A Post-Quantum Authentication and Key Agreement Scheme for Drone Swarms

Abstract

With the continuous development of quantum computing technology, the traditional public key cryptosystem is facing severe security challenges, especially in the resource-constrained UAV swarm communication scenario. To deal with this problem, this paper proposes a secure communication scheme for the post-quantum era, which combines the Kyber-based group key agreement mechanism and the lightweight identity authentication system constructed by sparse Merkle tree (SMT). The system is initialized by the edge node, and supports the dynamic joining and leaving of the UAV through the authentication and key management mechanism. To meet the security and performance requirements in different application scenarios, we design and integrate two mainstream post-quantum signature schemes to provide flexible identity authentication options. Experimental results show that the scheme has low resource overhead while ensuring security, which is suitable for the actual communication deployment of post-quantum UAV swarm.

1. Introduction

1.1. Research Background

In recent years, with the rapid development of UAV (unmanned aerial vehicle) technology, UAVs have been widely applied in several key fields, such as commercial logistics, military reconnaissance, precision agriculture, and disaster monitoring. In particular, the drone swarm technology, which enables multi-UAV cooperative operations, demonstrates great potential in practical applications due to its high efficiency and flexibility [1]. However, with the large-scale deployment of the UAV swarm system, the security threats faced by its communication system are also increasingly serious. UAVs usually rely on wireless communication for task coordination and instruction transmission, which is vulnerable to man-in-the-middle attack, replay attack, identity forgery and other security threats. More importantly, with the continuous evolution of quantum computing technology, the traditional cryptographic mechanism faces the risk of being cracked, and the security of the UAV swarm system urgently needs to be reconstructed and reinforced in the post-quantum era [2].

A large number of studies have been carried out at home and abroad on the application of post-quantum cryptography algorithms in resource-constrained devices. To meet the security requirements of lightweight devices such as the Internet of Things, embedded systems, and drones, researchers systematically evaluate the performance of NIST candidate algorithms (such as Kyber, Dilithium, SPHINCS+, etc.) on ARM Cortex-M, RISC-V and other platforms to resist the quantum age.

In 2018, an unmanned aerial vehicle (UAV) light show in Xi ’an, China, failed to use an encrypted control channel, resulting in a lack of anti-jamming ability of the drones, and about 200 drones fell out of control. In 2011, Iran successfully hijacked a U.S. RQ-170 drone by impersonating the controller; and in 2017, a US MQ-9 drone encountered jamming. These incidents reveal the severe challenges faced by current UAV communication security. The existing UAV security protocols generally do not consider post-quantum threats and dynamic membership management issues, and it is urgent to add post-quantum security protection and flexible membership management mechanisms into the design [3].

1.2. Research Status and Requirements

At present, the research in the field of UAV secure communication at home and abroad still relies on traditional cryptography methods to ensure communication security. For example, Ouadah and Merazka (2024) proposed an authentication mechanism based on Diffie–Hellman key exchange combined with Hash Message Authentication Code (HMAC) [4] to improve security during data transmission. Although such schemes have certain security in the current computing environment, their security will face serious threats with the rapid development of quantum computing technology. In this regard, Muhammad Asghar Khan and other scholars have called for the early introduction of post-quantum cryptography (PQC) algorithm to build a UAV communication system that can resist quantum attacks and ensure its sustainable security in the future quantum era [2].

In order to deal with the severe challenges brought by quantum computing to the existing security mechanisms, it is urgent to design a group key agreement mechanism with post-quantum resistance, which should support lightweight and efficient group authentication. And it has good dynamic characteristics to adapt to the dynamic joining and leaving of UAV nodes, so as to construct a safe, reliable and scalable UAV swarm communication protocol.

1.3. Research Objectives

This study aims to construct a set of post-quantum security oriented UAV swarm communication protocol to solve the security shortcomings of the current system in terms of quantum computing threats and node dynamic management. The specific objectives include designing a group key agreement mechanism based on lattice cryptography to ensure the confidentiality of communication in the quantum environment. A lightweight identity authentication scheme combined with sparse Merkle tree [5] was constructed to achieve efficient and verifiable node identity management. A member management strategy supporting UAV nodes to dynamically join and leave was proposed to improve the adaptability and scalability of the protocol.

This study not only promotes the transformation from “traditional security” to “post-quantum security” in UAV swarm communication at the theoretical level, but also provides effective support for its security deployment in key scenarios such as military communication and disaster monitoring, which has important research value and application prospects.

2. Preliminaries

In this section, we present the core construction algorithm of our scheme.

2.1. CRYSTALS-Kyber

Kyber is a Key Encapsulation Mechanism (KEM [6]) based on lattice cryptography. It uses Module Learning With Errors (M-LWE) as the security basis. Its security can be formally proved based on the hardness of lattice problem in quantum computation. The key idea of Kyber is to hide key information by introducing noise, so as to complete key agreement without revealing the private key. The basic process includes parameter generation, key pair generation, encryption (key encapsulation) and decryption (decapsulation).

Kyber does this in the following way: First, it takes the public matrix $A\in Z_q^{k\times k}$ and generates the pk:

$$pk=(A,b=As+e)$$

(1)

Here, s is the private key and e is the noise vector of small parameters.

