CUBAT-AKA-Collaborative UAV Batch Authentication and Tree-Based Key Agreement

Abstract

As Flying Ad Hoc Networks (FANETs) are highly vulnerable to security threats such as identity spoofing, session replay and man-in-the-middle attacks in open-air channels, it is crucial to design an authentication key agreement (AKA) scheme to ensure the security of unmanned aerial vehicle (UAV) swarm networking within FANETs. However, existing AKA schemes for FANETs often struggle to balance authentication efficiency and high dynamism within UAV swarms whilst meeting necessary security requirements. To address the issue, this paper proposes CUBAT-AKA (Collaborative UAV Batch Authentication and Tree-based Key Agreement), a lightweight UAV swarm authentication and key agreement scheme based on batch verification and a binary tree structure. The scheme constructs a secure and lightweight three-party authentication mechanism based on aggregated verification and the Chinese Remainder Theorem (CRT). By offloading computational tasks to the authentication center and aggregating authentication responses in batches, it significantly improves the efficiency of UAV access authentication in large-scale FANET scenarios. To address the dynamic nature of UAVs frequently joining and leaving clusters in FANETs, an improved binary tree-based key agreement method has been designed, reducing key update overhead to a logarithmic level and enabling lightweight session key distribution and updates for UAV clusters. Security analysis demonstrates that, under the random oracle model, CUBAT-AKA is resistant to eavesdropping, replay, man-in-the-middle, impersonation and collusion attacks, whilst ensuring forward and backward security during member changes. Performance analysis indicates that this scheme offers significant advantages over comparable solutions in terms of both UAV cluster access authentication efficiency and dynamic key agreement overhead.

1. Introduction

In recent years, with the deep integration of wireless communication technology and unmanned aerial vehicle (UAV) technology [1], Flying Ad Hoc Networks (FANETs) have emerged as a core component of low-altitude intelligent networks and have become a key technological enabler for diverse missions such as collaborative reconnaissance, environmental monitoring, emergency rescue and logistics delivery [2,3]. FANETs enable real-time information exchange between UAVs and Ground Control Stations (GCSs) (U2G) as well as between UAVs themselves (U2U), thereby facilitating the execution of collaborative tasks in a swarm configuration [4]. However, as FANETs are deployed in open and highly dynamic airspace environments [5], their communication channels are highly vulnerable to security threats such as identity spoofing attacks, replay attacks and man-in-the-middle attacks [6,7]. Furthermore, UAV nodes in FANETs exhibit higher three-dimensional mobility, more frequent topological changes, and stricter computational and energy resource constraints [8]. These characteristics necessitate that FANETs possess more efficient capabilities for UAV cluster access authentication and key agreement [9]. Consequently, the design of a lightweight FANET authentication and key agreement (AKA) scheme that can both ensure mutual trust between entities and achieve efficient, dynamic session key agreement holds significant practical importance for promoting the widespread deployment of UAV clusters in the low-altitude economy and intelligent applications [10,11,12].

However, secure communication in FANETs faces the following unique challenges. Firstly, in terms of authentication efficiency, UAV swarm missions typically involve a large number of UAVs simultaneously accessing the jurisdiction of a single GCS within a short timeframe, while traditional one-by-one authentication methods would result in significant authentication delays, making it difficult to meet the real-time requirements of the mission. Secondly, in terms of resource constraints, UAV nodes are limited by finite computational power, storage capacity and battery life, and cannot bear the overhead of heavy-duty cryptographic operations such as bilinear pairings and modular exponentiations, which necessitates the design of lightweight security mechanisms that rely on efficient primitives such as elliptic curve scalar multiplication and hash functions [13]. Furthermore, regarding highly dynamic topologies, UAVs frequently join or leave the swarm formation whilst executing missions. This requires a dynamic group key agreement mechanism capable of efficiently updating the shared session key in response to membership changes, whilst strictly ensuring both forward and backward security to prevent departing UAVs from decrypting current communications or newly joined UAVs from accessing historical sessions [14]. Finally, regarding the communication environment, both the air-to-air links between UAVs and the air-to-ground links between UAVs and the Ground Control Station (GCS) are exposed to an open electromagnetic environment, where attackers can easily carry out eavesdropping, tampering and injection attacks [15].

In response to the challenges of inefficient authentication and complex dynamic key agreement in UAV clusters within FANETs, this paper proposes the CUBAT-AKA (Collaborative UAV Batch Authentication and Tree-based Key Agreement) scheme, a lightweight authentication and key agreement scheme based on batch authentication and an improved binary tree structure. To address the frequent topological changes caused by the high-speed movement of UAVs in FANETs, this scheme achieves efficient UAV access authentication and lightweight UAV group key updates by offloading the authentication computational load to a Trusted Authority capable of batch processing, and by combining this with a tree-based structure that offers logarithmic-time update efficiency for key agreement. The main contributions of this paper include:

• An efficient batch three-party authentication mechanism based on CRT. To address the computational burden posed by the large-scale access of UAVs in FANETs, this proposal designs a three-party authentication mechanism involving UAVs, the Ground Control Station (GCS) and a Trusted Authority (TA). By utilizing elliptic curve aggregation verification technology, the TA simultaneously validates the credentials of multiple UAVs, significantly reducing the average computational overhead per authentication. Furthermore, by innovatively integrating the Chinese Remainder Theorem (CRT), the GCS aggregates multiple authentication response messages into a single value for broadcast. This approach effectively optimizes communication overhead and authentication latency whilst ensuring the security of three-party mutual authentication, thereby significantly enhancing the system’s operational efficiency in large-scale UAV swarm scenarios.
• A dynamic group key agreement method based on a dynamic binary tree. To establish a secure communication environment following authentication, this proposal presents an efficient group key agreement method based on an improved binary tree structure, in which the GCS and authenticated UAVs are mapped to leaf nodes of the binary tree. By defining tree node numbers and associating them with tree keys, private and public keys for branch nodes and the root node are generated using hash functions and recursive computation. This algorithm automates the construction of group session keys, ensuring that the GCS and all legitimate members can efficiently negotiate a shared group session key.
• A lightweight forward and backward secure key update mechanism. In response to the frequent changes in FANET topologies, a lightweight update mechanism has been designed for scenarios involving the joining and leaving of UAVs. By introducing an improved binary tree logical structure, UAVs and the Ground Control Station (GCS) are able to implement precise node deletion and path update scheme, the GCS need only broadcast a small number of updated tree public key parameters along the associated paths to guide the remaining legitimate members in synchronously updating the group key. This mechanism significantly reduces the communication burden on end devices whilst strictly ensuring the system’s forward and backward security, thereby enhancing the practicality and robustness of the solution in high-speed, resource-constrained UAV swarm environments.

The structure of this paper is outlined as follows: works related to our scheme are introduced in Section 2. Section 3 provides the frequently used notations and definitions as well as the problem formulation, including the system and threat models, and the formal definition of our scheme along with the security model is presented. In Section 4, we describe the concrete construction of our CUBAT scheme, and Section 5 presents the security and performance analysis. Finally, Section 6 gives a brief conclusion of our work.

2. Related Work

Currently, significant progress has been made in research on authentication key agreement for self-organizing networks. Zhou et al. [16] implemented reliable authentication based on a traditional PKI architecture, but this incurred substantial overhead in terms of communication and certificate management. Raya et al. [17] designed an anonymous authentication scheme, but this entailed a heavy burden in terms of maintaining and storing certificate revocation lists. Plössl et al. [18] protected incident messages using asymmetric cryptography, but the certificate overhead remained excessive. Lu et al. [19] utilized infrastructure-assisted time-key certificates to alleviate storage pressure, but this introduced high communication latency. Zhang et al. [20] proposed a batch authentication mechanism based on identity signatures, reducing the burden of certificate management in large-scale scenarios, but it is vulnerable to replay and privacy leakage attacks. Lee et al. [21] proposed a scheme based on group signatures to protect member privacy, but the member revocation list is complex and signature verification incurs high overhead. Wang et al. [22] proposed a self-authentication protocol supporting batch authentication, but the computational overhead was excessive. Liu et al. [23] combined PUF with certificate-less signing to resolve the ‘one device, two public keys’ issue and support efficient batch authentication. Liu et al. [24] proposed the LWAKA scheme, which synchronizes authentication information in advance through trajectory planning, achieving an effective balance between authentication efficiency and privacy strength. In the field of unmanned aerial vehicles (UAVs), Tanveer et al. [25] proposed the PAF-IoD framework, which utilizes PUFs and AEGIS authentication–encryption to design a lightweight three-party authentication scheme for IoD environments. This effectively defends against physical capture and temporary secret leakage attacks, but only supports point-to-point session key establishment between a user and a single UAV. Huang et al. [26] proposed a robust AKA scheme for UAV search-and-rescue networks based on hyperelliptic curve cryptography. They demonstrated the semantic security of session keys under an eCK adversary model and significantly reduced communication overhead; however, this scheme also focuses on two-party authentication. Nevertheless, in the aforementioned schemes, the TA must remain online, posing a single-point-of-failure risk, and they are unable to achieve dynamic group key updates for UAV swarms.

To eliminate reliance on a single trusted center, Wei et al. [27] proposed a decentralized AKA scheme based on smart contracts, deploying registration, authentication and revocation functions on the blockchain, thereby effectively reducing the risk of single points of failure. Wei et al. [28] further proposed a threshold-based decentralized AKA scheme utilizing a consortium blockchain, which addressed the issue of key leakage by combining edge computing with a threshold voting mechanism. Karmakar et al. [29] proposed the SwarmAuth scheme, which utilizes blockchain to store authentication information and implements access control via smart contracts. By integrating a Physical Unclonable Function (PUF), it enables mutual authentication between the Ground Control Station (GCS) and the UAV, whilst employing K-means clustering to dynamically generate location-based UAV clusters. Khan et al. [30] proposed a certificate-based access control and key agreement scheme for FANETs based on HECC. By utilizing an 80-bit key length, they significantly reduced computational and communication costs; however, the scheme only supports point-to-point key agreement between two drones. Nevertheless, the aforementioned schemes require real-time access to on-chain data during the authentication process or lack the capability for group key agreement, making it difficult to meet the requirements for secure group communication within drone clusters.

With regard to group key agreement, Mejri et al. [31] implemented group key generation for self-organizing networks; however, the operations based on large prime groups resulted in significant communication overhead. Dua et al. [32] utilized cluster heads to simplify the authentication process, but Jiang et al. [33] pointed out that non-interactive key establishment struggles to ensure forward secrecy under highly dynamic topologies. Cao et al. [34] implemented dynamic group key agreement without the need for bilinear pairs by combining the Just–Vaudenay protocol with self-authenticating cryptography; however, key updates still require all members to re-execute the negotiation process. Liu et al. [35] utilized trusted computing and bilinear pairs to construct a two-factor authentication mechanism, but the complex computations resulted in a significant drop in efficiency. Xiao et al. [36] demonstrated that most existing schemes rely on an online trusted center to implement dynamic key updates, making it difficult to simultaneously ensure efficiency, scalability, and both forward and backward security. Regarding group key management for unmanned aerial vehicle (UAV) swarms, Gaydamaka et al. [37] proposed a dynamic topological organization and maintenance algorithm based on a virtual coordinate system for GNSS-denied environments, supporting swarm merging and separation. The algorithm maintains over 90% topological similarity even under 30% positioning error, but does not address authentication or key agreement. Wang et al. [38] proposed a physical-layer group key generation scheme based on satellite cluster state information. By utilizing the regional similarity of navigation satellite signals to achieve efficient group key establishment, and by processing signal inconsistencies via a fuzzy extractor, they achieved a 100% key matching rate within a 25-metre radius; however, the effective range is limited by the attenuation range of signal similarity.

In response to the shortcomings of existing schemes in terms of authentication efficiency, dynamic key management and lightweight design, this paper proposes the CUBAT-AKA scheme. By employing a CRT-based batch three-party authentication mechanism and an improved binary tree structure, it provides a key agreement scheme for FANETs that balances efficiency, lightweight design and forward and backward security.

3. System Model and Definitions

To better understand the construction of CUBAT-AKA, we list the frequently used notations in

Table 1. Notation descriptions.

