Drone-Assisted Lightweight Authentication Protocol for Unmanned eVTOL Emergency Rescue

Highlights

What are the main findings?

• In this study, we design an authentication architecture for unmanned eVTOL emergency rescue using drones as communication relays.
• Our lightweight and high-security design leverages PUFs embedded in drones, unmanned eVTOLs, and the dispatching center.

What are the implications of the main findings?

• Our protocol enables the safe and efficient execution of rescue missions, even in complex urban environments, and ensures continuity and reliability for actual emergency rescue operations, even under extreme conditions such as 5G signal dead zones.

Abstract

While drones play important roles in areas such as communication and logistics delivery, they have certain limitations in emergency rescue scenarios due to their inability to carry passengers. Building on mature drone technologies such as autonomous flight and environmental perception, unmanned passenger Electric Vertical Take-off and Landing (eVTOL) aircraft are designed with a manned cabin, enabling them to operate without an onboard pilot while rapidly transporting injured people. Consequently, eVTOLs can play a significant role in emergency rescue that cargo-only drones cannot fulfill, as they are capable of rapidly reaching emergency scenes, effectively overcoming the delays caused by traditional ground traffic congestion. Despite their potential, eVTOLs still face several critical obstacles, including signal disruption, limited coverage of dispatching centers, mutual authentication among entities, and concerns related to security and privacy preservation. As a remedy, this paper presents a lightweight authentication protocol leveraging drone assistance to overcome these challenges for unmanned eVTOL emergency rescue. In scenarios where an unmanned eVTOL experiences signal blockage due to dense urban high-rise structures, neighboring drones can serve as a transmission relay to assist the unmanned eVTOL and the dispatch center (DC) in completing mutual authentication and session key negotiation, thereby enabling the unmanned eVTOL to safely complete its mission. To enhance security, physical unclonable functions (PUFs) are integrated into unmanned eVTOLs, drones, and the DC, safeguarding sensitive data against side-channel and physical capture attacks while preserving the confidentiality of unmanned eVTOL identities to mitigate privacy risks. Our protocol achieves provable security in the random oracle model while exhibiting strong resistance to various well-known attacks. Comparative analysis with the existing drone authentication and drone-assisted emergency rescue authentication protocols reveals that our protocol not only provides stronger security guarantees but also maintains a low computational overhead.

1. Introduction

With the acceleration of global urbanization, urban population density continues to rise, and traditional ground transportation systems face increasingly severe challenges in emergency rescue scenarios. Issues such as ground traffic congestion, complex road conditions, and restricted access for emergency vehicles often lead to delays in critical rescue windows, directly endangering the lives of injured individuals. According to statistics from the World Health Organization, approximately 30% of trauma-related deaths occur within four hours of injury, and rescue response speed is a key factor determining the survival rate [1]. Against this backdrop, exploring novel rapid emergency rescue mechanisms has become an urgent priority in the field of urban public safety.

The emergence of the Advanced Air Mobility concept offers a transformative solution for urban emergency rescue [2]. Drones play an important supporting role in emergency rescue, as they are capable of undertaking tasks such as disaster reconnaissance, communications relay, and material delivery, providing real-time information support for rescue command. However, due to their lack of manned capability, drones cannot be used directly in scenarios requiring personnel transport or on-site emergency response. The technical framework of unmanned eVTOLs is based on mature drone technologies, with core technologies such as autonomous flight control, environmental perception, and path planning originating from long-term developments in the field of drone design. As an important extension and upgrade of unmanned systems, unmanned eVTOLs have inherited the intelligent and autonomous characteristics of unmanned systems while compensating for the shortcomings of drones in manned capability. A manned cabin is specifically incorporated into the design, enabling the eVTOL to rapidly transport injured personnel without the need for an onboard pilot. While standard drones are limited by their inability to carry passengers in emergency rescue scenarios and can only perform auxiliary tasks such as delivering medical supplies, unmanned manned-capable eVTOLs can serve as “flying ambulances” by directly transporting injured individuals, achieving a capability leap for unmanned systems from “supporting role” to “core role.”

Due to their vertical take-off and landing capabilities, low-altitude flight characteristics, and electric propulsion advantages, unmanned eVTOL aircraft can overcome ground transportation bottlenecks and establish a three-dimensional emergency rescue network [3]. Compared to traditional ground ambulances, unmanned eVTOLs can reduce urban emergency medical response times from tens of minutes to just a few minutes, significantly improving the survival probability of injured individuals [4]. Unmanned eVTOL emergency rescue systems can cover multiple application scenarios, including urban trauma first aid, emergency transport of acute patients, urgent medical supply delivery, and personnel evacuation from disaster sites, forming an air–ground coordinated three-dimensional emergency support system.

The effective operation of unmanned eVTOL emergency rescue systems heavily relies on reliable air–ground communication networks. During rescue mission execution, unmanned eVTOLs need to transmit real-time high-definition video captured by onboard cameras, real-time vital signs of injured individuals, flight routes, and environmental perception data back to the ground dispatching center, enabling ground command personnel to accurately assess the situation and make informed decisions. Fifth-generation mobile communication technology, with its high bandwidth, low latency, and high reliability characteristics, provides technical support for real-time data transmission between unmanned eVTOLs and dispatching centers. However, in complex urban environments, areas such as dense high-rise districts, tunnels, and underground spaces often experience 5G signal coverage gaps, leading to direct communication link interruptions between unmanned eVTOLs and dispatching centers. In such scenarios, maintaining communication continuity and data security becomes a critical issue requiring urgent resolution.

Communication interruptions not only affect the effective execution of rescue missions but may also introduce severe security risks. Communications between unmanned eVTOLs and dispatching systems rely on open low-altitude wireless channels, making them vulnerable to various network attacks, including eavesdropping, tampering, replay attacks, and false data injection. Attackers may interfere with or hijack communication links to tamper with flight instructions, forge patient data, or steal sensitive information, directly threatening rescue mission safety and patient privacy. Existing UAV authentication protocols mostly assume continuous ground station coverage and fail to adequately consider relay authentication requirements in communication-limited scenarios. Meanwhile, centralized authentication mechanisms exhibit significant limitations in cross-airspace handovers and areas lacking infrastructure. Therefore, designing a lightweight security authentication protocol capable of adapting to communication coverage limitations and supporting relay forwarding holds significant theoretical value and practical importance for ensuring the reliable operation of unmanned eVTOL emergency rescue systems.

Motivation and contributions: The integration of unmanned eVTOL aircraft into urban emergency rescue systems presents a transformative opportunity to significantly reduce response times and enhance public safety outcomes. However, the reliable operation of such systems fundamentally depends on secure and continuous air–ground communications. Most of the existing research on eVTOLs has focused on areas such as flight dynamics, path planning, battery management, and airworthiness certification, rather than security authentication protocols. In this paper, we design an authentication protocol for emergency rescue scenarios following earthquakes or major traffic accidents, where communication is constrained, drones are needed to serve as transmission relays, and unmanned manned-capable eVTOLs are required to perform special emergency rescue missions. To achieve this, we propose a drone-assisted lightweight authentication protocol for unmanned eVTOL emergency rescue. Our main contributions are as follows:

• Novel Drone-Assisted Authentication Architecture for Unmanned eVTOL Emergency Rescue: We propose an authentication protocol specifically designed for unmanned eVTOL emergency rescue scenarios to address the issue of direct communication unavailability with the dispatching center. The protocol enables secure three-party authentication among the unmanned eVTOL, relay drone, and dispatching center, with all messages transmitted via the relay node throughout the authentication process, ensuring that rescue operations can be securely conducted even in complex urban environments.
• Practical Design for Urban Emergency Rescue Scenarios: Unlike existing schemes that assume continuous infrastructure coverage, our protocol fully considers the communication constraints commonly encountered in real-world rescue environments, such as signal blockage caused by urban high-rise buildings and dead zones. The relay-assisted mechanism ensures that authentication and key agreement can still be completed under extreme conditions, including 5G signal dead zones, directly supporting the continuity and reliability requirements of actual emergency rescue missions.
• PUF-Based Lightweight Security Design: By leveraging PUFs embedded in each unmanned eVTOL, drone, and DC, our protocol achieves lightweight authentication without requiring complex cryptographic operations. The PUFs’ challenge–response mechanism provides inherent resistance against physical tampering and enables efficient key generation suitable for resource-constrained aerial platforms.
• Strong Security and High Computational Efficiency: This proposed scheme provides mutual authentication and session key negotiation while withstanding common threats including MITM, replay, and impersonation attacks, while also achieving anonymity and untraceability for unmanned eVTOL identities during relay communications. Compared with some related schemes, our protocol delivers strong security with reduced costs in computation, communication, and storage.

2. Related Work

As an emerging technology, unmanned aerial vehicles (UAVs) have attracted extensive research interest. Although Hooper et al. [5] proposed a multi-layer architecture aimed at protecting commercial drones from DoS and ARP poisoning threats, their approach lacked rigorous formal verification. In 2017, Blazy et al. [6] designed an efficient security protocol for UAV systems, but it failed to adequately resist replay attacks. In 2018, to safeguard real-time UAV data, Cheon et al. [7] proposed the use of homomorphic authenticated encryption technology, albeit at the cost of significant computational overhead. In 2019, TCALAS was presented by Srinivas et al. [8] as a lightweight protocol based on temporary credentials; it was later shown to be susceptible to time asynchrony attacks. Operating on the belief that edge nodes are trustworthy, Gope and Sikdar [9] put forward a PUF-enabled key agreement mechanism that maintains privacy within the edge-assisted IoD environment. Zhang et al. [10] presented a lightweight symmetric key protocol requiring ground station participation in every session, thereby introducing a potential single point of failure. In 2021, Alladi et al. [11] designed a Drone-MAP leveraging 5G technology, characterized by session-specific identity updates, yet it remained susceptible to internal threats. In 2022, Wu et al. [12] advanced this research direction but encountered issues with excessive handover overhead.

