PSL-IoD: PUF-Based Secure Last-Mile Drone Delivery in Supply Chain Management

Abstract

The conventional supply chain management has undergone major advancements following IoT-enabled revolution. The IoT-enabled drones in particular have ignited much recent attention for package delivery in logistics. The service delivery paradigm in logistics has seen a surge in drone-assisted package deliveries and tracking. There have been a lot of recent research proposals on various aspects of last-mile delivery systems for drones in particular. Although drones have largely changed the logistics landscape, there are many concerns regarding security and privacy posed to drones due to their open and vulnerable nature. The security and privacy of involved stakeholders needs to be preserved across the whole chain of Supply Chain Management (SCM) till delivery. Many earlier studies addressed this concern, however with efficiency limitations. We propose a Physical Uncloneable Function (PUF)-based secure authentication protocol (PSL-IoD) using symmetric key operations for reliable last-mile drone delivery in SCM. PSL-IoD ensures mutual authenticity, forward secrecy, and privacy for the stakeholders. Moreover, it is protected from machine learning attacks and drone-related physical capture threats due to embedded PUF installations along with secure design of the protocol. The PSL-IoD is formally analyzed through rigorous security assessments based on the Real-or-Random (RoR) model. The PSL-IoD supports 26.71% of enhanced security traits compared to other comparative studies. The performance evaluation metrics exhibit convincing findings in terms of efficient computation and communication along with enhanced security features, making it viable for practical implementations.

1. Introduction

The logistics industry is experiencing digital transformation incessantly. With the digital transformation, the logistics industry has leveraged many advanced technologies such as Artificial Intelligence, Big Data, blockchain, IoT-enabled drones, and sophisticated security algorithms, to improve efficiency, reliability and reduce overheads [1]. In addition, optimizing other factors in supply chain management, real-time monitoring of logistics, and instant response to emergency situations is one of the growing concerns. The trustworthy, flexible, and efficient last-mile delivery operations in smart logistics may not only enhance customer experience but also bring resilience to the whole supply chain management system. The accessibility for real-time data to all the supply chain segments is the key to innovative and intelligent logistics [2]. These real-time mechanisms of collaboration across the whole supply chain largely help to improve the operational efficiency of the logistics. Earlier, conventional logistics corporations in the late 20th century counted on manual record keeping as well as inventory management. The ICT developments such as barcode and radio frequency identification (RFID) were introduced further to improve the logistics in the 21st century [3]. Currently, IoT-enabled drones along with AI and blockchain technologies considerably improve the efficiency and reliability of real-time data collection in logistics. Drones carry IoT-based sensors for collecting and examining the physical phenomenon such as water level, wind flow, temperature, and humidity. Drone may be inducted in diverse nature of requirements for some organizations, e.g., rescue and surveillance, health management, traffic monitoring, disaster framework, traffic monitoring, precision farming, etc. The communicating unit of an unmanned aerial vehicle (UAV), also termed as drone, forwards messages to a ground controlling station for further computations and decisions [4].

The use of drones for last-mile package delivery in smart logistics can largely reduce the delivery time for rural terrain with underdeveloped infrastructure or catastrophic terrain where traffic cannot make its way effortlessly [5]. Nonetheless, the communication of drones depends on open wireless connectivity which renders it vulnerable to many inherent security attacks. There might be active as well as passive adversaries. The passive nature of adversaries is that they eavesdrop communication messages, while the active nature of adversaries is that they may intercept and delete messages or manipulate through forging it by generating false emergency fire alerts causing heavy losses. The distributed and autonomous drone systems embody a dynamic and critical category of IoT networks exhibiting mobility, irregular connectivity, and resource constraints which collectively result in increased attack surface. Similarly, delivery drones for last-mile delivery in supply chain management exhibiting similar constraints are prone to many security threats comprising the client’s privacy and physical drone assaults [6,7]. Such potential threats could be proactively countered with suitable security fixes comprising the design of effective cryptographic algorithms for various scenarios in logistics management. As these drones are multi-purpose devices and may cover a broad range of applications requiring Wireless Sensor Network (WSN)-based aerial operations, the delivery drones need to be securely programmed so that these can be restricted for last-mile delivery activities [8]. There is always a chance that the drones could be distracted from their specified roles of delivery activities if manipulated by malicious operators; thus, it would be desirable to restrict the drones’ oriented communication channels within the defined limits of logistics operations. Due to involvement of public channel, the delivery drones are largely vulnerable to replay, Man-in-the-Middle (MiTM), physical capture threats, and forgery threats. The drones carry critical secrets in their memory which may be examined or stolen in case of physical capture by malicious adversaries. These risks may be curtailed by embedding modern hardware circuits such as Physical Unclonable Function (PUF) in the drones [9]. These circuits behave in a certain manner that provides a unique output against any number, while each circuit produces a unique output due to its internal distinctive construction. It is unclonable, which is why it acts as a biometric fingerprint for any particular circuit as well as drone. There are many authentication protocols that employ PUF for ensuring physical security; however, its use does not guarantee the protocol is resilient [10,11,12]. A protocol needs to be designed that is not only privacy preserving but also immune to all known threats, including machine learning attacks and physical capture attacks. Therefore, considering this scenario, we propose an anonymous and efficient PUF-enabled authenticated key exchange mechanism for drone-oriented smart logistics.