Notations	Descriptions
$G,q,P$	Elliptic curve cyclic additive group defined over a finite field, the prime order of the group, and the generator of the group
$s,P_{pub}$	System private key $s\in {\mathbb{Z}}_q^{*}$ generated by the Trusted Authority (TA) and the corresponding system public key $P_{pub}=s·P$
$RI{D}_i,I{D}_j$	Identity information of UAV $U_i$ and identity identifier of Ground Control Station $GC{S}_j$
$l_i,l_j$	Long-term session keys assigned by the TA to UAV $U_i$ and Ground Control Station $GC{S}_j$, used for subsequent authentication processes
$k_i,K_i$	Partial temporary private key randomly chosen by UAV $U_i$ and its corresponding partial public key $K_i=k_i·P$
$m_i$	Large prime chosen by UAV $U_i$, used for the computation of the Chinese Remainder Theorem (CRT)
$BP{K}_{RI{D}_i}$	Batch public key of UAV constructed to implement batch authentication
$TS{K}_i,TP{K}_i$	Tree secret key and tree public key associated with node $N_i$ in the binary tree
$index$	Random index assigned by the GCS, used to compute branch node keys and prevent key collisions
$H_i(1\le i\le 6)$	Cryptographic one-way hash functions with different labels used in the scheme
${\sigma }_j$	ECDSA digital signature generated by $GC{S}_j$ for broadcast messages

and introduce relevant definitions. Subsequently, we present the system model with threat models, and finally establish the formal definition and security model of CUBAT-AKA.

3.1. Preliminary

3.1.1. Elliptic Curve Cryptography (ECC)

Let $F_p$ be a finite field determined by a prime p. Let a set of elliptic curve points E over $F_p$ be defined by the equation

$$y^2=x^3+ax+bmodp,$$

where $a,b\in F_p$. Let O be the point at infinity. Then O and all other points on E form an additive elliptic curve group G of order q with generator P. The main properties of G are as follows:

• Scalar Point Multiplication: Let $P\in G$ and $m\in {\mathbb{Z}}_p^{*}$. The scalar multiplication on E is defined as

  $$m·P=P+P+\dots +P\left(m\mathrm{times}\right).$$
  Note that the symbol ‘+’ here denotes the point addition operation on the curve.
• Elliptic Curve Discrete Logarithm Problem (ECDLP): Given $x\in {\mathbb{Z}}_q^{*}$ and $Q=xP$, where $P,Q\in G$ are on curve E, it is computationally infeasible for a probabilistic polynomial-time (PPT) adversary to compute x given Q and P.
• Elliptic Curve Diffie–Hellman Problem (ECDHP): Let $x,y\in {\mathbb{Z}}_q^{*}$, and let $X=xP$, $Y=yP$, where $X,Y\in G$ are on curve E. Given $X=xP$ and $Y=yP$, it is computationally infeasible for a PPT adversary to compute $xyP$.

3.1.2. Chinese Remainder Theorem (CRT)

The Chinese Remainder Theorem (CRT), also known as the Sun Zi theorem, provides a simple method to obtain the general solution for a system of linear congruences. The system of linear congruences for CRT is described as follows:

$$\left\{\begin{array}{c}x\equiv a_1(mod{m}_1)\hfill \\ x\equiv a_2(mod{m}_2)\hfill \\ x\equiv a_3(mod{m}_3)\hfill \\ ⋮\hfill \\ x\equiv a_n(mod{m}_n)\hfill \end{array}\right.$$

Assuming the integers $m_1,m_2,\dots ,m_n$ are pairwise coprime, then for any integers $a_1,a_2,\dots ,a_n$, the system has a solution. The general solution can be constructed as follows:

• Let $M=m_1\times m_2\times \dots \times m_n={\prod }_{i=1}^n{m}_i$, where M is the product of the n integers $m_1,m_2,\dots ,m_n$.
• Let $M_i={\displaystyle \frac{M}{m_i}}$, where $M_i$ is the product of the $n-1$ integers excluding $m_i$.
• Let $t_i=M_i^{-1}$, such that $t_i{M}_i\equiv 1(mod{m}_i)$ for any $i\in \{1,2,\dots ,n\}$.
• The general solution can be expressed as

  $$\begin{array}{cc}\hfill x& =a_1{t}_1{M}_1+a_2{t}_2{M}_2+\dots +a_n{t}_n{M}_n+kM\hfill \\ & =kM+{\displaystyle \sum _{i=1}^n}{a}_i{t}_i{M}_i,\mathrm{where}k\in \mathbb{Z}\hfill \\ & =\left({\displaystyle \sum _{i=1}^n}{a}_i{t}_i{M}_i\right)modM\hfill \end{array}$$

In this paper, the Chinese Remainder Theorem is used by the GCS to confirm the establishment of a one-to-many communication session.

3.1.3. Binary Tree-Based Key Agreement

Binary tree-based key agreement reduces the computational complexity from linear order $O\left(n\right)$ to logarithmic order $O(logn)$ by leveraging the binary tree structure, thus improving the efficiency of key management. Its core design principles are as follows:

• Node–Key Association: Each node $N_i$ in the binary tree is associated with a pair of keys $\{TS{K}_i,TP{K}_i\}$, where $TS{K}_i$ is the tree secret key, and $TP{K}_i=TS{K}_i·P$ is the corresponding public tree key. Leaf nodes represent UAVs $V_i$ participating in communication, and their private keys are directly set to the partial private key $k_i$ generated by the UAV during the authentication phase.
• Layered Recursive Calculation: The private key $TS{K}_i$ of a non-leaf node is recursively generated from the private keys of its left and right child nodes, with the formula

  $$TS{K}_i=H_5(TS{K}_{\mathrm{left}}·TP{K}_{\mathrm{right}},index)$$

  where $index$ is a random number assigned by the Ground Control Station (GCS), used to increase key entropy and prevent the generation of duplicate keys.
• Group Key Generation and Maintenance: The secret key $SK$ of the root node $N_0$ serves as the group session key shared by the current GCS and all UAVs. When new UAVs join or existing UAVs leave, the GCS can quickly reconstruct the group key by adding or deleting leaf nodes and updating the parameters of the nodes on the associated path, effectively ensuring forward and backward security.

3.2. System Model

The system model of the CUBAT-AKA scheme described in this paper primarily comprises three entities: the UAV, Ground Control Station (GCS) and Trusted Authority (TA), as shown in Figure 1.

1.

unmanned aerial vehicle (UAV): Each UAV is equipped with a lightweight communication module supporting both air-to-air (A2A) and air-to-ground (A2G) links. Before participating in any swarm mission, all UAVs must complete identity registration with the TA through a secure channel. During mission execution, UAVs exchange sensing data and coordination commands with neighboring UAVs via A2A links, and report status information to the GCS via A2G links. Due to limited onboard computational power, storage capacity and battery life, UAVs are considered resource-constrained nodes in the system.

2.

Ground Control Station (GCS): The GCS serves as the ground-side hub for UAV swarm management, responsible for task assignment, swarm coordination and real-time flight monitoring. It also acts as an access gateway that provides network connectivity for UAVs entering its coverage area. Compared to UAVs, the GCS possesses significantly greater computational and communication resources, enabling it to handle aggregated authentication messages and assist in group key distribution.

3.

Trusted Authority (TA): The TA is a fully trusted entity managed by authorized airspace regulators, responsible for system initialization, identity registration and credential issuance for all UAVs and GCSs. During the authentication phase, the TA performs batch identity verification to support large-scale UAV access. To mitigate single points of failure, we assume that redundant TAs are deployed.

3.3. Security Model

Upon the random oracle model, the proposed CUBAT-AKA scheme requires session key semantic security, entity authentication security, and forward/backward security for dynamic group key agreement.

3.3.1. Adversary Model

We consider a PPT adversary $\mathcal{A}$ that operates in the Canetti–Krawczyk (CK) model adapted for the UAV-ground cooperative scenario. The adversary $\mathcal{A}$ has the following capabilities:

• Full control over the communication channel: $\mathcal{A}$ can eavesdrop, intercept, modify, replay, inject, and delete any message transmitted over the public wireless channel between UAVs, GCSs, and TA.
• Corruption capability: $\mathcal{A}$ can compromise a subset of UAVs and obtain their long-term secret keys and session-specific ephemeral values, subject to the freshness condition that the target session remains uncorrupted.
• Oracle access: $\mathcal{A}$ interacts with the system through a bounded set of oracles, with explicit query bounds as specified in

  Table 2. Oracle query bounds.

  Oracle	Bound	Description
  ${\mathcal{O}}_{H_i}$	$q_{H_i}$	Queries to $H_i$, $i\in \{1,\dots ,6\}$
  ${\mathcal{O}}_{Send}$	$q_S$	Send queries across all sessions
  ${\mathcal{O}}_{Reg}$	$q_R$	Registration queries
  ${\mathcal{O}}_{Reveal}$	$q_{Rev}$	Session key reveal queries
  ${\mathcal{O}}_{LReveal}$	$q_{LR}$	Long-term key reveal queries
  ${\mathcal{O}}_{Corrupt}$	$q_C$	Entity corruption queries

  .

All query counts are polynomially bounded in the security parameter $\lambda$. We denote the total number of hash queries as $q_H={\sum }_{i=1}^6{q}_{H_i}$.

3.3.2. Session Key Semantic Security (SK-Security)

The SK-security game ${\mathbf{Exp}}_{\mathcal{A}}^{SK}\left(\lambda \right)$ between $\mathcal{A}$ and a challenger $\mathcal{C}$ proceeds as follows.

• Setup. $\mathcal{C}$ executes the TA initialization algorithm with security parameter $\lambda$ to generate the system public parameters $\mathit{params}=\{G,q,P,P_{pub},H_i(1\le i\le 6)\}$. $\mathcal{C}$ registers $n_V$ UAVs and $n_G$ GCSs. $\mathcal{C}$ sends $\mathit{params}$ and all public credentials to $\mathcal{A}$.
• Phase 1. $\mathcal{A}$ adaptively issues at most $(q_{H_i},q_S,q_R,q_{Rev},q_C)$ queries to the following oracles:

  –

  ${\mathcal{O}}_{H_i}\left(m\right)$: The oracle maintains a hash list ${\mathcal{L}}_{H_i}$. If $(m,r)\in {\mathcal{L}}_{H_i}$, it returns r; otherwise, it selects r uniformly at random from ${\mathbb{Z}}_q^{*}$, stores $(m,r)$ in ${\mathcal{L}}_{H_i}$, and returns r.

  –

  ${\mathcal{O}}_{Send}({\mathsf{\Pi }}_U^t,M)$: On input an instance ${\mathsf{\Pi }}_U^t$ of participant $U\in \{U_i,GC{S}_j,TA\}$ at session t and a message M, the oracle simulates the protocol execution and returns the response message.

  –

  ${\mathcal{O}}_{Reg}\left(RI{D}_i\right)$: On input a UAV identity $RI{D}_i$, the oracle executes the registration procedure and returns $\{p{s}_{RI{D}_i},P_{RI{D}_i},l_i\}$.

  –

  ${\mathcal{O}}_{Reveal}\left({\mathsf{\Pi }}_U^t\right)$: On input an instance ${\mathsf{\Pi }}_U^t$ that has completed the session, the oracle returns the group session key $TS{K}_0$. This oracle cannot be queried on the target test session $t^{*}$.

  –

  ${\mathcal{O}}_{Corrupt}\left(U_i\right)$: Returns all long-term secret material of $U_i$, including $\{s_{RI{D}_i},p{s}_{RI{D}_i},l_i\}$. The target session $t^{*}$ must satisfy the freshness condition: neither the owner nor the intended partner of $t^{*}$ is corrupted before the session completes.

• Challenge. $\mathcal{A}$ selects a fresh target session instance ${\mathsf{\Pi }}_U^{t^{*}}$ satisfying the freshness condition. $\mathcal{C}$ flips $b\stackrel{\$}{\leftarrow }\{0,1\}$. If $b=0$, $\mathcal{C}$ returns the real group session key $TS{K}_0$; if $b=1$, $\mathcal{C}$ returns a uniformly random value $S{K}^{*}\stackrel{\$}{\leftarrow }{\{0,1\}}^{\lambda }$.
• Guess. $\mathcal{A}$ outputs a guess $b^{\prime }$ for b.

Definition 1.

