metaverse scenario.

1. Introduction

Authentication schemes in the traditional Energy Internet of Things (EIoT) are generally implemented with the help of Public Key Infrastructure (PKI). To simplify the management of public-key certificates, Shamir [1] introduced the identity-based cryptography scheme (IBC). This scheme directly uses the identity to generate the public key, without certificates or public key directories.

ID-based single-factor authentication scheme is not secure [2]. Attackers can compromise this scheme by dictionary attacks [3], rainbow tables [4], or social engineering techniques [5].

Thus, researchers have proposed two-factor authentication (2FA) [6,7], which combines representative data (ID/password) with personal possession factors (i.e., smart cards or mobile phones) to provide stronger security protection.

When ID-based 2FA authentication scheme is applied in EIoT, latency becomes an issue that has not been well studied [8,9]. Especially when electricity transactions based on EIoT are realized in Metaverse in the near future, high latency will affect the validity of data information (i.e., payment information data) [10]. Therefore, compared with the traditional payment systems, the EIoT payment systems in the Metaverse should meet higher requirements regarding the latency [11].

At present, the Metaverse devices are typically virtual helmets and smart glasses. A two-factor authentication protocol using smart cards (security chips that are embeded in these devices) can enhance the security of the protocol. In related work, we found that 2PAKEP is more secure than previous protocols [12,13,14,15,16]. In order to satisfy the requirement of low latency in EIoT (or future EIoT in Metaverse), we propose a low-latency ID-based two-factor authentication protocol LLAKEP. Our main contributions are summarized below.

• A low-latency ID-based two-factor authentication protocol LLAKEP has been proposed. In the case of unbalanced computing capability between the two parties of the protocol, LLAKEP reduces the computational burden on one side. Compared with 2PAKEP [17], experimental results show that LLAKEP requires less computation time and less running time;
• The security of LLAKEP is analyzed by using the ROR (Real-or-Random) model and GNY (Gong–Needham–Yahalom) logic. Analysis results show that LLAKEP achieves the security goals of an AKE protocol;
• A use case has been implemented. We applied LLAKEP to EIoT electricity transaction systems in a Metaverse scenario. Results show that LLAKEP will effectively reduce latency.

The rest of this paper is organized as follows. Section 2 reviews the related work. Section 3 introduces the soultion methodology. Section 4 introduces the preliminaries. Section 5 proposes the LLAKEP. In Section 6, the security of the LLAKEP is analyzed. The experiment results of LLAKEP are shown in Section 7. Finally, a conclusion is summarized in Section 8.

2. Related Work

Das [12] designed an ID-based authentication protocol (the D protocol) using bilinear pairings. However, the D protocol is subject to forgery attacks [18]. Many improved protocols have been proposed based on D protocol [13,14,15,16,17].

Table 1. Comparison of the characteristics, limitations, and disadvantages of different protocols.

Protocol	Characteristics	Limitations and Disadvantages
D protocol [12]	Based on pairing and smart card	Not resistant to forgery attacks
YC protocol [13]	Based on identity	Prone to simulated attacks Cannot provide perfect forward security
YY protocol [14]	An improved ID-based mobile device key authentication scheme based on elliptic curves	Cannot provide perfect forward security
HDB protocol [15]	A key agreement remote mutual authentication protocol based on identity	Unable to resist impersonation attacks and unknown key sharing attacks
QC protocol [16]	Based on elliptic curves in mobile environments	Not resistant to impersonated user attacks, password changes, insider attacks, and offline password guessing attacks
2PAKEP [17]	Two-factor authentication, based on identity	Not efficient
LLAKEP	A low-latency ID-based two-factor authentication protocol	∖

lists the characteristics, limitations, and disadvantages of different protocols.

Because of the inefficiency of bilinear pairing cryptography, researchers have proposed many ID-based authentication protocols using scalar multiplication. Yang and Chang [13] proposed an authentication protocol based on ID (the YC protocol) in 2009. However, Yoon and Yoo [14] found that the YC protocol [13] is prone to simulated attacks. In addition, the YC protocol cannot provide perfect forward security. Therefore, an improved ID-based protocol (the YY protocol) is proposed by Yoon and Yoo. The YY protocol can eliminate the defects of the YC protocol [13]. However, the YY protocol cannot provide perfect forward security. In 2012, He [15] proposed a protocol (the HDB protocol). The HDB protocol can guarantee perfect forward security. However, in 2013, Chou [19] showed that the HDB protocol [15] has defects concerning the private key verification process, and legitimate users cannot confirm whether the private key of the other party is correct. Thus, two improved security protocols (the C1 protocol, and the C2 protocol) were proposed. In 2015, Yang [20] proved that the HDB protocol [15] cannot resist simulation attacks and unknown key sharing attacks, and then Yang proposed an improved ID-based authentication key exchange protocol (the Y protocol).

However, there are some defects in the above-mentioned ID-based authenticated protocols. Their protocols have issues concerning clock synchronization and user anonymity [16]. To solve the issues, Qi and Chen [16] proposed an ID-based two-factor mutual authentication protocol with smart cards (the QC protocol). Qi and Chen claim the QC protocol is resistant to many attacks. However, in 2018, Park [17] proved that the QC protocol is not resistant to simulated user attacks, password change attacks, insider attacks, and offline password guessing attacks. Thus, Park [17] proposed an improved protocol 2PAKEP and proved that it could solve these security issues. LLAKEP uses an improved algorithm to reduce the latency of 2PAKEP. In addition, LLAKEP uses a security chip.

At present, smart cards are widely used in medical, educational, and other scenarios [21,22,23]. Using smart cards as an authentication factor can improve the security of system authentication. The most widely used smart cards in payment systems are mainly microprocessor chips. In addition, the Trustzone [24,25] is included in the microprocessor chip, which provides security features for smart wearable devices [26].

3. Solution Methodology

3.1. Research Methods

We research the low latency algorithms based on 2PAKEP. Meanwhile, we use security analysis and performance analysis to verify the advantages of LLAKEP.

3.2. Security Analysis Methods

First, we prove the security of LLAKEP in the ROR model. Second, we use GNY logic to prove the security of LLAKEP. Finally, we verify the security of the protocol using Prolog.

3.3. Performance Analysis Methods

We use a Raspberry Pi and a laptop to simulate two communication parties. The protocol is implemented in Python. The running time and computation time of LLAKEP and other protocols are compared by experiments.

4. Preliminaries

The system model, ROR model, and computational assumptions are introduced in this section.

4.1. System Model

In the EIoT, LLAKEP can be used to secure the key agreement for the communication of electricity transactions. A specific example is shown in Figure 1, where the electric bike rider is ready to swap his battery, and their device (smart glasses) and the battery swap station will establish a secure link through LLAKEP. The communication of transaction information, such as battery types and payment information, can then be encrypted through the session key. One thing to note is that the smart glasses in the example are the user’s Metaverse interface, which implies that a "gap" in computing capabilities exists between the two ends of these common communication devices. More specifically, the smart glasses with a microprocessor have weaker computing capabilities than the battery swap station.

Before the electric bike rider uses the smart glasses to enter the Metaverse for electricity transactions, some user information needs to be stored in the memory of the smart glasses in the initial stage. Assuming that the electric bike rider has obtained a registered microprocessor chip, and has a password, and the microprocessor chip is equipped in the user’s smart glass, then, as an initiator, the smart glasses authenticate with an energy device.

4.2. ROR Model

Abdalla, Fouque, and Pointcheval initially proposed the ROR model for password-based key exchange [27]. One of its significant features is that the attacker no longer has a Reveal query compared with the BPR model [28], but instead performs a simulation of a compromise caused by the misuse of a session key via the uniform Test query. This Test query can be called multiple times. Furthermore, the ROR model has been proved to be stronger than the BPR security model [27].

We introduce the primary components associated with the ROR model below.

Participants and instances. Let oracles ${\mathsf{\Pi }}_{EBR}^t$ and ${\mathsf{\Pi }}_{BSS}^s$ be the instances t and s of participants $EBR$ and $BSS$ running protocol $\mathsf{\Pi }$, respectively.

Instance state.${\mathsf{\Pi }}_{EBR}^t$ will be in the accepted state if it has received the final message according the protocol $\mathsf{\Pi }$. The session identification $sid$ of ${\mathsf{\Pi }}_{EBR}^t$ is the cocatenation of exchanged messages in the session.