Encryption (key encapsulation): Here, r is a random vector.

$$u=A^{T}r+e_1$$

(2)

$$v=b^{T}r+e_2+m[q/2]$$

(3)

Decryption (decryption of the key): Recovers the message.

$$m[q/2]\approx v-u^{T}s$$

(4)

Kyber supports three security levels (Kyber512, Kyber768, Kyber1024) and has been selected by NIST as one of the post-quantum encryption standards.

2.2. CRYSTALS-Dilithium

CRYSTALS-Dilithium [7] is a lattice-based post-quantum signature algorithm, whose security is built on the hardness of the Module-LWE (modular noisy learning) and Module-SIS (modular-Short Integer Solution) problems. These problems are still considered hard in the context of quantum computing, so Dilithium can effectively resist quantum attacks.

Key generation phase: The algorithm generates the public matrix $A\in Z_q^{k\times 1}$ from the pseudo-random seed, then samples two small norm private vectors $s_1\in Z_q^l$,$s_2\in Z_q^l$, and then computes

$$t=A{s}_1+s_{2}modq$$

(5)

Here, t is part of the public key and finally outputs the public key $pk=(A,t)$ and the private key $sk=(s_1,s_2)$.

Signature phase: Given a message m, the message digest is first computed, $\mu =H\left(pk\right|\left|m\right)$

The vector $y\in Z_q^l$ is then sampled and computed:

$$\omega =Aymodq$$

(6)

Rounding or truncating $\omega$ yields a reduced ${\omega }_1$, which is used to generate the hash challenge: $c=H\left(\mu \right|\left|{\omega }_1\right)$, and then compute the signature response vector:

$$z=y+c\times s_1$$

(7)

If the z-norm is out of the set range or the reconstructed value leaks private key information, this attempt is discarded and resampled.

The final signature is $\sigma =(z,c)$.

Signature verification: The verifier recomputes the digest and reconstructs the verification vector ${\omega }^{\prime }$

$$\mu =H\left(pk\right|\left|m\right)$$

(8)

$$\omega ’=A·z-c·tmodq$$

(9)

Finally, the challenge value is calculated and compared, the high part ${\omega }_1^{\prime }$ is extracted from the reconstructed ${\omega }^{\prime }$, and then the $c=H\left(\mu \right|\left|{\omega }_1^{\prime }\right)$ is verified. Finally, the norm is checked to see if it is “small enough”.

Dilithium avoids complex Gaussian sampling, adopts truncation and rounding techniques to simplify the implementation, and has high efficiency and resistance to side channel attacks [8]. It is more suitable for the UAV communication environment.

2.3. Sparse Merkle Tree

Sparse Merkle tree (SMT) is a modified hash tree structure, which maps a fixed length key space (e.g., 256 bits) into a fixed depth binary tree, where each possible key corresponds to a unique path in the tree. Different from the traditional Merkle tree, SMT is more suitable for representing sparse data sets, and all the unassigned nodes are filled with the default hash value (such as all-zero hash), so it has efficient space utilization.

Similarly, each node is obtained by hashing its two children, that is,

$$H_{node}=H(H_{left}\left|\right|H_{right})$$

(10)

Due to the sparse tree structure, the hash values of many nodes can be precomputed and cached, which greatly improves the insertion and verification efficiency.

In the identity authentication scenario, SMT supports efficient proof of existence or non-existence of a certain key-value pair. The verification can be completed in logarithmic time by providing a path composed of the hash of the sibling nodes from the target leaf node to the root node, and the path length is fixed to the hash output bit length (e.g., 256 bits corresponds to 256 layers of the path). As a global commitment value, the root hash can effectively detect any data tampering behavior and carry out dynamic authentication and membership management, especially in post-quantum secure communication systems, which can realize efficient, secure and traceable identity binding mechanisms. It is more applicable in resource-constrained environments such as UAV swarm communication.

2.4. Aggregation Function HKDF

HKDF [9] (HMAC-based Key Derivation Function) is a structured key derivation function standardized in cryptographic literature in RFC 5869. Based on HMAC, it can extract the initial key material IKM (X) of any length into a high-entropy, fixed-length key, and support the generation of multiple sub-keys from a shared key. It is often used in key agreement protocols, key aggregation and other scenarios. In the scheme, we use this function to aggregate the temporary keys of each UAV to generate the final group key.

2.5. SPHINCS+

SPHINCS+ (Stateless Practical Hash-based INcredibly Compact and Secure Plus) (Figure 1) is a stateless digital signature algorithm based on hash function construction, which has good post-quantum security. It is the only hash-based signature scheme selected in NIST post-quantum cryptography standardization project, which plays an important role in security, practicability and standardization.

Different from the traditional signature schemes based on integer factorization or elliptic curve, SPHINCS+ completely relies on the collision resistance and irreversibility of hash functions to construct its security foundation, so as to naturally resist the attack of quantum algorithms (such as Shor’s algorithm). It uses multi-level hash tree structure (such as HORST and FORS substructure) and Merkle tree overlay to achieve the ability of multi-message signature, and avoids the state synchronization problem in earlier hash signature schemes such as XMSS.

Winternitz One-Time Signature Plus (WOTS+) is a hash-based one-time signature scheme that can securely sign data a single time. In SPHINCS+, WOTS+ acts as the leaf node signature algorithm to provide the basis for the Merkle tree node signature in the upper layer. Compared with the original WOTS, WOTS+ introduces hash chain randomization and other optimization methods to improve efficiency and flexibility while maintaining anti-quantum security.