The proposed CUBAT-AKA scheme is  SK-secure   if for any PPT adversary $\mathcal{A}$ making at most $(q_{H_i},q_S,q_R,q_{Rev},q_C)$ oracle queries, its advantage

$${\mathbf{Adv}}_{\mathcal{A}}^{SK}\left(\lambda \right)=|Pr[b^{\prime }=b]-1/2|$$

(1)

is negligible in λ.

3.3.3. Entity Authentication Security (EA-Security)

The EA-security game ${\mathbf{Exp}}_{\mathcal{A}}^{EA}\left(\lambda \right)$ proceeds as follows.

• Setup. Identical to the SK-security game.
• Phase 1. $\mathcal{A}$ adaptively issues at most $(q_{H_i},q_S,q_R,q_{LR},q_C)$ queries to ${\mathcal{O}}_{H_i}$, ${\mathcal{O}}_{Send}$, ${\mathcal{O}}_{Reg}$, ${\mathcal{O}}_{Corrupt}$ (identical to SK-security), and additionally:

  –

  ${\mathcal{O}}_{LReveal}\left(U\right)$: Returns the long-term session key $l_i$ (for UAV $U_i$) or $l_j$ (for $GC{S}_j$). This oracle cannot be queried on the target entity $U^{*}$.

• Forgery. $\mathcal{A}$ outputs a forged message $M^{*}$ and identity $I{D}^{*}$ such that: (i) $I{D}^{*}$ is a registered entity neither queried via ${\mathcal{O}}_{LReveal}$ nor corrupted via ${\mathcal{O}}_{Corrupt}$; (ii) $M^{*}$ passes the verification procedure.

Definition 2.

The proposed CUBAT-AKA scheme is  EA-secure   if for any PPT adversary $\mathcal{A}$ making at most $(q_{H_i},q_S,q_R,q_{LR},q_C)$ oracle queries, its advantage

$${\mathbf{Adv}}_{\mathcal{A}}^{EA}\left(\lambda \right)=Pr\left[\mathcal{A}\mathrm{wins}\right]$$

(2)

is negligible in λ.

3.3.4. Forward and Backward Security

Definition 3

(Forward Security). Let $U_x$ depart at time $t_0$, $TS{K}_0^{\mathit{old}}$ be the group key before departure, and $TS{K}_0^{\mathit{new}}$ be the updated key. The scheme satisfies forward security if for any PPT adversary $\mathcal{A}$ making at most $q_{H_5}$ queries to ${\mathcal{O}}_{H_5}$ and possessing all key material of $U_x$, the advantage

$${\mathbf{Adv}}_{\mathcal{A}}^{FS}\left(\lambda \right)=|Pr[\mathcal{A}\left({\mathit{view}}_x\right)=TS{K}_0^{\mathit{new}}]-1/|{\mathbb{Z}}_q^{*}||$$

(3)

is negligible, where ${\mathit{view}}_x$ is the complete view of $U_x$ prior to departure.

Definition 4

(Backward Security). Let $U_n$ join at time $t_1$, $TS{K}_0^{\mathit{prev}}$ be the group key before joining, and $TS{K}_0^{\mathit{curr}}$ be the updated key. The scheme satisfies backward security if for any PPT adversary $\mathcal{A}$ making at most $q_{H_5}$ queries to ${\mathcal{O}}_{H_5}$ and possessing all key material of $U_n$, the advantage

$${\mathbf{Adv}}_{\mathcal{A}}^{BS}\left(\lambda \right)=|Pr[\mathcal{A}\left({\mathit{view}}_n\right)=TS{K}_0^{\mathit{prev}}]-1/|{\mathbb{Z}}_q^{*}||$$

(4)

is negligible, where ${\mathit{view}}_n$ is the complete view of $U_n$ after joining.

4. The CUBAT-AKA Scheme

The CUBAT-AKA scheme described in this paper comprises three phases: the initialize phase, the three-party authentication phase, and the dynamic group key update phase. During the initialize phase, the TA sets all necessary parameters and broadcasts public parameters and UAVs and GCS register with the TA to maintain long-term session keys with it. In the three-party authentication phase, UAVs, the GCS and the TA mutually authenticate each other to ensure the authenticity of UAV identities and the public keys used for key negotiation. In the dynamic group key update phase, the scheme accounts for events where authenticated UAVs join or leave the swarm. It utilizes an improved binary tree structure to achieve efficient reconstruction and distribution of group session keys, enabling authenticated UAVs and the GCS to establish a shared session key. The workflow of this scheme is shown in Figure 2, and the detailed steps for each phase are as follows.

4.1. Initialize Phase

The initialize phase primarily involves the generation of system parameters, the binding of entity identities, and the establishment of a trust chain, including TA initialize, UAV registration and GCS registration.

4.1.1. TA Initialize

The TA initializes all necessary system parameters, thereby establishing the cryptographic foundation for the secure interaction of all subsequent entities. Specifically, given a security parameter $\lambda$ equal to the group order q in the block cipher as input, the TA performs the following steps.

1.

Let G be a cyclic additive group on an elliptic curve over a finite field, where the order of the group is a prime number q and the generator of the group is P.

2.

TA selects a random number $s\in Z_q^{*}$ as the system’s private key and computes the corresponding public key $P_{pub}=sP$ as the system’s public key.

3.

TA selects the following cryptographic hash functions: $H_1:{\mathbb{Z}}_q^{*}\times {\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}$, $H_2:{\mathbb{Z}}_q^{*}\times {\{0,1\}}^{*}\times G\to {\mathbb{Z}}_q^{*}$, $H_3:{\mathbb{Z}}_q^{*}\times {\mathbb{Z}}_q^{*}\times {\mathbb{Z}}_q^{*}\times {\mathbb{Z}}_q^{*}\to {\mathbb{Z}}_q^{*}$, $H_4:{\mathbb{Z}}_q^{*}\times {\{0,1\}}^{*}\times {\mathbb{Z}}_q^{*}\times {\mathbb{Z}}_q^{*}\to {\mathbb{Z}}_q^{*}$, $H_5:{\{0,1\}}^{*}\times {\mathbb{Z}}_q^{*}\to {\mathbb{Z}}_q^{*}$, $H_6:G\times {\mathbb{Z}}_q^{*}\times {\mathbb{Z}}_q^{*}\to {\mathbb{Z}}_q^{*}$,

4.1.2. UAV Registration

Each UAV $U_i$ must register with the TA, the specific steps are as follows:

1.

$U_i$ chooses its real identity $RI{D}_i\in {\mathbb{Z}}_q^{*}$, randomly selects $v_i\in {\mathbb{Z}}_q^{*}$, sets $s_{RI{D}_i}=v_i$, computes the public value $R_{RI{D}_i}=v_i·P$, and sends $RI{D}_i,R_{RI{D}_i}$ to the TA.

2.

After receiving $RI{D}_i$ from $U_i$, the TA checks whether $RI{D}_i$ already exists. If it exists, the TA sends a failure signal to $U_i$, and $U_i$ needs to reselect $RI{D}_i$. Otherwise, the TA selects a secret value $t_i\in {\mathbb{Z}}_q^{*}$ for the received $RI{D}_i$, computes $P_i=t_i·P$ as the public value, and calculates the adaptively constructed batch public key $BP{K}_{RI{D}_i}=R_{RI{D}_i}-P_{RI{D}_i}$. Then compute $e_i=H_1(RI{D}_i,BP{K}_{RI{D}_i})$, $f_i=H_2(RI{D}_i,BP{K}_{RI{D}_i},P_{pub})$, the partial batch private key $p{s}_{RI{D}_i}=f_i{t}_i-s{e}_i$, and $l_i=H_1(RI{D}_i,s)$, where $l_i$ serves as the long-term session key between the UAV and the TA. The TA sends $\{p{s}_{RI{D}_i},P_{RI{D}_i},l_i\}$ to $U_i$ through a secure channel, completing the registration phase with $U_i$.

4.1.3. GCS Registration

Each $GC{S}_j$ needs to register with the TA and establish a long-term session key, which includes the following steps:

1.

$GC{S}_j$ chooses its identity $I{D}_j\in {\mathbb{Z}}_q^{*}$ and a random number $d\in {\mathbb{Z}}_q^{*}$, computes $Q_j=d·P$, and sends $\{I{D}_j,Q_j\}$ to the TA.

2.

After receiving $\{I{D}_j,Q_j\}$, the TA checks $I{D}_j$ to ensure its uniqueness. If $I{D}_j$ is unique, the TA computes the long-term session key $l_j=H_1(I{D}_j,s)$ with $GC{S}_j$, and sends $l_j$ to $GC{S}_j$ through a secure channel. Here, $l_j$ serves as the long-term session key between the GCS and the TA. Otherwise, $GC{S}_j$ needs to reselect $I{D}_j$.

4.2. Three-Party Authentication Phase

As UAVs are vulnerable to identity spoofing attacks in open environments, it is essential to verify the legitimacy of both the UAV and the Ground Control Station (GCS) before joining FANETs. To this end, this scheme designs a three-party mutual authentication protocol involving the UAV, the GCS and the Trusted Authority (TA). To address the computational burden associated with large-scale UAV access, a batch authentication mechanism has been introduced. By utilizing aggregation verification technology based on elliptic curve signatures, the TA is able to simultaneously verify the legitimacy of identity credentials for multiple UAVs, significantly reducing the average computational overhead per authentication. Furthermore, this scheme innovatively incorporates the Chinese Remainder Theorem (CRT), whereby the GCS aggregates multiple authentication response messages into a single value for broadcast. This effectively optimizes channel bandwidth utilization and system response speed whilst ensuring the security of the three-party mutual authentication. The specific steps are as follows:

1.

$U_i$ obtains the current timestamp $T_i$, selects $k_i\in {\mathbb{Z}}_q^{*}$ and a large prime $m_i\in {\mathbb{Z}}_q^{*}$, computes $K_i=k_i·P$, then computes $h_i=H_2(RI{D}_i,m_i,K_i)$, $f_i=H_2(RI{D}_i,BP{K}_{RI{D}_i},P_{pub})$, $s_i={(k_i+h_i)}^{-1}(s_{RI{D}_i}-f_i^{-1}p{s}_{RI{D}_i})$. Finally, $U_i$ sends $M_1=\{m_i,RI{D}_i,T_i,R_i,s_i,K_i\}$ to $GC{S}_j$.

2.

After receiving the corresponding $M_1$ from multiple UAVs within a period of time, $GC{S}_j$ verifies the validity of each $T_i$. If invalid, $GC{S}_j$ rejects the message and aborts the request. Otherwise, $GC{S}_j$ stores all $M_1$, computes $AUTH=RI{D}_1\oplus \dots \oplus RI{D}_n$, obtains the current timestamp $T_j$, computes the hash value ${\gamma }_j=H_3(I{D}_j,T_j,AUTH,l_j)$, and sends $M_2=\{{\left\{M_1\right\}}_{i=1}^n,I{D}_j,AUTH,T_j,{\gamma }_j\}$ to the TA.

3.

After receiving $M_2$ from $GC{S}_j$, the TA first checks the validity of $T_j$. If valid, the TA recovers $l_j$ by computing $l_j=H_1(I{D}_j,s)$, computes ${\gamma }_j^{\prime }=H_3(I{D}_j,T_j,AUTH,l_j)$, and checks whether ${\gamma }_j^{\prime }$ is equal to ${\gamma }_j$. If they are equal, the TA completes the authentication of $GC{S}_j$.

4.