With the advancement of UAV technology, traditional user-to-UAV authentication protocols are no longer well-suited to current scenarios. Coupled with issues such as user device loss and password leakage, direct UAV-to-UAV authentication has become critically important. In 2020, Yazdinejad et al. [13] sought to address the problem of centralized trust by utilizing blockchain technology to achieve UAV authorization through a public blockchain; however, their method suffered from consensus delay and excessive computational overhead. In 2021, Feng et al. [14] constructed a cross-domain authentication scheme employing threshold signatures and smart contracts, computationally expensive operations are incurred by its extensive employment of Elliptic Curve Cryptography. Khan et al. [15] presented a mechanism built upon hyperelliptic curves to address UAV-enabled Intelligent Transportation Systems (ITSs), but it was later found vulnerable to impersonation attacks. Xiao and Tao [16] introduced SLAKA-IoD, which supports both U2G and U2U authentication, though U2U sessions require GS participation, making the system vulnerable to ground station compromise. In 2022, Masuduzzaman et al. [17] proposed BUST, a traffic management solution that stores authentication logs but does not include active entity authentication. In the same year, Yu et al. [18] developed SLAP-IoD, a lightweight, PUF-based protocol resistant to UAV capture, but it assumes continuous ground connectivity for CRP updates. Also in 2022, Lounis et al. [19] designed a D2D-MAP employing PUFs, yet it transmits identities in plaintext. In 2023, Karmakar et al. [20] proposed UAAS, combining PUFs with a fuzzy extractor, which presents a risk of permanent identity leakage. In 2024, Pu et al. [21] designed an application-aware anonymous protocol using PUFs, but it still relies on centralized components. In 2025, Guo et al. [22] proposed AHA-BV, a scheme supporting batch verification for satellite–terrestrial networks, primarily addressing satellite access issues. Guo et al. [23] developed the N3PA-STIN scheme to enable many users to access networks that combine satellite and ground components, but it faces challenges of high overhead and semi-trusted satellite risks.

Since traditional vehicular network authentication protocols rely on roadside units (RSUs) [24,25], in emergency rescue scenarios, these protocols often encounter problems such as damaged RSUs or a lack of deployment. Consequently, utilizing UAVs as mobile relay nodes to assist in vehicular network authentication has emerged as a novel research direction. In 2022, El-Zawawy et al. [26] proposed an ECC-based UAV-assisted V2V authentication scheme, yet it lacks message integrity guarantees. In 2024, Miao et al. [27] contributed an ECC-based protocol for UAV-assisted vehicular networks that provides conditional privacy, but is vulnerable to physical capture attacks. In 2025, Nyangaresi et al. [28] built a PUF-biometric-ECC authentication protocol for the IoD and claimed it can withstand numerous attacks.

Recently, many researchers have also conducted studies in the field of emergency rescue. In 2022, Wu et al. [29] proposed an edge computing-enabled protocol to maintain available communication for the Internet of Vehicles in rural or disaster areas, providing anonymity and identity traceability, while remaining vulnerable to UAV capture attack. Next year, Liu et al. [30] proposed a UAV-assisted signature scheme for VANETs based on trusted hardware assumptions. In 2024, for the Internet of Vehicles (IoV), Wang et al. [31] introduced a UAV-assisted protocol leveraging PUFs and ECC. However, this scheme suffers from relatively high overhead. In 2025, Xie et al. [32] presented a PUF-based cross-domain anonymous rescue scheme that eliminates the online control center but only supports UAV-ground authentication, not UAV-UAV. Wang et al. [33] designed a UAV swarm rescue protocol that uses the Chinese remainder theorem and chameleon hashing, removing the trusted authority and achieving mutual authentication between UAVs and base stations. Ying et al. [34] introduced a secure and efficient V2ES (Vehicle-to-Edge Server) authentication protocol designed for connected autonomous vehicles, which they integrated with a Faster R-CNN-based object detection scheme. Their study emphasizes a synergistic approach that balances secure edge service access with perception-related tasks, while also exploring efficiency enhancements for real-world deployment, and their primary emphasis lies in V2ES/edge interactions and the fusion of sensing capabilities. Li et al. [35] proposed a rescue-vehicle security scheme using certificateless cryptography to handle both scheduling and access authentication, enabling mutual authentication and key agreement with roadside units to ensure reliable information exchange. However, it remains limited by delays caused by road congestion. In 2026, Xie et al. [36] designed an emergency vehicle avoidance protocol based on ECC, a fuzzy extraction algorithm, and a PUF, enabling avoidance messages to be forwarded to ordinary vehicles before the arrival of emergency vehicles. Compared with related emergency vehicle avoidance protocols, it achieves better security and higher efficiency. Additionally, it adopts a server function partitioning and distributed registration center approach to reduce the burden and risk on the trusted authority during authentication. However, this scheme relies heavily on edge servers.

The existing works exhibit key limitations: cryptography-based schemes are efficient but vulnerable to physical attacks where compromised UAVs reveal all secrets; blockchain-based approaches introduce latency unsuitable for real-time authentication; PUF-based protocols enhance physical security yet suffer from ground connectivity dependence and anonymity gaps; UAV-assisted vehicular protocols neglect UAV security by assuming that UAVs are trustworthy.

Table 1. Summary of related schemes from the past five years.

Scheme	Year	Cryptographic Techniques	Advantages	Limits
[9]	2020	Utilizes PUF	Provides a key agreement mechanism that ensures privacy in edge-assisted IoD	Assumes edge nodes trustworthy
[10]	2020	Utilizes one-way hash function	Provides mutual authentication for user and drone	Does not resist physical capture attack
[11]	2021	Utilizes one-way hash function	Provides resistance to tracking through identity updates	Does not resist internal attacks
[12]	2021	Utilizes fuzzy ex-tractor	Provides mutual authentication for user and drone	Does not resist physical capture attack
[13]	2020	Utilizes blockchain	Provides distributed mutual authentication	Does not resist physical capture attack
[14]	2021	Utilizes PUF	Provides cross-domain mutual authentication	High computational overhead
[15]	2021	Utilizes hyperelliptic curve cryptography	Provides privacy for UAV-enabled ITS	Does not resist impersonation attacks
[16]	2024	Utilizes one-way hash function	Provides lightweight computation	Does not resist GS capture attack
[17]	2022	Utilizes blockchain	Provides decentralized traffic management by storing authentication logs	Cannot provide active authentication; limited scenario applicability
[18]	2022	Utilizes ECC	Provides mutual authentication among UAVs and base station devices.	Does not resist physical capture attack
[19]	2022	Utilizes PUF	Provides direct UAV-to-UAV authentication	Does not achieve anonymity
[20]	2023	Utilizes PUF + fuzzy extractor	Provides mutual authentication between UAV and ground station	Risk of permanent identity leakage
[21]	2024	Utilizes PUF	Provides application-aware anonymous authentication	Still relies on centralized components
[22]	2025	Utilizes one-way hash function	Provides support batch verification for satellite–terrestrial networks	Primarily addresses satellite access, not directly for UAVs
[23]	2025	Utilizes fuzzy extractor	Provides multi-user access for satellite–terrestrial integrated networks	Primarily addresses satellite access, not directly for UAVs
[26]	2022	Utilizes ECC	Provides UAV-assisted V2V authentication	Lacks message integrity guarantee
[27]	2024	Utilizes ECC	Provides conditional privacy for UAV-assisted vehicular networks	Does not resist physical capture attack
[28]	2025	Utilizes PUF + ECC	A novel authentication protocol for the Internet of Drones	-
[29]	2022	Utilizes one-way hash function	Provides anonymity and identity traceability	Does not resist physical capture attack
[30]	2023	Utilizes one-way hash function	Provides anonymity for UAV-assisted VANET	Does not resist physical capture attack
[31]	2024	Utilizes PUF + ECC	Provides three-factor security	Does not keep perfect forward secrecy
[32]	2025	Utilizes PUF	Provides cross-domain anonymous authentication	Focuses on UAV–GS authentication, not UAV–UAV
[33]	2025	Utilizes Chinese remainder theorem + chameleon hash	No trusted authority required during AKA	Does not resist physical capture attack
[35]	2025	Utilizes ECC	Provides secure scheduling for rescue vehicles with certificateless management	Does not resist physical capture attack

summarizes notable related works from the recent five years.

3. System and Adversary Models

3.1. System Model

Figure 1 illustrates the proposed system model, which consists of three entities: the unmanned rescue eVTOLi, the relay Dronej, and the dispatching center (DC).

When the unmanned eVTOLi experiences disrupted direct communication with the DC or flies outside the DC’s coverage area, it randomly selects a surrounding drone as the transmission relay and sends an authentication and message transmission request to that relay drone. With the assistance of Dronej, the unmanned rescue eVTOLi performs authentication with the DC, negotiates a session key, and transmits real-time high-definition video captured by its onboard camera, real-time vital signs of injured individuals, and flight routes back to the DC. It can also deliver supplies, rescue injured personnel, etc., according to the instructions from the DC.

Dronej serves as a relay node to assist the unmanned eVTOLi in completing mutual authentication with the DC when the signal of the unmanned eVTOLi is obstructed. Simultaneously, Dronej itself completes mutual authentication and session key negotiation with both the unmanned eVTOLi or DC. To address the single point of failure issue, an eVTOL can select any surrounding drone as a transmission relay as needed. Once the relay drone fails or is captured, and the eVTOL receives no feedback within an acceptable time threshold, it needs to resend the authentication request or select another drone as the transmission relay.

