Fuzzy Extractor N

Uploaded by

drbaskerphd
This article has been accepted for publication in IEEE Transactions on Vehicular Technology.

This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TVT.2024.3365992

PAF-IoD: PUF-Enabled Authentication Framework for the Internet of Drones
Muhammad Tanveer, Abdallah Aldosary, Salah-ud-din Khokhar, Ashok Kumar Das, Saud Alhajaj Aldossari,
Shehzad Ashraf Chaudhry

Abstract—The rise of smart cities and the increasing demand for drones has sparked considerable interest in the Internet of Drones (IoD) within the realms of academia and industry. IoD presents a multitude of advantages in smart city settings, facilitating services like traffic monitoring, environmental surveillance, and disaster management by harnessing the potential of IoT and Flying Ad-Hoc Networks (FANET) infrastructures. However, the transmission of sensitive messages between drones in IoD-based smart cities is disseminated over insecure channels, leaving them exposed to security vulnerabilities. Furthermore, drones operating in IoD architectures are prone to physical capture attacks as they operate in unattended environments with minimal human intervention. Moreover, the limited resources of drones pose challenges to the practicality of employing computationally intensive cryptographic methods. In response to these challenges, we introduce PAF-IoD, an authentication framework that prioritizes security and efficiency. PAF-IoD leverages physical unclonable functions (PUFs) and the AEGIS authenticated encryption scheme to guarantee trustworthy and secure communication between users and drones in smart cities. In terms of security validation, we perform both random and real model-based formal analyses. Furthermore, we employ the Scyther tool to ensure the resilience of PAF-IoD against different security vulnerabilities. Additionally, an informal analysis is conducted to demonstrate the resilience of PAF-IoD against various attacks. By introducing PAF-IoD, we offer a secure solution that addresses vulnerabilities and resource limitations associated with drone communication. The proposed framework guarantees the integrity and confidentiality of data while optimizing computational and communication resources, thereby enabling reliable and effective IoD operations in smart cities.

Index Terms—Authentication, physical unclonable functions (PUFs), AEGIS, Internet of Drones (IoD).

I. INTRODUCTION

The emergence of the Internet of Things (IoT), 5th generation mobile network (5G) communication, and Flying Ad-Hoc Networks (FANET) have propelled the realization of smart cities [1], [2]. Smart cities leverage these technological advancements to optimize resource efficiency, asset management, and urban services, ultimately improving the quality of life for residents. Drones are a significant component of FANET, as shown in Fig. 1, deployed in smart cities to collect real-time information regarding the environment, road traffic, industrial plant monitoring, etc. The collected data is then dispatched to the control center using the public communication channel. Additionally, users can directly communicate with the drones deployed in the smart city environment. Thus, the implementation of smart cities faces numerous challenges, with a significant emphasis on ensuring the security of the extensive amounts of data collected by IoT devices and integrated sensors within smart objects such as drones and infrastructure [3]. Within smart city environments, user authentication holds vital importance, especially concerning Internet of Drones (IoD) operations. IoD involves a diverse array of devices featuring varying capabilities and communication protocols. Numerous IoD devices function under constraints like limited processing power, memory, and energy resources. Developing authentication schemes that are lightweight, suitable for devices with resource constraints, and incur low communication and computational costs while maintaining security poses a considerable challenge [4].

M. Tanveer is with the School of Systems and Technology (SST), University of Management and Technology, Lahore, Pakistan. (e-mails: tan-[email protected]).
Abdallah Aldosary is with the Department of Computer Engineering Prince Sattam bin Abdulaziz University Wadi Addwasir 11991, Ar Riyadh, Saudi Arabia. (e-mails: [email protected].)
Salah-ud-din Khokhar is with the School of Intelligent Manufacturing and Control Engineering, Qilu Institute of Technology, No. 3028 Jingshi East Road, Jinan, 250200, Shandong, PR China. (corresponding author: [email protected].)
Ashok Kumar Das is with the Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad 500 032, India (e-mail: [email protected], [email protected]).
Saud Alhajaj Aldossari is with the Department of Electrical Engineering, Prince Sattam bin Abdulaziz University Wadi Aldawsar, Ar Riyadh, Saudi Arabia. (e-mails: [email protected].)
Shehzad Ashraf Chaudhry is with the Department of Computer Science and Information Technology, College of Engineering, Abu Dhabi University, Abu Dhabi, United Arab Emirates and is also with the Department of Software Engineering, Faculty of Engineering and Architecture, Nisantasi University, Istanbul, Turkey. (Email: [email protected]).

Figure 1. Smart city environment.

Authorized licensed use limited to: National Sun Yat Sen Univ.. Downloaded on March 02,2024 at 05:16:12 UTC from IEEE Xplore. Restrictions apply.
© 2024 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.

A. Motivation and Research Contribution

This research aims to tackle the challenges associated with authentication frameworks in IoD systems deployed within smart city environments. Our study focuses on the development of a secure and efficient authentication framework by leveraging the use of physically unclonable functions (PUFs) and authenticated encryption with associative data (AEAD). To achieve this objective, we conducted a comprehensive review of the literature on authentication frameworks in IoD environments. While previous research has proposed various approaches and methodologies, they have demonstrated limitations such as susceptibility to security attacks and high computation and communication overheads, making them unsuitable for resource-constrained IoD systems. However, our research introduces a novel approach called PUF-enabled authentication framework for IoD (PAF-IoD) to overcome these limitations. Our proposed security framework, PAF-IoD, offers several significant contributions:

• PAF-IoD is a user authentication framework that incorporates three factors for authentication. In addition, PAF-IoD is designed using AEGIS, an AEAD encryption/decryption scheme, XOR operation, and SHA-256, a hash function. PAF-IoD aims to enhance the security and privacy of drone-user interactions in the context of the IoD. The PAF-IoD framework enables secure information exchange between the drone and the user by establishing a mutual authentication process and generating a session key for secure communications. The key aspect of PAF-IoD is its innovative password and biometric update mechanism, which does not require the involvement of the ground station server. Traditionally, when users need to update their passwords or biometric data, they would rely on the central server for authentication and validation. However, in PAF-IoD, this process can be carried out directly without the need for constant communication with the server. By eliminating the dependency on the ground station server for password and biometric updates, PAF-IoD offers greater flexibility and efficiency in user password management.
• PAF-IoD effectively mitigates potential security threats such as forgery, impersonation, session key disclosure, and offline password-guessing attacks. By utilizing PUFs, PAF-IoD adds an additional layer of protection against tampering, counterfeiting, and unauthorized access to the drone's hardware.
• PAF-IoD undergoes a rigorous assessment of its security strength, including formal security analysis using Scyther (simulation-based assessment tool) and Real-or-Random (ROR) (mathematical) model. Additionally, an informal security analysis is conducted to further evaluate the strength of PAF-IoD. This comprehensive approach ensures a thorough evaluation of PAF-IoD's resistance to attacks and session key security.
• PAF-IoD undergoes an extensive performance analysis, considering factors such as computation and communication costs, and security features. The analysis reveals compelling results that highlight the advantages of PAF-IoD compared to related security frameworks. In terms of communication cost, the authentication phase of PAF-IoD requires only 2400 bits, which is significantly better (9.64% to 41.69%) compared to other security frameworks in the same domain. This demonstrates the efficiency and effectiveness of PAF-IoD's authentication mechanism, requiring fewer communication resources. Furthermore, PAF-IoD excels in terms of authentication speed, completing the authentication phase in 13.725 ms. This represents a noteworthy improvement (52.32% to 73.83%) in computational efficiency when compared to relevant security frameworks. The reduced authentication time enhances the overall responsiveness and performance of PAF-IoD.

The paper is structured as follows: It begins with an overview of related works and preliminaries in Sections II and III, respectively. Section IV introduces the system models for IoD-enabled smart cities, while Section V presents a secure and lightweight authentication framework for IoD in smart city environments using PUF and AEGIS. The security analysis of PAF-IoD is thoroughly discussed in Section VI, covering informal, formal security analyses, and formal security analysis using the Scyther tool. In Section VII, a comprehensive comparative analysis of PAF-IoD is conducted, focusing on computation and communication overheads, as well as security features. Finally, the article concludes in Section VIII.

II. RELATED WORK

In [15], a three-factor user authentication technique is introduced, which leverages elliptic curve cryptography (ECC), the AEAD scheme "AEGIS", SHA, and XOR operation. The security of the proposed technique is substantiated using the ROR model and the Scyther tool. The authors in [16] have conceived a resource-efficient security technique for the IoD environment. Their technique uses a combination of SHA and XOR operations in its design. The security of their technique has been corroborated through stringent analysis using the Scyther tool and the ROR model.

In [17], the author designs a security technique that facilitates protected access to information from IoT devices within an IoT environment. This technique incorporates AEAD, XOR operations, and SHA in its design. The security of their presented technique is validated through formal security analysis using Scyther and the ROR model. The technique proposed in [18] is built using XOR operations and SHA. However, it is important to mention that the technique suggested in [18] is vulnerable to numerous security attacks [19], including impersonation, replay, denial of service (DoS), parallel session, and secret credentials leakage attacks. Additionally, the technique offered in [18] lacks mutual authentication capabilities.

In [20], the author presents a security scheme aimed at facilitating secure access to information from IoT devices deployed in an IoT environment. This scheme employs several cryptographic techniques, including AEAD, XOR operations, and a hash function. To assess the security of their proposed


scheme, the author conducts a formal security analysis using the Scyther and ROR model, validating its effectiveness in protecting IoT device data.

The authors in [21] introduce a security framework for the IoD environment that utilizes ECC, XOR operations, and a secure hash algorithm. They claim that this framework effectively defends against various security attacks. However, in [22], [23], the authors highlight the limitations of the security framework proposed in [21]. In [24], a novel authentication framework based on PUF and ECC is proposed. The security of this framework has been verified through rigorous analysis using AVISPA and the ROR model. To establish secure communication in IoD deployments, an authentication framework is developed in [25]. This framework is constructed utilizing the AEAD and hash function to ensure robust security measures.

In [26], an authentication technique for IoD deployment involving three parties is introduced, which incorporates a chaotic map and PUF. The scheme's security is demonstrated, and its validity is verified using the ROR model. Another security protocol based on PUF is propounded in [27] to enable secure transmission within IoD deployments. In [28], the authors offer an identity-based proxy signcryption strategy to handle data transfer between drones and cloud servers. The scheme's robustness is corroborated by employing the ROR model, guaranteeing its security. Furthermore, in [29], a PUF-enabled authentication technique is proposed, eliminating the need to store secret keys in devices while maintaining desired security features. Additionally, [30] presents a security technique for allowing secure drone-to-drone communication, with its security assessed using BAN logic. Various AEAD schemes are assessed in [31], and an authentication framework is formulated in [32] based on one of these AEAD schemes to secure communication within the smart grid system. Additionally, a security framework is suggested in [33], employing the hash function and XOR operation. The authentication framework outlined in [34] lacks physical capture security as it does not leverage the PUF function. In [35], another security framework reveals several weaknesses, including vulnerability to parallel session attacks, Man-in-the-Middle (MITM) attacks, and impersonation attacks. Additionally, this framework exhibits a design flaw that hinders mutual authentication and fails to ensure user anonymity. Moreover, the security framework proposed in [36] is susceptible to drone capture and insider attacks, lacking features such as user anonymity, message integrity, and confidentiality. Similarly, the scheme introduced in [37] is vulnerable to MITM attacks and temporary secret leakage.

Various three-party authentication frameworks are summarized in Table I.

Table I
OVERVIEW OF WEAKNESSES OF THE EXISTING AUTHENTICATION SCHEME FOR IoD ENVIRONMENTS

| Reference/Scheme | Cryptographic Primitive Used | Security Weaknesses/Attack Analysis |
|---|---|---|
| [5] | SHA + AES + Exclusive-OR | Susceptible to node capture, DoS attacks, de-synchronization, and replay attacks. |
| [6] | SHA + ECC + Exclusive-OR | Does not ensure user anonymity. |
| [7] | SHA + ECC + Exclusive-OR | Weak against desynchronization attack. |
| [8] | SHA + ECC + Exclusive-OR | Weak against MITM and impersonation attacks. |
| [9] | SHA + AES + Exclusive-OR | Exposed to server spoofing and session key compromise attacks. |
| [10] | SHA + Exclusive-OR | Prone to stolen verifier attack. |
| [11] | SHA + Exclusive-OR | Lacks protection against session key compromise, forgery, and replay attacks. |
| [12] | SHA + Exclusive-OR | The scheme lacks perfect backward secrecy. |
| [13] | SHA + Exclusive-OR | Does not protect against replay attack. |
| [14] | SHA + bilinear pairing + Exclusive-OR | Not protected against impersonation attack. |
| PAF-IoD | SHA + AEAD + Exclusive-OR | Protection against various attacks. |

Note: SHA: "Secure hash algorithm"; AES: "Advanced encryption standard".

III. PRELIMINARIES

This section is dedicated to discussing essential concepts and background information that are pertinent to the proposed framework. These preliminary explanations lay the groundwork for comprehending the subsequent content and contribute to a comprehensive understanding of the proposed framework.

A. AEGIS

Selected as a finalist in the CAESAR competition, AEGIS is an online and lightweight AEAD algorithm that seamlessly blends efficiency with security. Built upon the AES algorithm, it optimizes the encryption and decryption processes by reducing the number of steps. AEGIS not only demands less computational time compared to AES but also integrates additional security features. This design takes into consideration the limitations of resource-constrained devices [38]. AEGIS serves as an encryption algorithm that takes the "plaintext" (PT) as input and generates the "ciphertext" (CT) and authentication parameter (MC) as output. The operational logic for encryption and decryption of AEGIS can be symbolized as "(CT, MC) = E_K{{IV, AD}, PT} and (PT, MC_1) = D_K{{IV, AD}, CT}", respectively, where K denotes the key, IV represents the "Initialization Vector", and AD signifies the "Associative Data". The inclusion of MC guarantees the authenticity and integrity of both AD and CT. In this study, we adopt AEGIS as the designated "encryption/decryption" algorithm. The operation of the AEGIS is represented in Fig. 2.

Definition 1. "The maximum OCCA3 advantage of A on an AEAD scheme can be characterized as the sum of A's advantage in integrity and chosen plaintext. This OCCA3 advantage of A is formally defined in [31], [32]."

$$\mathrm{Adv}^{\mathrm{OCCA3}}_{\phi,A}(plt) \le \mathrm{Adv}^{\mathrm{OPRP\text{-}CPA}}_{\phi}(ql, le, plt) + \mathrm{Adv}^{\mathrm{INT\text{-}CTXT}}_{\phi}(ql, le, plt), \tag{1}$$

In the context of an OCCA3 advantage, φ, ql, le, and plt denote the AEAD scheme itself, the number of queries, the length of queries, and polynomial time, respectively.

B. Physical Uncloneable Function

PUFs depend on the intrinsic physical properties of a device, such as deviations in delay or impedance generated


by manufacturing disparities. These deviations present diverse types of PUFs, namely ring PUFs, delay-based PUFs, and arbiter PUFs. The PUF can be compared to the "fingerprint" of the hardware, as its response maintains intrinsic identity. This feature uncovers practical utility within the domain of the IoT for tasks such as key generation or identity authentication. PUF technology primarily encounters application in contexts that mandate strong security measures. The logical expression of a PUF is illustrated as R = PUF(C), wherein C represents the challenge and R signifies the response. To achieve an invariant output from the PUF despite temperature deviations, we utilize a fuzzy extractor (FE) to make the output stable.

C. Fuzzy Extractor

The "FE" is a mechanism specifically crafted to produce a distinctive and random string, known as a key, by utilizing the biometric template Bio_Ui of the entity being analyzed (U_i). The key generated by the FE possesses the capability of being accurately reproduced. The FE encompasses two algorithms: the generator algorithm (Gen(·)) and the reproduction algorithm (Rep(·)). While Gen(·) operates probabilistically, Rep(·) functions deterministically.

The generator algorithm (Gen(·)) accepts Bio_Ui as input and generates a secret biometric key β ∈ [0, 1]^bkl, where bkl represents the length of the generated key β. Additionally, Gen(·) also produces the reproduction parameter RP. The logical representation of the Gen(·) function is denoted as "(β, RP) = Gen(Bio_Ui)". The reproduction algorithm, denoted as Rep(·), takes Bio*_Ui and RP as inputs. It reproduces β if the condition "HD(Bio*_Ui, Bio_Ui) ≤ ert" is satisfied, where HD and ert represent the Hamming distance and error tolerance, respectively. The logical representation of the Rep(·) algorithm can be expressed as "Rep(Bio*_Ui, RP) = β".

Figure 2. Encryption and decryption of AEGIS algorithm.

IV. SYSTEM MODELS

The design of PAF-IoD incorporates the utilization of two essential models: the authentication model and the threat model. These models play a crucial role in shaping the overall design and security framework of PAF-IoD.

A. Authentication Model

The depicted architecture in Fig. 3 highlights the drone service provider setup in the IoD environment, which comprises the control room with a registration authority (RA), "ground-station" server (GS_j | j = 1, 2, ..., N), users (U_i | i = 1, 2, ..., N), and drones (D_k | k = 1, 2, ..., N).

Ground Station Server (GS_j): The RA is responsible for managing the deployment of GS_j. Each GS_j is assigned to store the data collected by a drone deployed in a specific fly zone. The stored data at GS_j is utilized by users or organizations to make informed business decisions. Furthermore, GS_j also stores sensitive information related to drones and users. This information is used for user authentication purposes to ensure that only authorized users can access real-time information from drones.

Drones (D_k): The RA deploys drones, such as D_k, in specific fly zones to collect sensitive information from the underlying environment. For example, in a smart city scenario, drones may be deployed to gather real-time information on road traffic congestion. These drones collect the relevant data, which is then transmitted to the designated GS_j for storage and further processing.

Users (U_i): U_i needs to authenticate itself with GS_j in order to access the data stored within it. Additionally, there are situations where U_i needs to access real-time information directly from D_k. For example, in the case of an ambulance driver, they may need real-time information from a drone, such as D_k, deployed in the smart city to determine the road traffic conditions and ensure a smooth and efficient route to their destination.

To address the increasing demand for secure communication and overcome related challenges, this paper proposes a lightweight authentication scheme that leverages PUF to efficiently manage security and communication costs among participating entities. The main objective of this scheme is to enhance security measures and ensure the integrity of communication in the IoD environment. Fig. 1 illustrates an overview of an IoD monitoring system consisting of multiple flying zones (clusters), each with its unique identifiers. Drones operating within these zones can establish connections with one another and GS_j, which is connected to the control room. Authorized external users, equipped with mobile devices, can monitor and access specific drones within designated flying zones, following appropriate authorization procedures.

B. Threat Model

To evaluate the security strength of PAF-IoD, the widely used Dolev-Yao (DY) model is employed. The DY model presumes that an adversary, represented as A, can intercept any message disseminated over a public or shared channel. A can then revise and re-transmit elements of the message to a respective network entity. Additionally, the DY model takes into account that A can potentially procure data from the smart device of the user by means of power analysis attacks. Furthermore, the CK-adversary model is employed in the evaluation. Under this model, A is allowed to engage in a message interaction with other network nodes, enabling


a comprehensive analysis of potential security vulnerabilities and threats. By employing both the DY model and the CK-adversary model, the security potency of the scheme can be rigorously assessed, considering various attack scenarios and potential vulnerabilities. These models provide a solid framework for evaluating the resilience and robustness of the PAF-IoD against diverse adversarial techniques and attacks. Considering the capabilities of A, it is crucial to develop the PAF-IoD framework to ensure robust security against potential attacks and vulnerabilities in the IoD environment.

The proposed practical authentication framework for the IoD environment addresses specific security requirements under the defined threat model, encompassing mutual authentication, secure session key establishment, perfect forward secrecy, and the anonymity of users and drones [39], [40].

Mutual Authentication: The proposed scheme enables registered entities to verify each other's identity during peer-to-peer communication.

Session Key: The proposed scheme facilitates the establishment of a secure session key between the drone and user for encrypted communication, ensuring confidentiality against unauthorized access within the IoD network.

Perfect Forward Secrecy: Despite potential leakage of long-term credentials, the previously established session key remains beyond the attacker's reach, ensuring ongoing confidentiality.

Anonymity of User and Drone: User and drone identities are kept confidential, preventing any potential attacker from obtaining this information.

Various Attack Prevention: The authentication mechanism must be resilient against a diverse range of security attacks and vulnerabilities to maintain the seamless operation of the IoD network.

V. THE PROPOSED PAF-IoD FRAMEWORK

PAF-IoD is designed using the AEGIS encryption scheme, a hash function, fuzzy extractor, PUF, and XOR operations. The framework consists of several key phases: ground station server enrollment, smart drone enrollment, user enrollment, login and key agreement (LKA), and password and biometric update phase. Table II presents the notations used in PAF-IoD along with their respective meanings. In the subsequent subsections, we provide detailed discussions of each phase.

Table II
NOTATIONS EMPLOYED IN PAF-IoD

| Notation | Description |
|---|---|
| A | Attacker or adversary |
| U_i | User |
| GS_j | Ground station |
| D_k, SID_Dk, ID_k | Drone, pseudo-identity, real identity |
| T_1, T_2, T_3 | Timestamps |
| T_r, T_d | Received message time, allowed time delay |
| ID_GSj, GID_GSj, K_GSj | Identity, long-term key of GS_j |
| K_g | Encryption, decryption key of GS_j |
| PUF, FE | Physical unclonable function, fuzzy extractor |
| Gen(·), Rep(·), RP | Generation, reproduction function, reproduction parameter |
| Bio_Ui | Biometric information of user |
| CH_Dk, RSP | Challenge, response parameters |
| β | Biometric key |
| ID_Ui | Identity of user |
| PW_Ui | Password of user |
| Q_x | Ciphertexts, where x = 1, 2, 3, ..., 15 |
| P_y | Plaintexts, where y = 1, 2, 3, ..., 5 |
| AD_z | Associative data, where z = 1, 2, 3, ..., 6 |
| MC_l | Authentication parameter, where l = 1, 2, 3, ..., 5 |
| RA_m | Random numbers, where m = 1, 2, 3, ..., 4 |
| CT_n | Ciphertexts, where n = 1, 2, 3, ..., 4 |
| ⊕ | XOR function |
| ∥ | Concatenation operation |
| H(·) | Hash function |

Figure 3. Authentication model for IoD environment. (Diagram labels: fly zones 1 to k with drones D1 to Dk and clusters C1 to Ck, mobile device of user U_i, ground station server, control room, Internet; legend: Wi-Fi, public (insecure) channel, secure channel.)

A. Enrollment of Ground Station Server

Initially, RA selects a unique identity for the ground station, denoted as ID_GSj, along with a corresponding long-term key K_GSj. The pseudo identity, GID_GSj, is then computed as GID_GSj = H(ID_GSj ∥ K_GSj). Finally, RA stores the parameter {ID_GSj, K_GSj, GID_GSj} in the database associated with GS_j.

B. Enrollment of Smart Drone

RA conducts the enrollment of the smart drone before its deployment in the IoD environment. The following sections are imperative for the registration of the smart drone.

1) Step ESD-1: RA selects a challenge CH_Dk and identity ID_Dk and sends them to D_k using a secure channel. After getting CH_Dk from RA, D_k computes (RSP) = PUF(CH_Dk), (β_k, RP) = Gen(RSP), and SID_Dk = H(ID_Dk ∥ β_k). Finally, D_k sends the parameters {β_k, CH_Dk, SID_Dk} to GS_j utilizing a secure channel and keeps {CH_Dk, ID_Dk, RP} in its own memory.

2) Step ESD-2: GS_j, after getting {β_k, CH_Dk, SID_Dk}, computes K_g = H(GID_GSj ∥ K_GSj ∥ ID_GSj) and (CT_Dk, MC_Dk) = E_Kg{(IV_g, AD_g), β_k, CH_Dk}. The size of K_g is 256 bits and we truncate it to 128 bits. Similarly, the initialization vector (IV_g) is obtained by inverting the bits of K_g, and the associative data is AD_g = K_g. Finally, GS_j stores {SID_Dk, CT_Dk, MC_Dk} in its own secure database.
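
An added example (not code from the paper) that runs the Gen(·)/Rep(·) pair of Section III-C through the drone enrollment steps ESD-1 and ESD-2. Assumptions not found in the paper: the code-offset construction with a 5-bit repetition code, the `check` value carried inside RP, the hash-based `simulated_puf`, the helper `recompute_sid`, keeping the leading 128 bits of the hash as K_g, and all sample values; AEGIS encryption itself is left out.

```python
import hashlib
import secrets

REP = 5                      # assumption: each seed bit is repeated over 5 response bits
KEY_BITS = 128               # bkl, the bit length of the key beta
RESP_BITS = KEY_BITS * REP   # PUF response bits consumed by Gen/Rep
ERT = (REP - 1) // 2         # guaranteed tolerance: any 2 flipped response bits


def H(*parts: bytes) -> bytes:
    """H(a || b || ...) using SHA-256, the hash function the paper names."""
    return hashlib.sha256(b"".join(parts)).digest()


def to_bits(data: bytes) -> list[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def to_bytes(bits: list[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def simulated_puf(device_secret: bytes, challenge: bytes, flips=()) -> list[int]:
    """Stand-in for RSP = PUF(CH): a real PUF is a circuit, so a per-device secret is
    expanded deterministically here and `flips` injects read noise at chosen positions."""
    bits = to_bits(hashlib.shake_256(device_secret + challenge).digest(RESP_BITS // 8))
    for pos in flips:
        bits[pos] ^= 1
    return bits


def gen(response: list[int]):
    """(beta, RP) = Gen(RSP): probabilistic, run once at enrollment."""
    seed = secrets.token_bytes(KEY_BITS // 8)
    codeword = [bit for bit in to_bits(seed) for _ in range(REP)]   # repetition encoding
    helper = [c ^ r for c, r in zip(codeword, response)]            # code offset
    beta = H(b"key", seed)[:KEY_BITS // 8]
    check = H(b"check", seed)                                       # lets Rep detect failure
    return beta, (helper, check)


def rep(noisy_response: list[int], rp):
    """beta = Rep(RSP*, RP): deterministic; None when the noise exceeded the tolerance."""
    helper, check = rp
    noisy_codeword = [h ^ r for h, r in zip(helper, noisy_response)]
    seed = to_bytes([int(sum(noisy_codeword[i:i + REP]) > REP // 2)  # majority vote
                     for i in range(0, RESP_BITS, REP)])
    if not secrets.compare_digest(H(b"check", seed), check):
        return None
    return H(b"key", seed)[:KEY_BITS // 8]


def enroll_drone(device_secret: bytes, ch_dk: bytes, id_dk: bytes) -> dict:
    """Step ESD-1 as run on the drone D_k."""
    beta_k, rp = gen(simulated_puf(device_secret, ch_dk))
    sid_dk = H(id_dk, beta_k)                                       # SID = H(ID || beta_k)
    return {"sent_to_gs": (beta_k, ch_dk, sid_dk), "kept_on_drone": (ch_dk, id_dk, rp)}


def recompute_sid(device_secret: bytes, kept, flips=()):
    """Hypothetical helper: the drone re-reads its PUF and rebuilds SID from what it kept."""
    ch_dk, id_dk, rp = kept
    beta_k = rep(simulated_puf(device_secret, ch_dk, flips), rp)
    return None if beta_k is None else H(id_dk, beta_k)


def gs_key_material(id_gs: bytes, k_gs: bytes):
    """GID from ground-station enrollment, then K_g, IV_g, AD_g from Step ESD-2."""
    gid_gs = H(id_gs, k_gs)
    k_g = H(gid_gs, k_gs, id_gs)[:16]        # 256 -> 128 bits; leading half is an assumption
    iv_g = bytes(b ^ 0xFF for b in k_g)      # IV_g: the bits of K_g inverted
    return k_g, iv_g, k_g                    # AD_g = K_g


if __name__ == "__main__":
    # Constructed sample values, not taken from the paper.
    drone, other = b"drone-silicon-A", b"drone-silicon-B"
    record = enroll_drone(drone, b"challenge-0001", b"ID-D1")
    sid, kept = record["sent_to_gs"][2], record["kept_on_drone"]
    print("clean read      :", recompute_sid(drone, kept) == sid)
    print("2 flips, block 0:", recompute_sid(drone, kept, flips=(0, 1)) == sid)
    print("3 flips, block 0:", recompute_sid(drone, kept, flips=(0, 1, 2)))
    print("other silicon   :", recompute_sid(other, kept))
```

IV_g as computed here is a fixed function of K_g, so every record the ground station seals under K_g uses the same key and IV pair, whereas AEGIS, like other nonce-based AEAD schemes, is specified for a distinct IV per encryption under a given key.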


C. Enrollment of User

In this phase, the user gets registered with the RA of the drone service provider. During the execution of this phase, the RA assigns some secret parameters to the user, which are used during the LKA phase. The RA executes the following steps to register a user.

1) Step ENU-1: $U_i$ has a smart device $SD_i$ equipped with a biometric detector (sensor), which performs the biometric sensing. After getting the secret credentials $ID_{U_i}$, $PW_{U_i}$ and $Bio_{U_i}$ of the user, $SD_i$ computes $(\beta, RP) = Gen(Bio_{U_i})$, $K_1 = H(\beta \parallel ID_{U_i} \parallel PW_{U_i})$, $P_l = \{\beta, ID_{U_i}, PW_{U_i}\}$, $AD_1 = (\beta \oplus RA_1)$, $D_1 = (\beta \oplus K_1)$, and $((Q_1, Q_2, Q_3), MC_1) = E_{K_1}\{(IV_1, AD_1), P_l\}$, where $K_1$, $P_l$, and $AD_1$ represent the encryption key, plaintext, and associative data. Here, the initialization vector (IV) is obtained by inverting the bits of $K_1$. Moreover, $Q_1$, $Q_2$, and $Q_3$ are the ciphertexts associated with $\beta$, $ID_{U_i}$, and $PW_{U_i}$, respectively. These ciphertexts are generated by the AEGIS encryption algorithm. $SD_i$ generates a message comprising the parameters $\{ID_{U_i}, Q_1\}$ and sends it to $GS_j$ using a secure communication channel.

2) Step ENU-2: After getting the parameters $\{ID_{U_i}, Q_1\}$, $GS_j$ selects $RA_r$ and computes $E1 = (ID_{U_i} \oplus Q_1 \oplus RA_r)$, $K_g = H(GID_{GS_j} \parallel K_{GS_j} \parallel ID_{GS_j})$, and $((Q_{r1}, Q_{r2}), MC_r) = E_{K_g}\{(IV_g, AD_g), E1, RA_r\}$. The size of $K_g$ is 256 bits and we truncate it to 128 bits. Similarly, the initialization vector ($IV_g$) is obtained by inverting the bits of $K_g$, and the associative data is $AD_g = K_g$. $GS_j$ also assigns a list of devices ($SID_k \mid k = 1, 2, 3, \cdots, N$) to $U_i$, from which $U_i$ is authorized to access the real-time information. In addition, $GS_j$ composes a message consisting of the credentials $\{Q_r, MC_r, SID_k, GID_{GS_j}\}$ and sends it to $SD_i$ over a secure channel.

3) Step ENU-3: On getting the credentials $\{Q_r, MC_r, SID_k, GID_{GS_j}\}$, $SD_i$ computes $D_2 = (SID_{D_k} \oplus D_1 \oplus Q_3)$ and $(CT_r, MC_{r1}) = E_{Q_2}\{(IV_2, AD_2), P_1\}$, where $P_1 = \{Q_{r1}, Q_{r2}, MC_r, GID_{GS_j}\}$ and $Q_2$ is the encryption key. Here, the initialization vector ($IV_2$) is obtained by inverting the bits of $Q_2$, and the associative data is $AD_g = Q_2$. Finally, $SD_i$ stores the credentials $\{CT_r, D_2, RP, RA_1, MC_1, MC_{r1}, Gen(.), Rep(.)\}$ in its own memory. The user registration process is depicted in Fig. 4.

D. Login and Key Agreement Phase

During this phase, the PAF-IoD scheme establishes a secure channel to facilitate encrypted communication. The LKA processes of the proposed PAF-IoD scheme are described in detail through the use of Algorithm 1, Algorithm 2, Algorithm 3, and Algorithm 4. These algorithms will be thoroughly explained in the subsequent subsection.

1) Step ALG-1: Algorithm 1 ensures the local authentication and the generation of $MG_1$. For this purpose, $U_i$ provides its secret parameters, such as the identity $ID_{U_i}$ and password $PW_{U_i}$. In addition, $U_i$ also imprints the biometric information ($Bio_{U_i}$) on its $SD_i$. It is assumed that the $SD_i$ of $U_i$ is equipped with biometric sensing functionality. The procedure of login and generation of message $MG_1$ (LGM) starts after taking the input parameters, such as $\{ID_{U_i}, PW_{U_i}, Bio_{U_i}, RA_1, MC_1, D_2, CT_r, RP\}$. Moreover, the procedure LGM is executed on the $SD_i$ of $U_i$. After taking the input parameters, the $SD_i$ computes the biometric key $\beta^*$, encryption key $K_1^*$, plaintext $P_l^*$, associative data $AD_1^*$, and parameter $D_1^*$. Here, the initialization vector ($IV_1^*$) is obtained by inverting the bits of $K_1^*$. Moreover, the $SD_i$ computes the ciphertext $\{Q_1^*, Q_2^*, Q_3^*\}$ and the authentication parameter $MC_1^*$. Finally, to check the validity of the secret parameters of $U_i$, the $SD_i$ checks the condition $MC_1 == MC_1^*$ on line 8. If this condition is true, then the $SD_i$ generates the message "the local authentication is successful". Otherwise, the $SD_i$ generates the message "execution terminated".

After achieving the local authentication, the $SD_i$ derives the parameter $SID_{D_k}$ from which $U_i$ will access the real-time information and computes the parameters $(P_1, MC_{r1}^*)$ using the AEGIS decryption algorithm and the decryption key $Q_2^*$. Here, the initialization vector ($IV_2^*$) is obtained by inverting the bits of $Q_2^*$, and the associative data is $AD_2^* = Q_2$. The condition $MC_{r1} == MC_{r1}^*$ is checked on line 11 of Algorithm 1 to check the integrity of $(P_1, MC_{r1})$. If the condition holds, the $SD_i$ gets $P_1 = \{Q_{r1}, Q_{r2}, MC_r, GID_{GS_j}\}$; otherwise, the $SD_i$ terminates the execution of the authentication process. Moreover, the $SD_i$ selects the random number $RA_1$ and timestamp $T_1$ and computes the plaintext $P_2$, associative data $AD_3$, and encryption key $Ke$. Here, the initialization vector ($IV_3$) is obtained by inverting all the bits of $Ke$. Furthermore, $IV_3$ will not be transmitted through the public communication channel. Instead, it will be implicitly derived at $GS_j$. Furthermore, the $SD_i$ computes the ciphertexts $(Q_4, Q_5)$ and the authentication parameter $MC_2$ using the AEGIS encryption algorithm. Finally, the $SD_i$ constructs a message $MG_1$ with parameters $\{T_1, Q_{r1}, Q_{r2}, Q_4, Q_5, MC_r, MC_2\}$ and sends $MG_1$ to $GS_j$ using a public communication channel.

Algorithm 1 Login and Generation of Message $MG_1$
Input: $\{ID_{U_i}, PW_{U_i}, Bio_{U_i}, RA_1, MC_1, MC_{r1}, D_2, CT_r, RP\}$
Output: $\{T_1, Q_{r1}, Q_{r2}, Q_4, Q_5, MC_r, MC_2\}$
1: procedure LGM($\{ID_{U_i}, PW_{U_i}, Bio_{U_i}, RA_1, MC_1, MC_{r1}, D_2, CT_r, RP\}$)
2:   $(\beta^*) \leftarrow Rep(Bio_{U_i}, RP)$
3:   $K_1^* \leftarrow H(\beta^* \parallel ID_{U_i} \parallel PW_{U_i})$,
4:   $P_l^* \leftarrow \{\beta^*, ID_{U_i}, PW_{U_i}\}$,
5:   $AD_1^* \leftarrow (\beta^* \oplus RA_1)$,
6:   $D_1^* \leftarrow (\beta^* \oplus K_1^*)$,
7:   $((Q_1^*, Q_2^*, Q_3^*), MC_1^*) \leftarrow E_{K_1^*}\{(IV_1^*, AD_1^*), P_l^*\}$,
8:   if $MC_1 == MC_1^*$ then
9:     Local authentication is successful
10:     $SID_{D_k} \leftarrow (D_2 \oplus D_1 \oplus Q_3^*)$,
11:     $(P_1, MC_{r1}^*) \leftarrow D_{Q_2^*}\{(IV_2^*, AD_2^*), CT_r\}$,
12:     if $MC_{r1} == MC_{r1}^*$ then
13:       $P_1 = \{Q_{r1}, Q_{r2}, MC_r, GID_{GS_j}\}$,
14:       generate $RA_2$ and $T_1$,
15:       $P_2 \leftarrow \{RA_2, SID_{D_k} \oplus RA_2\}$,
16:       $AD_2 \leftarrow (Q_r \oplus MC_r \oplus T_1 \oplus Q_{r1} \oplus Q_{r2})$,
17:       $Ke \leftarrow (Q_1^* \oplus ID_{U_i})$,
18:       $((Q_4, Q_5), MC_2) \leftarrow E_{Ke}\{(IV_3, AD_3), (P_2)\}$,
19:     else
20:       Execution terminated
21:     end if
22:   else
23:     Execution terminated
24:   end if
25: end procedure

2) Step ALG-2: In this step, Algorithm 2 is executed, which checks the authenticity of the parameters of message $MG_1$: $\{T_1,$


$Q_r, Q_4, Q_5, MC_r, MC_2\}$ and generates the message $MG_2$ with parameters $\{T_2, Q_6, Q_7, Q_8, Q_9, Q_{10}, MC_3\}$. Algorithm 2 is executed by $GS_j$. The procedure "Verification and Generation of message $MG_2$ (VGM)" takes the credentials $\{T_1, Q_r, Q_4, Q_5, MC_r, MC_2\}$ as the input and checks the condition $T_d \leq |T_r - T_2|$ to validate the timeliness of the received message $MG_2$, where $T_d$, $T_r$, and $T_2$ denote the time delay, the message received time at $GS_j$, and the message generation time at $U_i$. The message $MG_2$ will be considered valid if $T_d$ is below the allowed time delay. Otherwise, $GS_j$ terminates the authentication process. Further, to validate the authenticity of $MG_2$, $GS_j$ computes the decryption key $K_g$ and then, using the decryption algorithm of AEGIS, $GS_j$ computes $E1$, $RA_r$, and $MC_r^*$ after taking the credentials $\{Q_{r1}, Q_{r2}\}$ as the input. The size of $K_g$ is initially 256 bits, but we truncate it to 128 bits. Likewise, the initialization vector ($IV_g^*$) is derived by inverting the bits of $K_g^*$, and the associative data $AD_g^*$ is set to be equal to $K_g^*$. In addition, $GS_j$ checks the condition on line 6 to ensure the authenticity of $E1$ and $RA_r$. If the condition is true, then $GS_j$ computes the decryption key $Ke1$, the associative data $AD_3^*$, and the initialization vector $IV_3^*$. Here, the initialization vector ($IV_3^*$) is obtained by inverting all the bits of $Ke1$. By using the decryption algorithm of AEGIS, $GS_j$ computes $P_2^*$ and $MC_3$, and to retrieve $P_2^*$, the condition on line 12 must be true. Otherwise, the authentication will be terminated.

Figure 4. Enrollment of user in PAF-IoD.
User $U_i$/$SD_i$ holds $\{ID_{U_i}, PW_{U_i}$ and $Bio_{U_i}\}$; Registration Authority/Ground Station $RA/GS_j$ holds $\{ID_{GS_j}, K_{GS_j}, GID_{GS_j}\}$.
$U_i$/$SD_i$: computes $(\beta, RP) = Gen(Bio_{U_i})$, $K_1 = H(\beta \parallel ID_{U_i} \parallel PW_{U_i})$, $P_l = \{\beta, ID_{U_i}, PW_{U_i}\}$, $AD_1 = (\beta \oplus RA_1)$, $D_1 = (\beta \oplus K_1)$, $((Q_1, Q_2, Q_3), MC_1) = E_{K_1}\{(IV_1, AD_1), P_l\}$.
$U_i \rightarrow RA/GS_j$: $RM_1$: $\{ID_{U_i}, Q_1\}$
$RA/GS_j$: selects $RA_r$ and computes $E1 = (ID_{U_i} \oplus Q_1 \oplus RA_r)$, $K_g = H(GID_{GS_j} \parallel K_{GS_j} \parallel ID_{GS_j})$, and $((Q_{r1}, Q_{r2}), MC_r) = E_{K_g}\{(IV_g, AD_g), E1, RA_r\}$.
$RA/GS_j \rightarrow U_i$: $RM_2$: $\{Q_r, MC_r, SID_k, GID_{GS_j}\}$
$U_i$/$SD_i$: computes $D_2 = (SID_{D_k} \oplus D_1 \oplus Q_3)$, $(CT_r, MC_{r1}) = E_{Q_2}\{(IV_2, AD_2), P_1\}$, where $P_1 = \{Q_{r1}, Q_{r2}, MC_r, GID_{GS_j}\}$, and stores the credentials $\{CT_r, D_2, RP, RA_1, MC_1, MC_{r1}, Gen(.), Rep(.)\}$ in its own memory.

Algorithm 2 Verification of $MG_1$ & Generation of $MG_2$ at $GS_j$
Input: $\{T_1, Q_{r1}, Q_{r2}, Q_4, Q_5, MC_r, MC_2\}$
Output: $\{T_2, Q_6, Q_7, Q_8, Q_9, Q_{10}, MC_3\}$
1: procedure VMG($\{T_1, Q_{r1}, Q_{r2}, Q_4, Q_5, MC_r, MC_2\}$)
2:   if $T_d \leq |T_r - T_1|$ then
3:     $K_g \leftarrow H(GID_{GS_j} \parallel K_{GS_j} \parallel ID_{GS_j})$
4:     $Z_x = (IV_g^*, AD_g^*)$
5:     $(P^*, MC_r^*) \leftarrow D_{K_g^*}\{Z_x, Q_{r1}, Q_{r2}\}$
6:     if $MC_r == MC_r^*$ then
7:       $P^* = \{E1, RA_r\}$
8:       $ID_{U_i} \oplus Q_1 \leftarrow (E1 \oplus RA_r)$
9:       $Ke1 \leftarrow (ID_{U_i} \oplus Q_1)$
10:       $AD_3^* \leftarrow (Q_r \oplus MC_r \oplus T_1 \oplus Q_{r1} \oplus Q_{r2})$
11:       $(P_2^*, MC_3) \leftarrow D_{Ke1}\{(IV_3^*, AD_3^*), Q_4, Q_5\}$
12:       if $MC_3 == MC_2$ then
13:         $P_2^* = \{RA_2, SID_{D_k} \oplus RA_2\}$
14:         $SID_{D_k} = \{RA_2 \oplus SID_{D_k} \oplus RA_2\}$
15:         Search the $SID_{D_k}$ in the database
16:         if $SID_{D_k} == SID_{D_k}$ then
17:           Gets $CT_{D_k}$ and $MC_{D_k}$
18:           $Z_x = (IV_g^*, AD_g^*)$
19:           $(P_{D_k}, MC_{D_k}^*) \leftarrow D_{K_g}\{Z_x, CT_{D_k}\}$
20:           if $MC_{D_k} == MC_{D_k}^*$ then
21:             Gets $P_{D_k} = \{\beta_k, CH_{D_k}\}$
22:             Generate $RA_3$, $RA_r^n$ and $T_2$
23:             $AD_4 \leftarrow (CH_{D_k} \oplus SID_{D_k} \oplus T_2)$,
24:             $E1^n \leftarrow (ID_{U_i} \oplus Q_1 \oplus RA_r^n)$,
25:             $P_3 \leftarrow (E1^n, RA_r^n)$,
26:             $(CT, MC_r^n) \leftarrow E_{\beta_k}\{(IV_g^*, AD_g^*), P_3\}$,
27:             $CT = \{Q_{r1}^n, Q_{r2}^n\}$,
28:             $Z_1 \leftarrow RA_2 \oplus Q_1 \oplus ID_{U_i}$,
29:             $Z_2 \leftarrow Q_{r1}^n \oplus RA_2$,
30:             $Z_3 \leftarrow Q_{r2}^n \oplus RA_2$,
31:             $Z_4 \leftarrow MC_r^n \oplus RA_2$,
32:             $Z_5 \leftarrow ID_{GS_j} \oplus RA_3$,
33:             $P_4 \leftarrow (Z_1, Z_2, Z_3, Z_4, Z_5)$,
34:             $(CT, MC_3) \leftarrow E_{\beta_k}\{(IV_4, AD_4), P_4\}$,
35:           else
36:             Execution terminated
37:           end if
38:         else
39:           Execution terminated
40:         end if
41:       else
42:         Execution terminated
43:       end if
44:     else
45:       Execution terminated
46:     end if
47:   else
48:     Execution terminated
49:   end if
50: end procedure

Algorithm 3 Verification of $MG_2$ and Generation of $MG_3$
Input: $\{T_2, Q_6, Q_7, Q_8, Q_9, Q_{10}, MC_3, CH_{D_k}, ID_{D_k}, RP\}$
Output: $\{T_3, Q_{11}, Q_{12}, Q_{13}, Q_{14}, Q_{15}, MC_4$ and $SK_{D_k}\}$
1: procedure VGM($\{T_2, Q_6, Q_7, Q_8, Q_9, Q_{10}, MC_3\}$),
2:   if $T_d \leq |T_r - T_2|$ then
3:     $(RSP) \leftarrow PUF(CH_{D_k})$,
4:     $(\beta_k) \leftarrow Rep(RSP, RP)$,
5:     $SID_{D_k} \leftarrow H(ID_{D_k} \parallel \beta_k)$
6:     $AD_4^* \leftarrow (CH_{D_k} \oplus SID_{D_k} \oplus T_2)$,
7:     $(P_4, MC_3^*) \leftarrow D_{\beta_k}\{(IV_4^*, AD_4^*), CT\}$,
8:     if $MC_3 == MC_3^*$ then
9:       $P_4 = (Z_1, Z_2, Z_3, Z_4, Z_5)$,
10:       generate $RA_4$ and $T_3$,
11:       $AD_6 \leftarrow (SID_{D_k} \oplus RA_2 \oplus Q_1 \oplus ID_{U_i})$,
12:       $K_2 \leftarrow (Z_1 = RA_2 \oplus Q_1 \oplus ID_{U_i})$,
13:       $P_4 \leftarrow (AD_6 \oplus \beta_k \oplus RA_4 \oplus ID_{D_k})$,
14:       $SK_{D_k} \leftarrow H(Z_1 \parallel P_4 \parallel T_3 \parallel AD_6)$,
15:       $SK_v \leftarrow H(SK_{D_k})$,
16:       $P_5 \leftarrow \{P_4, Z_2, Z_3, Z_4, SK_v\}$
17:       $(CT_1, MC_4) \leftarrow D_{K_2}\{(IV_6, AD_6), P_5\}$,
18:     else
19:       Execution terminated
20:     end if
21:   else
22:     Execution terminated
23:   end if
24: end procedure

After validating the authenticity of $MG_2$, $GS_j$ obtains $P_2^* = \{RA_2, SID_{D_k} \oplus RA_2\}$ and $SID_{D_k} = \{RA_2 \oplus SID_{D_k} \oplus RA_2\}$ and searches $SID_{D_k}$ in its own database.


Here, $SID_{D_k}$ refers to the $D_k$ from which $U_i$ requires access to the real-time information. If the condition on line 16 holds, then $GS_j$ retrieves $CT_{D_k}$ and $MC_{D_k}$. Moreover, $GS_j$ computes $P_{D_k}$ and $MC_{D_k}^*$ by using the AEGIS decryption algorithm. The size of $K_g$ is initially 256 bits, but we truncate it to 128 bits. Likewise, the initialization vector ($IV_g^*$) is derived by inverting the bits of $K_g^*$, and the associative data $AD_g^*$ is set to be equal to $K_g^*$. In addition, $GS_j$ checks the condition on line 20 to ensure the integrity of $P_{D_k}$ and $MC_{D_k}^*$. If this condition holds, $GS_j$ computes the parameter $E1^n$ and the plaintext $P_3$. Here, the size of $K_g$ is initially 256 bits, but we truncate it to 128 bits. Likewise, the initialization vector ($IV_g^*$) is derived by inverting the bits of $K_g^*$, and the associative data $AD_g^*$ is set to be equal to $K_g^*$. Furthermore, by using the AEGIS encryption algorithm, $GS_j$ computes $CT$ and $MC_r^n$, where $CT = \{Q_{r1}^n, Q_{r2}^n\}$. Here, the initialization vector ($IV_4$) is derived by inverting the bits of $\beta_K$. Finally, $GS_j$ computes $Z_1$, $Z_2$, $Z_3$, $Z_4$, and $Z_5$, constructs a message with parameters $\{T_2, Q_6, Q_7, Q_8, Q_9, Q_{10}, MC_3\}$, and sends it to $D_k$ via an open communication channel.

3) Step ALG-3: In this step, Algorithm 3 is executed by $D_k$. The procedure "verification and generation of message $MG_3$" (VGM) starts after taking the parameters $\{T_2, Q_6, Q_7, Q_8, Q_9, Q_{10}, MC_3, RP\}$ as input and generates the message $MG_3$ with parameters $\{T_3, Q_{11}, Q_{12}, Q_{13}, Q_{14}, Q_{15}, MC_4\}$. At first, $D_k$ checks the freshness of $MG_2$ through the condition $T_d \leq |T_r - T_2|$. If the message is fresh, then $D_k$ continues the authentication process. Otherwise, it terminates the authentication process. Further, $D_k$ retrieves $CH_{D_k}$ from its own memory and computes $RSP$ using the physically unclonable function, the stable encryption key $\beta_k$ using a fuzzy extractor, and the associative data $AD_4^*$. Here, the initialization vector ($IV_4^*$) is derived by inverting the bits of $\beta_K$. By using the AEGIS decryption algorithm, $D_k$ computes $\{P_4, MC_3^*\}$ and checks the condition $MC_3 == MC_3^*$. If it holds, then $D_k$ gets $P_4 = (Z_1, Z_2, Z_3, Z_4, Z_5)$. In addition, $D_k$ proceeds with the authentication process by selecting $RA_4$ and $T_3$. Moreover, $D_k$ computes the associative data $AD_6$, encryption key $K_2$, and plaintext $P_4$. To encrypt the communication with the user, $D_k$ calculates the session key $SK_{D_k}$ and the session key verification parameter $SK_v$. Finally, $D_k$ computes $CT_1$ and $MC_4$ using the AEGIS encryption algorithm, where $P_5 = \{P_4, Z_2, Z_3, Z_4, SK_v\}$.

4) Step ALG-4: Algorithm 4 is executed by the $SD_i$ after receiving $MG_3$ from $D_k$. In Algorithm 4, the procedure VM starts after taking the parameters $\{T_3, Q_{11}, Q_{12}, Q_{13}, Q_{14}, Q_{15}, MC_4$ and $\{Q_1, RA_3\}$ as the input and generates the "authentication success message" and the session key $SK_{U_i}$. Line 2 of Algorithm 4 ensures the timeliness of $MG_3$ by checking the condition $T_d \leq |T_r - T_3|$. If the condition on line 2 holds, then $U_i$ computes the associative data $AD_7$ and the decryption key $K_3$ on lines 3 and 4, respectively. On line 5, the decryption process is performed after taking the ciphertext $CT_1$ and $K_3$ as the input parameters and generates the plaintext $P_5$ and $MC_5$, where $CT_1 = \{Q_{11}, Q_{12}, Q_{13}, Q_{14}, Q_{15}\}$.

The AEGIS decryption algorithm needs to check the condition $MC_5 == MC_5^*$ on line 6 to check the integrity of the returned plaintext $P_5 = \{P_4, Z_2, Z_3, Z_4, SK_v\}$. The session key is computed on line 8 and the verification parameter for the session key is computed on line 9. The verification parameter is used to check that both session keys, at $D_k$ and $U_i$, are the same. For this purpose, a condition is checked on line 10; if it holds, the verification of the generated session key is successful. Finally, the $SD_i$ computes the parameters $\{CT_r^n, MC_{r1}^*\}$ using the AEGIS encryption algorithm. Here, the initialization vector ($IV_2^n$) is obtained by inverting the bits of $QT_2^*$, and the associative data is $AD_2^n = Q_2$. $SD_i$ replaces $\{CT_r^n, MC_{r1}^n\}$ with $\{CT_r, MC_{r1}^*\}$ in its own memory.

Algorithm 4 Verification of $MG_3$
Input: $\{T_3, Q_{11}, Q_{12}, Q_{13}, Q_{14}, Q_{15}, MC_4$ and $\{Q_1, RA_3\}$
Output: $\{SK_{D_k}$ and authentication successful$\}$
1: procedure VM($\{T_3, Q_{11}, Q_{12}, Q_{13}, Q_{14}, Q_{15}, MC_4, \{Q_1, RA_3\}$),
2:   if $T_d \leq |T_r - T_3|$ then
3:     $AD_6^* \leftarrow (SID_{D_k} \oplus RA_2 \oplus Q_1^* \oplus ID_{U_i})$,
4:     $K_3 \leftarrow (ZZ_1 = RA_2 \oplus Q_1^* \oplus ID_{U_i})$,
5:     $(P_5, MC_5^*) \leftarrow D_{K_3}\{(IV_6^*, AD_6^*), CT_1\}$,
6:     if $MC_5 == MC_5^*$ then,
7:       $P_5 = \{P_4, Z_2, Z_3, Z_4, SK_v\}$,
8:       $SK_{D_k} \leftarrow H(ZZ_1 \parallel P_4 \parallel T_3 \parallel AD_7)$,
9:       $SK_{v1} \leftarrow H(SK_{D_k})$,
10:       if $SK_v == SK_{v1}$ then,
11:         $Q_{r1}^n \leftarrow Z_2 \oplus RA_2$,
12:         $Q_{r2}^n \leftarrow Z_3 \oplus RA_2$,
13:         $MC_r^n \leftarrow Z_4 \oplus RA_2$,
14:         $PT_r^n \leftarrow \{Q_{r1}^n, Q_{r2}^n, MC_r^n\}$,
15:         $(CT_r^n, MC_{r1}^n) \leftarrow E_{Q_2^*}\{(IV_2^n, AD_2^n), PT_r^n\}$,
16:         Update $\{CT_r^n, MC_{r1}^n\}$ with $\{CT_r, MC_{r1}^*\}$
17:         Both session keys are the same
18:         Authentication successful
19:       else
20:         Execution terminated
21:       end if
22:     else
23:       Execution terminated
24:     end if
25:   else
26:     Execution terminated
27:   end if
28: end procedure

E. Password and Bio-metric Update Phase

This phase of the proposed PAF-IoD enables $U_i$ to update or change its bio-metrics and password without involving $GS_j$. $U_i$ can change its password by executing Algorithm 5. In Algorithm 5, the biometric and password update procedure starts after taking the input parameters, such as $\{ID_{U_i}, PW_{U_i}^o, Bio_{U_i}^o, RA_1^o, MC_1^o, MC_{r1}^o, D_2^o, CT_r^o, RP^o, PW_{U_i}^n, Bio_{U_i}^n, RA_1^n\}$, where $PW_{U_i}^n$, $Bio_{U_i}^n$, and $RA_1^n$ are the newly selected parameters and the others are the old parameters stored in the memory of the $SD_i$ of $U_i$. Algorithm 5 generates the new parameters, such as $\{CT_r^n, D_2^n, RP^n, RA_1^n, MC_1^n, MC_{r1}^n, Gen(.), Rep(.)\}$, and replaces them with $\{CT_r^o, D_2^o, RP^o, RA_1^o, MC_1^o, MC_{r1}^o, Gen(.), Rep(.)\}$ in the memory of the $SD_i$ of $U_i$.

VI. SECURITY ANALYSIS

Both formal and informal security evaluations are employed to verify the trustworthiness of the proposed PAF-IoD. Additionally, we used the software tool Scyther to confirm the security of the proposed PAF-IoD.
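The session key whose security this section analyses is derived by the drone in lines 10 to 15 of Algorithm 3 and re-derived and checked by the user in lines 2 to 10 of Algorithm 4. The following is an added example of that exchange, not the authors' code: SHA-256 stands in for $H$, every XORed value is a 32-byte string, the AEGIS layer that carries $P_5$ is omitted, and `max_delay` and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets

FIELD = 32  # every XORed value is a 32-byte string (assumption of this example)


def H(*parts: bytes) -> bytes:
    """H(a || b || ...), with SHA-256 standing in for the paper's hash."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(*values: bytes) -> bytes:
    out = bytes(FIELD)
    for v in values:
        out = bytes(a ^ b for a, b in zip(out, v))
    return out


def ts(t: int) -> bytes:
    return t.to_bytes(8, "big")


def drone_side(sid: bytes, z1: bytes, beta_k: bytes, id_dk: bytes, t3: int):
    """Algorithm 3, lines 10-15. z1 = RA2 xor Q1 xor ID_Ui arrives inside MG2."""
    ra4 = secrets.token_bytes(FIELD)
    ad6 = xor(sid, z1)                      # AD6 = SID xor RA2 xor Q1 xor ID_Ui
    p4 = xor(ad6, beta_k, ra4, id_dk)
    sk = H(z1, p4, ts(t3), ad6)             # SK_Dk
    # T3 travels in MG3; P4 and SKv are fields of P5, shown here after decryption.
    return sk, {"T3": t3, "P4": p4, "SKv": H(sk)}


def user_side(msg: dict, sid: bytes, ra2: bytes, q1: bytes, id_ui: bytes,
              t_recv: int, max_delay: int = 5):
    """Algorithm 4, lines 2-10. Returns the session key, or None if a check fails."""
    # Freshness: accept only when the measured delay is within the allowed threshold.
    if abs(t_recv - msg["T3"]) > max_delay:
        return None
    zz1 = xor(ra2, q1, id_ui)
    ad6 = xor(sid, zz1)
    sk = H(zz1, msg["P4"], ts(msg["T3"]), ad6)
    # SKv == SKv1, compared in constant time.
    if not hmac.compare_digest(H(sk), msg["SKv"]):
        return None
    return sk


def demo():
    # Constructed sample values shared through the earlier protocol steps.
    sid, ra2, q1, id_ui = (secrets.token_bytes(FIELD) for _ in range(4))
    beta_k, id_dk = secrets.token_bytes(FIELD), secrets.token_bytes(FIELD)
    sk_dk, mg3 = drone_side(sid, xor(ra2, q1, id_ui), beta_k, id_dk, t3=1000)

    agreed = user_side(mg3, sid, ra2, q1, id_ui, t_recv=1002)
    replayed = user_side(mg3, sid, ra2, q1, id_ui, t_recv=1100)
    forged = dict(mg3, P4=xor(mg3["P4"], b"\x01" + bytes(FIELD - 1)))
    modified = user_side(forged, sid, ra2, q1, id_ui, t_recv=1002)
    outsider = user_side(mg3, sid, ra2, secrets.token_bytes(FIELD), id_ui, t_recv=1002)
    return agreed == sk_dk, replayed, modified, outsider


if __name__ == "__main__":
    print(demo())
```

Only the first call yields a key: the late copy fails the freshness check, and both the modified $P_4$ and the wrong $Q_1$ fail the $SK_v$ comparison.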


Algorithm 5 Bio-metric and Password Update
Input: $\{ID_{U_i}, PW_{U_i}^o, Bio_{U_i}^o, RA_1^o, MC_1^o, MC_{r1}^o, D_2^o, CT_r^o, RP^o, PW_{U_i}^n, Bio_{U_i}^n, RA_1^n\}$
Output: $\{CT_r^n, D_2^n, RP^n, RA_1^n, MC_1^n, MC_{r1}^n, Gen(.), Rep(.)\}$
1: procedure BPU($\{ID_{U_i}, PW_{U_i}^o, Bio_{U_i}^o, RA_1^o, MC_1^o, MC_{r1}^o, D_2^o, CT_r^o, RP^o, PW_{U_i}^n, Bio_{U_i}^n, RA_1^n\}$),
2:   $(\beta^o) \leftarrow Rep(Bio_{U_i}^o, RP)$,
3:   $K_1^o \leftarrow H(\beta^o \parallel ID_{U_i} \parallel PW_{U_i}^o)$,
4:   $P_l^o \leftarrow \{\beta^o, ID_{U_i}, PW_{U_i}^o\}$,
5:   $AD_1^o \leftarrow (\beta^o \oplus RA_1^o)$,
6:   $D_1^o \leftarrow (\beta^o \oplus K_1^o)$,
7:   $((Q_1^o, Q_2^o, Q_3^o), MC_1^o) \leftarrow E_{K_1^o}\{(IV_1^o, AD_1^o), P_l^o\}$,
8:   if $MC_1 == MC_1^o$ then
9:     $SID_{D_k} \leftarrow (D_2^o \oplus D_1^o \oplus Q_3^o)$,
10:     $(P_1, MC_{r1}^o) \leftarrow D_{Q_2^o}\{(IV_2^o, AD_2^o), CT_r^o\}$,
11:     if $MC_{r1} == MC_{r1}^o$ then
12:       $P_1 = \{Q_{r1}, Q_{r2}, MC_r, GID_{GS_j}\}$,
13:       $(\beta^n, RP^n) \leftarrow Gen(Bio_{U_i}^n)$,
14:       $K_1^o \leftarrow H(\beta^n \parallel ID_{U_i}^n \parallel PW_{U_i}^n)$,
15:       $P_l^n \leftarrow \{\beta^n, ID_{U_i}, PW_{U_i}^n\}$,
16:       $AD_1^n \leftarrow (\beta^n \oplus RA_1^n)$,
17:       $D_1^n \leftarrow (\beta^n \oplus K_1^n)$,
18:       $((Q_1^n, Q_2^n, Q_3^n), MC_1^n) \leftarrow E_{K_1^n}\{(IV_1^n, AD_1^n), P_l^n\}$,
19:       $D_2^n \leftarrow SID_{D_k} \oplus D_1^n \oplus Q_3^n$,
20:       $(CT_r^n, MC_{r1}^n) \leftarrow E_{Q_2^n}\{(IV_2^n, AD_2^n), P_1\}$,
21:     else
22:       Execution terminated
23:     end if
24:   else
25:     Execution terminated
26:   end if
27: end procedure

A. Informal Security Analysis

The non-mathematical approach to security evaluation is referred to as informal security analysis. In this informal security assessment, we explain the resistance of PAF-IoD to various security weaknesses.

1) Anonymous/Untraceable Communication: In PAF-IoD, $MG_1$: $\{T_1, Q_{r1}, Q_{r2}, Q_4, Q_5, MC_r, MC_2\}$, $MG_2$: $\{T_2, Q_6, Q_7, Q_8, Q_9, Q_{10}, MC_3\}$, and $MG_3$: $\{T_3, Q_{11}, Q_{12}, Q_{13}, Q_{14}, Q_{15}, MC_4\}$ are communicated to accomplish the LKA phase. All the messages incorporate the latest timestamps and fresh random numbers. All the parameters of $MG_1$, $MG_2$, and $MG_3$ are dynamic, and $\mathcal{A}$ cannot determine any correlation between messages captured from two different authentication sessions. In addition, it is not possible for $\mathcal{A}$ to obtain the real identity or other credentials from $MG_1$, $MG_2$, and $MG_3$ for tracking the user. In this way, PAF-IoD can achieve anonymous and untraceable communication in the IoD environment.

2) Replay Attack: In the LKA phase, three messages, $MG_1$: $\{T_1, Q_{r1}, Q_{r2}, Q_4, Q_5, MC_r, MC_2\}$, $MG_2$: $\{T_2, Q_6, Q_7, Q_8, Q_9, Q_{10}, MC_3\}$, and $MG_3$: $\{T_3, Q_{11}, Q_{12}, Q_{13}, Q_{14}, Q_{15}, MC_4\}$, are disseminated by the IoD network participants. All the messages incorporate the latest timestamps to ensure the freshness of the messages. For instance, $MG_1$ incorporates $T_1$, and at $GS_j$ the freshness of $MG_1$ is verified through the condition $T_d \leq |T_r - T_1|$. If the value of $T_d$ is within the allowed time delay threshold, then $MG_1$ is considered a legitimate message. Otherwise, $MG_1$ is considered delayed or invalid, and all the replayed or delayed messages are dropped by the receiving network entity. The same is the case with $MG_2$ and $MG_3$. In this way, the proposed PAF-IoD detects the replayed or delayed message. Thus, PAF-IoD is resistant to the replay attack.

3) DoS Attack: In the PAF-IoD scheme, it is crucial for $U_i$ to successfully complete local authentication before sending the authentication request to $GS_j$. To achieve local authentication, the $SD_i$ of $U_i$ verifies certain conditions, specifically $MC_1 == MC_1^*$ and $MC_{r1} == MC_{r1}^*$. If any of these conditions fail to hold, the $SD_i$ of $U_i$ terminates the authentication process. This approach prevents $U_i$ from inundating $GS_j$ with excessive authentication requests that could potentially overwhelm its resources. As a result, the proposed PAF-IoD scheme exhibits resistance against denial-of-service (DoS) attacks.

4) MITM Attack: As per the threat model outlined in Section IV-B, the adversary $\mathcal{A}$ is capable of capturing the message $MG_1$: $\{T_1, Q_{r1}, Q_{r2}, Q_4, Q_5, MC_r, MC_2\}$ through an eavesdropping attack. Subsequently, $\mathcal{A}$ aims to establish a session key with $D_k$ with the assistance of $GS_j$. To accomplish this, $\mathcal{A}$ modifies the contents of the captured messages and re-transmits the modified message to $GS_j$. Upon receiving the modified message, $GS_j$ verifies the integrity and authenticity of the message by checking the conditions $MC_r == MC_r^*$ and $MC_3 == MC_2$. If any of these conditions fail, $GS_j$ rejects the message and terminates the authentication process. Similar integrity and authenticity checks are performed on $MG_2$ and $MG_3$ using the conditions $MC_3 == MC_3^*$ and $MC_5 == MC_5^*$, respectively. The conditions $MC_r == MC_r^*$ and $MC_3 == MC_2$, $MC_3 == MC_3^*$, and $MC_5 == MC_5^*$ will not hold for the modified versions of the messages $MG_1$, $MG_2$ and $MG_3$, respectively. In this way, the proposed PAF-IoD can resist the MITM attack.

5) Impersonation Attack: According to the threat/attack model discussed in Section IV-B, $\mathcal{A}$ can capture all the communicated messages. To impersonate $U_i$, $\mathcal{A}$ needs to construct the message $MG_1$: $\{T_1, Q_{r1}, Q_{r2}, Q_4, Q_5, MC_r, MC_2\}$. To construct a valid $MG_1$, $\mathcal{A}$ needs to know the parameters $Q_1^*$ and $ID_{U_i}$. The parameters $Q_1^*$ and $ID_{U_i}$ are used in the encryption process, which generates the components $\{Q_{r2}, Q_4, Q_5, MC_2\}$ of the message $MG_1$. In addition, $\mathcal{A}$ also needs to know the secret key $K_g$ to get the parameters $Q_1^*$ and $ID_{U_i}$ from $Q_{r1}$ and $Q_{r2}$. However, the parameters $\{Q_1^*, ID_{U_i}\}$ and $K_g$ are known only to $U_i$ and $GS_j$. Thus, $\mathcal{A}$ cannot generate a valid $MG_1$ without knowing $Q_1^*$, $ID_{U_i}$, and $K_g$. Therefore, PAF-IoD is resistant to user impersonation attacks. Moreover, $\mathcal{A}$ cannot construct the message $MG_2$: $\{T_2, Q_6, Q_7, Q_8, Q_9, Q_{10}, MC_3\}$ without knowing $\beta_k$, $CH_{D_k}$ and $K_g$. Here, the credentials $\beta_k$ and $CH_{D_k}$ are stored in encrypted form in the database of $GS_j$, where the encryption is performed using $K_g$. The parameters $\beta_k$, $CH_{D_k}$, and $K_g$ are known only to $GS_j$ and $D_k$. Thus, PAF-IoD can prevent ground station impersonation attacks. Similarly, without knowing the parameters $RA_2$, $Q_1$, $SID_{D_k}$, and $ID_{U_i}$, $\mathcal{A}$ is unable to generate a valid $MG_3$: $\{T_3, Q_{11}, Q_{12}, Q_{13}, Q_{14}, Q_{15}, MC_4\}$. In this way, the proposed PAF-IoD is resilient against the drone impersonation attack.

6) ESL Attack: The session key $SK_{D_k} (= SK_{U_i})$, essential for achieving encrypted communication in the proposed PAF-IoD scheme, is derived as $SK_{D_k} (= SK_{U_i}) = H(Z_1 \parallel P_4 \parallel T_3 \parallel AD_6)$, where $Z_1 = ZZ_1$, where $Z_1$ corresponds to $ZZ_1$


generated during the LKA phase. This session key combines various long-term and short-term secret parameters. Even if $\mathcal{A}$ is able to breach the short-term confidential credentials, the long-term confidential credentials of the entities taking part in the authentication procedure would still need to be obtained. Consequently, $\mathcal{A}$ must hold both the long-term and the short-term confidential credentials at the same time to be able to undermine the security of the session key created through the authentication procedure. Without access to these confidential credentials, the proposed PAF-IoD remains resistant to the ESL attack.

7) Physical Capture Attack: $\mathcal{A}$ has the capability to capture a drone $D_k$, which is deployed in the IoD environment. $D_k$ is a tamper-proof device and, after capturing $D_k$, $\mathcal{A}$ tries to harm it. The proposed PAF-IoD is designed using a PUF, which changes its behavior when $\mathcal{A}$ attempts to harm the device. Any harm to the tamper-proof $D_k$ leads to the generation of an incorrect response. Thus, the incorrect response will not generate the desired output during the execution of the LKA phase of PAF-IoD. In addition, $\beta_k$ and $CH_{D_k}$ are stored in encrypted form at $GS_j$. Thus, after capturing $D_k$, $\mathcal{A}$ cannot compromise the session key and effectuate any well-known attack. Therefore, the proposed PAF-IoD is resistant to drone physical capture attacks.

8) Bio-metric and Password Change Attack: By leveraging power analysis attacks, $\mathcal{A}$ can acquire the credentials $\{CT_r, D_2, RP, RA_1, MC_1, MC_{r1}, Gen(.), Rep(.)\}$ after capturing the $SD_i$ of $U_i$. The objective of $\mathcal{A}$ in this attack is to modify or update the password and biometric information of $U_i$. To accomplish this, $\mathcal{A}$ randomly selects the sensitive parameters $Bio_{U_i}^A$, $ID_{U_i}^A$ and $PW_{U_i}^A$, and performs the following computations: $\beta^A = Rep(Bio_{U_i}^A, RP)$, $K_1^A = H(\beta^A \parallel ID_{U_i}^A \parallel PW_{U_i}^A)$, $P_l^A = \{\beta^A, ID_{U_i}^A, PW_{U_i}^A\}$, $AD_1^A = (\beta^A \oplus RA_1)$, $D_1^A = (\beta^A \oplus K_1^A)$, and $((Q_1^A, Q_2^A, Q_3^A), M_1^A) = E_{K_1^A}\{(IV_1^A, AD_1^A), P_l^A\}$. Finally, $\mathcal{A}$ needs to verify the condition $MC_1 == MC_1^A$. However, without knowledge of the secret and valid credentials of $U_i$, this condition cannot be satisfied. Additionally, during the LKA phase, the biometric key is utilized, which is challenging to generate and guess. Given these constraints, it becomes difficult for $\mathcal{A}$ to satisfy the condition $MC_1 == MC_1^A$. Therefore, the proposed PAF-IoD offers resistance against biometric and password update attacks.

B. Security Analysis Using Random-or-Real Model

The Real-or-Random model [9] functions as a formal proof analysis, confirming the protocol's session key security. This lays the foundations for implementing the PAF-IoD into the ROR model. Participants, adversaries, and queries all exist in the framework of our scheme.

Participants: Participants refer to the entities involved in the communication within the proposed PAF-IoD. There are three primary participants in PAF-IoD, namely $U_j$, $GS_j$, and $D_k$. We represent the instances $I_1$, $I_2$, and $I_3$ of $U_j$, $GS_j$, and $D_k$ as $\phi^{I_1}_{U_i}$, $\phi^{I_2}_{GS_j}$, and $\phi^{I_3}_{D_k}$, respectively, which act as oracles.

Partnership: In the acceptance state, the instances $\phi^{I_1}_{U_i}$ and $\phi^{I_3}_{D_k}$ become partners if they possess a shared session key.

Freshness: $\mathcal{A}$ is unable to disclose the session key established between $\phi^{I_1}_{U_i}$ and $\phi^{I_3}_{D_k}$ during the LKA phase.

Adversary: The capabilities of $\mathcal{A}$ are outlined in Section IV-B. Furthermore, $\mathcal{A}$ executes simulations of various queries to carry out different attacks on PAF-IoD.

Theorem 1. Let $\mathcal{A}$ be a polynomial-time ($plt$) adversary that is executing against PAF-IoD. The advantage of $\mathcal{A}$ in breaching the security of PAF-IoD's session key can be calculated as follows:

$$Adv^{PAF\text{-}IoD}_{\mathcal{A}}(plt) \leq \frac{H_q^2}{2|HoL|} + \frac{H_{puf}^2}{2|PUF|} + \frac{S_q}{2^{bkl-1} \cdot |PL|} + 2 \cdot Adv^{OCCA3}_{AEAD,\mathcal{A}}(plt) \tag{2}$$

In the given context, the terms $H_q^2$, $S_q$, $|PL|$, $2^{bkl}$, and $|HoL|$ represent the hash function, send queries, password length, bio-metric key length, and the length of the output of the hash function, respectively. Additionally, $Adv^{OCCA3}_{\mathcal{A}}(plt)$ [31] denotes the advantage of adversary $\mathcal{A}$ in compromising the security of AEAD.

Proof. The proof of Theorem 1 is illustrated through a series of five consecutive games ($G_z \mid z = 0, 1, 2, 3, 4$) [33]. Additionally, the notation "$Adv_G$" represents the probability of adversary $\mathcal{A}$ winning by correctly guessing the true value of bit "b" in each game $G_t$.

$G_0$: In this game, which corresponds to the real attack scenario, all Oracle queries are responded to truthfully in compliance with the specifications of the protocol. Based on the security definition, we have the following:

$$Adv^{PAF\text{-}IoD}_{\mathcal{A}}(plt) = |2 \cdot Adv_{G_0} - 1|. \tag{3}$$

$G_1$: In this game, $\mathcal{A}$ is allowed to capture the messages $MG_1$: $\{T_1, Q_{r1}, Q_{r2}, Q_4, Q_5, MC_r, MC_2\}$, $MG_2$: $\{T_2, Q_6, Q_7, Q_8, Q_9, Q_{10}, MC_3\}$, and $MG_3$: $\{T_3, Q_{11}, Q_{12}, Q_{13}, Q_{14}, Q_{15}, MC_4\}$ through an eavesdropping attack, accomplished by the $Execute(\phi^{I_1}_{U_i}, \phi^{I_2}_{GS_j}, \phi^{I_3}_{D_k})$ query. After capturing the messages, $\mathcal{A}$ aims to deduce a valid session key $SK_{D_k} (= SK_{U_i}) == H(Z_1 \parallel P_4 \parallel T_3 \parallel AD_6)$, which is a combination of temporary credentials ($RN_a$, $RN_b$, $RN_d$, $CT_{mg2}$) and long-term credentials ($A_1$, $SID_i$, $DSK$, $GK$). At the end of $G_1$, $\mathcal{A}$ performs $Reveal(\phi^{I_1})$ to disclose the speculated session key and subsequently uses the $Test(\phi^{I_1})$ query to assess the difference between the actual session key and an arbitrary bit. Since $\mathcal{A}$ lacks both the long-term and short-term parameters, it is unable to construct a valid session key. Consequently, the likelihood of $\mathcal{A}$ winning is minimal. Thus, $G_0$ and $G_1$ are indistinguishable. Therefore, we have the following:

$$Adv_{G_1} = Adv_{G_0} \tag{4}$$

$G_2$: In this game, an active attack is initiated by $\mathcal{A}$ through the use of hash ($HoL$) queries. In the context of PAF-IoD, the session key is derived using the SHA algorithm on the side of $U_i$ and $SD_i$. $\mathcal{A}$ aims to find a collision by making $HoL$ queries in order to compromise the security of the $SK$. However, the probability of successfully detecting a collision is extremely low. In addition, $\mathcal{A}$ in this game also employs the queries $Send$ and $PUF$. As stated in Section III-B, cloning the


Table III. ROR model queries

| Query | Description |
| --- | --- |
| $Execute(\phi^{I_1}_{U_i}, \phi^{I_2}_{GS_j}, \phi^{I_3}_{D_k})$ | This query simulates a passive attack. This query gives $\mathcal{A}$ access to all of the messages delivered during the PAF-IoD's secure channel setup process. |
| $Test(\phi^{I_1})$ | To determine if the speculative session key is a real session key or a random result, $\mathcal{A}$ runs this query. |
| $Reveal(\phi^{I_1})$ | The session key sustained by oracle $\phi^{I_1}$ is made available to $\mathcal{A}$ by using this query. |
| $Send(\phi^{I_1}, MG)$ | This query launches an active attack. Furthermore, $\phi^{I_1}$ is able to send $MG$ as a message to $\phi^{p_2}$ and receive an answer in return. |
| $CorruptSD(\phi^{I_1})$ | This query is used by $\mathcal{A}$ to get the long-term credentials stored in the memory of $SD_i$. |

PUF is highly challenging or even impossible. Consequently, By using (8) and (10), we obtain
the A’ advantage does not increase in G2. Thus, we have 1 AF −IoD
.Adv P
A (plt) = |Adv G1 − Adv G4 | (11)
2
2
Hq2 Hpuf Upon considering the triangular inequality, we have
Adv G2 − Adv G1 ≤ + . (5)
2|HoL| 2|P U F |
|Adv G1 − Adv G4 | ≤ |Adv G1 − Adv G2 |
G3 : In this game, A initiates an active attack using the +|Adv G2 − Adv G4 |
CorruptSD(ϕI1 ) query. By seizing the SCR, the attacker can (12)
obtain the credentials {CTr , D2 , RP , RA1 , M C1 , M Cr1 , ≤ |Adv G1 − Adv G2 | + |Adv G2 − Adv G3 |
Gen(.), Rep(.)} stored in the memory of the SCR. A attempts +|Adv G3 − Adv G4 |.
to guess the identity, password, and biometric key of Uj . By using (5), (7), and (12), we get
However, the probability of correctly guessing the biometric Hq2 2
Hpuf Sq
AF −IoD
1
key is 2bkl , which is negligible. Furthermore, it is important Adv P
A (plt) ≤ + + bkl−1
|HoL| |P U F | 2 · |P L|
to note that only a restricted number of incorrect password
attempts are permitted. With these probabilities in mind, we +2.Adv OCCA3
AEAD,A (plt).
can draw the following conclusions. (13)
Sq ■
Adv G3 − Adv G2 ≤ bkl . (6)
2 · |P L|
G4 : In this game, an active attack is carried out using C. Scyther Based Security Analysis
Execute(ϕIU1i , ϕIGS2
j
, ϕID3k ). By enabling this query, an adver- There are various automated tools available for validating
sary A can capture all the communicated messages, denoted the resilience of the proposed security framework against
as M G1 :{T1 , Qr1 , Qr2 , Q4 , Q5 , M Cr , M C2 }, M G2 :{T2 , different attacks. Two commonly used software tools for
Q6 , Q7 , Q8 , Q9 , Q10 , M C3 }, and M G3 :{T3 , Q11 , Q12 , Q13 , ensuring the security properties of the proposed protocol are
Q14 , Q15 , M C4 }. The primary objective of A is to obtain AVISPA and Scyther. In our case, we have chosen to utilize
all the secret parameters utilized in the construction of the Scyther to guarantee the resilience of PAF-IoD against a wide
session key. However, in the proposed PAF-IoD framework, range of attacks. Our preference for Scyther is due to several
all communicated messages are encrypted using the AEGIS reasons. Firstly, Scyther provides a graphical representation
encryption algorithm. It is important to note that AEGIS is when it detects attacks against the proposed security frame-
considered secure and the advantage an adversary A has work, whereas AVISPA does not generate attack graphs. This
in compromising the security (confidentiality and integrity) visual representation enhances the understanding of attack
of AEGIS in polynomial time is negligible (as defined in scenarios. Secondly, Scyther has the capability to validate
Definition 1). Thus, in order to compromise the security of multi-protocol attacks, whereas AVISPA does not provide
the proposed PAF-IoD, A would need to breach the security verification for such attacks. This is particularly important for
of the AEGIS encryption algorithm. Based on the definition assessing the robustness of the security framework in real-
provided in Definition 1, we can conclude the following: world scenarios involving multiple protocols. Additionally,
Adv G4 − Adv G3 ≤ Adv OCCA3
AEAD,A (plt). (7) Scyther allows for the verification of the proposed security
After completing all (Gz |z ∈ [0, 3]), the adversary A does framework using both bounded and unbounded numbers of
not gain any significant advantage in acquiring the accurate sessions, providing flexibility in analyzing different scenarios.
bit “b”. Therefore, we can conclude that On the other hand, AVISPA only supports verification through
a bounded number of sessions. Lastly, it is worth mentioning
that “AVISPA” employs the “High-level protocol specifica-
Adv G4 = 1/2 (8) tion language (HLPSL)”, while Scyther utilizes the “Security
protocol description language (SPDL)” for implementing the
From (3) and (4), we get
proposed security framework. The choice of Scyther aligns
AF −IoD 1
Adv P
A (plt) = |2 · Adv G0 − |. (9) with our implementation requirements and allows for effective
2 analysis and validation of the security framework.
From (9), we get
1 Scyther is a powerful automated tool used for validating,
AF −IoD
.Adv P
A (plt) = |Adv G0 − Adv G4 |. (10) verifying, and analyzing security frameworks and techniques.
2
It offers unique features that set it apart from other state-of-the-art mechanisms, and it is readily accessible for use. One of Scyther’s notable strengths is its utilization of a “pattern refinement algorithm” that enables concise expressions of sets of traces. These expressions play a crucial role in classifying security threats and potential protocol behaviors. Scyther has gained significant recognition and adoption within research circles due to its effectiveness. In the case of the proposed PAF-IoD, the implementation is carried out using the SPDL. The SPDL script represents three key roles: $U_i$ (user), $GS_j$ (ground station), and $D_k$ (smart drone). The SPDL script includes various claims associated with each role. Scyther validates all these claims, as demonstrated in Fig. 5. This validation process further strengthens the confidence in the security guarantees provided by the PAF-IoD framework.

Figure 5. Scyther-based security analysis.

VII. PERFORMANCE EVALUATION

In this section, we conduct a comprehensive comparison between the proposed PAF-IoD framework and the authentication frameworks presented in [35], [34], [36], and [37]. The comparison focuses on various aspects, including communication and computational overheads, as well as security functionalities. By evaluating PAF-IoD against these frameworks, we can assess its performance, efficiency, and effectiveness in providing secure communication in the IoD environment.

We utilize the following system configurations for simulating the ground station ($GS_j$): “Core i5 CPU, Quad-core, 2.0 GHz, operating system Ubuntu, and 4GB RAM.” For simulating drone $D_k$ and user $U_i$, we employ the Raspberry Pi-3, which features a “quad-core ARM Cortex-A7 CPU running at 900MHz, 1GB RAM”, and Ubuntu as the operating system. We represent the computational time of the “hash algorithm, ECC scalar point multiplication, ECC addition, symmetric encryption/decryption, AEAD-based symmetric encryption/decryption, PUF, and biometric fuzzy extractor” as “$T_h$, $T_{ecc}$, $T_{eca}$, $T_{enc}$, $T_{ae}$, $T_p$, and $T_b$”, respectively. The implementation of cryptographic operations in the proposed PAF-IoD and other related security frameworks is facilitated by the “Pycrypto” library, a Python-based cryptographic library. To determine the computational cost or time of specific cryptographic operations, we calculate the average execution time over a hundred iterations. In addition, to compute the communication cost, we consider the size of the hash algorithm output, point size, random number size, identity size, biometric key, and $MC$, which are 256 bits, 320 bits, 128 bits, 128 bits, 256 bits, and 128 bits, respectively. The execution time of PUF is 4 µs [41]. The computational complexities associated with various cryptographic operations and the size of various parameters are summarized in Table IV.

Table IV. Parameter size and computational time

| Operation | Symbol | $U_i$/$D_k$ | $GS_j$ | Parameters |
|---|---|---|---|---|
| “AEAD based encryption (AEGIS)” | $T_{ae}$ | 0.391 ms | 0.06 ms | Block size (128 bits) |
| “ECC-point scalar multiplication” | $T_{ecc}$ | 2.97 ms | 0.96 ms | ECC point size (320 bits) |
| “Symmetric encryption” | $T_{enc}$ | 0.594 ms | 0.0694 ms | ID size (128 bits) |
| “ECC point addition” | $T_{eca}$ | 0.121 ms | 0.0102 ms | Random number size (128 bits) |
| “Hash function (SHA-256)” | $T_h$ | 0.371 ms | 0.0499 ms | HASH size (160 bits) |
| “FE-based key generation/reproduction” | $T_b \approx T_{ecc}$ | 2.97 ms | 0.96 ms | MC size (128 bits) |

A. Security Comparison

Security frameworks are crucial for safeguarding sensitive information, systems, and physical locations from unauthorized access. These frameworks implement various controls such as authentication, access controls, and encryption to restrict access exclusively to authorized individuals. However, it has been observed that certain existing authentication frameworks have limitations and vulnerabilities. The authentication framework presented in [34] lacks physical capture security as it does not utilize the PUF function. In [35], another security framework, several weaknesses are identified, including vulnerability to parallel session attacks, MITM attacks, and impersonation attacks. The framework also exhibits a design flaw that hampers mutual authentication and fails to ensure user anonymity. Furthermore, the security framework proposed in [36] is susceptible to drone capture and insider attacks. It also lacks features such as user anonymity, message integrity, and confidentiality. Similarly, the scheme proposed in [37] is weak against MITM attacks and temporary secret leakage. In contrast, the proposed PAF-IoD offers enhanced security and advanced functionalities compared to these relevant authentication frameworks. A comprehensive comparison of security features is provided in Table V.

B. Computational Cost

The computational cost represents the CPU utilization at different nodes involved in the LKA process. A lower computational cost indicates a more efficient authentication scheme. In the proposed PAF-IoD scheme, the computational costs at $U_i$, $GS_j$, and $D_k$ for completing the LKA process are $4T_h + 5T_{ae} + T_b \approx 6.41$ ms, $T_h + 5T_{ae} \approx 0.35$ ms, and $3T_h + 2T_{ae} + T_b + T_p \approx 4.87$ ms, respectively. The cumulative computational cost of the proposed PAF-IoD scheme is $13T_h + 12T_{ae} + 2T_b + T_p \approx 11.628$. In the authentication framework presented in [34], the computational costs at $U_i$, $GS_j$, and $D_k$ are $15T_h + 4T_{ecc} + 3T_{eca} + T_b \approx 26.97$ ms, $9T_h + 2T_{ecc} + 2T_{eca} + 2T_{enc} \approx 2.49$ ms, and
$10T_h + 4T_{ecc} + 2T_{eca} \approx 14.97$ ms, respectively. The total computation required by the framework proposed in [34] is $34T_h + 8T_{ecc} + 7T_{eca} + 2T_{enc} + T_b \approx 44.42$ ms. The authentication framework proposed in [35] requires computational costs at $U_i$, $GS_j$, and $D_k$ of $16T_h + 6T_{ecc} + 2T_{eca} + T_b \approx 12.92$ ms, $11T_h + 2T_{ecc} + 2T_{eca} \approx 1.89$ ms, and $8T_h + 4T_{ecc} + T_{eca} \approx 9.58$ ms, respectively. The total computational cost required by [35] to accomplish the LKA phase is $35T_h + 12T_{ecc} + 5T_{eca} + T_b \approx 24.390$ ms. The user authentication framework proposed in [36] requires computational costs at $U_i$, $GS_j$, and $D_k$ of $6T_h + 3T_{enc} + 3T_{ecc} \approx 17.82$ ms, $9T_h + 7T_{enc} + T_{ecc} \approx 6.06$ ms, and $5T_h + 3T_{enc} + 2T_{ecc} \approx 16.33$ ms, respectively. The aggregated computational cost to accomplish the authentication phase in [36] is $20T_h + 13T_{enc} + 5T_{ecc} \approx 40.211$ ms. In addition, the computational cost of the authentication techniques presented in [37] is $18T_h + 16T_{ecc} \approx 39.138$ ms, while the computational costs at $U_i$, $GS_j$, and $D_k$ are $8T_h + 5T_{ecc} \approx 20.78$ ms, $6T_h + 6T_{ecc} \approx 2.53$ ms, and $4T_h + 5T_{ecc} \approx 15.83$ ms, respectively. Fig. 6 illustrates the computational cost at $U_i$, $GS_j$, and $D_k$. From the figure, it is evident that the proposed PAF-IoD requires fewer computational resources at $U_i$, $GS_j$, and $D_k$ compared to other schemes. Additionally, Fig. 7 provides a comparison of the total computational resources between PAF-IoD and other relevant security frameworks. In the LKA scheme, $GS_j$ plays a critical role as the main component. Therefore, an efficient authentication framework is one that demands fewer computational resources at $GS_j$. The proposed PAF-IoD demonstrates greater efficiency compared to related security frameworks, as it requires fewer computational resources at $GS_j$, as shown in Fig. 8.

Figure 6. Comparison of computational cost required by $U_i$, $GS_j$, and $D_k$ for accomplishing the LKA phase.

Figure 7. Computational overhead for accomplishing the LKA phase.

Table V. Security features

| Features | [35] | [34] | [36] | [37] | PAF-IoD |
|---|---|---|---|---|---|
| “$PW_{U_i}$ guessing attack” | ✓ | ✓ | ✓ | ✓ | ✓ |
| “$D_k$ impersonation attack” | × | ✓ | × | ✓ | ✓ |
| “$U_i$ impersonation attack” | × | ✓ | ✓ | ✓ | ✓ |
| “$GS_j$ impersonation attack” | ✓ | ✓ | ✓ | ✓ | ✓ |
| “MITM attack” | × | ✓ | ✓ | × | ✓ |
| “User Anonymity” | × | ✓ | × | ✓ | ✓ |
| “Privilege insider attack” | ✓ | ✓ | ✓ | ✓ | ✓ |
| “Mutual authentication” | × | ✓ | ✓ | ✓ | ✓ |
| “$ID_{U_i}$ guessing attack” | ✓ | ✓ | × | ✓ | ✓ |
| “Physical Uncloneable Function” | × | × | × | × | ✓ |
| “Identity guessing attack” | × | ✓ | × | ✓ | ✓ |
| “DoS attack” | ✓ | ✓ | ✓ | ✓ | ✓ |
| “TSL attack” | ✓ | ✓ | ✓ | × | ✓ |

✓: framework supports the feature; ×: framework does not support the feature

C. Communication Cost

The communication cost plays a vital role in evaluating the efficiency of an authentication framework during the LKA phase. A more efficient security scheme is characterized by an authentication framework where participants transmit fewer bits to complete the LKA phase. Reduced bit transmission not only signifies improved communication efficiency but also leads to lower energy consumption. In the proposed PAF-IoD, all the participants exchange three messages, such as $MG_1$:{$T_1$, $Q_{r1}$, $Q_{r2}$, $Q_4$, $Q_5$, $MC_r$, $MC_2$}, $MG_2$:{$T_2$, $Q_6$, $Q_7$, $Q_8$, $Q_9$, $Q_{10}$, $MC_3$}, and $MG_3$:{$T_3$, $Q_{11}$, $Q_{12}$, $Q_{13}$, $Q_{14}$, $Q_{15}$, $MC_4$} to complete the LKA phase. Here, the size of the messages $MG_1$, $MG_2$, and $MG_3$ are {32 + 128 + 128 + 128 + 128 + 128 + 128} = 800 bits, {32 + 128 + 128 + 128 + 128 + 128 + 128} = 800 bits, {32 + 128 + 128 + 128 + 128 + 128 + 128} = 800 bits, respectively. The total number of bits exchanged during the LKA phase are {800 + 800 + 800} = 2400 bits. There are three messages exchanged during the login and key agreement phase of the authentication framework proposed in [34]. The aggregated communication cost to accomplish the LKA phase is 3040 bits. The authentication framework proposed in [36] accomplishes its LKA phase using four messages. As a result, the communication cost required by [36] totals 3264 bits. By employing a four-message exchange, the authentication framework presented in [35] successfully completes its LKA phase. Consequently, the communication cost for this framework amounts to a total of 2656 bits. Moreover, the communication cost required by the authentication framework proposed in [37] is 4116 bits to complete its LKA process. Fig. 9 presents a comparative analysis of the communication cost between PAF-IoD and other related security frameworks. It provides insights into the communication efficiency of PAF-IoD compared to the existing schemes. Bandwidth plays a crucial role in network infrastructure, and it is essential to develop protocols that operate efficiently without consuming excessive bandwidth. This holds true for authentication frameworks, where it is
important to prioritize bandwidth efficiency. In Fig. 10, a comparative analysis of bandwidth consumption is presented as the number of users increases in the network. Notably, the proposed PAF-IoD demonstrates superior performance in terms of utilizing low bandwidth resources compared to other related frameworks.

Figure 8. Computational overhead at $GS_j$ with the increase of authentication requests.

Figure 9. Comparison of communication cost required for accomplishing the LKA phase.

Figure 10. Comparison of bandwidth requirement for accomplishing the LKA phase with the increase in users.

VIII. CONCLUSION

Securing information in the infrastructure of the Internet of Drones (IoD) poses significant challenges. We proposed an innovative authentication mechanism called PAF-IoD that combines physical unclonable functions (PUFs) and authentication encryption to guarantee secure and private communication among constituents within the IoD network. The PAF-IoD framework enabled the user and the Ground Station (GS) to mutually authenticate before the GS helps the user and the drone to generate a session key. Then, encrypted communications are accomplished utilizing the generated session key. We conducted both informal and formal ROR-based security evaluations to verify PAF-IoD’s security. Additionally, we used software tools to show the capability of PAF-IoD to resist several security attacks. Finally, we evaluated the performance of PAF-IoD in terms of communication and computational costs. Our evaluation revealed that PAF-IoD offers enhanced security functionalities while demanding a relatively low communication cost (ranging from 9.64% to 41.69%) and a low computational cost (also ranging from 52.32% to 73.83%).

In future work, we plan to integrate the blockchain technology alongside the AEAD scheme to provide the robust security traits in the IoD environments.

IX. ACKNOWLEDGMENT

This study is supported via funding from Prince Sattam bin Abdulaziz University project number (PSAU/2024/R/1445)

REFERENCES

[1] A. Irshad, S. A. Chaudhry, A. Ghani, and M. Bilal, “A secure blockchain-oriented data delivery and collection scheme for 5g-enabled iod environment,” Computer Networks, vol. 195, p. 108219, 2021.
[2] P. Yang, X. Cao, T. Q. S. Quek, and D. O. Wu, “Networking of internet of uavs: Challenges and intelligent approaches,” IEEE Wireless Communications, pp. 1–11, 2022.
[3] S. O. Ajakwe, D.-S. Kim, and J. M. Lee, “Drone transportation system: Systematic review of security dynamics for smart mobility,” IEEE Internet of Things Journal, 2023.
[4] A. Derhab, O. Cheikhrouhou, A. Allouch, A. Koubaa, B. Qureshi, M. A. Ferrag, L. Maglaras, and F. A. Khan, “Internet of Drones security: Taxonomies, open issues, and future directions,” Vehicular Communications, p. 100552, 2022.
[5] R. Vinoth, L. J. Deborah, P. Vijayakumar, and N. Kumar, “Secure multifactor authenticated key agreement scheme for industrial iot,” IEEE Internet of Things Journal, vol. 8, no. 5, pp. 3801–3811, 2020.
[6] J. Won, S.-H. Seo, and E. Bertino, “Certificateless cryptographic protocols for efficient drone-based smart city applications,” IEEE Access, vol. 5, pp. 3721–3749, 2017.
[7] M. Wazid, A. K. Das, N. Kumar, and M. Alazab, “Designing authenticated key management scheme in 6G-enabled network in a box deployed for industrial applications,” IEEE Transactions on Industrial Informatics, vol. 17, no. 10, pp. 7174–7184, 2021.
[8] J. Srinivas, A. K. Das, M. Wazid, and A. V. Vasilakos, “Designing secure user authentication protocol for big data collection in IoT-based intelligent transportation system,” IEEE Internet of Things Journal, vol. 8, no. 9, pp. 7727–7744, 2021.
[9] Z. Ali, S. A. Chaudhry, M. S. Ramzan, and F. Al-Turjman, “Securing smart city surveillance: A lightweight authentication mechanism for unmanned vehicles,” IEEE Access, vol. 8, pp. 43711–43724, 2020.
[10] J. Srinivas, A. K. Das, N. Kumar, and J. J. P. C. Rodrigues, “TCALAS: Temporal credential-based anonymous lightweight authentication scheme for Internet of Drones environment,” IEEE Transactions on Vehicular Technology, vol. 68, no. 7, pp. 6903–6916, 2019.
[11] T. Alladi, V. Chamola, N. Kumar et al., “PARTH: A two-stage lightweight mutual authentication protocol for UAV surveillance networks,” Computer Communications, vol. 160, pp. 81–90, 2020.
[12] M. Wazid, A. K. Das, N. Kumar, A. V. Vasilakos, and J. J. P. C. Rodrigues, “Design and analysis of secure lightweight remote user authentication and key agreement scheme in Internet of Drones deployment,” IEEE Internet of Things Journal, vol. 6, no. 2, pp. 3572–3584, 2019.
[13] M. Nikooghadam, H. Amintoosi, S. H. Islam, and M. F. Moghadam, “A provably secure and lightweight authentication scheme for Internet of Drones for smart city surveillance,” Journal of Systems Architecture, vol. 115, p. 101955, 2021.
[14] Y. Kirsal Ever, “A secure authentication scheme framework for mobile-sinks used in the Internet of Drones applications,” Computer Communications, vol. 155, pp. 143–149, 2020. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S014036641930790X
[15] M. Tanveer, A. U. Khan, N. Kumar, and M. M. Hassan, “RAMP-IoD: A robust authenticated key management protocol for the Internet of Drones,” IEEE Internet of Things Journal, vol. 9, no. 2, pp. 1339–1353, 2022.
[16] R. Amin, S. Jayaswal, V. Sureshkumar, B. Rathore, A. Jha, and M. Abdussami, “IoDseC++: authenticated key exchange protocol for cloud-enable internet of drone communication,” Journal of Ambient Intelligence and Humanized Computing, pp. 1–14, 2023.
[17] M. Tanveer, A. Alkhayyat, A. U. Khan, N. Kumar, and A. G. Alharbi, “REAP-IIoT: Resource-efficient authentication protocol for the industrial Internet of Things,” IEEE Internet of Things Journal, vol. 9, no. 23, pp. 24453–24465, 2022.
[18] Y. Zhang, D. He, L. Li, and B. Chen, “A lightweight authentication and key agreement scheme for Internet of Drones,” Computer Communications, vol. 154, pp. 455–464, 2020.
[19] S. Hussain, M. Farooq, B. A. Alzahrani, A. Albeshri, K. Alsubhi, and S. A. Chaudhry, “An efficient and reliable user access protocol for Internet of Drones,” IEEE Access, pp. 1–1, 2023.
[20] M. Tanveer, G. Abbas, Z. H. Abbas, M. Bilal, A. Mukherjee, and K. S. Kwak, “LAKE-6SH: Lightweight user authenticated key exchange for 6LoWPAN-based smart homes,” IEEE Internet of Things Journal, vol. 9, no. 4, pp. 2578–2591, 2022.
[21] S. Hussain, S. A. Chaudhry, O. A. Alomari, M. H. Alsharif, M. K. Khan, and N. Kumar, “Amassing the security: An ECC-based authentication scheme for Internet of Drones,” IEEE Systems Journal, vol. 15, no. 3, pp. 4431–4438, 2021.
[22] T. Wu, X. Guo, Y. Chen, S. Kumari, and C. Chen, “Amassing the security: An enhanced authentication protocol for drone communications over 5G networks,” Drones, vol. 6, no. 1, p. 10, 2022.
[23] M. Zhang, C. Xu, S. Li, and C. Jiang, “On the security of an ECC-based authentication scheme for Internet of Drones,” IEEE Systems Journal, vol. 16, no. 4, pp. 6425–6428, 2022.
[24] S. Yu, A. K. Das, Y. Park, and P. Lorenz, “SLAP-IoD: Secure and lightweight authentication protocol using physical unclonable functions for Internet of Drones in smart city environments,” IEEE Transactions on Vehicular Technology, vol. 71, no. 10, pp. 10374–10388, 2022.
[25] M. Tanveer, H. Shah, S. A. Chaudhry, A. Naushad et al., “PASKE-IoD: Privacy-protecting authenticated key establishment for Internet of Drones,” IEEE Access, vol. 9, pp. 145683–145698, 2021.
[26] C. Pu, A. Wall, K.-K. R. Choo, I. Ahmed, and S. Lim, “A lightweight and privacy-preserving mutual authentication and key agreement protocol for Internet of Drones environment,” IEEE Internet of Things Journal, vol. 9, no. 12, pp. 9918–9933, 2022.
[27] K. Lounis, S. H. H. Ding, and M. Zulkernine, “D2D-MAP: A drone to drone authentication protocol using physical unclonable functions,” IEEE Transactions on Vehicular Technology, vol. 72, no. 4, pp. 5079–5093, 2023.
[28] M. A. Khan, H. Shah, S. U. Rehman, N. Kumar, R. Ghazali, D. Shehzad, and I. Ullah, “Securing Internet of Drones with identity-based proxy signcryption,” IEEE Access, vol. 9, pp. 89133–89142, 2021.
[29] P. Gope and B. Sikdar, “An efficient privacy-preserving authenticated key agreement scheme for edge-assisted Internet of Drones,” IEEE Transactions on Vehicular Technology, vol. 69, no. 11, pp. 13621–13630, 2020.
[30] R. Karmakar, G. Kaddoum, and O. Akhrif, “A PUF and fuzzy extractor-based UAV-ground station and UAV-UAV authentication mechanism with intelligent adaptation of secure sessions,” IEEE Transactions on Mobile Computing, pp. 1–18, 2023.
[31] F. Abed, C. Forler, and S. Lucks, “General classification of the authenticated encryption schemes for the CAESAR competition,” Computer Science Review, vol. 22, pp. 13–26, 2016.
[32] M. Tanveer, M. Ahmad, H. S. Khalifa, A. Alkhayyat, and A. A. Abd El-Latif, “A new anonymous authentication framework for secure smart grids applications,” Journal of Information Security and Applications, vol. 71, p. 103336, 2022.
[33] S. A. Chaudhry, A. Irshad, M. A. Khan, S. A. Khan, S. Nosheen, A. A. AlZubi, and Y. B. Zikria, “A lightweight authentication scheme for 6G-IoT enabled maritime transport system,” IEEE Transactions on Intelligent Transportation Systems, vol. 24, no. 2, pp. 2401–2410, 2023.
[34] A. Irshad, G. A. Mallah, M. Bilal, S. A. Chaudhry, M. Shafiq, and H. Song, “SUSIC: A secure user access control mechanism for SDN-enabled IIoT and cyber physical systems,” IEEE Internet of Things Journal, pp. 1–1, 2023.
[35] J. Srinivas, A. K. Das, M. Wazid, and A. V. Vasilakos, “Designing secure user authentication protocol for big data collection in IoT-based intelligent transportation system,” IEEE Internet of Things Journal, vol. 8, no. 9, pp. 7727–7744, 2020.
[36] B. A. Alzahrani, A. Barnawi, and S. A. Chaudhry, “A resource-friendly authentication protocol for UAV-based massive crowd management systems,” Security and Communication Networks, vol. 2021, pp. 1–12, 2021.
[37] V. Sureshkumar, R. Amin, V. Vijaykumar, and S. R. Sekar, “Robust secure communication protocol for smart healthcare system with fpga implementation,” Future Generation Computer Systems, vol. 100, pp. 938–951, 2019.
[38] H. Wu and B. Preneel, “AEGIS: A fast authenticated encryption algorithm,” in Selected Areas in Cryptography–SAC 2013: 20th International Conference, Burnaby, BC, Canada, August 14-16, 2013, Revised Selected Papers 20. Springer, 2014, pp. 185–201.
[39] M. Tanveer, A. Badshah, H. Alasmary, S. A. Chaudhry et al., “Cmaf-iiot: Chaotic map-based authentication framework for industrial internet of things,” Internet of Things, vol. 23, p. 100902, 2023.
[40] M. Tanveer, H. Alasmary, N. Kumar, and A. Nayak, “Saaf-iod: Secure and anonymous authentication framework for the internet of drones,” IEEE Transactions on Vehicular Technology, 2023.
[41] T. Alladi, N. Naren, G. Bansal, V. Chamola, and M. Guizani, “SecAuthUAV: A novel authentication scheme for UAV-ground station and UAV-UAV communication,” IEEE Transactions on Vehicular Technology, vol. PP, 10 2020.
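Added example (not part of the paper): the Python script below re-derives the PAF-IoD figures of Section VII from the page's own inputs, namely the Table IV timings, the per-node operation counts of Section VII-B and the message layouts of Section VII-C, and then computes the savings against the totals reported for [34]-[37]. The function names, the `edge`/`gs` device labels and the use of the 4 µs PUF time on both devices are assumptions of this example.

```python
"""Added example: re-derive PAF-IoD's Section VII cost figures from the page's numbers."""
import re
from collections import Counter

# Table IV timings in milliseconds. "edge" (Raspberry Pi 3: Ui, Dk) and "gs"
# (Core i5: GSj) are labels chosen for this example.
TABLE_IV_MS = {
    "Tae":  {"edge": 0.391, "gs": 0.06},
    "Tecc": {"edge": 2.97,  "gs": 0.96},
    "Tenc": {"edge": 0.594, "gs": 0.0694},
    "Teca": {"edge": 0.121, "gs": 0.0102},
    "Th":   {"edge": 0.371, "gs": 0.0499},
    "Tb":   {"edge": 2.97,  "gs": 0.96},
    # 4 us PUF time quoted in the text; applying it to both devices is an assumption.
    "Tp":   {"edge": 0.004, "gs": 0.004},
}
NODE_DEVICE = {"Ui": "edge", "GSj": "gs", "Dk": "edge"}

# Per-node LKA operation counts for PAF-IoD, copied from Section VII-B.
PAF_IOD_OPS = {"Ui": "4Th + 5Tae + Tb", "GSj": "Th + 5Tae", "Dk": "3Th + 2Tae + Tb + Tp"}

# LKA message layouts from Section VII-C.
PAF_IOD_MESSAGES = {
    "MG1": ["T1", "Qr1", "Qr2", "Q4", "Q5", "MCr", "MC2"],
    "MG2": ["T2", "Q6", "Q7", "Q8", "Q9", "Q10", "MC3"],
    "MG3": ["T3", "Q11", "Q12", "Q13", "Q14", "Q15", "MC4"],
}

# Totals the page reports for the compared schemes: (milliseconds, bits).
REPORTED = {"[34]": (44.42, 3040), "[35]": (24.390, 2656),
            "[36]": (40.211, 3264), "[37]": (39.138, 4116)}

_TERM = re.compile(r"(\d*)\s*(T[a-z]+)")


def parse_cost(expr):
    """Turn '4Th + 5Tae + Tb' into Counter({'Tae': 5, 'Th': 4, 'Tb': 1})."""
    counts = Counter()
    for term in expr.split("+"):
        match = _TERM.fullmatch(term.strip())
        if match is None or match.group(2) not in TABLE_IV_MS:
            raise ValueError(f"unrecognised cost term: {term!r}")
        counts[match.group(2)] += int(match.group(1) or 1)
    return counts


def node_cost_ms(node, expr):
    """Evaluate one node's expression with the timing column of its device."""
    device = NODE_DEVICE[node]
    return sum(n * TABLE_IV_MS[op][device] for op, n in parse_cost(expr).items())


def scheme_cost(ops_by_node):
    """Return (per-node ms, total ms, operation counts merged over all nodes)."""
    per_node = {node: node_cost_ms(node, expr) for node, expr in ops_by_node.items()}
    merged = Counter()
    for expr in ops_by_node.values():
        merged.update(parse_cost(expr))
    return per_node, sum(per_node.values()), merged


def message_bits(fields):
    """32-bit timestamps (T1, T2, ...), 128 bits for every other field."""
    return sum(32 if re.fullmatch(r"T\d+", f) else 128 for f in fields)


def communication_bits(messages):
    """Total bits over all messages of one LKA run."""
    return sum(message_bits(fields) for fields in messages.values())


def saving_percent(ours, theirs):
    """Relative reduction of `ours` against a baseline, in percent."""
    return 100.0 * (theirs - ours) / theirs


def compare():
    """Savings of PAF-IoD against each reported baseline: {ref: (cpu %, bits %)}."""
    _, total_ms, _ = scheme_cost(PAF_IOD_OPS)
    bits = communication_bits(PAF_IOD_MESSAGES)
    return {ref: (saving_percent(total_ms, ms), saving_percent(bits, b))
            for ref, (ms, b) in REPORTED.items()}


if __name__ == "__main__":
    per_node, total_ms, merged = scheme_cost(PAF_IOD_OPS)
    for node, ms in per_node.items():
        print(f"{node:>3}: {PAF_IOD_OPS[node]:<22} = {ms:.3f} ms")
    print(f"sum: {dict(merged)} = {total_ms:.3f} ms, "
          f"{communication_bits(PAF_IOD_MESSAGES)} bits")
    for ref, (cpu, comm) in compare().items():
        print(f"vs {ref}: {cpu:.2f}% less computation, {comm:.2f}% fewer bits")
```

Summing the three per-node expressions gives 8Th + 12Tae + 2Tb + Tp, which evaluates to the 11.628 ms total the section reports. The communication savings against [35] and [37] reproduce the 9.64% and 41.69% endpoints quoted in the conclusion.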