Lightweight Drone-to-Ground Station and Drone-to-Drone Authentication Scheme for Internet of Drones

Abstract

The implementation of the Authentication and Key Agreement (AKA) protocol in the Internet of Drones (IoD) is crucial for enhancing the security and reliability of information transmission. However, almost all existing authentication protocols between drones and Ground Station (GS) may suffer from several attacks due to capture attacks. In addition, the authentication between drones requires the participation of GS, which not only increases the amount of computation and transmission but also faces challenges such as impersonation attacks, lack of privacy protection, and perfect forward security. Therefore, we propose a secure and lightweight drone-to-GS (D2G) and D2D AKA protocol with perfect forward secrecy for IoD. Our protocol integrates physical unclonable functions (PUF) symmetrically into GS and drones to protect secret information against capture attacks while ensuring that GS does not store secret information related to drones. Furthermore, the proposed protocol enables direct mutual authentication between drones in a symmetrical manner without GS involvement, improving security and efficiency, particularly in scenarios where drones must collaborate without GS connectivity. Formal security proof using the random oracle model confirms the protocol’s resilience against various attacks. The performance analysis indicates that our scheme improves computational efficiency by an average of 39.44% compared to existing schemes that offer comparable security. Additionally, our approach incurs zero storage overhead during the GS authentication process. This protocol offers a secure and efficient solution for IoD, enhancing both security and scalability.

1. Introduction

Drones, or Unmanned Aerial Vehicles (UAVs) are aircraft systems that operate without a human pilot, either remotely controlled by an operator or autonomously via pre-programmed flight paths. They are used in various fields such as surveillance, aerial photography, logistics, agriculture, and infrastructure inspection, offering significant benefits in terms of cost efficiency, operational flexibility, and access to hard-to-reach areas [1,2]. Drones typically operate autonomously or semi-autonomously, relying on communication with GS for navigation, control, and data transfer. This interaction forms the foundation of many modern drone applications, where security and reliability are crucial. The IoD extends the Internet of Things (IoT) concept to drones [3,4,5,6], enabling them to share data, communicate with one another, and integrate into broader systems and networks. This connectivity makes drones smarter, more autonomous, and capable of executing more complex tasks, creating a dynamic ecosystem where drones can interact and collaborate.

However, as drones become more integrated into critical infrastructure, the security vulnerabilities associated with their communication channels are increasingly concerning [7]. Drones communicate wirelessly with GS, other drones, and cloud-based platforms [8], making them vulnerable to various cyberattacks, including unauthorized access, data tampering, malicious interception, impersonation, man-in-the-middle, replay attacks, physical capture, and more [9]. To mitigate such risks, drone authentication and key agreement protocols have emerged as crucial mechanisms for ensuring secure communication between drones and other entities [10,11,12]. Authentication protocols verify the identity of drones and their communication partners, preventing unauthorized devices from interacting with the system. Key agreement protocols allow secure cryptographic keys to be shared between communicating drones or between a drone and GS, ensuring the confidentiality and integrity of exchanged information. Given the resource constraints of drones, such as limited computational power and energy supply, it is crucial that these AKA protocols [13,14,15,16,17,18] are lightweight and energy-efficient, without compromising security. Additionally, the protocols must be resilient against evolving threats, considering the increasing sophistication of cyberattacks targeting UAVs and their ground control systems.

Motivation and contribution: In recent years, numerous scholars have proposed various AKA schemes for IoD. However, almost all existing AKA schemes are unable to resist capture attacks from GS and drones; attackers can obtain secret information stored in GS and drones; thus, they can launch impersonation attacks, man-in-the-middle attacks, etc., and cannot achieve anonymity and perfect forward secrecy. On the other hand, the mutual authentication between drones requires the participation of GS, which increases communication and computation costs and may also be vulnerable to several attacks due to GS being captured. As the drone size increases, it also becomes impractical to expect GS to incur significant storage overhead for storing information related to the drone’s registration and communication phases. Therefore, how to solve the above problems is a challenge. Our solution is the first scheme to propose such an idea, which can achieve various security attributes and lightweight requirements and is also applicable to the need for drones to cooperate in executing tasks when they cannot establish contact with ground stations. The main contributions of this paper are summarized as follows:

• A secure and lightweight D2G and D2D authentication and key agreement protocol with perfect forward secrecy for IoD is proposed.
• In order to enhance the security and privacy-preserving, we integrate PUF into GS and drones, respectively, to resist capture attacks from GS and drones. In addition, GS has no additional storage overhead for the registration and authentication process for drones. Furthermore, the mutual authentication between drones does not require the participation of GS, which is more secure and efficient.
• The proposed protocol guarantees to be secured against all known threats faced by IoD. The semantic security of the proposed protocol is formally proved under the random oracle model. Comparative analysis shows that our protocol can resist various known attacks, achieve perfect forward security and privacy protection, and maintain low computational costs.

There are three innovations in the work: (a) Ground stations and drones can complete mutual authentication without storing drones’ information. This provides a strong condition for the scalability of the system. (b) The authentication between drones does not require the participation of ground stations. This effectively reduces the burden on the GS and allows drones to communicate with each other even if they travel outside the communication range of the GS. (c) The security of GS is taken into account. The work incorporates PUF into both the GS and drones. This integration serves as a robust defense mechanism against capture attacks, significantly enhancing the overall security posture of the system.

The rest of this paper is organized as follows. Section 2 discusses the related works. In Section 3, the system model for IoD is introduced. Section 4 describes our proposed protocol. Section 5 provides a security proof of the protocol. In Section 6, a performance analysis of the protocol is also presented. Finally, we conclude the paper in Section 7.

2. Related Works

Recent efforts to secure drone networks have led to the development of various lightweight authentication protocols that address both emerging security challenges and the constraints of limited resources. Jan et al. [19] proposed a protocol specifically tailored for the IoD, emphasizing minimal overhead while ensuring robust security.

Several researchers have focused on encryption-based methods. Cheon et al. [20] introduced a homomorphic authenticated encryption technique that enables real-time data protection by allowing simultaneous encryption and verification. This approach safeguards confidentiality and integrity without imposing heavy computational demands. In a complementary direction, Jiang et al. [21] designed an intelligent authentication system that leverages behavioral analysis and prediction to identify abnormal drone activity, thereby effectively mitigating identity spoofing risks.