The dispatching center possesses strong computing power and storage capacity, both of which are deployed reliably, and serves to handle real-name registration of the unmanned eVTOLi and Dornej, maintaining the mapping between their real and anonymous identities and analyzing, assessing, and making decisions based on the information transmitted back by the unmanned eVTOLi and Dronej.

3.2. Adversary Model

By combining the Dolev–Yao (DY) model [37] with the practical application scenarios of unmanned eVTOLs, the attacker model for unmanned eVTOLs is defined as:

• The adversary can listen to public channel transmissions, as well as tamper with, replay, or inject messages.
• If an adversary can hijack the unmanned eVTOL and drone, they can analyze the stored information.
• An adversary could compromise/capture the unmanned eVTOL and drone.
• The adversary may compromise/capture the dispatching center (DC).
• Only when examining perfect forward secrecy can adversaries be allowed to know the long-term private keys of users and servers.

4. Preliminary

In this section, we explain physical unclonable functions and one-way hash functions.

4.1. Physically Unclonable Function

A physical unclonable function (PUF) is a hardware security primitive that uses inherent physical variations in semiconductor devices to create unique, unpredictable challenge–response pairs [38]. Conceptually analogous to biometric identifiers in humans, PUFs serve as an intrinsic fingerprint for each individual silicon chip. Due to inevitable manufacturing process variations, Integrated Circuits (ICs) exhibit subtle but measurable differences in parameters such as propagation delay, threshold voltage, the gain factor, and other electrical characteristics. PUFs leverage these inherent physical discrepancies to derive device-specific cryptographic keys without the need for non-volatile memory storage.

Unlike traditional cryptographic mechanisms that rely on securely stored digital keys, PUFs implement a challenge–response authentication protocol at the physical level. Upon receiving an input challenge, the PUF generates a response determined by its unique physical microstructure, thereby rendering each circuit effectively unclonable. Moreover, any physical probing or invasive characterization of the PUF unavoidably disturbs its fundamental physical properties, thus modifying the challenge–response behavior and ensuring that sensitive information remains protected even when the device is compromised.

The integration of PUFs into unmanned eVTOL platforms offers a promising countermeasure against capture attacks, to which existing security protocols remain vulnerable. The intrinsic unpredictability of PUF guarantees that the following holds: even if an adversary physically compromises the unmanned eVTOL and extracts stored data, the PUF-protected cryptographic material cannot be replicated or reused. Furthermore, PUF computations are executed at the hardware level with operating frequencies in the MHz range, typically completing within sub-nanosecond intervals. This performance significantly surpasses software-based hash operations, which operate on millisecond timescales, rendering the computational overhead of PUFs negligible. Since PUF-based operations are confined within the unmanned eVTOL hardware, they impose no additional communication burden on the overall system architecture.

Different PUFs can be deployed in eVTOLs and relay drones. Unmanned manned-capable eVTOLs are large-scale, high-value platforms designed for emergency rescue missions. As the cost of a typical eVTOL airframe ranges from 200,000 to 2 million, the incremental cost of integrating a PUF, even a standalone hardware PUF chip (1–5), or utilizing the SRAM PUF that already exists in many microcontrollers, is negligible relative to the overall system cost. For relay drones (e.g., sub-$100 quadcopters), commercial off-the-shelf microcontrollers used in flight controllers (such as the STM32 series or i.MX RT series) already contain embedded SRAM PUFs, which leverage the random power-up state of SRAM cells as a unique fingerprint, incurring no additional hardware cost while providing reasonable environmental stability.

4.2. One-Way Hash Function

A fundamental tool in cryptographic systems is the one-way hash function (often abbreviated as hash function). Its operation takes an arbitrary-length message m and computes a fixed-length digest $h=h\left(m\right)$. The following essential properties characterize such a function:

1.

Fixed Output Length: No matter what finite length the input has, the hash value produced by $H$ always possesses the same predetermined length.

2.

Preimage Resistance (One-Way Property): For a given hash result h, discovering any input m satisfying $H\left(m\right)=h$ is computationally impossible. Hence, the function cannot be inverted.

3.

Collision Resistance: Finding any pair of distinct inputs $m_1$ and $m_2$ (where $m_1\ne m_2$) such that $H\left(m_1\right)=H\left(m_2\right)$.

4.

Second Preimage Resistance: It is practically infeasible for a specified $m_1$, to discover a second distinct $m_2$ (where $m_2\ne m_1$) such that $H\left(m_1\right)=H\left(m_2\right)$.

5.

Pseudo-Randomness (Puzzle-Friendliness): The output of a hash function behaves like a random oracle, meaning there is no efficient method to predict or control the output value by strategically selecting the input.

Beyond these security properties, hash functions are designed to be computationally efficient, allowing for fast calculation of the hash value for any given input. This combination of security and efficiency makes them indispensable for various applications like integrity checking of data, digital signature generation, and password protection.

5. Proposed Protocol

This section details our proposed drone-assisted lightweight authentication protocol for unmanned eVTOL emergency rescue, which comprises three phases: system initialization, registration, and authentication and key agreement. A detailed summary of the notations employed throughout the protocol is provided in

Table 2. Notations and Descriptions.

Notation	Description
$K_{DC}$	Private key of DC
$P{K}_{DC}$	Public key of DC
$P$	Base point of the elliptic curve
$I{D}_{ei},$$I{D}_{dj},$$I{D}_{DC}$	Identities of unmanned eVTOLi, Dronej, DC
$PI{D}_{ei},$$PI{D}_{dj}$	Pseudonymous identity of unmanned eVTOL and Dronej
$B_{ei},$$B_{dj}$	Secret parameter of unmanned eVTOL and Dronej
$PUF\left(\right)$	Physical unclonable function
$(Ch{a}_j, Re{s}_j)$	PUF’ challenges and responses
$h(\cdot )$	Hash function
$T_i$	Timestamps
$\Delta T$	The maximum transmission delay time
$S{K}_{ei-dj}, S{K}_{ei-DC}, S{K}_{DC-dj}$	Session key
$E_{(\cdot )},$$D_{(\cdot )}$	Symmetric encryption/decryption algorithm

.

5.1. Initialization Phase

The dispatching center (DC) generates an elliptic curve $E\left(G{F}_q\right)$, a base point $P$, and a secure hash function $h(\cdot )$. Its identity is $I{D}_{DC}$, and its private and public keys are $K_{DC}$ and $P{K}_{DC}=K_{DC}\cdot P$.

The DC selects a challenge value $a_{DC}$, computes $Re{s}_{DC}=PU{F}_{DC}\left(a_{DC}\right)$, $D_{DC}=K_{DC}\oplus h(1\parallel Re{s}_{DC})$, and stores $\left\{a_{DC},D_{DC}\right\}$.

Finally, DC publishes the public parameters $\left\{E\left(G{F}_q\right),P,h\left(\cdot \right),I{D}_{DC},P{K}_{DC},\Delta T\right\}$.

5.2. Registration Phase

Figure 2 and Figure 3 show the registration processes for unmanned eVTOLs and drones, respectively.

• Unmanned eVTOL Registration phase

• Step ER1: The unmanned eVTOLi (I = 1, 2, 3… t) sends identity ${ID}_{ei}$ to the DC with a secure channel.
• Step ER2: Upon reception of the ${ID}_{ei}$, the DC generates timestamp $T_i$ and computes the following:

  $$Re{s}_{DC}=PU{F}_{DC}\left(a_{DC}\right)$$

  $$K_{DC}=D_{DC}\oplus h\left(1\right|\left|Re{s}_{DC}\right)$$

  $$B_{ei}=h\left({ID}_{DC}\right|\left|{ID}_{ei}\right|\left|K_{DC}\right)$$

  $$PI{D}_{ei}=E_{K_{DC}}\left(I{D}_{ei}\right|\left|T_i\right)$$

Then, the DC sends the message $M_2=\{B_{ei},PI{D}_{ei}\}$ to the unmanned eVTOLi with the same channel.

• Step ER3: Upon reception of the message $M_2=\{B_{ei},PI{D}_{ei}\}$, the unmanned eVTOLi generates challenge value $Ch{a}_i$ and computes the following:

  $$Re{s}_i=PUF\left(Ch{a}_i\right)$$

  $$B_{Vi}=B_{ei}\oplus h\left(Re{s}_i\right)$$

The unmanned eVTOLi stores $\{I{D}_{ei},Ch{a}_i,B_{Vi},PI{D}_{ei}\}$.

2.

Drone Registration phase

• Step DR1: Dronej (j = 1, 2, 3… k) sends identity ${ID}_{dj}$ to the DC with a secure channel.
• Step DR2: Upon reception of the ${ID}_{dj}$, the DC generates timestamp $T_j$ and computes the following:

  $$Re{s}_{DC}=PU{F}_{DC}\left(a_{DC}\right)$$

  $$K_{DC}=D_{DC}\oplus h\left(1\right|\left|Re{s}_{DC}\right)$$

  $$B_{dj}=h\left({ID}_{DC}\right|\left|{ID}_{dj}\right|\left|K_{DC}\right)$$

  $$PI{D}_{dj}=E_{K_{DC}}\left(I{D}_{dj}\right|\left|T_j\right)$$

Then, the DC sends the message $M_2=\{B_{dj},PI{D}_{dj}\}$ to Dronej on the same channel.

Step DR3: Upon reception of the message $M_2=\{B_{dj},PI{D}_{dj}\}$, Dronej generates challenge value $Ch{a}_{i }$ and computes the following:

$$Re{s}_j=\mathrm{P}\mathrm{U}\mathrm{F}\left(Ch{a}_j\right)$$

$$B_{Vj}=B_{uj}\oplus h\left(Re{s}_j\right)$$

Dronej stores $\{{ID}_{dj},Ch{a}_j,B_{Vj},PI{D}_{dj}\}$.

