A Lightweight Certificateless Authenticated Key Agreement Scheme Based on Chebyshev Polynomials for the Internet of Drones

Highlights

What are the main findings?

• We propose a novel and practical certificateless cryptographic scheme utilizing Chebyshev polynomials.
• The proposed scheme significantly reduces computational overhead compared to existing solutions. Performance evaluations and comparative analysis reveal a substantial decrease in computational costs, with our scheme requiring approximately 65% less computational effort.

What is the implication of the main finding?

• This work fills a critical research gap by establishing a practical certificateless cryptographic scheme based on Chebyshev polynomials. Beyond this novelty, it also promotes the broader application and exploration of Chebyshev polynomials within the domain of public key cryptography.
• The considerable reduction in computational overhead, particularly when compared to certificateless schemes based on elliptic curve cryptography, positions our proposed solution as a highly attractive option for resource-constrained environments (e.g., the IoD).

Abstract

The Internet of Drones (IoD) overcomes the physical limitations of traditional ground networks with its dynamic topology and 3D spatial flexibility, playing a crucial role in various fields. However, eavesdropping and spoofing attacks in open channel environments threaten data confidentiality and integrity, posing significant challenges to IoD communication. Existing foundational schemes in IoD primarily rely on symmetric cryptography and digital certificates. Symmetric cryptography suffers from key management challenges and static characteristics, making it unsuitable for IoD’s dynamic scenarios. Meanwhile, elliptic curve-based public key cryptography is constrained by high computational complexity and certificate management costs, rendering it impractical for resource-limited IoD nodes. This paper leverages the low computational overhead of Chebyshev polynomials to address the limited computational capability of nodes, proposing a certificateless public key cryptography scheme. Through the semigroup property, it constructs a lightweight authentication and key agreement protocol with identity privacy protection, resolving the security and performance trade-off in dynamic IoD environments. Security analysis and performance tests demonstrate that the proposed scheme resists various attacks while reducing computational overhead by 65% compared to other schemes. This work not only offers a lightweight certificateless cryptographic solution for IoD systems but also advances the engineering application of Chebyshev polynomials in asymmetric cryptography.

1. Introduction

After years of development, the unmanned aerial vehicle (UAV) has evolved from simple remote-controlled devices into an intelligent platform that integrates navigation, perception, and communication capabilities. With the advancements in modern communication technologies, a single UAV can no longer fulfill the collaborative requirements in increasingly complex scenarios. Therefore, in various applications such as emergency disaster relief, remote area coverage, and the Internet of Things (IoT), UAVs have formed the IoD through dynamic self-organizing networks. This novel, networked, intelligent, air-based communication system has emerged as a prominent focus of industrial and academic research [1,2,3]. As a key component of the emerging 6G communication systems, IoD breaks through the physical limitations of traditional terrestrial base stations by relying on its fast response capability and three-dimensional spatial topology flexibility. By utilizing dynamic deployment and seamless connectivity, IoD greatly extends the coverage of existing networks [4]. Nevertheless, the openness of the wireless channel during IoD communication results in IoD nodes being highly susceptible to various attacks, such as eavesdropping and forgery, when transmitting and processing data [5]. The security issues and resource-constrained challenges faced by UAVs severely limit the deployment of IoD for large-scale applications [6].

Nowadays, to address the security challenges of IoD, symmetric cryptography is commonly employed to secure UAV nodes. However, symmetric cryptography relies on pre-shared keys, which form the basis of symmetric encryption systems. If these keys are intercepted during the initial negotiation phase while being transmitted through an open channel, subsequent communications will be completely exposed [7]. Moreover, symmetric keys cannot be bound to the unique identities of UAVs, and any attacker can replicate a legitimate key to create fake nodes, thereby disrupting the operation of UAV swarms. The static key management mechanism of symmetric cryptography also proves ill-suited for the dynamic topological environment inherent in the IoD.

In contrast, public key cryptography can effectively deal with the security problem of IoD by strongly binding the public key with the identity to achieve forward security through dynamic key management. Certificate-based public key cryptography relies on a third-party certificate authority (CA) to manage the full life cycle of digital certificates, but there are certificate management issues. Identity-based cryptography (IBC) effectively removes the complexity of certificate management by using the user’s identity directly as a public key carrier, but it still suffers from key escrow problems. By combining partial private keys with the user’s secret values, certificateless public key cryptography (CL-PKC) [8] solves the key escrow problem of IBC. It retains the core advantages of certificate-free authentication. This cryptography paradigm combines lightweight features with enhanced security and holds considerable potential for engineering applications in resource-constrained IoD environments.

