Next Article in Journal
Finite-Series Solutions of Hybrid PDE Systems for Conditional Moments of Regime-Switching Extended CEV Processes with Applications in Finance
Next Article in Special Issue
Polygon Dissections via Lucas-Inspired Encoding
Previous Article in Journal
MPM-Based Computational Mechanics Method for Tendon-Driven Hyperelastic Robots Under Target Deformations
Previous Article in Special Issue
Limiting the Number of Possible CFG Derivative Trees During Grammar Induction with Catalan Numbers
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Quantum Secure Authentication and Key Exchange Protocol for UAV-Assisted VANETs

School of Computer Engineering, Keimyung University, Daegu 42601, Republic of Korea
*
Author to whom correspondence should be addressed.
Mathematics 2026, 14(5), 820; https://doi.org/10.3390/math14050820
Submission received: 15 January 2026 / Revised: 17 February 2026 / Accepted: 25 February 2026 / Published: 28 February 2026

Abstract

The integration of unmanned aerial vehicles (UAVs) into vehicular ad hoc networks (VANETs) has emerged as a promising solution to overcome the limited coverage of conventional roadside unit (RSU)-based infrastructures. However, UAVs operate in open environments and cannot be fully trusted, while the rapid advancement of quantum computing threatens the long-term security of classical public-key cryptographic systems. As a result, many existing UAV-based VANET authentication schemes face fundamental limitations in future deployments. Most existing schemes either lack post-quantum security or incur excessive computational and communication overhead, making them unsuitable for real-time and high-mobility vehicular environments. In addition, the common assumptions of trusted UAVs do not align with realistic threat models. To address these issues, this paper proposes a lightweight post-quantum authentication and key exchange protocol based on the module learning with errors (MLWE) problem and physically unclonable functions (PUFs). The proposed scheme treats UAVs as untrusted relay nodes and excludes them from session key generation. Its security is evaluated using informal analysis, the real-or-random (RoR) model, BAN logic, and AVISPA, while performance evaluation indicates improved efficiency compared to existing schemes.

1. Introduction

The advancement of quantum computing has demonstrated the potential to solve the integer factorization and discrete logarithm problems that underpin public-key cryptography, as shown by Shor in 1994 [1] and Grover in 1996 [2]. Consequently, there has been an increasing need for research on post-quantum cryptography capable of replacing conventional public-key systems [3,4,5]. Among post-quantum cryptographic schemes, lattice-based cryptography derives its security from the mathematical hardness of high-dimensional lattice problems and offers high computational efficiency since its operations mainly consist of matrix additions and multiplications. Due to its strong resistance to quantum-computer-based attacks as well as its efficiency, lattice-based cryptography is regarded as one of the most promising approaches in modern cryptography [6,7,8,9].
Research on authentication schemes utilizing lattice-based post-quantum cryptography (PQC) is actively progressing across various fields, and among them, vehicular ad hoc networks (VANETs) are regarded as one of the most critical application domains. VANETs are a core component of smart urban transportation systems that enhance traffic efficiency and safety through communication between vehicles and roadside units (RSUs). If security vulnerabilities exist in this network, the entire urban traffic management infrastructure may face serious disruption [10]. For example, replay attacks and Sybil attacks can inject false traffic information into the system, potentially causing large-scale traffic congestion or interfering with the priority routes of emergency vehicles. In addition, eclipse attacks can isolate a specific vehicle from the network and force it to receive incomplete and adversary-manipulated information instead of legitimate data. Such situations may cause autonomous vehicles to make decisions based on incorrect information, which could ultimately lead to severe accidents. Therefore, VANET security is not merely a matter of traffic control but a fundamental requirement that must be ensured to maintain the overall safety and reliability of the urban transportation ecosystem. However, due to the inherent characteristics of VANETs, where vehicles move at high speeds, it is necessary to achieve a balance between security and efficiency by considering not only security but also the suitability for communication scenarios, fast authentication speed, and continuity of network connectivity [11,12,13].
Meanwhile, in addition to security vulnerabilities, the conventional VANET architecture also suffers from structural limitations. Since RSUs are installed at fixed locations, vehicles may move outside the communication coverage of RSUs when road structures change or urban areas expand, which can result in communication failure. Furthermore, if an excessive number of vehicles are concentrated on a particular RSU, communication delays may occur due to increased computational load. In addition, if physically installed RSUs are damaged by disasters, all vehicles within the affected area may experience communication outages. Consequently, although authentication is a highly critical component in VANETs, the current architectural constraints raise the possibility that the authentication process itself may not be performed reliably. To address these problems, an architecture that integrates unmanned aerial vehicles (UAVs) into the VANET environment has been proposed. Unlike fixed RSUs, UAVs can be rapidly deployed to appropriate locations when necessary and can dynamically move according to traffic density and road conditions. As a result, issues such as coverage gaps, overload, and communication failures caused by physical damage to conventional RSUs can be effectively mitigated. Figure 1 schematically demonstrates how these limitations in traditional VANETs can be alleviated through the use of UAVs. UAVs can extend communication coverage, distribute the traffic load of congested RSUs, and temporarily replace malfunctioning or damaged RSUs, thereby enhancing the overall reliability and service continuity of the network [14].
However, UAVs are more vulnerable to threats such as eavesdropping, spoofing, node compromise, and man-in-the-middle (MITM) attacks than traditional RSUs, since they operate in open environments, have limited physical protection, and rely on wireless communication links. Therefore, to integrate UAVs into VANETs, it is essential to develop authentication and key exchange (AKE) mechanisms that are both robust and efficient. Nevertheless, many of the currently proposed schemes still depend on traditional public-key cryptography, which cannot withstand future quantum-computer-based attacks, and they also suffer from insufficient authentication structures between vehicles and UAVs, making them vulnerable to impersonation attacks. Since UAV-assisted vehicular communication must support real-time decision making and high mobility, an AKE protocol must ensure computational efficiency while providing security not only against existing network threats but also against future quantum attacks. Accordingly, this paper proposes an AKE scheme based on module learning with errors (MLWE) that satisfies the characteristics of the VANET environment while providing resilience against future quantum-computer based attacks.

1.1. Contributions

The main contributions of this paper are as follows:
  • We clearly analyze the limitations of the conventional RSU-based VANET architecture and justify the introduction of a UAV-assisted structure as an effective solution.
  • To ensure secure AKE in the proposed architecture, we design an AKE scheme that combines an MLWE-based key encapsulation mechanism (KEM) and a physical unclonable function (PUF), thereby achieving both security and efficiency.
  • We verify the security of the proposed scheme through formal and informal analyses using AVISPA, the real-or-random (RoR) model, and Burrows–Abadi–Needham (BAN) logic.
  • Through a comparative evaluation with existing studies, we demonstrate that the proposed scheme outperforms previous approaches in terms of both security and efficiency.

1.2. Organization

The remainder of this paper is organized as follows. In Section 2, we analyze how UAV-assisted VANETs have evolved through prior research and examine their remaining limitations. In Section 3, we introduce MLWE and PUFs, which are utilized for AKE in the proposed scheme, and we summarize the attack models used for security analysis along with the notation employed throughout this paper. In Section 4, we present the proposed system model and describe the AKE procedures in detail within this model. In Section 5, we analyze the security of the proposed scheme using both informal and formal methods. In Section 6, we evaluate the superiority of the proposed scheme in terms of security features and computational cost by comparing it with existing VANET authentication protocols. Finally, in Section 7, we present the conclusion of this paper and discuss future research directions.

2. Related Works

VANETs are a core enabling technology of intelligent transportation systems (ITSs). However, conventional VANET infrastructures mainly rely on fixed RSUs, which results in limited communication coverage, increased deployment and maintenance costs, and performance degradation in environments with many physical obstacles or high disaster vulnerability. Due to these structural constraints, traditional VANETs face challenges in ensuring large-scale connectivity with high reliability and low latency. As an alternative to overcome these limitations, the integration of UAVs into VANETs, referred to as UAV-assisted VANETs, has been proposed. This approach has emerged as a significant technological advancement that extends communication coverage and enhances network resilience through a mobile aerial infrastructure. Although UAV-assisted VANETs have become an essential component of ITSs due to these advantages, various security limitations have continuously been raised throughout their development.
From 2016 to 2017, research in this area was in its early stage and primarily focused on communication topology and routing management, while security issues were relatively overlooked. Gupta et al. [15] pointed out that UAV networks operate in highly dynamic environments, fundamentally different from traditional MANETs and VANETs, due to rapidly changing topology, intermittent connectivity, and limited energy resources. They argued that such characteristics are difficult to adequately address using existing network architectures alone. However, their study did not propose specific authentication or cryptographic mechanisms. Similarly, Menouar et al. [16] proposed an architecture that utilizes UAVs as an extended infrastructure to support ITS functionalities such as traffic monitoring, law enforcement, and emergency assistance. Nevertheless, security and privacy protection were not reflected as core design considerations and were instead mentioned only as future research directions. As a result, early UAV-VANET studies largely concentrated on expanding connectivity and improving communication efficiency, while failing to sufficiently address threats such as message falsification, location tracking, and unauthorized access.
Since 2018, UAVs have evolved to serve as auxiliary infrastructure supporting the internet of vehicles (IoV), playing a crucial role in various applications such as data collection, communication relaying, and emergency communication. This transition further emphasized the need for secure communication mechanisms; however, concrete and systematic security designs were still insufficient. For example, Ng et al. [17] discussed the use of UAVs as relay nodes to support federated learning in IoV environments, aiming to enhance data reliability and model integrity. Nonetheless, their work did not sufficiently address potential threats such as adversarial data manipulation or eavesdropping.
As UAV-assisted communication technologies continued to expand, security requirements became increasingly critical, and since 2023, cryptography-based approaches have begun to emerge as a major research trend. El-Zawawy et al. [18] proposed an authentication protocol that integrates ECC with blockchain in an attempt to defend against UAV hijacking and data injection attacks. However, the delay and computational overhead introduced by blockchain verification posed limitations to its applicability in real-time vehicular environments. Similarly, the ECC-based mutual authentication scheme proposed by Miao et al. [19] was criticized for its high computational complexity. In addition, the lightweight authentication method introduced by Cui et al. [20], which utilizes chaotic maps and honeywords, still suffered from synchronization failures and reauthentication overhead in highly mobile environments. Consequently, the trade-off between enhanced security strength and real-time performance and energy efficiency became increasingly evident.
Since 2024, research has expanded beyond purely cryptography-centric approaches toward a broader security paradigm that incorporates trust management and privacy protection. Guo et al. [21] designed a zero-trust-based framework that enables continuous trust verification; however, it did not fully resolve issues related to communication overhead caused by frequent reauthentication and concerns regarding personal data collection. More recently, Choi et al. [22] and Lin et al. [23] proposed lightweight security and privacy-preserving mechanisms that combine PUFs with the concept of dynamic identities. Nevertheless, challenges such as synchronization inconsistencies in multi-UAV environments, insider threats, and the lack of standardized key management remain unresolved. In addition, Telikani et al. [24] highlighted that despite the rapid progress of UAV–ITS integration, the absence of unified security standards and interoperable authentication frameworks continues to be a major obstacle to large-scale practical deployment.
In summary, research on UAV-assisted VANETs has gradually evolved from its initial focus on extending connectivity and designing network architectures to a security-oriented direction that encompasses cryptography-based authentication schemes, trust management, and privacy-preserving mechanisms. However, a lightweight and highly reliable security framework that simultaneously satisfies the characteristics of UAV environments, including real-time constraints, high mobility, and resource limitations, has not yet been fully established. Moreover, the lack of unified security standards and interoperability issues remains a significant barrier to practical deployment. In addition, most existing studies rely on classical public-key cryptographic systems such as ECC, and therefore fail to address the fundamental vulnerabilities that arise in quantum computing environments. Considering these factors, it is essential to develop a new security framework for UAV-assisted VANETs that ensures lightweight operation, real-time performance, and scalability, while also maintaining a stable level of security in the post-quantum era. To meet this need, this study focuses on the design of quantum-resistant security mechanisms for UAV-assisted VANET environments and aims to address the limitations of existing security research.
Table 1 summarizes the previously discussed studies on UAV-assisted VANETs, providing an overview of the technological development trends in this field and the limitations of existing security research.