5.3. Authentication and Key Agreement Phase

In this section, we present the authentication and key agreement process. In Figure 4, the framework of the proposed AKA process shows the framework of the authentication process, and Figure 5 provides an elaborate depiction of the authentication and key agreement flow.

• Step AK1: The unmanned eVTOLi computes

  $$Re{s}_i=PUF\left(Ch{a}_i\right)$$

  (1)

  $$B_{ei}=B_{vi}\oplus h\left(Re{s}_i\right)$$

  (2)

  then generates random number $r_1$ and timestamp $T_1$. It then computes

  $$A_1=r_1\cdot P$$

  (3)

  $$C_1=h\left(I{D}_{DC}\right|\left|B_{ei}\right|\left|PI{D}_{ei}\right|\left|A_1\right|\left|T_1\right)$$

  (4)

The unmanned eVTOL randomly selects a surrounding drone as the relay and sends $M_1=\{I{D}_{DC},A_1,C_1,{PI{D}_{ei},T}_1\}$ to the selected relay drone through the public channel.

• Step AK2: Upon receiving the message $\{I{D}_{DC},A_1,C_1,{PI{D}_{ei},T}_1\}$, Dronej first generates timestamp $T_2$ and checks whether $|T_2-T_1|\le \Delta T$ holds; if it holds, Dronej computes

  $$Re{s}_j=PUF\left(Ch{a}_j\right)$$

  (5)

  $$B_{dj}=B_{Vj}\oplus h\left(Re{s}_j\right)$$

  (6)

  then generates random number $r_2$ and computes

  $$A_2=r_2\cdot P$$

  (7)

  $$C_2=h\left(I{D}_{DC}\right|\left|B_{dj}\right|\left|PI{D}_{dj}\right|\left|A_2\right|\left|T_2\right)$$

  (8)

Dronej sends $M_2=\left\{M_1,A_2,C_2,PI{D}_{dj}{,T}_2\right\}$ to the DC through the public channel.

• Step AK3: Upon receiving the message $M_2$, the DC first generates timestamp $T_3$ and checks whether $|T_3-T_2|\le \Delta T$ holds; if it holds, it generates random number $r_3$ and computes

  $$Re{s}_{DC}=PU{F}_{DC}\left(a_{DC}\right)$$

  (9)

  $$K_{DC}=D_{DC}\oplus h\left(1\right|\left|Re{s}_{DC}\right)$$

  (10)

  $$D_{K_{DC}}\left(PI{D}_{ei}\right)=I{D}_{ei}\left|\right|T_i$$

  (11)

  $$B_{ei}=h\left(I{D}_{DC}\right|\left|I{D}_{ei}\right|\left|K_{DC}\right)$$

  (12)

  $$C_1^{\prime }=h\left(I{D}_{DC}\left|\right|PI{D}_{ei}\left|\right|A_1\left|\right|T_1 \right)$$

  (13)

If $C_1^{\prime }\ne C_1$, the process is aborted. Otherwise, it computes

$$D_{K_{DC}}\left(PI{D}_{dj}\right)=I{D}_{dj}\left|\right|T_i$$

(14)

$$B_{dj}=h\left(I{D}_{DC}\right|\left|I{D}_{dj}\right|\left|K_{DC}\right)$$

(15)

$$C_2^{\prime }=h\left(I{D}_{DC}\right|\left|B_{dj}\right|\left|PI{D}_{dj}\right|\left|A_2\right|\left|T_2\right)$$

(16)

If $C_2^{\prime }\ne C_2$, the process is aborted. Otherwise, it computes

$$PI{D}_{ei}^{\prime }=E_{K_{DC}}\left(I{D}_{ei}\right|\left|T_3\right)$$

(17)

$$PI{D}_{dj}^{\prime }=E_{K_{DC}}\left(I{D}_{dj}\right|\left|T_3\right)$$

(18)

$$C_3=r_3\cdot P$$

(19)

$$S{K}_{DC-ei}=h(r_3\cdot A_1|\left|I{D}_{ei}\right|\left|I{D}_{DC}\right)$$

(20)

$$S{K}_{DC-dj}=h(r_3\cdot A_2|\left|I{D}_{dj}\right|\left|I{D}_{DC}\right)$$

(21)

$$C_4=E_{\left(B_{dj}\right)}\left(I{D}_{ei}\right|\left|PI{D}_{dj}^{\prime }\right|\left|C_3\right)$$

(22)

$$C_5=E_{\left(B_{ei}\right)}\left(I{D}_{dj}\right|\left|PI{D}_{ei}^{\prime }\right|\left|C_3\right|\left|A_2\right)$$

(23)

$$C_6=h\left(C_3\right|\left|C_4\right|\left|C_5\right|\left|T_3\right)$$

(24)

The DC sends $M_3=\{C_4,C_5,C_6,T_3\}$ to Dronej through the public channel.

• Step AK4: On receiving the message $\{C_4,C_5,C_6,T_3\}$, Dronej first generates timestamp $T_4$ and checks whether $|T_4-T_3|\le \Delta T$ holds; if it holds, it computes $(I{D}_{ei}||PI{D}_{dj}^{\prime }||C_3)=D_{\left(B_{dj}\right)}\left(C_4\right)$.

The pseudonymous identity is updated to $PI{D}_{dj}^{\prime }$.

$$C_6^{\prime }=h\left(C_3\right|\left|C_4\right|\left|C_5\right|\left|T_3\right)$$

(25)

If $C_6^{\prime }\ne C_6$, the process is aborted. Otherwise, it generates $T_4$ and computes

$$S{K}_{dj-DC}=h(r_2\cdot C_3|\left|I{D}_{dj}\right|\left|I{D}_{DC}\right)$$

(26)

$$S{K}_{dj-ei}=h(r_2\cdot A_1|\left|I{D}_{dj}\right|\left|I{D}_{ei}\right)$$

(27)

$$C_7=h\left(S{K}_{dj-ei}\right|\left|A_2\right|\left|C_3\right|\left|C_5\right|\left|T_4\right)$$

(28)

Dronej sends $M_4=\{C_5,C_7,T_4\}$ to the unmanned eVTOLi through the public channel.

• Step AK5: Upon receiving the message $\{C_5,C_7,T_4\},$ the unmanned eVTOLi first generates timestamp $T_5$ and checks whether $|T_5-T_4|\le \Delta T$ holds; if it holds, it computes

  $$\left(I{D}_{dj}\right|\left|PI{D}_{ei}^{\prime }\right|\left|C_3\right|\left|A_2\right)=D_{\left(B_{ei}\right)}\left(C_5\right)$$

  (29)

The pseudonymous identity is updated to $PI{D}_{ei}^{\prime }$.

$$S{K}_{ei-dj}=h(r_1\cdot A_2|\left|I{D}_{dj}\right|\left|I{D}_{ei}\right)$$

(30)

$$S{K}_{ei-DC}=h(r_1\cdot C_7|\left|I{D}_{ei}\right|\left|I{D}_{DC}\right)$$

(31)

$$C_7^{\prime }=h\left(S{K}_{dj-ei}\right|\left|A_2\right|\left|C_3\right|\left|C_5\right|\left|T_4\right)$$

(32)

If $C_7^{\prime }\ne C_7$, the process is aborted. Otherwise, it completes authentication and key agreement.

6. Formal Security Proof

In this section, we prove the security of our protocol in the random oracle model, analyzing the advantage of a PPT adversary $A$ against its semantic security. The simulated advantage is negligible, confirming the scheme’s practically unbreakable security and adversarial resilience.

6.1. Definition of Random Oracle Model

Definition 1.

(Participants and Partnership): In our scheme, mutual authentication and key agreement involve the cooperation of three parties: namely, the dispatching center (DC), the unmanned eVTOLi (ei), and Dronej (dj). Together, they are referred to as "P". The following notation applies to the i-th instance: $I{n}_P^i,I{n}_{DC}^i,I{n}_{e_i}^i,I{n}_{d_j}^i$. Participants with an identical session identifier ${\mathit{SID}}_P^I$ are considered to belong to the same session. The partner identity of an unmanned eVTOLi $I{n}_{e_i}^i$ (or Dronej $I{n}_{d_j}^i$ ) is denoted as $PI{D}_{e_i}^i$ (or $PI{D}_{d_j}^i$ ). A participant P attains the state $Accep{t}_p^i$ upon receiving a legitimate and valid request. An unmanned rescue eVTOLi $I{n}_{e_i}^i$ and relay Dronej $I{n}_{d_j}^i$ are defined as partners if the following conditions are satisfied:

(1)

Both participants are in the $\mathit{Accept}$ state.

(2)

$SI{D}_{e_i}^i=SI{D}_{d_j}^j$.

(3)

$PI{D}_{e_i}^i=I{n}_{d_j}^i$ and $PI{D}_{d_j}^i=I{n}_{e_i}^i$.

Additionally, the session keys negotiated by both parties must be identical, i.e., $S{K}_{e_i}^i=S{K}_{d_j}$.

Definition 2.

(Query): To simulate the capabilities of an adversary $A$, the following queries are defined:

• Execute Query ($I{n}_P^i$): When this query is executed, $A$ can obtain all publicly transmitted parameters.
• Send Query ($I{n}_P^i,m$): $A$ sends a message m to $I{n}_P^i$. If m is legitimate and correct, $I{n}_P^i$ responds to the message; otherwise, it is ignored.
• Reveal Query ($I{n}_{e_i}^i,I{n}_{d_j}^i$): If the test query has not been executed and the session keys $S{K}_{e_i}^i$ and $S{K}_{d_j}$ have been negotiated, $A$ can obtain the session key by executing this query.
• Corrupt Query ($I{n}_{e_i}^i$): The user’s mobile device stores parameters $\{A_1,A_2,\mathit{Rep}\left(·\right),n\text{}}$; $A$ can obtain these parameters by executing this query.
• Test Query ($I{n}_{e_i}^i,I{n}_{d_j}^i,r$): This query first creates a random bit r. When a session key has been generated and r = 1, A receives the real session key; when r = 0, A receives a random number. If no session key exists, an empty string is returned. The query is limited to a single execution.