1.1. Contribution

Although the drone-led administration of logistics seems to be promising, it carries many inherent security risks. The adversaries may disrupt the whole supply chain management by gaining physical access to the resources of drone. To overcome these concerns, a resiliently crafted authenticated key exchange method is crucial. It not only certifies mutual authenticity and generation of a commonly agreed session key among the members but is also resistant to most of the known threats. We can witness numerous key agreement mechanisms for drone authentication; however, most of these schemes do not cover PUF-based embedded drone communication scenarios with respect to supply chain management or logistics. A few schemes lately could be witnessed for the drone-oriented PUF-based access control technique, with many drawbacks, however. Thus, more drone-led PUF-embedded authentication schemes need to be tailored for logistics systems. The key contribution can be illustrated as follows:

• A privacy-preserving PUF-based drone key agreement scheme (PSL-IoD) is proposed for smart logistics to deliver packages with endorsement to the ultimate customer in the supply chain. The peculiar design of the scheme with a particular emphasis on prudent use of CRP-pairs makes the CRP pairs inaccessible to the adversary on a public channel that facilitates evading machine learning attacks.
• The PSL-IoD employs symmetric key-based lightweight crypto-primitives not only to align with low-end computational resources of the drone but to also boost efficiency of the delivery process in logistics.
• The security properties of PSL-IoD are formally analyzed using the Real-or-Random (RoR)-based random oracle model.
• The performance evaluation of PSL-IoD exhibits that the key agreement scheme is not only efficient in terms of computation and communication than other related schemes but also secure against forgery and physical capture attacks.

1.2. Scheme Organization

The organization of the scheme is mentioned as follows: Section 2 delineates the related work. Section 3 presents the preliminary details along with network architecture and threat model. The proposed model is demonstrated in Section 4. Section 5 describes informal and formal security analysis. Section 6 illustrates the comparative analysis and performance of various schemes. Section 7 concludes the scheme.

2. Literature Review

This section illustrates the literature on the security of IoT-enabled drones as well as logistics in the last few years. Without resolving security and privacy issues, the potential of smart logistics can never be realized in its full capacity. We can observe many promising key agreement protocols as of late [12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34]. In this regard, Koubaa et al. [12] designed an IoD-based authenticated key agreement (AKA) technique for reliable use of resources. Then, Gupta et al. [13] and Lin et al. [14] presented few security issues in IoD-based protocol development with a focus on the requirement of mutual key agreement among the participants. Then, Turkanovic et al. [15] demonstrated a key exchange method related to IoT system. Further, Farash et al. [16] identified few attacks such as session key guessing, impersonation threat, and stolen smart card attack in [15] and proposed an enhanced scheme. Thereafter, Amin et al. [17] pointed out few weaknesses including the offline password guessing attack, forgery, and the ephemeral secret leakage attack in [18]. Bera et al. [18] designed a drone-oriented Elliptic Curve Cryptography (ECC)-based key agreement scheme using blockchain as a central authority. Likewise, Li et al. [19] put forward an ECC-based key agreement protocol for the IoT network; nonetheless, the scheme was not cost-effective due to PKI-based encryption and computational-intensive crypto-primitives. Next, Ever et al. [20] presented an IoD-based key agreement protocol, although it was not only susceptible to physical drone capture attack but also expensive for costly bilinear pairing operations. Thereafter, Cho et al. [21] presented a certificate-oriented authentication scheme for the IoD network; however, the scheme was not protected from the temporary secret key exposure threat. Then, Husnain et al. [22] put forward another lightweight drone-based authentication scheme for smart cities; however, it was not immune to physical drone capture threats. Afterwards, Srinivas et al. [23] demonstrated an IoD-based key agreement scheme comprising temporal credentials. Ali et al. [24] reported that scheme [23] does not sustain privacy and mutual authenticity among participants. Then, Wazid et al. [25] presented an anonymous key agreement scheme for IoD, although it was prone to privileged insider threat in addition to its inability to support mutual authentication for its legal members. Also, Zhang et al. [26] designed an identity-based cryptography (IBC) key agreement scheme from an IoD ecosystem. However, the requirement of storage for the master key in the memory calls into question the practical viability of [26]. Nikooghadam et al. [27] designed an AKA scheme for an IoD-based smart city; however, it was susceptible to impersonation and physical capture threats.

Thereafter, many schemes related to the IoD network presented AKA protocols countering physical counter threats. Gope and Sikdar [28] presented an anonymous PUF-based AKA scheme. Nonetheless, it was prone to the de-synchronization threat as it requires maintaining updated pseudonym identities to keep synchronization among entities. Likewise, Alladi et al. [29] designed a PUF-based AKA technique for a UAV-to-Ground station supporting UAV’s resistance to physical capture threats. Malik et al. [30] also designed a PUF-oriented 5G drone authentication method supporting resistance to physical capture attacks for the drone. Then, Yu et al. [31] designed another PUF-based biometric authentication scheme for smart city drones. Nevertheless, the protocol was faulty due to flaws in the drone registration procedure that hampers the construction of a common session key between legal members. Zhang et al. [33] provided a lightweight PUF-based authentication protocol for IoD. However, it was vulnerable to denial-of-service (DoS) and replay attacks. Park et al. [32] presented another PUF-based AKA technique for the IoD network; however, it was susceptible to Man-in-the-Middle (MiTM) attacks. Badshah et al. [34] designed an ultra-lightweight AKA technique for drones, although it was prone to insider threats in which the privileged insider can recover the user-oriented verifiers and pseudonyms from publicly intercepted contents. More recently, Sousa and Gondim [35] presented a multi-factor user authentication scheme for the IoD network, although this scheme was prone to DoS attacks. Thus, it can be deduced that most of the schemes for drones are prone to several vulnerabilities for the open nature of drone deployment. The above schemes demonstrate that many schemes utilize ECC- as well as ID-based costly operations for authentication of IoT-enabled drones from the ground controlling station, while the rest of the schemes employed symmetric key operations from drone authentication. A few schemes used PUF to evade physical device or drone capture threats. However, despite the use of costly operations, lightweight symmetric, and PUF-based circuits, most of these schemes are vulnerable to several known threats as discussed above, which requires construction of novel drone-based AKA solutions to adapt with current needs of the time.

