In this section, we analyze the robustness and mutual authentication guarantees of the proposed scheme against various attacks based on informal analysis, the RoR model, BAN logic, and AVISPA.
5.1. Informal Analysis
5.1.1. Replay Attack
Under the Dolev–Yao model, an adversary A can intercept, store, and replay previously transmitted messages over the public channel. For instance, A may replay the message in a different session in an attempt to impersonate . However, the protocol binds all authentication tokens to fresh timestamps and session-specific nonces. In particular, , , and . Therefore, , , and are tightly coupled with the session timestamp and nonce . If A replays an old message, the freshness check of fails. Even if A attempts to manipulate , the hash bindings involving , , and will not be satisfied, causing verification failure. Similarly, later messages such as and are also bound to fresh timestamps and session-dependent secrets. Hence, previously captured messages cannot be reused in subsequent sessions, and the protocol is secure against replay attacks.
5.1.2. MITM Attack
An adversary A may attempt a man-in-the-middle attack by intercepting and modifying the exchanged messages among , , and . However, mutual authentication and session key establishment ultimately depend on the MLWE-derived shared secret . Specifically, generates a random message and computes , transmitting the ciphertext . The RSU recovers using its private key , and then computes . The session key is derived as . Without the legitimate private key , an adversary cannot recover or derive . Any modification of results in an invalid , which consequently invalidates and the authentication tokens , , and . Since forging a consistent session requires solving the underlying MLWE problem or recovering , which is computationally infeasible, the protocol is secure against MITM attacks.
5.1.3. Insider Attack
A malicious insider who has completed registration may attempt to exploit stored registration information together with observed protocol messages to derive authentication credentials or session keys. In the proposed protocol, the authentication parameter is protected by the vehicle’s PUF. It is reconstructed during authentication as and . Since cannot be reproduced without access to the physical PUF device, cannot be reconstructed from registration records alone. Furthermore, the session secret is derived from , which is encapsulated in and recoverable only through MLWE decapsulation using the RSU private key . Without , an insider cannot obtain or . Because the session key depends on both -related values and , an insider observing protocol messages cannot derive a valid session key. Therefore, the protocol is secure against insider attacks.
5.1.4. Privileged Insider Attack
A privileged insider with access to stored registration data such as may attempt to exploit this information to impersonate entities or derive session secrets. However, these stored parameters do not include runtime secrets or PUF-derived responses. The authentication parameter depends on and , which require access to the legitimate physical PUF. Similarly, the session secret is derived from , encapsulated in and recoverable only through MLWE decapsulation using the private key . Since is not stored in registration records and cannot be derived from public information, , and consequently , cannot be computed. Therefore, even a privileged insider with access to registration data cannot reconstruct authentication tokens or establish a valid session key. The protocol is secure against privileged insider attacks.
5.1.5. Vehicle Impersonation Attack
An adversary may attempt to impersonate a vehicle by forging the message . However, such an attempt cannot succeed due to the cryptographic dependencies embedded in these values. The verifier is computed as , where is protected by the vehicle’s PUF and recovered through and . Since the adversary cannot reproduce the PUF response , it cannot derive the correct . Furthermore, is generated as , which binds the true identity to the session secret . Without knowledge of and , the adversary cannot construct a valid . Because both and remain unknown to the adversary, it is infeasible to compute a valid or related authentication tokens. Any forged message will therefore fail the verification procedures, and the proposed protocol is secure against vehicle impersonation attacks.
5.1.6. UAV Impersonation Attack
An adversary may attempt to impersonate a UAV by forging the message . However, the computation of requires the value , which is derived from the PUF response . Specifically, and , and is computed as . Since the adversary cannot obtain the legitimate PUF response , it cannot construct a valid and consequently cannot generate a correct . Therefore, any forged UAV message will fail the RSU’s verification, and the proposed protocol is secure against UAV impersonation attacks.
5.1.7. RSU Impersonation Attack
An adversary may attempt to impersonate an RSU by forging the message . The values and depend on , which can only be derived through either the UAV’s PUF or the RSU’s PUF. Moreover, computing requires knowledge of the session key , and the construction of depends on , which is derived from , obtained via the vehicle or RSU PUF, and the RSU’s private key . Since is protected by the RSU’s PUF, the adversary cannot recover or . Therefore, the proposed protocol is secure against RSU impersonation attacks.
5.1.8. Vehicle Theft Attack
If an adversary physically steals a vehicle, they may extract stored data through invasive or exhaustive extraction techniques. However, the long-term secret information required for authentication remains protected by the vehicle’s PUF. In particular, during authentication the vehicle reconstructs and derives (and similarly recovers from ). Even if , , and are exposed, an adversary cannot reproduce the correct PUF response without access to the genuine unclonable PUF, and thus cannot reconstruct valid (or related authentication materials). Consequently, the extracted data cannot be exploited to compute valid authenticators such as or to impersonate in the AKE phase. Therefore, the proposed protocol is secure against vehicle theft attacks.