Definition 3.

(Freshness): An instance is deemed fresh when it meets all of the criteria listed below:

(1)

The reveal query is never made, and the corrupt query is made at most once.

(2)

The states of both $I{n}_{e_i}^i$ and $I{n}_{d_j}^i$ are Accept.

Definition 4.

(Semantic Security): A random bit $r_{\mathit{guess}}$ is generated to guess the bit r generated by the Test query. If $r_{\mathit{guess}}=r$, it indicates that A has determined whether the test query returned the correct session key, and the semantic security of protocol $\mathit{\Pi }$ is compromised. The probability of this event is defined as ${\mathit{Adv}}_{\mathit{\Pi }}^A=\left|2\mathit{Pr}\right[r_{\mathit{guess}}=r]-1|=\left|2\mathit{Pr}\right[{\mathit{Siccess}}_A]-1|$. If ${\mathit{Adv}}_{\mathit{\Pi }}^A<\mathit{\eta }$, where $\mathit{\eta }$ is a negligible value, then $\mathit{\Pi }$ is considered to possess semantic security.

6.2. Formal Proof

Theorem 1.

We define ${\mathit{Adv}}_{\mathit{\Pi }}^{\mathit{A}}$ as the advantage of a PPT adversary A in breaking protocol Π’s semantic security. Assume that A makes at most $q_{hash}$ queries to the hash oracle, $q_{send}$ to the send oracle, and $q_{exe}$ to the execute oracle. Furthermore, let $l_{\mathit{hash}}$ and $l_{\mathit{nonce}}$ denote the bit lengths of the hash output and the nonce, respectively. The advantage is then bounded as:

$${\mathit{Adv}}_{\mathit{\Pi }}^A\le {\displaystyle \frac{q_{\mathit{hash}}^2}{2^{l_{\mathit{hash}}}}}+{\displaystyle \frac{(q_{\mathit{exe}}+q_{\mathit{send}}{)}^2}{2^{l_{\mathit{nonce}}-1}}}+{2q}_{\mathit{hash}}·({\mathit{Adv}}_A^{\mathit{ECDLP}}+{\displaystyle \frac{1}{2^{l_{\mathit{hash}}}}})$$

Proof. 

Consider a sequence of games $Gam{e}_i$ that captures the semantic security attacks of $A$. Define $Succes{s}_i$ as the event where $A$ violates $\Pi$’s semantic security in ${Game}_i$. The games are described as follows:

${\mathit{Game}}_0$: This simulates a real attack launched by $A$. The adversary first selects a random bit $r_{\mathit{guess}}$. According to the definition, we have the following:

$${\mathit{Adv}}_{\mathit{\Pi }}^A=\left|2\mathit{Pr}\right[{\mathit{Success}}_0]-1|$$

(33)

${\mathit{Game}}_1$: This corresponds to the setting where $A$ initially runs an execute query to retrieve public communication content. As the last step, $A$ conducts a test query to distinguish the actual session key from a random value. The session key in our protocol is referred to as $S{K}_{dj-DC}=h(r_2\cdot C_7|\left|I{D}_{dj}\right|\left|I{D}_{DC}\right)$ $S{K}_{ei-dj}=h(A_2\cdot r_1|\left|I{D}_{dj}\right|\left|I{D}_{ei}\right) S{K}_{ei-DC}=h(r_1\cdot C_7|\left|I{D}_{ei}\right|\left|I{D}_{DC}\right)$. Among the intercepted messages, $A_1$ and $A_2$ are associated with the session key. Nevertheless, the hardness of the CDHP prevents A from linking the intercepted messages to the session key. Consequently, despite having access to all public communication, $A$ remains unable to verify the correctness of the returned session key.

Based on the above analysis, it follows that

$$Pr\left[Succes{s}_1\right]=Pr\left[Succes{s}_0\right]$$

${\mathit{Game}}_2$: In the proposed protocol, messages consist of hash values, the results of exclusive OR (XOR) operations, and nonce. This simulation involves adversary A executing execute queries to obtain messages, followed by send and hash queries to launch collision attacks. By the birthday paradox, the upper bound on the probability of a hash collision equals ${\displaystyle \frac{q_{hash}^2}{2^{l_{hash+1}}}}$. Simultaneously, the probability of a nonce collision is ${\displaystyle \frac{q_{hash}^2}{2^{l_{hash+1}}}}$. Therefore, it can be concluded that

$$Pr[Succes{s}_2]-Pr[Succes{s}_1]\le {\displaystyle \frac{q_{\mathit{hash}}^2}{2^{l_{\mathit{hash}+1}}}}+{\displaystyle \frac{(q_{\mathit{exe}}+q_{\mathit{send}}{)}^2}{2^{l_{\mathit{nonce}}}}}$$

${\mathit{Game}}_3$: In the proposed protocol, $A$ executes Corrupt Query ($I{n}_{e_i}^i)$ to obtain the stored information $\{I{D}_{ei},Ch{a}_i,B_{Vi},PI{D}_{ei}\}$ in the unmanned eVTOL, where $Re{s}_i=PUF\left(Ch{a}_i\right)$ and $B_{Vi}=B_{ei}\oplus h\left(Re{s}_i\right)$. To obtain the critical parameters, A has two options: guess $B_{ei}$ or break the PUF. Let ${\mathit{Adv}}_{PUF}^A$ be the probability of the latter event. Then we get

$$Pr\left[Succes{s}_3\right]-Pr\left[Succes{s}_2\right]\le q_{send} Ad{v}_{PUF}^A$$

${\mathit{Game}}_4$: In the proposed protocol, based on the CDHP and a cryptographic hash function, the protocol generates three session keys: $S{K}_{dj-\mathrm{D}\mathrm{C}}=\mathrm{h}(r_2\cdot C_7|\left|I{D}_{dj}\right|\left|I{D}_{DC}\right)$ $S{K}_{ei-dj}=h(A_2\cdot r_1|\left|I{D}_{dj}\right|\left|I{D}_{ei}\right) S{K}_{ei-DC}=h(r_1\cdot C_7|\left|I{D}_{ei}\right|\left|I{D}_{DC}\right)$ The simulation models $A$’s attempts to compute these keys after issuing execute and $hash$ queries. In scenario one, $A$ performs a hash collision attack, whose maximum probability is ${\displaystyle \frac{q_{\mathrm{h}\mathit{as}\mathrm{h}}}{2^{l_{\mathrm{h}\mathit{as}\mathrm{h}}}}}$. In the second scenario, given $A_1=r_1\cdot P$,$A_2=r_2\cdot P$ and $C_7=r_3\cdot P$, $A$ attempts to compute $r_1\cdot C_7$, with a maximum probability of $q_{\mathrm{h}\mathit{as}\mathrm{h}}·{\mathit{Adv}}_A^{\mathit{ECDLP}}$, where ${\mathit{Adv}}_A^{\mathit{ECDLP}}<\mathit{\eta }$ and $\mathit{\eta }$ is sufficiently small. Therefore, we obtain

$$Pr[\mathrm{S}\mathrm{u}\mathrm{c}\mathrm{c}\mathrm{e}\mathrm{s}{s}_4]-\mathrm{P}\mathrm{r}[\mathrm{S}\mathrm{u}\mathrm{c}\mathrm{c}\mathrm{e}\mathrm{s}{s}_3]\le q_{\mathrm{h}\mathit{as}\mathrm{h}}·({\mathit{Adv}}_A^{\mathit{ECDLO}}+{\displaystyle \frac{1}{2^{l_{\mathrm{h}\mathit{as}\mathrm{h}}}}})$$

From the preceding analysis, adversary A derives zero advantage when trying to predict the random bit r, i.e.,

$$Pr\left[Succes{s}_4\right]={\displaystyle \frac{1}{2}}$$

According to Equation (33),

$${\displaystyle \frac{1}{2}}{\mathit{Adv}}_{\mathit{\Pi }}^A=\left|\mathrm{Pr}\left[Succes{s}_0\right]-{\displaystyle \frac{1}{2}}\right|$$

By combining the above equations, we can conclude that

$$\begin{gathered} {\displaystyle \frac{1}{2}}{\mathit{Adv}}_{\mathit{\Pi }}^A=\mid \mathrm{P}\mathrm{r}\left[\mathrm{S}\mathrm{u}\mathrm{c}\mathrm{c}\mathrm{e}\mathrm{s}{s}_1\right]-\mathrm{P}\mathrm{r}\left[\mathrm{S}\mathrm{u}\mathrm{c}\mathrm{c}\mathrm{e}\mathrm{s}{s}_4\right]\mid \le \mid Pr\left[\mathrm{S}\mathrm{u}\mathrm{c}\mathrm{c}\mathrm{e}\mathrm{s}{s}_1\right]-Pr\left[\mathrm{S}\mathrm{u}\mathrm{c}\mathrm{c}\mathrm{e}\mathrm{s}{s}_{2}n\right]\mid +\mid Pr\left[\mathrm{S}\mathrm{u}\mathrm{c}\mathrm{c}\mathrm{e}\mathrm{s}{s}_2\right] \\ -Pr\left[\mathrm{S}\mathrm{u}\mathrm{c}\mathrm{c}\mathrm{e}\mathrm{s}{s}_3\right]\mid +\mid Pr\left[\mathrm{S}\mathrm{u}\mathrm{c}\mathrm{c}\mathrm{e}\mathrm{s}{s}_3\right]]-Pr[\mathrm{S}\mathrm{u}\mathrm{c}\mathrm{c}\mathrm{e}\mathrm{s}{s}_4]\mid . \end{gathered}$$

That is,

$${\mathit{Adv}}_{\mathit{\Pi }}^A\le {\displaystyle \frac{q_{\mathit{hash}}^2}{2^{l_{\mathit{hash}}}}}+{\displaystyle \frac{(q_{\mathit{exe}}+q_{\mathit{send}}{)}^2}{2^{l_{\mathit{nonce}}-1}}}+2q_{\mathit{hash}}·({\mathit{Adv}}_A^{\mathit{ECDLP}}+{\displaystyle \frac{1}{2^{l_{\mathit{hash}}}}})$$

□

6.3. Formal Security Verification Using ProVerif

ProVerif is a fully automated tool that formally analyzes the security of cryptographic protocols. Recently, as authentication protocols have become widely deployed across many domains, ensuring their security has grown increasingly critical. Nevertheless, the complexity and often untrusted nature of real-world deployment environments make many protocol attacks hard to detect or prevent by manual review alone. To overcome this issue, Bruno Blanchet designed ProVerif—an automatic formal verifier based on the Dolev–Yao [37] model. This tool supports a broad range of cryptographic primitives, including hash functions, Diffie-Hellman key exchange, and public-key encryption. It can verify confidentiality properties and identify potential vulnerabilities; when a flaw exists, the tool outputs a corresponding attack trace.