FORS (Forest of Random Subsets) is an intermediate structure for signing message digests in SPHINCS+. It is composed of multiple small Merkle trees, which can split the message hash into several parts and sign them separately, so as to achieve more efficient data coverage. FORS improves the signing speed and allows the signing algorithm to be applicable to large message spaces, which is an important part of SPHINCS+ to improve the overall performance.

3. Our Scheme

3.1. System Architecture and Roles of Participants

Edge Node (Figure 2) [10]: This is the identity authentication center, group key coordinator and dynamic member manager in UAV communication, and is responsible for the main amount of calculation.

Unmanned Aerial Vehicle (UAV): This participates in identity authentication, key agreement, and encrypted communication, holds its own credentials, and is the main component of the UAV system.

Ground Station (GS): As the sender of the instructions and the owner of the returned data in the UAV system, the GS was regarded as an ordinary UAV node in the proposed scheme, and participated in the unified identity authentication and key agreement process.

3.2. System Initialization

• Scheme One:

Firstly, the edge node generates its own Kyber encryption and decryption key and Dilithium signature public and private key [11].

$$p{k}_e,s{k}_e=Kyber.KeyGen\left(\right)$$

(11)

$$mpk,msk=Dilithium.KeyGen\left(\right)$$

(12)

Each UAV $UA{V}_i$ locally and independently generates its own Kyber public and private key, and carries out hash binding at the same time, and then the edge node generates the signature credential ${\sigma }_i$ for the UAV node.

$$p{k}_i,s{k}_i-Kyber.KeyGen\left(\right)$$

(13)

$$H\left(I{D}_i\right|\left|p{k}_i\right)$$

(14)

$${\sigma }_i=Dilithium.Sign\left(H\right(I{D}_i\left|\right|p{k}_i\left)\right)$$

(15)

Then, the edge nodes construct sparse Merkle tree (SMT) and calculate the corresponding leaf nodes and their indices for all UAV nodes. Each index is mapped by the unique identification (ID) of the UAV to a unique position in the $2^{256}-bit$ space, which is used to accurately locate the position of the node in the SMT.Insert $inde{x}_i\to lea{f}_i$ to form a complete SMT, which records and publishes the hash of the root for subsequent authentication.

$$inde{x}_i=H\left(I{D}_i\right)$$

(16)

$$lea{f}_i=H({\sigma }_i\left|\right|p{k}_i)$$

(17)

• Scheme two:

Similarly, the edge nodes generate the corresponding public and private keys according to the SPHINCS+ and Kyber algorithms used.

$$p{k}_e,s{k}_e=Kyber.KeyGen\left(\right)$$

(18)

$$PK,SK=SPHINCS+.KyberGen\left(\right)$$

(19)

Each UAV A generates its own Kyber public and private key, binds it with its own B, and then generates the signing certificate according to the SPHINCS+ algorithm by the edge points.

$$p{k}_i,s{k}_i=Kyber.KeyGen\left(\right)$$

(20)

$$H\left(I{D}_i\right|\left|p{k}_i\right)$$

(21)

$${\sigma }_i=SPHINCS+.Sign\left(H\right(I{D}_i\left|\right|p{k}_i\left)\right)$$

(22)

Similarly, the edge nodes construct the initial sparse Merkle tree, generate the corresponding leaf node value and index for each UAV, record and publish the hash of the root for subsequent authentication.

$$inde{x}_i=H\left(I{D}_i\right)$$

(23)

$$lea{f}_i=H({\sigma }_i\left|\right|p{k}_i)$$

(24)

3.3. Group Authentication

Before each communication, $UA{V}_i$ must first verify its identity [12], and $UA{V}_i$ provides identity credentials to edge nodes.

$$UA{V}_i\to (I{D}_i,p{k}_i,{\sigma }_i,MerkleProo{f}_i)\to EN$$

(25)

Firstly, the edge node verifies whether the received signature is signed by itself, and then recalculates its index in the sparse Merkle tree and the corresponding leaf node according to the identity credential submitted by the UAV. Combined with the provided Merkle verification path, the edge node reconstructed the root node, and compared with the original root node stored locally to judge the legitimacy of the node identity (Figure 3).

$$Dilithium.Verify\left(H\right(I{D}_i\left|\right|p{k}_i),{\sigma }_i)$$

(26)

or

$$SPHINCS+.Verify\left(H\right(I{D}_i\left|\right|p{k}_i),{\sigma }_i)$$

(27)

$$VerifySMTProof(inde{x}_i,lea{f}_i,MerkleProo{f}_i)$$

(28)

Through the above verification process, the edge node can effectively determine whether the identity of the UAV node is legal. If it passes verification, it was allowed to participate in the subsequent group key agreement process. If it fails verification, the node is added to the blacklist, and it is forbidden to participate in the key agreement and subsequent communication.