Blockchain technology has emerged as a promising solution for decentralized security. Tan et al. [22] developed a blockchain-assisted distributed authentication service for industrial drones, which offers tamper resistance while keeping the system lightweight. Additionally, Wang et al. [23] presented a blockchain-enhanced mutual authentication protocol that further secures drone communications, and García et al. [24] combined a μTesla-based approach with blockchain to protect broadcast communications within drone networks.

Other studies have explored alternative lightweight cryptographic mechanisms. Yu et al. [25] proposed an authentication protocol that employs physical unclonable functions (PUFs), offering an efficient solution for smart city applications where drones operate under strict resource constraints. In parallel, streamlined authentication and key agreement schemes have been put forward by Zhang et al. [26] and Wazid et al. [6], both aiming to balance robust security with low computational overhead. Moreover, Hussain et al. [27] introduced an efficient user access protocol that reinforces overall system reliability in dynamic drone environments.

In addition to protocol development, broader evaluations and adaptations for emerging network technologies have also been considered. Rodrigues et al. [28] provided a comprehensive review of various authentication methods for drone communications. Alladi et al. [29] introduced Drone-MAP, a protocol designed for drone-assisted 5G networks, which addresses the need for ultra-low latency and high security in next-generation communication systems. Furthermore, Wu et al. [30] developed an enhanced authentication framework optimized for 5G-enabled drone networks, underscoring the importance of robust security in high-speed settings.

Advanced protocols designed for large-scale drone deployments and swarm communications have also been explored. Bansal et al. [31] proposed SHOTS, a scalable authentication-attestation protocol that incorporates optimal trajectory planning to enhance both security and operational efficiency in drone swarms. Similarly, Javed et al. [32] investigated the use of blockchain as a certificate authority, aiming to mitigate vulnerabilities associated with centralized systems. Finally, Mishra et al. [33] introduced a secure key management framework that leverages blockchain and big data analytics for drones operating in networks beyond 5G, while Zhang et al. [34] demonstrated the potential of an ECC-based lightweight authentication protocol to meet the dual demands of security and efficiency in modern drone applications.

Lastly, Xiao et al.’s scheme [35] allows mutual authentication between a drone and the GS, as well as between any two drones, establishing secure session keys in both cases. However, their protocol does not account for GS security, which is vulnerable to physical capture attacks, and it requires GS participation for drone-drone authentication. Li et al. [36] introduced CSECMAS, an efficient certificate signing-based authentication scheme that leverages elliptic curve cryptography for drone communication networks. Their approach focuses on providing robust security while minimizing computational overhead, making it well-suited for resource-constrained drone systems. Bansal and Sikdar [37] proposed a location-aware clustering method aimed at developing a scalable authentication protocol for drone swarms. By incorporating geographic information into the clustering process, their framework enhances scalability and streamlines the authentication process in large-scale drone deployments. Cho et al. [38] developed SENTINEL, a secure and efficient authentication framework tailored for drone communications. Their method emphasizes rapid and reliable authentication, ensuring that dynamic drone networks can maintain high levels of security without sacrificing operational efficiency. However, the protocol is vulnerable to physical capture attacks. Yu et al. [39] introduced LAKA-UAV, a lightweight authentication and key agreement scheme that leverages blockchain for cloud-assisted drone networks in flying ad-hoc environments. Their framework focuses on providing robust security with minimal computational overhead, making it suitable for dynamic and distributed drone communications. Bhattarai et al. [40] proposed a lightweight and anonymous, application-aware authentication and key agreement protocol designed specifically for the Internet of Drones. Their approach emphasizes user privacy and efficient credential management, addressing the unique challenges inherent in drone communication networks. Alkatheiri et al. [41] developed a lightweight authentication scheme based on PUF for drone networks. This method exploits the inherent uniqueness of PUFs to deliver a secure and resource-efficient solution for authenticating drones in diverse operational environments.

Overall, the security and privacy of drone communications in IoD have been the subject of various AKA protocols in recent years, but these existing schemes face challenges related to session key leakage, physical capture attacks, and inefficiency in UAV-to-UAV or UAV-to-GS communications. These existing protocols highlight the need for more efficient, secure, and resilient AKA schemes, especially for scenarios where UAVs must authenticate each other independently of the GS. Our proposed protocol addresses these gaps by providing mutual drone-to-drone authentication without requiring GS involvement, improving both security and efficiency. Some important related works are summarized in

Table 1. The summary of the related schemes for IoD.

Scheme	Year	Cryptographic Techniques	Advantages	Limits
[19]	2021	Utilize hash message authentication code	Protects the communication between drone and drone	Authentication requires GS
[20]	2018	Utilize homomorphic encryption	Guarantees the security against eavesdropping and forgery attacks	Vulnerable to session key leaks and insider attacks
[21]	2020	Utilize Kalman Trajectory Predicting Algorithm	Provides the government with intelligent control	Does not resist physical capture attack
[28]	2019	Utilize ECC	Provides mutual authentication between base station devices and UAVs	Does not resist physical capture attack
[6]	2019	Utilize fuzzy extractor	Provides three-factor security	Does not guarantee perfect backward secrecy
[27]	2023	Utilize one-way hash function	Provides mutual authentication for user and drone	Does not resist physical capture attack
[23]	2023	Utilize one-way hash function	Provides a lightweight blockchain-enhanced mutual authentication	Does not resist physical capture attack
[24]	2023	Utilize one-way hash function	Utilizes blockchain to manage drone authentication	Authentication requires GS
[33]	2023	Utilize one-way hash function	Provides an authentication key management framework with big data analytics	Does not resist physical capture attack
[34]	2023	Utilize ECC	Provides drone-GS authentication	Does not resist physical capture attack
[35]	2024	Utilize one-way hash function	Provides low computation overload	Does not resist GS capture attack
[36]	2022	Utilize ECC	Establishes a secure session between the GS and a UAV	Substantial computational overhead
[37]	2021	Utilize PUF	Uses K-Means clustering to construct UAV clusters	Does not resist replay attack, anonymity, and perfect forward secrecy

. The proposed scheme addresses the limitations of these previously proposed protocols listed in Table 1, such as the need for GS involvement for D2D authentication, GS physical capture attack, and perfect forward security.