3. Preliminaries

3.1. MLWE

Lattice-based cryptography originates from the learning with errors (LWE) problem proposed by Regev [25], whose average-case hardness is reducible to worst-case lattice problems such as SVP and SIVP. However, conventional LWE-based schemes suffer from inefficiencies due to high-dimensional matrix operations, which motivated the introduction of the ring learning with errors (RLWE) problem by Peikert [26] to improve efficiency using polynomial ring structures. Despite its efficiency benefits, the ring structure in RLWE introduces additional algebraic constraints that may raise concerns regarding structural attacks and limit flexibility in cryptographic design. MLWE further generalizes both LWE and RLWE, providing a flexible framework that balances security and efficiency by combining the matrix-based structure of LWE with the ring structure of RLWE. Langlois and Stehlé [27] showed that MLWE admits average-case to worst-case reductions over standard lattice problems and naturally reduces to RLWE when k = 1 and to LWE when R q = Z q .

3.1.1. Definition of the MLWE Problem

The MLWE problem is parameterized by ( n , q , k , χ ) over the polynomial ring R q = Z q [ X ] / ( X n + 1 ) . Here, n denotes the degree of the polynomial ring, q is a prime modulus that defines the finite field over which the polynomial coefficients are represented, k denotes the dimension of the polynomial vector, and  χ specifies the probability distribution from which the error terms are sampled. Let A R q k × k be sampled uniformly at random, and let secret vectors s and error vectors e be sampled from the distribution χ . The MLWE assumption states that distinguishing valid MLWE samples ( A , A s + e ) from uniformly random samples is computationally infeasible. The hardness of MLWE relies on worst-case lattice problems, providing strong security guarantees in the post-quantum setting.

3.1.2. Crystals-Kyber KEM

In this paper, in order to design the proposed protocol based on the security of MLWE, we adopt the MLWE-based KEM construction proposed in Crystals-Kyber [28]. Crystals-Kyber was ultimately selected as the standard algorithm for the KEM mechanism in the NIST PQC standardization process, and its security and efficiency have been extensively evaluated.
A KEM is a technique that enables two parties to securely establish a shared secret using an asymmetric cryptographic system. According to the official specification, Crystals-Kyber achieves IND-CCA2 (indistinguishability under adaptive chosen-ciphertext attack) security by applying the Fujisaki–Okamoto (FO) transformation to a public-key encryption scheme that is IND-CPA (indistinguishable under chosen-plaintext attack) secure.
Crystals-Kyber consists of the following procedures: key generation, encapsulation, and decapsulation.
  • Key generation: Secret vectors s , e χ k are sampled, and for a random matrix A R q k × k , the following values are computed:
    t = A · s + e , p k = ( A , t ) , s k = s
  • Encapsulation: Using the receiver’s public key p k = ( A , t ) , the sender performs the following procedure. A random message m { 0 , 1 } l is chosen, and  r , e 1 , e 2 χ k are sampled. Then, the following values are computed:
    u = A · r + e 1 , v = t · r + e 2 + Encode ( m )
    Here, u acts as a noise-based random component, while v is responsible for hiding the message. These two values together form the ciphertext, transmitted as
    c t = ( u , v ) , S K = H ( m )
  • Decapsulation: The receiver recovers the message using the secret key s by computing
    m = Decode ( v u · s ) , S K = H ( m )

3.1.3. Message Encoding and Decoding

In Crystals-Kyber schemes, the message m is not encrypted directly. Instead, it is embedded into the Z q domain and included within the ciphertext. The following encoding and decoding functions are used for this purpose. These transformations improve the robustness of message recovery in the presence of noise and enable secure and efficient session key agreement without requiring a reconciliation step.
  • Encode: Each bit m i of the binary message m { 0 , 1 } is mapped as follows:
    Encode ( m i ) = 0 if m i = 0 q 2 if m i = 1
  • Decode: For each polynomial coefficient x Z q obtained during decryption, the following threshold function is applied to recover the corresponding binary value:
    Decode ( x ) = 1 if x q 4 0 otherwise

3.2. Physical Unclonable Function

A PUF, which is designed as a hardware-based one-way hash function, is a physical microstructure characterized by low computational requirements. A PUF generates unique input–output pairs, referred to as challenge–response pairs, that are inherently formed during the fabrication process of semiconductors and integrated circuits. Recently, PUFs have been widely adopted as a key enabling technology to strengthen authentication and key management mechanisms in various lightweight security environments, including IoT, VANETs, drone networks, and wireless medical sensor networks. PUFs generate responses to given challenges by exploiting inherent, device-specific physical variations, typically using a random bit string as the challenge input. Because the fabrication process introduces uncontrollable randomness—even from the manufacturer’s perspective—exact replication is extremely difficult [29,30,31]. Consequently, each PUF produces a distinctive response to the same challenge, and PUFs are widely regarded as resistant to cloning, thereby helping to mitigate attacks such as device replication and physical capture [32].
However, when PUF stability is limited, environmental conditions (e.g., temperature or voltage fluctuations) can affect response reproducibility. To address this issue, several classes of so-called ideal PUFs have been proposed to improve stability across wide operating ranges. For instance, certain designs exploit the randomness of soft gate-oxide breakdown locations or deliberately introduced permanent physical defects to yield more stable responses [33,34]. By adopting such ideal PUF designs, it is possible to reduce computational and storage overhead and to lessen dependence on stability-enhancement mechanisms, such as helper data or fuzzy extractors [35], while still maintaining practical deployability [36].
In this paper, the challenge value is denoted as C H and the corresponding response value as R E , which is expressed as R E = P U F ( C H ) . The fundamental properties of PUFs are as follows.
  • A PUF is a hardware circuit that cannot be cloned, and there exists no P U F ( C H ) such that P U F ( C H ) = P U F ( C H ) .
  • Although P U F ( C H ) = R E can be easily computed, predicting R E for a given C H within polynomial time is computationally infeasible.
  • The output of a PUF is statistically unpredictable. By exploiting the inherent physical randomness of PUFs, intrusive physical attacks can be effectively mitigated.

3.3. Adversary Model

To evaluate the security of the proposed scheme, we adopt the Dolev–Yao (DY) model [37], which is a standard adversarial model in network security analysis. The DY model assumes that an adversary has complete control over the public communication channel, making it well suited for analyzing open and dynamic wireless VANET environments. The specific capabilities and assumptions of the adversary are described as follows.
  • The adversary can eavesdrop on, intercept, modify, delete, and replay all messages transmitted over the wireless communication channel. In addition, the adversary can disrupt ongoing sessions or actively initiate new sessions.
  • The adversary may register as a legitimate user within the network and communicate lawfully with other nodes. Furthermore, based on collected information, the adversary may impersonate a vehicle, UAV, or RSU to participate in the authentication procedure or generate forged messages.
  • The adversary may physically capture a vehicle’s on-board unit (OBU) or a UAV and attempt to extract stored internal information. Therefore, resistance against physical capture attacks is also considered.
  • Although the UAV performs message-relaying and verification functions, it is not assumed to be fully trusted. That is, the UAV is considered a potential attack vector that may behave maliciously or leak stored data. However, by design, the UAV is strictly prevented from directly accessing core secret information, such as users’ real identities or session keys.
  • The adversary may obtain encrypted messages; however, under the assumption of a secure public-key cryptosystem, the adversary cannot recover the plaintext without possessing the corresponding decryption key.
  • The adversary may perform offline guessing attacks, such as repeated hash computations, based on captured messages. Nevertheless, the protocol is designed such that user identity information and secret values are not simultaneously exposed, and disclosure of a single piece of information does not enable the recovery of meaningful secret data.
It is further assumed that the trusted authority is not compromised and that the underlying cryptographic primitives, such as the employed public-key encryption and hash functions, are secure. Attacks targeting physical-layer communication, including jamming or denial-of-service (DoS), as well as side-channel attacks are considered beyond the scope of this work.

3.4. Notation

Table 2 summarizes the notation and symbols used throughout the proposed protocol.

4. Proposed Scheme

We aim to overcome the limitations of conventional public-key cryptographic systems under quantum computing threats and to establish a secure and efficient AKE mechanism for UAV-assisted VANETs. To achieve this objective, we adopt an MLWE-based KEM to ensure resistance against quantum attacks, while maintaining lightweight operation and real-time communication performance suitable for the dynamic characteristics of VANETs. In this section, we first present the overall architecture of the proposed system and the roles of the participating entities. We then describe the initialization and registration procedures, followed by the detailed AKE execution process.

4.1. Communication Entities

The descriptions of the entities participating in the communication are as follows.

4.1.1. Trusted Authority

The trusted authority (TA) is responsible for system initialization and the registration procedures of RSUs, UAVs, and vehicles. The TA distributes the essential parameters that each entity must possess for AKE. Any entity that intends to participate in communication must complete the registration process through the TA before engaging in legitimate communication.

4.1.2. Roadside Units

RSUs are essential infrastructure installed along roadways to enable real-time communication with vehicles. However, they are vulnerable to physical attacks, may be damaged in disaster or emergency situations, and their fixed deployment makes it difficult to adjust coverage. To address these limitations, UAVs can be utilized as auxiliary communication support units. When vehicles receive messages relayed by UAVs, rigorous authentication is required to ensure the reliability of the transmitted information, since inadequate authentication may allow adversaries to introduce malicious UAVs that are difficult to distinguish from legitimate ones. Meanwhile, even when UAVs assist communication, the responsibility for processing vehicular information still remains with the RSUs, and therefore RSUs continually perform the role of establishing session keys with vehicles.

4.1.3. Unmanned Aerial Vehicles

UAVs are employed as auxiliary devices in situations where RSUs are unable to maintain communication or require additional support, and they function as relays that forward messages received from vehicles to the RSUs. However, similar to RSUs, UAVs are vulnerable to physical attacks. Therefore, sensitive or confidential information is not stored on UAVs, and since the RSUs are the final recipients of the messages, UAVs cannot access or interpret their contents. Consequently, UAVs only assist in the authentication process between vehicles and RSUs and do not participate in session key generation.