It can be seen that the design of most of the previous IoT-based authentication schemes is based on costly asymmetric cryptography. However, as of late, we can observe several lightweight PUF-oriented drone authentication protocols using low-cost primitives, although they are vulnerable to many known threats including impersonation, pivileged insider threat, physical device capture threat, Man-in-the-Middle threats, machine learning attacks, etc. Thus, existing drone access control techniques are not meeting the up-to-date requirements of the real-world drone deployments and require even more resilient lightweight PUF-enabled schemes. The brief summary is depicted in

Table 1. Summary of related work.

Schemes	Methodology	Limitations	Year	Limitations Addressed in PSL-IoD
Wazid et al. [27]	Remote user authentication protocol for IoD	Susceptible to privileged insider attack	2018	Yes
Nikooghadam et al. [29]	IoD-oriented key agreement method for smart city surveillance	Prone to impersonation and physical capture threats	2020	Yes
Zhang et al. [12]	Lightweight protocol for IoD	Prone to stolen smart card attack	2020	Yes
Malik et al. [32]	A Proxy Signature-oriented drone key agreement for 5G D2D network	Lacks mutual authenticity	2021	Yes
Hussain et al. [24]	Secure drone-based access control technique for smart city	Lacks resistance to drone capture threat	2022	Yes
Park et al. [34]	PUF enabled drone-based authentication key agreement method	Man-in-the-Middle attack	2023	Yes
Badshah et al. [35]	Ultra-lightweight authentication method for IoD system	Prone to malicious insider attack	2024	Yes
Zhang et al. [35]	A lightweight PUF-based key agreement method for UAVs	Prone to DoS and replay threats	2024	Yes
Alshdadi et al. [11]	A lightweight PUF-enabled protocol for drones	More round trips with communication overheads	2024	Yes
Sousa and Gondim [36]	A multi-factor authentication technique for IoD	Susceptible to d-of-service threat	2025	Yes

.

3. Preliminaries

This section discusses preliminaries with respect to Physical Unclonable Function, network architecture, and the adversary model as demonstrated below.

3.1. Physical Unclonable Function

The Physical Unclonable Function (PUF) is a new hardware-oriented circuit exploiting the physical properties of the chip that lets the circuit behave in a unique way offering an identity-based authentication to the device equivalent to fingerprint [32,33]. These properties are immensely hard to replicate in a new chip, making it a viable option for sophisticated security systems based on Internet of Things, drones, smart gadgets, and overall network security. The microscopic deviations are noticeable in the chip, while even slight changes and irregularities make the chip largely unusable and resilient against physical attacks. The PUF function is $F_D:$ ${\left\{0,1\right\}}^{n_1}\to {\left\{0,1\right\}}^{n_2}$, where D depicts a device carrying $PU{F}_D$ and n₁ and n₂ show the size of strings embedded for the device. The $PU{F}_D$ function bears the following properties:

• It is very complicated to clone or replicate the behavior of any existing PUF chip.
• It is convenient and easy to compute.
• Its result is constantly impulsive.
• It carries a physical micro structure which is mostly a constituent component in other devices.
• Any hardware or equipment carrying this chip receive enhanced security due to inherent device variations.

3.2. Network Architecture

The network architecture for PSL-IoD consists of three distinct entities: (1) user (U_i), (2) ground controlling server (GCS), and (3) drone (D_j) as graphically exhibited in Figure 1. In this model, the GCS must register all users U_i and drones D_j assigned to corresponding flying zones. Although the users can normally track the status of their cargo or delivery packages in the whole supply chain process, this network model takes into consideration the last-mile delivery segment between drone and user with the help of GCS. Alternatively, the drones as a last-mile delivery option in supply chain management receive an authenticated session established with the ultimate customer/user (U_i) by creating an agreed session key SK with the assistance of GCS and deliver the packages after adopting due course of authentication procedures. The details of these entities are illustrated below.

User (U_i). The U_i registers itself with GCS and receives secret credentials in return. Then, it obtains its cargo delivered from the drone entity after establishing a mutual authentication procedure with the help of GCS. The commonly agreed SK is used to communicate with the delivery drone for ultimate service.

Ground Controlling server (GCS). The GCS acts as a trusted authority responsible for registering drones and users. It also ensures that both entities mutually authenticate one another and establish an agreed session key for trusted execution of last-mile delivery.

Drone (Dj): The D_j also becomes registered with GCS and receives secret credentials in return. In addition, it is embedded with the PUF circuit to ensure physical protection from tampering procedures on the part of the adversary. The drone comes into contact with the user after the mutual authentication process facilitated by GCS being online. The commonly agreed SK between user and delivery drone is used to communicate and negotiate for ultimate service. The communication framework is exhibited in Figure 2.

3.3. Adversary Model

An adversary model delineates the assumed capability of the adversary to launch attacks on the contributed protocol. It defines what an adversary can do and what resources it can have. Considering the capability of the state-of-the-art adversary, the protocol needs to be designed. We assume two adversary models, i.e., (1) the Dolev–Yao (DY) model propounded by Dolev and Yao [36] and (2) the Canetti–Krawczyk (CK) model introduced by Canetti and Krawczyk [37]. Both of the models collectively assume the capabilities of adversary $\mathcal{A}$. The DY model acts as a basic theoretical model used extensively by the researchers in security and cryptography. According to the DY model, $\mathcal{A}$ possess the capability to intercept, block, delete, and forward messages, although it lacks the ability of decrypting enciphered messages. $\mathcal{A}$ may initiate replay or retransmission attacks by intercepting the messages. $\mathcal{A}$ may also initiate impersonation threats after eavesdropping personal data of the user. The CK model extends the capability of the adversary beyond the DY-based threat model by incorporating more complicated operations and severe breaches such as exposure to ephemeral secret keys and random nonces.

4. Proposed Technique (PSL-IoD)

We suggest a novel lightweight and privacy preserving PUF-based authenticated key agreement technique (PSL-IoD) for supply chain management encompassing three communication round trips. The session key is mutually developed in the end of the protocol between user U_i and delivery drone D_j with the aid of GCS.

