A Lightweight and Secure End-to-End Authentication Protocol Using PUF for Internet of Drones

The Internet of Drones (IoD) has become an important platform for applications such as smart agriculture, industrial monitoring, and large-scale aerial sensing. However, securing IoD communications remains challenging because drones often operate in open environments and have limited computation, storage, and energy resources. Existing authentication and key agreement protocols still face practical limitations, including high computational overhead, exposure to physical capture attacks, and reliance on centralized servers for session-key generation. In this paper, we first analyze a recent IoD authentication scheme and show that it is vulnerable to session-key disclosure, offline identity/password guessing, and mobile device/drone impersonation attacks. To address these issues, we propose a lightweight Physically Unclonable Function (PUF)-based end-to-end authentication protocol for IoD environments. The proposed scheme avoids storing long-term secret keys in drone memory and enables the mobile device and drone to establish a session key directly, without involving the Ground Station Server in key derivation. The security of the proposed protocol is evaluated through informal analysis, BAN logic, the Real-or-Random model, and AVISPA simulation. The results show that the scheme resists common attacks, including replay, impersonation, stolen verifier, physical capture, and offline password guessing attacks. Performance evaluation further indicates that the protocol maintains low computational cost while providing stronger security guarantees, making it suitable for resource-constrained IoD deployments.