4.1.4. Vehicles

All vehicles are equipped with an OBU and can participate in communication after completing the user login process using the information obtained during registration. As the entity responsible for establishing the session key with the RSU, the vehicle initiates the entire session. Since UAVs are regarded as untrusted entities, the real identity of the vehicle is protected during the authentication process, and only the RSU is able to verify it. Ultimately, the session key is exclusively established between the vehicle and the RSU, ensuring that the UAV is completely excluded from the key exchange process.
Figure 2 illustrates the overall system architecture. It shows how the TA, RSUs, UAVs, and vehicles interact with each other through the initialization, registration, and authentication processes.

4.2. Initialization Phase

Before the entire network begins operation, the TA performs an initialization process to configure the public parameters required for secure communication. Figure 3 shows the initialization process of the TA, and the detailed procedure is as follows. The TA first selects a public matrix A R q k × k and a cryptographic hash function h : 0 , 1 * 0 , 1 k , which maps an input of arbitrary length to a fixed-length output. Then, the TA samples the secret key and error vector s , e χ k and computes the corresponding public key as P = A · s + e . After completing these steps, the TA publishes the system parameters A , h ( · ) , P , χ k , so that they can be used by all network entities.

4.3. Registration Phase

All RSUs, UAVs, and vehicles that intend to participate in communication are required to complete a registration process with the TA.

4.3.1. RSU Registration

The registration process of the RSU is illustrated in Figure 4, and the detailed procedure is as follows.
Step 1: 
The RSU R l selects a unique identifier R I D l and randomly samples two vectors s l and e l from the distribution χ k . It then computes P l = A · s l + e l . The pair { R I D l , P l } is transmitted to the TA through a secure channel.
Step 2: 
Upon receiving R I D l from R l , the TA generates a challenge value C H l and sends it to R l via a secure channel.
Step 3: 
After receiving the challenge value C H l , R l generates the response R E l = P U F ( C H l ) using its internal PUF. To conceal the secret key, R l computes S l = s l R E l . Finally, R l stores the set { R I D l , C H l , P l , S l } for future authentication and verification.

4.3.2. UAV Registration

The registration process of the UAV is illustrated in Figure 5, and the detailed procedure is as follows.
Step 1: 
The UAV U j selects a unique identifier U I D j and generates a challenge value C H j . By applying C H j to its internal PUF, U j generates the response R E j = P U F ( C H j ) . Using this response, U j computes Z j 1 = h ( U I D j R E j ) . The computed pair { U I D j , Z j 1 } is then transmitted to the TA through a secure channel.
Step 2: 
Upon receiving { U I D j , Z j 1 } from U j , the TA generates a random nonce n j and forwards the set { U I D j , Z j 1 , n j } to R l . After receiving it, R l computes the PUF response R E l = P U F ( C H l ) and then calculates Z j 2 = h ( U I D j n j R E l s l ) . In addition, R l generates Z j 3 = ( n j Z j 1 ) h ( R E l s l ) and stores the tuple { U I D j , Z j 3 } for subsequent authentication.
Step 3: 
The TA sends Z j 2 received from R l to U j . The UAV then computes Z j 4 = Z j 1 Z j 2 and stores the set { U I D j , C H j , Z j 4 } to complete the registration procedure.

4.3.3. Vehicle Registration

The vehicle registration process is shown in Figure 6, and the detailed procedure is as follows.
Step 1: 
The vehicle V i selects a unique identifier V I D i and sends it to the TA through a secure channel.
Step 2: 
Upon receiving V I D i , the TA generates a random nonce n i and forwards the set { V I D i , n i } to the RSU R l . Then, R l applies the challenge C H l to its PUF to obtain the response R E l = P U F ( C H l ) . Using this response, R l computes Z i 1 = n i h ( V I D i R E l ) and stores the pair { V I D i , Z i 1 } for subsequent authentication.
Step 3: 
The TA sends the received n i to V i . The vehicle then generates a random value s i and a challenge C H i , and computes the corresponding PUF response R E i = P U F ( C H i ) . It then calculates Z i 2 = n i h ( R E i s i ) and derives S i = s i R E i . Finally, V i stores the set { V I D i , C H i , Z i 2 , S i } to complete the registration procedure.

4.4. Authentication and Key Exchange Phase

The vehicle must establish a session key with the RSU while receiving relay support from the UAV for data transmission, and the protocol is designed to enable mutual authentication among the RSU, UAV, and vehicle to ensure secure communication. The AKE procedure is illustrated in Figure 7, and the detailed process is described as follows.
Step 1: 
The vehicle V i computes the PUF response R E i = P U F ( C H i ) using its identifier V I D i as input, and derives S i = s i R E i and n i * = Z i 2 h ( R E i s i ) . It then generates random vectors r i , t i 1 , t i 2 χ k and a message m i { 0 , 1 } k . After generating a timestamp T S 1 , the following computations are performed: u i = A T · r i + t i 1 , v i = P i · r i + t i 2 + E n c o d e ( m i ) , c i = ( u i , v i ) , and  k i = h ( m i ) . The vehicle then computes T I D i = V I D i h ( k i T S 1 ) , V 1 = h ( V I D i n i n i * k i T S 1 ) , V 2 = h ( T I D i U I D j n i ) , and  N 1 = n i h ( V I D i n i k i T S 1 ) . Finally, V i sends { T I D i , c i , V 1 , V 2 , N 1 , T S 1 } to U j .
Step 2: 
Upon receiving the message, U j first verifies the validity of T S 1 and then generates its own timestamp T S 2 . It subsequently computes R E j = P U F ( C H j ) , Z j 1 * = h ( U I D j R E j ) , and  Z j 2 * = Z j 3 Z j 1 * . Next, it computes V 3 = h ( T I D i U I D j V 1 Z j 2 * T S 2 ) . Finally, U j forwards the set { T I D i , U I D j , c i , V 3 , N 1 , T S 1 , T S 2 } to the RSU R l .
Step 3: 
Upon receiving the request, R l verifies the timestamp T S 2 and computes its PUF response R E l = P U F ( C H l ) . It then derives S i * = S l R E l , n i = Z j 3 h ( R E l s l ) , and  Z j = h ( U I D j n i R E l s l ) . After that, R l computes V 3 * = h ( T I D i U I D j V 1 Z j T S 2 ) and checks whether V 3 * = V 3 . If the verification is successful, R l generates the session key S K = h ( V I D i U I D j R I D l n i k i T S 3 ) , computes N 2 = n i * h ( Z j T S 3 ) , and generates V 4 = h ( R I D l U I D j Z j n i * T S 3 ) and V 5 = h ( R I D l V I D i S K T S 3 ) . Finally, R l sends { R I D l , N 2 , V 4 , V 5 , T S 3 } to U j .
Step 4: 
After receiving the message, U j first verifies T S 3 , and then computes n i = N 2 h ( Z j T S 3 ) and V 4 * = h ( R I D l U I D j Z j n i T S 3 ) to verify whether V 4 * = V 4 . It also computes V 2 * = h ( T I D i U I D j n i ) and checks whether V 2 * = V 2 . If all verifications are successful, U j generates a new timestamp T S 4 and computes V 6 = h ( T I D i U I D j n i V 5 T S 4 ) . It then sends { R I D l , U I D j , V 5 , V 6 , T S 4 } to V i .
Step 5: 
Finally, V i verifies the freshness of T S 4 and computes V 6 * = h ( T I D i U I D j n i V 5 T S 4 ) to check whether V 6 * = V 6 . If the verification succeeds, the vehicle derives the session key S K * = h ( V I D i U I D j R I D l n i k i T S 3 ) and computes V 5 * = h ( R I D l V I D i S K * T S 3 ) to verify whether V 5 * = V 5 . Once all verification steps are successfully completed, mutual authentication among V i , U j , and  R l is achieved. Thereafter, a secure session key is successfully established between V i and R l , ensuring confidential communication.

4.5. Vehicle Revocation

The proposed scheme provides robust resistance against various network and physical attacks by utilizing Crystals-Kyber KEM and PUF. However, practical deployment requires consideration of additional threat scenarios, such as physical OBU damage, UAV capture, PUF spoofing, and long-term secret leakage. To address these issues, we define a dynamic revocation mechanism.
In this framework, a vehicle V i is designated for revocation if it meets any of the following criteria: (1) extraction of internal stored values due to OBU theft or damage; (2) compromise of long-term secret information; (3) repeated inconsistencies in PUF responses to the same challenge indicating hardware unreliability; or (4) repeated transmission of false information and violations of network operational policies.
Vehicles identified by these conditions are registered in a revocation list ( R L ) managed by the T A , with the specific procedure for revocation and authentication filtering detailed in Algorithm 1. During the authentication and key establishment process, the  R S U verifies the vehicle’s identity. If  V i is found to be compromised, the  R S U immediately sends a revocation request containing V I D i to the T A . Upon receipt, the  T A updates the R L and distributes it to all R S U s . Subsequently, any R S U performing authentication cross-references the R L ; if V I D i is present, the process is terminated, and the request is rejected to ensure network integrity.
Algorithm 1 Vehicle Authentication and Dynamic Revocation Procedure
Require: 
V i , R S U , T A , R L
Ensure: 
Session Key S K or V I D i added to R L
  1:
Step 1: Vehicle Authentication Request
  2:
V i sends authentication request with V I D i to R S U .
  3:
Step 2: RL Verification (by RSU)
  4:
if   V I D i R L   then
  5:
    R S U rejects the request and terminates the session. {Vehicle is revoked}
  6:
else
  7:
    R S U proceeds with authentication.
  8:
   Step 3: Authentication and Anomaly Detection
  9:
   if Authentication is successful and No malicious behavior detected then
10:
      R S U and V i establish Session Key S K .
11:
     Service granted to V i .
12:
   else
13:
     {Condition: PUF mismatch, OBU compromise, or protocol violation}
14:
      R S U identifies V i as a malicious/compromised vehicle.
15:
      R S U T A : { V I D i ,   Revocation_Request }
16:
   end if
17:
end if
18:
Step 4: RL Update and Distribution (by TA)
19:
if   T A receives Revocation Request for V I D i  then
20:
    T A updates Revocation List: R L R L { V I D i } .
21:
    T A broadcasts the updated R L to all R S U s in the network.
22:
end if

5. Security Analysis

In this section, we analyze the robustness and mutual authentication guarantees of the proposed scheme against various attacks based on informal analysis, the RoR model, BAN logic, and AVISPA.

5.1. Informal Analysis

5.1.1. Replay Attack

Under the Dolev–Yao model, an adversary A can intercept, store, and replay previously transmitted messages over the public channel. For instance, A may replay the message { T I D i , c i , V 1 , V 2 , N 1 , T S 1 } in a different session in an attempt to impersonate V i . However, the protocol binds all authentication tokens to fresh timestamps and session-specific nonces. In particular, T I D i = V I D i h ( k i T S 1 ) , V 1 = h ( V I D i n i n 1 k i T S 1 ) , and N 1 = n 1 h ( V I D i n i k i T S 1 ) . Therefore, T I D i , V 1 , and N 1 are tightly coupled with the session timestamp T S 1 and nonce n 1 . If A replays an old message, the freshness check of T S 1 fails. Even if A attempts to manipulate T S 1 , the hash bindings involving k i , n i , and V I D i will not be satisfied, causing verification failure. Similarly, later messages such as { R I D l , N 2 , V 4 , V 5 , T S 3 } and { R I D l , U I D j , V 5 , V 6 , T S 3 , T S 4 } are also bound to fresh timestamps and session-dependent secrets. Hence, previously captured messages cannot be reused in subsequent sessions, and the protocol is secure against replay attacks.