3. System Model

The system model, including the network model (overall architecture) and its corresponding threat model, is described as follows.

3.1. Network Model

The network model is shown in Figure 1, which contains a GS and drones. In Figure 1, drones have limited memory and compute capabilities when compared to the GS, and they communicate with each other over an insecure wireless channel.

The GS serves as the main command and control hub for the safe flight and guidance of drones. The GS often acts as the central hub for monitoring and controlling drone fleets. It coordinates flight paths, monitors real-time drone status (e.g., battery levels, GPS location, and system health), and adjusts operational parameters based on environmental conditions. The GS is responsible for overseeing drone missions, providing updates, and ensuring that drones follow assigned routes or complete specified tasks, such as surveillance or delivery. The GS collects and aggregates data transmitted by drones, which could include sensor data, images, videos, and telemetry. This data can be used for real-time analysis or stored for later processing. The GS processes this collected data to make decisions, such as adjusting drone routes based on real-time data or performing predictive analytics to optimize drone operations.

Drones are the core components of IoD, where they perform various tasks related to surveillance, delivery, communication, and data collection. In the IoD ecosystem, drones are designed to work autonomously or in coordination with GS and other drones to complete complex operations. Drones in the IoD are often capable of autonomous flight, navigating based on pre-defined routes, real-time GPS data, and environmental sensing. They can adjust their paths dynamically based on obstacles or changes in the environment, making them highly adaptable in diverse situations. Drones can make decisions on-the-fly, such as selecting an optimal flight path or avoiding collisions, without the need for continuous remote control by GS.

In IoD ecosystem, the GS and drones work together to ensure efficient, secure, and reliable operations. Their collaboration is vital for tasks such as surveillance, delivery, data collection, and fleet management. In order to establish a secure communication session with the GS, a drone needs to perform the drone-GS AKA. In order to establish a secure communication session with another drone, a drone needs to perform the drone-drone AKA without the help of GS.

3.2. Threat Model

We define the threat model as follows in accordance with the Dolev-Yao threat model [42] and Krawczyk (CK) threat model [43].

• The adversary A may be an internal attacker or a drone with a valid registration, in which case the attacker may transmit harmful messages or initiate impersonation attacks.
• A can also eavesdrop, modify, intercept, forge, delete, and replay the messages transmitted publicly.
• A can gain access to stored data by side-channel attacks on drones and GS, but cracking PUF is tough.

4. Proposed Protocol

The proposed scheme is organized into four phases: (1) System initialization. (2) Drone registration. (3) Drone-GS authentication and key agreement. (4) Drone-drone authentication and key agreement. (5) Pseudo-identity and public key update. (6) Drone revocation/reissue phase.

Table 2. The notations used in this scheme.

Notation	Description
GS	Ground station
$I{D}_s$$, I{D}_i$	$\mathrm{Identities} \mathrm{of} \mathrm{GS}, Dron{e}_i$
$PI{D}_i$$, PI{D}_j$	$\mathrm{Pseudo}-\mathrm{identities} \mathrm{of} Dron{e}_i$$, Dron{e}_j$
$PI{D_i}^{\prime }$	$\mathrm{New} \mathrm{pseudo}-\mathrm{identitiy} \mathrm{of} Dron{e}_i$
$P$	The generator of the elliptic curve
$x_s, Y_s$	Private and public key of GS
$d_{\mathrm{i}},Y_{\mathrm{i}}$	Private and public key of drone
$PUF\left(\right)$	Physical unclonable function
$Ch{a}_i,Re{s}_i$	The challenge and response pair
$h\left(.\right)$	Hash function
$\oplus$	XOR operation
$\left|\right|$	Concatenation
$T_{\mathrm{i}}$	Timestamp of current time
$E_{SK\left(\right)}/D_{SK\left(\right)}$	Symmetric encryption/decryption function
$S{K}_{is}$	The session key between drone and GS
$S{K}_{ij}$	The session key between drones

presents the notations used in this scheme.

4.1. System Initialization Phase

GS selects an elliptic curve $E\left(G{F}_q\right)$ and a base point $P$ then selects its private key $x_s\in Z_q^{*}$ and a random number $Ch{a}_s$ and its identity $I{D}_s$, calculates $Re{s}_s=PUF\left(Ch{a}_s\right)$, $Q_s=x_s\oplus \mathrm{h}\left(Re{s}_s\right)$, $Y_s=x_s·P$ as its public key, and stores $\left\{PUF\right(),Q_s,Ch{a}_s\}$. GS selects one-way hash function $h\left(.\right)$. Finally, GS publishes the system parameters $\{q,P,Y_s,I{D}_s,h\left(.\right)\}$.

4.2. Drone Registration Phase

In this phase, A drone launches a registration application with GS before deployment in the IoD. The registration phase is shown in Figure 2.

The detailed description of the drone registration is as follows:

• The drone selects its identity $I{D}_i$ and sends its identity $I{D}_i$ to GS via a secure channel.
• On receiving the request from the drone, GS verifies the legitimacy and uniqueness of the identity $I{D}_i$, selects a random number $d_i$, calculates $Re{s}_s=PUF\left(Ch{a}_s\right)$, $x_s=Q_s\oplus \mathrm{h}\left(Re{s}_s\right)$, $PI{D}_i=E_{x_s}\left(I{D}_i\right|\left|d_i\right|\left|T_{\mathrm{i}}\right)$, $Y_{\mathrm{i}}=d_{\mathrm{i}}·\mathrm{P}$, where $T_{\mathrm{i}}$ is current time. Then, GS sends $\{PI{D}_i,d_i\}$ to drone via a secure channel and adds $Y_{\mathrm{i}}$ in the revocation list.
• The drone selects a challenge value $Ch{a}_i$, calculates $Re{s}_i=PUF\left(Ch{a}_i\right)$, $Q_i=d_i\oplus h\left(Re{s}_i\right)$, $Y_{\mathrm{i}}=d_{\mathrm{i}}·\mathrm{P}$, then the drone stores $\{Ch{a}_i,PI{D}_i,I{D}_i,Q_i,Y_{\mathrm{i}}\}$.

4.3. Drone-GS Authentication and Key Agreement Phase

Ground station (GS) and drone authentication could enable GS to get the status of a drone, flight plan, GPS coordinates, and scope of regulations. The drone-GS authentication and key agreement phase is shown in Figure 3.