Table 2. Symbols with definitions.

Symbols	Definition
GCS:	Ground Controlling Server
Ui, Dj:	ith User, jth drone
IDu, IDDj:	Identities of Ui and Dj
PIDu:	Pseudo-identity of Ui
PUFi:	Physical Cloneable Function for Ui
PWDu/BIOu	Password and Biometric identity of Ui
$GEN()/REP():$	Fuzzy Extractor Generation and Reproduction
au, bd	Random nonces
$\mathcal{A}$:	Attacker
SK:	Session key shared between Ui and Dj

exhibits the notations used in PSL-IoD. The PSL-IoD consists of three phases: (1) drone enrollment process, (2) user enrollment process, and (3) mutual authenticating process. The detailed narrative of each phase is mentioned below.

4.1. Drone Enrolment Process

The drone D_j is registered by GCS on a secure channel. For this purpose, the D_j initiates the following procedure:

• The D_j selects its identity ID_Dj, generates a random challenge c_d $ϵ$ Z_P, and computes r_d = PUF(c_d). Then, it submits registration request {ID_Dj, c_d, r_d} to GCS.
• The GCS, upon receiving the request, selects k_d $ϵ$ Z_P and computes TID_Dj = h(ID_Dj||k_d), Sec_Dj = h(TID_Dj||S_G||k_d) and R_dg = E_KG (r_d). It stores {ID_Dj, c_d, R_dg, TID_Dj, Sec_Dj} in its database and submits {TID_Dj, Sec_Dj} to Dj as shown in Figure 3.
• D_j, upon receiving the parameters, stores them in its memory safely.

4.2. User Enrollment Process

The user Ui employs the following steps to register itself with GCS:

• The user selects its identity ID_u, password PWD_u, and a random integer b_u$\mathsf{ϵ}$ Z_P. Then, it computes Gen (BIO_u) = ($\delta$_u, $\eta$_u), HPW_u = h(PWD_u||$\delta$_u), TID_u = h(ID_u||b_u). Then, Ui sends {TID_u, HPW_u, loc_u} to the GCS using secure channel.
• The GCS selects a random integer k_u $\mathsf{ϵ}$ Z_P and calculates Sec_u = h(TID_u ||k_u ||S_G), r_d = D_KG (R_dg), C_u= HPW_u ⊕ Sec_u, X_u = h(k_u||r_d), and PID_u = E_KG(k_u, TID_u). Then, it stores {PID_u, TID_u, Sec_u, k_u} in a repository while sending {PID_u, C_u, TID_Dj, X_u} to U_i to finalize the registration.
• Next, the Ui computes Sec_u = HPW_u ⊕ C_u, D_u = h(Sec_u||TID_u||HPW_u), N_u = h($\delta$_u ||PWD_u) ⊕ b_u, R_u = TID_u ⊕ TID_Dj ⊕ X_u, and stores {C_u, D_u, TID_Dj, N_u, $\eta$_u, PID_u, R_u} parameters in the smart card safely as shown in Figure 4.

4.3. Mutual Authentication Process

In this phase, the user verifies the drone on a public channel with the help of GCS. The Ui and Dj establish an agreed session key after utilizing all steps in this phase. This phase takes three round trips to complete the protocol, i.e., (1) Ui-to-GCS, (2) GCS-to-Dj, and (3) Dj-to-Ui. The steps incorporated in this process are explained below.

• Initially, the Ui inputs identity ID_u and password PWD_u and imprints a biometric BIO_u. Next, it calculates $\delta$_u′ = Rep (BIO_u, $\eta$_u), HPW_u′ = h(PWD_u||$\delta$_u′), b_u = h($\delta$_u||PWD_u) ⊕ N_u, TID_u = h(ID_u||b_u), Sec_u′ = HPW_u′ ⊕ C_u and D_u′ = h(Sec_u′||TID_u||HPW_u′). Then, it verifies D_u′? = D_u. If it is not true, Ui aborts. Otherwise, Ui generates a_u $\mathsf{ϵ}$ Z_P, computes H₁ = h(PID_u||TID_u||TID_Dj||T₁), E_u = E_Secu (a_u, TID_Dj), and submits M₁ = { PID_u, H₁, E_u, T₁} to GCS.
• The GCS, after receiving the authentication request, checks the freshness of T₁ using T₁ − T_c < ΔT. Then, it retrieves {TID_u, Sec_u, k_u} in line with PID_u, and computes (a_u, TID_Dj) = D_Secu (E_u). Then, it retrieves {ID_Dj, c_d, r_d, Sec_Dj} using TID_Dj, and computes H₁ = h(PID_u||TID_u||TID_Dj||T₁) to verify H₁ ? = H₁. If it is not true, the GCS aborts. Otherwise, it computes H₂ = h(TID_u || TID_Dj ||T₂), PID_u^new = E_KG(k_u, TID_u), E_GCS = E_SecDj (PID_u^new, k_u, c_d, a_u, TID_u) and submits M₂ = {H₂, T₂, E_GCS} to Dj for further verification as displayed in Figure 5.
• The Dj checks expiry of timestamp using T₂ − Tc < ΔT. If it is fresh, it further calculates (PID_u^new, k_u, c_d, a_u, TID_u) = D_SecDj (E_GCS), r_d = PUF(c_d), X_u = h(k_u||r_d), H₂′ = h(TID_u||TID_Dj||T₂), and verifies H₂′ ? = H₂. In the case it is not true, it abandons the session. Otherwise, it generates b_d $\mathsf{ϵ}$ Z_P and computes SK = h(PID_u^new||TID_u||a_u||X_u||b_d||TID_Dj), H₃ = h(PID_u^new||SK||b_d||TID_Dj), W_d = h(TID_u||X_u||a_u) ⊕ b_d, and V_d = h(TID_u||a_u) ⊕ PID_u^new. Then, it submits the message M₃ = {W_d, V_d, H₃} to Ui for final verification.
• The Ui, upon the receipt of M₃, computes PID_u^new = h(TID_u||a_u) ⊕ V_d, b_d = h(TID_u||X_u||a_u) ⊕ W_d, SK′ = h(PID_u^new||TID_u||a_u||X_u||b_d||TID_Dj) and H₃ = h(PID_u^new||SK||b_d||TID_Dj). Then, it verifies H₃ ? = H₃. If it is true, it validates Dj and replaces PID_u with PID_u^new in its smart card.