5.1.2. MITM Attack

An adversary A may attempt a man-in-the-middle attack by intercepting and modifying the exchanged messages among V i , U j , and R l . However, mutual authentication and session key establishment ultimately depend on the MLWE-derived shared secret k i . Specifically, V i generates a random message m i and computes k i = h ( m i ) , transmitting the ciphertext c i = ( u i , v i ) . The RSU R l recovers m i * = D e c o d e ( v i u i T · s l * ) using its private key s l , and then computes k i * = h ( m i * ) . The session key is derived as S K = h ( V I D i * U I D j R I D l n 1 * k i * T S 3 ) . Without the legitimate private key s l , an adversary cannot recover m i or derive k i . Any modification of c i results in an invalid k i , which consequently invalidates S K and the authentication tokens V 4 , V 5 , and V 6 . Since forging a consistent session requires solving the underlying MLWE problem or recovering s l , which is computationally infeasible, the protocol is secure against MITM attacks.

5.1.3. Insider Attack

A malicious insider who has completed registration may attempt to exploit stored registration information together with observed protocol messages to derive authentication credentials or session keys. In the proposed protocol, the authentication parameter n i is protected by the vehicle’s PUF. It is reconstructed during authentication as R E i * = P U F ( C H i ) and n i * = Z i 2 h ( R E i * S i ) . Since R E i * cannot be reproduced without access to the physical PUF device, n i cannot be reconstructed from registration records alone. Furthermore, the session secret k i = h ( m i ) is derived from m i , which is encapsulated in c i = ( u i , v i ) and recoverable only through MLWE decapsulation using the RSU private key s l . Without s l , an insider cannot obtain m i or k i . Because the session key S K = h ( V I D i * U I D j R I D l n 1 * k i * T S 3 ) depends on both n i -related values and k i , an insider observing protocol messages cannot derive a valid session key. Therefore, the protocol is secure against insider attacks.

5.1.4. Privileged Insider Attack

A privileged insider with access to stored registration data such as { R I D l , P l , U I D j , Z j 1 , V I D i } may attempt to exploit this information to impersonate entities or derive session secrets. However, these stored parameters do not include runtime secrets or PUF-derived responses. The authentication parameter n i depends on R E i * = P U F ( C H i ) and n i * = Z i 2 h ( R E i * S i ) , which require access to the legitimate physical PUF. Similarly, the session secret k i = h ( m i ) is derived from m i , encapsulated in c i = ( u i , v i ) and recoverable only through MLWE decapsulation using the private key s l . Since s l is not stored in registration records and cannot be derived from public information, k i , and consequently S K , cannot be computed. Therefore, even a privileged insider with access to registration data cannot reconstruct authentication tokens or establish a valid session key. The protocol is secure against privileged insider attacks.

5.1.5. Vehicle Impersonation Attack

An adversary may attempt to impersonate a vehicle by forging the message { T I D i , c i , V 1 , V 2 , N 1 , T S 1 } . However, such an attempt cannot succeed due to the cryptographic dependencies embedded in these values. The verifier V 1 is computed as V 1 = h ( V I D i n i n 1 k i T S 1 ) , where n i is protected by the vehicle’s PUF and recovered through R E i * = P U F ( C H i ) and n i * = Z i 2 h ( R E i * S i ) . Since the adversary cannot reproduce the PUF response R E i * , it cannot derive the correct n i . Furthermore, T I D i is generated as T I D i = V I D i h ( k i T S 1 ) , which binds the true identity V I D i to the session secret k i . Without knowledge of V I D i and k i , the adversary cannot construct a valid T I D i . Because both n i and V I D i remain unknown to the adversary, it is infeasible to compute a valid V 1 or related authentication tokens. Any forged message will therefore fail the verification procedures, and the proposed protocol is secure against vehicle impersonation attacks.

5.1.6. UAV Impersonation Attack

An adversary may attempt to impersonate a UAV by forging the message { T I D i , U I D j , c i , V 1 , V 3 , N 1 , T S 1 , T S 2 } . However, the computation of V 3 requires the value Z j 2 * , which is derived from the PUF response R E j * = P U F ( C H j ) . Specifically, Z j 1 * = h ( U I D j R E j * ) and Z j 2 * = Z j 4 Z j 1 * , and V 3 is computed as V 3 = h ( T I D i U I D j V 1 Z j 2 * T S 2 ) . Since the adversary cannot obtain the legitimate PUF response R E j * , it cannot construct a valid Z j 2 * and consequently cannot generate a correct V 3 . Therefore, any forged UAV message will fail the RSU’s verification, and the proposed protocol is secure against UAV impersonation attacks.

5.1.7. RSU Impersonation Attack

An adversary may attempt to impersonate an RSU by forging the message { R I D l , N 2 , V 4 , V 5 , T S 3 } . The values V 4 and N 2 depend on Z j 1 , which can only be derived through either the UAV’s PUF or the RSU’s PUF. Moreover, computing V 5 requires knowledge of the session key S K , and the construction of S K depends on k i , which is derived from n i , obtained via the vehicle or RSU PUF, and the RSU’s private key s l . Since s l is protected by the RSU’s PUF, the adversary cannot recover k i or S K . Therefore, the proposed protocol is secure against RSU impersonation attacks.

5.1.8. Vehicle Theft Attack

If an adversary physically steals a vehicle, they may extract stored data { V I D i , C H i , Z i 2 , S i } through invasive or exhaustive extraction techniques. However, the long-term secret information required for authentication remains protected by the vehicle’s PUF. In particular, during authentication the vehicle reconstructs R E i * = P U F ( C H i ) and derives n i * = Z i 2 h ( R E i * S i ) (and similarly recovers s i * from S i R E i * ). Even if C H i , Z i 2 , and S i are exposed, an adversary cannot reproduce the correct PUF response R E i * without access to the genuine unclonable PUF, and thus cannot reconstruct valid n i (or related authentication materials). Consequently, the extracted data cannot be exploited to compute valid authenticators such as V 1 = h ( V I D i n i n 1 k i T S 1 ) or to impersonate V i in the AKE phase. Therefore, the proposed protocol is secure against vehicle theft attacks.

5.1.9. UAV Capture Attack

An adversary may physically capture a UAV and extract the stored items { U I D j , C H j , Z j 4 } . However, the captured data alone is insufficient to forge valid UAV-side authentication tokens. In the proposed protocol, the UAV computes R E j * = P U F ( C H j ) and derives Z j 1 * = h ( U I D j R E j * ) , then obtains Z j 2 * = Z j 4 Z j 1 * , which is required to generate V 3 = h ( T I D i U I D j V 1 Z j 2 * T S 2 ) . Without the genuine PUF response R E j * , an adversary cannot compute Z j 1 * and thus cannot recover Z j 2 * from Z j 4 . As a result, any attempt to forge { T I D i , U I D j , c i , V 1 , V 3 , N 1 , T S 1 , T S 2 } will fail the RSU verification of V 3 . Therefore, the proposed protocol is resistant to UAV capture attacks.

5.1.10. RSU Table Leakage Attack

An adversary may attempt to extract the table stored in the RSU, i.e., { R I D l , C H l , P l , S l , U I D j , Z j 3 , V I D i , Z i 1 } . Nevertheless, leaking these stored parameters does not enable the adversary to reconstruct the secret values required for authentication or to derive the session key. In the AKE phase, the RSU derives PUF-dependent secrets by computing R E l * = P U F ( C H l ) and recovering s l * = S l R E l * , and it further computes Z j 2 * * = h ( U I D j n j * R E l * s l * ) to verify V 3 via V 3 * = h ( T I D i U I D j V 1 Z j 2 * * T S 2 ) . Moreover, the RSU must decapsulate the MLWE ciphertext by computing m i * = D e c o d e ( v i u i T · s l * ) and k i * = h ( m i * ) , which are subsequently used to derive S K = h ( V I D i * U I D j R I D l n 1 * k i * T S 3 ) . Since the critical PUF response R E l * cannot be derived from C H l alone and the private key material s l * cannot be reconstructed without R E l * , the adversary cannot compute valid authentication tokens or the session key using only the leaked table information. Therefore, the proposed scheme is secure against RSU table leakage attacks.

5.1.11. Session Key Disclosure Attack

An adversary may attempt to recover the session key by combining previously obtained information with values observed over the public channel. In the proposed protocol, the session key is computed as S K = h ( V I D i * U I D j R I D l n 1 * k i * T S 3 ) , where the critical component k i * is established through the MLWE-based KEM. Specifically, k i * = h ( m i * ) and m i * = D e c o d e ( v i u i T · s l * ) , which requires the RSU’s private key s l * to decapsulate the ciphertext c i = ( u i , v i ) . Since s l * is protected via the RSU’s PUF by s l * = S l R E l * with R E l * = P U F ( C H l ) , an adversary observing c i and public transcripts cannot reconstruct s l * and thus cannot obtain m i * or k i * . Furthermore, n 1 * is also entangled with the authenticated transcript through N 1 = n 1 h ( V I D i n i k i T S 1 ) and subsequent verifications, preventing an attacker from substituting values to derive a consistent S K . Therefore, under the assumed security of the MLWE problem and the unclonability of the PUF, neither passive observation nor combined attacks enable session key disclosure.

5.1.12. Key-Compromise Impersonation Attack

Consider the compromise of vehicle-side secrets such as n i or s i belonging to V i . An adversary may attempt to use these leaked values to impersonate an RSU or UAV toward V i , or to forge valid authentication messages. However, establishing a valid session still requires the computation of k i , which is derived as k i = h ( m i ) , where m i is encapsulated in the MLWE ciphertext c i = ( u i , v i ) . Recovering m i requires decapsulation using the RSU private key s l via m i * = D e c o d e ( v i u i T · s l * ) . Since s l * is protected through the RSU’s PUF by s l * = S l R E l * with R E l * = P U F ( C H l ) , an adversary cannot derive k i without access to the legitimate RSU device. Moreover, the session key is computed as S K = h ( V I D i * U I D j R I D l n 1 * k i * T S 3 ) , which depends on k i . Therefore, even if n i or s i are compromised, the adversary cannot impersonate another entity toward V i without knowledge of k i . Hence, under the assumption that PUF-protected private keys remain secure, the protocol is resistant to KCI attacks.

5.1.13. Anonymity

In the proposed protocol, the vehicle communicates using a temporary identifier T I D i derived as T I D i = V I D i h ( k i T S 1 ) . Since k i is a session-dependent secret established via the MLWE-based KEM and known only to V i and R l , the real identity V I D i is never transmitted over the public channel. Because recovering V I D i from T I D i requires knowledge of k i , which in turn depends on the RSU’s private key, external observers cannot obtain the true identity of the vehicle. Therefore, the protocol provides anonymity for participating vehicles.