The detailed description of the drone-GS authentication and key agreement phase is as follows:

• The drone selects a random number $a_1$ and a timestamp $T_1$, calculates $Re{s}_i=PUF\left(Ch{a}_i\right)$, $d_i=Q_i\oplus \mathrm{h}\left(Re{s}_i\right)$, $A_1=a_1·\mathrm{P}$, $A_2=h\left(d_i\right|\left|T_1\right|\left|I{D}_i\right|\left|PI{D}_i\right|\left|I{D}_s\right|\left|A_1\right)$, and sends {$T_1,A_1,A_2,PI{D}_i$} to GS.
• On receiving the information from the drone, GS verifies the freshness of $T_1$, calculates $Re{s}_s=PUF\left(Ch{a}_s\right)$, $x_s=Q_s\oplus \mathrm{h}\left(Re{s}_s\right)$, $I{D}_i\left|\right|d_i\left|\right|T_{\mathrm{i}}=D_{x_s}\left(PI{D}_i\right)$, $A_2^{*}=h\left(d_i\right|\left|T_1\right|\left|I{D}_i\right|\left|PI{D}_i\right|\left|I{D}_s\right|\left|A_1\right)$, then verifies if $A_2^{*}=A_2$, if not, reject it. Otherwise, GS selects a random number $b_1$ and a timestamp $T_2$, calculates $B_1=b_1·P$, $S{K}_{is}=h\left(A_1\right|\left|B_1\right|\left|\left(b_1·A_1\right)\right|\left|PI{D}_i\right|\left|I{D}_s\right)$, $PI{D_i}^{\prime }=E_{x_s}\left(I{D}_i\right|\left|d_i\right|\left|T_2\right)$, $B_2=h\left(d_i\right|\left|S{K}_{is}\right|\left|B_1\right|\left|PI{D_i}^{\prime }\right||$$I{D}_s\left|\right|T_1\left|\right|T_2$), $B_3=PI{D_i}^{\prime }\oplus \mathrm{h}\left(d_i\right|\left|T_2\right)$, then sends {$B_1,B_2,{B_3,T}_2$} to drone. The $S{K}_{is}$ serves as a session key between the drone and GS.
• On receiving the information from GS, the drone verifies the freshness of $T_2$, then calculates $S{K}_{is}=h\left(A_1\right|\left|B_1\right|\left|\right(a_1·B_1\left)\right|\left|T_2\right|\left|PI{D}_i\right|\left|I{D}_s\right)$, $PI{D}_i^{\prime }=B_3\oplus \mathrm{h}\left(d_i\right|\left|T_2\right)$, $B_2^{*}=d_i\left|\right|S{K}_{is}\left|\right|B_1\left|\right|PI{D_i}^{\prime }\left|\right|I{D}_s\left|\right|T_1\left|\right|T_2)$, then verifies if $B_2^{*}=B_2$, if it is valid, the drone gets the session key $S{K}_{is}$ and updates the pseudo-identity $PI{D}_i^{\prime }$.

4.4. Drone-Drone Authentication and Key Agreement Phase

In this phase, AKA requests from one drone to another drone for future secure communication. The drone-drone authentication and key agreement phase is shown in Figure 4.

The detailed description of the drone-drone authentication and key agreement phase is as follows:

• $Dron{e}_i$ selects two random numbers $a_3,a_4$ and a timestamp $T_3$, calculates $Re{s}_i=h\left(Ch{a}_i\right)$, $d_i=Q_i\oplus \mathrm{h}\left(Re{s}_i\right)$, $A_5=a_3·\mathrm{P}$, $A_6=h(d_{\mathrm{i}}·Y_j|\left|T_3\right)$, $A_7=E_{A_6}\left(a_4\right|\left|T_3\right|\left|PI{D}_i\right|\left|PI{D}_j\right)$, $A_8=h\left(a_4\right|\left|T_3\right|\left|PI{D}_i\right|\left|PI{D}_j\right|\left|A_5\right|\left|A_7\right)$, sends {$PI{D}_j,T_3,A_5,A_7,A_8$} to $Dron{e}_j$.
• On receiving the information from $Dron{e}_i$, the $Dron{e}_j$ verifies the freshness of $T_3$, calculates $Re{s}_j=PUF\left(Ch{a}_j\right)$, $d_j=Q_j\oplus \mathrm{h}\left(Re{s}_j\right)$, $A_6^{*}=h(d_{\mathrm{j}}·Y_i|\left|T_3\right)$, $a_4\left|\right|T_3\left|\right|PI{D}_i\left|\right|PI{D}_j=D_{A_6^{*}}\left(A_7\right)$, $A_8^{*}=h\left(a_4\right|\left|T_3\right|\left|PI{D}_i\right|\left|PI{D}_j\right|\left|A_5\right|\left|A_7\right)$, then verifies if $A_8^{*}=A_8$, if not, reject it. Otherwise, $Dron{e}_j$ selects a random number $b_2$ and a timestamp $T_4$, calculates $B_3=b_2·\mathrm{P}$, $S{K}_{ij}=h\left(A_5\right|\left|B_3\right|\left|\left(b_2·A_5\right)\right|\left|PI{D}_i\right|\left|\mathrm{P}I{D}_j\right)$, $B_4=h\left(a_4\right|\left|S{K}_{ij}\right|\left|A_5\right|\left|B_3\right|\left|PI{D}_i\right|\left|PI{D}_j\right|\left|T_3\right|\left|T_4\right)$, then sends $\{B_3,B_4,T_4\}$ to $Dron{e}_i$. The $S{K}_{ij}$ serves as a session key between the $Dron{e}_i$ and $Dron{e}_j$.
• On receiving the information from $Dron{e}_j$, $Dron{e}_i$ verifies the freshness of $T_4$, cal-culates $S{K}_{ij}=h\left(A_5\left|\left|B_3\right|\right|\left(a_3·B_3\right)\left|\left|PI{D}_i\right|\right|\mathrm{P}I{D}_j\right)$, $B_4^{\mathrm{*}}=h\left(a_4\right|\left|S{K}_{ij}\right|\left|A_5\right|\left|B_3\right|\left|PI{D}_i\right|\left|PI{D}_j\right|\left|T_3\right|\left|T_4\right)$, then verifies if $B_4^{\mathrm{*}}=B_4$, if it is valid, $Dron{e}_i$ gets the session key $S{K}_{ij}$.