Partnering. We say that ${\mathsf{\Pi }}_{EBR}^t$ and ${\mathsf{\Pi }}_{BSS}^s$ are the partners if the following two conditions are satisfied: (1) both ${\mathsf{\Pi }}_{EBR}^t$ and ${\mathsf{\Pi }}_{BSS}^s$ are in the accepted state, (2) ${\mathsf{\Pi }}_{EBR}^t$ and ${\mathsf{\Pi }}_{BSS}^s$ have the same $sid$ and mutually authenticated each other.

Freshness. If the session key $SK$ of ${\mathsf{\Pi }}_{EBR}^t$ and ${\mathsf{\Pi }}_{BSS}^s$ is not compromised by a reveal query or $EMD/EMC$ query defined below, we say ${\mathsf{\Pi }}_{EBR}^t$ and ${\mathsf{\Pi }}_{BSS}^s$ are fresh.

Adversary. An active adversary $\mathcal{A}$ may intercept, delete, modify, or inject the messages over public channels by the given queries:

• $Execute({\mathsf{\Pi }}_{EBR}^t,{\mathsf{\Pi }}_{BSS}^s):$ This query models the eavesdropping attack that permits $\mathcal{A}$ to learn the messages exchanged between $EBR$ and $BSS$.
• $Send({\mathsf{\Pi }}_{EBR}^t,Msg):$ This query models the active attack that permits $\mathcal{A}$ to transmit a message $Msg$ to a participant’s instance ${\mathsf{\Pi }}_{EBR}^t$.
• $EMD/EMC\left({\mathsf{\Pi }}_{EBR}^t\right):$ This query models another active attack that permits $\mathcal{A}$ to extract all the sensitive secret parameters stored in a mobile device ($EMD\left({\mathsf{\Pi }}_{EBR}^t\right)$) or microprocessor chip ($EMC\left({\mathsf{\Pi }}_{EBR}^t\right)$).
• $Test\left({\mathsf{\Pi }}_{EBR}^t\right):$ Before the game starts, an unbiased coin b is flipped. If ${\mathsf{\Pi }}_{EBR}^t$ is fresh, this query returns the real session key $SK$ if $b=1$, or a random key in the key space of $\mathsf{\Pi }$ if $b=0$; otherwise, if ${\mathsf{\Pi }}_{EBR}^t$ is not fresh, this query returns the invalid symbol ⊥.

We restrict $\mathcal{A}$ to access a limited number of $EMD/EMC\left({\mathsf{\Pi }}_{EBR}^t\right)$ queries in a formal security analysis. At the same time, $\mathcal{A}$ is permitted to access an infinite number of $Test\left({\mathsf{\Pi }}_{EBR}^t\right)$ queries.

Semantic security. Let $\mathcal{A}$’s guesse be $b^{\prime }$, and $Succ$ be the winning probability in the game. A polynomial t time adversary $\mathcal{A}$’s advantage in breaking the semantic security of session key $SK$ is denoted by

$$Ad{v}_{SK}\left(t\right)=|2Pr\left[Succ\right]-1|.$$

Random oracle. We model the public one-way cryptographic hash function $h(·)$ as a random oracle ($Hash$).

4.3. Computational Assumption

We use elliptic curve cryptography because it is one of the best candidates among the existing public key cryptographic techniques. Two relevant hardness assumptions are described below.

Definition 1 

(Elliptic curve discrete logarithm problem (ECDLP)). Given an elliptic curve E over finit field $F_p$, and $P,Q\in E$, find the discrete logarithm d, such that $Q=dP$.

Definition 2 

(Elliptic curve decisional Diffie–Hellman problem (ECDDHP)). Given an elliptic curve E over finite field $F_p$, a generator P of E, and three random elements $k_{1}P,k_{2}P$, and $k_{3}P$, distinguish the triples $(k_{1}P,k_{2}P,k_{3}P)$ and $(k_{1}P,k_{2}P,k_1{k}_{2}P)$.

The ECDLP and ECDDHP are computationally hard problems when p is large.

5. The Low-Latency Protocol

In this section, we mainly introduce the process of LLAKEP. The symbols used in LLAKEP are shown in

Table 2. Symbols used in LLAKEP.

Symbol	Meaning
$EBR$	Electric bike riders
$MC$	Microprocessor chip
$BSS$	Battery swap station
$\mathcal{A}$	Adversary
$I{D}_{EBR}$	Identity of an electric bike rider $EBR$
$P{W}_{EBR}$	Password of an electric bike rider $EBR$
$s{k}_X$	Private key of X
$p{k}_X$	Public key of X
$SK$	Session key
$E/F_p$	An elliptic curve E over a prime finite field $F_p$ with p being a large prime
n	Order of base point P
$Z_n^{*}$	{1, 2, ⋯, $n-1$}
$kP$	Scalar multiplication on elliptic curves and P is a base point in $E/F_p$
$A\left|\right|B$	Concatenation operation between A and B
$A\oplus B$	XOR operation between A and B
$kdf\left(Msg\right)$	Derivate key from $Msg$
$H\left(Msg\right)$	A one-way hash function that generates $Msg$ digests
$X⤏Y:Msg$	X sends message $Msg$ to Y by using a secure channel, where X and Y are two entities.
$X\to Y:Msg$	X sends message $Msg$ to Y by using a public channel

.

5.1. Initialization Phase

This phase is performed in the battery swap station $BSS$. The specific process is described as follows.

BSS-1:$BSS$ selects an elliptic curve $E/F_p$ whose base point is P. Meanwhile, the order of p is set to n.

BSS-2:$BSS$ generates a private key $s{k}_{BSS}$ from $Z_n^{*}$, and calculates the public key $p{k}_{BSS}$ by $p{k}_{BSS}=s{k}_{BSS}P$.

BSS-3:$BSS$ chooses two hash functions (collision-resistant) $H_1(·)$ and $H_2(·)$. At the end, $BSS$ publishes the system parameters $\left\{E/F_p,P,n,p{k}_{BSS},H_1(·),H_2(·)\right\}$.

5.2. User Registration Phase

Electric bike rider $EBR$ needs to register with battery swap station $BSS$ before swapping batteries. The registration takes place in a secure channel, and the specific process (

Table 3. User registration phase.

Electric Bike Riders/Microprocesser Chip ($\mathit{EBR}/\mathit{MC}$)	Battery Swap Station ($\mathit{BSS}$)
EBR inputs $I{D}_{EBR}$ and $P{W}_{EBR}$
MC generates $a_{MC}$ and $b_{MC}$
MC computes $HIP,v,d,C$
$\stackrel{Msg1=\left\{p{k}_{EBR},I{D}_{EBR},d\right\}}{⤏}$
	Checks whether $H_2\left(I{D}_{EBR}\right)$ and $I{D}_{EBR}$ are valid
	Calculates $l=H_1\left(s{k}_{BSS}\right)\oplus d\oplus H_2(s{k}_{BSS}\left|\right|I{D}_{EBR})$ and stores $H_2(s{k}_{BSS}\left|\right|I{D}_{EBR}),I{D}_{EBR}$
	$\stackrel{Msg2=\left\{l\right\}}{⤎}$
Calculates $l^{\prime }=l\oplus b_{MC}$
Stores $l^{\prime }$, v and C secretly

) is described as follows.

EBR-1:$EBR$ inputs the $I{D}_{EBR}$ and $P{W}_{EBR}$ on the smart glasses. After the input is completed, the microprocessor chip $MC$ generates two random numbers $a_{MC},b_{MC}$ and calculates $HIP=H_2(I{D}_{EBR}\left|\right|P{W}_{EBR}),v=HIP\oplus a_{MC},d=HIP\oplus b_{MC}$ and $C=H_2(I{D}_{EBR}\left|\right|P{W}_{EBR}\left|\right|a_{MC})$. Finally, $EBR$ submits:

$$\begin{array}{c}\hfill Msg1=\left\{p{k}_{EBR},I{D}_{EBR},d\right\}\end{array}$$

to the $BSS$ by using a secure channel.

BSS-2:$BSS$ checks whether $H_2\left(I{D}_{EBR}\right)$ and $I{D}_{EBR}$ are valid after receiving $Msg1$. If they already exist in the database, $BSS$ returns a message to $EBR$ asking for a new $ID$.