5.1.14. Untraceability

The pseudonym T I D i is generated using session-specific values k i and T S 1 , both of which are freshly generated in each session. Since k i changes due to new randomness in m i and the MLWE encapsulation, and T S 1 varies per session, T I D i is unlinkable across different sessions. Consequently, an external adversary observing multiple protocol executions cannot correlate different T I D i values to the same V I D i . Therefore, the proposed protocol achieves untraceability for vehicular communications.

5.1.15. Conditional Traceability

Although a fresh pseudonym T I D i is generated in each session to ensure anonymity and unlinkability, the RSU retains the capability to trace a pseudonym to the real identity when necessary. Since the RSU participates in the MLWE decapsulation process to recover m i * and compute k i * , it can derive V I D i * = T I D i h ( k i * T S 1 ) during authentication. Thus, in the event of malicious behavior, the RSU can correlate authentication transcripts with stored secret information and recover the true identity of the vehicle. This mechanism enables conditional traceability while preserving privacy under normal operation.

5.1.16. Perfect Forward Secrecy

All session-specific secrets in the AKE phase are freshly generated. The value m i is randomly chosen in each session, leading to a fresh k i = h ( m i ) . The nonce n 1 and timestamps such as T S 3 are also newly generated. Since the session key S K = h ( V I D i * U I D j R I D l n 1 * k i * T S 3 ) depends on fresh randomness and on k i , which is derived from the MLWE encapsulation process, compromise of long-term stored data or previous session keys does not enable an adversary to derive future session keys. Therefore, the protocol achieves perfect forward secrecy under the MLWE hardness assumption.

5.1.17. Key Freshness

The session key is computed as S K = h ( V I D i * U I D j R I D l n 1 * k i * T S 3 ) , where n 1 * , k i * , and T S 3 are session-dependent values. The nonce n 1 is randomly generated in each execution, and k i is derived from a freshly chosen m i encapsulated through MLWE. Because these inputs are independently regenerated in every session, each instance of S K is independent from previous session keys. This prevents key reuse and ensures that compromise of one session does not affect others. Hence, the protocol guarantees key freshness.

5.1.18. Mutual Authentication

Three-party mutual authentication is achieved through the verification of hash-based authenticators. The RSU authenticates V i and U j by verifying V 1 and V 3 . The UAV authenticates V i and R l through verification of V 2 and V 4 . Finally, the vehicle authenticates U j and R l by verifying V 5 and V 6 . Each authentication token is bound to session-specific nonces and timestamps, such as V 1 = h ( V I D i n i n 1 k i T S 1 ) and V 6 = h ( T I D i U I D j n 1 V 5 T S 4 ) . Long-term secrets involved in these computations are protected by PUF-derived responses and private keys. Consequently, only legitimate entities can produce valid authenticators, and the protocol ensures secure three-party mutual authentication.

5.2. Formal Analysis Using AVISPA

To formally verify the proposed protocol, we employ AVISPA [38], a widely used tool for security evaluation. AVISPA is a well-known simulation framework for verifying the security of internet protocols and applications, and it is particularly effective in assessing vulnerabilities such as replay attacks and MITM attacks. The tool uses code written in the high-level protocol specification language (HLPSL) and supports four backend verification engines: the constraint-logic-based attack searcher (CL-AtSe), the on-the-fly model checker (OFMC), the SAT-based model checker (SATMC), and the tree automata-based protocol analyzer (TA4SP). For security property evaluation, HLPSL code is first translated into an intermediate format using the HLPSL2IF translator, after which the backend models perform formal verification.
To validate the security properties of the proposed protocol, the communication procedures described in Section 4 were implemented in HLPSL. Each participating entity (vehicle, UAV, and RSU) was modeled according to its defined operations in the AKE process. The corresponding HLPSL code for each entity is presented in Figure 8.
In this paper, the OFMC and CL-AtSe backend modules were used to simulate the proposed scheme. Figure 9 presents the simulation results, demonstrating that the outputs of both the OFMC and CL-AtSe backend models are classified as SAFE. Therefore, the proposed scheme is capable of resisting replay attacks and MITM attacks.

5.3. Formal Analysis Using the RoR Model

In this paper, we prove the semantic security of the proposed protocol using the RoR model [39]. This model has been widely adopted in prior studies [22,40] for analyzing the security of authentication protocols. In the RoR model, an adversary A interacts with protocol instances and attempts to distinguish the session key S K from a random value. Each participating instance is denoted as p t , where p represents the entity identifier (e.g., V i , U j , R k ) and t denotes the instance index. Under the RoR framework, the adversary A can perform both active and passive attacks by issuing a set of queries to reveal information about the session key, which are summarized in Table 3.
In this paper, P U F and H a s h denote the output ranges of the PUF P U F ( · ) and the hash function H ( · ) , respectively. In addition, q p and q h represent the number of PUF and hash queries performed by the adversary A.
Proof. 
Let A d v ( A ) denote the advantage of adversary A in distinguishing the session key. The security is analyzed through a sequence of games G 0 to G 4 as follows:
  • G 0 : In the initial game, A has no information. Therefore,
    A d v ( A ) = A d v G 1 ( A )
  • G 1 : A issues Execute queries and can observe the complete transcripts. Since S K = h ( V I D i U I D j R I D l n 1 k i T S 3 ) and k i is derived through an IND-CCA-secure MLWE-based KEM, A cannot infer S K through passive observation alone. Thus,
    A d v G 0 ( A ) = A d v G 1 ( A )
  • G 2 : A is allowed to perform Send and Hash queries. The only way to reveal S K is to find a collision in the hash function h ( · ) . Using the birthday bound,
    A d v G 2 ( A ) A d v G 1 ( A ) q h 2 2 H a s h
  • G 3 : A may issue malicious queries and attempt to extract the secret credentials { V I D i , C H i , Z i 2 , S i } from the vehicle via power analysis attacks. However, note that N 1 = n 1 h ( V I D i n i k i T S 1 ) and n i = Z i 2 h ( R E i s i ) . To expose the session key, A must guess n i using Send and PUF queries. Hence,
    A d v G 3 ( A ) A d v G 2 ( A ) q p 2 2 P U F
  • G 4 : Finally, the success of A depends on recovering k i by inverting the MLWE-based ciphertext c i , which is computationally infeasible under the MLWE assumption:
    A d v G 4 ( A ) A d v G 3 ( A ) A d v A M L W E
By the triangle inequality:
A d v G 4 ( A ) A d v G 1 ( A ) A d v G 4 ( A ) A d v G 3 ( A ) + A d v G 3 ( A ) A d v G 2 ( A ) + A d v G 2 ( A ) A d v G 1 ( A ) q h 2 2 H a s h + q p 2 2 P U F + A d v A M L W E
Therefore, the overall advantage of the adversary is bounded as
A d v ( A ) q h 2 2 H a s h + q p 2 2 P U F + A d v A M L W E
Thus, the proposed protocol is semantically secure under the RoR model, assuming the hardness of the hash function, the PUF, and the MLWE problem. □

5.4. Formal Analysis Using BAN Logic

To demonstrate the correctness of the proposed protocol, we employ BAN logic [41]. BAN logic is a formal analytical method used to verify whether a shared session key can be securely established among communicating entities within a security protocol.
The BAN logic-based analysis proceeds as follows. First, the security goals of the protocol are defined. Then, the protocol messages are transformed into their idealized abstract forms. Subsequently, the required initial assumptions are specified, and the axioms and inference rules of BAN logic are applied to verify whether each communicating party can derive the intended security properties.
Before conducting the BAN logic analysis, we define the notation used throughout the formal reasoning process, along with brief explanations. The primary BAN logic symbols employed in this paper are summarized in Table 4.

5.4.1. BAN Logic Rules

1.
Message meaning rule (MMR):
ρ 1 ρ 1 K ρ 2 , ρ 1 ( s 1 ) K ρ 1 ρ 2 s 1
2.
Nonce verification rule (NVR):
ρ 1 # ( s 1 ) , ρ 1 ρ 2 s 1 ρ 1 ρ 2 s 1
3.
Jurisdiction rule (JR):
ρ 1 ρ 2 s 1 , ρ 1 ρ 2 s 1 ρ 1 s 1
4.
Belief rule (BR):
ρ 1 ( s 1 , s 2 ) ρ 1 s 1
5.
Freshness rule (FR):
ρ 1 # ( s 1 ) ρ 1 # ( s 1 , s 2 )

5.4.2. Goals

The authentication goals are to establish that both the vehicle V i and the base RSU R S U d d believe they share a common session key S K , and that each believes the other believes so as well.
Goal 1: 
V i V i S K R l
Goal 2: 
R l V i S K R l
Goal 3: 
V i R l V i S K R l
Goal 4: 
R l V i V i S K R l

5.4.3. Idealized Forms

The idealized message forms are defined as follows. M s g 1 and M s g 2 mean that V i and R l send the confidential values. In the proposed protocol, U j acts as an intermediary between the vehicle V i and the RSU R l . Although U j participates in the mutual authentication process to verify the legitimacy of the communicating parties, it is not a trusted authority and does not contribute to the computation of the session key S K . Therefore, U j is excluded from the BAN logic derivation, and only V i and R l are considered for the formal analysis of the key exchange process.
MSG1: 
V i R l : { V I D i , n 1 , T S 1 } k i
MSG2: 
R l V i : { V I D i , n 1 , T S 3 } k i

5.4.4. Assumptions

A 1 : 
R l # ( T S 1 )
A 2 : 
R l V i k i R l
A 3 : 
R l V i ( V i S K R l )
A 4 : 
V i # ( T S 3 )
A 5 : 
V i V i k i R l )
A 6 : 
V i R l ( V i S K R l )

5.4.5. BAN Logic Proof

Proof. 
The process of analysis using BAN logic includes the detailed steps below.
Step 1: 
According to M s g 1 , S 1 is derived.
S 1 : R l { V I D i , n 1 , T S 1 } k i
Step 2: 
Applying S 1 and A 2 to the MMR, S 2 is obtained.
S 2 : R l V i ( V I D i , n 1 , T S 1 )
Step 3: 
Applying A 1 to the FR, S 3 is obtained.
S 3 : R l # ( V I D i , n 1 , T S 1 )
Step 4: 
Applying S 2 and S 3 to the NVR, S 4 is obtained.
S 4 : R l V i ( V I D i , n 1 , T S 1 )
Step 5: 
According to M s g 2 , S 5 is obtained.
S 5 : V i { V I D i , n 1 , T S 3 } k i
Step 6: 
Applying S 5 and A 5 to the MMR, S 6 is obtained.
S 6 : V i R l ( V I D i , n 1 , T S 3 )
Step 7: 
Applying A 4 to the FR, S 7 is obtained.
S 7 : V i # ( V I D i , n 1 , T S 3 )
Step 8: 
Applying S 6 and S 7 to the NVR, S 8 is obtained.
S 8 : V i R l ( V I D i , n 1 , T S 3 )
Step 9: 
R l and V i believe that the other party can compute the session key S K = h ( V I D i U I D j R I D l n 1 k i T S 3 ) . Because S K can be calculated using the shared values,
S 9 : R l V i V i S K R l ( Goal 4 )
S 10 : V i R l V i S K R l ( Goal 3 )
Step 10: 
Applying S 9 and A 3 to the JR, S 11 is obtained. And applying S 10 and A 6 to the JR, S 12 is obtained.
S 11 : R l V i S K R l ( Goal 2 )
S 12 : V i V i S K R l ( Goal 1 )

6. Performance Analysis

6.1. Comparison of Security Features

A comparative analysis was conducted to evaluate the security capabilities of the proposed scheme and other related approaches [18,19,22,42,43]. The results are summarized in Table 5. The comparison shows that the proposed scheme provides stronger and more comprehensive security guarantees than existing protocols.