5. Security Analysis

In this section, both informal and formal security analysis pertaining to PSL-IoD are comprehensively discussed.

5.1. Informal Security Analysis

(a)

Mutual Authenticity

In PSL-IoD, the Ui authenticates GCS as well as Dj on account of verification for the H₃ parameter after computing H₃ = h(PID_u^new||SK||b_d||TID_Dj). Ui knows the fact that the session key SK′ = h(PID_u^new||TID_u||a_u||X_u||b_d||TID_Dj) cannot be constructed by the adversary without compromising GCS and Dj entities and obtaining the secrets held with them. The a_u can only be extracted from E_u by the GCS entity having access to the shared secret Sec_u, while X_u = h(k_u||r_d) can only be computed by legal Dj having the specified PUF circuit. Likewise, GCS authenticates Ui on account of verification of H₁ = h(PID_u||TID_u||TID_Dj||T₁); as it can discern, only a valid Ui has access to effective TID_u parameter. Similarly, Dj verifies the validity of Ui after checking the validity of the H₂′ = h(TID_u||TID_Dj||T₂) parameter along with its freshness. Thus, the PSL-IoD ensures mutual authentication for all legitimate participants.

(b)

Anonymity and non-traceability

The PSL-IoD supports anonymity as the scheme does not propagate the original identity of the user on communication; rather, it submits the pseudonym identity TID_u to GCS for making itself authenticated. In addition, there is no single piece of content in communicated messages that remains the same across various communicative sessions among the same participants.

(c)

Replay attack

In PSL-IoD, an adversary could initiate replaying the messages to masquerade any legal entity and come into session key agreement in any possible way. However, the PSL-IoD employs timestamps to check the freshness of messages which makes it infeasible for the adversary to replay the contents without becoming noticed by the legal participants.

(d)

Impersonation attack

If $\mathcal{A}$ attempts to impersonate either as Ui, GCS, or Dj, it will not be able to achieve this since these entities hold private and master secrets along with embedded PUF circuits to thwart any possibility of impersonation or Man-in-the-Middle-based threat.

(e)

Drone physical capture threat

An adversary may attempt recovering critical secrets from the memory of the captured drone and compute previous session keys. In PSL-IoD, if an adversary attempts to compute r_d = PUF(c_d) as well as X_u = h(k_u||r_d) for any user or clone it after physically approaching the drone, it may not be able to achieve this primarily due to the change in PUF-generated identifier signaling to the system regarding the tampering attempt. Thus, the PSL-IoD is protected from physical drone capture attacks.

(f)

Session-specific temporary secret leakage threat

In PSL-IoD, even if the short-term secrets of the user such as a_u for various sessions are revealed to the adversary, the latter may not compute previous session keys related to the user. The construction of session key SK = h(PID_u^new||TID_u||a_u||X_u||b_d||TID_Dj) requires many other parameters besides short session-specific short-term secrets to compute it. That is, it requires access to TID_u, X_u, b_d, and TID_Dj parameters.

(g)

Perfect forward secrecy

The PSL-IoD supports perfect forward secrecy even if the long-term master secret key K_G of GCS is revealed to the adversary. In the proposed scheme, the adversary needs to approach both long-term master secret K_G and all verifiers stored in the database either for drones or users to calculate past session keys established between the user and the specified drone.

(h)

Resistance to machine learning attacks

The PSL-IoD may resist machine learning (ML) attacks. An adversary requires access to adequate CRP pairs to initiate brute force attacks for guessing other pairs against the same PUF-circuit. In PSL-IoD, the adversary may not access either challenge or response out of CRP pairs that render the proposed scheme immune to ML attacks.

5.2. Formal Security Analysis

The Real-or-Random (RoR) model-oriented formal security analysis is employed to prove the security of a mutually settled session key in PSL-IoD. This analysis framework was suggested by Canetti et al. [37,38]. It is based on scientific formulations for proving the features of authentication techniques and compromising the session key through probabilistic calculations using various rounds of games. The illustration of proof is given below.

Participants: It is assumed that the participants $U_i^{\alpha }$, $D_j^{\beta },$ and ${GCS}^{\gamma }$ are $\alpha$th, $\beta$th, and $\gamma$th oracle instances of Ui, Di, and GCS, respectively.

Accept state: The oracle $U_i^{\alpha }$ is said to be in the accept state when it receives the last message of the PSL-IoD communication protocol. After concatenation of all communication messages, it assigns the session-based identifier to the established session sid.

Effectiveness: The oracles $U_i^{\alpha } \mathrm{and} D_j^{\beta }$ are said to be valid instances in the case the malicious attacker remains unsuccessful in establishing SK between user and drone.

Cooperation: The suggested protocol employs the protocol identifier sid to establish a collaborative association between user- and drone-based oracle instances $U_i^{\alpha } \mathrm{and} D_j^{\beta }$, which is followed with the accept state.

The malicious adversary may use the oracles as per the CK-compliant threat model which is shown in

Table 3. Queries with semantics.