3.4. Group Key Agreement

The legitimate UAV nodes that pass the authentication will participate in the group key agreement process [12]. Each node first locally generates a temporary session key $K_i$ locally, and then encrypts the key using the Kyber public key $p{k}_e$ of the edge node, and sends the ciphertext to the edge node.

$$c_i=Kyber.En{c}_p{k}_e(K_i\left|\right|T_i)$$

(29)

The edge node decrypts all and obtains a set of temporary keys $(K_1{K}_2{K}_3\dots K_n)$. It first verifies whether the time has expired compared with the current system time, and then performs the XOR operation if the time has not expired.

$$X=K_1\oplus K_2\oplus K_3\dots \oplus K_n$$

(30)

Get the result X calculated by the above formula, which is used as the seed input hash, bind Merkle root, and generate the final group key. To ensure that only authenticated UAVs derive the final group key, we use the root of the authentication tree as the salt in HKDF. As a public input, the salt randomizes the key derivation process and cryptographically binds the key to the authentication result.

$$seed=SHA3\left(X\right)$$

(31)

$$K_{group}=HKDF(Seed,salt=Root)$$

(32)

Next, the edge node performs group key distribution, that is, encrypts the group key with $UA{V}_i$ using its Kyber public key to obtain a series of ciphertexts $(c{t}_{1}c{t}_{2}c{t}_3\dots c{t}_n)$, which are then broadcast.

$$c{t}_i=Kyber.En{c}_p{k}_i\left(K_{group}\right)$$

(33)

After $UA{V}_i$ receives the ciphertext, it decrypts it with its Kyber private key and recovers $K_{group}$.

3.5. Encrypted Communication Phase

At this point, all nodes in the UAV system (including the ground station) have completed the consensus shared key agreement $K_{group}$. In the subsequent communication process, both the control commands issued and the sensing data uploaded by the UAV should be symmetrically encrypted with the shared key to ensure the confidentiality and integrity of the communication [13].

3.6. Dynamic Membership Management

Considering the highly dynamic operating environment of the UAV, the system should be able to support the dynamic joining and leaving of UAV nodes to ensure the flexibility and stability of the network [14].

When a new UAV node joins, it firstly provides Kyber’s public key and ID to the edge node, and then constructs a new leaf node and inserts it into the sparse Merkle tree.

$${\sigma }_{new}=Dilithium.Sign\left(H\right(I{D}_{new}\left|\right|p{k}_{new}\left)\right)$$

(34)

or

$${\sigma }_{new}=SPHINCS+.Sign\left(H\right(I{D}_{new}\left|\right|p{k}_{new}\left)\right)$$

(35)

$$lea{f}_{new}=H({\sigma }_{new}\left|\right|p{k}_{new})$$

(36)

$$inde{x}_{new}=H\left(I{D}_{new}\right)$$

(37)

$$UpdateSMT(inde{x}_{new}\to lea{f}_{new})$$

(38)

Then, the new aggregation seed is calculated, and the new group key is calculated, which is encrypted by the same Kyber public key of each UAV node. Finally, the ciphertext is broadcast to all UAV member nodes.

$$See{d}^{\prime }=SHA3(K_1\oplus K_2\oplus K_3\dots \oplus K_n\oplus K_{new})$$

(39)

$$K_{group}^{\prime }=HKDF(See{d}^{\prime },salt=NewRoot)$$

(40)

$$c{t}_i=Enc.Kybe{r}_p{k}_i\left(K_{group}^{\prime }\right)$$

(41)

When a UAV node needs to exit the network, the edge node will mark its corresponding path as empty in the sparse Merkle tree and update the root hash value of the tree. Subsequently, the edge node will renegotiate with the rest of the legitimate members to generate a new group key, and then broadcast it to the remaining members to ensure the forward and backward security of group communication.

$$inde{x}_i\to null$$

(42)

$$See{d}^{″}=SHA3(K_1\oplus K_2\oplus \dots \oplus K_{i-1}\oplus K_{i+1}\dots \oplus K_n)$$

(43)

$$K_{group}^{″}=HKDF(See{d}^{″},salt=NewRoot)$$

(44)

4. Security Analysis

In this section, we provide a comprehensive analysis of the security of our scheme.

4.1. Basic Security Properties

4.1.1. Authentication

In this scheme, sparse Merkle tree (SMT) is used to efficiently bind and verify the identity of UAV nodes. In the system initialization phase, each legitimate UAV node distributes its corresponding encrypted identity and its authentication path in SMT by the edge computing node. In the process of identity authentication, nodes only need to submit the path information consistent with the global root hash to the edge computing node, which can complete fast and efficient identity verification. Since the path and node identity are structurally tightly bound to the root hash value, any unregistered or forged node cannot construct a valid path and thus fail the authentication process. The mechanism effectively prevents illegal nodes from forging identities to participate in communication, ensures that the subsequent group key agreement and encrypted communication are only carried out between trusted entities, and enhances the anti-forgery and communication confidentiality of the system.

4.1.2. Confidentiality

All the authenticated legitimate UAV nodes will participate in the group key agreement process initiated by the edge computing nodes. The scheme uses Kyber-based post-quantum public Key encryption mechanism as the basis, and combines HKDF (HMAC-based Key Derivation Function) to aggregate the temporary keys submitted by each UAV node to jointly generate the final group communication key K. The key is used for subsequent symmetric encryption communication to ensure the confidentiality and forward security of the communication content during transmission. Because Kyber is based on the computational problem of Modular Learning Congruence Problem (Module-LWE), its negotiation process still maintains high strength security in the face of quantum attacks, which ensures that even if the attacker has full control of the communication link information, they cannot restore the valid clear text content or deduce the group key K.