The TA checks the validity of each $T_i$. If valid, the TA verifies that all received $RI{D}_i$ are legitimate identities. If they are all legitimate,

• Single verification: Compute $e_i^{\prime }=H_1(RI{D}_i,BP{K}_{RI{D}_i})$, $h_i^{\prime }=H_2(RI{D}_i,m_i,K_i)$, $f_i^{\prime }=H_2(RI{D}_i,BP{K}_{RI{D}_i},P_{pub})$, and verify the equation $s_i{K}_i+s_i{h}_i^{\prime }P=BP{K}_{RI{D}_i}+e_i^{\prime }·f_i^{\prime -1}{P}_{pub}$. Then compute ${\eta }_{TA}=H_4(T_{TA},c,RI{D}_i,l_j)$, ${\delta }_{TA}=H_4(T_{TA},Q_j,I{D}_j,l_i)$, and send $M_3=\{T_{TA},c,{\delta }_{TA},{\eta }_{TA}\}$ to $GC{S}_j$.
• Batch verification: Compute $e_i^{\prime }=H_1(RI{D}_i,BP{K}_{RI{D}_i})$, $h_i^{\prime }=H_2(RI{D}_i,m_i,K_i)$, $f_i^{\prime }=H_2(RI{D}_i,BP{K}_{RI{D}_i},P_{pub})$, and verify the equation ${\sum }_{i=1}^n{s}_i{K}_i+\left({\sum }_{i=1}^n{s}_i{h}_i^{\prime }\right)P={\sum }_{i=1}^{n}BP{K}_{RI{D}_i}+\left({\sum }_{i=1}^n{e}_i^{\prime }{f}_i^{\prime -1}\right)P_{pub}$. If the verification succeeds, compute ${\eta }_{TA}=H_4(T_{TA},c,AUTH,l_j)$, $H_{batch}=H_5(RI{D}_1\oplus \dots \oplus RI{D}_n,T_{TA})$, $GVK=H_1(H_{batch},s)$, and compute the group signature ${\delta }_{TA}=H_4(T_{TA},Q_j,I{D}_j,GVK)$. For each UAV, compute $E_i=GVK\oplus H_5(l_i,T_{TA})$, and send $M_3=\{T_{TA},c,{\delta }_{TA},{\eta }_{TA},{\left\{E_i\right\}}_{i=1}^n\}$ to $GC{S}_j$, where c indicates whether the message is for batch authentication or individual authentication: if it is individual authentication, $c=0$; if it is batch authentication, $c=1$.

5.

After receiving $M_3$ from the TA, $GC{S}_j$ checks the validity of $T_{TA}$. If valid, it computes ${\eta }_{TA}^{\prime }=H_4(T_{TA},c,AUTH,l_j)$ (where $AUTH=RI{D}_i$ when $c=0$, and $AUTH=RI{D}_1\oplus \dots \oplus RI{D}_n$ when $c=1$), and verifies whether ${\eta }_{TA}^{\prime }$ equals ${\eta }_{TA}$. If equal, $GC{S}_j$ completes the legitimacy authentication of $U_i$’s identity $RI{D}_i$, and uses the Chinese Remainder Theorem to compute $M={\prod }_{i=1}^n{m}_i$, $M_i={\displaystyle \frac{M}{m_i}}$, $t_i=M_i^{-1}$, and finally obtains $Z=\left({\sum }_{i=1}^n{H}_6(K_i,RI{D}_i,I{D}_j)·t_i·M_i\right)modM$. Then $GC{S}_j$ sends $M_4=\{Z,I{D}_j,c,Q_j,T_{TA},{\delta }_{TA},E_i\}$ to $U_i$.

6.

After receiving $M_4$ from $GC{S}_j$, $U_i$ checks whether $T_{TA}$ is valid. If valid, it checks the value of c: If $c=0$, compute ${\delta }_{TA}^{\prime }=H_4(T_{TA},Q_j,I{D}_j,l_i)$. Check whether ${\delta }_{TA}^{\prime }$ equals ${\delta }_{TA}$. If equal, check whether $H_6(K_i,RI{D}_i,I{D}_j)=Zmod{m}_i$. If so, establish a secure connection between $GC{S}_j$ and $U_i$, and use $K_i$s to ensure subsequent secure communication, completing $U_i$’s authentication of $GC{S}_j$’s legitimacy. If $c=1$, it is batch verification. $U_i$ computes $GV{K}^{\prime }=E_i\oplus H_5(l_i,T_{TA})$, then computes ${\delta }_{TA}^{\prime }=H_4(T_{TA},Q_j,I{D}_j,GV{K}^{\prime })$. If equal, check whether $H_6(K_i,RI{D}_i,I{D}_j)=Zmod{m}_i$. If so, establish a secure connection between $GC{S}_j$ and $U_i$, and use $K_i$s to ensure subsequent secure communication, completing $U_i$’s authentication of $GC{S}_j$’s legitimacy.

4.3. Dynamic Group Key Update Phase

Following the completion of three-party authentication, authorized UAVs and the GCS will negotiate a shared group session key based on an improved binary tree structure. Key update mechanisms are provided for both scenarios—UAVs joining and leaving FANETs—to ensure forward and backward security.

4.3.1. Key Agreement When a UAV Joins

A new tree-based key agreement algorithm is designed for this scenario to compute the common session key. The UAVs participating in the key agreement process are represented as an ordered sequence $\{U_1,U_2,\dots ,U_{n-1}\}$, where $U_1$ is the first UAV to join, $U_{n-1}$ is the last UAV to join, and the new UAV is $U_n$. Figure 3 shows the progress of key agreement when a UAV joins.

1.

Construct a binary tree $B{T}_n$ to compute the common group key. The structure of $B{T}_n$ satisfies two characteristics: first, the depth of $B{T}_n$ is equal to n, i.e., the current number of UAVs; second, $B{T}_n$ can be generated by inserting $B{T}_{n-1}$ into the right child node of a new complete binary tree consisting of three nodes.

2.

Each node $N_i$ of $B{T}_n$ is labeled with a number i. Each $N_i$ is associated with a tree secret key $TS{K}_i$ and a tree public key $TP{K}_i$ computed as $TP{K}_i=TS{K}_i·P$. The private key of a branch node $N_i$ is computed by the equation $TS{K}_i=H_5(TS{K}_{i+1}·TP{K}_{i+2},\mathrm{index})$, where $index$ is a random number assigned to the node by the GCS to prevent the generation of identical keys. The public key is $TP{K}_i=TS{K}_i·P$, and the private key of all leaf nodes $N_i$ is set to the partial private key $k_i$ of UAV $U_i$.

3.

The secret key $TS{K}_0$ of the root node $N_0$ is the common group session key of $GC{S}_j$ and UAVs $U_1,U_2,\dots ,U_{n-1}$. Before establishing a session with authenticated UAVs, $GC{S}_j$ selects a random number $k_j$ as the partial private key and computes the corresponding partial public key $K_j=k_j·P$ in the same way as the UAVs.

If the n-th UAV $U_n$ authenticated in the previous phase sends a join request to $GC{S}_j$, $GC{S}_j$ updates the binary tree by adding a new leaf node and recursively computes the private and public keys of each branch node using the formula. Then, $GC{S}_j$ selects a random number $b_j$ and computes $B_j=b_j·P$, obtaining the x-axis value $B_j^x$ of point $B_j$. It computes the signature $s_j=b_j^{-1}·\left(h(n,T_j,P{K}_i,TP{K}_{i+2},index)+B_j^x·d\right)$ to obtain the ECDSA signature ${\sigma }_j=(B_j^x,s_j)$. Finally, $GC{S}_j$ broadcasts the tuple $\{P{K}_i,TP{K}_{i+2},n,T_j,{\sigma }_j,inde{x}_n\}$ to nearby UAVs $U_i$, where the index n is used to assist UAVs in maintaining the structure of $B{T}_n$.

After receiving $\{TP{K}_1,TP{K}_2,n,T_j,{\sigma }_j\}$, $U_i$ needs to perform legitimacy verification. First, it checks the validity of the timestamp, then computes $X_j=h(TP{K}_1,TP{K}_2,T_j)·s_j^{-1}·P+B_j^x·s_j^{-1}·Q_j$, and compares whether $X_j$ is equal to $B_j^x$. If equal, $U_i$ accepts the message sent by $GC{S}_j$ and computes the group key $TS{K}_0$ using $\{TP{K}_1,TP{K}_2,T_j\}$.

(a)

First, $U_1$ sends a join request to $GC{S}_j$. $GC{S}_j$ computes $S{K}_0=H_5(k_j·TP{K}_1,{\mathrm{index}}_1)=H_5(k_j·k_1·P,{\mathrm{index}}_1)$, and $P{K}_0=S{K}_0·P$, where $k_j$ is the partial private key of $GC{S}_j$, and broadcasts the message $\{TP{K}_1,TP{K}_2,1,{\mathrm{index}}_1,T_j,{\theta }_1\}$ to $U_1$. It is worth noting that during the authentication phase, the partial public keys of each authenticated UAV have been sent to $GC{S}_j$. After receiving the message, $U_1$ computes $S{K}_0=H_5(k_1·TP{K}_2,{\mathrm{index}}_1)=H_5(k_1{k}_{j}P,{\mathrm{index}}_1)$. For simplicity, we ignore the signature generation and verification process.

(b)

Next, $U_2$ sends a join request to $GC{S}_j$. $GC{S}_j$ computes $S{K}_1=H_5(S{K}_0·TP{K}_1,inde{x}_2)=H_5(S{K}_0·TS{K}_1·P,inde{x}_2)=H_5(H_5(k_j·k_1·P)k_{2}P,inde{x}_2)$, $P{K}_1=S{K}_1·P$, and broadcasts $\{TP{K}_1,TP{K}_2,2,T_j,{\theta }_2,inde{x}_2\}$ to $U_1$ and $U_2$. Where $TP{K}_2=P{K}_0$. For $U_1$, $U_1$ computes $S{K}_1=H_5(S{K}_0·TP{K}_1,inde{x}_2)$, $P{K}_1=S{K}_1·P$, where $S{K}_0$ has been computed in step 1. For $U_2$, $U_2$ computes $S{K}_1=H_5(TS{K}_1·P{K}_0,inde{x}_2)=H_5(k_2{H}_5\left(k_1{k}_{j}P\right)P,inde{x}_2)$.

(c)

Finally, $U_3$ sends a join request to $GC{S}_j$. $GC{S}_j$ computes $S{K}_2=H_5(S{K}_1·TP{K}_1,inde{x}_3)$, $P{K}_2=S{K}_2·P$ and broadcasts $\{TP{K}_1,TP{K}_2,3,T_j,{\theta }_3,inde{x}_3\}$ to $U_1$, $U_2$ and $U_3$. For $U_1$ and $U_2$, they can compute $S{K}_2=H_5(S{K}_1·TP{K}_1,inde{x}_3)$. For $U_3$, $U_3$ computes $S{K}_2=H_5(TS{K}_1·TP{K}_2,inde{x}_3)$.

4.3.2. Key Agreement When a UAV Leaves

If $U_x$ leaves FANETs, $GC{S}_j$ will determine that $U_x$ is a leaving UAV. Assume that n UAVs have joined the grouping process. If a UAV $U_x$ ($1\le x\le n$) becomes a leaving UAV, the old tree $B{T}_n$ becomes $B{T}_{n-1}$ as follows: delete the leaf node $N_{2n-2x+1}$ and the branch node $N_{2n-2x+1}$ of $B{T}_n$, and the underlying subtree consisting of $N_{2n-2x+2},N_{2n-2x+3},\dots$ will move up one level. Figure 4 shows the progress of key agreement when a UAV leaves.

After receiving the leave request from $U_x$, $GC{S}_j$ updates the tree structure (from $B{T}_n$ to $B{T}_{n-1}$), and computes the private and public keys of all updated nodes for $B{T}_{n-1}$. Then, $GC{S}_j$ needs to sign $\{x,n-1,T_j,2\parallel |TP{K}_2,\dots ,(2n-2x)\parallel \left|TP{K}_{2n-2x}\right\}$ to obtain the ECDSA signature ${\sigma }_j$, and broadcasts $\{x,n-1,T_j,2\parallel |TP{K}_2,\dots ,(2n-2x)\parallel \left|TP{K}_{2n-2x}\right\}$. The index number is used together with $TP{K}_i$ to prevent the adversary from changing the relative order of $TP{K}_i$. After receiving the broadcast message, any joined $U_i$ can update the tree structure of $B{T}_n$ according to the number x and n contained in the latest update message of the join phase, and use the required tree public key to compute $SK$. Finally, each UAV needs to update the index of $B{T}_{n-1}$. For each known $x+1<i<n$, subtract 1 from i. Since the signature and verification methods of the message sent by $GC{S}_j$ are exactly the same as those in the UAV join case except for using different hash functions, the signature and verification steps will not be repeated here. To describe the above process more vividly, we give an example where $U_2$ in a four-UAV scenario becomes a leaving UAV, and show how $\{U_1,U_3,U_4\}$ and $GC{S}_j$ compute the new group key.