5.1.9. UAV Capture Attack
An adversary may physically capture a UAV and extract the stored items . However, the captured data alone is insufficient to forge valid UAV-side authentication tokens. In the proposed protocol, the UAV computes and derives , then obtains , which is required to generate . Without the genuine PUF response , an adversary cannot compute and thus cannot recover from . As a result, any attempt to forge will fail the RSU verification of . Therefore, the proposed protocol is resistant to UAV capture attacks.
5.1.10. RSU Table Leakage Attack
An adversary may attempt to extract the table stored in the RSU, i.e., . Nevertheless, leaking these stored parameters does not enable the adversary to reconstruct the secret values required for authentication or to derive the session key. In the AKE phase, the RSU derives PUF-dependent secrets by computing and recovering , and it further computes to verify via . Moreover, the RSU must decapsulate the MLWE ciphertext by computing and , which are subsequently used to derive . Since the critical PUF response cannot be derived from alone and the private key material cannot be reconstructed without , the adversary cannot compute valid authentication tokens or the session key using only the leaked table information. Therefore, the proposed scheme is secure against RSU table leakage attacks.
5.1.11. Session Key Disclosure Attack
An adversary may attempt to recover the session key by combining previously obtained information with values observed over the public channel. In the proposed protocol, the session key is computed as , where the critical component is established through the MLWE-based KEM. Specifically, and , which requires the RSU’s private key to decapsulate the ciphertext . Since is protected via the RSU’s PUF by with , an adversary observing and public transcripts cannot reconstruct and thus cannot obtain or . Furthermore, is also entangled with the authenticated transcript through and subsequent verifications, preventing an attacker from substituting values to derive a consistent . Therefore, under the assumed security of the MLWE problem and the unclonability of the PUF, neither passive observation nor combined attacks enable session key disclosure.
5.1.12. Key-Compromise Impersonation Attack
Consider the compromise of vehicle-side secrets such as or belonging to . An adversary may attempt to use these leaked values to impersonate an RSU or UAV toward , or to forge valid authentication messages. However, establishing a valid session still requires the computation of , which is derived as , where is encapsulated in the MLWE ciphertext . Recovering requires decapsulation using the RSU private key via . Since is protected through the RSU’s PUF by with , an adversary cannot derive without access to the legitimate RSU device. Moreover, the session key is computed as , which depends on . Therefore, even if or are compromised, the adversary cannot impersonate another entity toward without knowledge of . Hence, under the assumption that PUF-protected private keys remain secure, the protocol is resistant to KCI attacks.
5.1.13. Anonymity
In the proposed protocol, the vehicle communicates using a temporary identifier derived as . Since is a session-dependent secret established via the MLWE-based KEM and known only to and , the real identity is never transmitted over the public channel. Because recovering from requires knowledge of , which in turn depends on the RSU’s private key, external observers cannot obtain the true identity of the vehicle. Therefore, the protocol provides anonymity for participating vehicles.
5.1.14. Untraceability
The pseudonym is generated using session-specific values and , both of which are freshly generated in each session. Since changes due to new randomness in and the MLWE encapsulation, and varies per session, is unlinkable across different sessions. Consequently, an external adversary observing multiple protocol executions cannot correlate different values to the same . Therefore, the proposed protocol achieves untraceability for vehicular communications.
5.1.15. Conditional Traceability
Although a fresh pseudonym is generated in each session to ensure anonymity and unlinkability, the RSU retains the capability to trace a pseudonym to the real identity when necessary. Since the RSU participates in the MLWE decapsulation process to recover and compute , it can derive during authentication. Thus, in the event of malicious behavior, the RSU can correlate authentication transcripts with stored secret information and recover the true identity of the vehicle. This mechanism enables conditional traceability while preserving privacy under normal operation.
5.1.16. Perfect Forward Secrecy
All session-specific secrets in the AKE phase are freshly generated. The value is randomly chosen in each session, leading to a fresh . The nonce and timestamps such as are also newly generated. Since the session key depends on fresh randomness and on , which is derived from the MLWE encapsulation process, compromise of long-term stored data or previous session keys does not enable an adversary to derive future session keys. Therefore, the protocol achieves perfect forward secrecy under the MLWE hardness assumption.
5.1.17. Key Freshness
The session key is computed as , where , , and are session-dependent values. The nonce is randomly generated in each execution, and is derived from a freshly chosen encapsulated through MLWE. Because these inputs are independently regenerated in every session, each instance of is independent from previous session keys. This prevents key reuse and ensures that compromise of one session does not affect others. Hence, the protocol guarantees key freshness.
5.1.18. Mutual Authentication
Three-party mutual authentication is achieved through the verification of hash-based authenticators. The RSU authenticates and by verifying and . The UAV authenticates and through verification of and . Finally, the vehicle authenticates and by verifying and . Each authentication token is bound to session-specific nonces and timestamps, such as and . Long-term secrets involved in these computations are protected by PUF-derived responses and private keys. Consequently, only legitimate entities can produce valid authenticators, and the protocol ensures secure three-party mutual authentication.