Queries	Semantics
Execute ($U_i^{\alpha }$, $D_j^{\beta }$ and ${GCS}^{\gamma }$)	The Execute query is based on the eavesdropping threat. $\mathcal{A}$ prompts this oracle to eavesdrop messages communicated among Ui, Dj and GCS on the public channel.
Reveal ($U_i^{\alpha }$, $D_j^{\beta }$)	By employing Reveal query, the SK established between Ui and Dj is exposed to $\mathcal{A}$.
Send ($U_i^{\alpha }$, $\mathrm{M}\mathrm{s}\mathrm{g}$)	The Send query is modeled as an active threat by $\mathcal{A}$ through submitting it to user Ui.
Corrupt ($D_j^{\beta }$)	The Corrupt oracle is used by $\mathcal{A}$ to obtain all secrets accumulated in the repository of Dj.
Test ($U_i^{\alpha }$, $D_j^{\beta }$)	The Test query is utilized to validate the security of SK. For this objective,$\mathcal{A}$ uses a fair coin c in the beginning of trial. Then, the attacker executes the Test oracle, and c may result in the following: c = 0: the resultant SK established between $U_i^x$ and $D_j^y$ is not fresh and is a randomly defined key of the same length; c = 1: the SK is accurate and also not expired; c = $\perp$: the resultant SK could not be created, or the oracle is invalid.

.

Theorem 1.

We assume any polynomial time t attacker$\mathcal{A}$breaking into PSL-IoD. In the RoR model, we can approximate the benefit of A between Ui and Dj for obtaining SK in PSL-IoD as mentioned below:

$${Adv}_{\mathcal{A}}^{PAL – IoD }\left(t\right) \le {\displaystyle \frac{w_{h_s}^2}{\left|H\right|}}+ {\displaystyle \frac{w_{p_f}^2}{\left|PUF\right|}}+max\{{\displaystyle \frac{w_{s_n}}{2^{l_p-1}|Dict|}}, {\displaystyle \frac{w_{s_n}}{2^{l_h-1}}}\}$$

(1)

In Equation (1), the |Dict|, |PUF|, |H|, l_p, and l_h characterize the length of password dictionary (uniformly distributed), PUF outcome space, hash function-based space, length for PUF-based factors, and length of hash function, respectively [39]. In addition, w_h, w_p, and w_s symbolize the number of queries for corresponding hash function, PUF, and Send oracle, respectively.

Proof. 

This proof involves five rounds of games in aggregate, i.e., from Gm_R0 to Gm_R4. ${Win}_{\mathcal{A}}^{{Gm}_{Ri}}$ (t) describes the attacker’s advantage for guessing the parameter c with high probability in Gm_Ri. Hence, the benefit of $\mathcal{A}’\mathrm{s}$ guessing may be shown as $\mathrm{P}\mathrm{r} [{Win}_{\mathcal{A}}^{{Gm}_{Ri}}$ (t)$]$ [40].

Game Gm_R0: The starting game Gm_R0 simulates an actual security experiment between $\mathcal{A}$ and challenger $\mathcal{C}$ against the contributed protocol $\mathcal{P}$. The bit c is chosen by the attacker in the beginning of Gm_R0. The probability of winning the game is dependent on the chance that PSL-IoD may not provide resilience from the attack initiated from $\mathcal{A}$. According to the definition of semantic security in PSL-IoD [41], we have

$${Adv}_{\mathcal{A}}^{PSL-IoD }\left(t\right)=|2 .Pr[{Win}_{\mathcal{A}}^{{Gm}_{R0}}]-1$$

(2)

Game Gm_R1: Gm_R1 is modeled as an eavesdropping attack. Under this game, all of the communicated messages M₁ = {PID_u, H₁, E_u, T₁}, M₂ = {H₂, T₂, E_GCS}, M₃ = {W_d, V_d, H₃} exchanged among U_i, GCS and D_j during the mutual authentication procedure are intercepted with the simulation of the Execute (.) query. The attacker performs the Test query for verifying whether the output is a real session key SK or any random value. The session key constructed between U_i and D_j is SK = h(PID_u^new||TID_u||a_u||X_u||b_d||TID_Dj) where X_u = h(k_u||r_d). For deriving the session key, the attacker needs to calculate PID_u^new, TID_u, a_u, X_u, b_d, and TID_Dj. However, for computing these parameters, $\mathcal{A}$ needs to know about high-entropy long-term credentials K_G, PUF-generated response, access to GCS repository, and ephemeral secrets such as a_u and b_d. The interception of communication messages on the public channel does not help the attacker in compromising long- or short-term credentials, and the probability of winning game Gm_R1 also does not increase at all for the attacker [42]. Thus,

$$Pr[{Win}_{\mathcal{A}}^{{Gm}_{R1}}]=\mathit{Pr}\left[{Win}_{\mathcal{A}}^{{Gm}_{R0}}\right]$$

(3)

Game Gm_R2: Gm_R2 serves as an active attack with added simulations for Send (.) and Hash (.) queries. The adversary in this game attempts to impersonate and convince legal participants to receive the tampered messages. The attacker could frequently initiate Hash (.) queries for checking collisions in message digests for {M₁, M₂, M₃}; however, each of these messages is embedded with fresh timestamps, random nonces, and pseudonym identities other than long-term secrets. Thus, there is a negligibly small probability of collisions while employing the Send (.) query initiated by $\mathcal{A}$. Using the birthday paradox [43], we have

$$| Pr [{Win}_{\mathcal{A}}^{{Gm}_{R2}}]-[{Win}_{\mathcal{A}}^{{Gm}_{R1}}] | \le {\displaystyle \frac{w_{h_s}^2}{2|H|}}$$

(4)

Game Gm_R3: Gm_R3 is an extension of Gm_R2 with added simulation of the PUF query. Again, employing the birthday paradox, we obtain

$$| Pr[{Win}_{\mathcal{A}}^{G_{R3}}]-Pr[{Win}_{\mathcal{A}}^{G_{R2}}]| \le {\displaystyle \frac{w_{P_f}^2}{2|PUF|}}$$

(5)