After $U_x$ leaves, $GC{S}_j$ updates the old tree structure $B{T}_4$ to the new tree structure $B{T}_3$. It sets $TS{K}_6$ of $B{T}_4$ as $TS{K}_4$ of $B{T}_3$, computes $TS{K}_2=H_5(TS{K}_4·TP{K}_3,index)$, $TP{K}_2=TS{K}_2·P$, $S{K}_{new}=H_5(TS{K}_2·TP{K}_1,index)$, and broadcasts $\{x=2,TP{K}_2,TP{K}_4\}$ to $\{U_1,U_3,U_4\}$. For $U_1$, update the tree structure and compute $TS{K}_4=h_6(TS{K}_1·TP{K}_j,index)$, $TS{K}_2=H_5(TS{K}_4·TP{K}_3,index)$, $S{K}_{new}=H_5(TS{K}_2·TP{K}_1,index)$. Note that $U_1$ knows $K_j$ and $TP{K}_3$ from the $TP{K}_4$ generated during the UAV joining process. For $U_3$, update the tree structure and compute $TS{K}_2=H_5(TS{K}_4·TP{K}_3,index)$, $S{K}_{new}=H_5(TS{K}_2·TP{K}_1,index)$. For $U_4$, update the tree structure and compute $TS{K}_2$ and $S{K}_{new}$.

5. Security and Performance Analysis

5.1. Security Analysis

5.1.1. Correctness Analysis

First, we verify the correctness of the single verification equation in the authentication phase. During the UAV registration phase, the TA computes the batch public key $BP{K}_{RI{D}_i}=R_{RI{D}_i}-P_{RI{D}_i}$ and the partial batch private key $p{s}_{RI{D}_i}=f_i{t}_i-s{e}_i$ for each UAV $U_i$, where $s_{RI{D}_i}=U_i$ and $P_i=t_i·P$. In the authentication phase, $V_i$ constructs a signature $s_i$ based on the above parameters, and the TA verifies the authentication equation. Given the registration and authentication parameters, the verification equation can be derived as follows:

$$\begin{array}{cc}\hfill & s_i{K}_i+s_i{h}_i^{\prime }P\hfill \\ \hfill & =\left(k_i+h_i^{-1}{s}_{RI{D}_i}-f_i^{-1}(f_i{t}_i-s{e}_i)\right)(k_{i}P+h_i^{\prime }P)\hfill \\ \hfill & =\left(k_i+h_i^{-1}{s}_{RI{D}_i}-t_i+f_i^{-1}s{e}_i\right)(k_{i}P+h_i^{\prime }P)\hfill \\ \hfill & =(s_{RI{D}_i}-t_i+f_i^{-1}s{e}_i)P\hfill \\ \hfill & =(v_{i}P-t_{i}P)+e_i^{\prime }·f_i^{\prime -1}{P}_{pub}\hfill \\ \hfill & =BP{K}_{RI{D}_i}+e_i^{\prime }·f_i^{\prime -1}{P}_{pub}\hfill \end{array}$$

(5)

In the batch authentication scenario, the TA does not need to verify each UAV individually but instead aggregates the verification equations of n UAVs. By summing the parameters of all UAVs, n independent verifications are compressed into a single equation verification:

$$\begin{array}{cc}\hfill & {\displaystyle \sum _{i=1}^n}{s}_i{K}_i+\left({\displaystyle \sum _{i=1}^n}{s}_i{h}_i^{\prime }\right)P\hfill \\ \hfill & ={\displaystyle \sum _{i=1}^n}\left(k_i+h_i^{-1}{s}_{RI{D}_i}-f_i^{-1}(f_i{t}_i-s{e}_i)\right)(k_i+h_i^{\prime })P\hfill \\ \hfill & ={\displaystyle \sum _{i=1}^n}(s_{RI{D}_i}-t_i+f_i^{-1}s{e}_i)P\hfill \\ \hfill & ={\displaystyle \sum _{i=1}^n}(v_{i}P-t_{i}P)+{\displaystyle \sum _{i=1}^n}{e}_i^{\prime }·f_i^{\prime -1}sP\hfill \\ \hfill & ={\displaystyle \sum _{i=1}^n}BP{K}_{RI{D}_i}+\left({\displaystyle \sum _{i=1}^n}{e}_i^{\prime }{f}_i^{\prime -1}\right)P_{pub}\hfill \end{array}$$

(6)

5.1.2. Formal Security Proofs

Theorem 1.

If the ECDL assumption holds, then CUBAT-AKA is SK-secure. For any PPT adversary $\mathcal{A}$ making at most $(q_{H_1},\dots ,q_{H_6},q_S,q_R,q_{Rev},q_C)$ oracle queries,

$${\mathbf{Adv}}_{\mathcal{A}}^{SK}\left(\lambda \right)\le q_S·q_{H_5}·{\mathbf{Adv}}^{ECDL}\left(\lambda \right)+{\displaystyle \frac{q_S^2}{2q}}+{\displaystyle \frac{q_{H_5}}{q}}$$

(7)

Proof. 

We prove the theorem through a sequence of games.

Game ${\mathbf{G}}_0$. This is the real SK-security game. By definition, ${\mathbf{Adv}}_{\mathcal{A}}^{{\mathbf{G}}_0}={\mathbf{Adv}}_{\mathcal{A}}^{SK}\left(\lambda \right)$.

Game ${\mathbf{G}}_1$. Identical to ${\mathbf{G}}_0$ except that $\mathcal{C}$ aborts if any two ${\mathcal{O}}_{Send}$ queries produce the same ephemeral public key $K_i=k_{i}P$. By the birthday bound: $|{\mathbf{Adv}}_{\mathcal{A}}^{{\mathbf{G}}_1}-{\mathbf{Adv}}_{\mathcal{A}}^{{\mathbf{G}}_0}|\le q_S^2/\left(2q\right)$.

Game ${\mathbf{G}}_2$. Identical to ${\mathbf{G}}_1$ except that $\mathcal{C}$ selects the target session $t^{*}$ uniformly at random from all $q_S$ sessions at the beginning. If $\mathcal{A}$’s challenge does not match $t^{*}$, $\mathcal{C}$ aborts. This yields ${\mathbf{Adv}}_{\mathcal{A}}^{{\mathbf{G}}_2}={\mathbf{Adv}}_{\mathcal{A}}^{{\mathbf{G}}_1}/q_S$.

Game ${\mathbf{G}}_3$. Identical to ${\mathbf{G}}_2$ except that $\mathcal{C}$ replaces the group session key $TS{K}_0$ of the target session with a uniformly random value regardless of b. We show that any difference between ${\mathbf{G}}_2$ and ${\mathbf{G}}_3$ implies a solver $\mathcal{B}$ for the ECDL problem.

Construction of $\mathcal{B}$. Given an ECDL instance $(P,Q=aP)$ with unknown $a\in {\mathbb{Z}}_q^{*}$, $\mathcal{B}$ proceeds as follows.

Setup: $\mathcal{B}$ selects $s\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$, sets $P_{pub}=sP$, and publishes $\mathit{params}$. $\mathcal{B}$ initializes hash lists ${\mathcal{L}}_{H_1},\dots ,{\mathcal{L}}_{H_6}$.

Oracle simulation:

• ${\mathcal{O}}_{H_i}(·)$: Simulated consistently via hash list ${\mathcal{L}}_{H_i}$.
• ${\mathcal{O}}_{Send}({\mathsf{\Pi }}_U^t,M)$: For the target session $t^{*}$, $\mathcal{B}$ embeds the ECDL challenge by setting the target UAV $U_{i^{*}}$’s ephemeral public key as $K_{i^{*}}=Q=aP$ (implicitly $k_{i^{*}}=a$). To produce a valid authentication message without knowing a, $\mathcal{B}$ selects $s_{i^{*}}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$ and programs ${\mathcal{O}}_{H_2}$: it sets $h_{i^{*}}=H_2(RI{D}_{i^{*}},m_{i^{*}},K_{i^{*}})$ to the unique value satisfying the verification equation $s_{i^{*}}{K}_{i^{*}}+s_{i^{*}}{h}_{i^{*}}^{\prime }P=BP{K}_{RI{D}_{i^{*}}}+e_{i^{*}}^{\prime }·f_{i^{*}}^{\prime -1}{P}_{pub}$. Since $H_2$ is a random oracle and $(RI{D}_{i^{*}},m_{i^{*}},K_{i^{*}})$ has not been previously queried (ensured by ${\mathbf{G}}_1$), this programming is consistent. For all other sessions, $\mathcal{B}$ selects $k_i\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$ honestly and follows the protocol.
• ${\mathcal{O}}_{Reveal}\left({\mathsf{\Pi }}_U^t\right)$: For $t\ne t^{*}$, $\mathcal{B}$ computes and returns $TS{K}_0$ using the known $k_i$ values via the binary tree derivation. For $t=t^{*}$, this query is disallowed.
• ${\mathcal{O}}_{Corrupt}\left(U_i\right)$: For $U_i\ne U_{i^{*}}$, $\mathcal{B}$ returns all secret material (known to $\mathcal{B}$). For $U_{i^{*}}$, $\mathcal{B}$ returns all long-term keys $\{s_{RI{D}_{i^{*}}},p{s}_{RI{D}_{i^{*}}},l_{i^{*}}\}$ but cannot return $k_{i^{*}}=a$; however, by the freshness condition, this query is disallowed for the target session.

Extraction. In the target session, $GC{S}_j$’s ephemeral private key $k_j$ is known to $\mathcal{B}$. The group session key at the root of the binary tree is computed as $TS{K}_0=H_5(k_j·K_{i^{*}},\mathrm{index})=H_5(k_j·aP,\mathrm{index})$. Since $\mathcal{B}$ knows both $k_j$ and $Q=aP$, it can compute $k_j·Q$ directly via scalar multiplication and obtain the target value $W^{*}=k_j·Q\in G$. Then $\mathcal{B}$ monitors all queries to ${\mathcal{O}}_{H_5}$: for each query $(W,\mathrm{idx})$ with $\mathrm{idx}=\mathrm{index}$, $\mathcal{B}$ checks whether $W=W^{*}$ by elliptic curve point comparison. This check requires no discrete logarithm computation or bilinear pairing—it is a direct comparison of two points in G.

Since $H_5$ is a random oracle, $TS{K}_0$ is uniformly distributed unless $\mathcal{A}$ queries ${\mathcal{O}}_{H_5}$ on the exact input $(W^{*},\mathrm{index})$. To construct such a query, $\mathcal{A}$ must compute $k_j·aP$ from the public values $(P,Q=aP,K_j=k_{j}P)$. Since $\mathcal{A}$ does not know $k_j$ (which is internal to the GCS and never published—only $K_j=k_{j}P$ is broadcast), computing $k_j·Q$ from $(P,Q,K_j)$ is the CDH problem, which is at least as hard as ECDL. If $\mathcal{A}$ distinguishes $TS{K}_0$ from random with advantage $\delta$, then $\mathcal{A}$ must query $H_5$ on input $(W^{*},\mathrm{index})$ with probability at least $\delta$. Among the $q_{H_5}$ queries, $\mathcal{B}$ identifies the correct one by point comparison, yielding

$$|{\mathbf{Adv}}_{\mathcal{A}}^{{\mathbf{G}}_2}-{\mathbf{Adv}}_{\mathcal{A}}^{{\mathbf{G}}_3}|\le q_{H_5}·{\mathbf{Adv}}^{ECDL}\left(\lambda \right)+{\displaystyle \frac{q_{H_5}}{q}}$$

(8)

In ${\mathbf{G}}_3$, the session key is independent of b, so ${\mathbf{Adv}}_{\mathcal{A}}^{{\mathbf{G}}_3}=0$. Combining all transitions,

$${\mathbf{Adv}}_{\mathcal{A}}^{SK}\left(\lambda \right)\le q_S·q_{H_5}·{\mathbf{Adv}}^{ECDL}\left(\lambda \right)+{\displaystyle \frac{q_S^2}{2q}}+{\displaystyle \frac{q_{H_5}}{q}}$$

(9)

Since ${\mathbf{Adv}}^{ECDL}\left(\lambda \right)$ is negligible, the scheme is SK-secure. □

Theorem 2.

