A Certificateless Pairing-Free Authentication Scheme for Unmanned Aerial Vehicle Networks

Guangxi Key Laboratory of Cryptography and Information Security, School of Computer Science and Information Security, Guilin University of Electronic Technology, Guilin, China; Hangzhou Innovation Institute, Beihang University, Hangzhou, China; Cyberspace Security Research Center, Pengcheng Laboratory, Shenzhen, China; School of Cyber Security and Computer, Hebei University, Baoding, China; School of Information and Communication, Guilin University of Electronic Technology, Guilin, China; School of Mathematics and Computing Science, Guilin University of Electronic Technology, Guilin, China


Introduction
Unmanned aerial vehicles in UAVNs have been widely used in many civilian and military fields, for example, data collection, communication relay, and military electronic reconnaissance [1]. Unmanned aerial vehicles can be classified into three categories according to the working mode, namely, unmanned aerial vehicles under the control of a remote operator, under the supervision of a remote supervisor, and without an operator and supervisor. UAVNs can be deployed in mesh topology or multistar topology [2]. With the mesh topology, all unmanned aerial vehicles are connected to CMC directly, where all communication between unmanned aerial vehicles and CMC may cause network congestion. Although with the mesh topology each unmanned aerial vehicle can communicate with every other, the network is hard to expand and control [3]. With the multistar topology, each unmanned aerial vehicle is connected to CMC; thus, any illegal requests or responses in UAVNs can be easily detected.
However, when deployed in an open communication environment, the UAVN system confronts many security issues [4,5]. Due to multiple connections among unmanned aerial vehicles, a malicious entity may control some unmanned aerial vehicle or launch impersonation attacks. Thus, it is important to enforce a secure and efficient authentication mechanism in UAVNs [6,7]. Recently, Wang et al. [8] proposed an identity-based authentication scheme, which did not consider the verification mechanisms at the AGT side for validating the real sources of the authentication request from CMC and responses from UAVs. Li et al. [9] designed an identity-based aggregate authentication framework in bilinear groups, where the private keys of UAVs are generated by KGC. Thus, a malicious KGC may launch attacks by sending illegal authentication requests to AGTs and UAVs.

Our Contributions.
To address the abovementioned issues, this paper proposes a certificateless pairing-free aggregate authentication scheme (CLAS) for UAVNs. In CLAS, KGC is responsible for generating partial private keys for all entities including CMC, AGTs, and UAVs. Each AGT acts as the cluster head of some cluster and plays the role of an intermediary between CMC and UAVs in the respective cluster. Each authentication request from CMC can be validated by AGT, which is then attested and broadcast to UAVs in its administrative domain. A verification process can be run by each UAV so that the true source of the (forwarded) authentication request can be validated. AGT can aggregate all responses of UAVs in its administrative cluster before performing the verification procedure in batch. Then, the response of AGT is further combined with the aggregated responses of UAVs, which can be validated by CMC in batch to complete the authentication process.
This paper describes a concrete CLAS construction based on the certificateless signature technology. Security analysis shows that our CLAS construction can prevent a malicious entity from forging the authentication request and responses of others and can resist a malicious KGC. Performance comparison shows that our CLAS construction enjoys better computational efficiency compared with Wang et al.'s scheme [8] and Li et al.'s scheme [9].

Related Works.
Taking advantage of recent advancement and development in information and communication technology, unmanned aerial vehicles have been employed to perform some special tasks in real-world applications [10]. In [11], Islam and Shin proposed a blockchain-based solution for safe healthcare, which uses the unmanned aerial vehicle (UAV) to collect health data (HD) from users. Liu et al. [1] presented a detailed survey on the opportunities and challenges of IoE supported by unmanned aerial vehicles. Jiang et al. [12] proposed a trust-based energy efficient data collection with the unmanned aerial vehicle (TEEDC-UAV) scheme, which can prolong lifetime in a trusted way. In the TEEDC-UAV scheme, an ant colony-based unmanned aerial vehicle (UAV) trajectory optimization algorithm was proposed, which constituted the most data anchor points in the working field with the shortest trajectory possible. In view of the untrusted broadcast features and wireless transmission of UAV networks, a novel privacy-preserving secure spectrum trading and sharing scheme based on blockchain technology is proposed in [13].
For the Internet of Drones (IoD) infrastructure, Cho et al. [14] proposed a framework called SENTINEL (Secure and Efficient autheNTIcation for uNmanned aErial vehicLes). Khanh et al. [15] presented a safe and effective authentication mechanism suitable for the dynamic environment of the unmanned aerial vehicle. In order to solve the information security problem of unmanned aerial vehicle ad-hoc network communication, Sun et al. [2] introduced an efficient and energy-saving distributed network architecture based on clustering stratification. Owing to the unreliable wireless channel and high-dynamic topology of Unmanned Aerial Vehicles Ad-Hoc Network (UAANET), the loss of certain group key broadcast messages by nodes occurs frequently. Therefore, Li et al. [16] proposed a mutual-healing group key distribution scheme based on the blockchain. Yang et al. [17] investigated degradation-of-QoS attacks in vehicular ad hoc networks, where the attacker is able to relay the authentication exchanges but cannot relay the service afterwards. In [18], Gope et al. proposed a novel anonymous authentication scheme for RFID-enabled UAV applications using Physically Unclonable Functions (PUF).
Al-Riyami et al. [19] first introduced and made concrete the concept of certificateless public key cryptography (CL-PKC), a model for the use of public key cryptography which avoids the inherent escrow of identity-based cryptography.
Baek et al. [20] considered a relaxation of the original model of CLPKE and proposed a new CLPKE scheme that does not depend on the bilinear pairings. In order to ensure security for interactions between these smart things, Yeh et al. [21] presented a certificateless signature scheme for smart objects in IoT-based pervasive computing environments. Jia et al. [22] made an improvement on the scheme of Yeh et al.'s certificateless signature scheme; they presented an improved scheme and demonstrated its unforgeability against superadversaries in the random oracle model. Zhao et al. [23] presented an advanced efficient CLAS scheme with elliptic curve cryptography for the IoV environment. Furthermore, their scheme used pseudonyms in communications to prevent vehicles from revealing their identity. Shu et al. [24] presented a certificateless aggregate signature scheme for blockchain-based MCPS, which can realize the authentication of related medical staffs, medical equipment, and medical apps, ensure the integrity of medical records, and support the secure storage and sharing of medical information.

Paper Organization.
The structure of this paper is organized as follows. In Section 2, we introduce the system architecture and system requirements for CLAS. A concrete CLAS construction is presented in Section 3, followed by its security and efficiency analysis in Section 4. Finally, Section 5 concludes the paper.

System Architecture and Requirements
This section formalizes the architecture of CLAS and summarizes its system requirements.

System Architecture.
As shown in Figure 1, there are four types of entities in a CLAS system, namely, key generation center (KGC), command center (CMC), reconnaissance unmanned aerial vehicles (UAVs), and aggregators (AGTs). KGC is assumed to be fully trusted by all the entities, which is responsible for initializing the CLAS system by generating system public parameters and producing partial private keys for all entities in UAVNs. After system initialization, CMC performs the mutual authentication process with unmanned aerial vehicles before assigning tasks. CMC initializes the authentication process so that AGT can validate, attest, and broadcast the authentication request to its administrated UAVs.
As the intermediary between CMC and UAV, AGT has the computing and communication capabilities to manage its UAV cluster. UAV only has limited short-distance communication capability; thus, its communication with CMC is performed via the AGT in the cluster. Before responding to the authentication request of CMC, each UAV can verify its true source and the attested request. The responses of UAVs in the same cluster can be validated by AGT in batch. Then, the response of AGT can be further combined with that of UAVs so that the aggregated response is sent to CMC for validation.

System Requirements.
Similar to [25], we define two types of adversaries for the CLAS system, namely, Type-I adversary and Type-II adversary. A Type-I adversary acts as an outsider who can replace the public keys of CMC, AGT, and UAV but cannot access the master secret key, whereas a Type-II adversary acts as the KGC that can access the master secret key but cannot replace the public keys of CMC, AGT, and UAV. A CLAS system must satisfy the following system requirements.
Unforgeability of authentication request: in the authentication process, for the authentication request generated by CMC, it should be guaranteed that it is existentially unforgeable against Type-I adversary. That is, any entity cannot launch attacks by impersonating CMC to forge an authentication request.
Unforgeability of attested request: for the attested authentication request of AGT, it should be guaranteed that it is existentially unforgeable against Type-I adversary. That is, any entity cannot launch attacks by impersonating AGT to forge an attested authentication request.
Unforgeability of response: for the responses from UAVs in its administrative cluster of AGT, it should be guaranteed that it is existentially unforgeable against Type-I adversary. That is, any entity cannot launch attacks by impersonating some UAV to forge a response.
Unforgeability of aggregate response: for the attested authentication request of some AGT, it should be guaranteed that it is existentially unforgeable against Type-I adversary. That is, any entity cannot launch attacks by impersonating AGT to forge an aggregate response.
Resistance against malicious KGC: for the whole authentication procedure, it should be guaranteed that it is existentially unforgeable against Type-II adversary. That is, malicious KGC cannot forge a valid signature of CMC, AGT, or UAV.
A correct CLAS construction should satisfy the following conditions:
(1) For the partial private key sent by KGC, it can be successfully verified by the respective entity including CMC, AGTs, and UAVs
(2) For the authentication request generated by CMC, it can be successfully validated by AGTs
(3) For the attested authentication request forwarded by AGT, it can be successfully validated by UAVs in the same cluster
(4) For the responses of UAVs, they can be validated by AGT in the same cluster
(5) For the aggregate response from AGT, it can be successfully validated by CMC

CLAS Construction
This section describes our concrete CLAS construction. The authentication process in UAVNs is shown in Figure 2.
The Discrete Logarithm Assumption in Elliptic Curve (ECDLP): let $G$ be an elliptic curve group with prime order $q$. Given $P$ and $Q \in G$, any probabilistic polynomial time algorithm $\xi$ would have negligible probability in computing $x \in \mathbb{Z}_q^*$ such that $Q = xP$.

System Setup.
On inputting a security parameter $l \in \mathbb{Z}^+$, KGC chooses an additive group $G$ with prime order $q$ on some elliptic curve, where $P$ is a generator of $G$. Then, KGC chooses $b \in \mathbb{Z}_q^*$ randomly and computes $a = e + b H_1(\text{CMC} \| A \| B) \bmod q$.
Then, KGC sends the partial private key $(a, A)$ to CMC through a secure channel. CMC can validate the partial private key as follows:
CMC sets a secret value and generates its public key $PK_c$ and private key $SK_c$ as follows. CMC chooses a random number $s \in \mathbb{Z}_q^*$ and computes
Then, CMC sets $PK_c = (A, M)$ and $SK_c = (a, s)$.

Key Generation for
where
Then, KGC sends the partial private key $(y_i, Y_i)$ to $W_i$ through a secure channel. The unmanned aerial vehicle $W_i$ can validate the partial private key as follows:
The unmanned aerial vehicle $W_i$ sets a secret value and generates its public key $PK_i$ and private key $SK_i$ as follows. $W_i$ chooses a random number $c_i \in \mathbb{Z}_q^*$ and computes $C_i = c_i P$, where
Then, the unmanned aerial vehicle $W_i$ sets $PK_i = (Y_i, Q_i)$ and $SK_i = (y_i, c_i)$.

Authentication Request.
Let $T \in \{0, 1\}^*$ denote the request information chosen by CMC, which contains the timestamp. CMC randomly picks $k \in \mathbb{Z}_q^*$ and computes $\delta = kP$, $\theta = k + H_3(T \| \delta \| \text{CMC} \| PK_c)\,a + H_2(\text{CMC} \| F)\,s \bmod q$.
Then, CMC sends the authentication request $(T, \delta, \theta)$ to AGTs.

Request Forwarding.
After receiving the request $(T, \delta, \theta)$ from CMC, each AGT $W_n$ validates its authenticity by checking the following equality:
If it holds, then AGT $W_n$ accepts the authentication request from CMC, otherwise terminates. AGT $W_n$ randomly chooses $r_n \in \mathbb{Z}_q^*$ and computes $R_n = r_n P$, $S_n = \theta + r_n + h_{4,n} y_n + h_{2,n} c_n \bmod q$, where $h_{4,n} = H_4(T \| \delta \| W_n \| PK_n \| R_n)$,
At last, AGT $W_n$ broadcasts the tuple of attested authentication request $(T, \delta, R_n, S_n)$ to all UAVs $W_i$ ($i = 1, 2, \ldots, n-1$) in its administrative domain.

UAV Response.
Upon receiving $(T, \delta, R_n, S_n)$ from AGT $W_n$, each UAV $W_i$ ($i = 1, 2, \ldots, n-1$) verifies its authenticity by checking the following equality:
where
If it holds, then UAV $W_i$ accepts the authentication request from CMC, otherwise terminates. $W_i$ randomly picks $f_i \in \mathbb{Z}_q^*$ and computes
where
Then, UAV $W_i$ sends the response tuple $\sigma_i = (V_i, L_i)$ to AGT $W_n$.

AGT Aggregation.
Upon receiving the response tuples
Then, AGT $W_n$ verifies the authenticity of the received response tuples in a batch as follows:
where
If it holds, then all response tuples of $W_i$ ($i = 1, 2, \ldots, n-1$) are valid; otherwise, $W_n$ validates each response tuple individually to find the invalid one. AGT $W_n$ continues to pick a random element $f_n \in \mathbb{Z}_q^*$ and compute $X_n = X_{n-1} + f_n P$, (33)
where $L_n = f_n + h_{4,n} y_n + h_{2,n} c_n \bmod q$, $h_{4,n} = H_4(T \| \delta \| W_n \| PK_n \| f_n P)$,
Then, AGT $W_n$ sends the aggregate response $(X_n, Z_n)$ to CMC.

CMC Verification.
Upon receiving the aggregate response $(X_n, Z_n)$ from AGT $W_n$, CMC validates its authenticity by checking the following equality:
where
If it holds, then AGT $W_n$ and UAVs $W_i$ ($i = 1, 2, \ldots, n-1$) are all accepted as legitimate.
(1) For the authentication request $(T, \delta, \theta)$ generated by CMC, equality (16) is satisfied as follows:
(2) For the attested authentication request $(T, \delta, R_n, S_n)$ from AGT $W_n$, equality (21) is satisfied as follows: $S_n P = \theta P + r_n P + (h_{4,n} y_n + h_{2,n} c_n) P$
(3) For the response tuples $\{(V_i, L_i)\}_{i=1}^{n-1}$ from the controlled UAVs $W_i$ ($i = 1, 2, \ldots, n-1$), equality (30) holds as follows:
(4) For the aggregate response tuple $(V_n, L_n)$ from AGT $W_n$, equality (37) holds as follows:
Thus, the proposed CLAS construction is correct.
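The batch check that AGT runs over the UAV responses, together with its per-tuple fallback, as an added sketch (not the paper's code or its JPBC implementation). Assumptions, since the page does not reproduce the corresponding equations: secp256k1 and SHA-256 stand in for the curve and for $H_1$, $H_2$, $H_4$; $B = bP$ and $Y_i = e_i P$; the UAV response has the same form as $L_n$; the hash inputs and the checks $y_i P = Y_i + H_1(\cdot)B$ and $L_i P = V_i + h_{4,i}(Y_i + H_1(\cdot)B) + h_{2,i} C_i$ follow by analogy with the formulas given for $a$ and $L_n$.

```python
import hashlib
import secrets

# secp256k1 domain parameters (assumption: stands in for the paper's JPBC Type A curve)
p = 2**256 - 2**32 - 977
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, p) if A == B
           else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, A):  # double-and-add; not constant time, illustration only
    R, k = None, k % q
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def H(tag, *parts):  # domain-separated SHA-256 into Z_q, standing in for H1, H2, H4
    return int.from_bytes(hashlib.sha256(repr((tag, parts)).encode()).digest(), "big") % q

def rand():  # uniform element of Z_q^*
    return secrets.randbelow(q - 1) + 1

def partial_key(b, B, ident):  # KGC: y = e + b*H1(ident||Y||B) mod q, with Y = eP assumed
    e = rand()
    Y = mul(e, P)
    return (e + b * H("H1", ident, Y, B)) % q, Y

def check_partial_key(B, ident, y, Y):  # assumed check: yP == Y + H1(ident||Y||B)*B
    return mul(y, P) == add(Y, mul(H("H1", ident, Y, B), B))

def respond(ident, sk, pk, T, delta):  # UAV: V = fP, L = f + h4*y + h2*c mod q
    (y, c), f = sk, rand()
    V = mul(f, P)
    h4, h2 = H("H4", T, delta, ident, pk, V), H("H2", ident, pk)  # hash inputs assumed
    return V, (f + h4 * y + h2 * c) % q

def expected_point(B, ident, pk, T, delta, V):
    """Right-hand side of L*P = V + h4*(Y + H1*B) + h2*C, built from public values only."""
    Y, C = pk
    h4, h2 = H("H4", T, delta, ident, pk, V), H("H2", ident, pk)
    return add(V, add(mul(h4, add(Y, mul(H("H1", ident, Y, B), B))), mul(h2, C)))

def batch_verify(B, pks, T, delta, resps):
    """AGT: compare (sum of L_i)*P with the sum of the per-UAV expected points."""
    Z, total = 0, None
    for ident, (V, L) in resps.items():
        Z = (Z + L) % q
        total = add(total, expected_point(B, ident, pks[ident], T, delta, V))
    return mul(Z, P) == total

def find_invalid(B, pks, T, delta, resps):
    """Fallback after a failed batch check: test each response tuple individually."""
    return [i for i, (V, L) in resps.items()
            if mul(L, P) != expected_point(B, i, pks[i], T, delta, V)]

def demo(n_uavs=3):
    b = rand()
    B = mul(b, P)                                     # master secret b, public B = bP (assumed)
    T, delta = "task|ts=1700000000", mul(rand(), P)   # constructed request fields
    pks, resps = {}, {}
    for i in range(1, n_uavs + 1):
        ident, c = f"UAV-{i}", rand()
        y, Y = partial_key(b, B, ident)
        pks[ident] = (Y, mul(c, P))                   # PK_i = (Y_i, c_i P)
        resps[ident] = respond(ident, (y, c), pks[ident], T, delta)
    ok = batch_verify(B, pks, T, delta, resps)
    V, L = resps["UAV-2"]
    resps["UAV-2"] = (V, (L + 1) % q)                 # tampered response
    return ok, batch_verify(B, pks, T, delta, resps), find_invalid(B, pks, T, delta, resps)
```

Calling `demo()` returns the batch result for honest responses, the batch result after one response is altered, and the identities the fallback isolates.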

System Analysis
This section analyzes the security and performance of the proposed CLAS construction.

Security Analysis
Theorem 2. Assume that the ECDLP assumption holds in cyclic group $G$. The proposed CLAS construction can guarantee the unforgeability of the authentication request from CMC.
Proof 2. In the authentication request $(T, \delta, \theta)$ generated by CMC, the element $\theta$ is considered to be a certificateless signature of $T \| \delta \| \text{CMC} \| PK_c$. It can be seen that $\theta$ can serve as the common signature $v_i$ in Thumbur et al.'s scheme [26]. As proved in Theorem 1 in [26], their scheme is existentially unforgeable against Type-I adversary, which assumes that the ECDLP assumption holds in additive group $G$ of elliptic curve points. Therefore, any attacker cannot forge a valid authentication request of CMC without knowing public key $PK_c$, which implies the unforgeability of the authentication request from CMC can be guaranteed.

Theorem 3. Assume that the ECDLP assumption holds in cyclic group $G$. The proposed CLAS construction can guarantee the unforgeability of the attested authentication request from AGT.
Proof 3. In the attested request $(T, \delta, R_n, S_n)$ generated by AGT, the element $S_n$ is considered to be a certificateless signature on $\theta$. It can be seen that $S_n$ can serve as the common signature $v_i$ in Thumbur et al.'s scheme [26]. As proved in Theorem 1 in [26], their scheme is existentially unforgeable against Type-I adversary, which assumes that the ECDLP assumption holds in additive group $G$ of elliptic curve points. Therefore, any attacker cannot forge a valid attested request or response of AGT without knowing public key $PK_n$, which implies the unforgeability of the attested authentication request from AGT can be guaranteed.

Theorem 4. Assume that the ECDLP assumption holds in cyclic group $G$. The proposed CLAS construction can guarantee the unforgeability of the responses from UAVs.
Proof 4. For the response tuple $(V_i, L_i)$ generated by UAV $W_i$, it is considered to be a certificateless signature on $T \| \delta$. It can be seen that $(V_i, L_i)$ can serve as the common signature $v_i$ in Thumbur et al.'s scheme [26]. As proved in Theorem 1 in [26], their scheme is existentially unforgeable against Type-I adversary, which assumes that the ECDLP assumption holds in additive group $G$ of elliptic curve points. Therefore, any attacker cannot forge a valid authentication response of UAV without knowing public key $PK_i$, which implies the unforgeability of the responses from UAVs can be guaranteed.

Theorem 5. Assume that the ECDLP assumption holds in cyclic group $G$. The proposed CLAS construction can guarantee the unforgeability of the aggregate response from AGT.
Proof 5. For the aggregate response tuple $(X_n, Z_n)$ generated by CMC, it is considered as the aggregate signature on $n$ individual responses. It can be seen that $(X_n, Z_n)$ can serve as the common signature $v_i$ in Thumbur et al.'s scheme [26]. As proved in Theorem 1 in [26], their scheme is existentially unforgeable against Type-I adversary, which assumes the ECDLP assumption holds in additive group $G$ of elliptic curve points. Therefore, any attacker cannot forge a valid aggregate response of AGT without knowing public key $PK_i$, which implies the unforgeability of the aggregate response from AGT can be guaranteed.

Theorem 6. Assume that the ECDLP assumption holds in cyclic group $G$. The proposed CLAS construction can be resistant to malicious KGC.
Proof 6. For the partial private key $(y_i, Y_i)$ generated by KGC, it is considered as a Schnorr signature [27] on $W_i$. It can be seen that $(y_i, Y_i)$ can serve as the common signature $D_i$ in [26]. As proved in Theorem 2 in [26], their scheme is existentially unforgeable against Type-II adversary, which assumes that the ECDLP assumption holds in additive group $G$ of elliptic curve points. Therefore, any malicious KGC cannot forge a valid partial private key of UAVs without knowing master secret key $b$; thus, the authenticity of KGC can be guaranteed in producing a partial private key.

Functional Comparison.
Wang et al. [8] proposed an identity-based aggregate authentication scheme for UAVNs in bilinear groups. In [8], all UAVs are able to communicate with the CMC through their respective AGTs in the cluster, to perform valid authentication. There is no mechanism for AGT to validate the authenticity of CMC before forwarding the authentication request to UAVs in its administrative domain. Furthermore, when individual responses are aggregated from UAVs in the respective cluster, the AGT does not verify the authenticity of those responses.
Li et al. [9] proposed an aggregate authentication scheme, where the above two mechanisms are introduced to enhance the security of authentication in UAVNs. Note that CMC may be malicious in generating keys for UAVs, which means their scheme cannot resist a malicious KGC. In our CLAS construction, by contrast, the partial private keys for UAVs are generated by KGC. The detailed comparison of the functionalities of Wang et al.'s proposal [8], Li et al.'s proposal [9], and our CLAS construction is summarized in Table 1.
[9]. For the aggregate verification by AGT procedure, Li et al.'s scheme [9] requires $(n - 1)$ scalar point multiplications and 3 bilinear pairing operations. In the aggregate verification by CMC procedure, compared with Li et al.'s scheme [9], our scheme requires only $(n + 2)$ scalar point multiplications. More details of the comparison of computation costs are summarized in Table 2.

Experimental Performance.
To evaluate the computation cost of our CLAS construction, we conduct experiments using the Java Pairing-Based Cryptography Library (JPBC, http://gas.dia.unisa.it/projects/jpbc/), on a platform with Microsoft Windows 10 operating system, Intel(R) Core(TM) i5-6500 CPU @ 3.20 GHz, and 12 GB RAM. The elliptic curve is of Type A ($y^2 = x^3 + x$) such that $q$ is a 160-bit prime, and the element size in group $G$ is 512 bits. The performance of the procedures of our CLAS construction is depicted in Figure 3, which are system setup (Setup), key generation (SUMkgen), authentication request generation (REQgen) and attestation (REQfwd), and UAV response (UAVresp). The SUMkgen stage consists of three algorithms, partial key generation for UAV (KGCkgen), key verification for UAV (UAVerify), and key generation for UAV (UAVkgen). The setup algorithm is used to initialize the CLAS system. We can see that the majority of the computation depends on $B$, which takes roughly 144 msec.
The SUMkgen algorithm is used to generate public and private keys for UAVs, whose efficiency depends on the UAVerify and the UAVkgen algorithms. Since the partial private key is generated by KGC, the time for UAVs to generate public and private keys is reduced, which is approximately 24 msec in experiments.
The REQgen algorithm can be run to generate an authentication request. Its performance mainly depends on the computation of $\delta$, requiring one scalar point multiplication, whereas Wang et al.'s scheme [8] and Li et al.'s scheme [9] both cost two scalar point multiplications. As depicted in Figure 3, an authentication request is able to be transmitted in less than 24 msec. In the stage of REQfwd, before producing the attested request, AGT verifies the authenticity of the authentication request from CMC by checking equality (16), which takes two scalar point multiplications. It requires AGT to forward the request in roughly 0.07 seconds. Before generating a response, each UAV validates the authenticity of the attested request received from its administrative AGT, requiring 5 scalar point multiplications. As a result, it takes about 0.15 seconds for each UAV to run the response procedure, while Li et al.'s scheme [9] requires more computational costs, i.e., 4 bilinear pairing operations.
In the response aggregation procedure, AGT needs to aggregate the elements $V_i$, $L_i$ in the received response tuples. It can be seen that prior to the batch verification of these responses, only $(n + 1)$ scalar point multiplications are required in equality (30), as compared to Li et al.'s scheme [9].
In the simulation, a variety of scenarios for the number of unmanned aerial vehicles are considered, that is, $n = 10, 20, \ldots, 100$, and the amount of UAVs consists of one AGT and $(n - 1)$ UAVs. AGT aggregates and verifies $(n - 1)$ response tuples of UAVs and further aggregates all the response tuples including its response. The experimental results are shown in Figure 4, which indicates a linear correlation between the computation time of this process and the number of unmanned aerial vehicles in a single cluster.
For the process of aggregating verification by CMC, Figure 5 shows the computation time that the CMC verifies the aggregate response from AGT for a single cluster. We also consider multiple cases where the number of unmanned aerial vehicles in a single cluster are $n = 10, 20, \ldots, 100$, respectively. As shown in equality (37), CMC is required to compute $(n + 2)$ scalar point multiplications. It can be seen from Figure 5 that there is also a linear correlation between the computation time of this process and the number of unmanned aerial vehicles in a single cluster.
$(n + 1)T_{SM}$, $(n + 2)T_{SM}$; Li et al. [9]: $2nT_{SM}$, $2T_{BP}$, $2T_{SM}$, $(n - 1)T_{SM} + 3T_{BP}$, $nT_{SM} + 3T_{BP}$; Wang et al. [8]: $nT$

Conclusion
To address the security problems in UAVNs, this paper proposed a CLAS construction without bilinear groups to realize efficient mutual authentication between control center and unmanned aerial vehicles. After the system is initialized, KGC produces the partial private key for each entity. CMC sends the authentication request to AGT; then, AGT forwards the attested request to UAVs in its administrative cluster. All response tuples of UAVs are validated by the cluster head AGT and then forwarded to CMC for further verification. Security analysis showed that our CLAS construction can not only provide unforgeability for (attested) authentication request and (aggregate) responses but also can resist malicious KGC. Experimental analysis demonstrated that the proposed CLAS construction enjoys practical performance.

Data Availability
No data were used to support the findings of this study.