In our verification, we first define the communication channels, basic data types, and several operations (hash, elliptic-curve, and physical unclonable functions) in Figure 6. Figure 7 defines attack events and regular events together with their logical relationships. The execution flow of the unmanned eVTOL is depicted in Figure 8, and within our proposed scheme, the eVTOL follows the steps shown in Figure 8 to complete authentication. Similarly, the processes of the drone and the dispatching center are presented in Figure 9 and Figure 10, respectively. Figure 11 illustrates the overall flow. The results in Figure 12 show that the attacker cannot obtain the session keys $S{K}_{dj-\mathrm{D}\mathrm{C}}$, $S{K}_{ei-dj}$, and $S{K}_{ei-DC}$, the unmanned eVTOL identity $I{D}_{ei}$, the drone identity $I{D}_{dj}$, or the DC private key $K_{DC}$, thereby proving that our protocol is resilient to attacks on these parameters, and that the underlying logic is valid and workable.

7. Informal Security Analysis

• Verification Table Theft Attack

Since the proposed protocol does not store a verification table in the unmanned eVTOL, drone, or dispatching center, the protocol is resistant to verification table theft attacks.

2.

Replay Attack

In the proposed scheme, each message transmission is combined with a timestamp and a random nonce (or secret parameter), forming a dual verification mechanism of timestamp and secret parameter. When an attacker replays an intercepted message, the protocol first ensures the timestamp is still fresh. For replays that occur within ΔT, it also checks whether the random number or secret parameter carried by the message is correct.

Specifically, $M_1$ contains timestamp $T_1$, a random nonce $r_1$, and secret parameter $B_{ei}$ (contained in $C_1$), which is verified by the DC. Message $M_2$ similarly contains timestamp $T_2$, a random nonce $r_2$, and the shared secret parameter $B_{dj}$ (contained in $C_2$), which is also verified by the DC.

Since the random numbers or secret parameters are single-use and unpredictable, even if an attacker successfully replays a message within the time window, the authentication will fail due to parameter mismatch, and the session key cannot be obtained. Therefore, the proposed scheme can resist replay attacks.

3.

Physical Capture Attack

Once a relay drone is captured, the attacker will attempt to obtain the secret values of the relay drone. Since PUFs are designed to be tamper-resistant, physical probing will irreversibly alter the challenge–response behavior of the PUF. Moreover, the relay drone’s PUF is used only for the relay drone’s own authentication to the DC and does not store any secret values of the eVTOL or the DC. Therefore, capturing a relay does not compromise past or future sessions between the eVTOL and the DC. On the other hand, if the captured relay drone affects message transmission, the eVTOL will continue to send authentication requests to surrounding relay drones after the tolerance time threshold is exceeded, thereby minimizing the impact on the rescue mission.

4.

Impersonation Attacks

If an attacker captures and attempts to impersonate an unmanned eVTOL, they would need to know ${\mathit{B}}_{\mathit{e}\mathit{i}}$. On the unmanned eVTOL side, ${\mathit{B}}_{\mathit{e}\mathit{i}}$ is protected by the PUF, making it impossible for the attacker to compute ${\mathit{B}}_{\mathit{e}\mathit{i}}$. Therefore, the attacker cannot impersonate the unmanned eVTOLi.

For the same reason, the attacker cannot obtain the secret parameters ${\mathit{B}}_{\mathit{d}\mathit{j}}$ and ${\mathit{K}}_{\mathit{D}\mathit{C}}$ stored inDronej and the DC, and thus cannot launch impersonation attacks.

5.

Forgery Attacks

Assume that attacker $\mathit{A}$ attempts to authenticate as an unmanned eVTOL. During the authentication phase, the attacker must forge ${\{\mathit{B}}_{\mathit{e}\mathit{i}},\mathit{P}\mathit{I}{\mathit{D}}_{\mathit{e}\mathit{i}},{\mathit{r}}_{\mathbf{1}},{\mathit{T}}_{\mathbf{1}}\}$, but ${\mathit{r}}_{\mathbf{1}}$ is a random nonce, $\mathit{P}\mathit{I}{\mathit{D}}_{{\mathit{e}}_{\mathit{i}}}$ is the pseudonymous identity of the unmanned eVTOL, ${\mathit{B}}_{\mathit{e}\mathit{i}}={\mathit{B}}_{\mathit{V}\mathit{i}}\oplus \mathit{h}\left(\mathit{R}\mathit{e}{\mathit{s}}_{\mathit{i}}\right)$, $\mathit{P}\mathit{I}{\mathit{D}}_{{\mathit{e}}_{\mathit{i}}}={\mathit{E}}_{{\mathit{K}}_{\mathit{D}\mathit{C}}}(\mathit{I}{\mathit{D}}_{{\mathit{e}}_{\mathit{i}}}\parallel {\mathit{T}}_{\mathit{i}})$, and $\mathit{P}\mathit{I}{\mathit{D}}_{{\mathit{e}}_{\mathit{i}}}$ is updated after authentication. Since the attacker does not know ${\mathit{B}}_{{\mathit{e}}_{\mathit{i}}}$ and $\mathit{P}\mathit{I}{\mathit{D}}_{{\mathit{e}}_{\mathit{i}}}$, they cannot compute the correct ${\mathit{C}}_{\mathbf{1}}$. Here, ${\mathit{B}}_{\mathit{e}\mathit{i}}$ cannot be forged by $\mathit{A}$ because it is protected by the PUF. Therefore, the attacker cannot successfully forge the user identity.

Similarly, forging a relay drone is also infeasible because its ${\mathit{B}}_{\mathit{d}\mathit{j}}$ is also protected by the PUF. Furthermore, the attacker cannot forge messages to pass authentication, as the identity authentication information from the unmanned eVTOLi, Dronej, and the DC conceals shared secrets. Without knowledge of these shared secrets, any forgery attack is bound to fail.

6.

Know Session Key Attack

The session keys $\mathit{S}{\mathit{K}}_{\mathit{D}\mathit{C}-\mathit{e}\mathit{i}}=\mathit{h}({\mathit{r}}_{\mathbf{3}}\cdot {\mathit{A}}_{\mathbf{1}}|\left|\mathit{I}{\mathit{D}}_{\mathit{e}\mathit{i}}\right|\left|\mathit{I}{\mathit{D}}_{\mathit{D}\mathit{C}}\right)$,$\mathit{S}{\mathit{K}}_{\mathit{D}\mathit{C}-\mathbf{d}\mathit{j}}=\mathit{h}({\mathit{r}}_{\mathbf{3}}\cdot {\mathit{A}}_{\mathbf{2}}|\left|\mathit{I}{\mathit{D}}_{\mathbf{d}\mathit{j}}\right|\left|\mathit{I}{\mathit{D}}_{\mathit{D}\mathit{C}}\right)$, and $\mathit{S}{\mathit{K}}_{\mathit{e}\mathit{i}-\mathbf{d}\mathit{j}}=\mathit{h}({\mathit{r}}_{\mathbf{1}}\cdot {\mathit{A}}_{\mathbf{2}}|\left|\mathit{I}{\mathit{D}}_{\mathbf{d}\mathit{j}}\right|\left|\mathit{I}{\mathit{D}}_{\mathit{e}\mathit{i}}\right).$ Session key establishment relies on the ECDLP and a cryptographic hash function. An adversary who acquires these session keys remains unable to derive any long-term keys.

7.

Perfect Forward Secrecy

Assume an attacker has obtained all the long-term keys. Since the session key ${\mathit{S}\mathit{K}}_{\mathit{D}\mathit{C}-\mathit{e}\mathit{i}}=\mathit{h}({\mathit{r}}_{\mathbf{3}}\cdot {\mathit{A}}_{\mathbf{1}}|\left|\mathit{I}{\mathit{D}}_{\mathit{e}\mathit{i}}\right|\left|\mathit{I}{\mathit{D}}_{\mathit{D}\mathit{C}}\right)$ is negotiated based on the Computational Diffie–Hellman Problem (CDHP), the attacker cannot obtain the nonce ${\mathrm{r}}_1$ and ${\mathrm{r}}_3$ or compute ${\mathrm{r}}_1·{\mathrm{r}}_3·\mathrm{P}$. Therefore, the proposed protocol guarantees perfect forward secrecy. Even when an adversary knows all long-term keys, they cannot recover any previously established session key.

8.

