Provably Secure Mutual Authentication and Key Agreement Scheme Using PUF in Internet of Drones Deployments

Internet of Drones (IoD), designed to coordinate the access of unmanned aerial vehicles (UAVs), is a specific application of the Internet of Things (IoT). Drones are used to control airspace and offer services such as rescue, traffic surveillance, environmental monitoring, delivery and so on. However, IoD continues to suffer from privacy and security issues. Firstly, messages are transmitted over public channels in IoD environments, which compromises data security. Further, sensitive data can also be extracted from stolen mobile devices of remote users. Moreover, drones are susceptible to physical capture and manipulation by adversaries, which are called drone capture attacks. Thus, the development of a secure and lightweight authentication scheme is essential to overcoming these security vulnerabilities, even on resource-constrained drones. In 2021, Akram et al. proposed a secure and lightweight user–drone authentication scheme for drone networks. However, we discovered that Akram et al.'s scheme is susceptible to user and drone impersonation, verification table leakage, and denial of service (DoS) attacks. Furthermore, their scheme cannot provide perfect forward secrecy. To overcome the aforementioned security vulnerabilities, we propose a secure mutual authentication and key agreement scheme between user and drone pairs. The proposed scheme utilizes a physical unclonable function (PUF) to give drones uniqueness and resistance against drone capture attacks. Moreover, the proposed scheme uses a fuzzy extractor to derive secret parameters from the biometrics of users. We analyze the security of the proposed scheme using informal security analysis, Burrows–Abadi–Needham (BAN) logic, a Real-or-Random (RoR) model, and Automated Verification of Internet Security Protocols and Applications (AVISPA) simulation. We also compare the security features and performance of the proposed scheme with those of existing related schemes. Therefore, we demonstrate that the proposed scheme is suitable for IoD environments and can provide users with secure and convenient wireless communications.


Introduction
Internet of Drones (IoD) [1], often referred to as an unmanned aerial vehicle (UAV) network, is a layered network control architecture designed to coordinate the access of drones. Drones in IoD environments can perform various flight tasks by embedding sensors, actuators, recorders, batteries, computation, and communication modules. Figure 1 shows the basic structure of a drone in IoD environments. With these modules, drones are used to control the airspace and offer services such as rescue, healthcare, traffic surveillance, environmental monitoring, delivery, and search to users [2]. The IoD architecture generally comprises remote users, a control server, and drones. Remote users query the information of drones to receive useful services. The control server is centrally located in the wireless communication flow, mediating and providing a seamless data exchange process between remote users and drones. Drones, located in their own flying zones, collect surrounding environment information and send it to users through the control center. Although IoD environments offer useful services to users, they can suffer from several privacy and security issues [3]. Firstly, IoD environments can be vulnerable to various security attacks, such as eavesdropping, deletion, and interception, because all messages are transmitted via a public channel. Moreover, the mobile devices of remote users can be stolen or lost, and the sensitive data stored on these devices can threaten the whole IoD environment. Additionally, drones can be physically captured by malicious adversaries, who can then try to impersonate them using secret information extracted from the drones through power analysis attacks. Finally, drones in IoD environments are designed with restricted power, computation, and storage resources because the energy source is preferentially devoted to flying tasks. Thus, a secure and lightweight authentication scheme is necessary, considering the above security vulnerabilities and the specific features of IoD environments.
In 2021, Akram et al. [4] proposed a user-drone access scheme designed to be secure and lightweight for drone networks. The authors claimed that the scheme resists user, control center, and drone impersonation attacks and provides anonymity and untraceability. However, we find that Akram et al.'s scheme is vulnerable to drone impersonation, verification table leakage, and denial of service (DoS) attacks. In addition, their scheme cannot ensure perfect forward secrecy and fails to guarantee correctness. To address these vulnerabilities, we propose a mutual authentication and key agreement (MAKA) scheme that can provide convenient services to users with high security and efficiency in IoD environments. In the proposed scheme, we utilize biometrics [5] to resist various security attacks, such as offline guessing attacks on user devices. Moreover, we apply physical unclonable function (PUF) [6] technology to prevent cloning of drones and physical attacks that extract drone secrets through power analysis. Considering real-time communication in IoD environments and the limited computation resources of user devices and drones, we only utilize hash functions and exclusive-OR operators, which are lightweight in terms of computation and communication overheads.

• We review and perform a security analysis of Akram et al.'s scheme. Then, we propose a MAKA scheme designed to ensure high security using biometrics and PUF. Hash functions and exclusive-OR operations are used for a lightweight architecture, making the proposed scheme suitable for drone networks. Moreover, a fuzzy extractor and PUF are applied in the proposed scheme to enhance the security level.
• We prove the security robustness of the proposed scheme using the Automated Verification of Internet Security Protocols and Applications (AVISPA) simulation tool [7,8], the Real-or-Random (RoR) model [9], and Burrows-Abadi-Needham (BAN) logic [10].
• We perform an informal analysis to ensure that the proposed scheme can provide security against various attacks, including offline password guessing, session key disclosure, verification table leakage, impersonation, and DoS attacks. Additionally, we show that the proposed scheme can achieve mutual authentication, perfect forward secrecy, untraceability, and anonymity.
• We evaluate and compare the security features, communication, and computation costs of the proposed scheme with existing authentication schemes, including Akram et al.'s scheme.

Organization
In Section 2, we introduce existing studies on IoD environments. We provide a system model as well as an adversary model, the fuzzy extractor, and the PUF used in the proposed scheme in Section 3. Then, we review Akram et al.'s scheme in Section 4. Section 5 describes the security vulnerabilities discovered in Akram et al.'s scheme. The proposed scheme is introduced in Section 6. Security analyses, i.e., BAN logic, the RoR model, and AVISPA simulation, are presented in Section 7, and performance analyses, i.e., security features, communication and computation costs, are presented in Section 8. In Section 9, we conclude our paper and describe future work.

Related Works
Since the basic concept of IoD environments was introduced by Gharibi et al. [1], various authentication schemes have been proposed over the past few years. In 2018, Wazid et al. [11] proposed an authentication scheme to provide remote users with drone services based on three-factor technology. To apply lightweight communication services, Wazid et al. utilize hash functions and exclusive-OR operators. However, their scheme cannot prevent privileged insider and impersonation attacks. In 2019, Teng et al. [12] analyzed security vulnerabilities, named "attacker mode", which can happen in IoD environments. Thus, they proposed an authentication scheme utilizing the elliptic curve digital signature algorithm (ECDSA) to verify the legitimacy of identity signatures on drones. However, Teng et al.'s scheme was designed as an authentication scheme involving two-way authentication between drones based on ECC, which incurs a large computational overhead. Srinivas et al. [13] proposed a temporal credential-based authentication scheme for IoD networks. Srinivas et al. argued that security and efficiency are the main requirements for the IoD environment, and that a lightweight authentication protocol is essential to satisfy these requirements. The authors claimed that their scheme can resist various security attacks such as stolen mobile device, replay, MITM, ephemeral secret leakage (ESL), impersonation, password and/or biometric update, and remote drone capture attacks. In 2020, Ali et al. [14] pointed out that Srinivas et al.'s scheme [13] does not provide untraceability and cannot resist stolen-verifier attacks. To overcome this, Ali et al. suggested a lightweight authentication scheme for drones using symmetric key primitives and temporal credentials. Ever [15] suggested a framework for mobile sinks used in drones using bilinear pairing and ECC, which has a large computational cost. However, Ever's protocol cannot provide user anonymity and untraceability [16]. In 2022, Wu et al. [17] proposed a drone communication scheme for 5G networks. They argued that several existing IoD protocols have high computation overheads because they use a public key infrastructure (PKI) mechanism. Therefore, they only utilized hash functions and exclusive-OR operators. In the same year, Tanveer et al. [18] proposed an authentication mechanism for IoD environments. They used an AES-CBC-256 cipher and ECC to ensure the anonymity of users. Although the above schemes [11–15,17,18] provide useful services such as healthcare, rescue, and traffic surveillance, they can suffer from physical attacks because each drone cannot protect its security parameters from power analysis attacks.
To strengthen the authentication process and access control of drones, various PUF-based authentication schemes have been proposed. Alladi et al. [19] proposed a two-stage authentication protocol that divides drones into hierarchies for smart drone networks. In Alladi et al.'s scheme, each drone equipped with a PUF communicates with a ground station through a leader drone, reducing network overhead. Thus, the authors claimed their scheme does not require the storage of secret keys in drones, protecting it from impersonation, drone tampering, and MITM attacks. In the same year, Pu et al. [20] proposed an authentication protocol for drone environments using PUF and chaotic systems. The authors used the challenge-response pair of the PUF as the seed value of the chaotic system to jumble the message randomly. In 2021, Zhang et al. [21] suggested a three-party authentication scheme for IoD environments. In Zhang et al.'s scheme, the head drone manages member drones and mediates the communication between the ground station and member drones. The entire process of their scheme only uses hash functions and XOR operations. Moreover, the authors introduced PUF systems to prevent physical capture attacks.
In 2021, Akram et al. [4] suggested a scheme for secure and efficient drone access in IoD networks. The authors demonstrated that various security attacks, e.g., user, control center, and drone impersonation attacks, can be prevented in their scheme. However, our security analysis indicates that their scheme is vulnerable to DoS, session key disclosure, stolen-verifier, and drone impersonation attacks and cannot provide perfect forward secrecy.
We summarize the cryptographic techniques and the advantages and limitations of the existing related schemes [4,11–15,17–21] in Table 1. Although previous authentication schemes can provide convenient services to users, they still have high computational and communication overhead and security drawbacks. Therefore, we propose a secure drone-access scheme that addresses these security flaws while considering the lightweight communication characteristics of IoD environments. The proposed scheme can resist stolen mobile device and drone impersonation attacks using biometric and PUF technologies, respectively. Moreover, the proposed scheme can support efficient communications using only hash functions and exclusive-OR operators.

Table 1. Cryptographic technologies and properties of the related schemes for IoD environments.

Schemes | Cryptographic Technologies | Advantages and Limitations
Wazid et al. [11] | * Hash functions * Fuzzy extractor | * Presented IoD environments and utilized biometric information to ensure the security of remote users * Vulnerable to privileged insider and impersonation attacks
Teng et al. [12] | * ECDSA | * Defined security threats in IoD environments named "attacker mode" * Requires large computation overheads

Preliminaries
We present the system model and adversary model for IoD environments. Moreover, we introduce some relevant preliminaries to understand this paper.

System Model
As shown in Figure 2, IoD environments consist of a control center, users and drones. According to the IoD environment model, various drones collect the data in their particular zones in a target field and transmit the data to the server. External users are required to connect to the server to obtain data from the deployed drones. For access, secure authentication is necessary between the user and drone via the control center. Subsequently, the user and drone pair share a session key and begin communication. The details of this process are as follows.

• Remote user (U m ): A remote user U m owns a mobile device to receive IoD services. To communicate with a drone D n , U m must register with the control center. U m utilizes biometric technology in addition to identity and password to store sensitive information safely.
• Control center: The control center is a trusted third party with enough computation and storage capacities. Therefore, the control center performs the role of the system manager of IoD environments. Furthermore, the control center authenticates both U m and D n using their information and helps U m to access D n . The control center generates secret keys for U m and D n from their identities.
• Drone (D n ): A drone D n collects the data in its particular flying zone and must be registered by the control center to communicate with U m . Then, D n sends the data to U m through the control center. Moreover, D n has restricted computation and storage capacities.

Adversary Model
We follow the widely used adversary model, named the "Dolev-Yao (DY) adversary model" [22,23]. Under the DY model, the entities involved in the IoD environments, i.e., U m and D n , are not assumed to be trustworthy, and the communication channel is insecure. Therefore, an adversary A can modify or delete the transmitted messages and can also eavesdrop on the exchanged messages. Furthermore, drones move around in unattended hostile areas with collected sensor data. Thus, they are vulnerable to physical capture attacks [11,24], and the sensitive data stored in the drone can be extracted using power analysis attacks.

Fuzzy Extractor
The fuzzy extractor [25] is widely accepted for verifying biometric authentication. A biometric key can be generated from a biometric template such as fingerprints, faces and irises. The fuzzy extractor is defined with the following two algorithms:
• Gen(Bio m ) = (α m , β m ): A probabilistic algorithm that generates a secret key α m . The user inputs biometric Bio m ; the outputs of this function are the secret parameter α m and the public reproduction parameter β m .
• Rep(Bio * m , β m ) = (α m ): A deterministic algorithm that recreates the original α m . The function accepts a noisy user biometric Bio * m and corrects the noise using the public reproduction parameter β m . Then, this algorithm reproduces the original biometric secret key α m .

Physical Unclonable Function
PUF is a physical circuit that maps a bit-string pair called a "challenge-response pair" [6]. When an input challenge value is entered into the PUF circuit, it produces an output that is an arbitrary string of bits. In this paper, we use PUF to generate secret values instead of storing them in the memory of the drone, and we obtain a response stable enough for security use by applying a fuzzy extractor. The properties of PUF are as below.
• The PUF is a physical microstructure of the device.
• It is extremely difficult or impossible to clone the PUF circuit.
• An unpredictable response value must be output.
• It is possible to evaluate and implement a PUF circuit easily.
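The following Python model, added here as an illustration and not taken from the paper or from any drone firmware, puts the two preliminaries above together: a simulated PUF (a keyed hash over a per-device secret with injected bit flips, standing in for a physical circuit) and a fuzzy extractor built from the code-offset construction with a repetition code. SimulatedPUF, gen, rep, REP, KEY_BYTES and the noise model are all assumptions of this example; the paper does not specify the construction of its fuzzy extractor [25]. The example shows that α is reproduced from a noisy response as long as every repetition block has fewer than REP/2 flipped bits, and that reproduction fails once a single block is flooded with errors.

```python
"""Added example: a software stand-in for a PUF plus a code-offset fuzzy extractor.
Not the paper's code; the PUF model, the repetition code and all parameters are assumptions."""
import hashlib
import hmac
import os

KEY_BYTES = 12                    # length of the extracted secret alpha (constructed parameter)
REP = 5                           # repetition factor: each key bit is encoded as REP copies
CODE_BITS = KEY_BYTES * 8 * REP   # 480 of the 512 response bits are used

def bytes_to_bits(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def bits_to_bytes(bits: list) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

class SimulatedPUF:
    """Models a challenge-response circuit: the per-device secret plays the role of the
    physical microstructure, HMAC-SHA512 the mapping, and flip_positions the read-out noise."""
    def __init__(self, device_secret: bytes):
        self._secret = device_secret

    def respond(self, challenge: bytes, flip_positions=()) -> bytes:
        bits = bytes_to_bits(hmac.new(self._secret, challenge, hashlib.sha512).digest())
        for pos in flip_positions:          # simulated measurement noise
            bits[pos] ^= 1
        return bits_to_bytes(bits)

def gen(w: bytes):
    """Gen(w) = (alpha, beta): alpha is a fresh random secret; beta = encode(alpha) XOR w is
    public helper data from which alpha is recoverable only with a reading close to w."""
    alpha = os.urandom(KEY_BYTES)
    codeword = [b for b in bytes_to_bits(alpha) for _ in range(REP)]
    w_bits = bytes_to_bits(w)[:CODE_BITS]
    beta = [c ^ x for c, x in zip(codeword, w_bits)]
    return alpha, beta

def rep(w_star: bytes, beta: list) -> bytes:
    """Rep(w*, beta): decode (w* XOR beta) by majority vote in each block of REP bits.
    Correct whenever fewer than REP/2 bits of every block were flipped between readings."""
    noisy = [x ^ b for x, b in zip(bytes_to_bits(w_star)[:CODE_BITS], beta)]
    key_bits = [1 if sum(noisy[i:i + REP]) * 2 > REP else 0 for i in range(0, CODE_BITS, REP)]
    return bits_to_bytes(key_bits)

def enroll_and_reproduce(device_secret: bytes, challenge: bytes, flip_positions=()):
    """Enrolment reading -> Gen; later noisy reading -> Rep. Returns (alpha, reproduced)."""
    puf = SimulatedPUF(device_secret)
    alpha, beta = gen(puf.respond(challenge))
    return alpha, rep(puf.respond(challenge, flip_positions), beta)

if __name__ == "__main__":
    # constructed noise: about 14 % of the used bits flipped, never two in the same block
    alpha, again = enroll_and_reproduce(b"device-secret", b"challenge-1", range(0, CODE_BITS, 7))
    print("reproduced under spread-out noise:", alpha == again)
    # three flips inside the first block defeat the majority vote for key bit 0
    alpha, again = enroll_and_reproduce(b"device-secret", b"challenge-1", [0, 1, 2])
    print("reproduced under clustered noise:", alpha == again)
```

The repetition code keeps the decoding logic visible; a deployment would use a stronger code (for example BCH) so that the same response length tolerates a realistic PUF error rate with a far smaller failure probability. The helper data β must still be treated as public but integrity-protected, since a tampered β changes which α is reproduced.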

Revisit of Akram et al.'s Scheme
Akram et al. [4] suggested a drone-access authentication protocol for surveillance tasks in a smart city. Akram et al.'s scheme is composed of the following phases: (1) user registration; (2) drone registration; (3) authentication and key agreement (AKA) phases. Table 2 shows the whole notation and description in their scheme.

Remote User Registration Phase
Step 1: The user inputs their own ID m , PW m and imprints Bio m . Then, U m calculates Gen(Bio m ) = (α m , β m ) and sends ID m to the control center.
Step 2: The control center calculates SID m = h(ID m ||s), k m = h(SID m ||MSK) and generates a random number a m . After that, the control center computes MID m = Enc MSK (SID m ||α m ) and sends {k m , SID m , SID n } to U m .

Drone Registration Phase
Step 1: D n selects ID n and sends it to the control center.
Step 2: The control center computes SID n = h(ID n ||s), k n = h(SID n ||MSK) and stores {ID n , k n , SID n } in its database. Then, the control center sends {k n , SID n } to D n .
Step 3: When D n receives {k n , SID n }, D n saves them in the memory.

AKA Phase
Step 1: U m inputs ID m , PW m and also imprints Bio m . Then, Step 2: The control center retrieves (SID m ||α m ) = Dec MSK (MID m ). Then, the control cen- , and verifies k n against SID * n . Then, the control center computes The control center generates a 2 , a new m and computes MID new Step 3: = A 9 and computes SK nm = h(SID * * m ||SID n || SID c ||A * 8 ).

Cryptanalysis of Akram et al.'s Scheme
According to Section 3.2, an adversary A can obtain {γ m , SID u m , SID n } from a legitimate user's mobile device. Moreover, A can obtain {k n , SID n } from a captured drone using a power analysis attack. With this information, various security attacks, i.e., session key disclosure, drone impersonation, stolen-verifier, and DoS attacks, can be executed by A, and perfect forward secrecy is not provided. The details are shown below.

Session Key Disclosure Attack
For A to generate a session key SK nm = h(SID m ||SID n ||SID c ||A 8 ), A has to obtain SID m , SID n and A 8 = h(a 1 ||a 2 ||a 3 ). The procedures are as follows.
Step 1: Thus, Akram et al.'s scheme is insecure against session key disclosure attacks.

Drone Impersonation Attack
In this attack, we assume that A can capture drones D n physically and obtain the value {SID n , k n } stored in the memory of D n . In order to be able to forward message {A 7 , A 9 } on behalf of legal D n , then A has to calculate the value of A can compute the A 7 and A 9 through the following below: Step 1: The adversary A first intercepts {A 4 , A 5 , A 6 } transmitted by the public channel.
Step 2: A can obtain a 1 , Step 3: A can compute SID m through SID m = A 5 ⊕ h(SID n ||SID c ||k n ||a 1 ).
Therefore, Akram et al.'s scheme cannot resist drone impersonation attacks.

Stolen-Verifier Attack
When A obtains the table information {k n , SID n } of the control center, A can calculate SK nm = h(SID m ||SID n ||SID c ||A 8 ). The steps are the same as Section 5.1. Therefore, Akram et al.'s scheme is vulnerable to stolen-verifier attacks.

Perfect Forward Secrecy
Let us suppose that the control center's long-term secret key MSK is compromised by the adversary A, and A has captured all the previously transmitted messages MID m , A 1 , A 2 and A 4 through the public channel.
Thus, Akram et al.'s scheme does not provide perfect forward secrecy.

DoS Attack
In the AKA phase, no local login verification is performed on the remote user (U m ) side. After inputting ID m , PW m , and Bio m , U m computes α m , SID m , and k m . Then, U m immediately generates a random nonce and computes an authentication request message {MID m , A 1 , A 3 }. Therefore, if the adversary A obtains the stolen/lost mobile device of U m , A can input a randomly selected identity, password, and biometrics and send an unlimited number of login authentication request messages to the control center. These messages overload the control center. Thus, Akram et al.'s scheme is vulnerable to DoS attacks.

Correctness
In the user registration phase, the control center calculates the value of MID m . After that, the MID m is not transmitted to U m , and U m cannot compute it because the MID m is masked with MSK, which is the control center's secret key. However, in the AKA phase, U m sends the MID m to the control center as the first transmitted message. Thus, Akram et al.'s scheme has a correctness problem.

Proposed Scheme
The proposed scheme consists of the following phases: (1) initialization; (2) user registration; (3) drone registration; (4) MAKA. We show the flowchart of the proposed scheme in Figure 3. The proposed scheme is lightweight as it uses only the cryptographic one-way hash function and exclusive-OR operations, apart from the fuzzy extractor and the PUF technique, which are needed for verification on the user side and the drone side, respectively.

Initialization Phase
In this phase, the control center selects an identity and a challenge for the drone D n before the registration phase. Detailed steps are illustrated in Figure 4. This phase is performed via a secure channel.

Step 1: The control center selects an identity ID n and a challenge CH n and sends {ID n , CH n } to the drone D n .
Step 2: The drone stores {ID n , CH n } in the memory.

Drone Registration Phase
In this phase, a drone D n is registered at the control center before its deployment in the IoD environment, through a secure channel. Detailed steps are illustrated in Figure 5.
Step 1: The drone D n retrieves the challenge CH n stored in the memory and computes RE n = PUF(CH n ), and Gen(RE n ) = (α n , β n ). After that, the D n sends {ID n , CH n } to the control center.
Step 2: The control center generates a random number a n and computes SID n = h(ID n ||s), k n = h(SID n ||s||a n ), and saves {ID n , SID n , a n , CH n } in the database. Then, the control center sends {SID n , k n } to the D n .
Step 3: Finally, the D n deletes the CH n and computes γ n = h(ID n ||α n ) ⊕ k n , SID D n = h(ID n ||α n ||k n ) ⊕ SID n , and stores {γ n } in its memory.

User Registration Phase
In the user registration phase, a remote user U m has to register at the control center to access real-time information from an accessed drone D n in IoD environments. This procedure is performed via a secure channel with the following steps. Figure 6 shows the details.

Step 1: The user U m selects an identity ID m , a password PW m , and a biometric template Bio m . After that, the mobile device calculates Gen(Bio m ) = (α m , β m ). U m sends {ID m } to the control center.
Step 2: The control center generates random number a m and computes SID m = h(ID m ||s),

MAKA Phase
The following steps are performed among the U m , the control center, and an accessed drone D n through a public channel. To establish a session key for secure communication among them, they need to perform the MAKA processes. Details are illustrated in Figure 7.

Step 1: U m inputs ID m , PW m and imprints Bio m . The mobile device computes α m = Rep(Bio m , β m ) and checks whether the recomputed verifier equals δ m . Then, U m generates a random nonce a 1 and calculates A 1 = h(SID m ||SID c ||k m ) ⊕ a 1 , A 2 = h(SID m ||SID c ) ⊕ SID n , and V 1 = h(SID m ||SID n ||SID c ||k m ||a 1 ). U m sends {MID m , A 1 , A 2 , V 1 } to the control center.
Step 2: If the recomputed value equals V 1 , the control center computes MID new m = h(SID m ||a 1 ) and updates MID m . Then, the control center checks for ID n , a n , CH n against SID n from its database and computes k n = h(SID n ||s||a n ). The control center calculates A 3 = h(SID n ||k n ) ⊕ (a 1 ||a 2 ), A 4 = h(SID n ||k n ||a 1 ) ⊕ SID m , A 5 = h(SID c ||ID n ) ⊕ CH n , and V 2 = h(SID m ||SID n ||SID c ||k n ||a 1 ||a 2 ) and sends {A 3 , A 4 , A 5 , V 2 } to the drone.

Security Analysis
To prove the security robustness of the proposed scheme, BAN logic, RoR model, and AVISPA simulation are used in this section. Using informal security analysis, we analyze the theoretical security of the proposed scheme.

BAN Logic
BAN logic [10] is a widely known formal proof used by many researchers to show mutual authentication of protocols [26][27][28]. Therefore, we apply the proposed scheme to BAN logic proof and verify mutual authentication. We introduce notations and descriptions for BAN logic in Table 3. In BAN logic, there are five logical rules: message meaning rule (MMR), nonce verification rule (NVR), jurisdiction rule (JR), belief rule (BR), and freshness rule (FR). Details are as follows.

Goals
In the proposed scheme, there are four goals for the BAN logic. Let the user, control center, and drone be U m , CC, and D n , respectively.

Assumptions
We show the assumptions used in the BAN logic proof as follows.

BAN Logic Proof
Step 1: We can obtain RA 1 from the message Mes 1 .
Step 2: We can obtain RA 2 from the rule MMR using RA 1 and AS 6 .
Step 3: We can obtain RA 3 from the rule FR using S 3 and AS 1 .
Step 4: We can obtain RA 4 from the rule NVR using RA 2 and RA 3 .
Step 5: We can obtain RA 5 from the message Mes 2 .
RA 5 : D n {a 1 , a 2 , SID m } k n
Step 6: We can obtain RA 6 from the MMR using RA 5 and AS 7 .
Step 7: We can obtain RA 7 from the FR using RA 6 and AS 2 .
Step 8: We can obtain RA 8 from the NVR using RA 6 and RA 7 .
Step 9: We can obtain RA 9 from the message Mes 3 .
Step 10: We can obtain RA 10 from the MMR using RA 9 and AS 8 .
Step 11: We can obtain RA 11 from the NVR using RA 10 and AS 3 .
Step 12: We can obtain RA 12 and RA 13 from RA 8 and RA 11 . Therefore, U m and D n can compute the session key SK = h(A 7 ||a 1 ||a 2 ||a 3 ), where A 7 = h(SID m ||SID n ||SID c ).
Step 13: We can obtain RA 14 and RA 15 from the jurisdiction rule using RA 12 and AS 4 , and RA 13 and AS 5 , respectively.

RoR Model
The Real-or-Random model [9] is a formal proof method that proves the session key security of a protocol. Thus, we establish the premises for applying the proposed scheme to the RoR model. There are participants, an adversary and queries in our scheme. Participants are the entities that communicate with each other in the proposed scheme; they are PAR i U , PAR j C , and PAR k D , where i, j, and k are the instances of the user, control center, and drone, respectively. The adversary in the RoR model can modify, delete, and eavesdrop on the exchanged messages. With this ability, the adversary can perform various queries such as Execute, CorruptDevice, Send, and Test. We describe the details of these queries below.
• Execute(PAR i U , PAR j C , PAR k D ): In this query, the adversary eavesdrops on messages transmitted via an open channel. Therefore, the adversary can obtain messages generated by PAR i U , PAR j C , and PAR k D . This query is a passive attack.
• CorruptDevice(PAR i U ): In this query, the adversary can obtain secret parameters from PAR i U using a power analysis attack. Therefore, the query CorruptDevice is an active attack.
• Send(PAR): In this query, the adversary can send messages to all participants PAR i U , PAR j C , and PAR k D . Furthermore, the adversary can obtain the returned messages from these participants. Thus, this query is an active attack.
• Test(PAR): Before starting the game, an unbiased coin UC is flipped in this query. The adversary obtains UC = 1 when the session key is fresh. The adversary obtains UC = 0 when the session key of the proposed scheme cannot guarantee freshness. Otherwise, the adversary obtains a "null value" ⊥. To achieve a secure session key agreement, the adversary must be unable to distinguish the session key from a random number.
Security Proof

Theorem 1. The adversary AD attempts to compute the session key SK = h(A 7 ||a 1 ||a 2 ||a 3 ) in polynomial time. We define the probability that AD breaks the security of the session key as MA AD (P). Moreover, we define H A and PU as the range spaces of the functions h(.) and PUF(.), respectively. The numbers of H A, PU, and Send queries are qu ha , qu pu , and qu se , respectively. We define the number of secret biometric bits as B m . Finally, we define Zipf's parameters [29] as C and s .
The security proof in the proposed scheme is composed of five games GA n (n = 0, 1, 2, 3, 4). Before starting the game, we define A GA n as the probability that AD wins the game and AD[A GA k ] as the advantage of A GA k . We follow the security proof according to [30][31][32].
GA 0 : In GA 0 , the adversary selects a random bit r. Thus, we obtain the following equation.
GA 1 : In GA 1 , the adversary eavesdrops on the messages {MID m , A 1 , A 2 , V 1 }, {A 3 , A 4 , A 5 , V 2 }, and {A 6 , V 3 } using the Execute query. Then, the adversary performs the Test query to obtain the session key SK = h(A 7 ||a 1 ||a 2 ||a 3 ). To compute SK, the adversary must obtain the random nonces a 1 , a 2 , and a 3 . Moreover, A 7 is composed of SID m , SID n , and SID c , where SID m is the secret parameter of the user. Therefore, the adversary cannot calculate SK, and we obtain the following equation.
GA 2 : In GA 2 , the adversary utilizes the Send and H A queries to attack the network. However, all of the parameters are masked in a cryptographic hash function, which prevents the hash collision problem. For this reason, the adversary cannot obtain the session key SK. According to the birthday paradox [33], we obtain the following inequality.
GA 3 : Similar to GA 2 , the adversary utilizes queries Send and PU in this game. According to Section 3.4, the PUF is extremely difficult or impossible to clone. This means the adversary has no advantage in GA 3 .

|AD[A
GA 4 : This is the final game, in which the adversary extracts the secret parameters {γ m , δ m , SID u m , SID u n , MID m } from the device of the user using the query CorruptDevice. The adversary attempts to calculate SK from these parameters. However, each parameter depends on the password and the biometrics of the user, which means that the adversary must guess the password and biometrics at the same time. Since this task is computationally infeasible, the adversary cannot compute SK. Therefore, we obtain the following inequality using Zipf's law [29].
After the game, the adversary guesses the result bits r, and we can make the following equation.
The result (9) can be obtained using the triangle inequality.
After multiplying (9) by 2, we obtain the required inequality.
qu se 2 B m } Therefore, we can demonstrate that the proposed scheme can ensure the session key security by proving the Theorem 1.

AVISPA Simulation
AVISPA [7,8] is a simulation tool that proves the security robustness of a protocol against replay and MITM attacks. Accordingly, various security protocols [23,34,35] have been proved using AVISPA. In this section, we explain the main data flow of AVISPA and show the simulation result.
Firstly, we need to write the proposed scheme in the specification language of AVISPA, the "High-Level Protocol Specification Language (HLPSL)". After it is written in HLPSL code, the proposed scheme is converted to the "Intermediate Format (IF)". Then, AVISPA analyzes the IF through four backends: the "On-the-Fly Model Checker (OFMC)", "Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP)", "SAT-based Model Checker (SATMC)", and "Constraint Logic-based Attack Searcher (CL-AtSe)". Because only OFMC and CL-AtSe support the exclusive-OR operator, the proposed scheme is executed in these two backends. The analyzed result is recorded and summarized in the "Output Format (OF)". If the OF reports "SAFE", we can demonstrate that the proposed scheme can prevent replay and MITM attacks.
In AVISPA, we define roles suitable for the proposed scheme. There are three roles in the proposed scheme: the user US, control center CC, and drone DR. Moreover, we show the session and environment roles in Figure 8. Figure 9 shows the role of the user US written in HLPSL code. State 1 is the user registration phase, in which US sends {ID m } to the CC through a secure channel. After receiving the return message {k m , SID m , SID n , MID m } from CC, US computes and stores γ m , δ m , SID u m , and SID u n in state 2. Then, US computes a login request message {MID m , A 1 , A 2 , V 1 } and sends it to the CC. Note that witness(US, CC, us_cc_aa1, Aa1 ) and witness(US, DR, us_dr_aa1, Aa1 ) are functions that declare the freshness of the random nonce a 1 . Finally, US receives {A 6 , V 3 } from DR and computes the session key SK = h(A 7 ||a 1 ||a 2 ||a 3 ). The code request(DR, US, dr_us_aa3, Aa3 ) denotes the acceptance of the freshness of a 3 . The AVISPA result is shown in Figure 10. As mentioned before, we execute the proposed scheme in the OFMC and CL-AtSe backends, and the summary of the result is "SAFE". Therefore, we show that the proposed scheme can prevent replay and MITM attacks.

Informal Security Analysis
We conduct an informal analysis of the proposed scheme to demonstrate its security robustness. Details are given below.

Stolen/lost Mobile Device Attack
If an adversary A obtains a lost mobile device of U m , it can extract the secret parameters {γ m , δ m , SID u m , SID u n , MID m } using power analysis attacks. However, all of the secret parameters are masked with the identity ID m , the password PW m , and the biometrics Bio m . Therefore, A must guess ID m , PW m , and Bio m at the same time, which is not practical. Thus, the proposed scheme is secure against stolen/lost mobile device attacks.

Offline Password-Guessing Attack
An adversary A can attempt an offline guessing attack using the transmitted messages {MID m , A 1 , A 2 , V 1 }, {A 3 , A 4 , A 5 , V 2 }, and {A 6 , V 3 } together with the values {γ m , δ m , SID u m , SID u n , MID m } and {γ n } extracted from the mobile device and the drone, respectively. Using a password dictionary, A can guess a candidate PW * A . However, A cannot check whether PW * A is valid, because δ m is masked with the biometric secret key α m . Therefore, the proposed scheme prevents offline password-guessing attacks.

Impersonation Attack
(1) User impersonation attack: In this attack, an adversary A tries to disguise itself as a legitimate user U m . A has to produce a valid login request message {MID m , A 1 , A 2 , V 1 }. A can obtain MID m from the mobile device. However, without the credentials SID m , SID n , and k m , it is difficult for A to calculate MID m , A 1 , A 2 , and V 1 . Thus, A cannot generate a valid login request message on behalf of U m , and the proposed scheme provides protection against user impersonation attacks.
(2) Control center impersonation attack: Suppose that A tries to send the message {A 3 , A 4 , A 5 , V 2 } to D n on behalf of the CC. However, without the credentials SID m , SID n , k n , ID n , and the random nonce a 1 , it is computationally hard for A to construct a valid message. Therefore, the proposed scheme is resilient against CC impersonation attacks.
(3) Drone impersonation attack: In this attack, a malicious adversary A conceals its identity and attempts to behave as D n . To do this, A computes CH * A = A 3 ⊕ h(ID n ||γ n ). Since PUF(.) is a physically unclonable circuit, A cannot compute RE n . Therefore, A cannot compute α n = Rep(RE n , β n ), SID n = h(ID n ||α n ), k n = γ n ⊕ SID n , or (SID m ||a 1 ||a 2 ) = A 2 ⊕ h(SID n ||SID c ||k n ), which are required to calculate A 4 = h(SID m ||SID n ||a 1 ) ⊕ (a 2 ||a 3 ). Thus, the proposed scheme prevents drone impersonation attacks.

Replay and MITM Attacks
In the proposed scheme, all messages are masked with the random nonces a 1 , a 2 , and a 3 to maintain freshness. Moreover, each participant (remote user, control center, and drone) checks the validity of the received message by computing and comparing V * 1 , V * 2 , and V * 3 . Therefore, the proposed scheme prevents replay and MITM attacks.

Physical and Cloning Attacks
For this attack, an adversary A captures a drone D n and extracts the secret parameter {γ n } from its memory. However, A cannot compute the session key SK = h(A 7 ||a 1 ||a 2 ||a 3 ), because each parameter in the message {A 3 , A 4 , A 5 , V 2 } is masked with a value derived from the PUF, which is unclonable. Thus, A gains no advantage from D n , and the proposed scheme is secure against physical and cloning attacks.

Privileged Insider Attack
In this attack, an adversary A is a privileged insider of the proposed system. Thus, A can obtain the registration request message {ID m } and the secret parameters {γ m , δ m , SID u m , SID u n , MID m } of the remote user U m . However, without PW m and the biometric secret key α m of U m , deriving the secret credentials SID m = h(ID m ||PW m ) ⊕ SID u m and k m = h(ID m ||PW m ||α m ) ⊕ γ m is computationally infeasible. Thus, the proposed scheme prevents privileged insider attacks.

Ephemeral Security Leakage Attack
To withstand this attack, the proposed scheme must remain secure even if the random numbers are leaked. Suppose that A obtains a 1 , a 2 , and a 3 , which are used during the AKA phase. However, A cannot calculate SID m , k m , and k n without knowing the secret key s of the control center. Additionally, A gains no advantage in impersonating a legitimate user U m . Thus, the proposed scheme prevents ephemeral secret leakage (ESL) attacks.

Stolen-Verifier Attack
Assume that an adversary A obtains the table data {ID n , SID n , a n , CH n } and {MID m , SID * m , a m } from the database of the control center and attempts to calculate the session key SK = h(A 7 ||a 1 ||a 2 ||a 3 ) or impersonate the control center. However, A cannot calculate the secret parameters SID m , k m , and k n without the secret keys of the control center, and it also cannot obtain the random numbers a 1 , a 2 , and a 3 . Thus, A can neither compute SK nor impersonate the control center, which means that the proposed scheme is resilient to stolen-verifier attacks.

User Anonymity and Untraceability
An adversary A cannot reveal the real identity ID m of a legitimate user, because the cryptographic one-way hash function h(.) masks ID m with the secret key of the control center. Therefore, the proposed scheme provides user anonymity.

Perfect Forward Secrecy
If the master key s of the control center is leaked to an adversary A, A can attempt to compute the SK of a previous session. However, A cannot obtain SK, because SK = h(A 7 ||a 1 ||a 2 ||a 3 ) does not include s. Moreover, even if the master secret key s is compromised, A cannot obtain SID m , SID n , a 1 , a 2 , or a 3 , because A cannot compute SID m = h(ID m ||s) without the real identity of U m , nor SID n = h(ID n ||α n ) without the secret key α n . Therefore, A gains no advantage over SK, and the proposed scheme guarantees perfect forward secrecy.

Mutual Authentication
In the MAKA phase, three messages, {MID m , A 1 , A 2 , V 1 }, {A 3 , A 4 , A 5 , V 2 }, and {A 6 , V 3 }, are transmitted via public channels. Each participant checks the legitimacy of the other participants and of the messages using V 1 , V 2 , and V 3 . If this process succeeds, authentication is ensured. Thus, the proposed scheme guarantees mutual authentication.

DoS Attack
If an adversary A tries to transmit {MID m , A 1 , A 2 , V 1 } to the control center as a replayed message, A first has to pass the login phase, which verifies the value δ m = h(α m ||k m ||SID m ). However, A cannot construct a valid δ m because A cannot obtain α m , k m , or SID m . Therefore, the replayed message is never sent to the control center, and the proposed scheme resists DoS attacks.

Drone Capture Attack
If an adversary A captures a drone D n and obtains {γ n }, A can try to threaten another legitimate drone D n1 . However, all of the drones are protected by the PUF as shown in Section 7.4.5, and γ n = h(ID n ||α n ) ⊕ k n is an independent parameter for each drone. Therefore, the proposed scheme prevents drone capture attacks.
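The following Python model is added here as an illustration and is not code from the paper. It ties together the drone-side arguments of the impersonation, physical/cloning and drone capture paragraphs and the user-side arguments of the stolen device, offline password-guessing and DoS paragraphs. It assumes h(.) is SHA-256, models the fuzzy extractor as a code-offset construction over a 3-bit repetition code, stands in for the PUF with an HMAC keyed by per-device entropy plus a few unstable cells, assumes the helper data β is stored beside γ and δ, and takes the form A 3 = CH n ⊕ h(ID n ||γ n ) from the CH * A formula above; all identities, keys and biometric readings are constructed.

```python
import hashlib
import hmac
import os
import secrets

REP = 3                        # repetition-code length (toy parameter)
N_CODE_BITS = 64               # random codeword bits
RAW_BITS = REP * N_CODE_BITS   # bits in one reading; 192 <= 256 bits of one SHA-256 digest

def h(*parts: bytes) -> bytes:
    """h(.) modelled as SHA-256 over the concatenation ||."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# ---- Fuzzy extractor: code-offset construction over a repetition code ----
def fe_gen(w):
    """Gen(w) -> (alpha, beta): alpha is the secret key, beta is public helper data."""
    c = [secrets.randbelow(2) for _ in range(N_CODE_BITS)]
    codeword = [bit for bit in c for _ in range(REP)]
    return h(bytes(c)), [wi ^ ci for wi, ci in zip(w, codeword)]

def fe_rep(w_noisy, beta):
    """Rep(w', beta): majority-decode each block, tolerating one flipped bit per block."""
    received = [wi ^ bi for wi, bi in zip(w_noisy, beta)]
    c = [int(sum(received[i:i + REP]) * 2 > REP) for i in range(0, RAW_BITS, REP)]
    return h(bytes(c))

def noisy_copy(bits, flips):
    """Constructed sensor noise: one flipped bit in each of `flips` distinct blocks."""
    out = list(bits)
    for block in secrets.SystemRandom().sample(range(N_CODE_BITS), flips):
        out[block * REP + secrets.randbelow(REP)] ^= 1
    return out

# ---- Drone side: the PUF response is never written to memory ----
class SimulatedPUF:
    """Stand-in for a silicon PUF: per-device entropy that a memory dump never contains.
    A few fixed unstable cells flip at random on each evaluation, as real PUF bits do."""
    def __init__(self):
        self._entropy = os.urandom(32)
        self._unstable = [b * REP + secrets.randbelow(REP)
                          for b in secrets.SystemRandom().sample(range(N_CODE_BITS), 4)]
    def response(self, challenge: bytes):
        stream = hmac.new(self._entropy, challenge, "sha256").digest()
        bits = [(stream[i // 8] >> (i % 8)) & 1 for i in range(RAW_BITS)]
        for i in self._unstable:
            bits[i] ^= secrets.randbelow(2)
        return bits

def drone_register(puf, id_n, ch_n, k_n):
    """RE_n = PUF(CH_n); (alpha_n, beta_n) = Gen(RE_n); gamma_n = h(ID_n||alpha_n) xor k_n."""
    alpha_n, beta_n = fe_gen(puf.response(ch_n))
    return {"gamma": xor(h(id_n, alpha_n), k_n), "beta": beta_n}

def drone_recover_k(memory, puf, id_n, a3):
    """CH* = A3 xor h(ID_n||gamma_n); alpha_n = Rep(RE_n, beta_n); k_n = gamma_n xor h(ID_n||alpha_n)."""
    ch = xor(a3, h(id_n, memory["gamma"]))
    alpha_n = fe_rep(puf.response(ch), memory["beta"])
    return xor(memory["gamma"], h(id_n, alpha_n))

def attacker_recover_k(memory, id_n, a3):
    """Drone-capture adversary: gamma_n, beta_n and even CH* are available, RE_n is not."""
    _ch = xor(a3, h(id_n, memory["gamma"]))                       # computable from memory alone
    guessed_re = [secrets.randbelow(2) for _ in range(RAW_BITS)]  # best effort without the PUF
    return xor(memory["gamma"], h(id_n, fe_rep(guessed_re, memory["beta"])))

# ---- User side: every stored value is masked with ID_m, PW_m and alpha_m ----
def user_register(id_m, pw, bio, k_m, sid_m):
    """Store gamma_m, SID_u_m and delta_m as in the text; keeping beta_m on the device is an assumption."""
    alpha_m, beta_m = fe_gen(bio)
    return {"gamma": xor(h(id_m, pw, alpha_m), k_m), "sid_u": xor(h(id_m, pw), sid_m),
            "delta": h(alpha_m, k_m, sid_m), "beta": beta_m}

def _delta_matches(device, id_m, pw, alpha):
    k_m = xor(device["gamma"], h(id_m, pw, alpha))
    sid_m = xor(device["sid_u"], h(id_m, pw))
    return hmac.compare_digest(device["delta"], h(alpha, k_m, sid_m))

def user_login_check(device, id_m, pw, bio_reading):
    """Local delta_m check that runs before any login request leaves the device."""
    return _delta_matches(device, id_m, pw, fe_rep(bio_reading, device["beta"]))

def attacker_offline_guess(device, id_m, candidates):
    """Stolen device, no biometric: delta_m cannot be evaluated without alpha_m,
    so the adversary can only try a guessed alpha and confirms no candidate."""
    alpha_guess = os.urandom(32)
    return [pw for pw in candidates if _delta_matches(device, id_m, pw, alpha_guess)]

def demo():
    """Constructed identities and keys; returns the checks a test can assert on."""
    puf, id_n, ch_n, k_n = SimulatedPUF(), b"drone-42", os.urandom(32), os.urandom(32)
    memory = drone_register(puf, id_n, ch_n, k_n)
    a3 = xor(ch_n, h(id_n, memory["gamma"]))                # CC masks CH_n as A3 (assumed form)
    id_m, pw, k_m, sid_m = b"user-7", b"correct horse", os.urandom(32), os.urandom(32)
    bio = [secrets.randbelow(2) for _ in range(RAW_BITS)]   # constructed biometric template
    device = user_register(id_m, pw, bio, k_m, sid_m)
    return {
        "drone_recovers_k_n": drone_recover_k(memory, puf, id_n, a3) == k_n,
        "capture_recovers_k_n": attacker_recover_k(memory, id_n, a3) == k_n,
        "login_with_noisy_bio": user_login_check(device, id_m, pw, noisy_copy(bio, 5)),
        "login_wrong_pw": user_login_check(device, id_m, b"wrong", noisy_copy(bio, 5)),
        "offline_guess_hits": attacker_offline_guess(device, id_m, [b"wrong", pw]),
    }
```

Running demo() shows the legitimate drone recovering k n from a noisy PUF response while the capture adversary, holding γ n , β n and CH * A , does not; on the user side a noisy biometric reading still passes the local δ m check, a wrong password fails it before any message is sent, and the offline guesser cannot confirm even the correct password because δ m depends on α m .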

Session Key Disclosure Attack
To compute the session key SK = h(A 7 ||a 1 ||a 2 ||a 3 ), an adversary A has to obtain SID m , SID n , a 1 , a 2 , and a 3 . However, A cannot obtain any of these values, because SID m and SID n are masked with the secret key s, and a 1 , a 2 , and a 3 are random numbers used only within a single session. Therefore, the proposed scheme is secure against session key disclosure attacks.

Performance Analysis
We compare the proposed scheme with the related schemes [4,14,18,21,24] in terms of security functionalities, communication costs, and computation costs.

Schemes              Total Costs   Number of Messages
Ali et al. [14]      1696 bits     3 messages
Wu et al. [17]       3360 bits     3 messages
Tanveer et al. [18]  2240 bits     3 messages
Zhang et al. [21]    5760 bits     4 messages
Tanveer et al. [24]  1856 bits     3 messages
Akram et al. [4]     2304 bits     3 messages
Proposed             2560 bits     3 messages
Although our scheme has slightly higher communication costs than Akram et al.'s scheme [4], it offers better security functionalities and efficient computation costs compared to the related schemes [14,17,18,21,24]. Figure 11 illustrates the total communication costs of the proposed scheme and the related schemes.
(Computation cost comparison; only one fragment of the table was recovered: ≈10.943 ms; [24]: 6T H + 3T AC + 3T ECC + 1T FE.)
Compared with Akram et al.'s scheme, the proposed scheme incurs higher computation costs. However, the proposed scheme utilizes the fuzzy extractor and PUF technologies and therefore provides much stronger security for the entire IoD network than [4]. Figure 12 illustrates that the computational cost (delay) at the control center increases with the number of users.

Conclusions
In this study, we reviewed Akram et al.'s scheme, which was proposed for secure authentication between users and drones in IoD networks. Akram et al.'s scheme has several security vulnerabilities, such as session key disclosure, drone impersonation, and stolen-verifier attacks. In addition, their scheme cannot ensure perfect forward secrecy and has correctness problems. To overcome the security flaws of their scheme and provide various functional features, we proposed a secure MAKA scheme using biometrics and PUF technologies. The proposed scheme withstands various attacks, including session key disclosure, verification table leakage, impersonation, ESL, and privileged insider attacks. Moreover, it achieves mutual authentication, perfect forward secrecy, and anonymity. To prove session key security and mutual authentication, we analyzed the proposed scheme using an RoR model and BAN logic, respectively. Furthermore, we simulated the proposed scheme using AVISPA and showed that it is resilient against replay and MITM attacks. A comparative study of functionality features, efficiency, and security shows the effectiveness of the proposed scheme. Therefore, the proposed scheme offers stronger security than existing user authentication protocols for IoD environments with reasonable computation and communication overheads. These characteristics show that the proposed scheme can provide users with high security reliability and high-speed communication in IoD environments. In future work, we intend to implement the proposed scheme in a real environment using a mobile device as the user, a desktop as the server, and a Raspberry Pi 4 as the drone.