If the ECDL and CDH assumptions hold, then CUBAT-AKA is EA-secure. For any PPT adversary $\mathcal{A}$ making at most $(q_{H_1},\dots ,q_{H_6},q_S,q_R,q_{LR},q_C)$ oracle queries,

$${\mathbf{Adv}}_{\mathcal{A}}^{EA}\left(\lambda \right)\le q_{H_1}·{\mathbf{Adv}}^{ECDL}\left(\lambda \right)+q_{H_2}^2·{\mathbf{Adv}}^{CDH}\left(\lambda \right)+{\displaystyle \frac{q_{H_3}+q_S}{q}}$$

(10)

Proof. 

Suppose $\mathcal{A}$ wins with advantage $ϵ={ϵ}_1+{ϵ}_2$, where ${ϵ}_1$ is the probability of forging a GCS identity and ${ϵ}_2$ is the probability of forging a UAV identity.

Case 1: Forging a GCS identity (reduction to ECDL).

We construct ${\mathcal{B}}_1$ to solve ECDL using $\mathcal{A}$. Given $(P,Q=sP)$ with unknown s, ${\mathcal{B}}_1$ sets $P_{pub}=Q$.

Oracle simulation.${\mathcal{B}}_1$ programs ${\mathcal{O}}_{H_1}$ as a random oracle with hash list ${\mathcal{L}}_{H_1}$. For ${\mathcal{O}}_{LReveal}\left(GC{S}_j\right)$ on non-target GCSs ($j\ne j^{*}$), ${\mathcal{B}}_1$ selects $l_j\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$, stores $(I{D}_j,\perp ,l_j)$ in ${\mathcal{L}}_{H_1}$, and returns $l_j$. For ${\mathcal{O}}_{Send}$ queries involving GCS authentication with ${\gamma }_j=H_3(I{D}_j,T_j,AUTH,l_j)$, ${\mathcal{B}}_1$ computes valid values using the programmed $l_j$.

Extraction. If $\mathcal{A}$ forges a valid ${\gamma }_{j^{*}}^{*}=H_3(I{D}_{j^{*}},T_{j^{*}}^{*},AUT{H}^{*},l_{j^{*}}^{*})$, then $\mathcal{A}$ must have queried $H_3$ with the correct $l_{j^{*}}=H_1(I{D}_{j^{*}},s)$, which requires querying ${\mathcal{O}}_{H_1}$ on $(I{D}_{j^{*}},s^{\prime })$ with $s^{\prime }=s$. ${\mathcal{B}}_1$ scans ${\mathcal{L}}_{H_1}$ and checks each query $(I{D}_{j^{*}},s^{\prime })$ by verifying $s^{\prime }·P\stackrel{?}{=}Q$ via scalar multiplication—no bilinear pairing is needed. If $s^{\prime }·P=Q$, then $s^{\prime }=s$ is the ECDL solution. The probability that $\mathcal{A}$ succeeds without querying $H_1(I{D}_{j^{*}},s)$ is at most $q_{H_3}/q$ (guessing the $H_3$ output). Therefore,

$${\mathbf{Adv}}_{{\mathcal{B}}_1}^{ECDL}\left(\lambda \right)\ge {\displaystyle \frac{{ϵ}_1-q_{H_3}/q}{q_{H_1}}}$$

(11)

Case 2: Forging a UAV identity (reduction to CDH via forking lemma).

We construct ${\mathcal{B}}_2$ to solve CDH using $\mathcal{A}$. Given $(P,X=xP,Y=yP)$ with unknown $x,y$, ${\mathcal{B}}_2$ sets $P_{pub}=X=xP$ (implicitly $s=x$).

Setup. For target UAV $U_{i^{*}}$, ${\mathcal{B}}_2$ sets $R_{RI{D}_{i^{*}}}=Y=yP$ (implicitly $s_{RI{D}_{i^{*}}}=v_{i^{*}}=y$), selects $t_{i^{*}}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$, and computes $P_{i^{*}}=t_{i^{*}}P$ and $BP{K}_{RI{D}_{i^{*}}}=Y-P_{i^{*}}=(y-t_{i^{*}})P$. For non-target UAVs, ${\mathcal{B}}_2$ selects all values honestly. For ${\mathcal{O}}_{LReveal}$ on non-target entities, ${\mathcal{B}}_2$ programs the random oracle $H_1$ to return consistent values.

Oracle simulation. For ${\mathcal{O}}_{Send}$ queries involving the target UAV, ${\mathcal{B}}_2$ cannot compute $p{s}_{RI{D}_{i^{*}}}=f_{i^{*}}{t}_{i^{*}}-x{e}_{i^{*}}$ (since x is unknown). Instead, ${\mathcal{B}}_2$ selects $s_{i^{*}}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$ and programs ${\mathcal{O}}_{H_2}$ to make the verification equation hold, as in Theorem 1.

Extraction via the forking lemma.

$$s_{i^{*}}^{*}{K}_{i^{*}}^{*}+s_{i^{*}}^{*}{h}_{i^{*}}^{\prime *}P=BP{K}_{RI{D}_{i^{*}}}+e_{i^{*}}^{\prime *}·f_{i^{*}}^{\prime *-1}{P}_{pub}$$

(12)

where $h_{i^{*}}^{\prime *}=H_2(RI{D}_{i^{*}}^{*},m_{i^{*}}^{*},K_{i^{*}}^{*})$, $e_{i^{*}}^{\prime *}=H_1(RI{D}_{i^{*}}^{*},BP{K}_{RI{D}_{i^{*}}})$, $f_{i^{*}}^{\prime *}=H_2(RI{D}_{i^{*}}^{*},BP{K}_{RI{D}_{i^{*}}},P_{pub})$.

${\mathcal{B}}_2$ rewinds $\mathcal{A}$ with the same random tape but a different $H_2$ response $h_{i^{*},2}^{\prime *}\ne h_{i^{*},1}^{\prime *}$ on the forged input, obtaining a second valid forgery. From the two equations,

$$\begin{array}{cc}\hfill s_{i^{*},1}^{*}(K_{i^{*}}^{*}+h_{i^{*},1}^{\prime *}P)& =BP{K}_{RI{D}_{i^{*}}}+e_{i^{*}}^{\prime *}{f}_{i^{*}}^{\prime *-1}·xP\hfill \end{array}$$

(13)

$$\begin{array}{cc}\hfill s_{i^{*},2}^{*}(K_{i^{*}}^{*}+h_{i^{*},2}^{\prime *}P)& =BP{K}_{RI{D}_{i^{*}}}+e_{i^{*}}^{\prime *}{f}_{i^{*}}^{\prime *-1}·xP\hfill \end{array}$$

(14)

Subtracting (14) from (13),

$$s_{i^{*},1}^{*}(K_{i^{*}}^{*}+h_{i^{*},1}^{\prime *}P)-s_{i^{*},2}^{*}(K_{i^{*}}^{*}+h_{i^{*},2}^{\prime *}P)=\mathbf{0}$$

(15)

Let ${\mathsf{\Delta }}_1=s_{i^{*},1}^{*}-s_{i^{*},2}^{*}$ and ${\mathsf{\Delta }}_2=s_{i^{*},1}^{*}{h}_{i^{*},1}^{\prime *}-s_{i^{*},2}^{*}{h}_{i^{*},2}^{\prime *}$. Then ${\mathsf{\Delta }}_1·K_{i^{*}}^{*}+{\mathsf{\Delta }}_2·P=\mathbf{0}$, yielding:

$$K_{i^{*}}^{*}=-{\mathsf{\Delta }}_1^{-1}{\mathsf{\Delta }}_2·P$$

(16)

This reveals the discrete logarithm of $K_{i^{*}}^{*}$ as $k_{i^{*}}^{*}=-{\mathsf{\Delta }}_1^{-1}{\mathsf{\Delta }}_{2}modq$, which ${\mathcal{B}}_2$ can directly compute. Substituting back into the original Equation (12) and using $BP{K}_{RI{D}_{i^{*}}}=(y-t_{i^{*}})P$ and $P_{pub}=xP$,

$$s_{i^{*}}^{*}(k_{i^{*}}^{*}+h_{i^{*}}^{\prime *})P=(y-t_{i^{*}})P+e_{i^{*}}^{\prime *}{f}_{i^{*}}^{\prime *-1}·xP$$

(17)

Since ${\mathcal{B}}_2$ now knows $s_{i^{*}}^{*}$, $k_{i^{*}}^{*}$, $h_{i^{*}}^{\prime *}$, $t_{i^{*}}$, $e_{i^{*}}^{\prime *}$, $f_{i^{*}}^{\prime *}$ (all computable scalars), it extracts

$$e_{i^{*}}^{\prime *}{f}_{i^{*}}^{\prime *-1}·xP=s_{i^{*}}^{*}(k_{i^{*}}^{*}+h_{i^{*}}^{\prime *})P-(y-t_{i^{*}})P$$

(18)

The right-hand side involves $yP=Y$ (known) and all other known scalars, so ${\mathcal{B}}_2$ computes ${\left(e_{i^{*}}^{\prime *}{f}_{i^{*}}^{\prime *-1}\right)}^{-1}$ times the right-hand side to obtain $xP=X$ (already known). However, the value y can be extracted from the scalar equation: $s_{i^{*}}^{*}(k_{i^{*}}^{*}+h_{i^{*}}^{\prime *})=(y-t_{i^{*}})+e_{i^{*}}^{\prime *}{f}_{i^{*}}^{\prime *-1}x$, which gives $y=s_{i^{*}}^{*}(k_{i^{*}}^{*}+h_{i^{*}}^{\prime *})+t_{i^{*}}-e_{i^{*}}^{\prime *}{f}_{i^{*}}^{\prime *-1}x$. Since this is a linear equation in two unknowns x and y, ${\mathcal{B}}_2$ uses the second forked equation to obtain a second independent linear equation, solving for both x and y, and thereby computing $xyP$.

By the forking lemma, if $\mathcal{A}$ succeeds with probability ${ϵ}_2$ and makes $q_{H_2}$ queries,

$${\mathbf{Adv}}_{{\mathcal{B}}_2}^{CDH}\left(\lambda \right)\ge {ϵ}_2\left({\displaystyle \frac{{ϵ}_2}{q_{H_2}}}-{\displaystyle \frac{1}{q}}\right)$$

(19)

Combining. Since $ϵ={ϵ}_1+{ϵ}_2$ and both ${\mathbf{Adv}}^{ECDL}\left(\lambda \right)$ and ${\mathbf{Adv}}^{CDH}\left(\lambda \right)$ are negligible,

$${\mathbf{Adv}}_{\mathcal{A}}^{EA}\left(\lambda \right)\le q_{H_1}·{\mathbf{Adv}}^{ECDL}\left(\lambda \right)+q_{H_2}^2·{\mathbf{Adv}}^{CDH}\left(\lambda \right)+{\displaystyle \frac{q_{H_3}+q_S}{q}}$$

(20)

Hence, the scheme is EA-secure. □

Theorem 3.

If the ECDL assumption holds and $H_5$ is modeled as a random oracle, then CUBAT-AKA satisfies forward security (Definition 3). Concretely,

$${\mathbf{Adv}}_{\mathcal{A}}^{FS}\left(\lambda \right)\le q_{H_5}·{\mathbf{Adv}}^{ECDL}\left(\lambda \right)+{\displaystyle \frac{q_{H_5}}{q}}$$

(21)

Proof. 

Suppose $\mathcal{A}$ possesses the complete view ${\mathit{view}}_x=\{k_x,{\left\{TS{K}_i^{\mathit{old}}\right\}}_{i\in \mathit{path}\left(x\right)},{\left\{TP{K}_i\right\}}_{i\in \mathit{tree}}\}$ of the departing UAV $U_x$.

After $U_x$ departs, the GCS removes its leaf node from $B{T}_n$ to form $B{T}_{n-1}$ and recomputes all affected path keys. Let node j be the sibling of $U_x$’s former leaf with updated key $TS{K}_j^{\mathit{new}}$. The updated parent is $TS{K}_p^{\mathit{new}}=H_5(TS{K}_j^{\mathit{new}}·TP{K}_r,{\mathrm{idx}}_p)$, propagating to the new root $TS{K}_0^{\mathit{new}}$.