Session Key Secrecy

Because the session keys are $S{K}_{DC-ei}=h(r_3\cdot A_1|\left|I{D}_{ei}\right|\left|I{D}_{DC}\right)$,$S{K}_{DC-dj}=h(r_3\cdot A_2|\left|I{D}_{dj}\right|\left|I{D}_{DC}\right)$, and $S{K}_{ei-dj}=h(r_1\cdot A_2|\left|I{D}_{dj}\right|\left|I{D}_{ei}\right),$ they do not appear in any authentication messages. ${\mathrm{r}}_3·{\mathrm{r}}_1·\mathrm{P}$, ${\mathrm{r}}_3·{\mathrm{r}}_2·\mathrm{P}$, and ${\mathrm{r}}_1·{\mathrm{r}}_2·\mathrm{P}$ are Diffie–Hellman values. Therefore, the Computational Diffie–Hellman Problem (CDHP)’s hardness prevents an adversary from deriving the session key.

9.

Man-in-the-Middle (MITM) Attack

Mounting a man-in-the-middle attack against the proposed scheme would require the adversary to both capture and modify the transmitted messages. Nevertheless, as previously outlined, messages such as ${\mathit{M}}_{\mathbf{1}}=\{\mathit{I}{\mathit{D}}_{\mathit{D}\mathit{C}},{\mathit{A}}_{\mathbf{1}},{\mathit{C}}_{\mathbf{1}},{\mathit{P}\mathit{I}{\mathit{D}}_{\mathit{e}\mathit{i}},\mathit{T}}_{\mathbf{1}}\}$ and ${\mathit{M}}_{\mathbf{3}}=\{{\mathit{C}}_{\mathbf{4}},{\mathit{C}}_{\mathbf{5}},{\mathit{C}}_{\mathbf{6}},{\mathit{T}}_{\mathbf{3}}\}$, are confidentiality-protected, and their integrity is safeguarded by cryptographic mechanisms. Consequently, while an adversary may be capable of intercepting these messages, any attempt to modify them would be detected or rendered infeasible due to the employed security primitives. Thus, MITM attacks cannot compromise the proposed scheme.

10.

Desynchronization Attack

In our protocol, first, during the AKA phase, the dispatching center (DC), the drone, and the eVTOL ensure message freshness by checking timestamps and secret parameters. At the same time, if a session cannot be completed normally due to message interception or packet loss, the eVTOL will reselect a relay drone to reinitiate the session. Second, the DC maintains forward security and anonymity with the eVTOL/drone by updating pseudonymous identifiers (PIDs). Specifically, each time after generating a session key, the DC generates a new pseudonym and sends it to eVTOLi and Dronej, and the device subsequently replaces the old pseudonym with the new one. This update process relies on the transmission of messages M3/M4. When an attacker blocks and intercepts M3/M4, due to the construction of pseudonyms as $\mathit{P}\mathit{I}{\mathit{D}}_{\mathit{e}\mathit{i}}={\mathit{E}}_{{\mathit{K}}_{\mathit{D}\mathit{C}}}\left(\mathit{I}{\mathit{D}}_{\mathit{e}\mathit{i}}\right|\left|{\mathit{T}}_{\mathit{i}}\right)$ and $\mathit{P}\mathit{I}{\mathit{D}}_{\mathit{d}\mathit{j}}={\mathit{E}}_{{\mathit{K}}_{\mathit{D}\mathit{C}}}\left(\mathit{I}{\mathit{D}}_{\mathit{d}\mathit{j}}\right|\left|{\mathit{T}}_{\mathit{j}}\right)$, the DC does not need to maintain any mapping table between pseudonyms and real identities. When a device initiates an authentication request using an old pseudonym, the DC can decrypt the pseudonym to obtain the device’s real identity and process the request normally. Even if the device fails to receive the latest pseudonym update, the DC can still identify the device and re-assign a new pseudonym to it after generating the session key. Therefore, even if an attacker successfully implements packet loss or interception, our protocol can still achieve implicit state synchronization through the DC’s decryption capability, inherently resisting desynchronization attacks by design, thereby ensuring the availability and robustness of the protocol.

11.

Anonymity and Unlinkability

The proposed scheme ensures both anonymity and unlinkability for participating entities. In each session, the unmanned eVTOLi and Dronej generate a fresh pseudo-identity, which is cryptographically uncorrelated to their real identities and to the pseudo-identities used in other sessions. As a result, these pseudo-identities provide strong anonymity and prevent any linking of different sessions to the same entity. Furthermore, all transmitted messages are dynamically composed using timestamps and random nonces, ensuring that no two sessions produce linkable message patterns. This design effectively thwarts both identity disclosure and trajectory tracking attacks.

12.

Insider Attack

The use of a PUF ensures that secret parameters within the unmanned eVTOLi and Dronej remain unreachable to any attacker, whether internal or external. Hence, our solution withstands privileged insider attacks.

13.

Mutual Authentication

Messages ${\mathit{M}}_{\mathbf{1}}$ and ${\mathit{M}}_{\mathbf{4}}$ enable mutual authentication between the unmanned rescue eVTOLi and both the relay Dronej and the DC. Meanwhile, ${\mathit{M}}_{\mathbf{2}}$ and ${\mathit{M}}_{\mathbf{3}}$ serve to establish mutual authentication between the relay Dronej and the DC.

8. Performance Evaluation

In this section, we conduct a comparative analysis between our proposed protocol and the existing schemes within the domains of UAV authentication and UAV-assisted authentication.

8.1. Security Comparison

Table 3. Comparison of security properties.

Attacks/Properties	[25]	[27]	[28]	[31]	[32]	[33]	Ours
Verification Table Theft Attacks	✓	✓	✓	✓	✓	✓	✓
Replay Attack	✓	✓	✓	✓	✓	✓	✓
Physical Capture Attack	✕	✕	✓	✓	✓	✕	✓
Forgery Attacks	✓	✓	✓	✓	✓	✓	✓
Impersonation Attack	✓	✓	✓	✓	✓	✓	✓
Know Session Key Attack	✓	✓	✓	✓	✓	✓	✓
Perfect Forward Secrecy	✓	✓	✓	✕	✓	✓	✓
Session Key Secrecy	✓	✓	✓	✓	✓	✓	✓
MITM Attack	✓	✓	✓	✓	✓	✓	✓
Anonymity and Unlinkability	✓	✓	✕	✓	✓	✓	✓
Insider Attack	✓	✓	✓	✓	✓	-	✓
Mutual Authentication	✓	✓	✓	✓	✓	✓	✓
Desynchronization Attack	✓	✓	✓	✓	✓	✓	✓

Note. ✓: resist attacks/provide properties; ✕: suffer attacks/not provide properties; -: Not considered.

compares the security of our scheme with related protocols [25,27,28,31,32,33], and the results show that our scheme achieves a higher security. The reason for selecting these references is that there is currently no authentication protocol specifically designed for eVTOLs, while the selected schemes either provide corresponding solutions for similar specific scenarios or adopt relevant key technologies, and each of these papers offers valuable insights. In refs. [25,27], the protocol does not deploy PUFs in the USP or devices to protect secret information. Once an attacker launches a side-channel attack or captures a USP or device, the attacker can launch various attacks, such as impersonation attacks. In ref. [28], because the authentication request {${PID}_i,D_1,D_2,D_3$} is unchanged in each session and therefore exhibits linkability. In ref. [31], the scheme is similar to our assumed target scenario. However, in its authentication process, the session key structure is $S{K}_{jl}=H\left(r_1\right|\left|r_2\right|\left|PI{D}_j\right|\left|PI{D}_l\right|\left|{Ch}_j\right)$. Once the long-term private keys and fixed secret values of the control center (CC) and the drone are obtained by an attacker, the attacker can recover the pseudonym (PID) and $(r_1,r_2)$ thereby compute the session key. Therefore, this protocol cannot guarantee perfect forward secrecy. The authors of ref. [33] propose an AKA scheme between drones and a ground station for secure communication between drone swarms in emergency rescue operations. However, this scheme also does not deploy PUFs in the devices to protect secret information. Therefore, once an attacker launches a side-channel attack or captures a device, the attacker can launch various attacks, such as impersonation attacks. Hence, this scheme cannot effectively resist physical capture attacks; once an attacker captures a drone, the system’s security will be severely compromised.

8.2. Computational Cost

Table 4. Computation cost.

Operation	Description	Execution Time
$T_h$	One-way hash function	0.009 ms
$T_{\mathit{ecm}}$	Elliptical curve scalar multiplication	2.610 ms
$T_{\mathit{eca}}$	Elliptical curve addition	0.012 ms
$T_{PUF}$	Physical unclonable function	0.009 ms
$T_{\mathit{enc}/\mathit{dec}}$	Symmetric encryption/decryption	0.51 ms

presents the experimental running times of various operations under the experimental environment of a Raspberry Pi 4B (quad-core 64-bit ARM Cortex-A72, 1.5 GHz, 2-GB LPDDR4 SDRAM), where $T_h, T_{\mathit{ECC}}, T_{\mathit{PUF}}, T_{\mathit{eca}} \mathrm{and} T_{\mathit{enc}/\mathit{dec}}$ represent the costs of executing a “one-way hash function”, “elliptic curve scalar multiplication”, “physical unclonable function”, “elliptical curve addition” and “symmetric key encryption/decryption”, respectively. The bitwise XOR operation is negligible, as it is considerably lower compared to other operations.

We chose this experimental environment because the Raspberry Pi 4B (quad-core ARM Cortex-A72) is representative of high-end UAV onboard computers, given that both are based on the ARMv8-A architecture. This ensures similarity in fundamental arithmetic logic and memory access patterns. However, compared to typical flight controllers, the Raspberry Pi provides greater power and thermal headroom. Consequently, our experimental results represent a performance upper bound; in actual UAV deployments, moderate additional delays may arise from power constraints or real-time task preemption.