BSS-3:$BSS$ calculates $l=H_1\left(s{k}_{BSS}\right)\oplus d\oplus H_2(s{k}_{BSS}\left|\right|I{D}_{EBR})$. After that, $BSS$ stores $H_2(s{k}_{BSS}\left|\right|I{D}_{EBR}),I{D}_{EBR}$ and sends $Msg2=\left\{l\right\}$ to $EBR$ by using a secure channel.

EBR-4: After receiving $Msg2$, $EBR$ calculates $l^{\prime }=l\oplus b_{MC}=H_1\left(s{k}_{BSS}\right)\oplus HIP\oplus H_2(s{k}_{BSS}\left|\right|I{D}_{EBR})$ and stores $l^{\prime }$, v, and C in the microprocessor chip.

5.3. Authentication and Key Exchange (AKE) Phase

After registration, when electric bike rider $EBR$ wants to swap batteries, he needs to send some information for identity authentication. The key algorithms of this phase are shown in Algorithms 1 and 2. $ECC\_ScalarMul$ denotes scalar multiplication on an elliptic curve, and its computation is time-consuming. $ECC\_Add$ represents addition on an elliptic curves, and $ECC\_Neg$ represents negation operations on an elliptic curves. These two cryptographic operations take less time. $kdf$ represents the key derivation function. We transferred a scalar multiplication on the $EBR$ side in the original protocol algorithm to the $BSS$ side. The specific process (

Table 4. Mutual authentication and key exchange phase.

Electric Bike Riders/Microprocesser Chip ($\mathit{EBR}/\mathit{MC}$)	Battery Swap Station ($\mathit{BSS}$)
EBR inputs identity $I{D}_{EBR}$ and password $P{W}_{EBR}$
MC calculates $HIP$, $a_{MC}$ and $C_{EBR}^{\prime }$
MC Checks whether $C?=C_{EBR}^{\prime }$
Generates $r_{MC}\in Z_n^{*}$ and $T_{MC}$
Computes $U_{EBR}=r_{MC}+s{k}_{EBR}$, $R=r_{MC}p{k}_{BSS}$,
$CI{D}_{EBR}=l^{\prime }\oplus HIP$
and $Aut{h}_{EBR}=H_2(I{D}_{EBR}\left|\right|R\left|\right|CI{D}_{EBR}\left|\right|T_{MC})$
$\stackrel{Msg1=\left\{Aut{h}_{EBR},CI{D}_{EBR},U_{EBR},T_{MC}\right\}}{\to }$
	Validates the received timestamp $T_{MC}$
	Computes $H_2(s{k}_{BSS}\left|\right|I{D}_{EBR})=CI{D}_{EBR}\oplus H_1\left(s{k}_{BSS}\right)$
	Computes $R_{EBR}=U_{EBR}P-p{k}_{EBR}=r_{MC}P$ and $R^{*}=s{k}_{BSS}{R}_{EBR}$,
	$Aut{h}_{EBR}^{*}=H_2(I{D}_{EBR}\left|\right|R^{*}\left|\right|CI{D}_{EBR}\left|\right|T_{MC})$
	Checks whether $Aut{h}_{EBR}^{*}?=Aut{h}_{EBR}$
	Generates $r_{BSS}\in Z_n^{*}$ and $T_{BSS}$
	Computes $R_{BSS}=r_{BSS}P$, $S{K}_{BSS}=r_{BSS}{R}_{EBR}$
	$Aut{h}_{BSS}=H_2(I{D}_{EBR}\left|\right|R^{*}\left|\right|S{K}_{BSS}\left|\right|T_{BSS})$
	$\stackrel{Msg2=\left\{Aut{h}_{BSS},R_{BSS},T_{BSS}\right\}}{\leftarrow }$
Verifies the received timestamp $T_{BSS}$
Calculates $S{K}_{EBR}=r_{MC}{R}_{BSS}$
$Aut{h}_{BSS}^{*}=H_2(I{D}_{EBR}\left|\right|R\left|\right|S{K}_{EBR}\left|\right|T_{BSS})$
Checks whether $Aut{h}_{BSS}^{*}?=Aut{h}_{BSS}$
Generates $T_{MC}^{\prime }$ and computes
$SK=kdf\left(I{D}_{EBR}\right|\left|S{K}_{EBR}\right|\left|T_{MC}\right|\left|T_{BSS}\right),$
$Aut{h}_{EB}=H_2(I{D}_{EBR}\left|\right|R\left|\right|SK\left|\right|T_{MC}^{\prime })$
$\stackrel{Msg3=\left\{Aut{h}_{EB},T_{MC}^{\prime }\right\}}{\to }$
	Validates the timestamp $T_{MC}^{\prime }$
	Calculates the session key
	$S{K}^{\prime }=kdf(I{D}_{EBR}\left|\right|S{K}_{BSS}\left|\right|T_{MC}\left|\right|T_{BSS})$
	$Aut{h}_{EB}^{*}=H_2(I{D}_{EBR}\left|\right|R^{*}\left|\right|S{K}^{\prime }\left|\right|T_{MC}^{\prime })$
	Checks whether $Aut{h}_{EB}^{*}?=Aut{h}_{EB}$

) of the AKE phase is described as follows.

Algorithm 1 $EBR$ calculates $SK=kdf(I{D}_{EBR},S{K}_{EBR},T_{MC},T_{BSS})$

Input:  $E,r_{MC},p{k}_{BSS},R_{BSS},s{k}_{EBR},T_{MC},T_{BSS}$ Output:  The session key $SK$  1: $U_{EBR}=ECC\_Add(r_{MC},s{k}_{EBR},E)$  2: $R=ECC\_ScalarMul(r_{MC},p{k}_{BSS},E)$  3: $S{K}_{EBR}=ECC\_ScalarMul(r_{MC},R_{BSS},E)$  4: $SK=kdf(I{D}_{EBR},S{K}_{EBR},T_{MC},T_{BSS})$

Algorithm 2 $BSS$ calculates $SK=kdf(I{D}_{EBR},S{K}_{BSS},T_{MC},T_{BSS})$

Input:  $E,U_{EBR},p{k}_{EBR},s{k}_{BSS},r_{BSS},I{D}_{EBR},T_{MC},T_{BSS}$ Output:  The temporary secret R  1: $temp1=ECC\_Neg(p{k}_{EBR},E)$  2: $temp2=ECC\_ScalarMul(U_{EBR},P,E)$  3: $R_{EBR}=ECC\_Add(temp1,temp2,E)$  4: $R=ECC\_ScalarMul(R_{EBR},s{k}_{BSS},E)$  5: $R_{BSS}=ECC\_ScalarMul(r_{BSS},P,E)$  6: $S{K}_{BSS}=ECC\_ScalarMul(r_{BSS},R_{EBR},E)$  7: $SK=kdf(I{D}_{EBR},S{K}_{BSS},T_{MC},T_{BSS})$

EBR-1:$EBR$ inputs $I{D}_{EBR}$ and $P{W}_{EBR}$ using a smart glasses. Then $MC$ calculates $HIP=H_2(I{D}_{EBR}\left|\right|P{W}_{EBR})$, $a_{MC}=v\oplus HIP$ and $C_{EBR}^{\prime }=H_2(I{D}_{EBR}\left|\right|P{W}_{EBR}\left|\right|a_{MC})$. After that, $EBR$ checks whether $C_{EBR}^{\prime }$ is equal to C. After successful verification, $MC$ generates a random number $r_{MC}\in Z_n^{*}$ and a current timestamp $T_{MC}$, and computes $U_{EBR}=r_{MC}+s{k}_{EBR}$, $R=r_{MC}p{k}_{BSS}$, $CI{D}_{EBR}=l^{\prime }\oplus HIP=H_1\left(s{k}_{BSS}\right)\oplus H_2(s{k}_{BSS}\left|\right|I{D}_{EBR})$ and $Aut{h}_{EBR}=H_2(I{D}_{EBR}\left|\right|R\left|\right|CI{D}_{EBR}\left|\right|T_{MC})$. Then, $EBR$ sends:

$$\begin{array}{c}\hfill Msg1=\left\{Aut{h}_{EBR},CI{D}_{EBR},U_{EBR},T_{MC}\right\}\end{array}$$

to the $BSS$ by using a public channel.