Game Gm_R4: Gm_R4 simulates Gm_R2 with an added Corrupt (.) oracle query. Employing this game, the attacker gains access to all stored factors including {C_u, D_u, TID_Dj, N_u, $\eta$_u, PID_u, R_u}. To guess the ID_u and PWD_u, the attacker needs access to the user’s biometric factor BIO_u which cannot be recovered in a polynomial amount of time [43]. To guess the identity or the password, the number of attempts from the corrupt query may reach the maximum limit. Likewise, the attacker may attempt to extract all stored secrets from the memory of drone D_j upon physically capturing it. However, the probability to guess PUF-oriented critical secret of length l_p can be estimated as ${\displaystyle \frac{1}{2^{l_p}}}$ [41]. The probability of each attempt from the adversary’s end remains less than the specified threshold. Thus, the chance that the attacker wins this game is

$$| Pr[{Win}_{\mathcal{A}}^{G_{R4}}]-Pr[{Win}_{\mathcal{A}}^{G_{R3}}] |\le max\{{\displaystyle \frac{w_{s_n}}{2^{l_p}.|D|}}, {\displaystyle \frac{w_{s_n}}{2^{l_h}}}\}$$

(6)

Subsequently, after modeling oracle queries, $\mathcal{A}$ need to guess the value of factor c with the help of the Test query for winning this game [44,45]. Therefore, $Pr [{Win}_{\mathcal{A}}^{{Gm}_{R4}}]$ exhibits the advantage of the adversary for predicting c as given in the following equation:

$$Pr [{Win}_{\mathcal{A}}^{{Gm}_{R4}}]={\displaystyle \frac{1}{2}}$$

(7)

Using Equations (2), (3) and (7), we have

$$\begin{gathered} {Adv}_{\mathcal{A}}^{PSL-IoD }=2. | Pr[{Win}_{\mathcal{A}}^{{Gm}_{R0}}]-{\displaystyle \frac{1}{2}} | \\ =2. | Pr[{Win}_{\mathcal{A}}^{{Gm}_{R1}}]-Pr [{Win}_{\mathcal{A}}^{{Gm}_{R4}}] | \end{gathered}$$

(8)

We can apply the principle of triangular inequality [43,46] with the help of Equations (4)–(6) and infer the following results:

$$\begin{gathered} =| Pr [{Win}_{\mathcal{A}}^{{Gm}_{R4}}]-Pr[{Win}_{\mathcal{A}}^{{Gm}_{R1}}] |\le |Pr[{Win}_{\mathcal{A}}^{{Gm}_{R4}}]-Pr[{Win}_{\mathcal{A}}^{{Gm}_{R3}}] | \\ +|Pr[{Win}_{\mathcal{A}}^{{Gm}_{R3}}]-Pr[{Win}_{\mathcal{A}}^{{Gm}_{R1}}] |\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em} \\ \le | Pr[{Win}_{\mathcal{A}}^{{Gm}_{R4}}] - Pr[{Win}_{\mathcal{A}}^{{Gm}_{R3}}] |+| Pr [{Win}_{\mathcal{A}}^{{Gm}_{R3}}] -Pr[{Win}_{\mathcal{A}}^{{Gm}_{R2}}] | \\ +| Pr[{Win}_{\mathcal{A}}^{{Gm}_{R2}}]- Pr[{Win}_{\mathcal{A}}^{{Gm}_{R1}}] |\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em} \end{gathered}$$

(9)

$$\le {\displaystyle \frac{w_{h_s}^2}{2 \left|H\right|}}+{\displaystyle \frac{w_{p_f}^2}{2 \left|PUF\right|}}+max\{{\displaystyle \frac{w_{s_n}}{2^{l_p}|D|}}, {\displaystyle \frac{w_{s_n}}{2^{l_h}}}\}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}$$

Using Equations (8) and (9), we obtain the following findings:

$${Adv}_{\mathcal{A}}^{PSL-IoD }(t)\le {\displaystyle \frac{w_{h_s}^2}{|H|}}+{\displaystyle \frac{w_{p_f}^2}{|PUF|}}+max\{{\displaystyle \frac{w_{s_n}}{2^{l_p-1}|D|}}, {\displaystyle \frac{w_{s_n}}{2^{l_h-1}}}\}$$

□

6. Performance Evaluation

We conducted a comparative analysis of the proposed PSL-IoD with other contemporary schemes focusing on security functionality as well as computational and communicational overheads. For evaluating the computational costs and latency of drone-based schemes [17,19,20,27,32,33,35], an experiment was performed using a mobile phone with a 2.45 Ghz processor having 4 GB memory, Android (4.4.2), for drones and the user. Another experiment was performed for a server using 2.9 Ghz CPU with 6 GB memory and a Windows 10 operating system. The system was configured using a Python 3.13-assisted cryptographic library called “Pycrypto”. To compute the primitive-based computational cost and time, we calculated the average execution latency over a hundred iterations. The experimental cost of these primitives in line with the above-mentioned experiment is shown in

Table 4. Computational delay for each primitive.

Crypto-Primitives	Ui	GCS	Dj
Th	0.015	0.006	0.011
Ta	0.025	0.007	0.017
TS	0.033	0.011	0.018
TPUF	0.075	0.003	0.005
TPM	6.218	0.997	4.801
Tfe	0.097	-	0.089

.

Table 5. Attack Resistance Attributes and Comparison.