We construct a reduction to ECDL. Given $(P,Q^{*}=a^{*}P)$ with unknown $a^{*}$, $\mathcal{B}$ sets the remaining honest node’s tree private key as $TS{K}_j^{\mathit{new}}=a^{*}$ and publishes $TP{K}_j^{\mathit{new}}=Q^{*}$. Since $U_x$ does not possess $TS{K}_j^{\mathit{new}}$ (it belongs to an honest UAV), $\mathcal{A}$ must compute $TS{K}_p^{\mathit{new}}=H_5(a^{*}·TP{K}_r,{\mathrm{idx}}_p)$.

Since $H_5$ is a random oracle, $TS{K}_p^{\mathit{new}}$ is uniformly random unless $\mathcal{A}$ queries ${\mathcal{O}}_{H_5}$ on input $(a^{*}·TP{K}_r,{\mathrm{idx}}_p)$. $\mathcal{B}$ knows $TP{K}_r=\beta P$ (where $\beta$ is the tree private key of a non-affected node known to the GCS), and can compute the target value $W^{*}=a^{*}·TP{K}_r=a^{*}\beta P=\beta ·Q^{*}$ via scalar multiplication of the known $\beta$ with the known $Q^{*}$. For each query $(W,\mathrm{idx})$ to ${\mathcal{O}}_{H_5}$ with $\mathrm{idx}={\mathrm{idx}}_p$, $\mathcal{B}$ checks $W\stackrel{?}{=}{W}^{*}$ by elliptic curve point comparison—no bilinear pairing is required.

If $\mathcal{A}$ can compute $TS{K}_0^{\mathit{new}}$ without querying $H_5$ on the correct input, the probability is at most $q_{H_5}/q$. Therefore,

$${\mathbf{Adv}}_{\mathcal{A}}^{FS}\left(\lambda \right)\le q_{H_5}·{\mathbf{Adv}}^{ECDL}\left(\lambda \right)+{\displaystyle \frac{q_{H_5}}{q}}$$

(22)

Since ${\mathbf{Adv}}^{ECDL}\left(\lambda \right)$ is negligible, forward security is satisfied. □

Theorem 4.

If the ECDL assumption holds and $H_5$ is modeled as a random oracle, then CUBAT-AKA satisfies backward security (Definition 4). Concretely,

$${\mathbf{Adv}}_{\mathcal{A}}^{BS}\left(\lambda \right)\le q_{H_5}·{\mathbf{Adv}}^{ECDL}\left(\lambda \right)+{\displaystyle \frac{q_{H_5}}{q}}$$

(23)

Proof. 

Suppose $\mathcal{A}$ possesses the complete view ${\mathit{view}}_n=\{k_n,{\left\{TS{K}_i^{\mathit{curr}}\right\}}_{i\in \mathit{path}\left(n\right)},\left\{TP{K}_i^{\mathit{curr}}\right\},$$\left\{TP{K}_i^{\mathit{prev}}\right\}\}$ of the newly joined UAV $U_n$.

The previous group session key was $TS{K}_0^{\mathit{prev}}=H_5(TS{K}_2^{\mathit{prev}}·TP{K}_1^{\mathit{prev}},{\mathrm{idx}}_0)$, computed from the old tree $B{T}_{n-1}$ that existed before $U_n$ joined. Since $U_n$ was not present in the previous session, it does not possess any old tree private keys.

We reduce to ECDL. Given $(P,Q^{**}=a^{**}P)$ with unknown $a^{**}$, $\mathcal{B}$ embeds a critical old tree private key as $TS{K}_c^{\mathit{prev}}=a^{**}$ and publishes $TP{K}_c^{\mathit{prev}}=Q^{**}$. To compute $TS{K}_0^{\mathit{prev}}$, $\mathcal{A}$ must evaluate $H_5$ on an input involving $a^{**}·TP{K}_d^{\mathit{prev}}$ for some sibling node d. By the same argument as Theorem 3, $\mathcal{B}$ computes the target value $W^{**}=a^{**}·TP{K}_d^{\mathit{prev}}$ via scalar multiplication using known values and monitors ${\mathcal{O}}_{H_5}$ queries by point comparison.

Additionally, since $H_5$ is a one-way random oracle, $\mathcal{A}$ cannot invert the current hash chain values $\left\{TS{K}_i^{\mathit{curr}}\right\}$ to recover $\left\{TS{K}_i^{\mathit{prev}}\right\}$, as the old and new trees use different inputs and $\mathrm{index}$ values. Therefore,

$${\mathbf{Adv}}_{\mathcal{A}}^{BS}\left(\lambda \right)\le q_{H_5}·{\mathbf{Adv}}^{ECDL}\left(\lambda \right)+{\displaystyle \frac{q_{H_5}}{q}}$$

(24)

Since ${\mathbf{Adv}}^{ECDL}\left(\lambda \right)$ is negligible, backward security is satisfied. □

Theorem 5.

If CUBAT-AKA is SK-secure (Theorem 1), EA-secure (Theorem 2), forward-secure (Theorem 3), and backward-secure (Theorem 4), then the scheme resists all attacks in the threat model.

Proof. 

Resistance against eavesdropping attacks. An eavesdropper captures $\{K_i=k_{i}P,R_i,BP{K}_{RI{D}_i}\}$ from protocol messages. Recovering $\{k_i,v_i\}$ requires solving ECDL. The group key $TS{K}_0=H_5(TS{K}_1·TP{K}_2,\mathrm{index})$ depends on secret tree keys; computing $TS{K}_i$ from $TP{K}_i=TS{K}_i·P$ requires ECDL. Formally guaranteed by Theorem 1.

Resistance against replay attacks. Each message includes a fresh timestamp $T_i$ and a random nonce $k_i$. Replaying $M_1=\{m_i,RI{D}_i,T_i,R_i,s_i,K_i\}$ fails the timestamp check. Modifying $T_i$ invalidates $s_i$ since $h_i=H_2(RI{D}_i,m_i,K_i)$ binds the signature to the original parameters. Under the random oracle model, forging a valid $s_i$ for modified parameters requires solving ECDL.

Resistance against man-in-the-middle attacks. The three-party mutual authentication ensures: (i) TA authenticates GCS via ${\gamma }_j=H_3(I{D}_j,T_j,AUTH,l_j)$ using the exclusive long-term key $l_j$; (ii) TA authenticates UAVs via the batch verification equation; (iii) GCS authenticates TA via ${\eta }_{TA}=H_4(T_{TA},c,AUTH,l_j)$; (iv) UAVs authenticate GCS via ${\delta }_{TA}=H_4(T_{TA},Q_j,I{D}_j,l_i)$ (single) or $H_4(T_{TA},Q_j,I{D}_j,GVK)$ (batch) and CRT confirmation $H_6(K_i,RI{D}_i,I{D}_j)=Zmod{m}_i$. Forging any value requires the corresponding secret keys. Formally guaranteed by Theorem 2.

Resistance against impersonation attacks. Directly guaranteed by Theorem 2. Impersonating UAV $U_i$ requires forging $s_i={(k_i+h_i)}^{-1}(s_{RI{D}_i}-f_i^{-1}p{s}_{RI{D}_i})$, which requires the private credentials $\{s_{RI{D}_i},p{s}_{RI{D}_i}\}$. Impersonating GCS requires $l_j=H_1(I{D}_j,s)$ involving the system master key s. Both are infeasible under ECDL/CDH.

Resistance against collusion attacks. Colluding UAVs $\{U_{i_1},\dots ,U_{i_m}\}$ possess only their own leaf private keys $\{k_{i_1},\dots ,k_{i_m}\}$. Computing any non-leaf tree key requires $TS{K}_i=H_5(TS{K}_{i+1}·TP{K}_{i+2},\mathrm{index})$, which needs both children’s private keys. Since honest UAVs’ private keys are protected by ECDL (only $K_i=k_{i}P$ is disclosed) and $H_5$ is a random oracle, no shortcut computation exists.

Forward and backward security. Formally proven in Theorems 3 and 4 with explicit advantage bounds. □

5.2. Performance

The efficiency of our CUBAT-AKA is evaluated through theoretical and performance analyses and is compared with the excellent existing AKA schemes CBACS [39] and FBIA [40].

5.2.1. Function Comparison

Table 3. Functional comparison.

Function	[39]	[40]	[41]	[42]	[43]	[24]	Ours
Identity authentication	🗸	🗸	🗸	🗸	🗸	🗸	🗸
Key agreement	×	🗸	×	×	×	×	🗸
Batch request verification	🗸	×	🗸	×	🗸	×	🗸
Dynamic member management	×	×	🗸	🗸	🗸	🗸	🗸
Bilinear-pairing-free	🗸	🗸	🗸	🗸	🗸	🗸	🗸
Forward security	🗸	🗸	🗸	🗸	🗸	🗸	🗸
Backward security	×	×	×	🗸	🗸	🗸	🗸

🗸: supported; ×: not supported.

presents a multi-dimensional comparison between our scheme and related schemes including CBACS [39], FBIA [40], and others. It can be observed that our scheme achieves lightweight three-party identity authentication and key agreement, and effectively overcomes the performance bottleneck of traditional schemes under massive access by introducing batch request verification. Meanwhile, it leverages the improved binary tree key agreement to enable efficient dynamic member management, significantly reducing the computation and communication overhead during frequent UAV entry and exit compared to existing schemes. Furthermore, the entire design adheres to a bilinear-pairing-free lightweight approach and satisfies perfect forward security, substantially enhancing its functional completeness and cross-domain scalability in complex UAV networking environments.

5.2.2. Theoretical Analysis

To theoretically evaluate the complexity of the CUBAT-AKA scheme, we conduct a detailed theoretical analysis of its computational and communication overhead, and compare it with the CBACS scheme [39] and the FBIA scheme [40]. Both the CBACS scheme [39] and the FBIA scheme [40] adopt the current mainstream edge computing architecture, which is highly consistent with the three-party authentication framework designed in this paper in terms of physical deployment. The CBACS scheme [39] emphasizes direct authentication and privacy protection, while the FBIA scheme [40] focuses on using a layered fog structure to reduce authentication delay. Comparing CUBAT-AKA with these two schemes can clearly demonstrate how the proposed scheme further reduces communication overhead while ensuring the same level of privacy strength.

Table 4. Definitions of cryptographic operations.

Operation	Definition
$T_{pm}$	Execution time of elliptic curve point multiplication operation
$T_{pa}$	Execution time of elliptic curve point addition operation
$T_{bp}$	Bilinear pairing operation
$T_{crt}$	Execution time of aggregation or decomposition operations using the Chinese Remainder Theorem
$T_h$	Execution time of cryptographic hash function
$T_{exp}$	Modular exponentiation operation

describes and defines the main cryptographic operations involved in the proposed scheme and the comparison schemes.

Table 5. Computational overhead comparison.

Scheme	UAV Side	GCS Side	TA Side
CBACS [39]	$n(3T_{pm}+T_{exp}+3T_h)$	$n(2T_{pm}+T_{exp}+2T_h)$	$2n{T}_{pm}+2n{T}_h$
FBIA [40]	$2n{T}_{pm}+3n{T}_h$	$3n{T}_{pm}+4n{T}_h$	$2n{T}_{pm}+2n{T}_h$
Proposed Scheme	$2T_{pm}+T_{crt}+4T_h$	$(n+1)T_{pm}+T_{crt}+2n{T}_h$	$2T_{pm}+2T_{pa}+3T_h$

shows the trend of computational complexity during the authentication process of different entities as n changes. When the UAV scale n continues to grow, the proposed scheme has significant advantages in computational efficiency. On the TA side, the aggregate verification technology compresses n independent verifications into a single equality verification, making the computational overhead maintain near-constant-level growth under large-scale access, which is far superior to the linear growth pattern of the CBACS scheme [39] and the FBIA scheme [40]. On the GCS side, the efficient CRT modular operation replaces the complex bilinear pairing operation, significantly reducing the processing delay of intermediate nodes. On the UAV side, the computational overhead of the proposed scheme does not increase linearly with the total number of UAVs n, and the binary tree structure ensures efficient key reconstruction. In summary, through algorithm structure optimization, the proposed scheme greatly improves the real-time response capability of the system in high-concurrency scenarios while ensuring security.

Table 6. Communication overhead comparison.