BSS-2:$BSS$ verifies whether the difference between $T_{MC}$ and the reception time $T_{MC}^{*}$ is less than the maximum transmission latency $\Delta T$ after receiving $Ms{g}_1$. If it is greater than $\Delta T$, the protocol will stop running. Otherwise, $BSS$ calculates $H_2(s{k}_{BSS}\left|\right|I{D}_{EBR})=CI{D}_{EBR}\oplus H_1\left(s{k}_{BSS}\right)$. After that, $BSS$ computes $R_{EBR}=U_{EBR}P-p{k}_{EBR}=r_{MC}P$ and $R^{*}=s{k}_{BSS}{R}_{EBR}$, $Aut{h}_{EBR}^{*}=H_2(I{D}_{EBR}\left|\right|R^{*}\left|\right|CI{D}_{EBR}\left|\right|T_{MC})$ and checks whether $Aut{h}_{EBR}^{*}$ is equal to $Aut{h}_{EBR}$. After successful verification, $BSS$ generates a random number $r_{BSS}\in Z_n^{*}$ and a current timestamp $T_{BSS}$. Then $BSS$ computes $R_{BSS}=r_{BSS}P$, $S{K}_{BSS}=r_{BSS}{R}_{EBR}$ and $Aut{h}_{BSS}=H_2(I{D}_{EBR}\left|\right|R^{*}\left|\right|S{K}_{BSS}\left|\right|T_{BSS})$. At the end, $BSS$ sends:

$$\begin{array}{c}\hfill Ms{g}_2=\left\{Aut{h}_{BSS},R_{BSS},T_{BSS}\right\}\end{array}$$

to $EBR$ by using a public channel.

EBR-3: After receiving $Ms{g}_2$, $EBR$ first verifies whether the difference between $T_{BSS}$ and the reception time $T_{BSS}^{*}$ is less than $\Delta T$. If it is greater than $\Delta T$, the protocol will stop running. Otherwise, $EBR$ calculates $S{K}_{EBR}=r_{MC}{R}_{BSS}$, $Aut{h}_{BSS}^{*}=H_2(I{D}_{EBR}\left|\right|R\left|\right|S{K}_{EBR}\left|\right|T_{BSS})$, and checks whether $Aut{h}_{BSS}^{*}$ is equal to $Aut{h}_{BSS}$. After successful verification, $MC$ generates the current timestamp $T_{MC}^{\prime }$, and computes the session key $SK=kdf\left(I{D}_{EBR}\right|\left|S{K}_{EBR}\right||T_{MC}$$\left|\right|T_{BSS})$. At the end, $EBR$ calculates $Aut{h}_{EB}=H_2(I{D}_{EBR}\left|\right|R\left|\right|SK\left|\right|T_{MC}^{\prime })$, and $EBR$ sends:

$$\begin{array}{c}\hfill Ms{g}_3=\left\{Aut{h}_{EB},T_{MC}^{\prime }\right\}\end{array}$$

to the $BSS$ through a public channel.

BSS-4: After receiving $Ms{g}_3$, $BSS$ verifies whether the difference between $T_{MC}^{\prime }$ and the reception time $T_{MC}^{″}$ is less than $\Delta T$. If it is greater than $\Delta T$, the protocol will stop running. Otherwises $BSS$ computes the session key $S{K}^{\prime }=kdf(I{D}_{EBR}\left|\right|S{K}_{BSS}\left|\right|T_{MC}\left|\right|T_{BSS})$, $Aut{h}_{EB}^{*}=H_2(I{D}_{EBR}\left|\right|R^{*}\left|\right|S{K}^{\prime }\left|\right|T_{MC}^{\prime })$ and checks whether $Aut{h}_{EB}^{*}$ is equal to $Aut{h}_{EB}$. If they are equal, the mutual authentication and session key agreement phase have successfully be completed. Finally, the same session key $SK(=S{K}^{\prime })$ will be store, and it will be used for secure commucations of $EBR$ and $BSS$.

5.4. Password Change

Electric bike riders can change their password at any time. The specific process (

Table 5. Password change activity.

Electric Bike Riders ($\mathit{EBR}$)	Microprocesser Chip ($\mathit{MC}$)
EBR inputs $I{D}_{EBR}$ and $P{W}_{EBR}$
	MC Computes
	$HIP=H_2(I{D}_{EBR}\left|\right|P{W}_{EBR})$,
	$a_{MC}=v\oplus HIP$ and
	$C^{\prime }=H_2(I{D}_{EBR}\left|\right|P{W}_{EBR}\left|\right|a_{MC})$
	Checks if $C=C^{\prime }$
	Asks $EBR$ to input a new password
Chooses a new password $P{W}_{new}$
	Calculate
	$HI{P}_{new}=H_2(I{D}_{EBR}\left|\right|P{W}_{new})$,
	$v_{new}=HI{P}_{new}\oplus a_{MC}$,
	$C_{new}=H_2(I{D}_{EBR}\left|\right|P{W}_{new}\left|\right|a_{MC})$
	and $l_{new}=l^{\prime }\oplus HIP\oplus HI{P}_{new}=H_1\left(s{k}_{BSS}\right)\oplus HI{P}_{new}\oplus H_2(s{k}_{BSS}\left|\right|I{D}_{EBR})$.
Stores $l_{new}$, $v_{new}$ and $C_{new}$, deletes old parameters

) is described as follows.

EBR-1:$EBR$ first inputs $I{D}_{EBR}$ and old password $P{W}_{EBR}$ through a microprocessor chip.

MC-2:$MC$ computes $HIP=H_2(I{D}_{EBR}\left|\right|P{W}_{EBR})$, $a_{MC}=v\oplus HIP$. After that, $MC$ calculates $C^{\prime }=H_2(I{D}_{EBR}\left|\right|P{W}_{EBR}\left|\right|a_{MC})$, and then verifies C is equal to $C^{\prime }$ or not. If it is satisfied, $MC$ asks $EBR$ to input a new password.

MC-3: After receiving the new password, $MC$ calculate $HI{P}_{new}=H_2(I{D}_{EBR}\left|\right|P{W}_{new})$, $v_{new}=HI{P}_{new}\oplus a_{MC}$, $d_{new}=HI{P}_{new}\oplus b_{MC}$, $C_{new}=H_2(I{D}_{EBR}\left|\right|P{W}_{new}\left|\right|a_{MC})$ and $l_{new}=l^{\prime }\oplus HIP\oplus HI{P}_{new}=H_1\left(s{k}_{BSS}\right)\oplus HI{P}_{new}\oplus H_2(s{k}_{BSS}\left|\right|I{D}_{EBR})$. Finally, $EBR$ store $l_{new}$, $v_{new}$ and $C_{new}$ in the microprocessor chip and delete old parameters.

5.5. Comparison of LLAKEP and Other Protocols

From the experimental results of He et al.’s scheme [15], it can be obtained that the most time spent is on the elliptic curve scalar multiplication operation, followed by the execution of a map-to-point hash function and a modular inversion operation, while the time spent on the execution of a hash operation, a dissimilarity operation, a message authentication code operation, and a key derivation function is very short. The main cryptographic operations involved in the authentication phase of the relevant protocols and LLAKEP are shown in

Table 6. Comparison of computation costs.

Protocol	$\mathit{Client}$	$\mathit{Server}$
YC protocol [13]	$4\mathcal{M}+3\mathcal{H}+\mathcal{P}$	$4\mathcal{M}+3\mathcal{H}+\mathcal{P}$
YY protocol [14]	$4\mathcal{M}+3\mathcal{H}+\mathcal{P}$	$4\mathcal{M}+4\mathcal{H}+\mathcal{P}$
HDB protocol [15]	$3\mathcal{M}+2\mathcal{H}+2\mathcal{C}$	$3\mathcal{M}+3\mathcal{H}+\mathcal{C}+\mathcal{I}$
QC protocol [16]	$3\mathcal{M}+4\mathcal{H}+3\mathcal{X}+\mathcal{K}$	$3\mathcal{M}+4\mathcal{H}+\mathcal{X}+\mathcal{K}$
2PAKEP [17]	$3\mathcal{M}+6\mathcal{H}+2\mathcal{X}+\mathcal{K}$	$3\mathcal{M}+4\mathcal{H}+3\mathcal{X}+\mathcal{K}$
LLAKEP	$2\mathcal{M}+6\mathcal{H}+2\mathcal{X}+\mathcal{K}$	$4\mathcal{M}+4\mathcal{H}+3\mathcal{X}+\mathcal{K}$

Note: $\mathcal{M}$: the time for an elliptic curve point scalar multiplication operation; $\mathcal{H}$: the time for a hash operation; $\mathcal{P}$: the time for a map-to-point hash operation; $\mathcal{X}$: the time for a XOR operation; $\mathcal{C}$: the time for a message authentication code operation; $\mathcal{I}$: the time for executing a modular inversion operation; $\mathcal{K}$: the time for a key derivation function.