	[17]	[20]	[27]	[19]	[32]	[33]	[35]	PSL-IoD
ARA1	×	×	+	+	+	+	+	+
ARA2	+	+	+	+	+	+	×	+
ARA3	+	+	×	+	+	+	+	+
ARA4	×	+	×	+	+	+	+	+
ARA5	+	+	+	+	×	+	+	+
ARA6	+	+	+	+	+	+	+	+
ARA7	+	+	+	+	+	×	+	+
ARA8	+	+	+	+	+	×	+	+
ARA9	+	×	×	×	+	+	+	+
ARA10	+	+	+	+	+	×	×	+

ARA1: Anonymity and non-traceability, ARA2: Conforms to mutual authentication, ARA3: Withstands impersonation attack, ARA4: Withstands drone capture threat, ARA5: Withstands MiTM attack, ARA6: Conforms to forward secrecy, ARA7: Session key secrecy, ARA8: Withstands replay threat, ARA9: Withstands stolen device threat, ARA10: Withstands DoS threat, $+$: Security trait supported, $\times$: Security trait not supported.

exhibits comparison attributes for security features of various IoT- or drone-based authentication protocols [17,19,20,27,32,33,35], [PSL-IoD]. It can be witnessed that scheme [17] could not support anonymity and also lacks resistance to physical drone capture threats. Scheme [20] has privacy concerns and is also not immune to stolen device attacks initiated by the adversary. Likewise, scheme [27] does not counter impersonation attacks, and it is susceptible to physical device as well as drone capture attacks. Scheme [19] does not show resistance to stolen device attacks that may be initiated by the attacker on PSL-IoD. Similarly, [32] is not resilient against Man-in-the-Middle attacks, while scheme [33] is not resilient against replay attacks and denial-of-service (DoS) attacks. Scheme [35] does not support mutual authentication for its legal members, and it is also susceptible to DoS threats.

The computational cost of schemes [17,19,20,27,32,33,35], [PSL-IoD] is demonstrated in

Table 6. Computational and communicational overheads.

	Ui	GCS	Dj	Total Computational Cost (ms)	Communication (bits)
[17]	Tfe + 12Th	9Th	8Th	Tfe + 29Th ≈ 0.6	2176
[20]	6Th + 4TPM + 1Ta	-	6Th + 6TPM + 2Ta	12Th + 10TPM + 3Ta ≈ 62.435	2336
[27]	6Th + 2TPM	8Th	5Th + 2TPM	19Th+ 4TPM ≈ 22.23	2496
[19]	11Th	6Th	10Th	27Th ≈ 0.311	3292
[32]	Tfe + 11Th	11Th	Tfe + 10Th	2Tfe + 32Th ≈ 0.529	2560
[33]	8Th	6Th	2TPUF + 6Th	2TPUF + 20Th ≈ 0.372	3008
[35]	Tfe + 1TPM + 1Ta + 7Th	2Ta + 2Th	2TPM + 1Ta + 3Th	Tfe + 3TPM + 4Ta + 12Th ≈ 16.12	1824
PSL-IoD	9Th + Ts	2Th + 3Ts	TPUF + 6Th + Ts	TPUF + 17Th + 5Ts ≈ 0.302	2528

. In this table, notations T_h, T_a, T_PUF, T_PM, T_S, and T_fe represent the timing latency of hash operation, point addition, PUF-based operation, ECC-oriented scalar point multiplication, symmetric key and fuzzy extractor operation, respectively. Figure 6 depicts a high-level pseudo-code for computing the timing of each operation in the experiment. We can see that schemes [17,19,20,27,32,33,35] take T_fe + 29T_h, 12T_h + 10T_PM + 3T_a, 19T_h + 4T_PM, 27T_h, 2T_fe + 32T_h, 2T_PUF + 20T_h, T_fe + 3T_PM + 4T_a + 12T_h, and T_PUF + 17T_h + 5T_s, respectively. The computational latency for schemes may be computed as 0.6 ms, 62.43 ms, 22.23 ms, 0.31 ms, 0.529 ms, 0.372 ms, 16.12 ms, and 0.302 ms, respectively. It can be witnessed in Figure 7 that the computational cost and latency of PSL-IoD is less than that of the compared schemes.

For calculating communication costs of comparative protocols, we assume that the bit lengths for the exchanged crypto-primitive factors in communication messages for hash digest function, original identity, pseudo-identity, random integer, ECC operation, and timestamp are 256 bits, 160 bits, 128 bits 160 bits, 320 bits, and 32 bits, respectively. The communication cost of schemes [17,19,20,27,32,33,35], [PSL-IoD] is computed as 2176 bits, 2336 bits, 2496 bits, 3292 bits, 2560 bits, 3008 bits, 1824 bits, and 2528 bits, respectively. Our scheme requires lesser communication cost in comparison with [19,32,33]. Although schemes [17,20,27,35] take less communication overhead than PSL-IoD, these schemes are prone to many security limitations as depicted in Table 6. Figure 8 depicts total energy cost, i.e., energy consumption for computation and communication, in millijoules (mJ) by considering the estimated energy cost per byte as computed in [39,45]. It can be witnessed from this table that besides maintaining a high degree of security, PSL-IoD requires the least energy consumption for computation and communication of bytes in comparison with other related studies.

7. Conclusions

Drones can automate delivery and warehouse operations with least operational overhead. This work suggests the use of PSL-IoD, a lightweight and provably secure authentication protocol specifically designed for smart logistics environment. The customer can monitor package delivery status through a real-time tracking process by initiating PSL-IoD. The PSL-IoD generates a mutually agreed session between ultimate user and drone with embedded PUF to settle the authenticated last-mile delivery process in the supply chain management framework. A crucial aspect of the proposed scheme is that it not only ensures resilience from machine learning as well as physical drone capture threats but also supports perfect forward secrecy using low-end symmetric key-based operational primitives. The security features of PSL-IoD are proven under RoR-based random oracle model which ensures that the established session key between the participants is mutually agreed upon and protected from known threats. The performance evaluation exhibits that PSL-IoD is not only secure but also efficient in terms of computational and communicational overheads. The industrial implications of PSL-IoD for smart city managerial administrators are self-evident. In the future, we plan to work on more scalable adaptations of the proposed scheme by considering optimal batch authentication protocol designs for drone interactions with the ground station server.