Table 5. Comparison of computation cost.

Scheme	Computation Cost	Time (ms)
[25]	$10T_{ecm}+1T_{PUF}+16T_h+3T_{enc/dec}$	$\approx$27.783 $\mathrm{ms}$
[27]	$10T_{ecm}+T_{eca}+18T_h+2T_{enc/dec}$	$\approx$27.294 $\mathrm{ms}$
[28]	$9T_h+1T_{PUF}+10T_{ecm}$	$\approx$26.19 $\mathrm{ms}$
[31]	$52T_h+12T_{ecm}+3T_{PUF}$	$\approx$33.318 $\mathrm{ms}$
[32]	$8T_h+2T_{PUF}+10T_{ecm}+3T_{enc/dec}$	$\approx$27.72 $\mathrm{ms}$
[33]	$14T_{ecm}+11T_h$	$\approx$36.639 $\mathrm{ms}$
Ours	$19T_h+3T_{PUF}+9T_{ecm}+6T_{enc/dec}$	$\approx$26.748 $\mathrm{ms}$

compares the computational overhead of our protocol against that of existing related schemes. As illustrated, the PUF and ECC-based V2G communications in [25] demonstrate a computational overhead of 27.783 ms, and the UAV-assisted vehicle authentication protocols reported in [27] demonstrate a computational overhead of 27.294 ms. The cost-effective PUF- and ECC-based authentication protocol reported in [28] demonstrates an overhead of 26.19 ms. The scheme in [31] utilizes UAVs as relay nodes in an airborne backup network within post-disaster emergency communication networks to assist emergency communication vehicles, with an authentication protocol overhead of 33.318 ms. The representative PUF-based IoD authentication scheme presented in [32] exhibits an overhead of 27.72 ms, whereas the schemes in [33], with an authentication protocol for UAV swarms in emergency rescue missions, have an overhead of 36.639 ms. In contrast, the proposed protocol requires only 26.748 ms. While the computational overhead of our proposed protocol is marginally higher than that of [28], in a drone relay network scenario, the computing capabilities of eVTOLs, UAVs, and the DC are sufficient to handle authentication requests. The computational resources required by our protocol are far lower than the available computing power of typical onboard equipment, thus fully meeting the real-time demands of actual emergency communication.

8.3. Communication Cost

The volume of exchanged information is another factor that affects communication efficiency. In our environment, the lengths are set as follows: SHA-256 outputs 256 bits, AES-128 symmetric encryption works with 128 bits, an ECC point is defined as 160 bits, and a random number is 256 bits. Additionally, identity, password, counter, and timestamp each have a length of 16 bits. In the AKA phase, the cost in our protocol is $\{I{D}_{DC},A_1,C_1,{PI{D}_{ei},T}_1\}+\left\{I{D}_{DC},M_1,A_2,C_2,PI{D}_{dj}{,T}_2\right\}$ + $\{C_4,C_5,C_6,T_3\}+\{C_5,C_7,T_4\}$ = $\{16+160+256+16+16\}+\left\{16+464+160+256+16+16\right\}+\{128+128+256+16\}+\{128+256+16\}=2320$ bits. Moreover, the communication time overheads for [25,27,28,31,32,33] are 2336 bits, 3088 bits, 2128 bits, 2976 bits, 752 bits, and 1536 bits, respectively. From

Table 6. Comparison of communication cost.

Scheme	No. of Messages	Bits
[25]	4	2336
[27]	4	3088
[28]	3	2128
[31]	4	2976
[32]	2	752
[33]	3	1536
Ours	4	2320

, the communication cost is higher than that of the AKA schemes in [28,32,33] and significantly lower than that of the AKA schemes in [25,27,31]. However, references [28,32,33] only realized two-party communication between the drone and the GS. Although our communication overhead is not the lowest, in a UAV emergency rescue relay network scenario, the communication throughput of a 5G link can reach at least 100 Mbps. The communication bandwidth required by our protocol is approximately 2.3 Kbps, which is far lower than the available bandwidth, thus fully meeting the real-time authentication requirements in actual emergency rescue scenarios.

8.4. Storage Cost

According to

Table 7. Comparison of storage cost.

Scheme	Total (Bits)
[25]	1280
[27]	2080
[28]	2048
[31]	3072
[32]	1168
[33]	1440
Ours	1824

, in the key agreement phase, the storage cost of our scheme is higher than that of the AKA schemes in references [25,32,33], but lower than that of the AKA schemes in references [27,28,31]. Although our storage overhead is not the lowest, in the UAV relay network scenario, the storage capacity of eVTOLs, UAVs, and the ground control center can typically reach several gigabytes or even higher. The storage space required by our protocol is only about a few thousand bits, which is far lower than the available storage of typical onboard equipment, thus fully meeting the key agreement and authentication requirements in actual emergency rescue scenarios.

8.5. End-to-End Delay

In our proposed drone-assisted authentication scenario, the delay mainly stems from cryptographic operations and the number of transmission hops among the eVTOL, relay drone, and dispatch center. Since our protocol avoids high-overhead operations (such as bilinear pairings or modular exponentiations) and relies only on lightweight symmetric encryption, hash operations, and ECC scalar multiplication, the total computation time is less than 27 ms. Moreover, in a 5G communication environment, the total end-to-end delay is less than 30 ms, which is acceptable for pre-rescue mission authentication.

Setting of the tolerance threshold ($\Delta T$): Based on our experimental measurements of the end-to-end delay along the eVTOL-to-drone-to-DC relay path (the average computation time for one authentication is approximately 27 ms), and considering that the end-to-end delay is at most 30 ms in a 5G communication environment, we set the timestamp freshness threshold to ΔT = 0.5 s, providing a sufficient margin for worst-case delays.

8.6. Energy Cost

eVTOLs and drones have limited energy, so energy consumption needs to be conserved during the authentication process. Based on our measurements on a Raspberry Pi 4B platform (quad-core 64-bit ARM Cortex-A72, 1.5 GHz, 2 GB LPDDR4 SDRAM), computing one SHA-256 hash, one AES-128 encryption, and one ECC scalar multiplication requires approximately 0.25 µJ, 8.6 µJ, and 80 mJ, respectively.

Table 8. Comparison of energy cost.

Scheme	Cost (mJ)
[25]	$\approx$830.05 $\mathrm{m}\mathrm{J}$
[27]	$\approx$804.5172 $\mathrm{m}\mathrm{J}$
[28]	$\approx$800.00225 mJ
[31]	$\approx$960.013 mJ
[32]	$\approx$800.0278 $\mathrm{m}\mathrm{J}$
[33]	$\approx$1120.00275 mJ
Ours	$\approx$720.05635 mJ

presents a comparison of the energy consumption of our scheme and other related protocols during the authentication process. Among them, ref. [33] has the highest energy consumption at 1120.00275 mJ, followed by the schemes in [25,27,28,31,32] and at 830.05$\mathrm{m}\mathrm{J}$, 804.5172 mJ, 800.00225 mJ, 960.013 mJ and 800.0278 mJ, respectively. The energy consumption of our scheme is 720.05635 mJ, meaning that our protocol is the most energy-efficient. Furthermore, the energy consumption of the protocol is far less than the 100–300 joules required for a micro-drone to fly for one second, or the 160,000 joules required for a manned-grade eVTOL (e.g., Alia CX300) to fly for one second. Therefore, the energy consumption of the proposed protocol does not have a substantial impact on flight endurance.

From the perspective of balancing computational cost, communication cost, storage cost, energy overhead, security, and practical applicability, although our scheme does not achieve the lowest computational, communication, or storage overhead compared with all other schemes, our protocol achieves security while still meeting the requirements of emergency rescue after the eVTOL has moved beyond the DC coverage area.

9. Conclusions

The rapid rise in the low-altitude economy, driven by autonomous aerial vehicles and eVTOLs, has spawned a wide range of applications in emergency rescue. Because unmanned manned-capable eVTOLs can not only bypass traffic congestion or disruptions to quickly reach accident sites in emergency rescue scenarios, but also conduct reconnaissance, deliver supplies, and rapidly transport injured persons, they play a vital role in emergency rescue. In view of practical challenges such as signal interruption and limited coverage of dispatch centers, this paper designs a drone-assisted authentication and key agreement protocol between an unmanned manned-capable eVTOL and the dispatch center. The proposed protocol overcomes several limitations found in existing protocols: the lack of consideration of relay node failure in drone-to-drone communication protocols, the inability to achieve perfect forward secrecy of session keys in existing drone-assisted emergency communication protocols, as well as vulnerabilities to device capture attacks, impersonation attacks, and privacy leakage. Formal security proofs and informal security analysis demonstrate that the proposed protocol is secure. Meanwhile, our simulation conducted on a Raspberry Pi 4B experimental environment shows that the execution time of our protocol is 26.748 ms, achieving higher computational efficiency compared to related schemes.

It should be noted that the proposed scheme still has certain limitations. The protocol is a theoretical solution for drone-assisted unmanned manned-capable eVTOL authentication in emergency rescue scenarios and has not yet been experimentally validated on real drones, unmanned manned-capable eVTOLs, and dispatch centers. Computational overhead simulations were conducted on a Raspberry Pi 4B platform. Although this platform is relatively close to actual drones, it does not account for additional delays that may arise from power constraints and real-time task preemption. Moreover, the adopted PUF only considers its security, without taking into account issues such as its cost and environmental robustness. Therefore, deploying and testing the proposed protocol in real-world application scenarios constitutes the primary direction of our future work. On the other hand, given that eVTOLs play a significant role in the low-altitude economy, including air passenger transport and aerial logistics, we will propose appropriate schemes tailored to these scenarios accordingly.