4.1.3. Forward Safety

The group communication key used in this scheme has strict session restrictions, and the key is only valid in a single UAV mission (a flight cycle). After the completion of the task, the system will re-execute the complete key agreement process before the next take-off to ensure that the group communication key K generated by each negotiation is unique and unpredictable in the entropy source and negotiation context, and has no correlation with the previous key. This design ensures the Forward Secrecy of the system: even if a node is compromised in the future and the current secret key is leaked, the attacker still cannot decryption the historical communication data, which effectively limits the scope of potential information leakage and improves the overall security of the system in the long-term operation.

4.1.4. Post-Quantum Security

The scheme is constructed based on a variety of anti-quantum cryptography primitives, which fully guarantees the security of the system. The group key is generated by the Kyber algorithm based on Module-LWE, and the node identity is verified efficiently by the sparse Merkle tree constructed by anti-quantum hash. In the first scheme, the edge node uses the Dilithium algorithm based on Module-LWE and Module-SIS to sign the identity certificate. Ensure its integrity and tamper resistance. The second scheme uses the hash-based post-quantum signature algorithm SPHINCS+ to ensure the post-quantum security of the identity credential, and each component is designed to provide long-term stable security based on anti-quantum computing problems.

Kyber post-quantum security proof [15]: Let $A\in R_q^{k\times k}$ be a public matrix, let $R_q=Z_q\left[X\right]/(X_n+1)$, the secret vector $e\in R_q^k$ follow central or Gaussian distributions. The problem is to decide, given $(A,t)$ whether t is random or has the above structure. Kyber is based on the IND-CPA secure public key encryption scheme and achieves IND-CCA2 secure KEM by Fujisaki–Okamoto conversion. The reduction is as follows: if there exists an attacker A who can attack Kyber KEM under the IND-CCA2 model with non-negligible probability, then an algorithm B can be constructed to solve the Module-LWE problem with non-negligible probability.

$$Ad{v}_A^{IN{D}_{C}CA2}\left(Kyber\right)\le Ad{v}_B^{M_{M}LE}+negl\left(\lambda \right)$$

(45)

Post-quantum security proof of Dilithium: Dilithium converts the identification protocol into a non-interactive signature through the Fiat–Shamir with Aborts structure. In the random oracle model, Dilithium can be proved to satisfy the security of EUF-CMA (existential unforgeability under the chosen message attack). That is, if an attacker can forge a valid signature, a reduction algorithm can be constructed to solve the Module-SIS problem [16].

$$Ad{v}_A^{RU{F}_{C}MA}\le Ad{v}^{MSIS}+negl\left(\lambda \right)$$

(46)

Based on the above analysis, Dilithium is considered to have reliable post-quantum security, which can resist forgery attempts under quantum attacks, and is suitable for identity authentication scenarios with high requirements for long-term security.

The post-quantum security proof of SPHINCS+ is as follows; SPHINCS+ is a hash-based, stateless post-quantum signature scheme. The security of the algorithm is built on the basic security assumption of the underlying hash function, such as collision resistance, pre-image resistance and second pre-image resistance.

The overall security of SPHINCS+ is achieved by a modular design, and its signature construction consists of multiple sub-components, including WOTS+, FORS, hash trees, etc. It is known that the probability that an attacker successfully forges a signature does not exceed the sum of the probabilities that the individual submodules are compromised. That is,

$$\begin{array}{cc}\hfill {\mathrm{InSec}}^{\mathrm{PQ}\text{-}\mathrm{EU}\text{-}\mathrm{CMA}}(\mathrm{SPHINCS}+;\mu ,q_s)& \le \hfill \\ \hfill {\mathrm{InSec}}^{\mathrm{PQ}\text{-}\mathrm{PRF}}(\mathrm{PRF};\mu ,q_1)& +\hfill \\ \hfill {\mathrm{InSec}}^{\mathrm{PQ}\text{-}\mathrm{PRF}}({\mathrm{PRF}}_{\mathrm{msg}};\mu ,q_1)& +\hfill \\ \hfill {\mathrm{InSec}}^{\mathrm{PQ}\text{-}\mathrm{PRF}}({\mathrm{PRF}}_{\mathrm{msg}};\mu ,q_s)& +\hfill \\ \hfill {\mathrm{InSec}}^{\mathrm{PQ}\text{-}\mathrm{ITSR}}(H_{\mathrm{msg}};\mu ,q_s)& +\hfill \\ \hfill {\mathrm{InSec}}^{\mathrm{PQ}\text{-}\mathrm{SM}\text{-}\mathrm{TCR}}(\mathrm{Th};\mu ,q_3)& +\hfill \\ \hfill 3{\mathrm{InSec}}_{\mathrm{PQ}\text{-}\mathrm{SM}\text{-}\mathrm{TCR}}(F;\mu ,q_3)& +\hfill \\ \hfill {\mathrm{InSec}}^{\mathrm{PQ}\text{-}\mathrm{SM}\text{-}\mathrm{DSPR}}(F;\mu ,q_3)\end{array}$$

(47)

In summary, SPHINCS+ is a hash-based signature algorithm with clear structure, high modularity and formal security proof, which shows extremely high robustness against quantum attacks. Thanks to its completely hash-based design without algebraic structure dependence, SPHINCS+ can still provide NIST Level 5 (approximately equivalent to 128-bit quantum security) even under the quantum threat model. Although its signature size is large (about 7.6 KB) and its signature delay is high, it has more advantages in UAV applications that are not sensitive to the size of the signature and have high security requirements. Therefore, the second scheme is more suitable for large UAV systems such as military UAV and strategic reconnaissance, which have strict requirements for confidentiality and anti-quantum attack.