4.5. Pseudo-Identity and Public Key Update Phase

To resist identity tracking attacks and protect the privacy of the vehicle, the temporary pseudo-identity and public key of the drone can be updated.

After the drone $Dron{e}_i$ and GS complete the mutual authentication (please refer to Section 4.3) and gets session key $S{K}_{is}$, GS chooses $d_i^{new}$ and current timestamp $T_i^{new}$, computes $PI{D}_i^{new}=E_{x_s}\left(I{D}_i\right|\left|d_i^{new}\right|\left|T_i^{new}\right)$, $B_5=PI{D}_i^{new}\oplus \mathrm{h}\left(S{K}_{is}\right|\left|T_5\right)$, $B_6=d_i^{new}\oplus \mathrm{h}\left(T_5\right||S{K}_{is}$),$Y_i^{new}=d_i^{new}·\mathrm{P}$, and sends $B_5$ and $B_6$ to $Dron{e}_i$ via a public channel.

After receiving $B_5$ and $B_6$, $Dron{e}_i$ computes $PI{D}_i^{new}$ and $d_i^{new}$ from $B_5$ and $B_6$, and computes $Q_i^{new}=d_i^{new}\oplus \mathrm{h}\left(Re{s}_i\right)$ and $Y_i^{new}=d_i^{new}·\mathrm{P}$, updates $d_i$ and $Y_i$.

4.6. Drone Revocation/Reissue Phase

The drone revocation phase is crucial in scenarios where a drone needs to be removed from the system’s authorized list. This could be due to a drone being compromised, malfunctioning, or no longer needed. In this phase, the system must revoke the drone’s access rights, ensuring it can no longer communicate with other components like GS or other drones.

The GS decrypts $I{D}_i\left|\right|d_i\left|\right|T_{\mathrm{i}}$ based on the $PI{D}_i$ of the drone that needs to be revoked, calculates $Y_{\mathrm{i}}=d_{\mathrm{i}}·\mathrm{P}$, then adds $Y_i$ to the revocation list that are already authenticated with GS. Then, if GS and other drones discover the $Y_i$ of a revoked drone in the revocation list, they will refuse to communicate with it.

When a revoked drone needs to be reissued, it needs to re-initiate a registration request to GS for a new $Y_{\mathrm{i}}$ and ${PID}_{\mathrm{i}}$. At this point, since the drone’s $Y_{\mathrm{i}}$ is already on the revocation list, GS needs to decide whether to accept this registration request or not based on the actual situation. If it is deemed that the drone can be legally re-registered, then remove $Y_i$ from the revocation list.

5. Security Proof

In this part, we first provide informal security proof for the proposed scheme. Then, we present a formal security proof for the proposed scheme using the random oracle model.

5.1. Informal Security Proof

5.1.1. Replay Attack

Timestamps and random numbers are associated with public messages. Replayed messages fail to meet freshness and integrity standards. The proposed protocol can resist replay attacks.

5.1.2. Impersonation Attack

In the drone-GS authentication and key agreement phase, suppose an adversary impersonates the drones to authenticate with GS and forges the message {$T_1,A_1,A_2,PI{D}_i$}, where $A_1=a_1·\mathrm{P}$, $A_2=h\left(d_i\right|\left|T_1\right|\left|I{D}_i\right|\left|PI{D}_i\right|\left|I{D}_s\right|\left|A_1\right)$, $a_1$ and $d_i$ are random numbers, $I{D}_i$ and $I{D}_s$ are identities of the drone and GS, $PI{D}_i$ is pseudo-identity of the drone. $PI{D}_i$ will be updated after authentication. It is impossible to calculate $A_2$ without knowing $d_i$ and $I{D}_i$.

In the drone-drone authentication and key agreement phase, suppose an adversary impersonates the drones to authenticate with another drone and forges the message {$PI{D}_j,T_3,A_5,A_7,A_8$}, where $A_5=a_3·P$, $A_6=h(d_{\mathrm{i}}·Y_j|\left|T_3\right)$, $A_7=E_{A_6}\left(a_4\right|\left|T_3\right|\left|PI{D}_i\right|\left|PI{D}_j\right)$, $A_8=h\left(a_4\right|\left|T_3\right|\left|PI{D}_i\right|\left|PI{D}_j\right|\left|A_5\right|\left|A_7\right)$, $a_3$ and $d_i$ are random numbers, $PI{D}_i$ and $PI{D}_j$ is pseudo-identities. $PI{D}_i$ will be updated after authentication. It is impossible to calculate $A_6$ without knowing $d_i$.

5.1.3. Drone Physical Capture Attack

Suppose an adversary has physically captured some drones; the adversary can retrieve stored information $\{Ch{a}_i,PI{D}_i,I{D}_i,Q_i,Y_{\mathrm{i}}\}$ through power analysis attacks, where $Re{s}_i=PUF\left(Ch{a}_i\right)$, $d_i=Q_i\oplus \mathrm{h}\left(Re{s}_i\right)$. While the adversary can collect this information, attempting to probe or manipulate the integrated circuits of captured drones to retrieve the output responses of their PUFs will result in irreversible damage to the PUFs due to slight physical variances.

5.1.4. GS Physical Capture Attack

Similarily, suppose an adversary has physically captured GS; the adversary can retrieve stored information $\{Ch{a}_{\mathrm{s}},Q_{\mathrm{s}}\}$ through power analysis attacks, where $Re{s}_{\mathrm{s}}=PUF\left(Ch{a}_{\mathrm{s}}\right)$, ${\mathrm{x}}_{\mathrm{s}}=Q_{\mathrm{s}}\oplus \mathrm{h}\left(Re{s}_{\mathrm{s}}\right)$. While the adversary can collect this information, attempting to probe or manipulate the integrated circuits of captured drones to retrieve the output responses of their PUFs will result in irreversible damage to the PUFs due to slight physical variances.

5.1.5. Forward and Backward Secrecy

Assume the attacker has complete knowledge of the protocol’s long-term keys. However, the random numbers used for session key agreements are not publicly available. Even if the attacker knows long-term keys, he cannot recover earlier or any future session keys.