Nevertheless, the current mainstream certificateless cryptography schemes are generally based on elliptic curve cryptography (ECC). Although ECC shows good applicability in traditional network environments, the high computational complexity and significant energy consumption in its cryptography operations make it difficult to meet the IoD nodes’ dual demands of real-time response and lightweight computation. To address this bottleneck, Chebyshev polynomials with lightweight computational properties show unique advantages and provide a more adaptable cryptographic solution for IoD environments. The current cryptographic research based on Chebyshev polynomials focuses on symmetric cryptographic regimes, which are widely used in fields such as image encryption algorithm design because of their chaotic properties and fast iteration advantage. Chebyshev polynomials in public key cryptographic cryptosystems are still underexplored. Existing literature shows that although some scholars have proposed authentication and key negotiation protocols based on Chebyshev polynomials [9,10], compared with their mature applications in symmetric cryptography, critical issues such as the exploration of algebraic characteristics and the construction of security models for Chebyshev polynomials in public key cryptosystems still present research gaps. Their potential advantages as nonlinear mathematical tools in public key cryptography urgently require breakthroughs through algorithmic innovation and application expansion.

To address these problems, we introduce a certificateless cryptography scheme based on Chebyshev polynomials and propose an authentication and key negotiation protocol for the IoD. This solution addresses the critical issues of secure authentication and efficient key negotiation in the dynamic topologies of IoD environments.

The proposed scheme achieves a marked improvement in computational efficiency. However, it presents three potential avenues for further enhancement: (1) Its communication efficiency remains comparable to the baseline schemes, indicating no simultaneous improvement in this aspect. (2) Although the pseudo-identity (PID) mechanism provides fundamental privacy safeguards, it does not achieve complete dynamic anonymity. (3) The scheme proposed lacks quantum resistance.

Contribution

The main contributions of this paper are as follows:

(1)

Compared with the traditional public key cryptography mechanism, the proposed certificateless public key cryptography scheme not only improves the deployment flexibility of UAV nodes (e.g., allowing for rapid network access without pre-set certificates) but also enhances the system security by reducing the risk of key escrow.

(2)

To address the computational constraints of IoD nodes, we introduce Chebyshev polynomials with lower computational overhead as certificateless cryptographic operators and construct a lightweight key negotiation protocol using their semigroup property.

(3)

The security and performance analysis shows that the proposed scheme achieves a balance between security and resource overhead while guaranteeing IoD low-latency communication and dynamic topology adaptation.

2. Related Work

The authentication and key negotiation protocols between IoD nodes (e.g., UAVs and ground stations) are crucial in securing IoD communications. In 2024, Pu et al. [11] proposed a lightweight anonymous authentication and key negotiation protocol employing symmetric cryptography. This protocol generates session keys by using hash functions, XOR operations, and physical unclonable functions (PUF) to avoid sensitive data leakage risks in IoD. Similarly, Wazid et al. [12] introduced a novel three-factor authentication and key negotiation scheme between users and accessed UAVs, incorporating dynamic credentials to improve system flexibility. However, these symmetric cryptography-based protocols are prone to the proliferation of the number of keys stored by the nodes when applied to large-scale UAV clusters. At the same time, the characteristics of IoD’s multiple hops and rapid topology changes may also exacerbate the complexity of key management. Consequently, some scholars have explored public key cryptography based on elliptic curves to solve IoD authentication and key negotiation problems [13,14,15]. However, computational efficiency and certificate management issues cannot effectively meet the requirements of high real-time IoD. Certificateless cryptography, widely applied in the IoT and the Internet of Vehicles (IoV) [16,17,18], solves the certificate management problem but is still being explored in IoD environments where lower computational resource consumption is essential. Recently, since the computational cost of Chebyshev polynomials is merely one-third of the scalar multiplication in elliptic curve public key cryptography [9,19], utilizing Chebyshev chaotic maps to construct certificateless public key cryptography schemes offers a promising technological direction for enhancing IoD’s security [20].

The cryptographic application of chaotic maps began with the pioneering chaotic cryptographic system proposed by Habutsu et al. [21]. Initial research concentrated on the chaotic properties of Chebyshev polynomials, particularly their use in image encryption. Studies [22,23] have designed image encryption algorithms based on pixel permutation and grayscale value confusion using the polynomial’s high sensitivity to initial conditions and dynamic traversability. With further research, Chebyshev polynomials have found broader applications, such as in quantum image processing [24] and machine learning [25]; significantly, the semigroup property of Chebyshev polynomials has been gradually applied to the expansion of symmetric cryptosystems. In recent years, these polynomials have been integrated into the design of lightweight authentication protocols, resulting in several innovative proposals [10,26,27]. These proposals construct shared keys through polynomial iterative operations, achieving efficient key negotiation and conditional privacy protection in resource-constrained settings like IoV [10,26] and IoD [27]. Notably, the scheme in literature [26] employs dynamic identity mapping to achieve anonymous authentication of vehicle nodes while preserving polynomial computational efficiency. The scheme in document [27] capitalizes on the efficiency of chaotic maps to develop a lightweight authentication protocol for IoD, demonstrating significant advantages in computational and communication resource efficiency.