In contrast, Dilithium, as a lattice-based signature scheme, offers higher signing efficiency and smaller signature sizes. For example, the signature size of Dilithium Level 3 is about 2.4 KB, and the signing delay is around 1–2 ms. This makes it more suitable for small, resource-sensitive UAV platforms with limited computing power. Although its theoretical resistance to quantum attacks is slightly lower than that of SPHINCS+, its security level is sufficient for general civil or commercial applications. Therefore, Scheme 1 is more suitable for small-scale civil UAV systems with moderate security requirements and high sensitivity to performance and bandwidth, such as those used in logistics distribution and environmental monitoring.

4.2. Analysis of Anti-Attack Capability

(1)

Resistant to replay attacks:

In order to prevent the attacker from capturing and replaying the historical key agreement messages to cheat the system, this scheme introduced a time factor as part of the negotiation context in the group key agreement phase to ensure the uniqueness and timeliness of the session key generated in each round of key agreement. The mechanism effectively prevents the reuse of invalid keys and the forgery of session context, and enhances the system’s ability to resist replay attacks and forward security threats (Figure 4).

(2)

Security proof against man-in-the-middle attack:

The scheme adopted Kyber algorithm in the group key agreement phase, and its security could be reduced to the Modular Learning Error Problem (M-LWE) in the standard model. Before negotiation, the identities of all nodes were authenticated by the sparse Merkle tree, and the attacker could not forge a valid identity path. In the process of key negotiation, the derived key binds the current time parameter T to ensure that the output of each negotiation is unique.

If an attacker A can successfully launch a man-in-the-middle attack and cheat legitimate nodes to establish a shared key, a reduced agent B can be constructed to distinguish the true key of Kyber encryption challenge from the false key, thereby breaking the IND-CCA2 security of the reduced agent B. This assumption is in contradiction with Kyber security, so the scheme can be proved to be resistant to the man-in-the-middle attack under the random oracle model.

(3)

Security against forgery attack:

In this scheme, all node identity information has been generated by edge nodes and embedded in the sparse Merkle tree in the initialization phase, and the root hash is the global authentication benchmark. In identity authentication, each node needs to provide its identity ID signature and Merkle path, and the edge node verifies it.

If a forgery attacker attempts to authenticate as an unregistered identity, they must construct an authentication path that is legal and matches the root hash. However, due to the collision resistance of the Merkle tree hash function, the attacker cannot forge any legal path without knowing the hash values and paths of other nodes. Therefore, the authentication phase has the ability to resist forgery.

Furthermore, if an attacker A can forge the legal identity and pass the authentication, it is equivalent to the attacker finding the authentication path with the hash function collision or the forged tree root consistent, and then destroying the collision resistance of the hash function or the integrity of the Merkle tree. The contradiction is true.

(4)

In the UAV swarm communication scenario, Denial of Service (DoS) attack is a common and serious security threat. An attacker may attempt to make edge computing nodes or individual UAVs into a resource exhaustion state by sending a large number of forged authentication requests or repeatedly initiating the key agreement process. In this regard, the post-quantum secure communication protocol proposed in this paper has certain natural defense capabilities in design, and the reasons are as follows:

Firstly, in the identity authentication phase, the protocol adopted the sparse Merkle tree (SMT) structure, which could efficiently verify the identity of legitimate nodes. As a commitment of lightweight global state, SMT root node only needs O(log N) overhead to verify whether the identity is legitimate, which avoids the computational bottleneck caused by linear search or centralized authentication. Even if the attacker forges a large number of identities to try authentication, the required overhead of the system remains at the logarithmic level, and the resource pressure is relatively limited.

Secondly, the key agreement is based on the Kyber algorithm, which has good computational efficiency, especially on the embedded platform. Even in the case of multiple concurrent negotiation requests, the computational cost of decoding and reconstruction operations is lower than that of traditional key agreement schemes, and it is not easy to cause resource blocking.

In summary, although this paper does not introduce a special DoS mitigation mechanism, from the perspective of the protocol construction itself, its lightweight and hierarchical design idea makes the system robust to DoS attacks, especially suitable for the resource-constrained UAV swarm communication environment.

4.3. Security Analysis of the Overall Protocol

Based on the reduction proof, this section analyzes the security of the proposed post-quantum UAV swarm communication protocol from three aspects of group key agreement, identity authentication and signature mechanism, and proves that the attacker cannot destroy the key confidentiality, identity authenticity and message non-repudiation with non-negligible probability (Figure 5).

(1)

Group key Agreement security

The scheme uses Kyber KEM to realize group key agreement, and its security is based on Kyber’s IND-CCA security. Assuming that there exists an attacker mathcalA that can recover or distinguish the shared key K after eavesdropping or tampering with the negotiated communication, an algorithm mathcalB can be constructed to challenge the security of Kyber in the IND-CCA security model using the power of mathcaA.

The attacker’s advantage is defined as follows:

$$Ad{v}_A^{AEM}:=Pr\left[AsuccessfullyrecoversorcdistinguishesthegroupkeyK\right]$$

(48)

Since Kyber satisfies IND-CCA security, there exists a negligible function $ϵ\left(\lambda \right)$ such that

$$Ad{v}_A^{KEM}\le Ad{v}_B^{IND-CCA}\left(Kyber\right)\le {ϵ}_1\left(\lambda \right)$$

(49)

Therefore, the key irrecoverability and forward security of the group key agreement process can be guaranteed in the standard model.