5.1.6. MITM Attack

To undertake MITM attacks against the proposed protocol, an adversary must intercept and tamper with the communications. According to the preceding description, {$T_1,A_1,A_2,PI{D}_i$} and {$PI{D}_j,T_3,A_5,A_7,A_8$} are protected and unknown to the adversary. The adversary can intercept these messages but cannot modify them. Therefore, the proposed scheme can prevent MITM attacks.

5.1.7. Anonymity and Untraceability

In the proposed protocol, the pseudo-identity of a drone is $PI{D}_i=E_{x_s}\left(I{D}_i\right|\left|d_i\right|\left|T_{\mathrm{i}}\right)$, where $x_s$ and $T_{\mathrm{i}}$ are secret values generated by GS. The pseudo-identities of drones are different and unlinkable. The adversary cannot obtain the real identity or trace the drone based on $PI{D}_i$. Thus, the proposed protocol preserves anonymity and unlinkability.

5.1.8. Desynchronization Attack

The GS generates pseudo-identities on an individual basis. Suppose an attacker initiates assaults that disrupt drone pseudo-identity updates. The attacker interferes with the drone to receive the correct message from GS utilizing tampering and interception. However, this will not affect the drone’s authentication. As a result, the suggested protocol can withstand desynchronization attacks.

5.1.9. ESL Attack

Even if an adversary obtains the long-term secret $I{D}_i$ during the drone-GS authentication and key agreement phase, it is unable to compute the session because it lacks knowledge of $a_1$ or $b_1$. And in the phase of drone-drone authentication and key agreement, it is also unable to compute the session key, because it does not know $a_3$ or $b_2$.

5.1.10. Insider Attack

Because our solution utilizes PUF to protect the security of secret parameters in drones and GS, no internal or external attackers can obtain the secret parameters of drones and GS, thus resisting privileged insider attacks.

5.2. Formal Security Proof

We employ the random oracle model to show the proposed protocol’s semantic security. The random oracle model is a theoretical construct used in the analysis of cryptographic protocols. It assumes that certain hash functions or other cryptographic primitives behave like an ideal random function. In this model, when a party queries the random oracle with an input, the oracle returns a uniformly distributed random output that has not been previously returned for any other input, and this random mapping is stored internally. It helps in simplifying the security analysis of protocols by abstracting away the complexity of real-world hash functions and providing a clean framework for proving security properties. In cryptographic security proofs within the random oracle model, a sequence of “games” is used to formally demonstrate that an adversary’s advantage in breaking a scheme is negligible.

Definition 1.

The participants are composed of Drone(D) and Ground Station(GS). In the i-th instance, the participants are denoted as $I{n}_{Di}^i \left(I{n}_{Dj}^i\right)$, and $I{n}_{Gi}^i$, respectively. The state Accept represents that an oracle receives a correct message. If two oracles are in Accept and the session keys have been agreed, the oracles get their session identities and participant identities. The oracles can be considered partners if their session keys and session identities are the same, and the participant identity is equal to each other’s identity.

Definition 2.

The queries simulate the capabilities of attackers.

Execute($I{n}_{Di}^i,I{n}_{Gi}^i,I{n}_{Dj}^i$): All the messages transmitted openly can be intercepted by the adversary A.

Send($I{n}_{Di}^i,I{n}_{Gi}^i,I{n}_{Dj}^i,m$): A forges and sends the message m to $I{n}_{Di}^i$, $I{n}_{Gi}^i$ or $I{n}_{Dj}^i$, if m is correct, $I{n}_{Di}^i$, $I{n}_{Gi}^i$ or $I{n}_{Dj}^i$ responses A.

Reveal($I{n}_{Di}^i,I{n}_{Gi}^i,I{n}_{Dj}^i$): A can get the session keys between $I{n}_{Di}^i$, $I{n}_{Gi}^i$ and $I{n}_{Dj}^i$.

Test($I{n}_{Di}^i,I{n}_{Gi}^i,I{n}_{Dj}^i, r$): This query is only permitted to be run once. which creates a random bit r, and if r = 1, returns the real session key; otherwise, returns a random number.

Corrupt($I{n}_{Di}^i, I{n}_{Dj}^i$): Which simulates the side-channel attack on the drone, and returns the stored information {$Ch{a}_i,PI{D}_i,I{D}_i,Q_i,Y_i$}.

CorruptGS($I{n}_{Gi}^i$): Which simulates the attack of capturing GS, and returns the stored information {$Ch{a}_s,Q_s$}.

Definition 3.

A is allowed to execute at most once Test($I{n}_{Di}^i,I{n}_{Gi}^i,I{n}_{Dj}^i, r$) and multiple other queries to determine the correctness of the return value of Test($I{n}_{Di}^i,I{n}_{Gi}^i,I{n}_{Dj}^i, r$). That is A guesses the random bit r generated by Test($I{n}_{Di}^i,I{n}_{Gi}^i,I{n}_{Dj}^i, r$). The possibility is $Ad{v}_P^A=\left|2Pr[Suc(A)]-1\right|$, $Ad{v}_P^A<\eta$ represents the protocol is secure, where η is sufficiently small.

Theorem 1.

The advantage of obtaining the session key in polynomial time by A is:

$$Ad{v}_P^A\le {\displaystyle \frac{q_H^2}{2^{l_H}}}+{{\displaystyle \frac{(q_{SE}+q_{EX})}{n}}}^2+2Ad{v}_{ECDLP}^A+2q_{SE}Ad{v}_{PUF}^A$$

where $q_H$, $q_{SE}$ and $q_{EX}$ represents the times of executing Hash, Send, and Execute, respectively. $l_H$ and n are the length of hash and transcripts. The advantage of breaking PUF and ECDLP by $Ad{v}_{PUF}^A$ and $Ad{v}_{ECDLP}^A$, respectively.

Proof of Theorem 1.

