Security-Enhanced Lightweight Authentication Key-Agreement Protocol for Unmanned Aerial Vehicle Communication

1 School of Software, Northwestern Polytechnical University, Chang’an Campus, Xi’an 710129, China
2 Institute of Electronic Engineering, China Academy of Engineering Physics, Mianyang 621000, China
* Author to whom correspondence should be addressed.
These authors contributed equally to this work.
Appl. Sci. 2025, 15(9), 4680; https://doi.org/10.3390/app15094680
Submission received: 30 March 2025 / Revised: 18 April 2025 / Accepted: 21 April 2025 / Published: 23 April 2025

Abstract:
Unmanned aerial vehicles have been widely employed in recent years owing to their remarkable features such as low environmental requirements and high survivability, and a new tendency towards networking, intelligence, and collaboration has emerged. The realization of these novel capabilities requires a secure and efficient wireless communication channel; however, such a channel is vulnerable to eavesdropping, forgery, and manipulation by attackers. Therefore, ensuring the security of the wireless communication between unmanned aerial vehicles and ground stations is an urgent issue. The traditional solution to this problem is to design an authenticated key-agreement protocol between unmanned aerial vehicles and ground stations. However, an analysis of existing representative methods has shown that these methods are computationally expensive and difficult to implement on resource-constrained aerial vehicles. Furthermore, existing key-agreement systems are highly dependent on the security of temporary session information. When the temporary session information is stolen, the attacker can obtain the session key for the current communication and perform information theft attacks. Therefore, a security-enhanced lightweight authenticated key-agreement protocol for unmanned aerial vehicles’ communication is proposed in this study. We present a low-computational-cost agreement method that can achieve secure key agreement in cases of temporary session information leakage. Both theoretical analysis and experimental verification show that our proposed protocol has superior security properties and lower computational costs than representative protocols.

1. Introduction

As flying devices controlled by built-in computer and communication equipment, unmanned aerial vehicles (UAVs) are characterized by low environmental requirements and high survivability [1]. In recent years, they have been used in many fields and are increasingly showing a trend towards networking and collaboration [2]. Wireless communication is the main method for UAVs to network and collaborate and has now become an important capability component of UAV systems. Consequently, the quality of wireless communication has a significant effect on the operation of UAVs. However, because wireless channels are transmitted in open areas, they can easily be intercepted, deceived, and manipulated by attackers [3], resulting in the illegal theft of private data, failure or accidental execution of important operations, and incalculable losses to users [4,5]. Therefore, ensuring the security of the wireless communication between UAVs and ground stations is a problem that must be solved urgently.
To improve the security of wireless communication, researchers must first address the legitimacy of the identity of the communication entity and the confidentiality and integrity of the communication data [6]. The key question is how to ensure the security of the communication key under the premise of acceptable communication delays [7]. At present, the academic community typically uses authenticated key-agreement protocols to solve this problem, such as those proposed by Hasan et al. [8], Mahmood et al. [9], and Abbasinezhad-Mood et al. [10]. These protocols all design corresponding identity-authentication processes and key-exchange mechanisms, which to a certain extent achieve identity legitimacy verification and data-integrity verification.
The above security protocols are mainly based on public key cryptography theory [11]. The session participants can securely negotiate the session key required for data encryption and achieve identity authentication in open channels [12,13]. The session key is generated using the private parameters of each session participant in combination with an asymmetric encryption calculation, and the key changes with each session. This method ensures a high degree of key security. Therefore, the development of protocols for authenticated key negotiation in UAV communication scenarios has become a research focus (e.g., the protocols described in [14,15], and Rodrigues [16] and Yu [17], which implement identity verification and key-exchange strategies based on the asymmetry and interchangeability of public key cryptography).
Common authenticated key-agreement protocols are based on the ECC (Elliptic-Curve Cryptography) [18] algorithm and the DH (Diffie–Hellman) key-exchange [19] concept, and implement key exchange and identity authentication through a combination of scalar multiplication [20] and point addition [21]. Typical protocols include those described in [22,23,24,25]. However, because the computing and storage devices on UAVs are usually electronic components with low computing power and limited memory space, existing ECC-based authenticated key-agreement protocols generally require a large number of time-consuming scalar multiplication operations. This results in an unacceptable amount of time to establish a session between the UAV and ground station, and thus, the requirements for low-latency communication cannot be met. For example, the lightweight two-party two-factor authentication protocol proposed by Chaudhry et al. [26] is based on ECC computation. It combines the identity of the protocol instance with a temporary identity and uses ECC scalar multiplication and symmetric encryption operations to perform identity authentication and key computation in advance. It can be applied to two-party communication scenarios, but the protocol requires eight time-consuming operations. Ren [27] and Tsobdjou et al. [28] proposed leaner implementations; however, their works still require six time-consuming operations. Therefore, it is necessary to optimize the algorithm based on existing work and design a security protocol with lower computational complexity, without reducing the security strength, to meet the requirements of real-time communication in UAV scenarios.
In addition, the key security of existing ECC-based authenticated key-agreement systems (e.g., those in [22,23]) is primarily based on temporary random numbers that are generated during the session. Once the attacker gains possession of the temporary information, the public information can be used to calculate the session key directly. Because an onboard computer is a low-power terminal with limited resources, the pseudo-random numbers that it generates are usually predictable to a certain extent. As the attack possibilities gradually increase, the security risk of using common authenticated key-agreement protocols in UAV communication scenarios also gradually increases.
In response to the above problems, this study proposes a lightweight security-enhanced authentication key-agreement protocol (SE-UAVAKA) that is suitable for communication between UAVs and ground stations. Compared with existing authentication key-agreement protocols, this study makes the following contributions:
(a) An authenticated key-agreement protocol with low computational complexity and only four scalar multiplication operations is proposed, and the performance analysis shows that our protocol has a lower computational cost than representative protocols.
(b) A key-agreement scheme is designed to compute the session key by combining the identity identifier and a temporary session random number. This scheme ensures the security of the session key when information on the temporary session random number is leaked.
(c) A formal analysis and ProVerif simulation [29] are performed to verify the performance of the proposed protocol. Both the theoretical analysis and experimental verification show that the proposed protocol has higher security properties and a lower computational cost than representative protocols.
The remainder of this paper is organized as follows: Section 2 presents a theoretical analysis of the shortcomings of the existing protocols. Section 3 introduces the proposed authenticated key-agreement protocol. Section 4 presents the theoretical analysis, simulation verification, and performance and security comparison of protocol security. Finally, Section 5 summarizes the study. The main contributions of this paper and the schematic diagram of the key chapter structure are shown in Figure 1.

2. Analysis of Limitations of Existing Representative Methods

2.1. Analysis of Security Vulnerabilities in the Chaudhry Protocol

In 2022, Chaudhry et al. [26] proposed a lightweight, authenticated, two-party key-agreement protocol for Smart-Grid Infrastructure. The key security of this protocol is ensured by temporary random numbers that are generated by each party, thereby realizing secure two-party authentication at the cost of eight scalar multiplication operations. However, upon analysis, we found that the above protocol cannot withstand attacks based on known session-specific temporary information. A symbolic definition of the Chaudhry protocol is provided in [26]. The security analysis of the Chaudhry protocol is as follows:
If the attacker obtains the temporary session information $r_{sm}$ and $r_{nan}$ during the execution of the Chaudhry protocol, the session key $SK$ of the session can be calculated through the following steps:
(a) Attacker C obtains the message by listening to the public channel: $R_{sm}, R_{nan}, T_{sm}, T_{nan}$;
(b) Leveraging the publicly available $Q_{nan}, Q_{sm}$ and the obtained $r_{sm}, r_{nan}$, the adversary can calculate $K_{sm}$ through the scalar point-multiplication operation $K_{sm} = r_{sm} Q_{nan}$;
(c) Attacker C obtains $K_{nan}$ by calculating $r_{sm} Q_{nan} + K_{sm}$, because $K_{sm} = d_{nan} R_{sm}$;
(d) Attacker C obtains $SK$ by calculating $SK = H_1(K_{sm} \,||\, K_{nan} \,||\, R_{sm} \,||\, R_{nan} \,||\, T_{sm} \,||\, T_{nan})$.
To summarize, once the temporary information $r_{sm}, r_{nan}$ of a specific session is leaked, the attacker can calculate and obtain the session key of the current session through the above steps.

2.2. An Analysis of the Security Vulnerabilities in the Ren Protocol

Ren et al. [27] proposed a lightweight two-party two-factor authentication protocol in 2024. The authors of this article designed a protocol applicable to IoT device-to-server and device-to-device communication, featuring lightweightness, anonymity, and high security. Through a security analysis, Ren et al. concluded that their protocol has security features such as two-way authentication and user anonymity. However, based on our analysis, we conclude that the above protocol cannot withstand attacks based on known session-specific temporary information. A symbolic definition of the Ren protocol can be found in the literature [27]. The security analysis of the Ren protocol is as follows:
If the attacker obtains the key information $s$ during the execution of the Ren protocol in device-to-device communication, the session key $sk$ can be calculated for each session using the following steps:
(a) Attacker C receives the message by listening to the public channel: $T_n, T_i, N_j$;
(b) Attacker C obtains $n_i$ from the leaked temporary session information;
(c) Attacker C calculates $n_i N_j$ through the elliptic-curve scalar multiplication operation;
(d) Attacker C obtains $sk$ by calculating $sk = h(T_i \,||\, T_j \,||\, n_i N_j)$.
In summary, once the temporary information $n_i$ of a specific session is leaked, an attacker can calculate and obtain the session key of the current session using the above steps.

2.3. Analysis of Security Vulnerabilities in the Tsobdjou Protocol

In 2021, Tsobdjou et al. [28] proposed a lightweight authenticated two-party key-agreement protocol for mobile communication. In this protocol, the private information of the communication entities is protected by an ID and a password, and the key security is ensured by temporary random numbers that are generated by each party. Secure authentication of the two parties can be achieved at the cost of six scalar multiplication operations. However, in our analysis, we found that the protocol above could not withstand attacks based on known session-specific temporary information. A symbolic definition of the Tsobdjou protocol can be found in [28]. The security analysis of the Tsobdjou protocol is as follows:
If the attacker obtains the temporary information $n$ of the session during the execution of the Tsobdjou protocol, the session key $K_{MC}$ of the session can be calculated using the following steps:
(a) Attacker C obtains the message $M$ by listening to the public channel;
(b) Attacker C obtains the session key directly by calculating $K_{MC} = n \cdot M$.
In summary, once the temporary information $n$ of a specific session is leaked, an attacker can calculate and obtain the session key of the current session using the above steps.

3. A Security-Enhanced Authenticated Key-Agreement Protocol: SE-UAVAKA

3.1. Related Theories and Definitions

3.1.1. Security Attribute Definition

Reference [22] shows that whether a key-agreement protocol is sufficiently secure is determined by whether it meets the typical security properties. When conducting a security analysis of security protocols, the following typical security properties are mainly considered:
  • Impersonation attack resistance: If the attacker cannot obtain the long-term key of protocol entity A, they will not be able to impersonate A and communicate with other protocol entities.
  • Replay attack resistance: An attacker cannot deceive the target host by sending data packets that the target host has already received.
  • Known session-specific temporary information attack resistance: The disclosure of temporary intermediate results does not affect the security of the session key.
  • Perfect forward security: The disclosure of long-term keys of all protocol units has no influence on the security of the previously created session keys.
  • Known-key security: Even if an attacker gets hold of some previous session keys, they cannot obtain the current session key.
  • User anonymity: During the execution of the protocol, attackers cannot find out the identity of the protocol instance.
  • Mutual authentication: Protocol units can authenticate each other, and the authentication process cannot be falsified by attackers.

3.1.2. Some Notations Used in the Protocols

This solution can realize the secure registration of protocol units and the negotiation of security keys as well as the anonymous security authentication of identities under the condition of a temporary loss of session information. The symbol definitions used in the protocol execution steps described in this article are listed in Table 1.

3.2. SE-UAVAKA Initialization Phase

In the initialization phase of the protocol (SE-UAVAKA), the key-generation center generates global parameters (including elliptic-curve base points, global public keys, selected one-way hash functions, and encryption functions) and then sends broadcast signals of the global parameters to each UAV device and ground station in the vicinity through a wireless channel.
The individual steps of the initialization phase of the protocol are as follows:
Key-generation center RC:
(a) Select a large prime number $p$ and the parameters $a, b$ of an elliptic curve $E(a,b): y^2 = x^3 + ax + b$ over the finite field $F_p$, satisfying $4a^3 + 27b^2 \not\equiv 0 \pmod p$. The prime $p$ is chosen to be sufficiently large (e.g., 256+ bits for modern security), while $a$ and $b$ are randomly selected from $F_p$ such that $4a^3 + 27b^2 \not\equiv 0 \pmod p$, ensuring the curve is nonsingular (free from cusps or self-intersections) to maintain cryptographic integrity by avoiding singular points where discrete logarithm problems become computationally tractable.
(b) Select point $P$ as the base point of the elliptic curve. This point is selected because it generates a large cyclic subgroup of prime order, ensuring resistance to attacks like Pohlig–Hellman, and its cofactor is minimized to maintain cryptographic robustness.
(c) Select a one-way hash function $H(\cdot)$ (e.g., SHA-256, representing robust collision resistance and standardized security) and a symmetric encryption/decryption function pair $E(\cdot), D(\cdot)$ (e.g., AES-128, ensuring strong confidentiality and widespread cryptographic acceptance).
(d) Enter the ID (a constant identity ID that uniquely identifies the protocol instance, ensuring immutability and persistence throughout the device lifecycle) of the trusted protocol instance in the database (which is normally saved when the device leaves the factory).
(e) Use a cryptographically secure pseudorandom number generator (CSPRNG, e.g., AES-CTR_DRBG from Linux /dev/urandom, FIPS 140-2 certified) to generate the global private key $sk \in [1, n-1]$ (where $n$ is the order of the elliptic-curve group), then compute the RC’s global public key via scalar multiplication: $PK = sk \cdot P$ (with “$\cdot$” denoting elliptic-curve scalar multiplication).
(f) Transfer all public parameters $(E(a,b), p, P, PK, H(\cdot), E(\cdot), D(\cdot))$ to all protocol entities.

3.3. SE-UAVAKA Registration Phase

This section describes the execution of the protocol registration phase in detail. The UAV and matching ground station complete pairwise registration over the public channel with the participation of the key-generation center. Each protocol instance encrypts and sends the ID information to the key-generation center through the public channel. The key-generation center calculates the long-term key of each protocol instance, encrypts it, and sends it to each protocol instance via the public channel. The individual phases of the registration of protocol entities are shown in Figure 2.
As shown in Figure 2, the detailed registration steps of protocol entities A and B are as follows (A1 represents the first step performed by entity A):
UAV side (hereinafter referred to as protocol entity A in Figure 2):
(a) Use the random number generator described in the initialization phase to generate a random number $s_a \in Z_q$ (where $Z_q$ represents a set of positive integers), and use a one-way hash function to calculate $x_a = H(ID_A \,||\, s_a)$ (where $||$ is a connector, indicating that two elements are concatenated together);
(b) Using the scalar multiplication of elliptic curves, compute $X_{AP} = x_a \cdot P$;
(c) Calculate the symmetric key for the temporary encryption $k_{as} = x_a \cdot PK$ ($PK$ being the global public key generated during the initialization phase);
(d) Use symmetric encryption to encrypt the identity $ID_A$ and $x_a$ to obtain $E_{k_{as}}(ID_A, x_a)$ (for example, when using the AES-128 algorithm, the string formed by concatenating $ID_A$ and $x_a$ is used as the plaintext to be encrypted, and $k_{as}$ is used as the symmetric encryption key);
(e) Send $E_{k_{as}}(ID_A, x_a)$ and $X_{AP}$ to the key-generation center RC.
Key-generation center side in Figure 2:
(a) Combine the global private key $sk$ and the $X_{AP}$ issued by protocol instance A and use the scalar multiplication operation of the elliptic curve to compute $k_{sa} = sk \cdot X_{AP}$ (because $X_{AP} = x_a \cdot P$, $k_{sa} = sk \cdot x_a \cdot P = x_a \cdot sk \cdot P$; therefore, $k_{sa} = x_a \cdot PK = k_{as}$);
(b) Use $k_{sa}$ for decryption to obtain the ID and $x_a$ of protocol unit A: $ID_A, x_a = D_{k_{sa}}(E_{k_{as}}(ID_A, x_a))$, and then wait for the message from B.
Ground station side in Figure 2:
(a) Use the random number generator described in the initialization phase to generate a random number $s_b \in Z_q$ and use a one-way hash function to calculate $x_b = H(ID_B \,||\, s_b)$;
(b) Using the scalar multiplication of elliptic curves, compute $X_{BP} = x_b \cdot P$;
(c) Calculate the symmetric key for the temporary encryption $k_{bs} = x_b \cdot PK$;
(d) Encrypt the identity $ID_B$ and $x_b$ using symmetric encryption to obtain $E_{k_{bs}}(ID_B, x_b)$;
(e) Send $E_{k_{bs}}(ID_B, x_b)$ and $X_{BP}$ to the key-generation center RC.
Key-generation center side in Figure 2:
(a) Combine the global private key $sk$ and the $X_{BP}$ issued by protocol instance B and use the scalar multiplication operation of the elliptic curve to compute $k_{sb} = sk \cdot X_{BP}$ (because $X_{BP} = x_b \cdot P$, $k_{sb} = sk \cdot x_b \cdot P = x_b \cdot sk \cdot P$; therefore, $k_{sb} = x_b \cdot PK = k_{bs}$);
(b) Use $k_{sb}$ for decryption to obtain the ID and $x_b$ of protocol unit B: $ID_B, x_b = D_{k_{sb}}(E_{k_{bs}}(ID_B, x_b))$;
(c) Calculate $y_a = H(ID_A \,||\, ID_B) + x_a$ and $y_b = H(ID_A \,||\, ID_B) + x_b$;
(d) Encrypt $y_a$ and $y_b$ using $k_{sa}$ and $k_{sb}$, respectively, and send them to A and B.
UAV side in Figure 2:
(a) Decrypt $y_a = D_{k_{as}}(E_{k_{sa}}(y_a))$ with $k_{as}$;
(b) Store $y_a$.
Ground station side in Figure 2:
(a) Decrypt $y_b = D_{k_{bs}}(E_{k_{sb}}(y_b))$ using $k_{bs}$;
(b) Store $y_b$.

3.4. SE-UAVAKA Authentication Key-Agreement Phase

3.4.1. Detailed Steps of Authentication Key-Agreement Phase

In the authentication key-agreement phase, the UAV and matching ground station establish a session independently. Once the session is initiated, they exchange the corresponding information about the ID, public key, check value, and timestamp. Both parties rely on this information to complete key negotiations and ID authentication. When this step is completed, each party calculates the session key required for the following session. A schematic of this phase is shown in Figure 3.
The detailed execution steps of the authentication key-agreement phase between protocol entities A and B are as follows (according to Figure 4):
UAV side (protocol entity A) in Figure 4:
(a) Retrieve the data $y_a, ID_A$ obtained during the registration phase from the local secure storage.
(b) Select a random number $r_a \in Z_q$ and use scalar multiplication to calculate $N_a = (r_a \cdot ID_A) \cdot P$.
(c) Generate the current timestamp $TS_a$.
(d) Calculate $H_a = H(ID_A \,||\, TS_a \,||\, N_a)$ using a one-way hash function.
(e) XOR the x-coordinate of the elliptic-curve point $N_a$ with $(y_a - x_a)$ to obtain $E_{ax} = N_{ax} \oplus (y_a - x_a)$.
(f) XOR the y-coordinate of the elliptic-curve point $N_a$ with $(y_a - x_a)$ to obtain $E_{ay} = N_{ay} \oplus (y_a - x_a)$.
(g) Use the symmetric encryption algorithm to encrypt the ID to obtain $E_{y_a - x_a}(ID_A)$.
(h) Send the parameters $E_{y_a - x_a}(ID_A), E_{ax}, E_{ay}, H_a, TS_a$ to protocol entity B through an open channel.
Ground station side (protocol entity B) in Figure 4:
(a) Decode the x-coordinate of $N_a$ to obtain $N_{ax} = E_{ax} \oplus (y_b - x_b)$.
(b) Decode the y-coordinate of $N_a$ to obtain $N_{ay} = E_{ay} \oplus (y_b - x_b)$.
(c) Combine the above x- and y-coordinates to obtain $N_a = (N_{ax}, N_{ay})$.
(d) Decrypt the information using the symmetric decryption algorithm to obtain the ID of protocol entity A: $ID_A = D_{y_a - x_a}(E(ID_A))$.
(e) Calculate $H_a' = H(ID_A \,||\, TS_a \,||\, N_a)$ using a one-way hash function.
(f) Compare it with the received $H_a$: $H_a' = H_a$? If the comparison succeeds, B authenticates A successfully.
(g) Fetch the data $y_b, ID_B$ obtained during the registration phase from the local secure storage.
(h) Select a random number $r_b \in Z_q$ and use scalar multiplication to calculate $N_b = (r_b \cdot ID_B) \cdot P$.
(i) Generate the current timestamp $TS_b$.
(j) Calculate $H_b = H(ID_B \,||\, TS_b \,||\, N_b)$ using a one-way hash function.
(k) XOR the x-coordinate of the elliptic-curve point $N_b$ with $(y_b - x_b)$ to obtain $E_{bx} = N_{bx} \oplus (y_b - x_b)$.
(l) XOR the y-coordinate of the elliptic-curve point $N_b$ with $(y_b - x_b)$ to obtain $E_{by} = N_{by} \oplus (y_b - x_b)$.
(m) Use the symmetric encryption algorithm to encrypt the ID to obtain $E_{y_b - x_b}(ID_B)$.
(n) Calculate the session key $SSK_{BA} = H(r_b \cdot ID_B \cdot N_a)$.
(o) Send the parameters $E_{y_b - x_b}(ID_B), E_{bx}, E_{by}, H_b, TS_b$ to protocol entity A through an open channel.
UAV side (protocol entity A) in Figure 4:
(a) Decode the x-coordinate of $N_b$ to obtain $N_{bx} = E_{bx} \oplus (y_a - x_a)$.
(b) Decode the y-coordinate of $N_b$ to obtain $N_{by} = E_{by} \oplus (y_a - x_a)$.
(c) Combine the above x- and y-coordinates to obtain $N_b = (N_{bx}, N_{by})$.
(d) Decrypt the information using the symmetric decryption algorithm to obtain the ID of protocol entity B: $ID_B = D_{y_b - x_b}(E(ID_B))$.
(e) Calculate $H_b' = H(ID_B \,||\, TS_b \,||\, N_b)$ using a one-way hash function.
(f) Compare it with the received $H_b$: $H_b' = H_b$? If the comparison succeeds, A authenticates B successfully.
(g) Calculate the session key $SSK_{AB} = H(r_a \cdot ID_A \cdot N_b)$.
Through these steps, the UAV and ground station complete a secure agreement for the session key and achieve ID authentication.
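As an added worked example (not code from the paper or its authors), the following Python runs the registration values of Section 3.3 and the full authentication key-agreement phase above end to end, checking that both parties derive the same session key and that a message altered in transit fails the hash check. It assumes secp256k1 as the curve $E(a,b)$ with base point $P$, SHA-256 as $H(\cdot)$, a SHA-256 keystream XOR in place of the AES-based $E(\cdot)/D(\cdot)$, a 60-second timestamp freshness window, and constructed identifiers such as b"UAV-0001" used as scalars via their integer value.

```python
# Added worked example (not the paper's code): SE-UAVAKA registration values (Sect. 3.3) and
# the authentication key-agreement phase (Sect. 3.4.1) on secp256k1, with SHA-256 as H(.).
import hashlib
import secrets
import time

# secp256k1 (a = 0, b = 7) stands in for the RC's E(a, b), p and base point P (assumption).
P_MOD = 2**256 - 2**32 - 977
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD  # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication, the paper's 'k . P' operation."""
    k %= N_ORD
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def i2b(v): return v.to_bytes(32, "big")
def pt2b(pt): return i2b(pt[0]) + i2b(pt[1])

def H(*parts):
    """One-way hash H(.) of the concatenation '||' of its inputs, as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def sym_xcrypt(key, data):
    """Stand-in for E_key(.)/D_key(.): XOR with a SHA-256 keystream (self-inverse, IDs <= 32 bytes)."""
    stream = hashlib.sha256(i2b(key) + b"SE-UAVAKA-id").digest()
    return bytes(m ^ s for m, s in zip(data, stream))

def register(id_a, id_b):
    """RC-side values of Sect. 3.3: x = H(ID||s), y = H(ID_A||ID_B) + x for each party
    (the encrypted transport of x_a, x_b to the RC is omitted here)."""
    x_a = H(id_a, i2b(secrets.randbelow(N_ORD)))
    x_b = H(id_b, i2b(secrets.randbelow(N_ORD)))
    shared = H(id_a, id_b)  # so y_a - x_a == y_b - x_b == H(ID_A||ID_B)
    return (x_a, shared + x_a), (x_b, shared + x_b)

def build_message(my_id, y, x, r, ts):
    """Sender steps: N = (r.ID).P, H = H(ID||TS||N), coordinates XORed with (y - x),
    and the ID encrypted under the same (y - x) value."""
    sec = y - x
    n_pt = ec_mul(r * int.from_bytes(my_id, "big"), G)
    return {"e_id": sym_xcrypt(sec, my_id), "e_x": n_pt[0] ^ sec, "e_y": n_pt[1] ^ sec,
            "h": H(my_id, i2b(ts), pt2b(n_pt)), "ts": ts}

def verify_message(msg, y, x, now, max_skew=60):
    """Receiver steps: check freshness (window is an assumption), undo the XOR, decrypt
    the peer ID, recompute H and compare. Returns (peer_id, N_peer) or None."""
    if abs(now - msg["ts"]) > max_skew:
        return None
    sec = y - x
    n_pt = (msg["e_x"] ^ sec, msg["e_y"] ^ sec)
    peer_id = sym_xcrypt(sec, msg["e_id"])
    if H(peer_id, i2b(msg["ts"]), pt2b(n_pt)) != msg["h"]:
        return None
    return peer_id, n_pt

def session_key(r, my_id, n_peer):
    return H(pt2b(ec_mul(r * int.from_bytes(my_id, "big"), n_peer)))  # SSK = H(r.ID.N_peer)

def run_protocol(id_a, id_b, tamper=False):
    """Full A<->B exchange. Returns both session keys, or None if an H check fails."""
    (x_a, y_a), (x_b, y_b) = register(id_a, id_b)
    r_a, r_b = secrets.randbelow(N_ORD), secrets.randbelow(N_ORD)
    now = int(time.time())
    msg_a = build_message(id_a, y_a, x_a, r_a, now)
    got_a = verify_message(msg_a, y_b, x_b, now)  # B authenticates A
    if got_a is None:
        return None
    msg_b = build_message(id_b, y_b, x_b, r_b, now)
    ssk_ba = session_key(r_b, id_b, got_a[1])  # B's key from A's recovered N_a
    if tamper:
        msg_b["e_x"] ^= 1  # one bit flipped in transit
    got_b = verify_message(msg_b, y_a, x_a, now)  # A authenticates B
    if got_b is None:
        return None
    return {"ssk_ab": session_key(r_a, id_a, got_b[1]), "ssk_ba": ssk_ba}
```

Both keys agree because $SSK_{AB} = H(r_a \cdot ID_A \cdot r_b \cdot ID_B \cdot P) = SSK_{BA}$, while the flipped bit changes the recovered $N_b$ and therefore $H_b'$.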

3.4.2. Explanation of Key Processes in the Authentication Key-Agreement Phase

The authentication key-agreement phase is the core step of the SE-UAVAKA protocol, which supports secure two-way authentication and session key establishment between the UAV and the ground station.
In this phase, the pre-shared long-term keys ($y_a, y_b$) and identities ($ID_A, ID_B$) are extracted from secure storage as the starting point. Each entity generates fresh temporary session parameters (the random numbers $r_a, r_b$) to ensure session uniqueness and forward security; the public parameters ($N_a, N_b$) are derived using elliptic-curve scalar multiplication while minimizing computational overhead.
In addition, timestamps ($TS_a, TS_b$) and hash-based checksums ($H_a, H_b$) are used in this paper to resist replay attacks and verify message integrity. Crucially, the session keys ($SSK_{AB}/SSK_{BA}$) in this phase are dynamically generated from temporary random numbers, long-term identities, and the exchanged parameters, so that the current session remains secure even if previous keys are leaked.

3.4.3. Security Mechanisms and Design Rationale

  • Elliptic-Curve Scalar Multiplication: The proposed scheme employs scalar multiplication ($N_a = (r_a \cdot ID_A) \cdot P$) to generate cryptographic parameters, establishing a direct binding between $ID_A$ and the ephemeral value $r_a$ as impersonation resistance. Without knowledge of both $ID_A$ and the drone’s long-term secret $x_a$, adversaries cannot feasibly forge valid $N_a$ parameters.
  • XOR-based Parameter Obfuscation: The XOR operation ($E_{ax} = N_{ax} \oplus (y_a - x_a)$) serves dual security purposes: (1) it obscures the sensitive coordinate data from elliptic-curve operations during transmission, preventing eavesdroppers from directly reconstructing $N_a$; (2) it leverages $(y_a - x_a)$, a session-specific secret generated during registration, to enforce a dual-key decryption requirement. This design withstands known temporary parameter attacks since the $SSK_{AB}$ derivation requires both $ID_A$ and $(y_a - x_a)$, remaining secure even if $r_a$ is compromised.
  • Timestamp and Hash Validation: The protocol incorporates timestamp validation ($TS_a, TS_b$) to ensure message freshness, complemented by the hash commitments $H_a = H(ID_A \,||\, TS_a \,||\, N_a)$ and $H_b = H(ID_B \,||\, TS_b \,||\, N_b)$ for parameter integrity verification. Any tampering during transmission alters the resulting hash values, triggering verification failure at the recipient side.
  • Identity-Protected Symmetric Encryption: Anonymous authentication is achieved through session-specific symmetric encryption of identifiers ($E_{y_a - x_a}(ID_A)$). Without access to the long-term secret $H(ID_A \,||\, ID_B)$—securely stored in device memory and never exposed in communication channels—attackers cannot correlate sessions with specific drones or ground stations.

3.4.4. Main Improvements of This Protocol

  • Improved efficiency: The protocol reduces scalar multiplication operations to four (two per entity), significantly lowering computational latency compared to prior works (e.g., Chaudhry’s eight operations).
  • Resistance to Known Session-Specific Attacks: A key innovation lies in binding the session key to both long-term identities ($ID_A, ID_B$) and ephemeral parameters ($r_a, r_b$). Even if the temporary values ($r_a, r_b$) leak, an adversary cannot compute $SSK_{AB} = H(r_a \cdot ID_A \cdot N_b)$ without knowing $ID_A$ and $N_b$, which are protected via XOR obfuscation and encrypted channels. This contrasts with the vulnerabilities in Chaudhry’s and Ren’s protocols, where session keys become directly computable from leaked temporaries.
  • Mutual Authentication Guarantees: The protocol enforces mutual authentication through bidirectional hash verification. Entity B validates H a to confirm that N a was generated by a legitimate UAV with knowledge of I D A and y a x a . Similarly, Entity A verifies H b to authenticate the ground station. This dual-check mechanism ensures that neither party can proceed to key derivation without successful authentication.
By integrating these mechanisms, the SE-UAVAKA protocol achieves robust security with minimal computational burden, addressing the critical need for lightweight yet secure communication in UAV networks.

4. Security Analysis and Simulation Verification

To achieve anonymous security authentication between two parties, two-way authentication and user anonymity between protocol units A and B must first be fulfilled. At the same time, attacks based on known session-specific temporary information must be prevented, so that key negotiation remains secure even when the temporary session information of both parties is leaked. Therefore, in this section, formal analysis methods are used to demonstrate the security of the two-way authentication, user anonymity, and resistance to attacks on known session-specific temporary information. Informal analysis methods are used to demonstrate the other security properties, which are easier to establish. In addition, the simulation verification tool ProVerif is used to verify the authentication process and the security of the session key of the proposed protocol.

4.1. Formal Analysis of Protocol Security

4.1.1. Detailed Steps for Formal Security Analysis

Mutual Authentication

Because it is difficult to prove bidirectional authentication using conventional mathematical models, we use BAN logic [30] to analyze the bidirectional authentication of the protocol described in this article formally. BAN logic is a general formal analysis method that is used to prove the bidirectional authentication of a protocol. The specific proof process is as follows: first, we use modeling symbols to express the communication process of the protocol; then, we propose the proof objective; finally, we perform theoretical deduction according to the rules of BAN logic. If the proof goal can be deduced according to the rules of BAN logic, the protocol is secure; otherwise, the protocol has security vulnerabilities. The corresponding symbols are listed in Table 2.
The rules of BAN logic are as follows:
(a)
Message-meaning rule: If the entity U believes that K is a shared key between the entities U and V, and U receives a message encrypted with K, then the entity U believes that V has sent the message M. The formula is as follows: $\dfrac{U \mid\equiv U \xleftrightarrow{K} V,\; U \triangleleft \{M\}_K}{U \mid\equiv V \mid\sim M}$.
(b)
Checking-freshness rule: If the entity U believes that the message M was sent by V and is fresh, then the entity U believes that the entity V trusts the message M. The formula is as follows: $\dfrac{U \mid\equiv \#(M),\; U \mid\equiv V \mid\sim M}{U \mid\equiv V \mid\equiv M}$.
(c)
Arbitration rule: If the entity U believes that the entity V has control over the message M, and the entity U believes that V trusts the message M, then the entity U trusts the message M. The formula is as follows: $\dfrac{U \mid\equiv V \Rightarrow M,\; U \mid\equiv V \mid\equiv M}{U \mid\equiv M}$.
(d)
Fresh-connections rule: If the entity U believes that the message M is fresh, then the entity U also believes that the simple concatenation of M and N is fresh. The formula is as follows: $\dfrac{U \mid\equiv \#(M)}{U \mid\equiv \#(M, N)}$.
(e)
Trust rule: If the entity U trusts a message that is the simple concatenation of the messages M and N, then the entity U trusts the message M. The formula is as follows: $\dfrac{U \mid\equiv (M, N)}{U \mid\equiv M}$.
(f)
Sending rule: If the entity U believes that the entity V has sent the concatenation of M and N, then the entity U believes that V has sent the message M. The formula is as follows: $\dfrac{U \mid\equiv V \mid\sim (M, N)}{U \mid\equiv V \mid\sim M}$.
From the execution process of the authentication-key negotiation phase, protocol entity B authenticates protocol entity A by verifying $H_a$. This requires the correct computation of $N_a$, which is derived from the message $r_a \| ID_A$. Therefore, if protocol entity B is to authenticate protocol entity A, it must trust the message $r_a \| ID_A$. Similarly, if protocol entity A is to authenticate protocol entity B, it must trust the message $r_b \| ID_B$. The two-way authentication proof objectives of this protocol are therefore as follows:
  • Goal 1: $B \mid\equiv A \mid\equiv (r_a \| ID_A)$ (protocol entity B believes that protocol entity A trusts the message $r_a \| ID_A$).
  • Goal 2: $A \mid\equiv B \mid\equiv (r_b \| ID_B)$ (protocol entity A believes that protocol entity B trusts the message $r_b \| ID_B$).
  • Goal 3: $B \mid\equiv (r_a \| ID_A)$ (protocol entity B trusts the message $r_a \| ID_A$).
  • Goal 4: $A \mid\equiv (r_b \| ID_B)$ (protocol entity A trusts the message $r_b \| ID_B$).
This protocol can be formally expressed as follows:
  • Step 1: $A \rightarrow B$: $E_{y_a - x_a}(ID_A), E_{ax}, E_{ay}, TS_a, H_a$:
    $\{E_{y_a - x_a}(ID_A),\ (r_a \| ID_A)_{y_a - x_a},\ TS_a,\ H_a\}$.
  • Step 2: $B \rightarrow A$: $E_{y_b - x_b}(ID_B), E_{bx}, E_{by}, TS_b, H_b$:
    $\{E_{y_b - x_b}(ID_B),\ (r_b \| ID_B)_{y_b - x_b},\ TS_b,\ H_b\}$.
The following basic assumptions are made for the authentication scheme of the protocol:
Assumption A1. 
$B \mid\equiv \#(r_a \| ID_A)$ (protocol entity B believes in the freshness of the message $r_a \| ID_A$).
Assumption A2. 
$A \mid\equiv \#(r_b \| ID_B)$ (protocol entity A believes in the freshness of the message $r_b \| ID_B$).
Assumption A3. 
$B \mid\equiv B \xleftrightarrow{H(ID_A \| ID_B)} A$ (protocol entity B believes that the key $H(ID_A \| ID_B)$ is shared by A and B; note that, according to the definition of the protocol registration phase, $y_a - x_a = y_b - x_b = H(ID_A \| ID_B)$).
Assumption A4. 
$A \mid\equiv A \xleftrightarrow{H(ID_A \| ID_B)} B$ (protocol entity A believes that the key $H(ID_A \| ID_B)$ is shared by A and B).
Assumption A5. 
$B \mid\equiv A \Rightarrow (r_a \| ID_A)$ (protocol entity B believes that A has control over the message $r_a \| ID_A$).
Assumption A6. 
$A \mid\equiv B \Rightarrow (r_b \| ID_B)$ (protocol entity A believes that B has control over the message $r_b \| ID_B$).
Combined with Step 1, we obtain Conclusion 1:
Conclusion 1: $B \triangleleft E_{y_a - x_a}(ID_A), E_{ax}, E_{ay}, TS_a, H_a$:
$\{E_{y_a - x_a}(ID_A),\ (r_a \| ID_A)_{y_a - x_a},\ TS_a,\ H_a\}$.
Combining Conclusion 1, Assumption A3, and the message-meaning rule yields Conclusion 2:
Conclusion 2: $B \mid\equiv A \mid\sim \{E_{y_a - x_a}(ID_A),\ (r_a \| ID_A)_{y_a - x_a},\ TS_a,\ H_a\}$.
Combining Conclusion 2 and the sending rule, we obtain Conclusion 3:
Conclusion 3: $B \mid\equiv A \mid\sim (r_a \| ID_A)$.
Combining Conclusion 3, Assumption A1, and the checking-freshness rule yields Conclusion 4:
Conclusion 4: $B \mid\equiv A \mid\equiv (r_a \| ID_A)$ (Goal 1 achieved).
Combining Conclusion 4, Assumption A5, and the arbitration rule, we obtain Conclusion 5:
Conclusion 5: $B \mid\equiv (r_a \| ID_A)$ (Goal 3 achieved).
Combined with Step 2, we obtain Conclusion 6:
Conclusion 6: $A \triangleleft E_{y_b - x_b}(ID_B), E_{bx}, E_{by}, TS_b, H_b$:
$\{E_{y_b - x_b}(ID_B),\ (r_b \| ID_B)_{y_b - x_b},\ TS_b,\ H_b\}$.
Combining Conclusion 6, Assumption A4, and the message-meaning rule yields Conclusion 7:
Conclusion 7: $A \mid\equiv B \mid\sim \{E_{y_b - x_b}(ID_B),\ (r_b \| ID_B)_{y_b - x_b},\ TS_b,\ H_b\}$.
Combining Conclusion 7 and the sending rule, we obtain Conclusion 8:
Conclusion 8: $A \mid\equiv B \mid\sim (r_b \| ID_B)$.
Combining Conclusion 8, Assumption A2, and the checking-freshness rule, we obtain Conclusion 9:
Conclusion 9: $A \mid\equiv B \mid\equiv (r_b \| ID_B)$ (Goal 2 achieved).
Combining Conclusion 9, Assumption A6, and the arbitration rule yields Conclusion 10:
Conclusion 10: $A \mid\equiv (r_b \| ID_B)$ (Goal 4 achieved).
In summary, the proposed protocol achieves secure mutual (two-way) authentication.
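The derivation above can be checked mechanically. The following Python forward-chaining checker is an added example and not part of the original paper: it encodes rules (a), (b), (c), (e) and (f) as listed above, Steps 1 and 2 as tuples protected under the shared key $K = H(ID_A \| ID_B)$, and Assumptions A1–A6, and then reports which of Goals 1–4 are reached. The tuple encoding and the function names are this example's own choices. Dropping an assumption shows what it contributes: without A5, Goal 1 still holds but Goal 3 is lost; without A3 and A4, nothing is derived.

```python
"""Constructed forward-chaining checker for the BAN-logic derivation above.
Formulas are nested tuples (this example's own encoding):
  ("bel", U, F)      U |= F       U believes F
  ("sees", U, F)     U <| F       U receives F
  ("said", V, F)     V |~ F       V once said F
  ("fresh", F)       #(F)         F is fresh
  ("ctrl", V, F)     V => F       V has jurisdiction over F
  ("key", U, V, K)   U <-K-> V    K is a good key between U and V
  ("enc", F, K)      {F}_K        F protected under K
  ("cat", F1, ...)   (F1, ...)    concatenation
"""


def tag(f):
    return f[0] if isinstance(f, tuple) else None


def apply_rules(facts):
    """One round of rules (a), (b), (c), (e), (f); rule (d) is not needed here."""
    new = set()
    for f in facts:
        if tag(f) != "bel":
            continue
        u, inner = f[1], f[2]
        t = tag(inner)
        if t == "key":                                   # (a) message-meaning rule
            _, a, b, k = inner
            v = b if a == u else a
            for g in facts:
                if tag(g) == "sees" and g[1] == u and tag(g[2]) == "enc" and g[2][2] == k:
                    new.add(("bel", u, ("said", v, g[2][1])))
        elif t == "said":
            v, m = inner[1], inner[2]
            if tag(m) == "cat":                          # (f) sending rule
                for part in m[1:]:
                    new.add(("bel", u, ("said", v, part)))
            if ("bel", u, ("fresh", m)) in facts:        # (b) checking-freshness rule
                new.add(("bel", u, ("bel", v, m)))
        elif t == "bel":                                 # (c) arbitration rule
            v, m = inner[1], inner[2]
            if ("bel", u, ("ctrl", v, m)) in facts:
                new.add(("bel", u, m))
        elif t == "cat":                                 # (e) trust rule
            for part in inner[1:]:
                new.add(("bel", u, part))
    return new - facts


def derive(facts):
    """Apply the rules until no new belief appears (the fact set stays finite)."""
    facts = set(facts)
    while True:
        new = apply_rules(facts)
        if not new:
            return facts
        facts |= new


K = ("H", "ID_A", "ID_B")          # y_a - x_a = y_b - x_b = H(ID_A||ID_B)
RA_IDA = ("cat", "r_a", "ID_A")
RB_IDB = ("cat", "r_b", "ID_B")


def idealized_message(enc_id, nonce_id, ts, digest):
    """Step 1 / Step 2 message, modelled as one tuple protected under K."""
    return ("enc", ("cat", enc_id, nonce_id, ts, digest), K)


STEP1 = ("sees", "B", idealized_message(("enc", "ID_A", K), RA_IDA, "TS_a", "H_a"))
STEP2 = ("sees", "A", idealized_message(("enc", "ID_B", K), RB_IDB, "TS_b", "H_b"))

ASSUMPTIONS = {
    "A1": ("bel", "B", ("fresh", RA_IDA)),
    "A2": ("bel", "A", ("fresh", RB_IDB)),
    "A3": ("bel", "B", ("key", "B", "A", K)),
    "A4": ("bel", "A", ("key", "A", "B", K)),
    "A5": ("bel", "B", ("ctrl", "A", RA_IDA)),
    "A6": ("bel", "A", ("ctrl", "B", RB_IDB)),
}
GOALS = {
    "Goal 1": ("bel", "B", ("bel", "A", RA_IDA)),
    "Goal 2": ("bel", "A", ("bel", "B", RB_IDB)),
    "Goal 3": ("bel", "B", RA_IDA),
    "Goal 4": ("bel", "A", RB_IDB),
}


def check_goals(drop=()):
    """Derive from Steps 1-2 plus every assumption not named in `drop`;
    report which of the four goals is reached."""
    facts = {STEP1, STEP2} | {f for n, f in ASSUMPTIONS.items() if n not in drop}
    derived = derive(facts)
    return {name: goal in derived for name, goal in GOALS.items()}


if __name__ == "__main__":
    print(check_goals())               # every goal True
    print(check_goals(drop=("A5",)))   # Goal 3 lost without the jurisdiction assumption
```

The checker treats each Step message as a single tuple under $K$, which is exactly what the message-meaning rule needs in order to conclude that the peer said the whole tuple; the sending rule then peels off $r_a \| ID_A$ (or $r_b \| ID_B$) before freshness and jurisdiction are applied. The fresh-connections rule (d) would add unboundedly many facts and is not required for the four goals, so it is left out.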

Anti-Attack Against Known Session-Specific Temporary Information

The security of the session key is not compromised if session-specific temporary information is leaked. Before formally analyzing the protocol against attacks on known session-specific temporary information, the following definition is introduced:
Definition 1. 
Let $H(\cdot)$ denote a one-way hash function, $a$ be its input value, and $b$ be its output value. We use $Event_1$ to represent the event: given $b = H(a)$, output $a$ unconditionally.
Definition 2. 
Let $E(a, b)$ be the elliptic curve with initial parameters $a, b$, $P$ be the base point on the elliptic curve, and $k$ be the scalar used for scalar multiplication on the elliptic curve. We use $Event_2$ to represent the event: given $P$ and $R = k \cdot P$, output $k$ unconditionally.
Definition 3. 
Let $E_{sk}(\cdot)$ be the symmetric encryption operation, $a$ be its input value, and $b$ be its output value. We use $Event_3$ to represent the event: given $b = E_{sk}(a)$, output $a$ unconditionally.
Definition 4. 
Let $k$ be the long-term key of a protocol entity. We use $Event_4$ to represent the event: output $k$ unconditionally.
Definition 5. 
Let $Event_5$ represent the event that the attacker successfully captures the temporary state of the session between the protocol entities and obtains the temporary session information.
We analyze the probability of occurrence of $Event_1$, $Event_2$, $Event_3$, $Event_4$, and $Event_5$:
Let $Adc_C^{H}(t_1)$ be the probability that $Event_1$ occurs at least once in polynomial time $t_1$. By the one-way property of the hash function, $Adc_C^{H}(t_1) \le \varepsilon_1$, where $\varepsilon_1$ is a negligible real number.
Let $Adc_C^{ECDLP}(t_2)$ be the probability that $Event_2$ occurs at least once in polynomial time $t_2$. From the elliptic-curve discrete logarithm problem, we obtain $Adc_C^{ECDLP}(t_2) \le \varepsilon_2$, where $\varepsilon_2$ is a negligible real number.
Let $Adc_C^{E}(t_3)$ be the probability that $Event_3$ occurs at least once in polynomial time $t_3$. It follows that $Adc_C^{E}(t_3) \le \varepsilon_3$, where $\varepsilon_3 \le 1/2^{len(sk)}$ ($len(sk)$ denotes the key length in bits); $\varepsilon_3$ is negligible when the key length exceeds 128 bits.
Let $Adc_C^{K}(t_4)$ be the probability that $Event_4$ occurs at least once in polynomial time $t_4$. It follows that $Adc_C^{K}(t_4) \le \varepsilon_4$, where $\varepsilon_4 \le 1/2^{len(k)}$ ($len(k)$ denotes the key length in bits); $\varepsilon_4$ is negligible when the long-term key length exceeds 128 bits.
Let $Adc_C^{SR}(t_5)$ be the probability that $Event_5$ occurs at least once in polynomial time $t_5$. When analyzing the proposed protocol against known session-specific temporary information attacks, it is assumed that the temporary session information of both protocol entities is leaked to the attacker, that is, $Adc_C^{SR}(t_5) = 1$.
Let $Event_6$ represent the following event: attacker C successfully mounts a known session-specific temporary information attack on the proposed protocol. If attacker C succeeds, the possible attack path is as follows:
(a)
$Event_5$ occurs and the temporary session information $r_a$ is obtained.
(b)
Retrieve the messages transmitted over the public channel: $E_{y_a - x_a}(ID_A), E_{ax}, E_{ay}, H_a, TS_a$.
(c)
$Event_4$ occurs; obtain $H(ID_A \| ID_B)$ and decrypt the message to obtain $N_a, ID_A$.
(d)
Retrieve the message transmitted over the public channel: $E_{y_b - x_b}(ID_B), E_{bx}, E_{by}, H_b, TS_b$.
(e)
Decrypt the message to obtain $N_b, ID_B$.
(f)
Compute the session key: $SSK_{AB} = H(r_a \cdot ID_A \cdot N_b)$.
$Event_4$ and $Event_5$ are independent of one another, and both must occur at least once for $Event_6$ to occur. If $Adc_C^{SSK}(t_6)$ denotes the probability that $Event_6$ occurs at least once in polynomial time $t_6$, we obtain $Adc_C^{SSK}(t_6) \le \varepsilon_4 \cdot 1$. Because $\varepsilon_4$ is negligible, attacker C cannot mount a known session-specific temporary information attack on the proposed protocol in polynomial time $t_6$.

User Anonymity

$Event_7$ represents the following event: attacker C successfully breaks the user anonymity of the protocol. The execution steps are as follows:
(a)
Obtain the messages transmitted over the public channel: $E_{y_a - x_a}(ID_A)$, $E_{y_b - x_b}(ID_B)$.
(b)
$Event_4$ occurs, and $ID_A$ is recovered from $E_{y_a - x_a}(ID_A)$ or $ID_B$ is recovered from $E_{y_b - x_b}(ID_B)$.
Alternatively, we follow the steps below:
Let $Adc_C^{ID}(t_7)$ denote the probability that $Event_7$ occurs at least once in polynomial time $t_7$. From the above analysis, the probability that $Event_7$ occurs at least once is the same as the probability that $Event_1$ or $Event_3$ occurs at least once. Therefore, $Adc_C^{ID}(t_7) \le \varepsilon_4 \cdot 1$, and because $\varepsilon_4$ is negligible, attacker C cannot break the user anonymity of the protocol in polynomial time $t_7$.

4.1.2. Interpretation and Result Evaluation

Clarification of BAN Logic and Probabilistic Analysis

Section 4.1.1 employs BAN logic to conduct a formal security analysis of the SE-UAVAKA protocol. This approach ensures the logical correctness of two-way authentication and session-key negotiation by modeling trust relationships and belief propagation among protocol entities. The analysis directly references key components of the protocol (such as $H_a$ and $H_b$, derived from fresh timestamps and shared secrets), applying specific rules to verify message authenticity and timeliness, ultimately enabling both parties to establish mutual trust in the session key $SSK_{AB}$.
Furthermore, the paper quantitatively assesses the protocol's security by evaluating the attacker's success probability in various scenarios through probabilistic analysis. It demonstrates that the protocol's security relies on well-established cryptographic problems, as evidenced by the defined events (such as inverting the hash function or solving the elliptic-curve discrete logarithm problem). Crucially, even with temporary session data leakage, the inclusion of long-term secrets (e.g., $H(ID_A \| ID_B)$) in the key derivation process maintains the security of $SSK_{AB}$. Thus, the paper combines logical and quantitative analysis to demonstrate the protocol's security comprehensively.

Applicability of Analytical Methods

This study employs a formal verification approach combining BAN logic and probabilistic analysis, chosen based on the following technical considerations:
  • Relevance of BAN Logic: Addressing the fundamental requirement of mutual authentication, BAN logic rigorously formalizes trust transfer mechanisms between protocol entities through axiomatic rules (e.g., message freshness and jurisdiction rules). Its “belief-action” framework effectively models dependency relationships among critical authentication parameters. The logic systematically characterizes how entities establish trust in session keys and ephemeral values through message exchanges, thereby ensuring logical consistency throughout the authentication process. For example, it formalizes the derivation of trust through sequential verification steps during protocol execution.
  • Complementarity of Probabilistic Analysis: Through formal definitions of adversary success events (Event1–Event7) and computation of their probabilistic bounds, this approach transforms protocol security into mathematically quantifiable propositions. The methodology establishes explicit connections between session-key compromise probabilities and the computational intractability of the elliptic-curve discrete logarithm problem (ECDLP), aligning with modern cryptography’s provable security paradigm. This dual perspective enables rigorous security evaluation under practical attack conditions, particularly when temporary session parameters become compromised, while maintaining alignment with computational complexity assumptions.

4.2. Informal Analysis of Protocol Security

4.2.1. Detailed Steps for Informal Security Analysis

Anti-Imitation Attack

During the authentication-key negotiation phase, attacker C imitates protocol entity A to participate in the session by performing the following steps:
(a)
Select a random number $r_c$. Because C's registration fails, C selects random values $y_c$, $ID_C$ as its long-term key. Calculate $N_c = (r_c \cdot ID_C) \cdot P$.
(b)
Generate the timestamp $TS_c$.
(c)
Calculate the digest value $H_c = H(ID_C \| TS_c \| N_c)$.
(d)
Obtain $E_{cx}$ by XOR-scrambling the x-coordinate of the elliptic-curve point $N_c$: $E_{cx} = N_{cx} \oplus (y_c - x_c)$.
(e)
Obtain $E_{cy}$ by XOR-scrambling the y-coordinate of the elliptic-curve point $N_c$: $E_{cy} = N_{cy} \oplus (y_c - x_c)$.
(f)
Send the message $E_{y_c - x_c}(ID_C), E_{cx}, E_{cy}, H_c, TS_c$ to protocol entity B.
After receiving the attacker's message, protocol entity B performs the following steps with its own long-term key:
(a)
Decrypt the x-coordinate information: $N_{cx}' = E_{cx} \oplus (y_b - x_b)$.
(b)
Decrypt the y-coordinate information: $N_{cy}' = E_{cy} \oplus (y_b - x_b)$.
(c)
Combine the above x- and y-coordinate information to obtain $N_c' = (N_{cx}', N_{cy}')$.
(d)
Decrypt $E_{y_c - x_c}(ID_C)$ with the symmetric decryption algorithm to obtain the ID: $ID_C' = D_{y_b - x_b}(E_{y_c - x_c}(ID_C))$.
(e)
Compute the one-way hash: $H_c' = H(ID_C' \| TS_c \| N_c')$.
(f)
Because $y_c$ is not legally registered, $y_c - x_c \neq y_b - x_b$; therefore $H_c' \neq H_c$, and the session is rejected.
In summary, the authentication-key negotiation phase resists impersonation attacks.
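To make two of the arguments concrete, the Event 4 / Event 5 bound of Section 4.1.1 and the impersonation check just described, the following Python model is an added example and not the paper's or any project's code. It assumes a constructed 31-bit toy curve $y^2 = x^3 + 7$, SHA-256 as $H$, and a hash-derived XOR pad as the symmetric cipher, and the function names are its own; the message layout (encrypted ID, XOR-masked point, $H(ID \| TS \| N)$, timestamp) and the key derivation $SSK = H((r \cdot ID) \cdot N_{peer})$ follow the protocol.

```python
"""Constructed toy model of the SE-UAVAKA exchange: a 31-bit toy curve, SHA-256
as H, and a hash-derived XOR pad as the symmetric cipher stand in for the real
primitives; the message layout follows the protocol."""
import hashlib

P_MOD = (1 << 31) - 1            # prime, 3 mod 4, so a square root is one pow()
A_COEF, B_COEF = 0, 7            # toy curve y^2 = x^3 + 7 (constructed, no real security)

def _inv(v):
    return pow(v, P_MOD - 2, P_MOD)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * _inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc, addend = None, pt
    while k > 0:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def find_base_point():
    """Smallest x >= 1 that lies on the curve; used as the public base point P."""
    for x in range(1, P_MOD):
        rhs = (x ** 3 + A_COEF * x + B_COEF) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
        if y * y % P_MOD == rhs:
            return (x, y)

BASE = find_base_point()

def H(*parts):
    """Toy one-way hash over the textual concatenation of its inputs."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")

def sym_enc(key, m):
    """Toy symmetric cipher: XOR with a key-derived pad; decryption is the same map."""
    return m ^ H("pad", key)

sym_dec = sym_enc

def mask_point(pt, key):          # E_x, E_y: XOR-scrambled coordinates of N
    return (pt[0] ^ key, pt[1] ^ key)

def unmask_point(masked, key):
    return (masked[0] ^ key, masked[1] ^ key)

def build_message(r, ident, secret, ts):
    """Step 1/2 message: E_secret(ID), masked N = (r*ID)*P, H(ID||TS||N), TS."""
    n = ec_mul(r * ident, BASE)
    return {"eid": sym_enc(secret, ident), "E": mask_point(n, secret),
            "H": H(ident, ts, n), "TS": ts}

def derive_session_key(r, ident, secret, peer_msg):
    """Receiver: unmask N_peer, recover ID_peer, verify the digest, then
    SSK = H((r*ID) * N_peer). Returns None when the digest does not verify."""
    n_peer = unmask_point(peer_msg["E"], secret)
    peer_id = sym_dec(secret, peer_msg["eid"])
    if H(peer_id, peer_msg["TS"], n_peer) != peer_msg["H"]:
        return None
    return H(ec_mul(r * ident, n_peer))

def run_protocol(id_a, id_b, r_a, r_b):
    """Honest run; both sides hold secret = H(ID_A||ID_B) and must agree on SSK_AB."""
    secret = H(id_a, id_b)
    msg_a = build_message(r_a, id_a, secret, ts=1000)
    msg_b = build_message(r_b, id_b, secret, ts=1001)
    return (derive_session_key(r_a, id_a, secret, msg_b),
            derive_session_key(r_b, id_b, secret, msg_a), msg_a, msg_b)

def attacker_derive(r_a, msg_a, msg_b, secret_candidate):
    """Event 5 (leaked r_a) plus a candidate long-term secret: the result equals
    SSK_AB only when the candidate is the real secret, i.e. Event 4 also occurred."""
    n_b = unmask_point(msg_b["E"], secret_candidate)
    id_a = sym_dec(secret_candidate, msg_a["eid"])
    return H(ec_mul(r_a * id_a, n_b))

def impersonation_attempt(id_a, id_b, id_c, r_c, r_b):
    """Unregistered C masks with its own secret; B unmasks with H(ID_A||ID_B),
    so the digest check fails and B rejects the session (returns None)."""
    msg_c = build_message(r_c, id_c, H("unregistered", id_c), ts=1000)
    return derive_session_key(r_b, id_b, H(id_a, id_b), msg_c)
```

`run_protocol` shows an honest run in which both sides derive the same $SSK_{AB}$; `attacker_derive` shows that a leaked $r_a$ yields the right key only together with the true long-term secret, which is the Event 4 and Event 5 conjunction of the bound above; `impersonation_attempt` shows B rejecting a sender whose masking key is not $H(ID_A \| ID_B)$, which is step (f) of the impersonation analysis. The toy curve preserves only the algebra the argument relies on ($k_1 \cdot (k_2 \cdot P) = k_2 \cdot (k_1 \cdot P)$).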

Perfect Forward Security

We assume that the long-term keys $y_a, y_b, ID_A, ID_B$ of protocol entities A and B are leaked. Because the session key is computed as $SSK_{AB} = H(r_a \cdot ID_A \cdot r_b \cdot ID_B \cdot P)$, under normal circumstances attacker C cannot obtain the temporary session information $r_a, r_b$ of the authentication key-agreement phase, and therefore cannot obtain the session key $SSK_{AB}$ of any session. Thus, the disclosure of the long-term keys does not affect the security of the session keys of previous sessions, and the protocol has complete forward security.

Anti-Repetition Attack

Suppose that attacker C replays the captured message “$E_{y_a - x_a}(ID_A), E_{ax}, E_{ay}, H_a, TS_a$” to protocol entity B. Because protocol entity B has already received this data packet, that is, a packet carrying the same timestamp $TS_a$, B rejects it on the basis of timestamp uniqueness. If attacker C instead constructs its own timestamp $TS_c$ and sends the packet to B with $TS_c$ substituted, B evaluates the timeliness of $TS_c$; if the time interval exceeds the threshold value, the data packet is rejected. Therefore, the protocol prevents replay attacks. The replay analysis for the other messages proceeds in the same way.
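The following Python class is an added example (not the paper's code) of the receiver-side check described above: the threshold is modelled as a symmetric window around the local clock, accepted timestamps are remembered to detect duplicates, and entries that can no longer pass the window check are evicted so the set stays bounded. The class, method names and the fixed-clock scenario are this example's own.

```python
"""Constructed example of the receiver-side freshness check: a message is
rejected if its timestamp was already accepted (replay) or lies outside the
tolerated clock window (delayed packet or attacker-chosen TS_c)."""
import time


class ReplayGuard:
    """Per-peer replay filter keyed on the authenticated message timestamp TS."""

    def __init__(self, window_s, clock=time.time):
        self.window_s = window_s      # tolerated |now - TS|, the threshold of the text
        self.clock = clock            # injectable so the scenario below is deterministic
        self.seen = {}                # accepted TS -> local time of acceptance

    def _evict(self, now):
        # A TS older than the window can no longer pass the freshness check,
        # so forgetting it does not reopen a replay path; this bounds memory.
        for ts in [t for t in self.seen if now - t > self.window_s]:
            del self.seen[ts]

    def accept(self, ts):
        """Return (accepted, reason). Intended to run after the digest
        H_a = H(ID_A||TS_a||N_a) has verified, so that TS is authenticated."""
        now = self.clock()
        self._evict(now)
        if abs(now - ts) > self.window_s:
            return False, "stale or future timestamp"
        if ts in self.seen:
            return False, "duplicate timestamp (replay)"
        self.seen[ts] = now
        return True, "fresh"


def replay_scenario():
    """Walk through the cases in the text with a fixed clock (constructed input)."""
    clock = [1000.0]
    guard = ReplayGuard(window_s=5.0, clock=lambda: clock[0])
    first = guard.accept(999.0)          # genuine message from A
    replayed = guard.accept(999.0)       # the same captured packet sent again
    forged_old = guard.accept(990.0)     # a substituted TS_c outside the window
    clock[0] = 1020.0
    late_replay = guard.accept(999.0)    # old packet after eviction: still stale
    return first, replayed, forged_old, late_replay
```

Because $H_a$ binds the timestamp to the rest of the message, a receiver should insert a timestamp into the accepted set only after the digest has verified; otherwise forged timestamps could fill the set and cause genuine packets to be rejected. The window comparison itself is cheap and can be run before the hash check as a first filter.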

Known Key Security

Assume that an attacker successfully obtains the session key $SSK_{AB}$ of one session. Because each session key is bound to the temporary session information $r_a, r_b$ of its own session, a session key obtained by the attacker has no correlation with the key of the current session, so the attacker cannot use it to infer the current session key. Thus, the protocol has known key security.

4.2.2. Interpretation and Result Evaluation

Security Analysis of SE-UAVAKA (Section Anti-Imitation Attack–Section Known Key Security): The analysis demonstrates that SE-UAVAKA fulfills its specified security properties through the following mechanisms. Resistance to impersonation attacks is achieved by cryptographically binding the long-term keys ($y_a, x_a$; $y_b, x_b$) with the temporary parameters ($r_a, r_b$) during authentication, ensuring a hash-value mismatch ($H_c' \neq H_c$) for adversaries lacking valid credentials. Perfect forward secrecy is realized by deriving session keys from the session-specific random values $r_a$ and $r_b$, thereby isolating historical session-key exposure from long-term key compromise. Replay-attack resistance relies on timestamp freshness verification ($TS_a, TS_b$), which invalidates duplicated or delayed messages. Known-key security is ensured through session-unique parameter generation, where each session key depends exclusively on newly generated $r_a$/$r_b$, preventing cross-session key derivation even if prior keys are leaked. These results collectively underscore the robustness of SE-UAVAKA's security design.

4.3. Formal Simulation Verification of Protocol Security

4.3.1. Formal Modeling of the Protocol Flow

In this section, the ProVerif tool is used to model the protocol formally. Before using the ProVerif tool for security simulation verification, it is necessary to use the modeling language provided by the ProVerif tool to model the execution process of the proposed protocol fully. For space reasons, only the formal modeling process of protocol entities A and B in the authentication-key negotiation phase is described here.
Definitions of the relevant terms in ProVerif can be found in [31]. The formal modeling algorithm for the authentication-key negotiation phase of protocol entity A is shown in Algorithm 1.
Algorithm 1 Formal modeling algorithm for the authentication-key-agreement phase of entity A.
Input: Null
Output: Process p E a
   let pEa =
   event startAuthB;                                  (* A begins its run *)
   new ra:Random;                                     (* temporary session value r_a *)
   let Na = computeNx(ra,ida,P) in                    (* N_a = (r_a * ID_A) * P *)
   let hab = Minus(ya,xa) in                          (* long-term secret y_a - x_a = H(ID_A||ID_B) *)
   let EaxEay = exor(Na,hab) in                       (* E_ax, E_ay: XOR-masked coordinates of N_a *)
   new TSSeeda:bitstring;
   let TSa = generate_Timeline(TSSeeda) in            (* timestamp TS_a *)
   let Ha = threeElementsHash(ida,TSa,Na) in          (* H_a = H(ID_A||TS_a||N_a) *)
   let eIDa = symenc(ida,hab) in                      (* E_{y_a-x_a}(ID_A) *)
   out (c,(eIDa,EaxEay,Ha,TSa));                      (* Step 1 message on public channel c *)
   in (c,(xeIDb:bitstring,xEbxEby:bitstring,xHb:bitstring,xTSb:TimeLine));   (* Step 2 message *)
   let xNb = dxor(xEbxEby,hab) in                     (* unmask N_b *)
   let xidb = symdec(xeIDb,hab) in                    (* recover ID_B *)
   let xxHb = threeElementsHash(xidb,xTSb,xNb) in
   if (xxHb = xHb) then                               (* verify H_b; the process stops otherwise *)
       let SKAB = computeKeySK(ra,ida,xNb) in         (* SK_AB = (r_a * ID_A) * N_b *)
       let SSKAB = oneElementHash(SKAB) in            (* SSK_AB = H(SK_AB) *)
       event endAuthA.
Algorithm 1 shows the modeling process of the authentication key-agreement phase of protocol entity A, described with the Horn clauses provided by the ProVerif tool. The execution steps of the algorithm correspond to the detailed execution steps of the protocol described in Section 4.3. “event startAuthB” represents the event “Protocol entity B starts authenticating protocol entity A”; “event endAuthA” represents the event “Protocol entity A successfully completes the authentication of protocol entity B”.
The algorithm for the authentication key-agreement phase of protocol entity B is shown in Algorithm 2.
Algorithm 2 Formal modeling algorithm for the authentication key-agreement phase of entity B.
Input: Null
Output: Process p E b
   let pEb =
   event startAuthA;                                  (* B begins its run *)
   in (c,(xeIDa:bitstring,xEaxEay:bitstring,xHa:bitstring,xTSa:TimeLine));   (* Step 1 message *)
   new rb:Random;                                     (* temporary session value r_b *)
   let Nb = computeNx(rb,idb,P) in                    (* N_b = (r_b * ID_B) * P *)
   let hba = Minus(yb,xb) in                          (* long-term secret y_b - x_b = H(ID_A||ID_B) *)
   let EbxEby = exor(Nb,hba) in                       (* E_bx, E_by: XOR-masked coordinates of N_b *)
   new TSSeedb:bitstring;
   let TSb = generate_Timeline(TSSeedb) in            (* timestamp TS_b *)
   let Hb = threeElementsHash(idb,TSb,Nb) in          (* H_b = H(ID_B||TS_b||N_b) *)
   let eIDb = symenc(idb,hba) in                      (* E_{y_b-x_b}(ID_B) *)
   let xNa = dxor(xEaxEay,hba) in                     (* unmask N_a *)
   let xida = symdec(xeIDa,hba) in                    (* recover ID_A *)
   let xxHa = threeElementsHash(xida,xTSa,xNa) in
   if (xxHa = xHa) then                               (* verify H_a; the process stops otherwise *)
       let SKBA = computeKeySK(rb,idb,xNa) in         (* SK_BA = (r_b * ID_B) * N_a *)
       let SSKBA = oneElementHash(SKBA) in            (* SSK_BA = H(SK_BA) *)
       out (c,(eIDb,EbxEby,Hb,TSb));                  (* Step 2 message on public channel c *)
       event endAuthB.
Algorithm 2 shows the modeling process of the authentication key-agreement phase of protocol entity B, described with the Horn clauses provided by the ProVerif tool. The execution steps of Algorithm 2 correspond to the detailed execution steps of the protocol described in Section 4.3. “event startAuthA” represents the event “Protocol entity A starts authenticating protocol entity B”; “event endAuthB” represents the event “Protocol entity B successfully completes the authentication of protocol entity A”.
After completing the above steps, the statement “process (!pEa | !pEb)” is added to start the main process. By executing this main process, the ProVerif tool automatically simulates the concurrent execution of the protocol.

4.3.2. Protocol Security Verification Results

Based on the modeling performed by the protocol, the security of the protocol is verified using the execution results of the ProVerif tool. The verification results of the ProVerif tool are shown in Figure 5.
The ProVerif security verification shows that the authentication process of the proposed protocol cannot be destroyed by attackers and the session key cannot be obtained by attackers. The protocol security satisfies these requirements.

4.3.3. Interpretation and Result Evaluation

This study employs the ProVerif tool for formal simulation-based verification. The protocol workflow is first modeled in ProVerif’s formal language, with defined security properties and verification objectives: (1) confidentiality of key against adversarial access, and (2) reliability and effectiveness of mutual authentication. Through entity modeling and simulation of protocol participants A and B, the analysis demonstrates that adversaries cannot circumvent authentication via identity spoofing or message manipulation, nor derive valid session keys from compromised data. These findings complement theoretical security analyses, confirm the protocol’s resilience in practical attack scenarios, and establish a robust technical foundation for engineering implementation.

4.4. Performance Analysis and Security Comparison

4.4.1. Performance Analysis

In this section, the computational cost of the protocol authentication key-agreement phase is used as a comparison standard, and the computational cost of the protocol is analyzed and compared with that in the literature [26,27,28]. Since computational cost is primarily determined by the number of executions of time-consuming operations, the computational cost of various protocols can be objectively evaluated through testing and statistical analysis of such operations on different platforms, combined with theoretical analysis.
For convenience, Mul represents the elliptic-curve scalar multiplication operation, Add represents the elliptic-curve point-addition operation, Exp represents the power multiplication operation, Hash represents the hash operation, and Xor represents the XOR encryption and decryption operation.
With an Intel Core i5-4460 3.20 GHz processor, 8 GB of RAM, and Windows 10 operating system platform [32], the test results show that when the p value is 192 bits, the average time required for a scalar multiplication operation is 2.1780 ms, the average time required for a point-addition operation is 0.0239 ms, the average time required for a hash operation is 0.0186 ms, and the average time required for an XOR encryption and decryption operation is 0.0091 ms. The test results are shown in Table 3.
On an ARM Cortex-M3 100 MHz processor with 512 kb of RAM [10], the test results show that the average time required for a symmetric encryption and decryption operation (including the XOR encryption and decryption operation) is about 0.1 ms. When the p value is 192 bits, the average time required for a scalar multiplication operation is 87 ms, that for a point-addition operation is 0.36 ms, and that for a hash operation is 0.065 ms. The test results are shown in Table 3.
Consumption of the authentication-key negotiation process of each protocol is shown in Table 4.
According to Table 4, the protocol described in this study is superior to the representative protocols in terms of computational cost.

4.4.2. Security Comparison

This section compares the Chaudhry protocol [26], Ren protocol [27], and Tsobdjou protocol [28] with the protocol described in this study and evaluates their security comprehensively. The security analysis and verification results of the proposed protocol are presented in Section 4.2 and Section 4.3, respectively, and the security-flaw analysis of each representative protocol is described in Section 2. IAR denotes resistance to impersonation attacks, RAR resistance to replay attacks, UA user anonymity, MA mutual authentication, PFS perfect forward security, KKS known key security, and KSTR resistance to known session-specific temporary information attacks. Combined with the security-flaw analysis results of the representative protocols in Section 2, a security comparison of each protocol is shown in Table 5.
Table 5 shows that the proposed protocol can meet all security properties described in Section 3; that is, the protocol can resist common attack methods such as imitation attacks, replay attacks, and known session-specific temporary information attacks. In addition, it has user anonymity, complete forward security, known key security, and two-way authentication.

4.4.3. Interpretation and Result Evaluation

Performance analysis demonstrates that the SE-UAVAKA protocol achieves a key negotiation time of 8.9328 ms through optimized scalar multiplication operations (limited to four iterations) and lightweight implementations of hash and XOR functions. This represents a significant reduction compared to benchmark protocols such as Chaudhry, Ren, and Tsobdjou, confirming adaptability to resource-constrained UAV environments. Security evaluations confirm the protocol’s comprehensive fulfillment of critical requirements, including impersonation-attack resistance, replay-attack prevention, user anonymity, and perfect forward security. Notably, it addresses a critical limitation in existing solutions by effectively resisting known session-specific temporary information attacks. The protocol thus establishes an optimal balance between cryptographic robustness and operational efficiency, meeting the dual demands of low-latency communication and high-grade security in UAV networks.

5. Conclusions

This study has proposed a lightweight security-enhanced authentication key-agreement solution to address the security risks of eavesdropping, counterfeiting, and tampering in UAV communication scenarios. Compared with existing representative protocols, the proposed protocol can ensure the security of session keys when temporary session random number information is leaked and can provide the same level of security with less time-consuming calculations. Security analysis and security simulation verification show that the proposed protocol can satisfy all the security attributes in Section 2. The performance analysis results showed that the proposed protocol has obvious advantages in terms of performance. The authentication-key negotiation protocol is suitable for one-to-one communication between UAVs and ground stations. The protocol needs to be optimized and improved in the future to meet the requirements of one-to-many communication between ground stations, UAVs, and wireless security communication between UAVs.

Author Contributions

Conceptualization, Z.H., Y.Z. and K.Z.; methodology, Y.Z. and S.C.; software, S.L.; validation, Z.D. and Y.Z.; formal analysis, Y.Z. and S.C.; writing—original draft preparation, Y.Z. and Z.H.; supervision, K.Z.; funding acquisition, K.Z. All authors have read and agreed to the published version of the manuscript.

Funding

This research is funded by the National Natural Science Foundation of China (61972318,61601346), the Shaanxi Provincial Science and Technology Project (2023-GHZD-47) and the Shanghai Aerospace Technology Research Institute Industry University Research Cooperation Fund Project (SAST2024G007).

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The data presented in this study are available on request from the corresponding author.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
UAV: Unmanned Aerial Vehicle
ECC: Elliptic-Curve Cryptography
DH: Diffie–Hellman
RC: Key-Generation Center $RC$
PK: Public key of the key-generation center
sk: Private key of the key-generation center
TS: Timestamp information
SSK: Session keys of protocol entities

References

  1. Ghamari, M.; Rangel, P.; Mehrubeoglu, M.; Tewolde, G.S.; Sherratt, R.S. Unmanned aerial vehicle communications for civil applications: A review. IEEE Access 2022, 10, 102492–102531. [Google Scholar] [CrossRef]
  2. Albeaino, G.; Gheisari, M.; Franz, B.W. A systematic review of unmanned aerial vehicle application areas and technologies in the AEC domain. J. Inf. Technol. Constr. 2019, 24, 381–405. [Google Scholar]
  3. Wang, L.; Chen, Y.; Wang, P.; Yan, Z. Security threats and countermeasures of unmanned aerial vehicle communications. IEEE Commun. Stand. Mag. 2021, 5, 41–47.
  4. Jacobsen, R.H.; Marandi, A. Security threats analysis of the unmanned aerial vehicle system. In Proceedings of the MILCOM 2021—2021 IEEE Military Communications Conference (MILCOM), San Diego, CA, USA, 29 November–2 December 2021; IEEE: New York, NY, USA, 2021; pp. 316–322.
  5. Zeng, Y.; Zhang, R.; Lim, T.J. Wireless communications with unmanned aerial vehicles: Opportunities and challenges. IEEE Commun. Mag. 2016, 54, 36–42.
  6. Abdussami, M.; Amin, R.; Vollala, S. Provably secured lightweight authenticated key agreement protocol for modern health industry. Ad Hoc Netw. 2023, 141, 103094.
  7. Guo, Y.; Guo, Y. CS-LAKA: A lightweight authenticated key agreement protocol with critical security properties for IoT environments. IEEE Trans. Serv. Comput. 2023, 16, 4102–4114.
  8. Hasan, M.K.; Weichen, Z.; Safie, N.; Ahmed, F.R.A.; Ghazal, T.M. A Survey on Key Agreement and Authentication Protocol for Internet of Things Application. IEEE Access 2024, 12, 61642–61666.
  9. Mahmood, K.; Chaudhry, S.A.; Naqvi, H.; Kumari, S.; Li, X.; Sangaiah, A.K. An elliptic curve cryptography based lightweight authentication scheme for smart grid communication. Future Gener. Comput. Syst. 2018, 81, 557–565.
  10. Abbasinezhad-Mood, D.; Nikooghadam, M. Design and hardware implementation of a security-enhanced elliptic curve cryptography based lightweight authentication scheme for smart grid communications. Future Gener. Comput. Syst. 2018, 84, 47–57.
  11. Liestyowati, D. Public key cryptography. Proc. J. Phys. Conf. Ser. 2020, 1477, 052062.
  12. Braeken, A. Public key versus symmetric key cryptography in client–server authentication protocols. Int. J. Inf. Secur. 2022, 21, 103–114.
  13. Adhikari, S.; Ray, S.; Obaidat, M.S.; Biswas, G. Efficient and secure content dissemination architecture for content centric network using ECC-based public key infrastructure. Comput. Commun. 2020, 157, 187–203.
  14. Alladi, T.; Bansal, G.; Chamola, V.; Guizani, M. SecAuthUAV: A novel authentication scheme for UAV-ground station and UAV-UAV communication. IEEE Trans. Veh. Technol. 2020, 69, 15068–15077.
  15. Nyangaresi, V.O.; Ibrahim, A.; Abduljabbar, Z.A.; Hussain, M.A.; Al Sibahee, M.A.; Hussien, Z.A.; Ghrabat, M.J.J. Provably secure session key agreement protocol for unmanned aerial vehicles packet exchanges. In Proceedings of the 2021 International Conference on Electrical, Computer and Energy Technologies (ICECET), Cape Town, South Africa, 9–10 December 2021; IEEE: New York, NY, USA, 2021; pp. 1–6.
  16. Rodrigues, M.; Amaro, J.; Osório, F.S.; Branco Kalinka, R.L.J.C. Authentication methods for UAV communication. In Proceedings of the 2019 IEEE Symposium on Computers and Communications (ISCC), Barcelona, Spain, 29 June–3 July 2019; IEEE: New York, NY, USA, 2019; pp. 1210–1215.
  17. Yu, S.; Lee, J.; Sutrala, A.K.; Das, A.K.; Park, Y. LAKA-UAV: Lightweight authentication and key agreement scheme for cloud-assisted Unmanned Aerial Vehicle using blockchain in flying ad-hoc networks. Comput. Netw. 2023, 224, 109612.
  18. Gupta, K.; Silakari, S. ECC over RSA for asymmetric encryption: A review. Int. J. Comput. Sci. Issues (IJCSI) 2011, 8, 370.
  19. Li, N. Research on Diffie-Hellman key exchange protocol. In Proceedings of the 2010 2nd International Conference on Computer Engineering and Technology, Chengdu, China, 16–18 April 2010; IEEE: New York, NY, USA, 2010; Volume 4, p. 634.
  20. Verri Lucca, A.; Mariano Sborz, G.A.; Leithardt, V.R.Q.; Beko, M.; Albenes Zeferino, C.; Parreira, W.D. A review of techniques for implementing elliptic curve point multiplication on hardware. J. Sens. Actuator Netw. 2020, 10, 3.
  21. Kapoor, V.; Abraham, V.S.; Singh, R. Elliptic curve cryptography. Ubiquity 2008, 2008, 1–8.
  22. Chen, Y.; Yin, F.; Hu, S.; Sun, L.; Li, Y.; Xing, B.; Chen, L.; Guo, B. ECC-based authenticated key agreement protocol for industrial control system. IEEE Internet Things J. 2022, 10, 4688–4697.
  23. Islam, S.H.; Biswas, G. Design of two-party authenticated key agreement protocol based on ECC and self-certified public keys. Wirel. Pers. Commun. 2015, 82, 2727–2750.
  24. Challa, S.; Das, A.K.; Odelu, V.; Kumar, N.; Kumari, S.; Khan, M.K.; Vasilakos, A.V. An efficient ECC-based provably secure three-factor user authentication and key agreement protocol for wireless healthcare sensor networks. Comput. Electr. Eng. 2018, 69, 534–554.
  25. Farhdi Moghadam, M.; Mohajerzdeh, A.; Karimipour, H.; Chitsaz, H.; Karimi, R.; Molavi, B. A privacy protection key agreement protocol based on ECC for smart grid. In Handbook of Big Data Privacy; Springer: Cham, Switzerland, 2020; pp. 63–76.
  26. Chaudhry, S.A.; Nebhan, J.; Yahya, K.; Al-Turjman, F. A privacy enhanced authentication scheme for securing smart grid infrastructure. IEEE Trans. Ind. Inform. 2022, 18, 5000–5006.
  27. Ren, S.; Liu, Y.; Yu, B.; Liu, J.; Li, D. Provable Secure Anonymous Device Authentication Protocol in IoT Environment. IEEE Internet Things J. 2024, 11, 12266–12277.
  28. Tsobdjou, L.D.; Pierre, S.; Quintero, A. A new mutual authentication and key agreement protocol for mobile client–server environment. IEEE Trans. Netw. Serv. Manag. 2021, 18, 1275–1286.
  29. Blanchet, B.; Smyth, B.; Cheval, V.; Sylvestre, M. ProVerif 2.00: Automatic cryptographic protocol verifier, user manual and tutorial. Version 2018, 16, 5–16.
  30. Yogesh, P.R. Formal verification of secure evidence collection protocol using BAN logic and AVISPA. Procedia Comput. Sci. 2020, 167, 1334–1344.
  31. Küsters, R.; Truderung, T. Using ProVerif to analyze protocols with Diffie-Hellman exponentiation. In Proceedings of the 2009 22nd IEEE Computer Security Foundations Symposium, Port Jefferson, NY, USA, 8–10 July 2009; IEEE: New York, NY, USA, 2009; pp. 157–171.
  32. Hu, S.; Chen, Y.; Zheng, Y.; Xing, B.; Li, Y.; Zhang, L.; Chen, L. Provably secure ECC-based authentication and key agreement scheme for advanced metering infrastructure in the smart grid. IEEE Trans. Ind. Inform. 2022, 19, 5985–5994.
Figure 1. The schematic diagram of the key chapter structure.
Figure 2. A and B registration phase and detailed execution process.
Figure 3. A schematic diagram of the authentication key-agreement phase.
Figure 4. Detailed execution steps of the authentication key-agreement phase.
Figure 5. ProVerif verification results.
Table 1. Some notations used in the protocols.

| Notation          | Description                                  |
|-------------------|----------------------------------------------|
| A                 | Agreement entity A                           |
| B                 | Agreement entity B                           |
| RC                | Key-generation center RC                     |
| PK                | Public key of the key-generation center      |
| sk                | Private key of the key-generation center     |
| ID_A, ID_B        | Identification of the protocol entity        |
| Z_q               | Integers in finite fields                    |
| E(.)              | Symmetric encryption function                |
| D(.)              | Symmetric decryption function                |
| ⊕                 | Bitwise XOR operator                         |
| TS                | Timestamp information                        |
| H(.)              | One-way hash function                        |
| SSK_AB, SSK_BA    | Session keys of protocol entities            |
Table 2. Some notations used in the BAN logic.

| Notation    | Description                                   |
|-------------|-----------------------------------------------|
| U |≡ M      | Entity U believes the statement M             |
| U ◁ M       | Entity U receives message M                   |
| U |~ M      | Entity U once sent message M                  |
| U ⇒ M       | Entity U has control over message M           |
| #(M)        | Message M is fresh                            |
| ⟨M⟩_N       | The message is composed of M and N            |
| (M, N)      | M, N is part of the message (M, N)            |
| {M, N}_K    | M, N is encrypted by the key K                |
| U ↔^K V     | U and V communicate using the key K           |
Table 3. Average time consumption of each operation.

| Operation | Average Time per Session (PC) | Average Time per Session (ARM Cortex-M3) |
|-----------|-------------------------------|------------------------------------------|
| Mul       | 2.1780 ms                     | 87 ms                                    |
| Add       | 0.0239 ms                     | 0.36 ms                                  |
| Hash      | 0.0186 ms                     | 0.065 ms                                 |
| Xor       | 0.0091 ms                     | 0.1 ms                                   |

Table 4. The computation cost for the authentication and key-agreement phase.

| Protocol  | Operation Count           | Agreement Time (PC) | Agreement Time (ARM Cortex-M3) |
|-----------|---------------------------|---------------------|--------------------------------|
| Chaudhry  | 8 Mul + 2 Add + 8 Hash    | 17.621 ms           | 697.24 ms                      |
| Tsobdjou  | 6 Mul + 2 Xor + 8 Hash    | 13.235 ms           | 522.72 ms                      |
| Ren       | 6 Mul + 8 Hash            | 13.2168 ms          | 522.52 ms                      |
| Proposed  | 4 Mul + 6 Hash + 12 Xor   | 8.9328 ms           | 349.59 ms                      |
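The agreement times in Table 4 are a linear cost model: each protocol's operation counts multiplied by the per-operation timings of Table 3 and summed. The script below is an added example (not the paper's own code) that recomputes those totals for both platforms from the two tables, so a reader can check the table and see how much of the cost is elliptic-curve scalar multiplication (Mul). The operation counts and timings are taken from Tables 3 and 4; the platform labels "PC" and "ARM" are this example's own names.

```python
"""Recompute the Table 4 agreement times from the Table 3 per-operation
timings.  Added example; the dictionaries below transcribe the two tables."""

# Average time per operation in milliseconds (Table 3).
OP_TIME_MS = {
    "PC":  {"Mul": 2.1780, "Add": 0.0239, "Hash": 0.0186, "Xor": 0.0091},
    "ARM": {"Mul": 87.0,   "Add": 0.36,   "Hash": 0.065,  "Xor": 0.1},
}

# Operation counts for one run of the authentication/key-agreement phase
# (Table 4).  Operations a protocol does not use are simply absent.
OP_COUNTS = {
    "Chaudhry": {"Mul": 8, "Add": 2, "Hash": 8},
    "Tsobdjou": {"Mul": 6, "Xor": 2, "Hash": 8},
    "Ren":      {"Mul": 6, "Hash": 8},
    "Proposed": {"Mul": 4, "Hash": 6, "Xor": 12},
}


def agreement_time_ms(protocol: str, platform: str) -> float:
    """Sum count * per-operation time for one protocol on one platform."""
    times = OP_TIME_MS[platform]
    counts = OP_COUNTS[protocol]
    missing = set(counts) - set(times)
    if missing:
        raise ValueError(f"no timing available for {sorted(missing)}")
    return sum(n * times[op] for op, n in counts.items())


def cost_table(platform: str, ndigits: int = 4) -> dict:
    """Agreement time per protocol on a platform, rounded like Table 4."""
    return {p: round(agreement_time_ms(p, platform), ndigits) for p in OP_COUNTS}


def mul_share(protocol: str, platform: str) -> float:
    """Fraction of the total spent in scalar multiplication (Mul)."""
    total = agreement_time_ms(protocol, platform)
    mul = OP_COUNTS[protocol].get("Mul", 0) * OP_TIME_MS[platform]["Mul"]
    return mul / total


def saving_vs(baseline: str, platform: str) -> float:
    """Fraction of the baseline's time saved by the proposed protocol."""
    return 1 - agreement_time_ms("Proposed", platform) / agreement_time_ms(baseline, platform)


if __name__ == "__main__":
    for platform in OP_TIME_MS:
        print(platform, cost_table(platform))
        for p in OP_COUNTS:
            print(f"  {p:9s} Mul share {mul_share(p, platform):.1%}")
```

Running it reproduces every entry of Table 4 to the precision printed there (e.g. 8.9328 ms and 349.59 ms for the proposed protocol), and shows that on the Cortex-M3 more than 99% of each protocol's time is scalar multiplication, which is why reducing the Mul count from 6 or 8 to 4 dominates the saving.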
Table 5. Protocol security comparison.

| Properties | Ren | Chaudhry | Tsobdjou | Proposed |
|------------|-----|----------|----------|----------|
| IAR        |     |          |          |          |
| RAR        |     |          |          |          |
| UA         |     |          |          |          |
| MA         |     |          |          |          |
| PFS        |     |          |          |          |
| KKS        |     |          |          |          |
| KSTR       |     |          |          |          |

Share and Cite

He, Z.; Zheng, Y.; Chen, S.; Du, Z.; Liu, S.; Zhang, K. Security-Enhanced Lightweight Authentication Key-Agreement Protocol for Unmanned Aerial Vehicle Communication. Appl. Sci. 2025, 15, 4680. https://doi.org/10.3390/app15094680