. $Client$ denotes the device with limited computing power, and $Server$ denotes the device with strong computing power.

We can see that the total number of elliptic curve scalar multiplication required by LLAKEP is fewer than that of the protocols proposed in [13,14], so the total computing time of LLAKEP is less than theirs. Compared to the protocols proposed in [15,16,17], $Client$ of LLAKEP needs to perform fewer elliptic curve scalar multiplications, which leads to the computing time being cut, thus reducing the overall latency.

6. Security Analysis

This section proves the security of LLAKEP in the ROR model.

6.1. Security Proof

The security of LLAKEP in the ROR model is shown in Theorem 1.

Theorem 1.

Let $Ad{v}_{LLAKEP}\left(t\right)$ be the advantage of a polynomial-time t adversary $\mathcal{A}$ in breaking the security of LLAKEP, then

$$Ad{v}_{LLAKEP}\left(t\right)\le \frac{q_h^2}{\left|Hash\right|}+2\left(\frac{q_s}{\left|D\right|}+Ad{v}_{\mathcal{A}}^{ECDDHP}\left(t\right)\right),$$

where $\left|Hash\right|,q_s,q_h,\left|D\right|$ and $Ad{v}_{\mathcal{A}}^{ECDDHP}\left(t\right)$ are the number of $Hash$ queries, the number of $Send$ queries, the number of $Hash$ queries, the size of password dictionary D in LLAKEP, and the advantage of $\mathcal{A}$ in breaking the ECDDHP in time t, respectively.

Proof. 

Let $G_j$, where $j=0,1,2,3,4$, be a sequence of games, and $Suc{c}_{G_j}$ be the event that an adversary $\mathcal{A}$ wins the game $G_j$, the probability of which is denoted by $Pr\left[Suc{c}_{G_j}\right]$. Those five games are defined as follows:

• $G_0:$ This game models the original protocol LLAKEP in the ROR model, and an unbiased coin b is filpped. Therefore,

  $$\begin{array}{c}\hfill Ad{v}_{LLAKEP}\left(t\right)=|2Pr\left[Suc{c}_{G_0}\right]-1|.\end{array}$$

  (1)
• $G_1:$ This game excludes the eavesdropping attacks. $\mathcal{A}$ may use the $Execute$ query in this game, and once the instance is accepted, $\mathcal{A}$ proceeds to the $Test$ query. In LLAKEP, $SK$ and $S{K}^{\prime }$ are calculated as $SK=kdf(I{D}_{EBR}\left|\right|S{K}_{EBR}\left|\right|T_{MC}\left|\right|T_{BSS})=kdf(I{D}_{EBR}\left|\right|S{K}_{BSS}\left|\right|T_{MC}\left|\right|T_{BSS})(=S{K}^{\prime }),$ where $S{K}_{EBR}=r_{MC}{R}_{BSS}=r_{MC}\left(r_{BSS}P\right)=r_{BSS}\left(r_{MC}P\right)=S{K}_{BSS}.$ For getting the session key, $\mathcal{A}$ needs ephemeral secrets $\{r_{MC},r_{BSS}\}$ and the permanent secret identity $I{D}_{EBR}$. Hence, $\mathcal{A}$ has no advantage in winning the game $G_1$ through eavesdropping attack. Therefore,

  $$\begin{array}{c}\hfill Pr\left[Suc{c}_{G_1}\right]=Pr\left[Suc{c}_{G_0}\right].\end{array}$$

  (2)
• $G_2:$ This game models the $Send$ and $Hash$ queries. $\mathcal{A}$ may mount an active attack to intercept messages $Msg1=\{Aut{h}_{EBR},CI{D}_{EBR},U_{EBR},T_{MC}\}$, $Msg2=\{Aut{h}_{BSS},R_{BSS},T_{BSS}\}$, and $Msg3=\{Aut{h}_{EB},T_{MC}^{\prime }\}.$ Note that all these messages involve the random nonces and the current timestamps, the only advantage $\mathcal{A}$ can take is making the $Hash$ queries to find collisions. Therefore, by the birthday paradox,

  $$\begin{array}{c}\hfill |Pr\left[Suc{c}_{G_2}\right]-Pr\left[Suc{c}_{G_1}\right]|\le \frac{q_h^2}{2\left|Hash\right|}.\end{array}$$

  (3)
• $G_3:$ This game models the $EMD/EMC$ query wherein $\mathcal{A}$ can extract all the credentials $l^{\prime },v$ and C from a lost or stolen device or a microprocessor chip, where $l^{\prime }=l\oplus b_{MC}=H_1\left(s{k}_{BSS}\right)\oplus HIP\oplus H_2(s{k}_{BSS}\left|\right|I{D}_{EBR}),v=HIP\oplus a_{MC}$ and $C=H_2(I{D}_{EBR}\left|\right|P{W}_{EBR}\left|\right|a_{MC}).$ Note that since $\mathcal{A}$ could not get the secret crentials $a_{MC}$ and $s{k}_{BSS}$ using the $Send$ queries, guessing is the only way to obtain the password $P{W}_{EBR}$ and identity $I{D}_{EBR}$ of a registered user $EBR$ from $l^{\prime }$, v, and C. Therefore,

  $$\begin{array}{c}\hfill |Pr\left[Suc{c}_{G_3}\right]-Pr\left[Suc{c}_{G_2}\right]|\le \frac{q_s}{\left|D\right|}.\end{array}$$

  (4)
• $G_4$: This game models an active attack. To derive the session key SK of $EBR$ and $BSS(SK=kdf(I{D}_{EBR}\left|\right|S{K}_{EBR}\left|\right|T_{MC}\left|\right|T_{BSS})=kdf(I{D}_{EBR}\left|\right|S{K}_{BSS}\left|\right|T_{MC}\left|\right|T_{BSS}=S{K}^{\prime })$, $\mathcal{A}$ may use $Send$ queries to obtain all the intercepted messages $Msg1,Msg2$, and $Msg3$, and then try to derive $S{K}_{EBR}=r_{MC}{R}_{BSS}=r_{MC}\left(r_{BSS}P\right)=r_{BSS}\left(r_{MC}P\right)=S{K}_{BSS}$. Note that $\mathcal{A}$ can derive $S{K}_{EBR}=r_{MC}{R}_{BSS}$ or $S{K}_{BSS}=r_{BSS}(U_{EBR}P-p{k}_{EBR})$. However, this problem is essentially the same as solving an ECDDHP. Therefore,

  $$\begin{array}{cc}\hfill & |Pr\left[Suc{c}_{G_4}\right]-Pr\left[Suc{c}_{G_3}\right]|\hfill \\ \hfill & \le Ad{v}_{\mathcal{A}}^{ECDDHP}\left(t\right).\hfill \end{array}$$

  (5)

After executing the games, $\mathcal{A}$ guesses the bit b:

$$\begin{array}{c}\hfill Pr\left[Suc{c}_{G_4}\right]=\frac{1}{2}.\end{array}$$

(6)

According to (1) and (2), we have:

$$\begin{array}{cc}\hfill \frac{1}{2}Ad{v}_{LLAKEP}\left(t\right)& =|Pr\left[Suc{c}_{G_0}\right]-\frac{1}{2}|\hfill \\ \hfill & =|Pr\left[Suc{c}_{G_1}\right]-\frac{1}{2}|.\hfill \end{array}$$

(7)

According to (6) and (7), we have:

$$\begin{array}{c}\hfill \frac{1}{2}Ad{v}_{LLAKEP}\left(t\right)=|Pr\left[Suc{c}_{G_1}\right]-Pr\left[Suc{c}_{G_4}\right]|.\end{array}$$

(8)

Using the triangular inequality, we have the following result:

$$\begin{array}{cc}\hfill & |Pr\left[Suc{c}_{G_1}\right]-Pr\left[Suc{c}_{G_4}\right]|\hfill \\ \hfill & \le |Pr\left[Suc{c}_{G_1}\right]-Pr\left[Suc{c}_{G_3}\right]|\hfill \\ \hfill & +|Pr\left[Suc{c}_{G_3}\right]-Pr\left[Suc{c}_{G_4}\right]|\hfill \\ \hfill & \le |Pr\left[Suc{c}_{G_1}\right]-Pr\left[Suc{c}_{G_2}\right]|\hfill \\ \hfill & +|Pr\left[Suc{c}_{G_2}\right]-Pr\left[Suc{c}_{G_3}\right]|\hfill \\ \hfill & +|Pr\left[Suc{c}_{G_3}\right]-Pr\left[Suc{c}_{G_4}\right]|\hfill \\ \hfill & \le \frac{q_h^2}{2\left|Hash\right|}+\le \frac{q_s}{\left|D\right|}\hfill \\ \hfill & +Ad{v}_{\mathcal{A}}^{ECDDHP}\left(t\right).\hfill \end{array}$$

(9)

From (8) and (9), we have:

$$\begin{array}{cc}\hfill \frac{1}{2}Ad{v}_{LLAKEP}\left(t\right)& \le \frac{q_h^2}{2\left|Hash\right|}+\le \frac{q_s}{\left|D\right|}\hfill \\ \hfill & +Ad{v}_{\mathcal{A}}^{ECDDHP}\left(t\right).\hfill \end{array}$$

(10)

Then, we obtain the required result:

$$Ad{v}_{LLAKEP}\left(t\right)\le \frac{q_h^2}{\left|Hash\right|}+2\left(\frac{q_s}{\left|D\right|}+Ad{v}_{\mathcal{A}}^{ECDDHP}\left(t\right)\right).$$

Theorem 1 is proved. □

6.2. GNY Logic Proof

We introduce the symbols and meanings used in the GNY logic [29] in

Table 7. GNY Expression.

Symbol	Meaning
$(A,B)$	Conjunction of A and B.
$H\left(A\right)$	A one-way hash function of A.
$*A$	A is a not-originated-here formula.
$P◃A$	P is told A.
$P\ni A$	A possesses, or is capable of possessing A.
$P\mid \sim A$	P once said A.
$P\mid \equiv ♯\left(A\right)$	P believes that A is fresh, that is, A has not been used before
$P\mid \equiv \varnothing \left(A\right)$	P can recognize A, that is, P has certain expectations for the content of A.
$P\mid \equiv P\stackrel{Key}{⟷}Q$	P believes that $Key$ is a suitable secret
	for P and Q.

, and then prove the mutual authentication between electric bike rider $EBR$ and battery swap station $BSS$ in LLAKEP.

6.2.1. Protocol Paraphrase

LLAKEP consists of the following messages between $EBR$ and $BSS$.

1. $EBR\to BSS:Aut{h}_{EBR},CI{D}_{EBR},U_{EBR},T_{MC}$

2. $BSS\to EBR:Aut{h}_{BSS},R_{BSS},T_{BSS}$

3. $EBR\to BSS:Aut{h}_{EB},T_{MC}^{{}^{\prime }}$

6.2.2. Description of Protocol

The parser algorithm would describe the protocol as follows.

$Ms{g}_1:BSS◃*Aut{h}_{EBR},*CI{D}_{EBR},*U_{EBR},*T_{MC}$

$Ms{g}_2:EBR◃*Aut{h}_{BSS},*R_{BSS},*T_{BSS}$

$Ms{g}_3:BSS◃*Aut{h}_{EB},*T_{MC}^{{}^{\prime }}$

6.2.3. Goal

We need to show that LLAKEP achieves the following goals.

$\mathbf{Goal}\mathbf{1}:EBR\mid \equiv ♯SK$

$\mathbf{Goal}\mathbf{2}:EBR\mid \equiv \varphi SK$

$\mathbf{Goal}\mathbf{3}:EBR\mid \equiv BSS\ni SK$

$\mathbf{Goal}\mathbf{4}:BSS\mid \equiv ♯SK$

$\mathbf{Goal}\mathbf{5}:BSS\mid \equiv \varphi SK$

$\mathbf{Goal}\mathbf{6}:BSS\mid \equiv EBR\ni SK$

6.2.4. Initialization Assumption

The initialization assumptions for $EBR$ and $BSS$ are as follows.

$A1:EBR\mid \equiv ♯r_{MC}$

$A2:EBR\mid \equiv \varphi r_{MC}$

$A3:EBR\ni r_{MC},p{k}_{BSS},I{D}_{EBR},s{k}_{BSS},T_{BSS},P$

$A4:EBR\mid \equiv EBR\stackrel{I{D}_{EBR}}{\leftrightarrow }BSS$

$A5:BSS\mid \equiv ♯r_{BSS},s{k}_{BSS}$

$A6:BSS\mid \equiv \varphi r_{BSS}$

$A7:BSS\ni r_{BSS},p{k}_{EBR},I{D}_{EBR}$

$A8:BSS\mid \equiv EBR\stackrel{I{D}_{EBR}}{\leftrightarrow }BSS$

6.2.5. Proof

The proof of the goals are as follows.

According to rules T1 and P1, we can infer that $EBR$ possesses $Aut{h}_{BSS},R_{BSS},T_{BSS}$, and $BSS$ possesses $Aut{h}_{EBR},CI{D}_{EBR},U_{EBR},T_{MC},Aut{h}_{EB},T_{MC}^{{}^{\prime }}$.

$$\frac{EBR◃*Aut{h}_{BSS},*R_{BSS},*T_{BSS}}{\frac{EBR◃Aut{h}_{BSS},R_{BSS},T_{BSS}}{EBR\ni Aut{h}_{BSS},R_{BSS},T_{BSS}}\left(P1\right)}\left(T1\right)$$

$$\frac{BSS◃*Aut{h}_{EBR},*CI{D}_{EBR},*U_{EBR},*T_{MC},*Aut{h}_{EB},*T_{MC}^{{}^{\prime }}}{\frac{BSS◃Aut{h}_{EBR},CI{D}_{EBR},U_{EBR},T_{MC},Aut{h}_{EB},T_{MC}^{{}^{\prime }}}{BSS\ni Aut{h}_{EBR},CI{D}_{EBR},U_{EBR},T_{MC},Aut{h}_{EB},T_{MC}^{{}^{\prime }}}\left(P1\right)}\left(T1\right)$$

Goal 1 According to A1 and the rule F1, we can infer that $EBR$ believes that $S{K}_{EBR}$ is fresh, and $S{K}_{EBR}=R_{BSS}*r_{MC}$.

$$\frac{EBR\mid \equiv ♯r_{MC}}{EBR\mid \equiv ♯R_{BSS}*r_{MC}}\left(F1\right)$$

According to the rule F1, we can infer that $EBR$ believes that $SK$ is fresh, and $SK=kdf\left(I{D}_{EBR}\right|\left|S{K}_{EBR}\right|\left|T_{MC}\right|\left|T_{BSS}\right)$. Goal 1 is proved.

$$\frac{EBR\mid \equiv ♯S{K}_{EBR}}{EBR\mid \equiv ♯\left(I{D}_{EBR}\right|\left|S{K}_{EBR}\right|\left|T_{MC}\right|\left|T_{BSS}\right)}\left(F1\right)$$

Goal 2 According to A2 and the rule R1, we can infer that $EBR$ believes that $S{K}_{EBR}$ is recognizable, and $S{K}_{EBR}=R_{BSS}*r_{MC}$.

$$\frac{EBR\mid \equiv \varphi r_{MC}}{EBR\mid \equiv \varphi R_{BSS}*r_{MC}}\left(R1\right)$$

According to the rule R1, we can infer that $EBR$ believes that $SK$ is recognizable, and $SK=kdf\left(I{D}_{EBR}\right|\left|S{K}_{EBR}\right|\left|T_{MC}\right|\left|T_{BSS}\right)$. Goal 2 is proved.