The games $Gam{e}_i$ (0 ≤ i ≤ 4) are defined to simulate the attacks launched by A. $Wi{n}_i$ (0 ≤ i ≤ 4) means A guesses the random bit r in the $Gam{e}_i$. The games are defined as:

• $Gam{e}_0$: This game simulates the real attack first launched by A. According to the definition, we get:

  $$Ad{v}_P^A=|2Pr[Wi{n}_0]-1|,$$

  (1)
• $Gam{e}_1$: This game simulates the eavesdropping attack. A gets all the messages transmitted publicly. Then, A guesses the random bit r. However, because of the ECDLP, the attacker cannot judge the association between the captured messages and the session keys. Therefore, we get:

  $$Pr[Wi{n}_0]=Pr[Wi{n}_1],$$

  (2)
• $Gam{e}_2$: This game simulates the collision attack on the transcripts and hash results, according to the definition of the birthday paradox, the probability of hash collision is less than ${\displaystyle \frac{q_H^2}{2^{l_H+1}}}$, and the collision probability of other transcripts is less ${{\displaystyle \frac{(q_{SE}+q_{EX})}{2n}}}^2$, Therefore, we have:

  $$Pr[Wi{n}_2]-Pr[Wi{n}_1]\le {\displaystyle \frac{q_H^2}{2^{l_H+1}}}+{{\displaystyle \frac{(q_{SE}+q_{EX})}{2n}}}^2,$$

  (3)
• $Gam{e}_3$: This game simulates A executes Corrupt($I{n}_{Di}^i,I{n}_{Dj}^i$) and CorruptGS($I{n}_{Gi}^i$) to obtain the stored information $\{Ch{a}_i,PI{D}_i,I{D}_i,Q_i,Y_{\mathrm{i}}\}$ in the drone and $\{Ch{a}_{\mathrm{s}},Q_{\mathrm{s}}\}$ in GS, where $Re{s}_i=PUF\left(Ch{a}_i\right)$, $d_i=Q_i\oplus \mathrm{h}\left(Re{s}_i\right)$. If A wants to obtain the valuable parameters, he must guess $d_i$ or break PUF. Suppose the probability of breaking PUF by A is $Ad{v}_{PUF}^A$. Therefore, we have:

  $$Pr[Wi{n}_3]-Pr[Wi{n}_2]\le q_{SE}Ad{v}_{PUF}^A,$$

  (4)
• $Gam{e}_4$: A can obtain $A_5=a_3·P$, $B_3=b_2·\mathrm{P}$, which are used for session keys agreements. This game simulates that A calculates the session keys according to the transcripts. We have:

  $$Pr[Wi{n}_4]-Pr[Wi{n}_3]\le Ad{v}_{ECDLP}^A,$$

  (5)

  The session keys are generated independently and randomly. Hence, the advantage of guessing r is equal to guessing the session key. We have:

  $$Pr[Wi{n}_4]={\displaystyle \frac{1}{2}},$$

  (6)

Combining the above formulas, we have:

$${\displaystyle \frac{1}{2}}Ad{v}_P^A=|Pr[Wi{n}_0]-{\displaystyle \frac{1}{2}}|\le {\displaystyle \frac{q_H^2}{2^{l_H+1}}}+{{\displaystyle \frac{(q_{SE}+q_{EX})}{2n}}}^2+Ad{v}_{ECDLP}^A+q_{SE}Ad{v}_{PUF}^A$$

$$Ad{v}_P^A\le {\displaystyle \frac{q_H^2}{2^{l_H}}}+{{\displaystyle \frac{(q_{SE}+q_{EX})}{n}}}^2+2Ad{v}_{ECDLP}^A+2q_{SE}Ad{v}_{PUF}^A$$

Equations (1)–(6) combined with the final proof typically serve to demonstrate the security properties of the proposed authentication and key agreement protocol. The final proof in ROM typically leverages these equations to conclude that an adversary’s advantage in breaking the protocol is negligible, thereby confirming its robustness. □

5.3. Security Comparison

Table 3. Security comparison.

Feature	[17]	[34]	[35]	[37]	Ours
A1	✗	✗	✔	✔	✔
A2	✗	✔	✔	✗	✔
A3	✗	✔	✔	✔	✔
A4	✔	✔	✔	✔	✔
A5	✗	✗	✗	✗	✔
A6	✔	✔	✔	✔	✔
A7	✔	✔	✔	✗	✔
A8	✗	✔	✗	✗	✔

✔:Resist (Attacks); ✗: Suffer (Attacks). A1: drone physical capture attack; A2: replay attack; A3: desynchronization attack; A4: MITM attack; A5: GS physical capture attack; A6: session key disclosure attack; A7: anonymity and untraceability; A8: perfect forward secrecy.

compares the security aspects of the proposed scheme to other relevant AKA protocols for IoD [17,34,35,37]. We choose metrics A1 through A8 to compare the security of the protocols. These metrics are important indicators of protocol security. Failure to meet these security metrics can cause very serious harm to the system.

In [17], the lack of timestamps used in the drone-GS authentication phase can easily lead to replay attacks, the lack of PUF challenge-response values to defend against physical capture attacks by drones and GS, and the lack of mechanisms such as pseudonyms to defend against desynchronization attacks. In [34], neither the drones nor the GS use physical unclonable functions to defend against physical capture attacks. In [35], this scheme uses only physically unclonable functions for drones and does not take into account the security of the GS, which is therefore vulnerable to physical capture attacks. In [37], similarly, no PUF challenge-response value is applied to the GS, leaving the GS vulnerable to physical capture attacks, and this scheme drone-GS phase lacks a timestamping mechanism, leading to vulnerability to replay attacks. The lack of Diffie-Hellman secret value in the negotiation of the session key phase results in no forward security for these schemes in [17,35,37]. Moreover, this protocol does not dynamically update the identity and does not achieve untraceability.

6. Performance Analysis

In this section, we compare the performance between the proposed protocol and the related protocols [17,34,35,36]. We compare these articles because they are recent studies that introduce innovative solutions to problems in the IoD, each offering valuable insights.

In [17], they propose a lightweight and privacy-preserving mutual AKA protocol for IoD environments. This protocol employs PUF and a chaotic system to accomplish mutual authentication and establish a secure session key between communication entities in the IoD. This protocol is a big improvement in operational efficiency, but it is vulnerable to a variety of attacks such as replay attacks. In [34], they claim to have proposed a lightweight protocol based on ECC for drone authentication, but the system operates inefficiently, and this protocol is vulnerable to physical capture attacks. The same issues as those in the scheme in [36] still exist. In [35], this protocol they proposed dramatically improves the computational efficiency but does not take into account the security of GS. GS is vulnerable to physical capture attacks, and every authentication between drones requires the participation of GS, making the system less efficient and scalable. We propose an innovative solution to address intractable security problems while minimizing time-consuming computations. Additionally, our approach avoids adding storage overhead to the ground station (GS) as the number of drones increases.

We evaluate the communication efficiency of [17,34,35,36] by counting the number of exchanged messages. By analyzing the communication sequence diagrams from [17,34,35,36], we first determine the messages exchanged in a single drone scenario and then calculate the total number of messages for a network of 100 drones. In [17], between a drone and GS, the drone first sends an authentication request to GS, which verifies the message’s legitimacy and responds. The drone then verifies the response before sending a final message back to GS in the authentication process. This process requires three messages for a single drone application. For a network of 100 drones, a total of 300 messages are needed. In the case of authentication between two drones, one drone initiates the request-response phase with GS, exchanging two messages. Then, it communicates with the other drone through GS, exchanging four more messages. In total, six messages are required for a single drone interaction, and 600 messages are needed for a network of 100 drones. In [34], only the authentication and key negotiation phases of drones and GS are considered. Five message interactions are required in an application scenario with one drone and 600 messages in a scenario with 100 drones. In [35], the authentication between the drone and GS requires only one request and one response message, while authentication between drones involves four message exchanges. For a single drone application scenario, this results in 2 messages, and for 100 drones, a total of 200 and 400 messages are exchanged, respectively. In [36], the drone and GS authentication involves the Certificate Authority, requiring 5 messages for a single drone application scenario and 500 messages for a network of 100 drones. In our scheme, both Drone-GS authentication and Drone-to-Drone authentication require only one request and one response message. This means that for a scenario with one drone, two messages are exchanged, and for a network of 100 drones, 200 messages are needed. Our scheme significantly outperforms other schemes in terms of communication efficiency and scalability, both for Drone-to-Drone and Drone-to-GS authentication. These results are demonstrated in Figure 5.

The size of the information exchanged is also considered as a factor of communication efficiency. We consider that the sizes of ID, ECC key, timestamp, hash code, random number, secret number, Henon map value, PUFchallenge, and PUF response are 64 bits, 160 bits, 32 bits, 256 bits, 60 bits, 192 bits, 256 bits, 32 bits, and 320 bits. In the drone-GS AKA phase, the cost in our protocol is {32 + 160 + 256 + 64} + {160 + 256 + 256 + 32} = 1216 bits, while [17] requires {256 + 256 + 256 + 256 + 256 + 256 + 256} = 1792 bits, ref. [34] requires 2600 bits, ref. [35] requires {64 + 60 + 256 + 32 + 256} + {64 + 256 + 256 + 256} = 1500 bits, and ref. [36] requires at least 2944 bits. The communication efficiency of our protocol has improved by at least 44.9%.

Table 4. Communication cost.

Schemes	No. of Messages (Drone-GS)	No. of Messages (Drone-Drone)	Communication Cost (bits)
[17]	3	6	1792
[34]	6	-	2600
[35]	2	4	1500
[36]	5	-	2944
Ours	2	2	1216

shows the communication cost of these protocols. Therefore, our protocol is optimal in terms of communication efficiency and satisfies the lightweight requirement. These results are demonstrated in Figure 6.

To simulate the computing performance of mobile devices in an IoD environment, let $T_H$ be the time of the hash operation, $T_{SE}$ be the time of the symmetric encryption/decryption operation, $T_{ECC}$ be the time cost of ECC operation. These specific performance metrics are among the more time-consuming of the protocols and often determine the performance of the entire system. In the environment of a Windows 10 64-bit laptop, Intel (R) Core (TM) i5-6300HQ CPU @ 2.30 GHz, 12 GB RAM, we get $T_H\approx 0.068$ ms, $T_{ECC}\approx 2.501$ ms, $T_{SE}\approx 0.56$ ms. In the environment of Raspberry Pi 4B, $T_H\approx 0.019$ ms, $T_{ECC}\approx 2.610$ ms, $T_{SE}\approx 0.511$ ms. Although the values of these metrics vary depending on the CPU, memory, and operating system, they illustrate an approximate relationship between the values of the various metrics.

Table 5. Computation cost.

Schemes	Drone	GS	Total	Times (ms)
[17]	$11T_H$	$11T_H$	$22T_H$	1.496
[34]	$8T_H$$+3T_{ECC}$$+2T_{SE}$	$8T_H$$+3T_{ECC}$$+2T_{SE}$	$16T_H$$+6T_{ECC}$$+4T_{SE}$	18.334
[35]	$8T_H$	$9T_H$	$17T_H$	1.156
[36]	-	-	$5T_H$$+6T_{ECC}$$+2T_{SE}$	16.16
Ours	$5T_H$$+2T_{ECC}$	$5T_H$$+2T_{ECC}$$+2T_{SE}$	$10T_H$$+4T_{ECC}$$+2T_{SE}$	11.804

provides a comparison of computational costs for the proposed scheme and related schemes. Although the computational overhead of our proposed protocol is not optimal, this scheme ensures a wider variety of security. Efficiency makes sense only when security is ensured.

7. Conclusions

We have proposed a secure and lightweight AKA protocol for IoD, effectively addressing critical security threats such as capture attacks, impersonation, and privacy breaches. By integrating PUF and enabling direct drone-to-drone authentication without GS involvement, our protocol enhances both security and efficiency. Additionally, it guarantees perfect forward secrecy, ensuring that past communications remain secure even if future cryptographic keys are compromised. Performance analysis indicates that our scheme improves computational efficiency by an average of 31.3% and communication efficiency by an average of 39.44% compared to existing schemes that offer comparable security. Furthermore, our protocol achieves zero storage overhead for GS authentication, further optimizing resource utilization. Formal security proof validates its robustness, making it a reliable and scalable solution for IoD deployments. In practical applications, this protocol strengthens authentication mechanisms in drone networks, enabling secure, efficient, and scalable communication. This is particularly beneficial for applications such as surveillance, disaster response, and logistics, where reliable and low-latency authentication is essential.

The limitation of our protocol is that it does not consider cross-domain scenarios. Future research will focus on developing cross-domain drone-to-GS authentication schemes that eliminate the need for GS to store drone information, as well as cross-domain drone-to-drone authentication mechanisms that operate without GS involvement. These advancements will further enhance the scalability and flexibility of IoD authentication systems.