(2)

Authentication Security

In the identity authentication phase, sparse Merkle tree (SMT) was used to realize a lightweight and verifiable post-quantum identity authentication mechanism, and SPHINCS+ or Dilithium signature algorithm was combined to ensure the unforgeability and integrity of authentication information.

The core security goal of authentication correctness is that the attacker cannot generate an unauthorized legal identity authentication path and the corresponding signature to bypass the legitimacy verification. Let mathcalA be an authentication attacker whose goal is to successfully forge the identity of a legitimate UAV without authorization.

$$Ad{v}_A^{KEM}:=Pr[AforgesavalidMerklepath+signature\sigma ]$$

(50)

$$Ad{v}_A^{KEM}\le Ad{v}_A^{SMT}+Ad{v}_A^{SPHINCS+\_sig}$$

(51)

For SMT, the security is based on the hash function collision and second preimage problem, which can be regarded as ${ϵ}_1\left(\lambda \right)$.

For the signature algorithms, SPHINCS+ and Dilithium are evaluated by NIST standards and meet the security of EUF-CMA ${ϵ}_2\left(\lambda \right)$.

$$Ad{v}_A^{KEM}\le {ϵ}_2\left(\lambda \right)+{ϵ}_3\left(\lambda \right)$$

(52)

The attacker cannot effectively forge the legal identity in the calculation, which ensures the anti-quantum security and anti-impersonation ability of the UAV identity authentication stage.

(3)

Protocol Composition Security

Since the key agreement, authentication and signature mechanisms are based on independent security assumptions (IND-CCA security, hash irreversibility and EUF-CMA security), the whole protocol satisfies the parallel composition security. Even if an attacker attempts an attack in one module, the security of other parts is not affected.

$$Ad{v}_A^{protocol}\le Ad{v}_A^{KEM}+Ad{v}_A^{auth}+Ad{v}_A^{sig}\le ϵ\left(\lambda \right)$$

(53)

It can be concluded that under the post-quantum security of basic sub-components, the proposed UAV swarm protocol has security guarantees such as integrity, authentication and confidentiality in the post-quantum threat model.

5. Performance Analysis

In order to verify the practical feasibility of the proposed scheme on resource-constrained devices such as UAVs, this section evaluates the system performance from the perspective of UAV nodes, and analyzes the operating overhead and resource occupation of each stage.

5.1. Memory Footprint Analysis

In the whole scheme, each UAV node firstly performed the generation of Kyber key pair and stored the private key securely. Then, in the group identity authentication phase, the node received and stored the identity authentication information and its signature issued by the edge computing node. Finally, in the group key agreement phase, each node completed a complete ciphertext generation and decryption process based on Kyber algorithm, so as to realize secure group key agreement (Figure 6).

Taking Kyber-768 as an example, the public key is 1184 B and the private key is 2400 B in the key generation phase. The authentication path field of the sparse Merkle tree in the identity authentication stage is about 640 B. In the first scheme, the post-quantum signature Dilithium accounts for about 2420 B. Finally, the group shared key is about 32 B, which is about 6.4 KB in total. For Scheme II, the signature size of SPHINCS+ accounts for about 7.6 KB, totaling about 10 KB. For typical embedded UAV systems such as STM32H7 or ARM Cortex-M series, RAM is usually 64 KB to 512 KB, which is acceptable (Figure 7).

5.2. Running Time Analysis

In order to evaluate the operation efficiency of the proposed scheme on embedded UAV nodes, this section analyzes the processing delay of key stages such as identity authentication, key agreement and communication encryption and decryption. An example is a Cortex-M4 processor (≈100 MHz) (Figure 8).

Authentication phase: The edge node needs to verify its legitimacy in the sparse Merkle tree. Here, the height of our tree is 256. A single execution of SHA-256 on the embedding platform Cortex-M4 takes about 3 μs, and the total time of reconstructing the tree is

$$T_{auth}\approx 256\times 3\mathsf{\mu }\mathrm{s}$$

(54)

In scheme one, the edge node verifies the signature certificate generated by Dilithium, and the edge node takes (Intel NUC) as an example to verify the signature about 0.09 ms.

In the second scheme, the edge node verifies the signature credential of SPHINCS+, which takes about 2 ms.

Key agreement phase: In this phase, the UAV node needs to perform one Kyber-768 decryption operation:

$$T_{Kyber-DEC}\approx 2.8\mathrm{ms}$$

(55)

Encrypted communication phase (symmetric encryption): AES is used in the scheme to encrypt the communication content with the negotiated post-quantum shared key, which has good performance on the embedded platform, so the total time consumption of encryption is

$$T_{AES}^{128B}\approx 30\mathsf{\mu }\mathrm{s}$$

(56)

In summary, the total running time of full authentication + key agreement + symmetric encryption is about

$$T_{total}^1\approx T_{auth}+T_{Kyber-DES}+T_{AES}^{128B}=3.59\mathrm{ms}$$

(57)

$$T_{total}^2\approx T_{auth}+T_{Kyber-DES}+T_{AES}^{128B}=5.59\mathrm{ms}$$

(58)

In the real-time control scenario, the communication delay of UAV has strict requirements, which usually needs to be controlled within 50 ms, and ideally should be less than 20 ms to ensure the accurate response of flight attitude and system stability. In contrast, the average delay of our scheme in the authentication and key agreement phase is 3.59 ms, which is significantly better than the above standards, and has good real-time performance and engineering deployability (Figure 9).

Summary of Performance Analysis

Through experimental comparison, it can be seen that Scheme 1 and Scheme 2 have good anti-quantum attack ability, and their overall performance meets the real-time requirements of UAV flight system. However, the two schemes show their respective advantages and applicability differences in specific application scenarios. In the first scheme, the lattice-based digital signature algorithm Dilithium is used in the identity authentication stage, which has high verification efficiency and small signature size, and is suitable for small UAV swarm communication scenarios with limited resources and relatively low security requirements. In contrast, Scheme 2 uses SPHINCS+ signature algorithm, and although its signature generation overhead is large and the signature size is longer, it performs better in long-term security and anti-tampering ability, so it is more suitable for UAV swarm communication systems with larger scale and higher security and robustness requirements (Figure 10).

We also compare the performance of two mainstream post-quantum signature algorithms SPHINCS+ and Dilithium under different security levels (Level 1, 3, 5). It can be seen that Dilithium has significant advantages in signature generation time, verification speed and signature length, and has better performance [27]. Although both of them meet the security requirements of NIST standard at the same level, SPHINCS+ is constructed based on hash function, and its security does not depend on specific mathematical problems. SPHINCS+ has stronger formal security guarantee and stronger ability to resist future attacks [28], so it is a highly conservative design, which is more suitable for application scenarios with higher long-term security and robustness requirements. In conclusion, Scheme 2 (using SPHINCS+) is more suitable for deployment in UAV systems with higher security requirements under the premise of acceptable computational cost.

Through the comparative analysis of the signature algorithm adopted in this scheme and the similar mainstream post-quantum signature algorithms, as shown in Figure 11, although Rainbow III has a small signature size, its public and private keys are generally large, which is not conducive to the deployment of resource-constrained devices [29]. Although the key size of Picnge-L3-fs is small, the signature overhead is significant, which increases the communication burden. Falcon-1024 performs well in terms of signature size and verification efficiency, but its implementation relies on high-precision floating-point arithmetic and its algorithm complexity is high, so it is not suitable for stable operation on embedded platforms. In contrast, Dilithium achieves a good balance between signature size, key size and computational efficiency, which is more suitable for UAV application scenarios with high requirements for computing resources and response time. It can also be seen from the comparison results in Figure 12 that SPHINCS+ has better overall performance among similar post-quantum signature schemes based on hash construction. SPHINCS+ has both high security and anti-quantum computing ability, and is suitable as a trusted signature mechanism in scenarios with high security requirements.

6. Conclusions and Future Work

6.1. Conclusions

Aiming at the key security issues faced in UAV swarm communication, such as group identity authentication, key agreement and encrypted communication, this paper designs and implements two swarm communication schemes with post-quantum security. Both schemes used edge computing node to guide the initialization process uniformly, and combined the Kyber KEM key agreement mechanism, Aggregate Function (HKDF) and sparse Merkle tree (SMT) to construct a lightweight identity authentication structure. In the identity authentication phase, Dilithium algorithm was used to issue verifiable signature credentials for each UAV node by the edge node. The second scheme implements stateless signature authentication mechanism based on SPHINCS+ algorithm, which is suitable for scenarios that require higher independence of signature states. Except for the different authentication methods, the other communication processes are consistent, and a group communication framework with security, scalability and resource adaptability is constructed together. The system supports the dynamic join and exit management of nodes to ensure the flexible deployment ability of UAV swarm in the changing mission environment. Moreover, the respective applicable environments of the two schemes are discussed. Through experimental evaluation in typical resource-constrained scenarios, the results show that in scheme one, the average authentication and key processing time of the UAV node side is 3.59 ms, which verifies that the scheme has a good balance between lightweight deployment, real-time performance and security intensity, and has the potential for practical application.

6.2. Future Work

This scheme is mainly for centralized authentication and key management scenarios under a single UAV swarm architecture, and is suitable for small- and medium-sized cluster communication supported by edge computing capabilities. In the future research and system expansion, a distributed security framework supporting multi-swarm coordination and edge-coordinated computing can be further explored to meet the requirements of larger-scale and cross-regional task coordination of unmanned systems. Specifically, hierarchical key architecture is introduced to establish a relay trust chain between edge nodes, and a cross-domain authentication mechanism is used to realize mutual identity recognition and shared key agreement between groups. Thus, secure communication between different groups can be ensured.

In addition, each UAV node in the current scheme needs to explicitly have its own identity and sparse Merkle path, which has the advantage of efficiency in resource-constrained environments. However, in highly sensitive tasks, such as tactical coordination, intelligence collection and other scenarios, the plaintext carrying of identity and authentication path may cause privacy leakage risk. Therefore, in the future, Zero-Knowledge Proof (ZKP) technology can be further integrated to design a lightweight authentication protocol with privacy protection ability, so that nodes can complete the legitimacy verification without revealing their identity and path information, and improve the anonymity, anti-analysis and anti-tampering of the system. Such mechanisms will significantly enhance the applicability of our system in complex and security-sensitive environments, and lay the foundation for building a communication ecosystem of unmanned systems with post-quantum security capabilities.