$$\frac{EBR\mid \equiv \varphi S{K}_{EBR}}{EBR\mid \equiv \varphi \left(I{D}_{EBR}\right|\left|S{K}_{EBR}\right|\left|T_{MC}\right|\left|T_{BSS}\right)}\left(R1\right)$$

Goal 3 According to the rule P2, we can infer that $EBR$ possesses $S{K}_{EBR}$, and $S{K}_{EBR}=R_{BSS}*r_{MC}$.

$$\frac{EBR\ni r_{MC},EBR\ni R_{BSS}}{EBR\ni R_{BSS}*r_{MC}}\left(P2\right)$$

According to A3 and the rule P2, we can infer that $EBR$ possesses R, and $R=r_{MC}*p{k}_{BSS}$.

$$\frac{EBR\ni r_{MC},EBR\ni p{k}_{BSS}}{EBR\ni r_{MC}*p{k}_{BSS}}\left(P2\right)$$

According to A3 and the rule P2, we can infer that $EBR$ possesses $\left(I{D}_{EBR}\right|\left|R\right|\left|S{K}_{EBR}\right|\left|T_{BSS}\right)$.

$$\frac{EBR\ni I{D}_{EBR},EBR\ni R,EBR\ni S{K}_{EBR},EBR\ni T_{BSS}}{EBR\ni \left(I{D}_{EBR}\right|\left|R\right|\left|S{K}_{EBR}\right|\left|T_{BSS}\right)}\left(P2\right)$$

According to the rule F1, we can infer that $EBR$ believes that R is fresh, and $R=r_{MC}*p{k}_{BSS}$.

$$\frac{EBR\mid \equiv ♯r_{MC}}{EBR\mid \equiv ♯r_{MC}*p{k}_{BSS}}\left(F1\right)$$

According to the rule F1, we can infer that $EBR$ believes that $\left(I{D}_{EBR}\right|\left|R\right|\left|S{K}_{EBR}\right|\left|T_{BSS}\right)$ is fresh.

$$\frac{EBR\mid \equiv ♯R}{EBR\mid \equiv ♯\left(I{D}_{EBR}\right|\left|R\right|\left|S{K}_{EBR}\right|\left|T_{BSS}\right)}\left(F1\right)$$

According to A4 and the rule I3, we can infer that $EBR$ believes that $BSS$ once said $S{K}_{EBR}$.

$$\frac{EBR◃*H_2(I{D}_{EBR}\left|\right|R\left|\right|S{K}_{EBR}\left|\right|T_{BSS}),EBR\ni (I{D}_{EBR}\left|\right|R\left|\right|S{K}_{EBR}\left|\right|T_{BSS}),EBR\mid \equiv EBR\stackrel{I{D}_{EBR}}{\leftrightarrow }BSS,EBR\mid \equiv ♯(I{D}_{EBR}\left|\right|R\left|\right|S{K}_{EBR}\left|\right|T_{BSS})}{EBR\mid \equiv BSS\sim \left(I{D}_{EBR}\right|\left|R\right|\left|S{K}_{EBR}\right|\left|T_{BSS}\right)}\left(I3\right)$$

$$\frac{EBR\mid \equiv BSS\sim \left(I{D}_{EBR}\right|\left|R\right|\left|S{K}_{EBR}\right|\left|T_{BSS}\right)}{EBR\mid \equiv BSS\sim S{K}_{EBR}}\left(I7\right)$$

According to the rule I6, we can infer that $EBR$ believes that $BSS$ possesses $S{K}_{EBR}$.

$$\frac{EBR\mid \equiv BSS\mid \sim S{K}_{EBR},EBR\mid \equiv ♯S{K}_{EBR}}{EBR\mid \equiv BSS\ni S{K}_{EBR}}\left(I6\right)$$

According to the rule J6, we can infer that $EBR$ believes that $BSS$ possesses $SK$, and $SK=kdf\left(I{D}_{EBR}\right|\left|S{K}_{EBR}\right|\left|T_{MC}\right|\left|T_{BSS}\right)$. Goal 3 is proved.

$$\frac{EBR\mid \equiv BSS\ni I{D}_{EBR},EBR\mid \equiv BSS\ni S{K}_{EBR},EBR\mid \equiv BSS\ni T_{MC},EBR\mid \equiv BSS\ni T_{BSS}}{EBR\mid \equiv BSS\ni \left(I{D}_{EBR}\right|\left|S{K}_{EBR}\right|\left|T_{MC}\right|\left|T_{BSS}\right)}\left(J6\right)$$

$$\frac{EBR\mid \equiv BSS\ni \left(I{D}_{EBR}\right|\left|S{K}_{EBR}\right|\left|T_{MC}\right|\left|T_{BSS}\right)}{EBR\mid \equiv BSS\ni kdf\left(I{D}_{EBR}\right|\left|S{K}_{EBR}\right|\left|T_{MC}\right|\left|T_{BSS}\right)}\left(J6\right)$$

Goal 4 According to A5 and the rule F1, we can infer that $BSS$ believes that $S{K}_{BSS}$ is fresh, and $S{K}_{BSS}=R_{EBR}*r_{BSS}$.

$$\frac{BSS\mid \equiv ♯r_{BSS}}{BSS\mid \equiv ♯R_{EBR}*r_{BSS}}\left(F1\right)$$

According to the rule F1, we can infer that $BSS$ believes that $SK$ is fresh, and $SK=kdf\left(I{D}_{EBR}\right|\left|S{K}_{BSS}\right|\left|T_{MC}\right|\left|T_{BSS}\right)$. Goal 4 is proved.

$$\frac{BSS\mid \equiv ♯S{K}_{BSS}}{BSS\mid \equiv ♯\left(I{D}_{EBR}\right|\left|S{K}_{BSS}\right|\left|T_{MC}\right|\left|T_{BSS}\right)}\left(F1\right)$$

Goal 5 According to A6 and the rule R1, we can infer that $BSS$ believes that $S{K}_{BSS}$ is recognizable, and $S{K}_{BSS}=R_{EBR}*r_{BSS}$.

$$\frac{BSS\mid \equiv \varphi r_{BSS}}{BSS\mid \equiv ♯R_{EBR}*r_{BSS}}\left(R1\right)$$

According to the rule R1, we can infer that $BSS$ believes that $SK$ is recognizable, and $SK=kdf\left(I{D}_{EBR}\right|\left|S{K}_{BSS}\right|\left|T_{MC}\right|\left|T_{BSS}\right)$. Goal 5 is proved.

$$\frac{BSS\mid \equiv \varphi S{K}_{BSS}}{BSS\mid \equiv \varphi \left(I{D}_{EBR}\right|\left|S{K}_{BSS}\right|\left|T_{MC}\right|\left|T_{BSS}\right)}\left(R1\right)$$

Goal 6 According to A7 and the rule P2, we can infer that $BSS$ possesses $R_{EBR}$ and R, and $R_{EBR}=U_{EBR}P-p{k}_{EBR},R=s{k}_{BSS}*R_{EBR}$.

$$\frac{BSS\ni P,BSS\ni U_{EBR},BSS\ni p{k}_{EBR}}{BSS\ni (U_{EBR}P-p{k}_{EBR})}\left(P2\right)$$

$$\frac{BSS\ni s{k}_{BSS},BSS\ni R_{EBR}}{BSS\ni (s{k}_{BSS}*R_{EBR})}\left(P2\right)$$

According to the rule P2, we can infer that $BSS$ possesses $S{K}_{BSS}$, and $S{K}_{BSS}=r_{BSS}*R_{EBR}$.

$$\frac{BSS\ni r_{BSS},BSS\ni R_{EBR}}{BSS\ni r_{BSS}*R_{EBR}}\left(F1\right)$$

According to A7 and the rule P2, we can infer that $BSS$ possesses $SK$.

$$\frac{BSS\ni I{D}_{EBR},BSS\ni S{K}_{BSS},BSS\ni T_{MC},BSS\ni T_{BSS}}{BSS\ni kdf\left(I{D}_{EBR}\right|\left|S{K}_{BSS}\right|\left|\right|T_{MC}\left|T_{BSS}\right)}\left(P2\right)$$

According to the rule P2, we can infer that $BSS$ possesses $\left(R\right|\left|SK\right|\left|T_{MC}^{{}^{\prime }}\right)$.

$$\frac{BSS\ni R,BSS\ni SK,BSS\ni T_{MC}^{{}^{\prime }}}{BSS\ni \left(R\right|\left|SK\right|\left|T_{MC}^{{}^{\prime }}\right)}\left(P2\right)$$

According to the rule F1, we can infer that $BSS$ believes that R is fresh, and $R=s{k}_{BSS}*R_{EBR}$.

$$\frac{BSS\mid \equiv ♯s{k}_{BSS}}{BSS\mid \equiv ♯s{k}_{BSS}*R_{EBR}}\left(F1\right)$$

According to the rule F1, we can infer that $BSS$ believes that $\left(R\right|\left|SK\right|\left|T_{MC}^{{}^{\prime }}\right)$ is fresh.

$$\frac{BSS\mid \equiv ♯R}{BSS\mid \equiv ♯\left(R\right|\left|SK\right|\left|T_{MC}^{{}^{\prime }}\right)}\left(F1\right)$$

According to A8 and the rule I3, we can infer that $BSS$ believes that $EBR$ once said $SK$.

$$\frac{BSS◃*H_2(I{D}_{EBR}\left|\right|R\left|\right|SK\left|\right|T_{MC}^{{}^{\prime }}),BSS\ni (I{D}_{EBR}\left|\right|R\left|\right|SK\left|\right|T_{MC}^{{}^{\prime }}),BSS\mid \equiv EBR\stackrel{I{D}_{EBR}}{\leftrightarrow }BSS,BSS\mid \equiv ♯(I{D}_{EBR}\left|\right|R\left|\right|SK\left|\right|T_{MC}^{{}^{\prime }})}{BSS\mid \equiv EBR\sim \left(I{D}_{EBR}\right|\left|R\right|\left|SK\right|\left|T_{MC}^{{}^{\prime }}\right)}\left(I3\right)$$

$$\frac{BSS\mid \equiv EBR\sim \left(I{D}_{EBR}\right|\left|R\right|\left|SK\right|\left|T_{MC}^{{}^{\prime }}\right)}{BSS\mid \equiv EBR\sim SK}\left(I3\right)$$

According to the rule I6, we can infer that $BSS$ believes that $EBR$ possesses $SK$. Goal 6 is proved.

$$\frac{BSS\mid \equiv EBR\sim SK,BSS\mid \equiv ♯SK}{BSS\mid \equiv EBR\ni SK}\left(I6\right)$$

6.3. Formal Verification

We use Prolog to verify that our protocol achieves the session key security goals (the freshness and the recognizability of the session key, and the belief that the two authenticating parties have the session key). Prolog is a logic verification tool. Write the flow of the protocol as Prolog code, and Prolog can verify whether the protocol achieves our required security goals.

The execution results of Prolog are shown in Figure 2, and we can see that several security goals regarding the protocol returned “True”, which indicates that the LLAKEP can achieve the required security goals.

7. Performance Analysis

We mainly analyze the advantages of the LLAKEP and provide a use case of LLAKEP in this section. Furthermore, we test the computation time, the total running time and the bit rate of different protocols. The experimental environment is shown in

Table 8. Experiment devices and environments.

	Device	CPU	Core	RAM	Programming Language
Experiment I	Laptop	i5-8250U 1.8 GHz	4	16 GB	Python
	Laptop	i5-8250U 1.8 GHz	4	16 GB	Python
Experiment II/III/IV/V	Laptop	i5-8250U 1.8 GHz	4	16 GB	Python
	Raspberry Pi	1.2 GHz ARM	4	1 GB	Python

. We use $T_A^D$ to represent the time of running A on device D.

7.1. Experiment I

We use two identically configured laptops to represent the correspondents of the LLAKEP and test under the elliptic curves recommended by the National Institute of Standards and Technology Federal Information Processing Standard [30] (i.e., curves P-192, P-224, P-256, P-384, and P-521). From Figure 3, the following are some verified results:

For the average computing time on the $EBR$ side:

$$T_{LLAKEP}^{EBR}<T_{2PAKEP}^{EBR}.$$

The results show that LLAKEP does reduce the computational burden on the EBR’s side.

7.2. Experiment II

We use a Raspberry Pi to represent the smart glasses and a laptop to represent the energy device. Smart glasses have less computing capability than laptops. We test LLAKEP under the same conditions as the elliptic curve of Experiment I. From Figure 4, the following are some verified results:

• For the average computing time on the $EBR$ side:

  $$T_{LLAKEP}^{EBR}<T_{2PAKEP}^{EBR}.$$
• For the average total computing time:

  $$T_{LLAKEP}<T_{2PAKEP}.$$

It shows that the weaker device (i.e., smart glasses) in LLAKEP has shorter computation time. Further, LLAKEP has shorter total computation time compared with 2PAKEP.

7.3. Experiment III

This experiment measures the total running time of LLAKEP on two communicating parties (a Raspberry Pi and a laptop). From Figure 5, the following are some verified results:

For the average total time:

$$T_{LLAKEP}<T_{2PAKEP}.$$

The results show that LLAKEP still has shorter total running time compared with 2PAKEP.

7.4. Experiment IV

We assume bits of different messages in

Table 9. Bits of different messages.

Message	Number of Bits
Identity	160
Message digest	160
Nonce	160
Timestamp	160
Elliptic curve point	320

.

Therefore, in the authentication phase of the LLAKEP, $Msg1$ needs (160 + 160 + 160 + 32) = 512 bits, $Msg2$ needs (160 + 320 +32) = 512 bits and $Msg3$ needs (160 + 32) = 192 bits. The total bits of LLAKEP is 1216 bits. Combining the total runtime of the protocol in Experiment III with the elliptic curve P-256, we can calculate the bit rate. The higher the bit rate, the faster the data transfer speed. The results are shown in

Table 10. Bit rate comparison.

Protocol	Number of Bits	Bit Rate (Bit per Second)
2PAKEP [17]	1376	6048.8
LLAKEP	1216	6197.8

.

For the bit rate $Br$:

$$B{r}_{LLAKEP}>B{r}_{2PAKEP}.$$

Therefore, the transmission latency of LLAKEP is lower.

7.5. Experiment V: Use Case Study

This section illustrates usages and advantages of LLAKEP via a use case in a batterty swap cabinets scenario.

7.5.1. Scenario Description

At present, there are more than 300 million electric bikes in China. In order to meet a large number of battery swap needs, China Tower has built an intelligent power exchange system. They have also deployed battery swap stations (Figure 6).

In the future, with the development of the Metaverse, electric bike riders will use smart glasses to interact with battery swap cabinets. During the peak period, a large number of riders will need to authenticate and pay at the same time.

7.5.2. Application of LLAKEP

The following steps explain how we can use LLAKEP.

Initialization: devices A and B should support LLAKEP. Specifically, device A is smart glasses; device B is a battery swap cabinet.

Secure Handshake: suppose there are N smart glasses in the battery swap cabinet scenarios.

Secure Messaging: A and B use the generated session key to send the message (battery type and payment information) securely.

7.5.3. Advantages

In this part, we analyze the advantages of LLAKEP. According to the statistics from the battery swap station management system (Figure 7 and Figure 8), the number of battery swap stations in Taiyuan city is 270. One battery swap station has 10 battery swap cabinets. In the peak time, 2700 riders use smart glasses to authenticate. After successful authentication, the rider will pay for the swap of a battery. Taking P-256 as an example, Figure 9 shows the authentication protocol running time of battery swap stations in the peak time. Experiment results show that LLAKEP can reduce latency effectively.

8. Conclusions

This paper proposes a secure, low-latency authentication protocol LLAKEP for the EIoT. LLAKEP reduces the computational burden on weaker devices by changing the time-consuming cryptographic operations needed in the algorithms for both sides of communication. In addition, a provable security model and a logic analysis are used to analyze LLAKEP. Results show that the security of LLAKEP is guaranteed. When the computing capability of both parties is unbalanced, experimental results show that LLAKEP can reduce the computing time of the device with weaker computing capability. It can improve the efficiency of authentication. Finally in the use case, we apply LLAKEP for EIoT electricity transaction system in the Metaverse.

In the future, we will continue to optimize the low-latency algorithm, and design more low-latency AKE protocols suitable for Metaverse scenarios.