# Provably Secure Mutual Authentication and Key Agreement Scheme Using PUF in Internet of Drones Deployments

## Abstract


## 1. Introduction

#### 1.1. Research Contributions

- We review and perform a security analysis of Akram et al.’s scheme. Then, we propose a MAKA scheme designed to ensure high security using biometrics and PUF. Hash functions and exclusive-OR operations are used for lightweight architecture, making the proposed scheme suitable for drone networks. Moreover, a fuzzy extractor and PUF are applied in the proposed scheme to enhance the security level.
- We perform an informal analysis to ensure that the proposed scheme can provide security against various attacks, including offline password guessing, session key disclosure, verification table leakage, impersonation, and DoS attacks. Additionally, we show that the proposed scheme can achieve mutual authentication, perfect forward secrecy, untraceability, and anonymity.
- We evaluate and compare the security features, communication, and computation costs of the proposed scheme with existing authentication schemes, including Akram et al.’s scheme.

#### 1.2. Organization

## 2. Related Works

## 3. Preliminaries

#### 3.1. System Model

- Remote user (${U}_{m}$): A remote user ${U}_{m}$ owns a mobile device to receive IoD services. To communicate with a drone ${D}_{n}$, ${U}_{m}$ must register with the control center. ${U}_{m}$ utilizes biometric technology in addition to identity and password to store sensitive information safely.
- Control center: The control center is a trusted third party with sufficient computation and storage capacities. Therefore, the control center performs the role of system manager of the IoD environment. Furthermore, the control center authenticates both ${U}_{m}$ and ${D}_{n}$ using their information and helps ${U}_{m}$ to access ${D}_{n}$. The control center generates secret keys for ${U}_{m}$ and ${D}_{n}$ from their identities.
- Drone (${D}_{n}$): A drone ${D}_{n}$ collects data in its particular flying zone and must be registered with the control center to communicate with ${U}_{m}$. Then, ${D}_{n}$ sends the data to ${U}_{m}$ through the control center. Moreover, ${D}_{n}$ has restricted computation and storage capacities.

#### 3.2. Adversary Model

#### 3.3. Fuzzy Extractor

- $Gen\left(Bi{o}_{m}\right)=({\alpha}_{m},{\beta}_{m})$: It is a probabilistic algorithm that generates a secret key ${\alpha}_{m}$. The user inputs the biometric $Bi{o}_{m}$, and the function outputs the secret parameter ${\alpha}_{m}$ and the public reproduction parameter ${\beta}_{m}$.
- $Rep(Bi{o}_{m}^{*},{\beta}_{m})=\left({\alpha}_{m}\right)$: It is a deterministic algorithm to recreate the original ${\alpha}_{m}$. The function accepts a noisy user biometric $Bi{o}_{m}^{*}$ and controls the noise using the public reproduction parameter ${\beta}_{m}$. Then, this algorithm reproduces the original biometric secret key ${\alpha}_{m}$.
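
The following added example (not code from the paper) shows how $Gen$ and $Rep$ can tolerate a noisy reading. It assumes the code-offset construction with a repetition code and SHA-256; the page does not name a construction, and `R`, `KEY_BITS`, `flip` and the sample template are constructed for illustration.

```python
import hashlib
import os

R = 5          # repetition factor: each key bit is spread over R template bits
KEY_BITS = 32  # constructed size; a template must hold KEY_BITS * R bits

def to_bits(data):
    """Bytes -> list of bits, least significant bit of each byte first."""
    return [(byte >> i) & 1 for byte in data for i in range(8)]

def from_bits(bits):
    """Inverse of to_bits."""
    return bytes(sum(bit << i for i, bit in enumerate(bits[j:j + 8]))
                 for j in range(0, len(bits), 8))

def gen(bio_bits):
    """Gen(Bio) -> (alpha, beta): beta = Bio XOR encode(k), alpha = h(k)."""
    if len(bio_bits) != KEY_BITS * R:
        raise ValueError("template must be KEY_BITS * R bits long")
    k = to_bits(os.urandom(KEY_BITS // 8))            # random secret behind alpha
    codeword = [bit for bit in k for _ in range(R)]   # repetition encoding
    beta = [b ^ c for b, c in zip(bio_bits, codeword)]
    return hashlib.sha256(from_bits(k)).digest(), beta

def rep(noisy_bits, beta):
    """Rep(Bio*, beta) -> alpha: majority-decode (Bio* XOR beta) block by block."""
    shifted = [b ^ c for b, c in zip(noisy_bits, beta)]  # codeword XOR noise
    k = [int(sum(shifted[i:i + R]) > R // 2) for i in range(0, len(shifted), R)]
    return hashlib.sha256(from_bits(k)).digest()

def flip(bits, positions):
    """Simulate sensor noise by flipping the bits at the given positions."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

# Constructed 160-bit template standing in for an enrolled biometric reading.
BIO = to_bits(hashlib.sha256(b"constructed biometric template").digest()[:20])

# Caveat: with a repetition code beta leaks information about the template;
# deployments use stronger error-correcting codes and entropy estimates.
```

Up to two flipped bits per 5-bit block still reproduce ${\alpha}_{m}$; three flips in one block exceed the correction capacity and yield a different key.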

#### 3.4. Physical Unclonable Function

- The PUF is a physical microstructure of the device.
- It is extremely difficult or impossible to clone the PUF circuit.
- An unpredictable response value must be output.
- It is possible to evaluate and implement a PUF circuit easily.

## 4. Revisit of Akram et al.’s Scheme

#### 4.1. Registration Phase

#### 4.1.1. Remote User Registration Phase

**Step 1:**- The user inputs their own $I{D}_{m}$, $P{W}_{m}$ and imprints $Bi{o}_{m}$. Then, ${U}_{m}$ calculates $Gen\left(Bi{o}_{m}\right)=({\alpha}_{m},{\beta}_{m})$ and sends $I{D}_{m}$ to the control center.
**Step 2:**- The control center calculates $SI{D}_{m}=h(I{D}_{m}\left|\right|s)$, ${k}_{m}=h(SI{D}_{m}\left|\right|MSK)$ and generates a random number ${a}_{m}$. After that, the control center computes $MI{D}_{m}=En{c}_{MSK}\left(SI{D}_{m}\right|\left|{\alpha}_{m}\right)$ and sends $\{{k}_{m},SI{D}_{m},SI{D}_{n}\}$ to ${U}_{m}$.
**Step 3:**- ${U}_{m}$ computes ${\gamma}_{m}=h(I{D}_{m}\left|\right|P{W}_{m}\left|\right|{\alpha}_{m})\oplus {k}_{m}$, $SI{D}_{m}^{u}=h(I{D}_{m}\left|\right|P{W}_{m})\oplus SI{D}_{m}$. Then, ${U}_{m}$ stores $\{{\gamma}_{m},SI{D}_{m}^{u},SI{D}_{n}\}$.

#### 4.1.2. Drone Registration Phase

**Step 1:**- ${D}_{n}$ selects $I{D}_{n}$ and sends it to the control center.
**Step 2:**- The control center computes $SI{D}_{n}=h(I{D}_{n}\left|\right|s)$, ${k}_{n}=h(SI{D}_{n}\left|\right|MSK)$ and stores $\{I{D}_{n},{k}_{n},SI{D}_{n}\}$ in its database. Then, the control center sends $\{{k}_{n},SI{D}_{n}\}$ to ${D}_{n}$.
**Step 3:**- When ${D}_{n}$ receives $\{{k}_{n},SI{D}_{n}\}$, ${D}_{n}$ saves them in the memory.

#### 4.2. AKA Phase

**Step 1:**- ${U}_{m}$ inputs $I{D}_{m}$, $P{W}_{m}$ and also imprints $Bi{o}_{m}$. Then, ${U}_{m}$ computes ${\alpha}_{m}=Rep(Bi{o}_{m},{\beta}_{m})$, $SI{D}_{m}=SI{D}_{m}^{u}\oplus h(I{D}_{m}\left|\right|P{W}_{m})$, ${k}_{m}={\gamma}_{m}\oplus h(I{D}_{m}\left|\right|P{W}_{m}\left|\right|{\alpha}_{m})$. Afterward, ${U}_{m}$ generates ${a}_{1}$ and computes ${A}_{1}=h(SI{D}_{m}\left|\right|SI{D}_{c}\left|\right|{k}_{m})\oplus {a}_{1}$, ${A}_{2}=h(SI{D}_{m}\left|\right|SI{D}_{c}\left|\right|{k}_{m}\left|\right|{a}_{1})\oplus SI{D}_{n}$ and ${A}_{3}=h(SI{D}_{m}\left|\right|SI{D}_{n}\left|\right|SI{D}_{c}\left|\right|{k}_{m}\left|\right|{a}_{1})$. Finally, ${U}_{m}$ sends $\{MI{D}_{m},{A}_{1},{A}_{2},{A}_{3}\}$ to the control center.
**Step 2:**- The control center retrieves $(SI{D}_{m}\left|\right|{\alpha}_{m})=De{c}_{MSK}\left(MI{D}_{m}\right)$. Then, the control center computes ${k}_{m}=h(SI{D}_{m}\left|\right|MSK)$, ${a}_{1}^{*}={A}_{1}\oplus h(SI{D}_{m}^{*}\left|\right|SI{D}_{c}\left|\right|{k}_{m}^{*})$ and $SI{D}_{n}^{*}={A}_{2}\oplus h(SI{D}_{m}^{*}\left|\right|SI{D}_{c}\left|\right|{k}_{m}^{*}\left|\right|{a}_{1}^{*})$, and verifies ${k}_{n}$ against $SI{D}_{n}^{*}$. Then, the control center computes ${A}_{3}^{*}=h(SI{D}_{m}^{*}\left|\right|SI{D}_{n}^{*}\left|\right|SI{D}_{c}\left|\right|{k}_{m}^{*}\left|\right|{a}_{1}^{*})$ and checks ${A}_{3}^{*}\stackrel{?}{=}{A}_{3}$. The control center generates ${a}_{2}$, ${a}_{m}^{new}$ and computes $MI{D}_{m}^{new}=En{c}_{MSK}(SI{D}_{m}\left|\right|{a}_{m}^{new})$, ${A}_{4}=h(SI{D}_{n}^{*}\left|\right|{k}_{n})\oplus ({a}_{1}^{*}\left|\right|{a}_{2}\left|\right|MI{D}_{m}^{new})$, ${A}_{5}=h(SI{D}_{n}^{*}\left|\right|SI{D}_{c}\left|\right|{k}_{n}\left|\right|{a}_{1}^{*})\oplus SI{D}_{m}^{*}$ and ${A}_{6}=h(SI{D}_{m}^{*}\left|\right|SI{D}_{n}^{*}\left|\right|SI{D}_{c}\left|\right|{k}_{n}\left|\right|{a}_{1}^{*}\left|\right|{a}_{2})$. Finally, the control center sends $\{{A}_{4},{A}_{5},{A}_{6}\}$ to the drone ${D}_{n}$.
**Step 3:**- ${D}_{n}$ computes $({a}_{1}^{**}\left|\right|{a}_{2}^{*}\left|\right|MI{D}_{m}^{new})={A}_{4}\oplus h(SI{D}_{n}\left|\right|{k}_{n})$, $SI{D}_{m}^{**}={A}_{5}\oplus h(SI{D}_{n}\left|\right|SI{D}_{c}\left|\right|{k}_{n}\left|\right|{a}_{1}^{**})$ and ${A}_{6}^{*}=h(SI{D}_{m}^{**}\left|\right|SI{D}_{n}\left|\right|SI{D}_{c}\left|\right|{k}_{n}\left|\right|{a}_{1}^{**}\left|\right|{a}_{2}^{*})$. Then, ${D}_{n}$ checks ${A}_{6}^{*}\stackrel{?}{=}{A}_{6}$ and generates ${a}_{3}$. After that, ${D}_{n}$ computes ${A}_{7}=h(SI{D}_{n}\left|\right|SI{D}_{m}^{**}\left|\right|{a}_{1}^{**})\oplus ({a}_{2}\left|\right|{a}_{3}^{*}\left|\right|MI{D}_{m}^{new})$, ${A}_{8}=h({a}_{1}^{**}\left|\right|{a}_{2}\left|\right|{a}_{3}^{*})$, $S{K}_{nm}=h(SI{D}_{m}^{**}\left|\right|SI{D}_{n}\left|\right|SI{D}_{c}\left|\right|{A}_{8})$ and ${A}_{9}=h(SI{D}_{m}^{**}\left|\right|SI{D}_{n}\left|\right|SI{D}_{c}\left|\right|{a}_{2}\left|\right|{a}_{3}^{*}\left|\right|{A}_{8})$. Finally, ${D}_{n}$ sends $\{{A}_{7},{A}_{9}\}$ to ${U}_{m}$.
**Step 4:**- The ${U}_{m}$ computes $\left({a}_{2}^{*}\right||{a}_{3}^{**}\left|\right|MI{D}_{m}^{new})={A}_{7}\oplus h(SI{D}_{n}\left|\right|SI{D}_{m}\left|\right|{a}_{1})$, ${A}_{8}^{*}=h({a}_{1}\left|\right|{a}_{2}^{*}\left|\right|{a}_{3}^{**})$ and ${A}_{9}^{*}=h(SI{D}_{m}\left|\right|SI{D}_{n}\left|\right|SI{D}_{c}\left|\right|{a}_{2}^{*}\left|\right|{a}_{3}^{**}\left|\right|{A}_{8}^{*})$. Then, it validates ${A}_{9}^{*}\stackrel{?}{=}{A}_{9}$ and computes $S{K}_{nm}=h(SI{D}_{m}^{**}\left|\right|SI{D}_{n}\left|\right|SI{D}_{c}\left|\right|{A}_{8}^{*})$.

## 5. Cryptanalysis of Akram et al.’s Scheme

#### 5.1. Session Key Disclosure Attack

**Step 1:**- $\mathcal{A}$ computes $({a}_{1}\left|\right|{a}_{2}\left|\right|MI{D}_{m}^{new})={A}_{4}\oplus h(SI{D}_{n}\left|\right|{k}_{n})$, $SI{D}_{m}={A}_{5}\oplus h(SI{D}_{n}\left|\right|SI{D}_{c}\left|\right|{k}_{n}\left|\right|{a}_{1})$, and $({a}_{2}\left|\right|{a}_{3}\left|\right|MI{D}_{m}^{new})={A}_{7}\oplus h(SI{D}_{n}\left|\right|SI{D}_{m}\left|\right|{a}_{1})$.
**Step 2:**- $\mathcal{A}$ calculates $S{K}_{nm}=h(SI{D}_{m}\left|\right|SI{D}_{n}\left|\right|SI{D}_{c}\left|\right|{A}_{8})$.

#### 5.2. Drone Impersonation Attack

**Step 1:**- The adversary $\mathcal{A}$ first intercepts $\{{A}_{4},{A}_{5},{A}_{6}\}$ transmitted by the public channel.
**Step 2:**- $\mathcal{A}$ can obtain ${a}_{1},{a}_{2}$, $MI{D}_{m}^{new}$ by computing $({a}_{1}\left|\right|{a}_{2}\left|\right|MI{D}_{m}^{new})={A}_{4}\oplus h(SI{D}_{n}\left|\right|{k}_{n})$.
**Step 3:**- $\mathcal{A}$ can compute $SI{D}_{m}$ through $SI{D}_{m}={A}_{5}\oplus h(SI{D}_{n}\left|\right|SI{D}_{c}\left|\right|{k}_{n}\left|\right|{a}_{1})$.
**Step 4:**- $\mathcal{A}$ generates random ${a}_{3}^{*}$ and computes ${A}_{8}^{*}=h({a}_{1}\left|\right|{a}_{2}\left|\right|{a}_{3}^{*})$.
**Step 5:**- $\mathcal{A}$ can successfully compute ${A}_{7}^{*}=h(SI{D}_{n}\left|\right|SI{D}_{m}\left|\right|{a}_{1})\oplus ({a}_{2}\left|\right|{a}_{3}^{*}\left|\right|MI{D}_{m}^{new})$, ${A}_{9}^{*}=h(SI{D}_{m}\left|\right|SI{D}_{n}\left|\right|SI{D}_{c}\left|\right|{a}_{2}\left|\right|{a}_{3}^{*}\left|\right|{A}_{8}^{*})$.

#### 5.3. Stolen-Verifier Attack

#### 5.4. Perfect Forward Secrecy

#### 5.5. DoS Attack

#### 5.6. Correctness

## 6. Proposed Scheme

#### 6.1. Initialization Phase

**Step 1:**- The control center selects an identity $I{D}_{n}$ and a challenge $C{H}_{n}$ and sends $\{I{D}_{n},C{H}_{n}\}$ to the drone ${D}_{n}$.
**Step 2:**- The drone stores $\{I{D}_{n},C{H}_{n}\}$ in the memory.

#### 6.2. Drone Registration Phase

**Step 1:**- The drone ${D}_{n}$ retrieves the challenge $C{H}_{n}$ stored in the memory and computes $R{E}_{n}=PUF\left(C{H}_{n}\right)$, and $Gen\left(R{E}_{n}\right)=({\alpha}_{n},{\beta}_{n})$. After that, the ${D}_{n}$ sends $\{I{D}_{n},C{H}_{n}\}$ to the control center.
**Step 2:**- The control center generates a random number ${a}_{n}$ and computes $SI{D}_{n}=h(I{D}_{n}\left|\right|s)$, ${k}_{n}=h(SI{D}_{n}\left|\right|s\left|\right|{a}_{n})$, and saves $\{I{D}_{n},SI{D}_{n},{a}_{n},C{H}_{n}\}$ in the database. Then, the control center sends $\{SI{D}_{n},{k}_{n}\}$ to the ${D}_{n}$.
**Step 3:**- Finally, the ${D}_{n}$ deletes the $C{H}_{n}$ and computes ${\gamma}_{n}=h(I{D}_{n}\left|\right|{\alpha}_{n})\oplus {k}_{n}$, $SI{D}_{n}^{D}=h(I{D}_{n}\left|\right|{\alpha}_{n}\left|\right|{k}_{n})\oplus SI{D}_{n}$, and stores $\left\{{\gamma}_{n}\right\}$ in its memory.

#### 6.3. User Registration Phase

**Step 1:**- The user ${U}_{m}$ selects an identity $I{D}_{m}$, a password $P{W}_{m}$, and a biometric template $Bi{o}_{m}$. After that, the mobile device calculates $Gen\left(Bi{o}_{m}\right)=({\alpha}_{m},{\beta}_{m})$. The ${U}_{m}$ sends $\left\{I{D}_{m}\right\}$ to the control center.
**Step 2:**- The control center generates a random number ${a}_{m}$ and computes $SI{D}_{m}=h(I{D}_{m}\left|\right|s)$, ${k}_{m}=h(SI{D}_{m}\left|\right|s\left|\right|{a}_{m})$, $SI{D}_{m}^{*}=SI{D}_{m}\oplus h\left(s\right||{a}_{m})$ and $MI{D}_{m}=h(SI{D}_{m}\left|\right|{a}_{m})$. Then, the control center stores $\{MI{D}_{m},SI{D}_{m}^{*},{a}_{m}\}$ in the database, and sends $\{{k}_{m},SI{D}_{m},SI{D}_{n},MI{D}_{m}\}$ to the ${U}_{m}$.
**Step 3:**- The ${U}_{m}$ computes ${\gamma}_{m}=h(I{D}_{m}\left|\right|P{W}_{m}\left|\right|{\alpha}_{m})\oplus {k}_{m}$, ${\delta}_{m}=h({\alpha}_{m}\left|\right|{k}_{m}\left|\right|SI{D}_{m})$, $SI{D}_{m}^{u}=h(I{D}_{m}\left|\right|P{W}_{m})\oplus SI{D}_{m}$, and $SI{D}_{n}^{u}=h(P{W}_{m}\left|\right|{\alpha}_{m})\oplus SI{D}_{n}$, and stores $\{{\gamma}_{m},{\delta}_{m},SI{D}_{m}^{u},SI{D}_{n}^{u},MI{D}_{m}\}$ in the memory.

#### 6.4. MAKA Phase

**Step 1:**- The ${U}_{m}$ inputs $I{D}_{m}$ and $P{W}_{m}$, and imprints $Bi{o}_{m}$. After that, ${U}_{m}$ computes ${\alpha}_{m}=Rep(Bi{o}_{m},{\beta}_{m})$, $SI{D}_{m}=h(I{D}_{m}\left|\right|P{W}_{m})\oplus SI{D}_{m}^{u}$, $SI{D}_{n}=h(P{W}_{m}\left|\right|{\alpha}_{m})\oplus SI{D}_{n}^{u}$, ${k}_{m}=h(I{D}_{m}\left|\right|P{W}_{m}\left|\right|{\alpha}_{m})\oplus {\gamma}_{m}$, and ${\delta}_{m}^{*}=h({\alpha}_{m}\left|\right|{k}_{m}\left|\right|SI{D}_{m})$, and checks ${\delta}_{m}^{*}\stackrel{?}{=}{\delta}_{m}$. Then, the ${U}_{m}$ generates a random nonce ${a}_{1}$ and calculates ${A}_{1}=h(SI{D}_{m}\left|\right|SI{D}_{c}\left|\right|{k}_{m})\oplus {a}_{1}$, ${A}_{2}=h(SI{D}_{m}\left|\right|SI{D}_{c})\oplus SI{D}_{n}$, and ${V}_{1}=h(SI{D}_{m}\left|\right|SI{D}_{n}\left|\right|SI{D}_{c}\left|\right|{k}_{m}\left|\right|{a}_{1})$. The ${U}_{m}$ sends $\{MI{D}_{m},{A}_{1},{A}_{2},{V}_{1}\}$ to the control center.
**Step 2:**- The control center checks whether $MI{D}_{m}=MI{D}_{m}^{old}$ or $MI{D}_{m}=MI{D}_{m}^{new}$. If $MI{D}_{m}=MI{D}_{m}^{old}$, it retrieves $\{SI{D}_{m}^{*},{a}_{m}\}$ against $MI{D}_{m}^{old}$, and if $MI{D}_{m}=MI{D}_{m}^{new}$, it retrieves $\{SI{D}_{m}^{*},{a}_{m}\}$ against $MI{D}_{m}^{new}$. After that, the control center computes $SI{D}_{m}=SI{D}_{m}^{*}\oplus h\left(s\right||{a}_{m})$, ${k}_{m}=h(SI{D}_{m}\left|\right|s\left|\right|{a}_{m})$, ${a}_{1}={A}_{1}\oplus h(SI{D}_{m}\left|\right|SI{D}_{c}\left|\right|{k}_{m})$, $SI{D}_{n}={A}_{2}\oplus h(SI{D}_{m}\left|\right|SI{D}_{c})$, and ${V}_{1}^{*}=h(SI{D}_{m}\left|\right|SI{D}_{n}\left|\right|SI{D}_{c}\left|\right|{k}_{m}\left|\right|{a}_{1})$. If ${V}_{1}^{*}\stackrel{?}{=}{V}_{1}$ is correct, the control center computes $MI{D}_{m}^{new}=h(SI{D}_{m}\left|\right|{a}_{1})$ and updates $MI{D}_{m}^{new}$. Then, the control center checks for $I{D}_{n},{a}_{n},C{H}_{n}$ against $SI{D}_{n}$ from its database and computes ${k}_{n}=h(SI{D}_{n}\left|\right|s\left|\right|{a}_{n})$. The control center calculates ${A}_{3}=h(SI{D}_{n}\left|\right|{k}_{n})\oplus ({a}_{1}\left|\right|{a}_{2})$, ${A}_{4}=h(SI{D}_{n}\left|\right|{k}_{n}\left|\right|{a}_{1})\oplus SI{D}_{m}$, ${A}_{5}=h(SI{D}_{c}\left|\right|I{D}_{n})\oplus C{H}_{n}$, and ${V}_{2}=h(SI{D}_{m}\left|\right|SI{D}_{n}\left|\right|SI{D}_{c}\left|\right|{k}_{n}\left|\right|{a}_{1}\left|\right|{a}_{2})$ and sends $\{{A}_{3},{A}_{4},{A}_{5},{V}_{2}\}$ to the drone.
**Step 3:**- The drone ${D}_{n}$ computes $C{H}_{n}={A}_{5}\oplus h(SI{D}_{c}\left|\right|I{D}_{n})$, $R{E}_{n}=PUF\left(C{H}_{n}\right)$, ${\alpha}_{n}=Rep(R{E}_{n},{\beta}_{n})$, ${k}_{n}={\gamma}_{n}\oplus h(I{D}_{n}\left|\right|{\alpha}_{n})$, $SI{D}_{n}=SI{D}_{n}^{D}\oplus h(I{D}_{n}\left|\right|{\alpha}_{n}\left|\right|{k}_{n})$, $({a}_{1}\left|\right|{a}_{2})={A}_{3}\oplus h(SI{D}_{n}\left|\right|{k}_{n})$, $SI{D}_{m}={A}_{4}\oplus h(SI{D}_{n}\left|\right|{k}_{n}\left|\right|{a}_{1})$, and ${V}_{2}^{*}=h(SI{D}_{m}\left|\right|SI{D}_{n}\left|\right|SI{D}_{c}\left|\right|{k}_{n}\left|\right|{a}_{1}\left|\right|{a}_{2})$. If ${V}_{2}^{*}\stackrel{?}{=}{V}_{2}$ is correct, the ${D}_{n}$ generates a random nonce ${a}_{3}$, and calculates ${A}_{6}=h(SI{D}_{m}\left|\right|SI{D}_{n}\left|\right|{a}_{1})\oplus ({a}_{2}\left|\right|{a}_{3})$, ${A}_{7}=h(SI{D}_{m}\left|\right|SI{D}_{n}\left|\right|SI{D}_{c})$, $SK=h\left({A}_{7}\right|\left|{a}_{1}\right|\left|{a}_{2}\right|\left|{a}_{3}\right)$, and ${V}_{3}=h({A}_{7}\left|\right|{a}_{1}\left|\right|{a}_{3}\left|\right|SK)$. Then, the ${D}_{n}$ sends $\{{A}_{6},{V}_{3}\}$ to the ${U}_{m}$.
**Step 4:**- The ${U}_{m}$ computes $({a}_{2}\left|\right|{a}_{3})={A}_{6}\oplus h(SI{D}_{m}\left|\right|SI{D}_{n}\left|\right|{a}_{1})$, ${A}_{7}=h(SI{D}_{m}\left|\right|SI{D}_{n}\left|\right|SI{D}_{c})$, $SK=h\left({A}_{7}\right|\left|{a}_{1}\right|\left|{a}_{2}\right|\left|{a}_{3}\right)$, and ${V}_{3}^{*}=h({A}_{7}\left|\right|{a}_{1}\left|\right|{a}_{3}\left|\right|SK)$ and checks ${V}_{3}^{*}\stackrel{?}{=}{V}_{3}$. Then, the ${U}_{m}$ updates $MI{D}_{m}^{new}$.

## 7. Security Analysis

#### 7.1. BAN Logic

#### 7.1.1. Rules

**1.**- MMR:$$\frac{{\mathcal{PR}}_{1}\phantom{\rule{4pt}{0ex}}|\equiv {\mathcal{PR}}_{1}\stackrel{KEY}{\leftrightarrow}{\mathcal{PR}}_{2},\phantom{\rule{7.5pt}{0ex}}{\mathcal{PR}}_{1}\lhd {\left(MS{G}_{1}\right)}_{KEY}}{{\mathcal{PR}}_{1}|\equiv {\mathcal{PR}}_{2}|\sim MS{G}_{1}}$$
**2.**- NVR:$$\frac{{\mathcal{PR}}_{1}|\equiv \#\left(MS{G}_{1}\right),\phantom{\rule{7.5pt}{0ex}}{\mathcal{PR}}_{1}|\equiv {\mathcal{PR}}_{2}\phantom{\rule{4pt}{0ex}}|\sim MS{G}_{1}}{{\mathcal{PR}}_{1}|\equiv {\mathcal{PR}}_{2}|\equiv MS{G}_{1}}$$
**3.**- JR:$$\frac{{\mathcal{PR}}_{1}|\equiv {\mathcal{PR}}_{2}|\Rightarrow MS{G}_{1},\phantom{\rule{7.5pt}{0ex}}{\mathcal{PR}}_{1}|\equiv {\mathcal{PR}}_{2}|\equiv MS{G}_{1}}{{\mathcal{PR}}_{1}\phantom{\rule{4pt}{0ex}}|\equiv MS{G}_{1}}$$
**4.**- BR:$$\frac{{\mathcal{PR}}_{1}\phantom{\rule{4pt}{0ex}}|\equiv (MS{G}_{1},MS{G}_{2})}{{\mathcal{PR}}_{1}\phantom{\rule{4pt}{0ex}}|\equiv MS{G}_{1}}$$
**5.**- FR:$$\frac{{\mathcal{PR}}_{1}\phantom{\rule{4pt}{0ex}}|\equiv \#\left(MS{G}_{1}\right)}{{\mathcal{PR}}_{1}\phantom{\rule{4pt}{0ex}}|\equiv \#(MS{G}_{1},MS{G}_{2})}$$

#### 7.1.2. Goals

**Goal 1:**- ${D}_{n}|\equiv {D}_{n}\stackrel{SK}{\leftrightarrow}{U}_{m}$
**Goal 2:**- ${D}_{n}|\equiv {U}_{m}|\equiv {D}_{n}\stackrel{SK}{\leftrightarrow}{U}_{m}$
**Goal 3:**- ${U}_{m}|\equiv {D}_{n}\stackrel{SK}{\leftrightarrow}{U}_{m}$
**Goal 4:**- ${U}_{m}|\equiv {D}_{n}|\equiv {D}_{n}\stackrel{SK}{\leftrightarrow}{U}_{m}$

#### 7.1.3. Idealized Forms

- $Me{s}_{1}$: ${U}_{m}\to CC:{\{{a}_{1},SI{D}_{n}\}}_{SI{D}_{m}}$
- $Me{s}_{2}$: $CC\to {D}_{n}:{\{{a}_{1},{a}_{2},SI{D}_{m}\}}_{{k}_{n}}$
- $Me{s}_{3}$: ${D}_{n}\to {U}_{m}:{\{{a}_{2},{a}_{3}\}}_{SI{D}_{m}}$

#### 7.1.4. Assumptions

- $A{S}_{1}$: $CC|\equiv \#({a}_{1})$
- $A{S}_{2}$: ${D}_{n}|\equiv \#({a}_{2})$
- $A{S}_{3}$: ${U}_{m}|\equiv \#\left({a}_{3}\right)$
- $A{S}_{4}$: ${D}_{n}|\equiv {U}_{m}|\Rightarrow ({D}_{n}\stackrel{SK}{\leftrightarrow}{U}_{m})$
- $A{S}_{5}$: ${U}_{m}|\equiv {D}_{n}|\Rightarrow ({D}_{n}\stackrel{SK}{\leftrightarrow}{U}_{m})$
- $A{S}_{6}$: $CC|\equiv CC\stackrel{SI{D}_{m}}{\leftrightarrow}{U}_{m}$
- $A{S}_{7}$: ${D}_{n}|\equiv CC\stackrel{{k}_{n}}{\leftrightarrow}{D}_{n}$
- $A{S}_{8}$: ${U}_{m}|\equiv {D}_{n}\stackrel{SI{D}_{m}}{\leftrightarrow}{U}_{m}$

#### 7.1.5. BAN Logic Proof

**Step 1:**- We can obtain $R{A}_{1}$ from the message $Me{s}_{1}$.$$R{A}_{1}:CC\lhd {\{{a}_{1},SI{D}_{n}\}}_{SI{D}_{m}}$$
**Step 2:**- We can obtain $R{A}_{2}$ from the rule MMR using $R{A}_{1}$ and $A{S}_{6}$.$$R{A}_{2}:CC|\equiv {U}_{m}|\sim ({a}_{1},SI{D}_{n})$$
**Step 3:**- We can obtain $R{A}_{3}$ from the rule FR using ${S}_{3}$ and $A{S}_{1}$.$$R{A}_{3}:CC|\equiv \#({a}_{1},SI{D}_{n})$$
**Step 4:**- We can obtain $R{A}_{4}$ from the rule NVR using $R{A}_{2}$ and $R{A}_{3}$.$$R{A}_{4}:CC|\equiv {U}_{m}|\equiv ({a}_{1},SI{D}_{n})$$
**Step 5:**- We can obtain $R{A}_{5}$ from the message $Me{s}_{2}$.$$R{A}_{5}:{D}_{n}\lhd {\{{a}_{1},{a}_{2},SI{D}_{m}\}}_{{k}_{n}}$$
**Step 6:**- We can obtain $R{A}_{6}$ from the MMR using $R{A}_{5}$ and $A{S}_{7}$.$$R{A}_{6}:{D}_{n}|\equiv CC|\sim ({a}_{1},{a}_{2},SI{D}_{m})$$
**Step 7:**- We can obtain $R{A}_{7}$ from the FR using $R{A}_{6}$ and $A{S}_{2}$.$$R{A}_{7}:{D}_{n}|\equiv \#({a}_{1},{a}_{2},SI{D}_{m})$$
**Step 8:**- We can obtain $R{A}_{8}$ from the NVR using $R{A}_{6}$ and $R{A}_{7}$.$$R{A}_{8}:{D}_{n}|\equiv CC|\equiv ({a}_{1},{a}_{2},SI{D}_{m})$$
**Step 9:**- We can obtain $R{A}_{9}$ from the message $Me{s}_{3}$.$$R{A}_{9}:{U}_{m}\lhd {\{{a}_{2},{a}_{3}\}}_{SI{D}_{m}}$$
**Step 10:**- We can obtain $R{A}_{10}$ from the MMR using $R{A}_{9}$ and $A{S}_{8}$.$$R{A}_{10}:{U}_{m}|\equiv {D}_{n}|\sim ({a}_{2},{a}_{3})$$
**Step 11:**- We can obtain $R{A}_{11}$ from the NVR using $R{A}_{10}$ and $A{S}_{3}$.$$R{A}_{11}:{U}_{m}|\equiv {D}_{n}|\equiv ({a}_{2},{a}_{3})$$
**Step 12:**- We can obtain $R{A}_{12}$ and $R{A}_{13}$ from $R{A}_{8}$ and $R{A}_{11}$. Therefore, ${U}_{m}$ and ${D}_{n}$ can compute the session key $SK=h\left({A}_{7}\right|\left|{a}_{1}\right|\left|{a}_{2}\right|\left|{a}_{3}\right)$, where ${A}_{7}=h(SI{D}_{m}\left|\right|SI{D}_{n}\left|\right|SI{D}_{c})$.$$R{A}_{12}:{D}_{n}|\equiv {U}_{m}|\equiv ({D}_{n}\stackrel{SK}{\leftrightarrow}{U}_{m})\hspace{1em}\mathbf{(Goal\; 2)}$$$$R{A}_{13}:{U}_{m}|\equiv {D}_{n}|\equiv ({D}_{n}\stackrel{SK}{\leftrightarrow}{U}_{m})\hspace{1em}\mathbf{(Goal\; 4)}$$
**Step 13:**- We can obtain $R{A}_{14}$ and $R{A}_{15}$ from the jurisdiction rule using $R{A}_{12}$ and $A{S}_{4}$, and $R{A}_{13}$ and $A{S}_{5}$, respectively.$$R{A}_{14}:{D}_{n}|\equiv \left({D}_{n}\stackrel{SK}{\leftrightarrow}{U}_{m}\right)\hspace{1em}\mathbf{(Goal\; 1)}$$$$R{A}_{15}:{U}_{m}|\equiv \left({D}_{n}\stackrel{SK}{\leftrightarrow}{U}_{m}\right)\hspace{1em}\mathbf{(Goal\; 3)}$$

#### 7.2. RoR Model

- $Execute(PA{R}_{U}^{i},PA{R}_{C}^{j},PA{R}_{D}^{k})$: In this query, the adversary eavesdrops on messages transmitted via an open channel. Therefore, the adversary can obtain messages generated from $PA{R}_{U}^{i}$, $PA{R}_{C}^{j}$, and $PA{R}_{D}^{k}$. This query is a passive attack.
- $CorruptDevice\left(PA{R}_{U}^{i}\right)$: In this query, the adversary can obtain secret parameters from $PA{R}_{U}^{i}$ using a power analysis attack. Therefore, the query CorruptDevice is an active attack.
- $Send\left(PAR\right)$: In this query, the adversary can send messages to all participants $PA{R}_{U}^{i}$, $PA{R}_{C}^{j}$, and $PA{R}_{D}^{k}$. Furthermore, the adversary can obtain returned messages from these participants. Thus, this query is an active attack.
- $Test\left(PAR\right)$: Before starting the game, an unbiased coin $UC$ is flipped in this query. The adversary obtains $UC=1$ when the session key is fresh. The adversary can also obtain $UC=0$ when the session key of the proposed scheme cannot guarantee freshness. If not, the adversary obtains a “null value” ⊥. To achieve a secure session key agreement, the adversary cannot discriminate between the session key and the random number.

#### Security Proof

**Theorem 1.**

**Proof.**

- $G{A}_{0}$: In $G{A}_{0}$, the adversary selects a random bit $r$. Thus, we obtain the following equation.$${\mathcal{MA}}_{AD}\left(P\right)=|2AD\left[{A}_{G{A}_{0}}\right]-1|$$
- $G{A}_{1}$: In $G{A}_{1}$, the adversary eavesdrops on messages $\{MI{D}_{m},{A}_{1},{A}_{2},{V}_{1}\}$, $\{{A}_{3},{A}_{4},{A}_{5},{V}_{2}\}$, and $\{{A}_{6},{V}_{3}\}$ using the $Execute$ query. Then, the adversary performs the $Test$ query to obtain the session key $SK=h\left({A}_{7}\right|\left|{a}_{1}\right|\left|{a}_{2}\right|\left|{a}_{3}\right)$. To compute $SK$, the adversary must obtain the random nonces ${a}_{1}$, ${a}_{2}$, and ${a}_{3}$. Moreover, ${A}_{7}$ is composed of $SI{D}_{m}$, $SI{D}_{n}$, and $SI{D}_{c}$, where $SI{D}_{m}$ is the secret parameter of the user. Therefore, the adversary cannot calculate $SK$, and we can obtain the following equation.$$|AD\left[{A}_{G{A}_{1}}\right]|=|AD\left[{A}_{G{A}_{0}}\right]|$$
- $G{A}_{2}$: In $G{A}_{2}$, the adversary utilizes $Send$ and $HA$ to attack the network. However, all of the parameters are masked in a cryptographic hash function that can prevent the hash collision problem. For this reason, the adversary cannot obtain the session key $SK$. According to the birthday paradox [33], we can obtain the following inequality.$$|AD\left[{A}_{G{A}_{2}}\right]-AD\left[{A}_{G{A}_{1}}\right]|\le \frac{q{u}_{ha}^{2}}{\left|HA\right|}$$
- $G{A}_{3}$: Similar to $G{A}_{2}$, the adversary utilizes queries $Send$ and $PU$ in this game. According to Section 3.4, the PUF is extremely difficult or impossible to clone. This means the adversary has no advantage in $G{A}_{3}$.$$|AD\left[{A}_{G{A}_{3}}\right]-AD\left[{A}_{G{A}_{2}}\right]|\le \frac{q{u}_{pu}^{2}}{\left|PU\right|}$$
- $G{A}_{4}$: This game is the final game in which the adversary extracts secret parameters $\{{\gamma}_{m},{\delta}_{m},SI{D}_{m}^{u},SI{D}_{n}^{u},MI{D}_{m}\}$ from the device of the user using the query $CorruptDevice$. The adversary attempts to calculate $SK$ from these parameters. However, each parameter consists of a password and the biometrics of a user, and this means that the adversary must guess the password and biometrics at the same time. Since this task is computationally infeasible, the adversary cannot compute $SK$. Therefore, we can obtain the following inequality using Zipf’s law [29].$$|AD\left[{A}_{G{A}_{4}}\right]-AD\left[{A}_{G{A}_{2}}\right]|\le \max\{{C}^{\prime}q{u}_{se}^{{s}^{\prime}},\frac{q{u}_{se}}{{2}^{{B}_{m}}}\}$$

#### 7.3. AVISPA Simulation

#### 7.4. Informal Security Analysis

#### 7.4.1. Stolen/lost Mobile Device Attack

#### 7.4.2. Offline Password-Guessing Attack

#### 7.4.3. Impersonation Attack

- (1) User impersonation attack: In this attack, an adversary $\mathcal{A}$ tries to masquerade as a legitimate user ${U}_{m}$. $\mathcal{A}$ has to make a valid login request message $\{MI{D}_{m},{A}_{1},{A}_{2},{V}_{1}\}$. $\mathcal{A}$ can obtain $MI{D}_{m}$ from the mobile device. However, without having the credentials $SI{D}_{m},SI{D}_{n}$, and ${k}_{m}$, it is a difficult task for $\mathcal{A}$ to calculate $MI{D}_{m},{A}_{1},{A}_{2},{V}_{1}$. Thus, $\mathcal{A}$ cannot generate a valid login request message on behalf of ${U}_{m}$. Hence, the proposed scheme provides protection against user impersonation attacks.
- (2) Control center impersonation attack: For this attack, let us suppose that $\mathcal{A}$ tries to send the message $\{{A}_{3},{A}_{4},{A}_{5},{V}_{2}\}$ to the ${D}_{n}$ on behalf of the CC. However, without having the credentials $SI{D}_{m},SI{D}_{n},{k}_{n},I{D}_{n}$, and random nonce ${a}_{1}$, it is computationally hard for $\mathcal{A}$ to make a valid message. Therefore, the proposed scheme is resilient against the CC impersonation attack.
- (3) Drone impersonation attack: This attack is a disguise attack in which a malicious adversary $\mathcal{A}$ conceals its identity information and attempts to behave as ${D}_{n}$. To do this, $\mathcal{A}$ computes $C{H}_{A}^{*}={A}_{3}\oplus h(I{D}_{n}\left|\right|{\gamma}_{n})$. Since $PUF(.)$ is a physical unclonable circuit, $\mathcal{A}$ cannot compute $R{E}_{n}$. Therefore, it is impossible to compute ${\alpha}_{n}=Rep(R{E}_{n},{\beta}_{n})$, $SI{D}_{n}=h(I{D}_{n}\left|\right|{\alpha}_{n})$, ${k}_{n}={\gamma}_{n}\oplus SI{D}_{n}$, $(SI{D}_{m}\left|\right|{a}_{1}\left|\right|{a}_{2})={A}_{2}\oplus h(SI{D}_{n}\left|\right|SI{D}_{c}\left|\right|{k}_{n})$ to calculate ${A}_{4}=h(SI{D}_{m}\left|\right|SI{D}_{n}\left|\right|{a}_{1})\oplus ({a}_{2}\left|\right|{a}_{3})$. Thus, the proposed scheme can prevent drone impersonation attacks.

#### 7.4.4. Replay and MITM Attacks

#### 7.4.5. Physical and Cloning Attacks

#### 7.4.6. Privileged Insider Attack

#### 7.4.7. Ephemeral Security Leakage Attack

#### 7.4.8. Stolen-Verifier Attack

#### 7.4.9. User Anonymity and Untraceability

#### 7.4.10. Perfect Forward Secrecy

#### 7.4.11. Mutual Authentication

#### 7.4.12. DoS Attack

#### 7.4.13. Drone Capture Attack

#### 7.4.14. Session Key Disclosure Attack

## 8. Performance Analysis

#### 8.1. Security Features Comparison

#### 8.2. Communication Costs Comparison

#### 8.3. Computation Costs Comparison

## 9. Conclusions

## Author Contributions

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Conflicts of Interest

## References

- Gharibi, M.; Boutaba, R.; Waslander, S.L. Internet of drones. IEEE Access **2016**, 4, 1148–1162.
- Abualigah, L.; Diabat, A.; Sumari, P.; Gandomi, A.H. Applications, deployments, and integration of internet of drones (iod): A review. IEEE Sens. J. **2021**, 21, 25532–25546.
- Lin, C.; He, D.; Kumar, N.; Choo, K.K.R.; Vinel, A.; Huang, X. Security and privacy for the internet of drones: Challenges and solutions. IEEE Commun. Mag. **2018**, 56, 64–69.
- Akram, M.W.; Bashir, A.K.; Shamshad, S.; Saleem, M.A.; AlZubi, A.A.; Chaudhry, S.A.; Alzahrani, B.A.; Zikria, Y.B. A secure and lightweight drones-access protocol for smart city surveillance. IEEE Trans. Intell. Transp. Syst. **2021**, 23, 19634–19643.
- Umar, M.; Islam, S.H.; Mahmood, K.; Ahmed, S.; Ghaffar, Z.; Saleem, M.A. Provable secure identity-based anonymous and privacy-preserving inter-vehicular authentication protocol for VANETS using PUF. IEEE Trans. Veh. Technol. **2021**, 70, 12158–12167.
- Herder, C.; Yu, M.D.; Koushanfar, F.; Devadas, S. Physical unclonable functions and applications: A tutorial. Proc. IEEE **2014**, 102, 1126–1141.
- AVISPA, T. Automated Validation of Internet Security Protocols and Applications. 2015. Available online: https://www.avispa-project.org/ (accessed on 6 February 2023).
- Glouche, Y.; Genet, T.; Heen, O.; Courtay, O. A security protocol animator tool for AVISPA. In Proceedings of the ARTIST2 Workshop on Security Specification and Verification of Embedded Systems, Pisa, Italy, 18–20 May 2006; pp. 1–7.
- Abdalla, M.; Fouque, P.A.; Pointcheval, D. Password-based authenticated key exchange in the three-party setting. In Proceedings of the International Workshop on Public Key Cryptography, Les Diablerets, Switzerland, 23–26 January 2005; Springer: Berlin/Heidelberg, Germany, 2005; pp. 65–84.
- Burrows, M.; Abadi, M.; Needham, R. A logic of authentication. ACM Trans. Comput. Syst. (TOCS) **1990**, 8, 18–36.
- Wazid, M.; Das, A.K.; Kumar, N.; Vasilakos, A.V.; Rodrigues, J.J. Design and analysis of secure lightweight remote user authentication and key agreement scheme in Internet of drones deployment. IEEE Internet Things J. **2018**, 6, 3572–3584.
- Teng, L.; Jianfeng, M.; Pengbin, F.; Yue, M.; Xindi, M.; Jiawei, Z.; Gao, C.; Di, L. Lightweight security authentication mechanism towards UAV networks. In Proceedings of the 2019 International Conference on Networking and Network Applications (NaNA), Daegu City, Republic of Korea, 10–13 October 2019; pp. 379–384.
- Srinivas, J.; Das, A.K.; Kumar, N.; Rodrigues, J.J. TCALAS: Temporal credential-based anonymous lightweight authentication scheme for Internet of drones environment. IEEE Trans. Veh. Technol. **2019**, 68, 6903–6916.
- Ali, Z.; Chaudhry, S.A.; Ramzan, M.S.; Al-Turjman, F. Securing smart city surveillance: A lightweight authentication mechanism for unmanned vehicles. IEEE Access **2020**, 8, 43711–43724.
- Ever, Y.K. A secure authentication scheme framework for mobile-sinks used in the internet of drones applications. Comput. Commun. **2020**, 155, 143–149.
- Deebak, B.D.; Al-Turjman, F. A smart lightweight privacy preservation scheme for IoT-based UAV communication systems. Comput. Commun. **2020**, 162, 102–117.
- Wu, T.; Guo, X.; Chen, Y.; Kumari, S.; Chen, C. Amassing the security: An enhanced authentication protocol for drone communications over 5G networks. Drones **2022**, 6, 10–29.
- Tanveer, M.; Alkhayyat, A.; Naushad, A.; Kumar, N.; Alharbi, A.G. RUAM-IoD: A Robust User Authentication Mechanism for the Internet of Drones. IEEE Access **2022**, 10, 19836–19851.
- Alladi, T.; Chamola, V.; Kumar, N. PARTH: A two-stage lightweight mutual authentication protocol for UAV surveillance networks. Comput. Commun. **2020**, 160, 81–90.
- Pu, C.; Li, Y. Lightweight authentication protocol for unmanned aerial vehicles using physical unclonable function and chaotic system. In Proceedings of the 2020 IEEE International Symposium on Local and Metropolitan Area Networks (LANMAN), Orlando, FL, USA, 13–15 July 2020; pp. 1–6.
- Zhang, N.; Jiang, Q.; Li, L.; Ma, X.; Ma, J. An efficient three-factor remote user authentication protocol based on BPV-FourQ for internet of drones. Peer-to-Peer Netw. Appl. **2021**, 14, 3319–3332.
- Dolev, D.; Yao, A. On the security of public key protocols. IEEE Trans. Inf. Theory **1983**, 29, 198–208.
- Chattaraj, D.; Bera, B.; Das, A.K.; Rodrigues, J.J.; Park, Y. Designing Fine-Grained Access Control for Software-Defined Networks Using Private Blockchain. IEEE Internet Things J. **2021**, 9, 1542–1559.
- Tanveer, M.; Kumar, N.; Hassan, M.M. RAMP-IoD: A robust authenticated key management protocol for the Internet of Drones. IEEE Internet Things J. **2021**, 9, 1339–1353.
- Dodis, Y.; Reyzin, L.; Smith, A. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, 2–6 May 2004; Springer: Berlin/Heidelberg, Germany, 2004; pp. 523–540.
- Kim, M.; Lee, J.; Park, K.; Park, Y.; Park, K.H.; Park, Y. Design of secure decentralized car-sharing system using blockchain. IEEE Access **2021**, 9, 54796–54810.
- Kwon, D.K.; Yu, S.J.; Lee, J.Y.; Son, S.H.; Park, Y.H. WSN-SLAP: Secure and lightweight mutual authentication protocol for wireless sensor networks. Sensors
**2021**, 21, 936. [Google Scholar] [CrossRef] - Shashidhara, R.; Nayak, S.K.; Das, A.K.; Park, Y. On the design of lightweight and secure mutual authentication system for global roaming in resource-limited mobility networks. IEEE Access
**2021**, 9, 12879–12895. [Google Scholar] [CrossRef] - Wang, D.; Cheng, H.; Wang, P.; Huang, X.; Jian, G. Zipf’s law in passwords. IEEE Trans. Inf. Forensics Secur.
**2017**, 12, 2776–2791. [Google Scholar] [CrossRef] - Bagga, P.; Das, A.K.; Wazid, M.; Rodrigues, J.J.; Choo, K.K.R.; Park, Y. On the design of mutual authentication and key agreement protocol in internet of vehicles-enabled intelligent transportation system. IEEE Trans. Veh. Technol.
**2021**, 70, 1736–1751. [Google Scholar] [CrossRef] - Son, S.; Lee, J.; Park, Y.; Park, Y.; Das, A.K. Design of blockchain-based lightweight V2I handover authentication protocol for VANET. IEEE Trans. Netw. Sci. Eng.
**2022**, 9, 1346–1358. [Google Scholar] [CrossRef] - Wazid, M.; Bagga, P.; Das, A.K.; Shetty, S.; Rodrigues, J.J.; Park, Y. AKM-IoV: Authenticated key management protocol in fog computing-based Internet of vehicles deployment. IEEE Internet Things J.
**2019**, 6, 8804–8817. [Google Scholar] [CrossRef] - Boyko, V.; MacKenzie, P.; Patel, S. Provably secure password-authenticated key exchange using Diffie-Hellman. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Bruges, Belgium, 14–18 May 2000; Springer: Berlin/Heidelberg, Germany, 2000; pp. 156–171. [Google Scholar]
- Kwon, D.; Son, S.; Park, Y.; Kim, H.; Park, Y.; Lee, S.; Jeon, Y. Design of Secure Handover Authentication Scheme for Urban Air Mobility Environments. IEEE Access
**2022**, 10, 42529–42541. [Google Scholar] [CrossRef] - Ryu, J.; Oh, J.; Kwon, D.; Son, S.; Lee, J.; Park, Y.; Park, Y. Secure ECC-based three-factor mutual authentication protocol for telecare medical information system. IEEE Access
**2022**, 10, 11511–11526. [Google Scholar] [CrossRef]

Schemes | Cryptographic Technologies | Advantages and Limitations |
---|---|---|
Wazid et al. [11] | Hash functions; Fuzzy extractor | Presented IoD environments and utilized biometrics information to ensure the security of remote users; Vulnerable to privileged insider and impersonation attacks |
Teng et al. [12] | ECDSA | Defined security threats in IoD environments named “attacker mode”; Requires large computation overheads |
Srinivas et al. [13] | Hash functions; Fuzzy extractor | Used temporal credentials for mutual authentication; Vulnerable to untraceability and stolen verifier attacks |
Ali et al. [14] | Hash functions; Fuzzy extractor; Symmetric key primitives | Anonymous and lightweight security solution using temporal credentials and symmetric key primitives; Vulnerable to ESL, physical and cloning attacks |
Ever et al. [15] | Bilinear pairings; ECC | Analyzed studies that utilized UAVs as mobile sinks; Requires high computation overheads; Cannot provide anonymity and untraceability |
Wu et al. [17] | Hash functions; Fuzzy extractor | Proposed a drone-to-user authentication scheme for 5G networks; Vulnerable to physical attacks due to the stored parameters in UAV |
Tanveer et al. [18] | Hash functions; Fuzzy extractor; ECC; Symmetric key primitives | Provides anonymous communication to users using AES and ECC; Vulnerable to physical attacks due to the stored parameters in UAV |
Alladi et al. [19] | PUF; Message authentication code; Symmetric key primitives | Classified drones by layer and proposed PUF-based two-stage authentication protocol; Vulnerable to replay, insider, server spoofing, DoS attacks |
Pu et al. [20] | PUF; Chaotic system | Used PUF and chaotic map technologies to generate random key; Vulnerable to physical attacks because of a stored challenge value in the memory of UAV |
Zhang et al. [21] | Hash functions; Fuzzy extractor; FourQ; Symmetric key primitives | Proposed authentication scheme using FourQ and BPV pre-computation technologies; Requires high computation and communication overheads; Cannot provide user anonymity |
Akram et al. [4] | Hash functions; Fuzzy extractor; Symmetric key primitives | Provides privacy of location information to remote users and drones; Vulnerable to drone impersonation, stolen verifier, and DoS attacks, and has a correctness problem |

Notation | Description |
---|---|
$I{D}_{m},I{D}_{n}$ | Identity of the user and drone |
$SI{D}_{c},SI{D}_{m},SI{D}_{n}$ | Pseudonym of the control center, user and drone |
$Bi{o}_{m}$ | Biometric of the user |
${k}_{m},{k}_{n}$ | Master private key of the user and drone |
$s,MSK$ | Secret keys of the control center |
$Rep(.)$ | Fuzzy biometric reproduction |
$Gen(.)$ | Fuzzy biometric generator |
${a}_{1},{a}_{2},{a}_{3}$ | Random numbers |
$SK$ | Session key |
$h(.)$ | Hash function |
$\parallel$ | Concatenation operator |
$\oplus$ | Exclusive-OR operator |

Notation | Description |
---|---|
${\mathcal{PR}}_{1},{\mathcal{PR}}_{2}$ | Principals |
$MS{G}_{1},MS{G}_{2}$ | Statements |
$SK$ | Session key |
${\mathcal{PR}}_{1}\vert\equiv MS{G}_{1}$ | ${\mathcal{PR}}_{1}$ believes $MS{G}_{1}$ |
${\mathcal{PR}}_{1}\vert\sim MS{G}_{1}$ | ${\mathcal{PR}}_{1}$ once said $MS{G}_{1}$ |
${\mathcal{PR}}_{1}\vert\Rightarrow MS{G}_{1}$ | ${\mathcal{PR}}_{1}$ controls $MS{G}_{1}$ |
${\mathcal{PR}}_{1}\lhd MS{G}_{1}$ | ${\mathcal{PR}}_{1}$ receives $MS{G}_{1}$ |
$\#MS{G}_{1}$ | $MS{G}_{1}$ is fresh |
${\left(MS{G}_{1}\right)}_{KEY}$ | $MS{G}_{1}$ is encrypted with $KEY$ |
${\mathcal{PR}}_{1}\stackrel{KEY}{\leftrightarrow}{\mathcal{PR}}_{2}$ | ${\mathcal{PR}}_{1}$ and ${\mathcal{PR}}_{2}$ have shared key $KEY$ |

SFF | [14] | [17] | [18] | [21] | [24] | [4] | Proposed |
---|---|---|---|---|---|---|---|

$SP1$ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

$SP2$ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

$SP3$ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

$SP4$ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

$SP5$ | ✓ | ✓ | ✓ | ✓ | × | ✓ | ✓ |

$SP6$ | × | × | × | × | × | × | ✓ |

$SP7$ | × | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

$SP8$ | ✓ | ✓ | ✓ | ✓ | × | × | ✓ |

$SP9$ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

$SP10$ | × | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

$SP11$ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

$SP12$ | ✓ | ✓ | ✓ | ✓ | ✓ | × | ✓ |

$SP13$ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

$SP14$ | ✓ | ✓ | ✓ | ✓ | ✓ | × | ✓ |

$SP15$ | ✓ | ✓ | ✓ | ✓ | ✓ | × | ✓ |

Schemes | Total Costs | Number of Messages |
---|---|---|
Ali et al. [14] | 1696 bits | 3 messages |
Wu et al. [17] | 3360 bits | 3 messages |
Tanveer et al. [18] | 2240 bits | 3 messages |
Zhang et al. [21] | 5760 bits | 4 messages |
Tanveer et al. [24] | 1856 bits | 3 messages |
Akram et al. [4] | 2304 bits | 3 messages |
Proposed | 2560 bits | 3 messages |

Schemes | Remote User Side | Control Center Side | Drone Side | Total | Total Costs (ms) |
---|---|---|---|---|---|
[14] | $10{T}_{H}+1{T}_{FE}$ | $7{T}_{H}$ | $7{T}_{H}$ | $24{T}_{H}+1{T}_{FE}$ | ≈1.301 ms |
[17] | $12{T}_{H}+1{T}_{FE}$ | $9{T}_{H}$ | $8{T}_{H}$ | $29{T}_{H}+1{T}_{FE}$ | ≈1.446 ms |
[18] | $9{T}_{H}+4{T}_{ENC}+3{T}_{ECC}$ | $4{T}_{H}+3{T}_{ENC}+1{T}_{ECC}$ | $7{T}_{H}+2{T}_{ENC}+2{T}_{ECC}$ | $20{T}_{H}+9{T}_{ENC}+6{T}_{ECC}$ | ≈4.534 ms |
[21] | $7{T}_{H}+3{T}_{pmFourQ}+1{T}_{ENC}+1{T}_{O}+1{T}_{M}$ | $5{T}_{H}+1{T}_{pmFourQ}+2{T}_{ENC}+1{T}_{M}$ | $4{T}_{H}+1{T}_{pmFourQ}+1{T}_{ENC}+1{T}_{O}$ | $16{T}_{H}+5{T}_{pmFourQ}+4{T}_{ENC}+2{T}_{O}+2{T}_{M}$ | ≈10.943 ms |
[24] | $6{T}_{H}+3{T}_{AC}+3{T}_{ECC}+1{T}_{FE}$ | $2{T}_{H}+1{T}_{ECC}+3{T}_{AC}$ | $3{T}_{H}+2{T}_{ECC}+2{T}_{AC}$ | $11{T}_{H}+6{T}_{ECC}+8{T}_{AC}+1{T}_{FE}$ | ≈5.114 ms |
[4] | $9{T}_{H}$ | $7{T}_{H}+2{T}_{ENC}$ | $7{T}_{H}$ | $23{T}_{H}+2{T}_{ENC}$ | ≈0.739 ms |
Ours | $11{T}_{H}+1{T}_{FE}$ | $11{T}_{H}$ | $10{T}_{H}+1{T}_{FE}$ | $32{T}_{H}+2{T}_{FE}$ | ≈2.138 ms |

© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Park, Y.; Ryu, D.; Kwon, D.; Park, Y.
Provably Secure Mutual Authentication and Key Agreement Scheme Using PUF in Internet of Drones Deployments. *Sensors* **2023**, *23*, 2034.
https://doi.org/10.3390/s23042034