Scheme	UAV Side	GCS Side	TA Side
CBACS [39]	$(40n+168)$ bytes	$(244n+44)$ bytes	$(120n+4)$ bytes
FBIA [40]	$(60n+128)$ bytes	$(244n+64)$ bytes	$(120n+4)$ bytes
Proposed Scheme	$(20n+248)$ bytes	$(164n+164)$ bytes	$(20n+44)$ bytes

shows the trend of theoretical communication overhead of different schemes as the UAV scale continues to grow. From the computational complexity comparison, it can be intuitively seen that when the UAV scale expands, the proposed scheme exhibits significant scalability advantages in communication bandwidth utilization. Specifically, the CBACS scheme [39] and the FBIA scheme [40] require frequent interactions with complete authentication credentials and multiple rounds of retransmission information during UAV joining or key update, which easily leads to channel congestion in FANET environments. In contrast, by introducing an improved binary tree structure, the proposed scheme successfully reduces the communication overhead of key updates, and combined with CRT aggregation verification technology, achieves constant-level encapsulation of authentication response messages. This means that the communication overhead growth curve of the proposed scheme is significantly flat, and the communication overhead will not rise rapidly with the surge in UAV scale. Therefore, the proposed scheme can effectively alleviate the wireless channel pressure in high-concurrency scenarios, and has higher transmission efficiency and stability in large-scale dynamic FANETs.

5.2.3. Empirical Tests

The experimental simulation environment of the proposed scheme is based on a host equipped with an Intel Core i7-12700H CPU and 16GB of RAM. The scheme prototype is implemented using Python 3.9 combined with cryptographic libraries such as PyCryptodome and ecdsa. During the simulation, to ensure rigorous logical support for the communication overhead analysis, parameters are uniformly set based on the security strength of a 160-bit elliptic curve. The point coordinates of the additive cyclic group G, the scalar field ${\mathbb{Z}}_q^{*}$, and the anti-replay timestamp T are mapped to 40 bytes, 20 bytes, and 4 bytes, respectively. The execution time of basic cryptographic operations in the experiments is obtained by averaging multiple samples to ensure data accuracy. After simulation, the overhead of the basic cryptographic operations used in the experiments is shown in

Table 7. Execution time of cryptographic operations.

Operation	Overhead (s)
$T_{pm}$	0.362
$T_{pa}$	0.001
$T_{bp}$	5.114
$T_{crt}$	0.018
$T_h$	0.002
$T_{exp}$	0.760

.

We conduct a multi-dimensional evaluation of the performance of the proposed scheme. To objectively reflect the performance of the scheme under different swarm densities, we design two typical application scenarios:

• Scenario 1 focuses on the baseline performance when a single UAV accesses, i.e., the three-party authentication key agreement between one UAV, one GCS, and one TA.
• Scenario 2 focuses on scalability in high-density scenarios, simulating a complex environment where multiple UAVs make concurrent requests.

Figure 5 shows the computational overhead of each entity in the single-UAV scenario. When there is only one UAV, in the authentication and key agreement phases of the CBACS scheme [39], the computational overheads of the UAV, GCS, and TA are $3T_{pm}+1T_{exp}+3T_h=1.852$ s, $2T_{pm}+1T_{exp}+2T_h=1.488$ s, and $2T_{pm}+2T_h=0.728$ s, respectively, resulting in a total computational overhead of 4.068 s. In the authentication and key agreement phases of the FBIA scheme [40], the computational overheads of the UAV, GCS, and TA are $2T_{pm}+1T_{pa}+3T_h=0.731$ s, $3T_{pm}+2T_{pa}+4T_h=1.096$ s, and $2T_{pm}+2T_h=0.728$ s, respectively, resulting in a total computational overhead of 2.555 s. In the authentication and key agreement phases of the proposed scheme, the computational overheads of the UAV, GCS, and TA are $2T_{pm}+1T_{crt}+4T_h=0.750$ s, $2T_{pm}+1T_{pa}+2T_h+1T_{crt}=0.747$ s, and $2T_{pm}+2T_{pa}+3T_h=0.732$ s, respectively, resulting in a total computational overhead of 2.229 s.

The above results present a performance comparison of the three schemes in Scenario 1. As can be seen from Figure 5, in the computational overhead comparison for the single-UAV scenario, the total overhead of the proposed scheme is significantly lower than that of the CBACS scheme [39] and superior to that of the FBIA scheme [40]. Specifically, the proposed scheme imposes a lighter computational burden on the UAV side, which benefits from the design that avoids bilinear pairing operations, thereby effectively reducing computational latency and improving overall processing efficiency.

In particular, as the UAV scale n continues to grow, the proposed scheme demonstrates a significant leading advantage in computational efficiency. On the TA side, thanks to the batch aggregate verification technology, the proposed scheme compresses n independent signature verifications into a single equality verification, making the computational time maintain near-constant low growth under large-scale access, effectively avoiding the problem in the CBACS scheme [39] and FBIA scheme [40] where computational pressure surges with the increase in the number of UAVs. On the GCS side, the efficient CRT modular operation replaces complex bilinear pairing or multiple point multiplication operations, significantly reducing the processing delay of edge nodes.The UAV-side communication overhead as the swarm scale increases is shown in Figure 6.

The above analysis is conducted under the 160-bit elliptic-curve setting. To verify that the efficiency advantage of the proposed scheme is preserved under stronger security parameters required by modern deployments, we further evaluate the total three-party computation cost under a 256-bit curve (P-256), as shown in Figure 7. The 256-bit values are estimated based on known ECC operation scaling factors. Although the 256-bit setting naturally incurs higher overhead due to more costly point multiplication, both curves exhibit the same growth trend, indicating that the proposed scheme remains efficient and practical when migrated to a higher security level.

While the preceding results are derived from operation-level cost composition, we additionally measure the actual end-to-end authentication latency to reflect real runtime behavior, as shown in Figure 8. The latency is measured from the moment a UAV sends $M_1$ until it accepts $M_4$, averaged over 200 independent runs with error bars denoting $\pm 1$ standard deviation. Consistent with the operation-level analysis, the proposed CUBAT-AKA scheme achieves lower latency than CBACS [39] and FBIA [40] across all swarm sizes ($n=1$ to 100), and the gap widens as n increases. This trend directly stems from the batch aggregate verification mechanism on the TA side: as the number of concurrently accessing UAVs grows, the per-request verification cost of the proposed scheme is amortized, whereas the comparison schemes suffer from linearly accumulating verification delay.

Figure 6, Figure 9 and Figure 10 show the communication overhead of the UAV, GCS, and TA as the UAV scale increases, respectively. At $n=1$, the total communication overhead comparison is as follows: In the authentication and key agreement phases of the CBACS scheme [39], the communication overheads of the UAV, GCS, and TA are 164 bytes, 248 bytes, and 144 bytes, respectively, resulting in a total communication overhead of 536 bytes. In the authentication and key agreement phases of the FBIA scheme [40], the communication overheads of the UAV, fog node, and TA are 164 bytes, 228 bytes, and 124 bytes, respectively, resulting in a total communication overhead of 516 bytes. In the authentication and key agreement phases of our proposed scheme, the communication overheads of the UAV, GCS, and TA are 264 bytes, 328 bytes, and 64 bytes, respectively, resulting in a total communication overhead of 656 bytes.

In the initial authentication phase, the total communication volume of the proposed scheme is 656 bytes, which is slightly higher than that of the CBACS scheme [39] (536 bytes) and the FBIA scheme [40] (516 bytes). This is because we have reserved a certain amount of security context parameters in the interaction packets to support subsequent distributed key generation and dynamic member management. However, as the UAV scale n expands, the bandwidth advantage of the proposed scheme begins to overtake. As shown in Figure 6, Figure 9 and Figure 10, with the increase in UAV scale, the growth rate of communication overhead of the proposed scheme on both the UAV and GCS sides is much lower than that of the CBACS [39] and FBIA [40] schemes. Especially on the TA side, when the number of UAVs reaches 50, the overhead is only about one-sixth of that of the comparison schemes, which greatly optimizes the system response speed and channel bandwidth utilization.

Returning to the batch verification mechanism that underlies the authentication efficiency advantage, Figure 11 reports the TA-side verification time as the batch size b varies. The single (one-by-one) verification baseline grows linearly with b, while the batch verification of the proposed scheme maintains near-constant overhead, confirming that n independent verifications are effectively compressed into a single equality check. It is worth noting that when a batch contains an invalid or malicious request, the aggregate verification fails as a whole; in this case, the TA falls back to individual verification to efficiently isolate the faulty request, thereby preserving both security and the efficiency of the common case.

Beyond authentication efficiency, the dynamic group key management capability is equally critical in highly dynamic FANET scenarios where UAVs frequently join and leave. Figure 12 evaluates the key update overhead of the improved binary tree structure in terms of the number of updated tree nodes. As the group size n increases from 4 to 256, the update overhead of the proposed scheme remains close to constant for both join and leave operations, exhibiting clear $O(logn)$ growth, whereas a linear-update baseline grows to $O\left(n\right)$. This logarithmic scalability ensures that the cost of session key reconstruction stays low even under frequent membership changes, which is essential for maintaining real-time secure group communication in large-scale UAV swarms.

In summary, through the collaborative design of batch aggregate verification and binary tree-based key agreement, the CUBAT-AKA scheme achieves dual optimization of authentication computational overhead and dynamic key update cost while ensuring complete security. As the scale of accessing UAVs increases, the performance advantages of the proposed scheme over similar schemes become increasingly prominent. It has good scalability and can effectively meet the actual deployment requirements in large-scale, highly dynamic FANET scenarios.

5.3. Deployment Considerations and Limitations

For practical deployment, two limitations of the current design should be made explicit.

First, regarding the dependence on TA availability, the TA is required to be online and trusted during the registration phase, where it issues long-term session keys, and during the three-party authentication phase, where it performs batch verification of UAV credentials. Therefore, the initial access of UAVs depends on TA availability, and an unavailable TA would prevent new UAVs from completing authentication, constituting a potential single-point-of-failure risk. Nevertheless, once a UAV has been authenticated and the group session key has been established, the subsequent dynamic group key updates for join and leave events are performed solely by the GCS and the participating UAVs without further TA involvement. Thus, the operational phase of the swarm does not rely on continuous TA availability.

Second, regarding cross-GCS handover, the current scheme does not yet provide a dedicated handover mechanism. When a UAV moves from the coverage of one GCS to another, it must re-execute the three-party authentication procedure with the new GCS. This introduces an additional handover latency on the order of one full authentication round, which, based on our single-UAV evaluation in Section 5.2.3, corresponds to approximately the per-UAV authentication cost. In high-mobility scenarios where management domains change frequently, such repeated authentication may accumulate non-negligible overhead.

Addressing these two limitations, namely decentralizing the TA trust assumption and designing lightweight cross-GCS handover authentication, constitutes our future work, as discussed in Section 6.

6. Conclusions

This paper addresses the dual challenges faced by Flying Ad Hoc Networks (FANETs) in open airspace—namely, inefficient authentication and the complexity of dynamic group key agreement—by proposing the CUBAT-AKA scheme, a lightweight authentication key agreement scheme based on batch authentication, the Chinese Remainder Theorem and an improved binary tree structure. The scheme utilizes elliptic curve aggregation verification technology to enable batch verification of multiple UAV identities by the TA. Combined with CRT to optimize authentication response broadcasting on the GCS side, this effectively alleviates computational and communication pressures in high-concurrency access scenarios, At the key agreement level, the improved binary tree structure reduces the complexity of group key updates from linear to logarithmic order, whilst a precise path reconstruction mechanism strictly ensures both forward and backward security when membership changes dynamically. Security analysis and performance evaluation demonstrate that s CUBAT-AKA, under the random oracle model, is resistant to various types of attacks, including eavesdropping, replay, man-in-the-middle, impersonation and collusion. Furthermore, it outperforms comparable schemes in terms of both computational and communication overhead, exhibiting excellent practicality and scalability.

However, the approach proposed in this paper still has certain limitations. The current design assumes that the TA is always trustworthy and remains online, which poses a potential risk of a single point of failure in actual deployment, furthermore, the approach has not yet fully addressed the issue of authentication continuity when UAVs switch between different GCS coverage areas, which may result in additional handover overhead in scenarios involving high-speed flight where management domains change frequently. Future work will address these shortcomings by exploring the introduction of threshold mechanisms or a consortium blockchain architecture to enhance the decentralization of the TA, and by designing more efficient, lightweight handover authentication protocols for cross-domain roaming scenarios, with the aim of providing more comprehensive security support for more complex UAV swarm systems.