6.2. Computational Cost Analysis

We analyze the computational costs incurred during the AKE phases of the proposed protocol and compare them with those of existing approaches [18,19,22,42,43]. The total computational overhead of each protocol is quantitatively evaluated based on the execution times of the cryptographic primitives employed in their authentication procedures. Table 6 summarizes the measured execution times of the cryptographic primitives under both RSU and UAV/vehicle configurations, including SHA-256 hashing, AES-128 encryption and decryption, ECC multiplication and addition, and Kyber-512 encapsulation and decapsulation operations. To more realistically approximate resource-constrained environments, we constructed a virtualization-based hardware limitation setup using Oracle VM VirtualBox. Two representative configurations were defined as follows:
  • RSU: 4 GB memory, six processor cores, and a CPU execution cap set to 100%.
  • UAV/Vehicle: 4 GB memory, four processor cores, and a CPU execution cap set to 40%.
In the UAV/vehicle configuration, the number of processor cores was reduced from six to four and the CPU execution cap was limited to 40%. By combining the reduced core allocation (approximately 67% of the RSU configuration) with the execution cap constraint, the environment was modeled to provide approximately 27% of the effective processing capability of the RSU configuration. This configuration is intended to reflect the fact that vehicular OBUs and UAV onboard platforms typically rely on ARM-based low-power system-on-chip (SoC) architectures, which exhibit lower computational performance than desktop/server-class x86 CPUs in terms of core count, clock frequency, and cache capacity [44,45,46]. Furthermore, prior VANET and UAV platform studies report that embedded vehicular and UAV boards are subject to size, weight, and power constraints, resulting in substantially lower computational capabilities compared to infrastructure-grade or desktop environments [46,47,48]. Furthermore, according to Xia et al. [49], the execution time of the fuzzy extractor is considered equivalent to that of elliptic curve point multiplication. Therefore, we assume T f = T e m in both experimental settings for the computational cost analysis.
Table 7 and Figure 10 present the summarized computational costs of each protocol, calculated using the operation times described above. The costs were analyzed based on the cryptographic operations performed by different entities, including the vehicle, UAV, and RSU, and the execution times are aggregated in milliseconds.
The total computational cost of the proposed scheme is approximately 0.07221 ms, achieving up to an 85% reduction compared with the schemes of Ghosh et al. (0.43013 ms), Miao et al. (0.46832 ms), and El-Zawawy et al. (0.55055 ms). This improvement primarily results from the structural design of the proposed protocol, in which mutual authentication and session key establishment are simultaneously achieved through a single pair of MLWE-based KEM encapsulation and decapsulation operations. Unlike existing approaches that rely on multiple ECC operations or repeated symmetric-key encryptions, the proposed method minimizes expensive computations and avoids redundant cryptographic primitives. In particular, the computational cost on the UAV side is only 0.00238 ms, which is the lowest among all the compared schemes, demonstrating high practicality in UAV-assisted VANET environments where UAVs must perform real-time relay and verification tasks. Furthermore, both RSU-side and vehicle-side computation costs remain low, confirming that the proposed scheme provides a balanced combination of efficiency and real-time performance across all participating entities.
Additionally, scalability with respect to an increasing number of vehicles must be considered. Figure 11 presents a comparison of the total computational cost as the number of vehicles increases. The proposed scheme incurs lower computational overhead than existing approaches, enabling efficient operation even in high-density vehicular environments.

6.3. Communication Cost Analysis

This section analyzes the communication overhead of the proposed scheme under bandwidth constraints in practical VANET environments. The vehicular communication setting is assumed to be based on dedicated short-range communications (DSRC), where the physical layers (PHY) and MAC layers comply with the IEEE 802.11p standard. IEEE 802.11p supports data rates ranging from 3 Mbps to 27 Mbps over a 10 MHz channel. The analysis is conducted based on the IEEE 802.11p-based DSRC standard described in [50].
According to the IEEE 802.11 specification, the maximum MAC frame body size is 2304 bytes. In the proposed scheme, the size of each message component is defined as follows: an ID and verification data occupy 32 bytes each, a timestamp requires 4 bytes, and the Crystals-Kyber KEM ciphertext has a size of 768 bytes. Based on these parameters, the message size of { T I D i , c i , V 1 , V 2 , N 1 , T S 1 } is 900 bytes, whereas that of { T I D i , U I D j , c i , V 1 , V 3 , N 1 , T S 1 , T S 2 } is 936 bytes. In addition, the message sizes of { R I D l , N 2 , V 4 , V 5 , T S 3 } and { R I D l , U I D j , V 5 , V 6 , T S 3 , T S 4 } are 132 bytes and 136 bytes, respectively. The maximum message size is therefore 936 bytes, which is well below the MAC frame body limit of 2304 bytes. As a result, MAC-layer fragmentation is not required, thereby avoiding additional overhead and retransmission delays.
In terms of transmission latency, the largest message (936 bytes) corresponds to 7488 bits. At a PHY data rate of 3 Mbps, the transmission time is approximately 2.5 ms, while it decreases to approximately 1.25 ms at 6 Mbps. Even when additional protocol overhead, such as MAC headers and PHY preambles, is taken into account, the overall transmission delay remains within the millisecond range.
To reflect realistic traffic density, a medium-density VANET scenario is considered in which 50 vehicles broadcast authentication-related messages at a frequency of 10 Hz. Under this setting, each vehicle generates approximately 936 bytes × 10 = 9360 bytes per second, corresponding to about 74.9 kbps. The aggregate channel load for 50 vehicles is therefore approximately 3.74 Mbps, corresponding to about 62% channel occupancy at a 6 Mbps PHY rate and approximately 31% at 12 Mbps.
IEEE 802.11p-based vehicular networks incorporate congestion control mechanisms, such as SAE J2945.1 and ETSI DCC [51], which dynamically adjust transmission rates under increased channel load conditions. Furthermore, considering the packet delivery ratio (PDR) degradation caused by distance and obstacles [52,53], the effective channel load perceived by a specific RSU or UAV is typically lower than the theoretical aggregate load. Therefore, in practical deployments, the channel occupancy is expected to remain below saturation levels. Overall, the communication overhead introduced by the proposed scheme remains within feasible bandwidth limits for medium-density VANET environments.

7. Conclusions

In this paper, we proposed a novel authentication and key exchange protocol that combines MLWE and PUF technologies to address security vulnerabilities in UAV-assisted VANET environments and overcome the limitations of conventional public key-based authentication frameworks. The proposed scheme enhances structural security by treating UAVs as untrusted relay nodes and ensures that a secure session key is established exclusively between vehicles and RSUs. Furthermore, the protocol is designed with lightweight computational operations, taking into account the characteristics of VANETs that require high mobility and real-time communication, thereby achieving both strong security and high efficiency.
Security evaluation demonstrated that the proposed scheme is secure against various attacks, including replay, MITM, impersonation, and insider attacks, validated through informal analysis, RoR model-based formal proof, BAN logic reasoning, and AVISPA-based simulation. In addition, performance analysis revealed that the proposed approach significantly reduces computational overhead compared with existing UAV-assisted VANET authentication protocols, particularly minimizing the burden on UAVs, which confirms its suitability for real-time vehicular communication environments.
Future work will focus on developing an extended security framework that considers load balancing and mobility management in large-scale vehicular networks with cooperative multi-UAV support, as well as optimizing the protocol and conducting further simulation studies for real-world deployment.

Author Contributions

Conceptualization, Y.P.; methodology, H.P.; software, H.P.; validation, H.P.; formal analysis, H.P.; investigation, H.P.; writing—original draft, H.P.; writing—review and editing, Y.P.; supervision, Y.P.; project administration, Y.P.; funding acquisition, Y.P. All authors have read and agreed to the published version of the manuscript.

Funding

This research was supported by the Bisa Research Grant of Keimyung University in 2025 (Project No: 20250485).

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The data presented in this study are openly available in [AVISPA] [https://github.com/wonny0124/AVISPA/blob/main/AVISPA_simulation, accessed on 17 February 2026].

