An Efficient Authenticated Key Agreement Scheme Supporting Privacy-Preservation for Internet of Drones Communications

In recent years, due to the rapid development of the Internet of Things (IoT), various physical things (objects) in the IoT are smart enough to make their own decisions without the involvement of humans. The smart devices embedded in a drone can sense, collect, and transmit real-time data back to the controller from a designated environment via wireless communication technologies. The mobility, flexibility, reliability and energy efficiency of drones make them more widely used in IoT environments such as commercial, military, entertainment applications, traffic surveillance and aerial photography. In a generalized Internet of Drones (IoD) architecture, we have communications among the drones in a flying zone, among the drones and the control server, and also among the drones and authorized users. IoD still has many critical issues that need to be addressed, such as data access being carried out through a public channel and battery-operated drones. To address these concerns in IoD communications, this paper proposes an efficient authentication and secure communication scheme with privacy preservation that uses only a secure one-way hash function and bitwise XOR operations when the control server, drone and user mutually authenticate each other. After successful authentication, both IoD-based participants can agree on a common session key to secure the subsequent communication messages. The widely accepted ProVerif and BAN logic analysis have been used to assure that the proposed scheme is provably secure against existing well-known security attacks and ensures privacy. Finally, a comparative analysis is presented to demonstrate that the proposed scheme preserves efficiency when compared to existing competitive schemes.


Introduction
For the past few years, as information and communication technology (ICT) advances and smart devices increase dramatically, the Internet of Things (IoT) has become a much-talked-about topic among many experts and large ICT companies [1]. Due to its capability

1. For civilian purposes [9]:
   i. For photography purposes: Allowing TV/film producers to take aerial photography in a new manner by using drones, thus enhancing the aerial view to a higher extent.
   ii. For natural disaster assessment and control purposes: After Hurricane Katrina hit the United States in 2005, drones were used for disaster control and assessment to observe which roads were blocked by fallen trees, cars, and road barriers, or to search for missing, injured, and trapped people.
   iii. For emergency response purposes: Like ambulances, drones can be used as portable medical kits which can send medical supplies to emergency units on site, particularly when the emergency site is inaccessible for vehicles. Furthermore, affected by the recent COVID-19 pandemic, drones have been deployed on the streets of Spain and China (mainly Wuhan), to raise people's awareness of the crisis via cameras and broadcasters, or aerial spraying for disinfection. Furthermore, drones can be used as a means of delivering food and medication to infected patients, aiming to transport tested samples at a higher speed, and reduce human contact.
   iv. For environmental monitoring purposes: Drones can be used to perform tasks of measuring environmental pollution, such as those for air quality measurement and analysis; perform agricultural tasks, such as soil analysis, crop/livestock management/disease, and pest control; perform animal protection tasks, such as nature/wildlife protection/anti-poaching/endangered species protection.

2. For police purposes [10]:
   i. For traffic monitoring purposes: Drones can be used to monitor traffic and accident scenes. For example, the Spanish government has adopted drones to monitor traffic bottlenecks since 2015.
   ii. For criminal-tracking purposes: Drones can be used to monitor crime scenes and prison fugitives. For example, the Ohio State Police Station used a drone to track an escaped prisoner and track him down in 2016.
   iii. For forensic search-and-rescue purposes: Drones can be used to tackle crimes, such as the missing person and murder case of Ms. Tara Grinstead in 2015, for whom Georgia police used a fixed-wing drone called Spectra to search.

3. For military purposes [11]:
   i. For aerial surveillance/reconnaissance purposes: Drones can be deployed in the air to collect intelligence and information and further identify and track the locations of terrorist camps, vehicles, weapons, plants, and improvised explosive devices. For example, Russia collected new drone footage that unveiled how Turkey used artillery operations to attack the Syrian army in 2020.
   ii. For airstrike purposes: As early as 2002, the U.S. military used drones for airstrike missions and then developed them for application with British allies in the global anti-terrorism war. In addition, Israel also made use of drones to conduct airstrikes against military installations/key targets/people in Iraq and Syria on the west coast.
   iii. For drone hijacking purposes: Drone hijacking is mainly achieved via GPS intervention/spoofing, which was used to resolve the conflict in Ukraine and stood up to the threat from the Islamic State until the city of Mosul was finally liberated from the Islamic State in 2017.

4. For criminal attack purposes [12]:
   i. Physical attacks: Drones can easily be used to destroy people's privacy and threaten their private property by crashing into people or their property intentionally or unintentionally to cause them serious damage. Moreover, some drones can fly as high as 500 m in the air, just like bird strikes, which can cause serious damage to aircraft in flight.
   ii. Logical attacks: They include spoofing a hotspot of a mobile Wi-Fi network, allowing the victim users to connect and monitor their sensitive messages, such as account passwords and credit card data, or implanting malware into smartphones and mobile devices that are connected to the malicious hotspot. Furthermore, a Raspberry Pi device connected to a drone can also be maliciously coded to intercept or hijack other drones nearby.
From the perspective of security and threat analysis, drone-assisted public safety networks require stricter controls than traditional wireless networks such as wireless sensor networks (WSN) [13] and mobile ad hoc networks (MANET) [14] to restrict the unauthorized collection of images and videos by drones. Though drones carry less information and less power, they can cover a wider range than WSNs and MANETs. As a result, the challenge of drone network security is how to provide communication channels with confidentiality, integrity, availability, authentication, and non-repudiation under the resource constraints and latency constraints of drones. In practice, various technologies for drone operations and their specific properties are being explored and misused for potential attacks, including performing terrorist attacks and reconnaissance, tracking specific people, and monitoring certain properties, thus arousing security and privacy concerns. Furthermore, if a drone is out of order and crashes into nearby private houses, public facilities, parked cars, or civilians, it could also lead to casualties and damage to property. On the other hand, drones mainly make use of Wi-Fi, short-range Wi-Fi, Bluetooth, or other wireless devices, such as Bluetooth-connected keyboards; if the security measures for connecting to these devices are inadequate, such as insecure single-factor authentication and easy-to-break typical passwords, attackers can easily intercept messages and destroy private buildings and public areas.
In plenty of authentication and key agreement (AKA) schemes [15][16][17][18][19][20][21][22][23], symmetric and asymmetric cryptosystems have been proposed to implement comprehensive authentication for IoT and IoD environments. However, given the resource-constrained nature of drones, they cannot spend a large amount of energy executing complex cryptographic operations on large datasets, so an AKA scheme must be sufficiently lightweight in terms of computational complexity, communication overhead and memory demand. Turkanović et al. first proposed an IoT-based AKA scheme [24] for WSNs, and their scheme is highly efficient as it only uses lightweight hash and bitwise XOR computations. Although it achieves lightweight authentication, Farash et al. [25] pointed out that their devised scheme is prone to man-in-the-middle attack and node impersonation attack, and additionally does not provide node anonymity and user traceability. In order to provide better security, Wazid et al. designed a novel AKA scheme [26] for UAV distributed networks. However, Lei et al. [27] pointed out that the protocol does not provide perfect forward secrecy. Meanwhile, Rodrigues et al. [28] designed two methods for the drone communication environment. The first one is modified based on the AKA scheme of Farash et al. [25], allowing for a direct connection between a drone and another one; the second one is modified based on the AKA scheme of Jiang et al. [18], which allows a drone to communicate with another one through a ground control station. However, their AKA schemes fail to resist ephemeral secret leakage (ESL) attacks under the Canetti-Krawczyk (CK) threat model. Recently, Zhang et al. proposed a lightweight AKA scheme [29] with anonymity and untraceability for IoD environments, and their AKA scheme can be proven secure under the random oracle model.
All the drones and the users are registered with a central trusted authority, the control server (namely CS), prior to their deployment. By verifying the validity of the transmitted messages, all participants in IoD can ensure mutual authentication and establish a common session key securely. In this paper, we will propose an improved version of Zhang et al.'s scheme that not only provides the same level of security with anonymity and untraceability but also protects the scheme from various known attacks.
In order to achieve the aforementioned security requirements of previous authentication schemes in IoD environments, in this paper, we propose a lightweight mutual authentication and privacy preservation scheme to resist several security attacks and provide a series of important features cited above. The main contributions of this paper are given as follows: (1) In our lightweight authentication scheme, the properties of drone anonymity and drone untraceability can be guaranteed at the authentication and key agreement phase when the involved participants transmit messages via a public IoD channel. (2) In comparison with existing IoT-assisted authentication schemes for IoD communications, our proposed scheme can not only maintain the efficiency of computational and communication overheads, but also achieve the basic security features mentioned in prior studies. (3) Informal security analysis and BAN logic analysis are performed and ProVerif-based formal security simulation is implemented, to demonstrate that our scheme is secure against various security attacks.
The remainder of the paper is organized as follows. Section 2 presents a new security architecture along with the threat model for IoD communication environments. Section 3 introduces our authentication and key agreement scheme with privacy preserving for IoD communications. The informal security analysis with the formal security verification using the widely accepted ProVerif simulation and BAN logic of the proposed scheme are given in Section 4. An in-depth performance comparison of the proposed scheme with existing IoD authentication schemes is given in Section 5. Finally this paper is concluded in Section 6.

System Architecture in IoD Communications
In this section, we will illustrate the proposed system architecture for the IoD paradigm. Subsequently we define two adversary models to evaluate its security and usability.

System Model
In terms of the design, the main participants in this paper were control server (CS), the trusted registration authority, users who could access IoD data using mobile devices, some mobile-type drone nodes deployed in the application fields to collect and broadcast data from the fly zone. CS is a trusted unit responsible for registering and issuing unique identifiers and generating secret parameters for users and drones. By deploying drone nodes via CS in fly zones for authority control, these drone nodes can be seen as cluster heads for a specific fly zone, providing an efficient and well-designed communication and authentication mechanism for IoD environments to avoid the single point of failure of traditional single centralized certificate centers. An external user can access certain specific drone nodes in the IoD environment via Internet communication and his/her mobile device, given that he/she is authenticated and authorized by the CR to access these drones. In this paper, the IoD communication and authentication mechanism for IoD applications included three modes, namely CS-to-Drone communication, CS-to-User communication, and User-to-Drone communication. The overall communication architecture diagram of IoD is illustrated in Figure 1.

Threat Model
According to the system architecture shown in Figure 1, drones, mobile users and control servers can communicate with each other and all communications of IoD take place over public channels. In the threat model, we adopt the widely used Dolev-Yao (DY) threat model and the Canetti-Krawczyk (CK) adversary model. According to the definition of the DY model, the communication channel between any two entities is open and insecure, and the end-point entities are not trusted. An adversary can eavesdrop on and collect the messages exchanged on the IoD network, and can also delete or tamper with the messages transmitted over the public channel. According to the definition of the CK model, the mobile device of a $U_i$ may be lost or stolen. The system parameters stored in that device can also be extracted by using a power analysis attack. Furthermore, an adversary may physically capture some drone node $V_j$ and extract the stored parameters in $V_j$ with the help of a complicated power analysis attack. Therefore, the compromised data can be used to undermine the security of IoD communications, for example through session key exposure, impersonation attack, replay attack, privacy exposure attack and man-in-the-middle attack. Note that CS is a trusted party and it will not be compromised by adversaries.

The Proposed Scheme
In this section, we propose a new lightweight authentication and key agreement scheme with privacy preservation for IoD communications. The proposed scheme consists of the following four phases: system setup, user registration, drone registration, and authentication and key agreement phase. The details of the proposed scheme are described in the following subsections. The notations used in the proposed scheme are summarized as follows.
• $U_i$: The $i$th mobile user.
• $V_j$: The $j$th drone.
• CS: The control server.
• $ID_i$, $PW_i$: The identity and password of $U_i$.
• $ID_j$: The identity of $V_j$.
• $k$, $MSK$: 160-bit secret value and master key of CS.
• $n$: 160-bit public parameter selected by CS.
• $T_{U_i}$, $T_{V_j}$, $T_{CS}$: The current timestamp of $U_i$, $V_j$ and CS, respectively.
• $r_1$, $r_2$: 160-bit random numbers of $U_i$ and $V_j$, respectively.
• $L_{V_j}$: An active drone list.

System Setup Phase
In this phase, CS first generates $MSK$ and $k$ as its master key and secret value, respectively. Then, CS chooses a secure one-way hash function $h : \{0, 1\}^* \to Z_n^*$, where $n$ is a 160-bit public parameter chosen by CS. Finally, CS saves $(MSK, k)$ secretly and publishes $(h(\cdot), n)$.

User Registration Phase
In this phase, every mobile user $U_i$ needs to perform the user registration procedure with CS via a secure channel. The graphical representation of the registration procedure of the user is depicted in Figure 2.
Step 1. $U_i$ chooses his/her identity $ID_i$, password $PW_i$ and a random number
Step 2. After receiving the registration request from $U_i$, CS checks the uniqueness of $U_i$'s identity. If the uniqueness of $ID_i$ is satisfied, CS computes $A_i = h(PID_i \| MSK)$ and sends it to $U_i$ securely.
Step 3. After receiving
the tamper-proof memory, which means that the parameters $B_i$ and $r_{U_i}$ can be used during the computation, but it is unable to extract them from the mobile device of $U_i$.

Drone Registration Phase
In this phase, every drone $V_j$ needs to complete the drone registration procedure with CS via a secure channel. The graphical representation of the registration procedure of the drone is depicted in Figure 3.
Step 1. CS selects a unique identity $ID_j$ for $V_j$ and computes $\alpha_j = h(ID_j \| k)$. Then CS saves $(ID_j, \alpha_j)$ in list $L_{V_j}$ and sends $\{ID_j, \alpha_j\}$ to $V_j$ securely.
Step 2. After receiving the registration parameters from CS, $V_j$ stores $ID_j$ and $\alpha_j$ in its memory securely.

Authentication and Key Agreement Phase
After registration, $U_i$ and $V_j$ can communicate with each other and establish a common session key $SK_{ij} = SK_{ji}$ for securing future communications. The graphical representation of the proposed authentication and key agreement phase is depicted in Figure 4.
Step 1. $U_i$ opens the login portal and inputs his/her identity $ID_i$ and password $PW_i$ into the mobile device. Then the mobile device retrieves $(B_i, r_{U_i})$ and computes
Then it randomly generates two 160-bit random numbers $r_{U_i}^{new}, r_1 \in Z_n^*$ and computes $PID^{new}$
Step 2. After receiving the authentication request from $U_i$, CS checks whether $time - T_{U_i} \le \Delta T$ holds or not. If not, CS rejects the authentication request immediately.
Step 3. CS checks whether $M_3 = M_3$ holds or not. If yes, CS authenticates the legality of $U_i$. Otherwise, CS rejects $U_i$'s authentication request. Now, CS randomly assigns an active drone $V_j$ in IoD for $U_i$ and computes
Step 4. After receiving the message from CS, $V_j$ checks whether $time - T_{CS} \le \Delta T$ holds or not. If not, $V_j$ rejects this session. Otherwise, $V_j$ retrieves $\alpha_j$ and computes
Otherwise, it implies that $V_j$ is also authenticated to $U_i$ and the common session key $SK_{ij} = h(PID_i^{new} \oplus r_1 \oplus r_2) = SK_{ji}$ will be used for securing IoD communications between $U_i$ and $V_j$. Finally,
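The following Python sketch is an added example, not the authors' code. It exercises the parts of the scheme that this page states explicitly: A_i = h(PID_i || MSK), alpha_j = h(ID_j || k), the time - T <= delta_T freshness check, and SK_ij = h(PID_new XOR r_1 XOR r_2). Assumptions: SHA-256 truncated to 160 bits as h, length-prefixed concatenation, and a hypothetical `mask` helper standing in for the messages M_1 to M_10, whose definitions are not given on this page; `ControlServer` and `run_session` are likewise illustrative names.

```python
import hashlib
import secrets

N_BYTES = 20  # 160 bits, the size the paper gives for k, r_1 and r_2


def h(*parts: bytes) -> bytes:
    """h(a || b || ...) as a 160-bit value.

    Assumptions: SHA-256 truncated to 160 bits as the one-way hash, and a
    length prefix on each part so the concatenation is unambiguous.
    """
    md = hashlib.sha256()
    for part in parts:
        md.update(len(part).to_bytes(4, "big") + part)
    return md.digest()[:N_BYTES]


def xor(*vals: bytes) -> bytes:
    """Bitwise XOR of 160-bit strings."""
    out = bytes(N_BYTES)
    for v in vals:
        if len(v) != N_BYTES:
            raise ValueError("operand is not 160 bits")
        out = bytes(a ^ b for a, b in zip(out, v))
    return out


def is_fresh(now: int, t_sent: int, delta_t: int) -> bool:
    """The check time - T <= delta_T from Steps 2 and 4.

    Rejecting timestamps from the future is an added hardening; the bare
    inequality would accept them.
    """
    return 0 <= now - t_sent <= delta_t


def mask(value: bytes, credential: bytes, label: bytes, t: int) -> bytes:
    """Hypothetical stand-in for the paper's masked messages: XOR the value
    with a pad only a holder of the credential can recompute. The label keeps
    the pads for PID_new and r_1 distinct. Applying it twice unmasks."""
    return xor(value, h(credential, label, t.to_bytes(8, "big")))


def session_key(pid_new: bytes, r1: bytes, r2: bytes) -> bytes:
    """SK_ij = h(PID_new XOR r_1 XOR r_2)."""
    return h(xor(pid_new, r1, r2))


class ControlServer:
    def __init__(self) -> None:
        self.msk = secrets.token_bytes(N_BYTES)  # master key MSK
        self.k = secrets.token_bytes(N_BYTES)    # secret value k
        self.drone_list = {}                     # L_Vj: ID_j -> alpha_j

    def user_credential(self, pid_i: bytes) -> bytes:
        return h(pid_i, self.msk)                # A_i = h(PID_i || MSK)

    def register_drone(self, id_j: bytes) -> bytes:
        if id_j in self.drone_list:
            raise ValueError("drone identity already registered")
        self.drone_list[id_j] = h(id_j, self.k)  # alpha_j = h(ID_j || k)
        return self.drone_list[id_j]


def run_session(cs, pid_i, a_i, id_j, alpha_j, now, delta_t=5):
    """One key agreement; returns (SK_ij at the user, SK_ji at the drone)."""
    # User: fresh PID_new and r_1, hidden under A_i.
    pid_new = secrets.token_bytes(N_BYTES)
    r1 = secrets.token_bytes(N_BYTES)
    login = (pid_i, mask(pid_new, a_i, b"pid", now), mask(r1, a_i, b"r1", now), now)

    # CS: freshness check, then recompute A_i from PID_i and MSK to unmask.
    pid_rx, c_pid, c_r1, t_u = login
    if not is_fresh(now, t_u, delta_t):
        raise ValueError("stale login request")
    a_rx = cs.user_credential(pid_rx)
    pid_cs = mask(c_pid, a_rx, b"pid", t_u)
    r1_cs = mask(c_r1, a_rx, b"r1", t_u)
    a_j = cs.drone_list[id_j]
    relay = (mask(pid_cs, a_j, b"pid", now), mask(r1_cs, a_j, b"r1", now), now)

    # Drone: freshness check, unmask with its stored alpha_j, pick r_2.
    d_pid, d_r1, t_cs = relay
    if not is_fresh(now, t_cs, delta_t):
        raise ValueError("stale relay message")
    r2 = secrets.token_bytes(N_BYTES)
    sk_ji = session_key(mask(d_pid, alpha_j, b"pid", t_cs),
                        mask(d_r1, alpha_j, b"r1", t_cs), r2)

    # Delivery of r_2 back to the user is not modelled here.
    sk_ij = session_key(pid_new, r1, r2)
    return sk_ij, sk_ji


if __name__ == "__main__":
    cs = ControlServer()
    pid = h(b"constructed-user-id", secrets.token_bytes(N_BYTES))  # constructed PID_i
    a_i = cs.user_credential(pid)
    alpha = cs.register_drone(b"constructed-drone-1")
    sk_ij, sk_ji = run_session(cs, pid, a_i, b"constructed-drone-1", alpha, now=1000)
    print("keys match:", sk_ij == sk_ji)
```

A party holding the wrong A_i or the wrong alpha_j ends up with a different key, and each run draws fresh PID_new, r_1 and r_2, so keys differ between sessions.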

Security Analysis of the Proposed Scheme
In this section, meticulous informal security analysis and the security verification are carried out using ProVerif to prove the security and the validity of the proposed scheme. In addition, BAN logic is utilized to corroborate the logical exactitude of the proposed scheme.

Simulation Verification with ProVerif
ProVerif is a proper tool that can automatically analyze cryptographic protocols and verify the security and reliability of authentication protocols. The specific operation of ProVerif is described in detail below.
The symbols used in the proof process are defined as shown in Figure 5. The "sch" and "ch" refer to the secure channel and the common channel. The functions used mainly include h(), xor(), and con(), which represent the hash operation, XOR operation and join operation, respectively. Figure 6 shows the defined queries and events. Here, $SK_{ij}$ and $SK_{ji}$ represent the common session keys of the user and the drone, respectively. The event UserStarted() indicates that the user $U_i$ starts working, the event UserAuthed() indicates that the user is authenticated, the event ControlServerAcUser() indicates that the control server CS authenticates the user, the event DroneAcControlServer() indicates that the drone $V_j$ authenticates the control server, the event UserAcControlServer() indicates that the user $U_i$ authenticates the control server, and the event UserAcDrone() means that the user $U_i$ authenticates the drone. The tripartite agreement of user $U_i$, drone $V_j$ and control server CS is converted into ProVerif code as shown in Figure 7, Figure 8 and Figure 9, respectively. In the working process of $U_i$, out(sch, (IDi, PIDi)) and in(sch, (xAi : bitstring)) represent the messages sent and received by $U_i$ through the secure channel during the registration phase. After completing the registration, $U_i$ starts authentication by executing the event UserStarted(). Next, out(ch, (PIDi, M1, M2, M3, TUi)) represents the message transmitted from $U_i$ to CS over the common channel, and in(ch, (xM7 : bitstring, xM8 : bitstring, xM9 : bitstring, xM10 : bitstring, xTVj : bitstring)) represents the message transmitted from $V_j$ to $U_i$ over the common channel. In addition, the working process of CS includes UiReg for $U_i$ registration by CS, VjReg for $V_j$ registration by CS, and CSAuth for the authentication operation of CS. Finally, the results of the execution of the ProVerif code are shown in Figure 10.
The results in Figure 10 show that the sequence of events is normal, and it can be proved that the attacker cannot derive the common session key shared between $U_i$ and $V_j$ during IoD communications.

BAN Logic Analysis
In the proposed scheme, when the mobile device wants to communicate with the flying drone, they must authenticate each other. In the following description, we use the BAN logic model to prove the security of the proposed scheme. The notation of BAN logic is described as follows:
- $P \mid\equiv X$: P believes X or P would be entitled to believe X.
- P X: P sees X. Someone has sent a message containing X to P, who can read and repeat X.
- $P \mid\Rightarrow X$: P has jurisdiction over X. P is an authority on X and should be trusted on this matter.
- $P \mid\sim X$: P once said X. P at some time sent a message including X.
- The formula X is fresh, that is, X has not been sent in a message at any time before the current run of the protocol.
- $P \stackrel{K}{\longleftrightarrow} Q$: P and Q may use the shared key K to communicate.
- $P \stackrel{S}{\Longleftrightarrow} Q$: The formula S is a secret known only to P and Q and possibly to principals trusted by them.
In the authentication and key-agreement phase of the proposed scheme, the main goal of our scheme is to authenticate the session key establishment between a mobile user U i and the flying drone V j .
According to the authentication and key agreement phase, we use BAN logic to produce an idealized form as follows: To analyze the proposed scheme, we make the following assumptions: According to these assumptions and rules of BAN logic, we show the main proof of the session key establishment between a mobile user U i and the flying drone V j as follows: Flying drone V j authenticates mobile device U i . By M1 and the seeing rule, we can derive: By A2 and the freshness rule, we can derive: By S1, A4 and the message meaning rule, we can derive: By S2, S3, and the nonce verification rule, we can derive: By S4 and the belief rule, we can derive: By S5, A6 and the jurisdiction rule, we can derive: By S6 and the belief rule, we can derive: By S7, A7 and the jurisdiction rule, we can derive: Mobile device U i authenticates flying drone V j . By M2 and the seeing rule, we can derive: By A1 and the freshness rule, we can derive: By S9, A3 and the message meaning rule, we can derive: By S10, S11, and the message meaning rule, we can derive: By S12, A5, and the jurisdiction rule, we can derive: By S5, S8, S12 and S13, it can be proved that, in our authentication scheme, the mobile device U i and the flying drone V j authenticate each other with the help of control server CS. In addition, we are also able to prove that the proposed scheme can establish a common session key SK ij between the mobile device U i and the remote flying drone V j with the help of CS. Finally, the authentication and key agreement phase of our scheme thus guarantee the security of SK ij between U i and V j .

Scenario:
A malicious attacker uses an illegal flying drone V j to authenticate a legal mobile device U i . Analysis: The attacker will not succeed because the illegal flying drone V j has not been registered to the legal control server CS, and the illegal flying drone V j cannot calculate the correct session key SK. Thus, it will fail when the legal mobile device U i attempts to authenticate the illegal flying drone V j . In the proposed scheme, the attacker cannot achieve their purpose using an illegal flying drone V j . In the same scenario, the proposed scheme can also defend against a malicious attack using an illegal mobile device U i to connect to a legal flying drone V j . This is because the illegal mobile device U i has not been registered to the legal control server CS, and thus the illegal mobile device U i cannot calculate the correct session key SK. Therefore, the attack will fail when the legal flying drone V j attempts to authenticate the illegal mobile device U i .

Informal Security Analysis
In this subsection, we present the informal security analysis of the proposed scheme and show that it satisfies the following security features and attack resilience in IoD environments.

, T V j }, which are communicated during the authentication and key agreement phase of the proposed scheme. From these messages, it is hard for A to derive $U_i$'s real identity $ID_i$ from $PID_i$ without knowing the random number $r_{U_i}$ because $PID_i$ is protected with the cryptographic hash function $h(\cdot)$. That is to say, $U_i$'s real identity is transmitted in cipher format instead of plaintext. Therefore, user anonymity can be provided in the proposed authentication scheme.

Proposition 2. The proposed scheme ensures untraceability between a mobile user and the control server and also between a mobile and its associated drone.
Proof. In the proposed authentication mechanism, the generation of messages $\{PID_i, M_1, M_2, M_3, M_4, M_5, M_6, M_7, M_8, M_9, M_{10}\}$ incorporates the fresh random numbers $r_{U_i}$, $r_1$, and $r_2$, and the pseudonym ID and session key are updated after each successful authentication. As a result, it is impossible for A to correlate the communicated messages from the current and previous AKA process, and the proposed scheme can provide untraceability.

Proposition 3. The proposed scheme supports mutual authentication between any two communicating parties, and also between a drone $V_j$ and its associated $U_i$.
Proof. During the proposed authentication process as presented in Section 3.4, a drone $V_j$ verifies its associated $U_i$'s legitimacy before establishment of a session key. In the session, CS first checks the freshness of $U_i$'s login request by validating the timestamp $T_{U_i}$ in the messages $\{PID_i, M_1, M_2, M_3, T_{U_i}\}$. Later, CS checks $M_3$ to authenticate $U_i$. When receiving $\{M_4, M_5, M_6, M_7, M_8, T_{CS}\}$ from CS, $V_j$ checks $T_{CS}$ and $M_6$ to authenticate CS and $U_i$. If both conditions are validated successfully, $V_j$ agrees on a session key with $U_i$. In a similar way, when receiving $\{M_7, M_8, M_9, M_{10}, T_{V_j}\}$, $U_i$ checks $T_{V_j}$ and $M_{10}$ to authenticate $V_j$, and $U_i$ also agrees on a session key with $V_j$. Finally, the proposed scheme achieves mutual authentication and both $U_i$ and $V_j$ ensure that they share the same session key with the help of CS for securing future IoD communications.

Proof. After the successful authentication process, $U_i$ and $V_j$ can establish a common session key $SK_{ij} = h(PID_i^{new} \oplus r_1 \oplus r_2)$, and the adversary A may try to derive $SK_{ij}$ to damage the later IoD communications between them. However, in Step 1 of the authentication and key agreement phase, A cannot get $PID_i^{new}$ and $r_1$ from $M_1$ and $M_2$ without knowing $A_i = h(PID_i \| MSK)$. Similarly, in Step 5 of the authentication and key agreement phase, A cannot obtain $r_2$ from $M_9$ without knowing $\alpha_j = h(ID_j \| k)$. Therefore, A cannot succeed with a session key disclosure attack on the proposed AKA scheme.

Proposition 5. The proposed scheme is resilient against known session key attack.
Proof. It can be observed from Section 3.4 that the session key $SK_{ij}$ is the combination of the session-specific credential $PID_i^{new}$ and two 160-bit random numbers $r_1$ and $r_2$. Moreover, the use of session-specific credentials and random numbers in the computation of session keys between $U_i$ and $V_j$ over different sessions always yields unique session keys. Even if a session key is disclosed for a specific session, it will not help in computing the session keys of other sessions. Thus, the contributed scheme is protected from known session key attack.

Proposition 6. The proposed scheme is protected against drone capture attack.
Proof. According to the CK adversary model defined in Section 2.2, an adversary A may physically capture the drone in the sensing environment and maliciously extract the stored contents from its memory by using power analysis attacks. In this way, A can get $\{ID_j, \alpha_j\}$ from the memory of the compromised drone $V_j$. By capturing $V_j$, A can only compromise the session key between a victim user $U_i$ and $V_j$. Since the identities and credentials of all $V_j$ are distinct in the IoD network, A cannot compromise other non-captured drones, because the contents stored in the remote drones are distinct and unique. Finally, compromise of a drone does not damage secure IoD communications between a user and other non-compromised drones, and the contributed scheme is resilient against drone capture attack.

Proposition 7. The proposed scheme is secure against stolen device attack.
Proof. Suppose an adversary A somehow gets or steals the mobile device of user $U_i$ and extracts the stored contents $\{B_i, r_{U_i}\}$ from its memory by using power analysis attacks. Thus, A can get access to the IoD environment. However, A cannot derive the valid secret credential $A_i$ due to the protection of $U_i$'s password. Moreover, the password is protected by a one-way hash function, which is non-invertible. Although A can guess the password of $U_i$, he/she cannot verify the correctness without having $U_i$'s identity $ID_i$ and the login parameters of the previous session. Therefore, the contributed scheme can resist stolen device attack.

Proposition 8. The proposed scheme is secure against three kinds of impersonation attacks: user impersonation, CS impersonation and drone impersonation.
Proof. The following impersonation attacks related to the contributed scheme are taken into account.
(a) User impersonation attack: Suppose an adversary A tries to pass himself/herself off as a legitimate user $U_i$ and wants to generate an authorized login request of $U_i$ and forge messages by extracting the important credential $PID_i$ of $U_i$ to prove A's authenticity. In order to perform this operation, A needs to choose two random numbers $r_A^{new}$ and $r_1^*$ and a timestamp $T_{U_A}$ and computes
However, due to the lack of knowledge about $A_i$, A will fail to compute $M_1$ as a valid login parameter. Therefore, the proposed scheme is secure against user impersonation attack.

Performance Evaluation
This section shows a detailed comparison among the proposed scheme and those of the most relevant state-of-the-art schemes in the IoD environment, such as the schemes of Singh et al. [30] and Zhang et al. [29] in terms of security features, computational and communication overheads.

Comparison of Security Features
In this section, we compare the security features and attack protection of the contributed scheme against relevant schemes [29,30]. It is clear from Table 1 that the scheme of Singh et al. [30] is insecure against session key exposure attack, impersonation attack, drone capture attack and stolen device attack, and that the scheme of Zhang et al. [29] is unprotected against session key exposure attack and impersonation attack. Furthermore, the scheme of Singh et al. [30] lacks mutual authentication, user anonymity and untraceability, and the scheme of Zhang et al. [29] does not provide user anonymity and untraceability. Therefore, the proposed AKA scheme can provide more security features and protect against all kinds of attack, which makes it more suitable for generic secure communications in IoD-based environments.

Comparison of Computational Overhead
To analyze the comparative computational overhead, we use the symbols listed in Table 2 with their execution times as per the experiment presented in [31] on a mobile (drone) device with a 2.45 G processor and 2 GB memory, running the Android 4.4.2 operating system. The control server is simulated on a PC I5-4460S with a 2.90 GHz processor and 4 GB memory, running the Windows 8 operating system: Table 3, total computational overhead of the proposed scheme, the scheme of Singh et al. [30], Zhang et al. [29] is $27T_h \approx 1.022$ ms, $4T_{exp} + 12T_{mul} \approx 9.092$ ms, $24T_h \approx 1.001$ ms, respectively. The computational overhead of the proposed scheme is slightly higher than that of Zhang et al., whereas the proposed scheme has less computational overhead than the scheme of Singh et al. Moreover, the proposed scheme is more secure than all the rest of the related schemes, as proved earlier.

Comparison of Communication Overhead
This section presents another significant performance factor, namely communication overhead, to demonstrate the efficiency of the proposed scheme. For comparison purposes and for simplicity, let $|G|$ denote the 1024-bit length of an element in $G$ and $|Z_n|$ denote the 160-bit length of an element in $Z_n$. The symbol $|T|$ denotes a timestamp 32 bits in length and participant identities. We compare the communication overhead of different participants during the login and authentication phases, where the bits sent over the communication channel and the number of messages transmitted between them are also considered.

Conclusions
In this paper, we proposed a lightweight hash-based authenticated key agreement and privacy preservation scheme without using symmetric/asymmetric cryptographic operations for IoD environments. The proposed scheme is a three-party AKA mechanism, which enables mobile users to communicate securely, through the public communication channel, with the IoD participants such as control server and drones. Moreover, the proposed scheme can provide anonymity and untraceability of the participants in IoD. We proved the security of the proposed scheme formally through the ProVerif tool and BAN logic analysis as well as informally. The comparative analysis depicts that the proposed scheme achieves better trade-off among security features, computational overhead and communication cost. From the results, it is concluded that the proposed scheme not only supports more security features but is also suitable for the drones or resource-constrained sensing devices in the IoD environments.