Compared to the flourishing developments in the symmetric cryptography domain, public key cryptography based on the Chebyshev polynomial has progressed more slowly. Kocarev et al. [28] first proposed the application of real-domain Chebyshev polynomials to public key cryptosystems, whose security is based on the problem of the intractability of polynomial iterations. However, Bergamo et al. [29] found that the periodicity of the cosine function in the real domain leads to polynomial trajectory predictability, allowing attackers to decrypt ciphertext efficiently without the private keys. Kocarev et al. [30] and Ning et al. [31] introduced the theoretical framework of Chebyshev polynomials under finite fields to overcome this flaw. They proved that it can construct public key schemes with the same security as the ElGamal algorithm [28]. Subsequently, Zhang [32] extended the use of the semigroup property by expanding the polynomial definition domain. Chen et al. [33] suggested that improper selection of modulus can result in overly short periods, making the system vulnerable to brute-force attacks. Therefore, it is crucial to choose an appropriate modulus to ensure that Chebyshev polynomials generate sequences with sufficiently long periods to resist such attacks.

Chebyshev polynomials also have extended applications in public key cryptography. In the field of certificateless public key cryptography, Algehawi and Samsudin [34] proposed a CL-PKC scheme based on Chebyshev polynomials, which significantly reduces the computational complexity by not using the bilinear pair operation. However, Tan et al. [35] pointed out a severe security vulnerability in the scheme, where attackers could derive the master key using linear correlations in the public key updating mechanism. Additionally, the scheme needs to generate temporary key pairs for each communication pair, leading to lower efficiency than the standard CL-PKC scheme. In subsequent research, Shakiba [36] proposed a multiplicative coupled cryptosystem by fusing the first and second classes of Chebyshev polynomials, improving key space complexity to resist brute-force attacks effectively. Recently, Lee [37] proposed an Identity-based Encryption (IBE) scheme using extended Chebyshev mapping to achieve chosen ciphertext security in the standard model with significantly reduced computation time compared to traditional schemes using bilinear pairing. Additionally, Long [38] innovatively combined blockchain with Chebyshev polynomial authentication schemes to construct a secure architecture for IoT supporting dynamic group key management, while Abdelfatah [39] proposed a model without secure channels that can simultaneously meet lightweight and non-repudiation requirements through key mixing mechanisms.

In summary, the above research indicates that elliptic curve-based cryptographic operations prevalent in mainstream public key cryptography face high resource consumption bottlenecks. Its high computational complexity and excessive storage requirements further limit its applicability in resource-constrained nodes within IoD systems. Although the cryptographic efficiency advantages of Chebyshev polynomials, supported by semigroup properties, have been thoroughly demonstrated, the current certificateless cryptography based on Chebyshev mapping remains incomplete. Existing schemes do not fully demonstrate computational efficiency advantages, and their foundational algorithmic designs do not entirely adhere to the principles of certificateless cryptography. This paper aims to address these flaws by constructing a certificateless cryptographic scheme based on the Chebyshev polynomial that offers lightweight security authentication and key negotiation protocols for IoD systems.

3. Preliminaries

3.1. Chebyshev Polynomial

Definition 1.

(Chebyshev polynomial). Let n and x be variables such that $n\in Z^{\ast }$and $x\in [-1,+1]$. The cosine representation of the n-th order Chebyshev polynomial is defined as $T_n\left(x\right)=\mathit{cos}(n\cdot \mathit{arccos} (x\left)\right)$. When $n\ge 2$, the equivalent recursive iterative definition is:

$$\left\{\begin{array}{cc}1\hfill & \left(n=0\right)\\ x\hfill & \left(n=1\right)\\ 2x{T}_{n-1}\left(x\right)-T_{n-2}\left(x\right)\hfill & \left(n\ge 2\right)\end{array}\right.$$

3.2. Property

Definition 2.

(Semigroup property): let $r, s\in Z^{\ast }$, $x\in [-1,+1]$, the semigroup property of Chebyshev polynomials is defined as follows:

$$\begin{array}{cc}{T}_r\left(T_{s\left(x\right)}\right)& =\cos \left(rco{s}^{-1}\left(\cos \left(sco{s}^{-1}\left(x\right)\right)\right)\right)\hfill \\ & =\cos \left(rsco{s}^{-1}\left(x\right)\right)\hfill \\ & =T_{rs}\left(x\right)\hfill \end{array}$$

Chebyshev polynomials also satisfy the exchange property: $T_r\left(T_s\left(x\right)\right)=T_s\left(T_r\left(x\right)\right)$.

In 2008, Zhang [28] proved that the semigroup property holds on the interval $(-\mathrm{\infty },+\mathrm{\infty })$, which leads to a recursive relational formula under the extended domain of definition:

$$T_n\left(x\right) mod p=2x{T}_{n-1}\left(x\right)-T_{n-2}\left(x\right) mod p, n>2$$

where $x\in (-\mathrm{\infty },+\mathrm{\infty })$ and p is a large prime number.

The extended Chebyshev polynomials also satisfy the exchange property: $T_r\left(T_s\left(x\right)\right) mod p=T_s\left(T_r\left(x\right)\right)mod p$.

Definition 3 

([40]). Let p be a large prime number, $x\in Z_p$ and $m, n\in Z_p^{\ast }$, then

$$2T_m\left(x\right)T_n\left(x\right) mod p=T_{m+n}\left(x\right) mod p+T_{\left|m-n\right|}\left(x\right) mod p$$

3.3. Mathematically Hard Problems

Definition 4.

(Chebyshev Discrete Logarithm Problem, CDLP): Given x and y, it is infeasible to find n by any polynomial time bounded algorithm, such that  $y=T_n\left(x\right)$.

Definition 5.

(Chebyshev Diffie-Hellman Problem, CDHP): Given x,  $T_n\left(x\right)$ and $T_m\left(x\right)$, the value of $T_{m·n}\left(x\right)$ cannot be solved by using any polynomial time bounded algorithm.

4. Our Proposal

4.1. System Model

The system model for the Chebyshev polynomial-based certificateless authentication and key agreement protocol for the IoD proposed in this paper is illustrated in Figure 1.

The system comprises a key generation center (KGC) and IoD devices. In this structure, multiple UAVs must share task data in real-time, relying on efficient authentication key negotiation protocols to secure IoD communications. The process involves several stages: In the initialization phase, the KGC generates a master key pair and other system parameters. During the registration phase, entities such as UAVs and ground stations send registration requests and unique identifiers to the KGC. The KGC generates pseudonyms and public-private key pairs for each entity and sends these keys to the entities over a secure channel. In the complete key generation phase, entities such as UAVs aggregate the partial keys received from the KGC and combine them with their own secret values to generate complete key pairs. During the authentication and key negotiation phase, IoD nodes verify each other’s identities through signature verification and generate session keys through the key negotiation protocol to complete the authentication and key negotiation process.

4.2. Certificateless Authenticated Key Negotiation Based on Chebyshev Polynomials

The detailed flow encompassing the initialization phase, registration phase, and authentication and key agreement phase of the proposed scheme is shown in Figure 2. Figure 2a illustrates the process of the scheme’s setup and registration, while Figure 2b presents the core steps of the scheme’s authenticated key agreement. The content depicted in Figure 2 will be elaborated upon in subsequent subsections of this chapter.

4.2.1. Setup Phase

In this phase, KGC generates the master private key and public key based on Chebyshev polynomials according to the security requirements of the system, and generates other system parameters as follows:

(1)

KGC picks a sufficiently large prime $p$ and creates a unique identity $I{D}_{KGC}$.

(2)

KGC chooses $x\in Z_q^{\ast }$ as the seed of a Chebyshev polynomial and a one-way secure hash function $H:\{0,1{\}}^{\ast }\to Z_q^{\ast }$.

(3)

KGC chooses a random number $y\in Z_q^{\ast }$ as the system master private key and computes the corresponding system public key $P_0=T_y\left(x\right)modp$.

(4)

KGC selects a request validity time $\Delta t$ for the system.

(5)

KGC publishes $\{p,H,x,P_0,\Delta t\}$ to each user through a secure channel and secretly keeps its private key y.

4.2.2. Authenticated Key Negotiation

In this phase, the UAV $U_i$ needs to interact with the KGC to complete the registration process, generating a self-complete public-private key pair as well as a pseudonym $PI{D}_i$, which is used to realize identity anonymization and the subsequent key negotiation process as follows:

(1)

$U_i$ selects a random number $z_i\in Z_q^{\ast }$, calculates $Z_i=T_{z_i}\left(x\right)modp$, and transmits a registration request containing information such as $\left\{I{D}_i,Z_i\right\}$ to the KGC server through a secure channel.

(2)

Upon receiving the registration request from $U_i$, the KGC verifies the legitimacy of $I{D}_i$ by checking it against a pre-established list of valid identities. If the $I{D}_i$ provided by $U_i$ is present in the identity list, $U_i$ is allowed to register; otherwise, the registration request from $U_i$ is denied.

(3)

KGC uses the real identity $I{D}_i$ of UAV $U_i$ to compute $PI{D}_i=H\left(I{D}_i\right)$ to generate the pseudonym $PI{D}_i$.

(4)

KGC picks a random number $s_i\in Z_q^{\ast }$, computes $S_i=T_{s_i}\left(x\right)modp$, $e_i=H\left(PI{D}_i,Z_i,S_i,P_0\right)$, $t_i=(s_i+y{e}_i)modp$, and $X_i=T_{\left|s_i-e_i·y\right|}\left(x\right)modp$, then returns the $\{t_i,S_i,X_i,PI{D}_i\}$ through the secure channel back to $U_i$.

(5)

$U_i$ receives $\left\{t_i,S_i,X_i,PI{D}_{\mathrm{i}}\right\}$, then calculates $PI{D}_i=H\left(I{D}_i\right)$, $e_i=H\left(PI{D}_i,Z_i,S_i,P_0\right)$, and verifies $T_{t_i}\left(x\right)modp\stackrel{?}{=}2S_i{T}_{e_i}\left(P_0\right)modp-X_i$. If it holds, $U_i$ accept $\left\{t_i,S_i,X_i,PI{D}_{\mathrm{i}}\right\}$; otherwise, ignore the message.

(6)

$U_i$ obtains the complete public/private key pair $(S{K}_i,P{K}_i)$, where $S{K}_i=\left(t_i,z_i\right)$, $P{K}_i=\left(S_i,Z_i,X_i\right)$.

(7)

$U_i$ precomputes $M_i=T_{\left|t_i-z_i\right|}\left(x\right)modp$, and sends $\left\{P{K}_i,I{D}_i,PI{D}_i,M_i\right\}$ through the secure channel to KGC.

4.2.3. Authentication and Key Negotiation Phase

In this phase, assuming that $U_i$ and $U_j$ are two UAV nodes in the IoD and have generated their respective public/private key pairs after the registration phase, authentication and key negotiation can be accomplished through the following steps:

(1)

$U_i$ chooses a random number $r_i\in Z_q^{\ast }$ and computes $R_i=T_{r_i}\left(x\right)modp$.

(2)

$U_i$ takes the current timestamp $T_1$, calculates $h_i=H\left(PI{D}_i,R_i,T_1\right)$, $K_i=\left(r_i+h_i\left(t_i+z_i\right)\right)modp$, $L_i=T_{\left|r_i-h_i·\left(z_i+t_i\right)\right|}\left(x\right)modp$, $Q_{ij}=T_{r_i\left(t_i+z_i\right)}\left(x\right)modp$, and sends $\{PI{D}_i,R_i,K_i,L_i,Q_{ij},T_1\}$ to $U_j$.

(3)

$U_j$ receives the message $\{PI{D}_i,R_i,K_i,L_i,Q_{ij},T_1\}$, obtains the current timestamp $T_2$, checks whether $\left|T_2-T_1\right|<\Delta t$ is valid, and retrieves the legitimacy of the $PI{D}_i$ and obtains the $M_i$ via KGC. If any of the above conditions are not satisfied, $U_j$ ignores the message.

(4)

$U_j$ calculates $h_i=H\left(PI{D}_i,R_i,T_1\right)$, $e_i=H\left(PI{D}_i,Z_i,S_i,P_0\right)$ and verifies that $T_{K_i}\left(x\right)modp\stackrel{?}{=}\left(2R_i{T}_{h_i}\left(2\left(2S_i{T}_{e_i}\left(P_0\right)modp-X_i\right)Z_{i}modp-M_i\right)modp-L_i\right)modp$, if it is valid, then continue with the following process. Otherwise, the authentication is rejected.

(5)

$U_j$ chooses the random number $r_j\in Z_q^{\ast }$ and computes the session key $s{k}_{ji}=T_{r_j\left(t_j+z_j\right)}\left(Q_{ji}\right)modp$.

(6)

$U_j$ computes $R_j=T_{r_j}\left(x\right)modp$, $h_j=H\left(PI{D}_{U_j},R_j,T_2\right)$, $K_j=\left(r_j+h_j\left(t_j+z_j\right)\right)modp$, $L_j=T_{|r_j-h_j·\left(z_j+t_j\right)}\left(x\right)modp$, $Q_{ji}=T_{r_j\left(t_j+z_j\right)}\left(x\right)modp$, and send $\{PI{D}_j,R_j,K_j,L_j,Q_{ji},T_2\}$ to $U_i$.

(7)

Receiving the message $\{PI{D}_j,R_j,K_j,L_j,Q_{ji},T_2\}$, $U_i$ obtains the current timestamp $T_3$, checks whether $\left|T_3-T_2\right|<\Delta t$ is valid, and retrieves the legitimacy of $PI{D}_j$ and obtains $M_j$ via KGC. If any of the above conditions are not satisfied, $U_i$ ignores the message.

(8)

$U_i$ calculates $h_j=H\left(PI{D}_{U_j},R_j,T_2\right)$, $e_i=H\left(PI{D}_j,Z_j,S_j,P_0\right)$ and verifies that $T_{K_j}\left(x\right)modp\stackrel{?}{=}\left(2R_j{T}_{h_j}\left(2\left(2S_j{T}_{e_j}\left(P_0\right)modp-X_j\right)Z_{j}modp-M_j\right)modp-L_j\right)modp$. If it holds, $U_i$ computes the session key $s{k}_{ij}=T_{r_i\left(t_i+z_i\right)}\left(Q_{ji}\right)modp$.

After the above steps, the UAV nodes $U_i$ and $U_j$ will obtain the same session key, i.e., $s{k}_{ij}=s{k}_{ji}=T_{r_i{r}_j\left(t_i+z_i\right)\left(t_j+z_j\right)}\left(x\right)modp$.

4.2.4. Correctness Analysis

In this section, we will provide a correctness analysis of the critical verification steps of the proposed cryptographic scheme. This analysis primarily relies on the two properties introduced in Section 3.2 for formal proof.

$$\begin{array}{c}{T}_{s_i+e_i·y}\left(x\right)mod p=2\left(T_{s_i}\left(x\right)mod p\right)\left(T_{e_i}\left(T_y\left(x\right)mod p\right)mod p\right)-T_{\left|s_i-e_i·y\right|}\left(x\right)mod p\hfill \\ =2S_i{T}_{e_i}\left(P_0\right)mod p-X_i\hfill \end{array}$$

$$\begin{array}{c}{T}_{K_i}\left(x\right)mod p=T_{r_i+h_i\left(t_i+z_i\right)}\left(x\right)mod p\hfill \\ =2T_{r_i}\left(x\right)mod p·T_{h_i\left(t_i+z_i\right)}\left(x\right)mod p-T_{\left|r_i-h_i\left(z_i+t_i\right)\right|}\left(x\right)mod p\hfill \\ =2R_i{T}_{h_i}\left(T_{t_i+z_i}\left(x\right)mod p\right)mod p-L_i\hfill \\ =2R_i{T}_{h_i}\left(2T_{t_i}\left(x\right){mod p·T}_{z_i}\left(x\right)mod p-T_{\left|t_i-z_i\right|}\left(x\right)mod p\right)mod p-L_i\hfill \\ =2R_i{T}_{h_i}\left(2\left(2S_i{T}_{e_i}\left(P_0\right)mod p-X_i\right)Z_i-M_i\right)mod p-L_i\hfill \end{array}$$

4.3. Informal Security Analysis

Here, the security of the proposed scheme is informally analyzed, which shows that the scheme is robust to well-known adversarial attacks.

4.3.1. Device Capture Attack

In our scheme, even if a legitimate UAV device is physically captured and an adversary gains access to its public key $P{K}_i=\left(S_i,Z_i,X_i\right)$ and private key $S{K}_i=\left(t_i,z_i\right)$ through techniques like power analysis, it remains computationally infeasible for the adversary to find $s_i$ from $Z_q^{\ast }$ such that $S_i=T_{s_i}\left(x\right)$ based on the CDLP assumption. Consequently, without knowing $s_i$, the adversary cannot derive the system master private key $y$ from $t_i=s_i+y{e}_i$, preventing impersonation of the KGC.

4.3.2. Forward Secrecy

Forward secrecy ensures that even if a user’s long-term key is compromised or leaked, the confidentiality of previous session keys is not endangered, thus protecting past communication. In our protocol, the session key $sk=T_{r_i{r}_j\left(t_i+z_i\right)\left(t_j+z_j\right)}\left(x\right)$ is jointly generated from random numbers and private keys. It varies with each generation due to differing random numbers, making it impossible for the adversary to derive the session key $sk$ solely from the user’s private key. Therefore, the protocol achieves forward security.

4.3.3. Man-in-the-Middle Attack

A man-in-the-middle attacker establishes a secret connection between two communicating parties, intercepting, altering, or forwarding their communications to steal sensitive information or disrupt communication integrity. In our protocol, UAVs $U_i$ and $U_j$ can only share a session key $s{k}_{ij}$ after mutual authentication, preventing the attacker from establishing a legitimate session with either $U_i$ or $U_j$. Thus, the protocol is secure against man-in-the-middle attacks.

4.3.4. Replay Attack

In the replay attack, the adversary intercepts information transmitted during IoD drone communications and replays authentication messages in the current session to impersonate legitimate UAVs. In our protocol, message senders include a current timestamp in the authentication signature, allowing receivers to detect replayed messages by verifying the timestamp’s validity. Thus, the protocol is secure against replay attacks.

4.3.5. Identity Privacy Protection

Our scheme uses pseudonyms derived from the real identities of UAVs through hash functions, $PI{D}_i=H\left(I{D}_i\right)$, for communication between UAVs. The one-way property of hash functions ensures that sensitive information, such as the UAVs’ true identities, is not disclosed to other member UAVs, and adversaries find it impossible to extract real identities from transmitted messages. Therefore, our protocol provides identity privacy protection.

4.3.6. Key Leakage Attack

Key leakage attack implies that an adversary attempts to obtain user keys by intercepting negotiation and authentication information during the key agreement process. In our protocol, even if the adversary intercepts $U_i$‘s authentication message $K_i=r_i+h_i\left(t_i+z_i\right)$ and $R_i=T_{r_i}\left(x\right)$, the probability of finding a legitimate key $\left(t_i+z_i\right)$ in $Z_q^{\ast }$ is negligible based on the CDLP assumption. Thus, the adversary cannot obtain $U_i$‘s key information or impersonate $U_i$ to communicate with $U_j$, making the protocol resistant to key leakage attacks.

4.3.7. Eavesdropping Attack

Eavesdropping attack implies that an adversary intercepts the authentication information of both communicating parties during the key negotiation process and attempts to derive the session key. If an adversary intercepts both $U_i$‘s authentication message $Q_{ij}=T_{t_i+z_i}\left(T_{r_i}\left(x\right)\right)$ and $U_j$‘s message $Q_{ji}=T_{t_j+z_j}\left(T_{r_j}\left(x\right)\right)$, the Chebyshev polynomial-based CDHP assumption makes the probability of obtaining the session key $s{k}_{ij}=s{k}_{ji}=T_{r_i{r}_j\left(t_i+z_i\right)\left(t_j+z_j\right)}\left(x\right)$ negligible. Hence, the protocol can prevent eavesdropping attacks.

4.3.8. Impersonation Attack

An impersonation attack implies that an attacker uses captured messages to impersonate a legitimate participant and communicate with the other party. In this scheme, the attacker wishing to impersonate $U_i$ needs to generate authentication messages $\{PI{D}_i,R_i,K_i,L_i,M_i,T_1\}$ from accessible data. Without knowing $r$ and the private key $S{K}_i$, the attacker cannot forge $R_i,K_i,L_i$. Thus, the protocol resists impersonation attacks.

4.3.9. Temporary Key Leakage Attack

Resistance to temporary key leakage ensures that even if temporary keys are leaked, the long-term private keys and session keys of UAV devices remain secure. In this protocol, temporary keys $r_i,r_j$ are randomly generated and independent of long-term private keys $S{K}_i$, $S{K}_j$ with the session key $sk=T_{r_i{r}_j\left(t_i+z_i\right)\left(t_j+z_j\right)}\left(x\right)$ derived from random numbers and private keys. Consequently, even if temporary keys are leaked, adversaries cannot derive session keys or long-term private keys $SK$.

4.3.10. Insider Privilege Attack

In our certificateless scheme, the private key is composed of $t_i$ and $z_i$, where $t_i=s_i+y{e}_i$ is generated by the KGC selecting random parameters $s_i$ and signing with the master private key $y$, and $z_i$ is a user-selected random number. During registration, UAVs send registration information $\{I{D}_i, Z_i\}$ to the KGC, and based on the CDLP assumption, the KGC cannot derive $z_i$ from $Z_i$. Even if the KGC maliciously leaks $t_i$, since $z_i$ is retained by the user, adversaries cannot obtain the complete private key $S{K}_i$, thus preventing insider privilege attacks.

5. Performance Analysis

5.1. Scheme Computational Cost

In this section, we compared the computational costs of our scheme with four other related schemes. In our experiments, we used the Miracl and GMP libraries to simulate these schemes on a Windows system, utilizing an AMD Ryzen 7 5800H 3.20-GHz processor (Santa Clara, CA, USA) with 16 GB RAM. Our simulations employed the secp160r1 elliptic curve parameters and SHA256 as the hash function. Additionally, the bit length for modular operations was set at 256 bits, and the bit length for Chebyshev polynomial operations was 160 bits.

Computational efficiency refers to the time consumed by different cryptographic operations during identity authentication and key agreement protocols. The symbols $T_H$, $T_{bp}$, $T_{ecm}$, $T_{eca}$, and $T_c$ represent the time for executing one-way hash functions, bilinear pairing operations, elliptic curve point multiplication, elliptic curve point addition, and Chebyshev polynomial operations, respectively. The simulation results presented in

Table 1. Execution time of cryptographic elements.

Notation	Description	Cost
$T_H$	Time of one-way hash operation	≈0.002 ms
$T_H$	Time of a bilinear pairing	≈30.034 ms
$T_{ecm}$	Time of an EC point multiplication	≈1.400 ms
$T_{eca}$	Time of an EC point addition	≈0.006 ms
$T_c$	Time of a Chebyshev polynomial computation	≈0.485 ms

show that $T_H$ is approximately 0.002 ms, $T_{bp}$ is about 30.034 ms, $T_{ecm}$ is about 1.400 ms, $T_{eca}$ is about 0.006 ms, and $T_c$ is about 0.485 ms. Our protocol implements bidirectional authentication key agreement, requiring 14 Chebyshev polynomials and 6 hash function operations during the authentication and key agreement phase. Consequently, the computational cost of our proposed protocol is $\left(14\times 0.144\right)+\left(6\times 0.004\right)=2.04 \mathrm{m}\mathrm{s}$.

Table 2. Computation overhead comparison with other related protocols.

Schemes	Operations	Total Cost
Scheme [13]	$10 T_{ecm}+14 T_H+4 T_{eca}$	14.052 ms
Scheme [14]	$8{ T}_{ecm}+10 T_H+2 T_{eca}$	11.232 ms
Scheme [15]	$4{ T}_{ecm}+17{ T}_H+6 T_{bp}$	185.838 ms
Scheme [16]	$10{ T}_{ecm}+5 T_H+T_{eca}$	14.016 ms
Proposed	$14 T_c+6 T_H$	4.862 ms

and Figure 3 compare the computational costs of our protocol with other schemes from different dimensions.

The results show that our protocol offers higher computational efficiency. The primary reason is that our approach employs Chebyshev polynomials, which are more lightweight than elliptic curve point multiplication, as cryptographic operators. Compared to references [13,14,15], our protocol uses a certificateless structure, avoiding certificate management and key escrow issues and providing a more efficient solution for authentication and key agreement in resource-constrained IoD devices.

5.2. Scheme Communication Cost

When considering communication efficiency, only communication messages related to authentication are counted. Assume that the size for identity ID, hash values/random numbers, timestamps, ECC points, Chebyshev polynomial output values, and encryption/decryption parameters are 160 bits, 160 bits, 32 bits, 320 bits, and 160 bits, respectively. The key agreement process in our proposed protocol involves two messages, resulting in a total communication cost of $10\times 160+2\times 32=1664 \mathrm{b}\mathrm{i}\mathrm{t}$. The comparison of total communication costs with other schemes is shown in Figure 4. The results indicate that the communication cost of our proposed scheme is slightly higher than schemes [15,16] but lower than schemes [13,14].

6. Conclusions

This paper addresses the dual challenges of dynamic topology and resource constraints in the IoD environment by proposing a certificateless authentication and key agreement scheme based on Chebyshev polynomials. Theoretical analysis and simulation results demonstrate that this scheme introduces the lightweight characteristics of Chebyshev chaotic mapping into the certificateless public key cryptographic architecture, resolving the certificate management issues in existing IoD public key authentication solutions. Compared to traditional elliptic curve cryptographic schemes, there is a significant improvement in computational efficiency.

Future research will focus on three directions: (1) exploring the collaborative security mechanisms of Chebyshev polynomials with emerging technologies such as blockchain and federated learning to construct a cross-domain authentication system for the IoD environment, (2) incorporating a periodic identity update mechanism to strengthen privacy protection, and (3) exploring hybrid post-quantum cryptographic extensions to fortify quantum resistance.