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Shor, P.W. Algorithms for quantum computation: Discrete logarithms and factoring. In Proceedings of the 35th Annual Symposium on Foundations of Computer Science, Santa Fe, NM, USA, 20–22 November 1994; pp. 124–134. [Google Scholar]
  2. Grover, L.K. A fast quantum mechanical algorithm for database search. In Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, Philadelphia, PA, USA, 22–24 May 1996; pp. 212–219. [Google Scholar]
  3. Kumar, M.; Pattnaik, P. Post quantum cryptography (pqc)-an overview. In Proceedings of the 2020 IEEE High Performance Extreme Computing Conference (HPEC), Waltham, MA, USA, 22–24 September 2020; pp. 1–9. [Google Scholar]
  4. Joseph, D.; Misoczki, R.; Manzano, M.; Tricot, J.; Pinuaga, F.D.; Lacombe, O.; Leichenauer, S.; Hidary, J.; Venables, P.; Hansen, R. Transitioning organizations to post-quantum cryptography. Nature 2022, 605, 237–243. [Google Scholar] [CrossRef] [PubMed]
  5. Alagic, G.; Bros, M.; Ciadoux, P.; Cooper, D.; Dang, Q.; Dang, T.; Kelsey, J.; Lichtinger, J.; Liu, Y.K.; Miller, C.; et al. Status Report on the Fourth Round of the Nist Post-Quantum Cryptography Standardization Process; US Department of Commerce, National Institute of Standards and Technology: Gaithersburg, MD, USA, 2025.
  6. Hasija, T.; Ramkumar, K.; Kaur, A.; Mittal, S.; Singh, B. A survey on nist selected third round candidates for post quantum cryptography. In Proceedings of the 2022 7th International Conference on Communication and Electronics Systems (ICCES), Coimbatore, India, 22–24 June 2022; pp. 737–743. [Google Scholar]
  7. Park, H.; Park, Y. Formal Security Analysis of the Authentication Protocol in Smart Cities Using AVISPA. In Proceedings of the International Conference on Computational Science; Springer: Berlin/Heidelberg, Germany, 2025; pp. 3–17. [Google Scholar]
  8. Park, H.; Son, S.; Park, Y.; Park, Y. Provably Quantum Secure Three-Party Mutual Authentication and Key Exchange Protocol Based on Modular Learning with Error. Electronics 2024, 13, 3930. [Google Scholar] [CrossRef]
  9. Prajapat, S.; Gautam, D.; Kumar, P.; Jangirala, S.; Das, A.K.; Park, Y.; Lorenz, P. Secure lattice-based aggregate signature scheme for vehicular Ad Hoc networks. IEEE Trans. Veh. Technol. 2024, 73, 12370–12384. [Google Scholar] [CrossRef]
  10. Son, S.; Lee, J.; Park, Y.; Park, Y.; Das, A.K. Design of blockchain-based lightweight V2I handover authentication protocol for VANET. IEEE Trans. Netw. Sci. Eng. 2022, 9, 1346–1358. [Google Scholar] [CrossRef]
  11. Wazid, M.; Singh, J.; Pandey, C.; Sherratt, R.S.; Das, A.K.; Giri, D.; Park, Y. Explainable deep Learning-Enabled malware attack detection for IoT-Enabled intelligent transportation systems. IEEE Trans. Intell. Transp. Syst. 2025, 26, 7231–7244. [Google Scholar] [CrossRef]
  12. Wazid, M.; Bagga, P.; Das, A.K.; Shetty, S.; Rodrigues, J.J.; Park, Y. AKM-IoV: Authenticated key management protocol in fog computing-based Internet of vehicles deployment. IEEE Internet Things J. 2019, 6, 8804–8817. [Google Scholar] [CrossRef]
  13. Gautam, D.; Thakur, G.; Kumar, P.; Das, A.K.; Park, Y. Blockchain assisted intra-twin and inter-twin authentication scheme for vehicular digital twin system. IEEE Trans. Intell. Transp. Syst. 2024, 25, 15002–15015. [Google Scholar] [CrossRef]
  14. Kwon, D.; Son, S.; Kim, M.; Lee, J.; Das, A.K.; Park, Y. A secure self-certified broadcast authentication protocol for intelligent transportation systems in UAV-assisted mobile edge computing environments. IEEE Trans. Intell. Transp. Syst. 2024, 25, 19004–19017. [Google Scholar] [CrossRef]
  15. Gupta, L.; Jain, R.; Vaszkun, G. Survey of important issues in UAV communication networks. IEEE Commun. Surv. Tutor. 2015, 18, 1123–1152. [Google Scholar] [CrossRef]
  16. Menouar, H.; Guvenc, I.; Akkaya, K.; Uluagac, A.S.; Kadri, A.; Tuncer, A. UAV-enabled intelligent transportation systems for the smart city: Applications and challenges. IEEE Commun. Mag. 2017, 55, 22–28. [Google Scholar] [CrossRef]
  17. Ng, J.S.; Lim, W.Y.B.; Dai, H.N.; Xiong, Z.; Huang, J.; Niyato, D.; Hua, X.S.; Leung, C.; Miao, C. Joint auction-coalition formation framework for communication-efficient federated learning in UAV-enabled Internet of Vehicles. IEEE Trans. Intell. Transp. Syst. 2020, 22, 2326–2344. [Google Scholar] [CrossRef]
  18. El-Zawawy, M.A.; Brighente, A.; Conti, M. Authenticating drone-assisted internet of vehicles using elliptic curve cryptography and blockchain. IEEE Trans. Netw. Serv. Manag. 2022, 20, 1775–1789. [Google Scholar] [CrossRef]
  19. Miao, J.; Wang, Z.; Ning, X.; Shankar, A.; Maple, C.; Rodrigues, J.J. A UAV-assisted authentication protocol for internet of vehicles. IEEE Trans. Intell. Transp. Syst. 2024, 25, 10286–10297. [Google Scholar] [CrossRef]
  20. Cui, J.; Liu, X.; Zhong, H.; Zhang, J.; Wei, L.; Bolodurina, I.; He, D. A practical and provably secure authentication and key agreement scheme for UAV-assisted VANETs for emergency rescue. IEEE Trans. Netw. Sci. Eng. 2023, 11, 1454–1468. [Google Scholar] [CrossRef]
  21. Guo, Z.; Cao, J.; Wang, X.; Zhang, Y.; Niu, B.; Li, H. UAVA: Unmanned aerial vehicle assisted vehicular authentication scheme in edge computing networks. IEEE Internet Things J. 2024, 11, 22091–22106. [Google Scholar] [CrossRef]
  22. Choi, J.; Kwon, D.; Son, S.; Park, Y.; Das, A.K.; Park, Y. A PUF-Based Lightweight Authentication Scheme for UAV-Assisted Internet of Vehicles. IEEE Trans. Intell. Transp. Syst. 2025, 26, 13782–13798. [Google Scholar] [CrossRef]
  23. Lin, L.; Shangguan, R.; Ge, H.; Liu, Y.; Zhou, Y.; Zhou, Y. Mutual Identity Authentication Based on Dynamic Identity and Hybrid Encryption for UAV–GCS Communications. Drones 2025, 9, 422. [Google Scholar] [CrossRef]
  24. Telikani, A.; Sarkar, A.; Du, B.; Santoso, F.; Shen, J.; Yan, J.; Yong, J.; Yap, E. Unmanned aerial vehicle-aided intelligent transportation systems: Vision, challenges, and opportunities. IEEE Commun. Surv. Tutor. 2025, 27, 3772–3819. [Google Scholar] [CrossRef]
  25. Regev, O. On lattices, learning with errors, random linear codes, and cryptography. In Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, 22–24 May 2005; pp. 84–93. [Google Scholar]
  26. Peikert, C. A decade of lattice cryptography. Found. Trends Theor. Comput. Sci. 2016, 10, 283–424. [Google Scholar] [CrossRef]
  27. Langlois, A.; Stehlé, D. Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. 2015, 75, 565–599. [Google Scholar] [CrossRef]
  28. Avanzi, R.; Bos, J.; Ducas, L.; Kiltz, E.; Lepoint, T.; Lyubashevsky, V.; Schanck, J.M.; Schwabe, P.; Seiler, G.; Stehlé, D.; et al. CRYSTALS-Kyber algorithm specifications and supporting documentation. NIST PQC Round 2019, 2, 1–43. [Google Scholar]
  29. Gao, Y.; Al-Sarawi, S.F.; Abbott, D. Physical unclonable functions. Nat. Electron. 2020, 3, 81–91. [Google Scholar] [CrossRef]
  30. Yu, S.; Park, K.; Park, Y. A Machine Learning Attack-Resistant PUF-based Robust and Efficient Mutual Authentication Scheme in Fog-enabled IoT Environments. IEEE Internet Things J. 2025, 12, 20652–20669. [Google Scholar] [CrossRef]
  31. Yu, S.; Park, Y. A robust authentication protocol for wireless medical sensor networks using blockchain and physically unclonable functions. IEEE Internet Things J. 2022, 9, 20214–20228. [Google Scholar] [CrossRef]
  32. Yu, S.; Das, A.K.; Park, Y.; Lorenz, P. SLAP-IoD: Secure and lightweight authentication protocol using physical unclonable functions for internet of drones in smart city environments. IEEE Trans. Veh. Technol. 2022, 71, 10374–10388. [Google Scholar] [CrossRef]
  33. Chuang, K.H.; Bury, E.; Degraeve, R.; Kaczer, B.; Linten, D.; Verbauwhede, I. A physically unclonable function using soft oxide breakdown featuring 0% native BER and 51.8 fJ/bit in 40-nm CMOS. IEEE J. Solid-State Circuits 2019, 54, 2765–2776. [Google Scholar] [CrossRef]
  34. Wang, W.C.; Yona, Y.; Diggavi, S.N.; Gupta, P. Design and analysis of stability-guaranteed PUFs. IEEE Trans. Inf. Forensics Secur. 2017, 13, 978–992. [Google Scholar] [CrossRef]
  35. Alruwaili, O.; Alotaibi, F.M.; Tanveer, M.; Chaoui, S.; Armghan, A. PSAF-IoT: Physically secure authentication framework for the Internet of Things. IEEE Access 2024, 12, 78549–78561. [Google Scholar] [CrossRef]
  36. Sarbishaei, G.; Modarres, A.M.A.; Jowshan, F.; Khakzad, F.Z.; Mokhtari, H. Smart home security: An efficient multi-factor authentication protocol. IEEE Access 2024, 12, 106253–106272. [Google Scholar] [CrossRef]
  37. Dolev, D.; Yao, A. On the security of public key protocols. IEEE Trans. Inf. Theory 2003, 29, 198–208. [Google Scholar] [CrossRef]
  38. Armando, A.; Basin, D.; Boichut, Y.; Chevalier, Y.; Compagna, L.; Cuéllar, J.; Drielsma, P.H.; Héam, P.C.; Kouchnarenko, O.; Mantovani, J.; et al. The AVISPA tool for the automated validation of internet security protocols and applications. In Proceedings of the International Conference on Computer Aided Verification; Springer: Berlin/Heidelberg, Germany, 2005; pp. 281–285. [Google Scholar]
  39. Abdalla, M.; Fouque, P.A.; Pointcheval, D. Password-based authenticated key exchange in the three-party setting. In Proceedings of the International Workshop on Public Key Cryptography; Springer: Berlin/Heidelberg, Germany, 2005; pp. 65–84. [Google Scholar]
  40. Ju, S.; Park, H.; Son, S.; Kim, H.; Park, Y.; Park, Y. Blockchain-assisted secure and lightweight authentication scheme for multi-server internet of drones environments. Mathematics 2024, 12, 3965. [Google Scholar] [CrossRef]
  41. Burrows, M.; Abadi, M.; Needham, R. A logic of authentication. ACM Trans. Comput. Syst. (TOCS) 1990, 8, 18–36. [Google Scholar] [CrossRef]
  42. Ghosh, H.; Das, D.; Bagchi, S. UMAPE: A UAV-Assisted Secure Mutual Authentication Protocol Using Edge-Computing for Enhanced IoV Systems. In Proceedings of the 2025 IEEE 25th International Symposium on Cluster, Cloud and Internet Computing (CCGrid), Tromsø, Norway, 19–22 May 2025; pp. 205–214. [Google Scholar]
  43. Zhang, J.; Cui, J.; Zhong, H.; Bolodurina, I.; Liu, L. Intelligent drone-assisted anonymous authentication and key agreement for 5G/B5G vehicular ad-hoc networks. IEEE Trans. Netw. Sci. Eng. 2020, 8, 2982–2994. [Google Scholar] [CrossRef]
  44. Gupta, K.; Sharma, T. Changing trends in computer architecture: A comprehensive analysis of arm and x86 processors. Int. J. Sci. Res. Comput. Sci. Eng. Inf. Technol. 2021, 7, 619–631. [Google Scholar] [CrossRef]
  45. Mejias, L.; Diguet, J.P.; Dezan, C.; Campbell, D.; Kok, J.; Coppin, G. Embedded computation architectures for autonomy in unmanned aircraft systems (UAS). Sensors 2021, 21, 1115. [Google Scholar] [CrossRef]
  46. Ahmed, F.; Jenihhin, M. A survey on UAV computing platforms: A hardware reliability perspective. Sensors 2022, 22, 6286. [Google Scholar] [CrossRef]
  47. Madhuvanthi, T.; Revathi, A. A survey on UAV network for secure communication and attack detection: A focus on Q-learning, blockchain, IRS and mmWave technologies. KSII Trans. Internet Inf. Syst. (TIIS) 2024, 18, 779–800. [Google Scholar]
  48. Haidar, F.; Makassikis, M.; Sall, M.; Bakhti, H.; Kaiser, A.; Lonc, B. Experimentation and assessment of pseudonym certificate management and misbehavior detection in C-ITS. IEEE Open J. Intell. Transp. Syst. 2021, 2, 128–139. [Google Scholar] [CrossRef]
  49. Xia, Y.; Qi, R.; Ji, S.; Shen, J.; Miao, T.; Wang, H. PUF-Assisted Lightweight Group Authentication and Key Agreement Protocol in Smart Home. Wirel. Commun. Mob. Comput. 2022, 2022, 8865158. [Google Scholar] [CrossRef]
  50. Kenney, J.B. Dedicated short-range communications (DSRC) standards in the United States. Proc. IEEE 2011, 99, 1162–1182. [Google Scholar] [CrossRef]
  51. Bazzi, A. Congestion control mechanisms in IEEE 802.11 p and sidelink C-V2X. In Proceedings of the 2019 53rd Asilomar Conference on Signals, Systems, and Computers, Pacific Grove, CA, USA, 3–6 November 2019; pp. 1125–1130. [Google Scholar]
  52. Sepulcre, M.; Gonzalez-Martin, M.; Gozalvez, J.; Molina-Masegosa, R.; Coll-Perales, B. Analytical models of the performance of IEEE 802.11 p vehicle to vehicle communications. IEEE Trans. Veh. Technol. 2021, 71, 713–724. [Google Scholar] [CrossRef]
  53. Gozálvez, J.; Sepulcre, M.; Bauza, R. IEEE 802.11 p vehicle to infrastructure communications in urban environments. IEEE Commun. Mag. 2012, 50, 176–183. [Google Scholar] [CrossRef]
Figure 1. UAV-assisted solutions for issues in VANET environments.
Figure 1. UAV-assisted solutions for issues in VANET environments.
Mathematics 14 00820 g001
Figure 2. System architecture.
Figure 2. System architecture.
Mathematics 14 00820 g002
Figure 3. TA initialization phase.
Figure 3. TA initialization phase.
Mathematics 14 00820 g003
Figure 4. RSU registration phase.
Figure 4. RSU registration phase.
Mathematics 14 00820 g004
Figure 5. UAV registration phase.
Figure 5. UAV registration phase.
Mathematics 14 00820 g005
Figure 6. Vehicle registration phase.
Figure 6. Vehicle registration phase.
Mathematics 14 00820 g006
Figure 7. Authentication and key exchange phase.
Figure 7. Authentication and key exchange phase.
Mathematics 14 00820 g007
Figure 8. HLPSL specification of the proposed protocol.
Figure 8. HLPSL specification of the proposed protocol.
Mathematics 14 00820 g008
Figure 9. Result of AVISPA simulation.
Figure 9. Result of AVISPA simulation.
Mathematics 14 00820 g009
Figure 10. Comparison of computation cost. Refs. [18,19,22,42,43].
Figure 10. Comparison of computation cost. Refs. [18,19,22,42,43].
Mathematics 14 00820 g010
Figure 11. Scalability analysis in terms of the number of vehicles. Refs. [18,19,22,42,43].
Figure 11. Scalability analysis in terms of the number of vehicles. Refs. [18,19,22,42,43].
Mathematics 14 00820 g011
Table 1. Overview of research trends and security limitations in UAV-assisted VANETs.
Table 1. Overview of research trends and security limitations in UAV-assisted VANETs.
AuthorMain ContributionsLimitations/Challenges
Gupta et al. [15]Identified UAV networks as fundamentally different from MANETs/VANETs due to high mobility, intermittent connectivity, and limited energy.Did not propose authentication or encryption mechanisms; focused mainly on topology characteristics.
Menouar et al. [16]Proposed UAVs as extended ITS infrastructure supporting traffic monitoring, law enforcement, and emergency assistance.Security and privacy not incorporated as core design factors; only mentioned as future research directions.
Ng et al. [17]Utilized UAVs as relay nodes in IoV to support federated learning and enhance data reliability and model integrity.Did not sufficiently address adversarial data manipulation or eavesdropping threats.
El-Zawawy et al. [18]Developed BDIVE protocol combining ECC and blockchain to defend against UAV hijacking and data injection.Blockchain verification introduces high latency and computational overhead, limiting real-time applicability.
Miao et al. [19]Designed ECC-based mutual authentication protocol for UAV–vehicle secure communication.Computational complexity too high for resource-constrained UAV environments.
Cui et al. [20]Proposed lightweight authentication using chaotic maps and honeywords for UAV–vehicle communication.Synchronization failures and reauthentication overhead in highly dynamic mobility environments.
Guo et al. [21]Introduced zero-trust-based UAVA framework for continuous trust verification.Frequent reauthentication causes communication overhead; privacy concerns due to continuous data collection.
Choi et al. [22]Proposed lightweight authentication using PUF and dynamic identity for UAV environments.Synchronization mismatches, insider threats, and multi-UAV trust management challenges remain.
Lin et al. [23]Proposed DIHE protocol enabling mutual authentication and anonymity between UAVs and control stations.Lack of standardized key management limits interoperability and deployment scalability.
Telikani et al. [24]Analyzed UAV–ITS integration status and categorized UAV roles across multiple dimensions.Pointed out the absence of unified security standards and interoperable frameworks as key deployment barriers.
Table 2. Notation used in the scheme.
Table 2. Notation used in the scheme.
NotationDescription
V i , U j , R l i-th vehicle, j-th UAV, l-th RSU
V I D i , U I D j , R I D l Identifier of V i , U j , R l
T I D i Pseudonym identifier of V i
A d Public matrix A R k × l
s , s d Secret key of R A , R d
p , p d Public key of R A , R d
c i = ( u i , v i ) Ciphertext
k i Shared secret key
Encode ( · ) Encoding function
Decode ( · ) Decoding function
C H i , C H j , C H l r PUF challenge of V i , U j , R l
R E i , R E j , R E l r PUF response of V i , U j , R l
T S 1 , T S 2 , T S 3 , T S 4 Timestamps
S K a Session key
h ( · ) Hash function
Bitwise XOR operation
Concatenation operator
u t Transpose of vector u
Table 3. Queries and description in RoR model.
Table 3. Queries and description in RoR model.
QueryDescription
E x e c u t e ( p V i t 1 , p U j t 2 , p R l t 3 ) Simulates passive eavesdropping, where A collects all exchanged messages during the protocol run.
C o r r u p t ( p V i t 1 ) Grants A access to the internal memory of the vehicle V i , exposing stored parameters such as { V I D i , C H i , Z i 2 , S i } .
S e n d ( p t , M ) Models active attacks by letting A send forged messages M to any participant instance and observe the output.
T e s t ( Π * ) Used once to challenge the security of the protocol. If  c = 1 , the real session key S K is returned; if c = 0 , a random string of the same length is returned. A must guess the value of c.
Table 4. BAN logic notation.
Table 4. BAN logic notation.
NotationDescription
ρ 1 , ρ 2 Two principals
s 1 , s 2 Two statements
ρ 1 | s 1 ρ 1  believes  s 1
ρ 1 | s 1 ρ 1 once said  s 1
ρ 1 s 1 ρ 1  controls  s 1
ρ 1 μ 1 ρ 1  receives  s 1
# s 1 s 1 is fresh
( s 1 ) K s 1 is encrypted with K
ρ 1 K ρ 2 ρ 1 and ρ 2 have shared key K
S K The session key
Table 5. Comparison of security properties across protocols.
Table 5. Comparison of security properties across protocols.
Security PropertyChoi et al. [22]Ghosh et al. [42]Miao et al. [19]El-Zawawy et al. [18]Zhang et al. [43]Proposed
Replay Attack××
MITM Attack×××××
Insider Attack×
Vehicle Impersonation×××××
UAV Impersonation×××××
RSU Impersonation××
Privileged Insider Attack×
Vehicle Theft××××
UAV Capture×××××
Session Key Disclosure×××
RSU Table Leakage Attack××××
Anonymity××
Untraceability×××
Session Key Inconsistency×
Post-Quantum Security×××××
ID Synchronization Problem××
✓: guarantees the security feature, ×: does not guarantee the security feature, −: does not consider the security feature
Table 6. Execution times of cryptographic primitives.
Table 6. Execution times of cryptographic primitives.
OperationSymbolRSU (ms)UAV/Vehicle (ms)
Hash T h 0.00040.0011
Fuzzy extractor T f 0.03540.0956
AES encryption T s e n c 0.00010.0003
AES decryption T s d e c 0.00010.0004
ECC multiplication T e m 0.03540.0956
ECC addition T e a 0.00060.0017
Kyber encapsulation T k e n c 0.02740.0739
Kyber decapsulation T k d e c 0.03490.0943
Table 7. Comparison cost comparison.
Table 7. Comparison cost comparison.
ProtocolVehicle (ms)UAV (ms)RSU (ms)Total Cost (ms)
Choi et al. [22] 10 T h + T f 0.1065 8 T h 0.0087 14 T h 0.0055 0.1207
Ghosh et al. [42] 3 T h + 4 T e m + T e a 0.3874 4 T h + 5 T e m + T e a 0.4841 3 T h + 3 T e m 0.1074 0.9789
Miao et al. [19] 6 T h + 4 T e m + 4 T e a 0.3907 4 T h + 3 T e m 0.2911 8 T h + 6 T e m + T s e n c + T s d e c 0.2159 0.8977
El-Zawawy et al. [18] 6 T h + 4 T e m + 4 T e a 0.3959 11 T h + 9 T e m + 8 T e a 0.8863 6 T h + 2 T e m + 4 T e a 0.0758 1.3580
Zhang et al. [43] 5 T h + 2 T e m + T s e n c 0.1968 4 T h + T e m + T s e n c + T s d e c 0.1002 7 T h + T e m + T s e n c + 2 T s d e c 0.0386 0.3356
Proposed 8 T h + T k e n c 0.0826 6 T h 0.0065 11 T h + T k d e c 0.0987 0.1878
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Park, H.; Park, Y. Quantum Secure Authentication and Key Exchange Protocol for UAV-Assisted VANETs. Mathematics 2026, 14, 820. https://doi.org/10.3390/math14050820

AMA Style

Park H, Park Y. Quantum Secure Authentication and Key Exchange Protocol for UAV-Assisted VANETs. Mathematics. 2026; 14(5):820. https://doi.org/10.3390/math14050820

Chicago/Turabian Style

Park, Hyewon, and Yohan Park. 2026. "Quantum Secure Authentication and Key Exchange Protocol for UAV-Assisted VANETs" Mathematics 14, no. 5: 820. https://doi.org/10.3390/math14050820

APA Style

Park, H., & Park, Y. (2026). Quantum Secure Authentication and Key Exchange Protocol for UAV-Assisted VANETs. Mathematics, 14(5), 820. https://doi.org/10.3390/math14050820

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop