A Drone-Assisted Anonymous Authentication and Key Agreement Protocol with Access Control for Accident Rescue in the Internet of Vehicles

Abstract

The drone-assisted Internet of Vehicles (DIoV) displays great potential in the punctual provision of rescue services without geographical limitations. To ensure data security in accident response and rescue services, authentication schemes with access control are employed. These schemes ensure that only specific rescue vehicle operators acting within a valid period can achieve mutual authentication from a designated processor, while access for mismatched, revoked, or expired users is denied. However, the current alternatives fail to ensure session key forward secrecy, entities’ mutual authentication, and user anonymity, thereby compromising users’ privacy and the security of communications. Moreover, executing too many time-consuming operations on vehicles’ resource-constrained devices inevitably degrades the performance of the authentication protocol. Balancing security and performance in the design of an authentication protocol with access control presents a significant challenge. To address this, a more efficient and robust authentication with access control has been designed. The proposed protocol ensures user anonymity through dynamic pseudonym allocation, achieves forward secrecy by excluding the long-term key from session key generation, and obtains mutual authentication by verifying the integrity of the messages exchanged. According to the security and performance analysis, it is demonstrated that the proposal is a robust, efficient, and cost-effective solution. In particular, the proposal can reduce the computational overhead by 66% compared to recent alternatives.

1. Introduction

Originally utilized for military purposes, drones—or unmanned aerial vehicles—are anticipated to become integral to the Internet of Vehicles (IoV), leveraging their capabilities for three-dimensional movement, high maneuverability, autonomous operation, and communication processing [1]. In remote mountainous regions, the traditional communication infrastructure fails to support timely data transmission for the IoV, particularly during critical periods such as vehicle accidents [2].

In the traffic accident rescue scenario of the DIoV, shown in Figure 1, the drone of the command center, serving as a drone gateway, provides prompt and sustainable services to facilitate accident investigations, and it allows the different departments in urban areas to quickly dispatch their own rescue vehicles to offer accident and emergency services (e.g., fire and medical services and road traffic accident clearing).

However, malicious entities illegally accessing and potentially disrupting the transmitted data pose a significant safety hazard that cannot be overlooked in traffic accident rescue scenarios [3,4]. The technologies of multi-factor authentication (involving a password, a smart card and other factors) and key agreement [5,6] can be used to protect the transmitted data from unauthorized access or disruption. Upon mutual authentication, tunnels are built among rescue vehicles’ users and the processor, and a session key will be established for secure communication [7,8].

Furthermore, an issue arises regarding how to provide specific rescue vehicles with legal access to particular data within a valid period, highlighting the need for fine-grained access control [9]. In this type of scheme, depending on the type and responsibilities of the rescue vehicle, only a specific rescue vehicle’s user is allowed to obtain mutual authentication from a designated processor, while other users that are mismatched, revoked, or overdue are not entitled to certification. As shown in Figure 1, the processors (PS), which include the fire rescue processor, medical processor and road traffic accident clearing processor, can only interact with their respective rescue vehicles to ensure secure and accurate emergency services.

Existing authentication schemes with access control [10,11,12,13,14,15,16], however, fail to ensure the security of the session key and the privacy of the user [17]. Moreover, the large number of operations consumes vast amounts of storage, bandwidth and computational power, which drains the capacity of energy-limited vehicle networking devices such as vehicles’ processors. Addressing the design of a more efficient and robust authentication scheme with access control, a new scheme for DIoV is studied in this paper, in which four key points are considered, as listed below.

Firstly, by defining the control policy and obeying the mechanism in which the message is delivered first, received later and verified last, the proposed scheme can meet the requirement that any rescue vehicle’s user can only obtain authentication and negotiate the session key from the specified processor within the validity period. It is noted that the communication entities must verify one another’s identities to satisfy mutual authentication. Alternative schemes [10,12,13,15] do not adhere to this important principle since there is a lack of authentication whereby the message receiver (i.e., the user) verifies the identity of the message sender (i.e., the DG).

Secondly, during the registration phase, the user in the rescue vehicle is free to select a password; however, there is no password verification table stored in the drone as a relay node, which can eliminate the risk of password exposure. Moreover, via the “mod” operation, the system can resist smart card loss attacks and password guessing attacks [18,19].

Thirdly, in the authentication phase, the user interacts with the DG by using a pseudonym. Note, that the dynamic of a pseudonym preserves the user’s anonymity. Additionally, regarding the session key of the user and processor, the long-term key of the DG is no longer used to compute the session key, so the session key adheres to forward secrecy.

Lastly, from the perspective of performance in terms of storage, communication and computational costs, the designed scheme can minimize these costs as much as possible in the energy-limited DIoV.

The remainder of this paper is organized as follows. Section 2 describes the related works, and then the designed scheme is shown in Section 3. In Section 4, the security analysis is provided, and the performance analysis of the proposed scheme is shown in Section 5. Finally, Section 6 gives a brief conclusion and highlights the ongoing research work.

2. Related Works

Initially, Das [20] introduced a two-factor authentication protocol incorporating both a password and a smart card to secure communications within wireless sensor networks (WSNs). Additionally, the European Union’s General Data Protection Regulation (GDPR) has been implemented to enhance the security and privacy of vehicle accident data [9]. It is thus necessary to design authentication protocols with access control for the DIoV.

Our examination of existing research on the DIoV reveals a lack of protocols incorporating access control specifically designed for the DIoV. Specifically, there are mainly works that enable the vehicle’s authentication with a trusted authority [21,22] and decentralized blockchain platform [23], which is similar to an ordinary authentication scenario in the IoT [18,24,25]. Other studies consider the vehicles’ batch authentication by using signature fusion technology [26] and cross-domain authentication based on a two-way synchronization database mechanism [27]. Moreover, in the field of smart healthcare, some research works on authentication with access control can be found.

Utilizing the Chinese Remainder Theorem (CRT), Srinivas et al. [10] proposed a secure user authentication and access control scheme within a Cloud-of-Things-centric (CoTC) environment, specifically for wearable device monitoring systems. A notable observation is that, for forward secrecy, in their scheme, the long-term key does not need to be involved in constructing the session key. However, it is clear that significantly more storage resources would be consumed in their scheme and that no mutual authentication exists between the CoTC and sensor nodes.

Subsequently, Ref. [11] introduced an e-health-oriented scheme that integrates authentication, key agreement and access control guided by a control string specified by the medical server. Furthermore, they were the first to propose a method to transfer the ownership of patient information from the former physician to a new one, in order to allow more effective medical treatment. However, note that this scheme does not satisfy forward secrecy, or three-factor security and is not resistant to the inevitable type-l node capture attack [17].

In 2019, Banerjee et al. [12] introduced a method for time-limited user authentication and access control, whereby access privileges are automatically revoked upon the expiration of the allocated authentication period. In [12], ensuring the integrity and security of passwords is identified as a fundamental criterion, necessitating the development of a more robust authentication framework.

In the following year, after cryptanalyzing the developed scheme in [12] regarding its security flaws, such as its susceptibility to smart card loss attacks and stolen verifier attacks, Kumar et al. [13] provided an improved scheme that could effectively preserve users’ privacy (anonymity and password security). Nonetheless, the issues of forward secrecy and vulnerability to type-I node capture attacks remain concerns regarding the session key’s security.

Furthermore, Alzahrani et al. [14] found that the scheme in [12] cannot complete the authentication between the user and sensor node. To address the design flaw in [12], an improved scheme, ILAS-IoT, was presented in which, with the help of a gateway node, the user and a sensing device can complete the authentication phase. However, the security flaws (i.e., the failure to provide forward secrecy and resist type-I node capture attacks) that were analyzed previously were alleviated with the application of the scheme in [14].

In the context of wireless medical sensor networks, Yao et al. [15] highlighted the limitations of existing authentication mechanisms, specifically architectural inefficiencies and overlooked security flaws. They recommended a multi-faceted authentication architecture addressing user–server, patient–server and user–patient authentication. Nevertheless, the method’s resistance to password-guessing attacks, precipitated by the password verification table, requires strengthening to prevent the disclosure of users’ passwords.

Recently, focusing on securing communications in the edge-enabled Internet of Medical Things, Seyed Ahmad Soleymani et al. [16] used digital signatures and proposed an authentication and Authenticated Key Exchange (AKE) protocol. In their scheme, the user, edge node and medical center can be authenticated mutually to generate a final session key $SK=h(r_{sk}·R_{mc}|\left|R_u\right||r_{sk}·R_{mc})$, in which $SK$ is determined by the values of these three entities. However, session-specific temporary information attacks (also known as ephemeral secret leakage attacks) directly threaten the integrity of $SK$.

3. The Proposed Scheme

In this section, we propose a three-factor user authentication and key agreement protocol for the DIoV, featuring access control mechanisms. This protocol ensures that users from rescue vehicles obtain mutual authentication exclusively from designated processors on accident vehicles, based on their department and service type. However, users from rescue vehicles who have mismatched credentials, revoked access, or expired credentials will be denied authentication by the processor. We further describe the system model of our proposed scheme below.

3.1. System Model

The system model shown in Figure 2 consists of four entities: the command center (CC), the rescue vehicle (RV), the drone gateway (DG) and the accident vehicle (AV), with a series of transaction processors ($P{S}_j$). Further, the DG computes and then transmits messages between the RV’s user and $P{S}_j$; $P{S}_j$ collects certain real-time data from the accident vehicles, such as traffic transactions, medical transactions and fire transactions, enabling the users in the RVs to access real-time data to enable prompt rescue operations.

In Figure 2, we depict the secure channel transmissions (marked as ‘1’) occurring during the registration phase and the public channel transmissions (marked as ‘2’) taking place during the login and authentication phases. We then detail the authentication and key agreement process among the involved entities. Initially, the CC sets up the authentication system, generating long-term keys, secret values and public parameters. Users from rescue vehicles ($U_i$) register with the CC through a secure channel, submitting registration requests and receiving a smart card from the CC. Similarly, $DG$ and $P{S}_j$ submit their identities to the CC via a secure channel to obtain identity-related secret values.

During the authentication phase, $U_i$ sends a login request to the $DG$, which then verifies $U_i$’s identity and determines their eligibility for authentication with the appropriate $P{S}_j$. Subsequently, the $DG$ conveys a verification message to $P{S}_j$; upon $P{S}_j$ authenticating the identity of $DG$, it calculates and sends back a message containing a session key and authentication parameters. The $DG$, after verifying $P{S}_j$’s message, forwards it to $U_i$, who then authenticates $DG$, extracts the key parameters and recomputes the session key.

Additionally, the definitions of some terms used in the proposed scheme are listed in

Table 1. Definitions of symbols used in the proposed scheme.

Symbol	Definition	Symbol	Definition
⊕	XOR operation	$P{W}_i$	$U_i$’s password
h(·)	secure hash function	$I{D}_i$	$U_i$’s real identity
$\left|\right|$	concatenate operation	$PI{D}_i$	$U_i$’s pseudonym
$BKG$(·)	bio key generation	$bi{o}_i$	$U_i$’s biometric information
$P{S}_j$	identifier of processor in $A{V}_j$	$LT{K}_i\left(LT{K}_j\right)$	$U_i$’s ($P{S}_j$’s) secret value
$U_i$	legitimate user of rescue vehicle $R{V}_i$	$AVI{D}_j$	$A{V}_j$’s unique identity
$\to ,\Rightarrow$	public channel, secure channel	$x,y$	long-term key pair of $DG$

Note. Similarly to [28], this paper uses $BKG(·)$ to indicate the entire step dealing with the user’s biometric information, i.e., $BKG(·)\iff Gen(·)+Rep(·)$. Given the limited space, researchers can refer to the detailed $Gen(·),Rep(·)$ in [28]’s Sec. II-B.

.

3.2. System Setup Phase

In this phase, firstly, $CC$ initiates an elliptic curve $E\left({\mathbb{F}}_{\mathbb{p}}\right)$ over a prime finite field ${\mathbb{F}}_{\mathbb{p}}$. Based on $E\left({\mathbb{F}}_{\mathbb{p}}\right)$, $CC$ specifies an additive subgroup G with a $q$—order generator P, where p, q are two large primes with $\left|q\right|=n$, where n is a security parameter. Secondly, $CC$ selects long-term key pair $x,y\in {\mathbb{F}}_{\mathbb{p}}$ and stores two secret values $x,y$ temporarily, and parameters $\left\{E\left({\mathbb{F}}_{\mathbb{p}}\right),P\right\}$ are public, respectively. It is noted that in order to achieve a high security level for a long-term key pair, a 320-bit ECC can be adopted, in which the length of the secret key is 160 bits and the ECC point is 320 bits [29,30].

By running the following operations in Section 3.3, Section 3.4 and Section 3.5, the proposed scheme of authentication with access control, mutual authentication, user anonymity and forward secrecy can be achieved.

•

Authentication with access control: Since $CC$ defines the control policy and DG obeys the mechanism by which the message is delivered first, received later and verified last, the proposed scheme can meet the requirement that any rescue vehicle’s user can only achieve authenticity and negotiate the session key from the specified processor within the validity period.

•

Mutual authentication: During authentication with access control, the communication entities must verify one another’s identities to obtain mutual authentication. However, in alternative schemes [10,12,13,15], the user does not check the identity of the DG or gateway node and so [10,12,13,15] do not satisfy the need for mutual authentication.

•

User anonymity: In the proposed scheme, the user uses a pseudonym provided by the CC in advance to communicate with the DG in a public channel. The pseudonym prevents the adversary from tracking the real user and thus preserves the user’s anonymity well.

•

Forward secrecy: During the generation of the session key, the scheme excludes the long-term key. Meanwhile, the alternative schemes [11,12,13,14] cannot achieve forward secrecy for the session key, given that the generation of their session keys relies on the long-term key.

3.3. Registration Phase

The registration phase enables the vehicle $A{V}_j$ and the user of $RV$ to complete the registration of related identity information in $CC$; meanwhile, the user of the rescue vehicle and $A{V}_j$ receive feedback from $CC$ to prepare for future authentication with access control. Specifically, three parts constitute the registration phase: one for $A{V}_j$ with its processors $P{S}_j$, one for user $U_i$ of $RV$ and the last one for $DG$.

For the registration of some vehicle $A{V}_j$, three steps are required, as described below.

(1)

$A{V}_j$ securely sends its identity $AVI{D}_j$ and a series of identifiers $P{S}_j$ to the $CC$ ($A{V}_j\Rightarrow CC:\left\{AVI{D}_j,P{S}_j\right\}$).

(2)

$CC$ computes and returns $LT{K}_j=h(AVI{D}_j\left|\right|x)$ to $P{S}_j$ in $A{V}_j$ also via the secure channel ($CC\Rightarrow P{S}_j:\left\{LT{K}_j\right\}$).

(3)

$CC$ accumulates and lists all enrolled $P{S}_j$, i.e., $\Delta S=\left\{P{S}_j\right\}$.

For the user $U_i$ of rescue vehicle $RV$, she/he also needs to complete the registration operation with $CC$.

(1)

$U_i$ chooses his/her identity, password pair $(I{D}_i,P{W}_i)$ and a random number r and computes $HP{W}_i=h(I{D}_i\left|\right|P{W}_i)$ mod $n_0$, $A_0=HP{W}_i\oplus r$, where $n_0=2^8$, as an integer [24].

(2)

$U_i$ sends $A_0$ to $CC$ via the secure channel ($U_i$⇒$CC:\left\{A_0\right\}$).

(3)

Upon $CC$ obtaining the registration request $A_0$, $CC$ records the current registration timestamp $T_{reg}$, generates a pseudonym $PI{D}_i$ for $U_i$ and computes $LT{K}_i=h(PI{D}_i\left|\right|x)$, $A_1=LT{K}_i\oplus A_0$ and $EI{D}_i=h(PI{D}_i{\left|\right|y)}^{-1}·T_{reg}$. It is noted that the output of computing $h\left(PI{D}_i\right|\left|y\right)$ is inverse in $Z_q^{*}$, i.e., $h(PI{D}_i{\left|\right|y)}^{-1}\in Z_q^{*}$.

(4)

According to $U_i$’s rescue department, $CC$ generates a credential $toke{n}_{R{V}_i}$ and designates a finite time period $\Delta T_{auth}$ (e.g., 2024/04–2025/04) to enable authentication and specifies the corresponding $P{S}_j$ set, i.e., $\Delta S_{R{V}_i}=\left\{P{S}_j\right\}$ with an authorized polynomial $f_i\left(t\right)=h\left(x\right||toke{n}_{R{V}_i})+{\prod }_{P{S}_j\in \Delta S_{R{V}_i}}(t-h(PI{D}_i\left|\right|P{S}_j\left)\right)$ over $Z_p^{*}$, where $\Delta S_{R{V}_i}\subseteq \Delta S$.

(5)

$CC$ encrypts $\{f_i\left(t\right),\Delta T_{auth},EI{D}_i,toke{n}_{R{V}_i}\}$ and obtains ciphertexts $F_i\left(t\right)$, i.e., $F_i\left(t\right)=E_{h\left(x\right|\left|y\right)}[f_i\left(t\right),\Delta T_{auth},EI{D}_i,toke{n}_{R{V}_i}]$.

(6)

$CC$ inserts all parameters $\left\{PI{D}_i,BKG(·),A_1,\Delta S_{R{V}_i},F_i\left(t\right),SUM\right\}$ into the smart card $S{C}_i$, where the parameter “$SUM$” denotes the maximum number of times that the smart card enables $U_i$ to attempt the following login phase if $U_i$ forgets the password.

(7)

$CC$ sends the smart card $S{C}_i$ to $U_i$ via the secure channel ($CC$⇒$U_i:\left\{S{C}_i\right\}$).

(8)

Upon receiving $S{C}_i$, $U_i$ further inputs his/her bio-information $bi{o}_i$, and then the smart card computes $LT{K}_i=A_0\oplus A_1$, $LT{K}_{ii}=BKG\left(bi{o}_i\right)$ and $A_2=h(I{D}_i\left|\right|P{W}_i\left|\right|LT{K}_i\left|\right|LT{K}_{ii}\left|\right|\Delta S_{R{V}_i})$ mod $n_0$ and updates $A_1=LT{K}_i\left|\right|\Delta S_u\oplus HP{W}_i$.

(9)

Finally, the smart card stores $<PI{D}_i,BKG(·),A_1,A_2,F_i\left(t\right),SUM>$.

During $DG$’s registration, it receives a key pair $(x,y)$ and a set $\Delta S=\left\{P{S}_j\right\}$ from $CC$ through a secure channel. This provision is critical in facilitating subsequent authentication with access control processes.

To authenticate with a given $P{S}_j$ on an accident vehicle, a user from a rescue vehicle ($U_i$) must undergo the following login and authentication phases. Figure 3 provides a comprehensive overview of all the steps involved in these phases to facilitate the readers’ understanding.

3.4. Login Phase

In the login phase, $U_i$ enters his/her related identity, password and bio-information into the smart card; then, this smart card verifies the real identity of $U_i$. If this is completed, the smart card transmits $U_i$’s further authentication request to $DG$. The detailed steps are shown below.

(1)

$U_i$ inputs $(I{D}_i^{*},P{W}_i^{*})$ and bio-information $bi{o}_i^{*}$ to the smart card.

(2)

The smart card computes the following values: $HP{W}_i^{*}=h(I{D}_i^{*}\left|\right|P{W}_i^{*})$ mod $n_0$, $LT{K}_i^{*}\left|\right|\Delta S_{R{V}_i}^{*}=HP{W}_i^{*}\oplus A_1$, $LT{K}_{ii}^{*}=BKG\left(bi{o}_i^{*}\right)$, $A_2^{*}=$ $h\left(I{D}_i^{*}\right|\left|P{W}_i^{*}\right|\left|LT{K}_i^{*}\right|\left|LT{K}_{ii}^{*}\right||\Delta S_{R{V}_i}^{*})$ mod $n_0$.

(3)

Then, the smart card checks whether $A_2^{*}=A_2$ holds or not, where $A_2$ has been stored in the smart card during the registration phase. If not, the smart card stops this session and meanwhile updates the value of $SUM$ by adding the number 1. If $SUM$ exceeds the maximal value, such as 3, this smart card will be suspended until $U_i$ re-registers.

(4)

Otherwise, the smart card extracts timestamp $T_1$, selects random numbers $r_u$, $r_u^{\prime }\in Z_p^{*}$ and the processor with identity $P{S}_j$ from $\Delta S_{R{V}_i}$, which $U_i$ wishes to obtain authentication, and computes the following values: $A_3=r_u·P$, $C_1=h(r_u^{\prime }\left|\right|T_1\left)\right||A_3\oplus h(LT{K}_i\left|\right|T_1)$, $C_2=\Delta S_{R{V}_i}\oplus h(PI{D}_i\left|\right|h(r_u^{\prime }\left|\right|T_1\left)\right)$, $C_3=h(PI{D}_i\left|\right|P{S}_j\left|\right|A_3\left|\right|\Delta S_{R{V}_i}\left|\right|T_1)$.

(5)

Lastly, the smart card sends the authentication request containing $\left\{PI{D}_i,P{S}_j,F_i\left(t\right),C_1,C_2,C_3,T_1\right\}$ to $DG$ via the open channel (Login: $U_i\to DG:\{PI{D}_i,P{S}_j,F_i\left(t\right),C_1,C_2,C_3,T_1\}$).

3.5. Authentication Phase

In the authentication phase, we mainly consider the mutual authentication in $U_i\rightleftharpoons DG\rightleftharpoons P{S}_j$, and then a session key $SK$ between $U_i$ and $P{S}_j$ will be negotiated and used to protect the secret information in future communications.

The first step is Auth-1, where $DG$ verifies the identity of the user and transmits a related message to $P{S}_j$. The detailed operations are shown in the following.

(1)

Given an authentication request $\left\{PI{D}_i,P{S}_j,F_i\left(t\right),C_1,C_2,C_3,T_1\right\}$ from $U_i$, $DG$ first determines whether the time gap of the current timestamp $T_c$ and $T_1$ is less than a threshold value $\Delta T$ or not (i.e., $|T_c-T_1|<\Delta T$). If $|T_c-T_1|>\Delta T$, $DG$ stops this session.

(2)

Otherwise, $DG$ decrypts $F_i\left(t\right)$ to recover $\{f_i\left(t\right),\Delta T_{auth},EI{D}_i,toke{n}_{R{V}_i}\}$ by using symmetric key $h\left(x\right|\left|y\right)$ and checks if $toke{n}_{R{V}_i}\ne$ is null. If not, it means that this user’s access has been revoked.

(3)

Otherwise, $DG$ verifies whether $f_i\left(h\right(PI{D}_i\left|\right|P{S}_j\left)\right)=h\left(x\right||toke{n}_{R{V}_i})$. If not, $DG$ directly discards this request, since $U_i$ at this time is not authorized (or does not match) to run authentication with $P{S}_j$ (i.e., $P{S}_j\notin \Delta S_{R{V}_i}$).

(4)

Otherwise, $DG$ computes $LT{K}_i^{*}=h(PI{D}_i\left|\right|x)$, $h(r_u^{\prime *}\left|\right|T_1^{*}\left)\right||A_3^{*}=C_1\oplus h(LT{K}_i^{*}\left|\right|T_1)$ and $\Delta S_{R{V}_i}^{*}=C_2\oplus h(PI{D}_i\left|\right|h(r_u^{\prime *}\left|\right|T_1^{*}\left)\right)$. At this moment, $DG$ checks if $EI{D}_i^{*}·h(PI{D}_i\left|\right|y)=h\left(y\right||PI{D}_i)$. If this holds, it means that $U_i$’s authentication service has been revoked, and $DG$ discards this session.

(5)

Otherwise, $DG$ verifies if $|T_c-EI{D}_i^{*}·h(PI{D}_i\left|\right|y\left)\right|\in \Delta T_{auth}$. If not, this denotes that $U_i$’s time allocated to run authentication with $P{S}_j$ has been exceeded, and $DG$ stops this session.

(6)

Otherwise, $DG$ computes values $C_3^{*}=h(PI{D}_i\left|\right|P{S}_j^{*}\left|\right|A_3^{*}\left|\right|\Delta S_{R{V}_i}^{*}\left|\right|T_1^{*})$ and checks if $C_3^{*}=C_3$; if so, $DG$ randomly selects a nonce $r_g$, extracts the timestamp $T_2$ and then computes $LT{K}_j=h(AVI{D}_j\left|\right|x)$, $C_4=A_3\left|\right|r_g\oplus h(LT{K}_j\left|\right|P{S}_j)$, $C_5=P{S}_j\left|\right|h\left(LT{K}_i\right)\oplus h(LT{K}_j\left|\right|r_g)$ and $C_6=h(A_3\left|\right|r_g\left|\right|LT{K}_j\left|\right|P{S}_j\left|\right|T_2)$.

(7)

$DG$ transmits the message $\left\{PI{D}_i,C_4,C_5,C_6,T_2\right\}$ to $P{S}_j$ in the open channel, denoted by Auth-1: $DG\to P{S}_j$: $\left\{PI{D}_i,C_4,C_5,C_6,T_2\right\}$).

To facilitate the readers’ understanding, we give the following remark on how the user in a rescue vehicle can only obtain authentication with a specified $P{S}_j$ and be authenticated within a specified time period.

Remark 1. 

A user $U_i$ associated with a set $\Delta S_{R{V}_i}=\left\{P{S}_j\right\}$ can only be authorized to query authentication with a designated $P{S}_j\in \Delta S_{R{V}_i}$. In the event that $U_i$ wishes to query authentication with some unauthorized node $P{S}_k\notin \Delta S_{R{V}_i}$, this request will be directly declined by $DG$ finding $f_i\left(h\right(PI{D}_i\left|\right|P{S}_k\left)\right)\ne h\left(x\right||toke{n}_{R{V}_i})$, since only the PS’s identifier in $\Delta S_{R{V}_i}$ meets polynomial $f_i\left(t\right)$, which is preset by $CC$, and this $f_i\left(t\right)$ is unknown to $U_i$. Thus, each $U_i$ will only run authentication with a corresponding authorized $P{S}_j$.

Remark 2. 

Regarding authentication within a specific timeframe, one occasion is that without retirement or dismissal, some $U_i$’s time allocated for authentication may be exceeded. At this time, by $DG$ checking $|T_c-EI{D}_i·h(PI{D}_i\left|\right|y\left)\right|\notin \Delta T_{auth}$, $U_i$ cannot run authentication with his/her authorized $P{S}_j$ any longer. In the event of retirement and dismissal for $U_i$, regardless of whether $|T_c-EI{D}_i·h(PI{D}_i\left|\right|y\left)\right|\in \Delta T_{auth}$ or not, $U_i$ cannot run authentication with his/her authorized $P{S}_j$ any longer by only $DG$ checking if $toke{n}_{R{V}_i}$= null. This is because, before this authentication session, $DG$ has preset the future token $toke{n}_{R{V}_i}^{new}$= null to revoke this $U_i$ (here, this preset operation can be seen in the update step of  Auth-3).

In the following Auth-2, via the received message $\{PI{D}_i,C_4,C_5,C_6,T_2\}$, $P{S}_j$ verifies the identity of $DG$ and then uses the user’s and its own secret to negotiate a session key. The detailed operations can be seen below.

(1)

Upon receiving the message $\left\{PI{D}_i,C_4,C_5,C_6,T_2\right\}$, $P{S}_j$ first checks whether $|T_c-T_2|<\Delta T$. If not, $P{S}_j$ stops this session.

(2)

Otherwise, $P{S}_j$ obtains $A_3^{*}\left|\right|r_g^{*}=C_4\oplus h(LT{K}_j\left|\right|P{S}_j)$, and computes $P{S}_j^{*}\left|\right|h\left(LT{K}_i^{*}\right)=C_5\oplus h(LT{K}_j\left|\right|r_g^{*})$, $C_6^{*}=h(A_3^{*}\left|\right|r_g^{*}\left|\right|LT{K}_j\left|\right|P{S}_j^{*}\left|\right|T_2)$ and checks if $C_6^{*}=C_6$. If not, $P{S}_j$ ceases the subsequent operations.

(3)

Otherwise, $P{S}_j$ selects a nonce $r_s$, extracts a corresponding timestamp $T_3$ and computes $A_4=r_s·P$, $A_5=r_s·A_3$.

(4)

$P{S}_j$ computes a session key $SK=h\left(A_5\right|\left|PI{D}_i\right|\left|AVI{D}_j\right|\left|P{S}_j\right|\left|h\left(LT{K}_i\right)\right)$, and then it computes $C_7=AVI{D}_j\oplus h\left(r_g\right)$, $C_8=A_4\left|\right|h\left(SK\right||r_g)\oplus LT{K}_j$, $C_9=h(A_4\left|\right|h\left(SK\right||r_g\left)\right||LT{K}_j\left|\right|T_3)$, $C_{10}=h\left(SK\right||r_g)\oplus LT{K}_j\oplus h(A_4\left|\right|SK)$.

(5)

Eventually, $P{S}_j$ sends the message $\left\{C_7,C_8,C_9,C_{10},T_3\right\}$ to $DG$ via the open channel, denoted by Auth-2: $P{S}_j\to DG$$:\left\{C_7,C_8,C_9,C_{10},T_3\right\}$.

Following this, in Auth-3 $DG$ receives $P{S}_j$’s message and verifies the identity of $P{S}_j$. Then, for the user, $DG$ updates the authentication parameters, which include the access control. Further, $DG$ sends the updated message to the user. The detailed operations can be seen in Auth-3.

(1)

With the message sent from $P{S}_j$, $DG$ first checks whether $|T_c-T_3|<\Delta T$. If not, $DG$ stops this session.

(2)

Otherwise, $DG$ computes the values $AVI{D}_j^{*}=C_7\oplus h\left(r_g\right)$, $LT{K}_j^{*}=h(AVI{D}_j^{*}\left|\right|x)$, $A_4^{*}\left|\right|h(S{K}^{*}\left|\right|r_g^{*})=C_8\oplus LT{K}_j^{*}$, $C_9^{*}=h(A_4^{*}\left|\right|h(S{K}^{*}\left|\right|r_g^{*}\left)\right||LT{K}_j^{*}\left|\right|T_3)$ and checks if $C_9^{*}=C_9$. If not, $DG$ terminates this authentication.

(3)

Otherwise, $DG$ obtains $h(A_4\left|\right|SK)=C_{10}\oplus h\left(SK\right||r_g)\oplus LT{K}_j$ and runs the following update operations.

(4)

$DG$ updates a new pseudonym $PI{D}_i^{new}$ for $U_i$.

(5)

$DG$ updates $LT{K}_i^{new}=h(PI{D}_i^{new}\left|\right|x)$.

(6)

$DG$ updates $toke{n}_{R{V}_i}^{new}=toke{n}_{R{V}_i}$. Of course, if the user needs to be revoked, $toke{n}_{R{V}_i}^{new}$= null.

(7)

$DG$ updates $EI{D}_i^{new}=h(PI{D}_i^{new}{\left|\right|y)}^{-1}·T_c$.

(8)

$DG$ updates $\Delta T_{auth}^{new}$ and sets $f_i^{new}\left(t\right)=h\left(x\right||toke{n}_{R{V}_i}^{new})+$ ${\prod }_{AVI{D}_j\in \Delta S_{R{V}_i}^{new}}(t-h(PI{D}_i^{new}\left|\right|P{S}_j\left)\right)$, where $\Delta S_{R{V}_i}^{new}=\Delta S_{R{V}_i}$ with no change for the processor(s); or $\Delta S_{R{V}_i}^{new}=\Delta S_{R{V}_i}+\Delta S_{R{V}_i}^{add}$ with an added new processor(s); or $\Delta S_{R{V}_i}^{new}=\Delta S_{R{V}_i}-\Delta S_{R{V}_i}^{del}$ with a deleted processor(s); or $\Delta S_{R{V}_i}^{new}=\Delta S_{R{V}_i}-\Delta S_{R{V}_i}^{del}+\Delta S_{R{V}_i}^{add}$ with a deleted and then a newly added processor(s).

(9)

$DG$ further computes $F_i{\left(t\right)}^{new}=E_{h\left(x\right|\left|y\right)}[f_i^{new}\left(t\right),\Delta T_{auth}^{new},EI{D}_i^{new},toke{n}_{R{V}_i}^{new}]$, $C_{11}=LT{K}_i^{new}\oplus LT{K}_i$, $C_{12}=PI{D}_i^{new}\left|\right|A_4\left|\right|\Delta S_{R{V}_i}^{new}\oplus h(LT{K}_i^{new}\left|\right|A_3)$, and then $C_{13}=h(PI{D}_i^{new}\left|\right|\Delta S_u^{new}\left|\right|h(A_4\left|\right|SK\left)\right||F_i^{new}\left(t\right))$.

(10)

$DG$ transmits message $\left\{F_i^{new}\left(t\right),C_{11},C_{12},C_{13}\right\}$ to $U_i$ in the open channel, denoted by Auth-3: $DG\to U_i:\left\{F_i^{new}\left(t\right),C_{11},C_{12},C_{13}\right\}$.

After receiving the response from $DG$, $U_i$ authenticates the $DG$’s identity and re-computes the session key. Finally, $U_i$ stores the related updated authentication parameters.

(1)

$U_i$ computes: $LT{K}_i^{new*}=C_{11}\oplus LT{K}_i$, $PI{D}_i^{new*}\left|\right|A_4^{*}\left|\right|\Delta S_{R{V}_i}^{new*}=C_{12}\oplus h(LT{K}_i^{new*}\left|\right|A_3)$, $A_5^{*}=r_u·A_4^{*}$ and $S{K}^{*}=h(A_5^{*}\left|\right|PI{D}_i\left|\right|AVI{D}_j\left|\right|P{S}_j\left|\right|h\left(LT{K}_i\right))$.

(2)

$U_i$ computes $C_{13}^{*}=h(PI{D}_i^{new*}\left|\right|\Delta S_{R{V}_i}^{new*}\left|\right|h(A_4^{*}\left|\right|S{K}^{*}\left)\right||F_i^{new}\left(t\right))$ and then checks if $C_{13}^{*}=C_{13}$. If not, $U_i$ discards this session.

(3)

If “=” holds, $U_i$ regards this $S{K}^{*}$ as the negotiated session key $SK$.

(4)

$U_i$ updates $A_1^{new}=LT{K}_i^{new}\oplus HP{W}_i,A_2^{new}=h(I{D}_i\left|\right|P{W}_i\left|\right|LT{K}_i^{new}\left|\right|LT{K}_{ii}\left|\right|\Delta S_{R{V}_i}^{new})$ mod $n_0$.

(5)

$U_i$ replaces parameters $\left\{PI{D}_i,A_1,A_2,F_i\left(t\right)\right\}$ with $\left\{PI{D}_i^{new},A_1^{new},A_2^{new},F_i^{new}\left(t\right)\right\}$ in smart card $S{C}_i$.

3.6. Password Change Phase

For enhanced security, users ($U_i$) are able to modify or update their password independently, without necessitating an interaction with the command center ($CC$). This process is bifurcated into two primary stages: the verification of the user’s identity, executed by the smart card, followed by $U_i$’s update of the parameters, including $P{W}_i,A_1,A_2$. The procedural steps for these operations are delineated as follows.

(1)

As described in the login phase, $U_i$ first enters the old password $P{W}_i^{old}$ and identity $I{D}_i$ in the smart card.

(2)

When the smart card verifies that $A_2^{*}=A_2$ holds, it enables $U_i$ to choose a new password $P{W}_i^{new}$, and it updates $HP{W}_i^{new}=h(I{D}_i\left|\right|P{W}_i^{new})$ mod $n_0$, $A_1^{new}=LT{K}_i\oplus HP{W}_i^{new}$, $A_2^{new}=h(I{D}_i\left|\right|P{W}_i^{new}\left|\right|LT{K}_i\left|\right|LT{K}_{ii}\left|\right|\Delta S_{R{V}_i})$ mod $n_0$

(3)

The smart card finally replaces parameters $\left\{A_1,A_2\right\}$ with $\left\{A_1^{new},A_2^{new}\right\}$.

4. Security Analysis of the Proposed Scheme

To properly validate the authentication with access control operation in the application layer, the proposed scheme should be robust in the underlying layer. Next, the security and reliability are further analyzed in the formal analysis (Section 4.1) and the heuristic analysis (Section 4.2).

4.1. Formal Analysis of the Proposed Scheme

In this part, we introduce some basics for the formal proof in Section 4.1.1; then, in Section 4.1.2, we give the detailed security proof in the form of Theorem 1.

4.1.1. Basics for Formal Proof

Before the simulation, the simulator initiates an elliptic curve $E\left({\mathbb{F}}_{\mathbb{p}}\right)$ over a prime finite field ${\mathbb{F}}_{\mathbb{p}}$. Based on $E\left({\mathbb{F}}_{\mathbb{p}}\right)$ and a security parameter n, the simulator specifies a $q$—order additive subgroup G with a generator P, where p, q are two large primes with $\left|q\right|=n$, and the size of P is 320 bits. Next, $U_i$ obtains the information $\left\{I{D}_i,P{W}_i,Bi{o}_i\right\}$ and the smart card that contains {$PI{D}_i,BKG(·),A_1,A_2,EI{D}_i,F_i\left(t\right),SUM$}; $CC$ generates a long-term key pair $x,y$; $P{S}_j$ owns the identity–secret key pair $\{AVI{D}_j,LT{K}_j\}$.

Then, three entities $U_i$, $DG$, $P{S}_j$ involved in the proposed scheme $\mathbb{S}$ instantiate instances ${\prod }_{U_i}^u,{\prod }_{DG}^g,{\prod }_{P{S}_j}^s$, respectively. If there is no need to differentiate the three instances, the instance can be simply marked as ${\prod }^t$. Further, each instance will be regarded as an oracle; that is, upon receiving an input message that is valid/incorrect or null, the oracle will correspondingly accept/reject it or return “⊥”, meaning that there is no response.

Additionally, we introduce some terms used in the security proof below.

$\mathit{Accepted}\mathit{state}$. An instance $\begin{array}{c}{\prod }^t\end{array}$ will be an accepted state if $\begin{array}{c}{\prod }^t\end{array}$ receives the last expected protocol message. Meanwhile, the ordered concatenation of all sent and received messages will shape the session identifier of $\begin{array}{c}{\prod }^t\end{array}$ in each session.

$\mathit{Partnering}$. Two instances ${\prod }^{t_1},{\prod }^{t_2}$ are partnered if these two accepted states’ instances ${\prod }^{t_1},{\prod }^{t_2}$ are authenticated mutually with the identical session identification being normally shared; meanwhile, ${\prod }^{t_1},{\prod }^{t_2}$ are partners.

$\mathit{Adversary}$. An eCK (extended Canetti–Krawczyk) adversary $\mathcal{A}$ is capable of interacting with users ($U_i$), the drone gateway ($DG$) or any processor ($P{S}_j$) by initiating information queries to their respective oracles and a simulator. Utilizing the responses obtained, $\mathcal{A}$ endeavors to compromise the integrity of the authentication messages and the established session key. The potential queries that $\mathcal{A}$ can execute, leveraging the capacities outlined for an eCK adversary in

Table 2. Description of eCK (extended Canetti–Krawczyk) adversary capacities [31].

I*	Attack Capacities
C1	$\mathcal{A}$ can acquire previous session keys between communication entities
C2	$\mathcal{A}$ can learn $DG$’s secret key pair when considering the system’s eventual failure
C3	$\mathcal{A}$ can obtain ephemeral secrets when testing the security of the session key
C4	$\mathcal{A}$ can fully control the open channel and then intercept, modify, insert and delete any transmitted messages from the open channel
C5	$\mathcal{A}$ can enumerate all items offline in the Cartesian product of identity space and password space $D_{id}$ × $D_{pw}$ within polynomial time
C6	$\mathcal{A}$ can break some processor and then extract the stored sensitive data and even control the broken processor to participate in the next communication interaction
C7	In a 3-factor user authentication scheme, $\mathcal{A}$ can compromise two of the three following factors: (a) password; (b) data in the smart card; (c) bio-information

, include the following:

• $Execute$($\begin{array}{c}{\prod }_{U_i}^u,{\prod }_{DG}^g,{\prod }_{P{S}_j}^s\end{array}$). $\mathcal{A}$ can run a query to simulate the entire authentication process and obtain a desirable message exchange among $U_i,DG$ and $P{S}_j$.
• $Send$($\begin{array}{c}{\prod }^t,m\end{array}$). In a ‘send’ query, $\mathcal{A}$ can send a message m and then launch an active attack for a participating instance $\begin{array}{c}{\prod }^t\end{array}$. According to the $\mathbb{S}$, if m is valid and ${\prod }^t$ has also received the message m, this simulator returns a response.
• $SessionKeyReveal$ ($\begin{array}{c}{\prod }^t\end{array}$). In this query, besides the session key to be tested, $\mathcal{A}$ can obtain the other session keys via $SessionKeyReveal$ ($\begin{array}{c}{\prod }^t\end{array}$).
• $EphemeralKeyReveal$ ($\begin{array}{c}{\prod }^t\end{array})$. This query means that adversary $\mathcal{A}$ can obtain the entities’ ephemeral secrets, such as nonces or random numbers.
• $Corrupt$($\begin{array}{c}{\prod }_{U_i}^u\end{array},\alpha \in \{-1,0,1\}$). In this query, according to the value $\alpha$, $\mathcal{A}$ can acquire related authentication factors stored in $U_i$. Specifically, $\mathcal{A}$ retrieves passwords (to $\alpha =-1$), data stored in the smart card (to $\alpha =0$) and bio-information $bi{o}_i$ (to $\alpha =1$).
• $Corrupt$($\begin{array}{c}{\prod }_{DG}^g\end{array}$). In this query, $\mathcal{A}$ can grasp the long-term key pair $(x,y)$.
• $Corrupt$($\begin{array}{c}{\prod }_{P{S}_j}^s\end{array}$). This query states that the secret of $P{S}_j$ can be obtained by $\mathcal{A}$.

$\mathit{Freshness}$. Three instances $\begin{array}{c}{\prod }_{U_i}^u\end{array}$, $\begin{array}{c}{\prod }_{DG}^g\end{array}$ and $\begin{array}{c}{\prod }_{P{S}_j}^s\end{array}$ are fresh if $\mathcal{A}$ does not grasp the session key between $U_i$ and $P{S}_j$ by using the reveal queries shown above.

$\mathit{Test}$($\begin{array}{c}{\prod }^t\end{array}$). The ’test’ query evaluates the semantic security of the session key $SK$, and, in this query, $\mathcal{A}$ is capable of querying only once. According to $\mathbb{S}$, the instance $\begin{array}{c}{\prod }^t\end{array}$ can be $\begin{array}{c}{\prod }_{U_i}^u\end{array}$ or $\begin{array}{c}{\prod }_{P{S}_j}^s\end{array}$. Generally, “⊥” (null) will be returned if instance $\begin{array}{c}{\prod }^t\end{array}$ has not computed the $SK$ or $\begin{array}{c}{\prod }^t\end{array}$ is not fresh, or $\mathit{Test}$($\begin{array}{c}{\prod }^t\end{array}$) has been queried before the ‘test’ query. Otherwise, the oracle in this query will choose one unbiased coin $b\in \{0,1\}$. With the value of b, $\mathit{Test}$($\begin{array}{c}{\prod }^t\end{array}$) returns the final result, i.e., “result = the real session key” (if $b=1$) or “result = a random string that has the same length as the session key” (if $b=0$).

$\mathit{Semantic}\mathit{Security}$. For a given scheme $\mathbb{S}$, a probabilistic polynomial time (PPT) adversary $\mathcal{A}$ has made a sequence of queries including Execute$(·)$, Send$(·)$, Corrupt$(·)$, and Reveal$(·)$. Now, $\mathcal{A}$ wishes to guess the value of b in the Test query and return a guessed value $b^{*}$. Let $Succ\left(\mathcal{A}\right)$ denote the advantage of $\mathcal{A}$ correctly guessing $b^{*}$ of b, i.e., $b^{*}=b$. Then, we define the advantage of $\mathcal{A}$ whereby $\mathcal{A}$ successfully breaks the session key’s semantic security in the following:

$$Ad{v}_{\mathbb{S}}^{\mathcal{A}}=2\mathrm{Pr}\left[Succ\left(\mathcal{A}\right)\right]-1$$

4.1.2. Semantic Security Proof

In the following, Theorem 1 derives the advantage whereby $\mathcal{A}$ can break the semantic security of the session key in the proposed scheme.

Theorem 1. 

Let $\mathbb{S}$ be the designed scheme and $\left|\mathcal{D}\right|$ be the space of the password. Then, a PPT adversary $\mathcal{A}$, by querying Execute$(·)$$q_e$ times, Send$(·)$$q_s$ times, Hash$(·)$$q_h$ times and Biohashing$(·)$$q_{BKG(·)}$ times, breaks the semantic security of the session key in $\mathbb{S}$ with the following advantage $Ad{v}_{\mathbb{S},\mathcal{D}}^{\mathcal{A}}$, which is less than

$\frac{q_h^2+6q_s}{2^{l_1}}+\frac{{(q_s+q_e)}^2}{p}+\frac{q_{BKG(·)}^2+2q_{BKG(·)}}{2^{l_2}}+2(C^{\prime }{q}_{send}^{s^{\prime }}+Ad{v}_p^{ECDL}\left(n\right)+Ad{v}_p^{ECCDH}\left(n\right))$

Proof. 

Here, we give the theorem’s proof by setting a sequence of games, namely Game₁ to Game₉. Moreover, let $Suc{c}_l$ denote that $\mathcal{A}$ correctly guesses the b in the $Test$ query of Game_l, $\{l=1,2,\cdots ,9\}$.

Game₁: This game simulates a real attack under the random-or-real oracle. Then, the oracle directly chooses a bit b. Thus,

$$Ad{v}_{\mathbb{S},\mathcal{D}}^{\mathcal{A}}=2\mathrm{Pr}\left[{\mathit{Succ}}_1\right]-1$$

(1)

Game₂: This game maintains a hash list ${\Psi }_h$ and a BKG(·) list ${\Phi }_{BKG(·)}$. The adversary $\mathcal{A}$ queries a hash value $h\left(\gamma \right)$; then, the hash oracle ${\Theta }_h$ takes $\gamma$ to retrieve ${\Psi }_h$. If there is a retrieved hash value $h\left(\gamma \right)$ in ${\Psi }_h$, ${\Theta }_h$ returns $h\left(\gamma \right)$. Otherwise, a random string $\psi$ will be returned to $\mathcal{A}$, while $(\gamma ,\psi )$ is stored in ${\Psi }_h$. As for BKG(·)’s oracle ${\Theta }_{BKG(·)}$, it is simulated in the same way with hash oracle ${\Theta }_h$.

Based on the known two lists, $\mathcal{A}$ executes a $Test$ query to guess the value of b. Factually, given $SK=h\left(A_5\right|\left|PI{D}_i\right|\left|AVI{D}_j\right|\left|P{S}_j\right|\left|h\left(LT{K}_i\right)\right)$, it states that the secret values, including $U_i$’s $r_u$, $LT{K}_i$ and $P{S}_j$’s $r_s$, are embedded in the $SK$. Thus, without the secret values, $\mathcal{A}$ cannot compute $SK$ and has no way to decide whether $b=0$ or $b=1$.

Hence, the advantage of winning this game is equal to that of Game₁, i.e.,

$$\mathrm{Pr}\left[{\mathit{Succ}}_1\right]=\mathrm{Pr}\left[{\mathit{Succ}}_2\right]$$

(2)

Game₃: Based on Game₂, $\mathcal{A}$ in Game₃ initiates an active attack to convince a communication entity to accept a forged message by executing queries $Send(·)$, $Hash(·)$, $Biohashing(·)$. When compared with Game₂, only when a collision is found can a forged message be made, and $\mathcal{A}$’s advantage can be achieved in Game₃. Equally, if the following collisions occur, the game is aborted.

(i) $\mathcal{A}$ can find a collision in the hash values or BKG(·)’s outputs, and the probability is $\frac{q_h^2}{2^{l_1+1}}$ or $\frac{q_{BKG(·)}^2}{2^{l_2+1}}$, where $l_1$ and $l_2$ denote the length of the output by function $h(·)$ and BKG(·), respectively.

(ii) Another collision that $\mathcal{A}$ is capable of finding is the choice of random numbers ($r_u,r_u^{\prime },r_g,r_s\in Z_p^{*}$), with a probability of $\frac{{(q_s+q_e)}^2}{2p}$.

Thus, we have

$$|\mathrm{Pr}\left[{\mathit{Succ}}_3\right]-\mathrm{Pr}\left[{\mathit{Succ}}_2\right]|⩽\frac{q_h^2}{2^{l_1+1}}+\frac{q_{\mathrm{BKG}(·)}^2}{2^{l_2+1}}+\frac{{(q_s+q_e)}^2}{2p}$$

(3)

Game₄: $\mathcal{A}$ in this game wishes to guess $C_3$, $C_6$, $C_9$, $C_{13}$ without initiating a hash query or BKG(·) query.

Obviously, we can obtain

$$|\mathrm{Pr}\left[{\mathit{Succ}}_4\right]-\mathrm{Pr}\left[{\mathit{Succ}}_3\right]|⩽\frac{q_s}{2^{l_1}}$$

(4)

Game₅: In this game, $\mathcal{A}$ also tries to guess $A_1$, but without initiating a hash query or BKG(·) query.

Similarly, we can obtain

$$|\mathrm{Pr}\left[{\mathit{Succ}}_5\right]-\mathrm{Pr}\left[{\mathit{Succ}}_4\right]|⩽\frac{q_s}{2^{l_1}}$$

(5)

Game₆: In this game, via the $Corrupt$($\begin{array}{c}{\prod }_{U_i}^u\end{array},\alpha$) query, $\mathcal{A}$ plans to compute $A_2$. There are three cases considered.

▸

Case₁, $Corrupt$($\begin{array}{c}{\prod }_{U_i}^u\end{array},\alpha =-1,0$): The probability that $\mathcal{A}$ guesses the user’s bio-information is less than $\frac{q_{BKG(·)}}{2^{l_2}}$;

▸

Case₂, $Corrupt$($\begin{array}{c}{\prod }_{U_i}^u\end{array},\alpha =0,1$): Based on the technology of “fuzzy keywords + honeywords”, the probability that $\mathcal{A}$ guesses $U_i$’s password is no more than $C^{\prime }{q}_{send}^{s^{\prime }}$, in which $\mathcal{A}$ has made at most $q_{send}$ active attacks in password space $\mathcal{D}$, and $C^{\prime }$, $s^{\prime }$ are parameters that can be depicted by a linear regression [32].

▸

Case₃, $Corrupt$($\begin{array}{c}{\prod }_{U_i}^u\end{array},\alpha =-1,1$): The probability that $\mathcal{A}$ guesses the key value of $A_1$ is less than $\frac{q_s}{2^{l_1}}$;

Therefore, we can obtain

$$|\mathrm{Pr}\left[{\mathit{Succ}}_6\right]-\mathrm{Pr}\left[{\mathit{Succ}}_5\right]|⩽C^{\prime }{q}_{\mathit{send}}^{s^{\prime }}+\frac{q_s}{2^{l_1}}+\frac{q_{\mathit{BKG}}(·)}{2^{l_2}}$$

(6)

Game₇: In this game, $\mathcal{A}$ interacts with the $EphemeralKeyReveal$ ($\begin{array}{c}{\prod }^t\end{array})$ oracle and $SessionKeyReveal$ ($\begin{array}{c}{\prod }^t\end{array})$ oracle. Then, $\mathcal{A}$ will obtain some outdated session keys $S{K}_{outdated}$, the nonces $r_u,r_s$. Following this, $\mathcal{A}$ wishes to corrupt the $LT{K}_i$. Similarly, given the technology of “fuzzy keywords + honeywords”, $\mathcal{A}$ cannot grasp $LT{K}_i$ from smart card $S{C}_i$. Another possible variation is that $\mathcal{A}$ tries to find a collision in the hash values.

Thus, we have

$$|\mathrm{Pr}\left[{\mathit{Succ}}_7\right]-\mathrm{Pr}\left[{\mathit{Succ}}_6\right]|⩽\frac{q_h^2}{2^{l_1+1}}$$

(7)

Game₈: In this game, by executing the $Corrupt$($\begin{array}{c}{\prod }_{P{S}_j}^s\end{array}$) query and $Corrupt$($\begin{array}{c}{\prod }_{DG}^g\end{array}$) query, $\mathcal{A}$ can obtain the secret value $LT{K}_j$ of $P{S}_j$ and further $A_3,A_4$. However, given $A_3$ (resp. $A_4$) in the 320-bit elliptic curve, $\mathcal{A}$ cannot resolve $r_u$ (resp. $r_s$) from $A_3$ (resp. $A_4$), based on the fact that no available PPT solution can be used to break the elliptic curve discrete logarithm problem (ECDLP) [33].

Thus, the following deduction holds:

$$|\mathrm{Pr}\left[{\mathit{Succ}}_8\right]-\mathrm{Pr}\left[{\mathit{Succ}}_7\right]|⩽{\mathit{Adv}}_{\mathit{p}}^{\mathit{ECDL}}\left(\mathit{n}\right)$$

(8)

where $Ad{v}_p^{ECDL}\left(n\right)$ denotes the advantage whereby $\mathcal{A}$ breaks the (ECDLP) problem.

Game₉: This game simulates the case in which $\mathcal{A}$ tries to compute the session key; at this time, $\mathcal{A}$ no longer asks queries $Execute(·)$, $Send(·)$ and $Corrupt(·)$. However, given $A_3,A_4$ in the 320-bit elliptic curve, $\mathcal{A}$ cannot resolve $r_u,r_s$ to obtain $A_5$, based on the fact that no available PPT solution can be used to break the elliptic curve computational Diffie–Hellman (ECCDH) problem [34].

In particular,

$$|\mathrm{Pr}\left[{\mathit{Succ}}_9\right]-\mathrm{Pr}\left[{\mathit{Succ}}_8\right]|⩽{\mathit{Adv}}_{\mathit{p}}^{\mathit{ECCDH}}\left(\mathit{n}\right)$$

(9)

where $Ad{v}_p^{ECCDH}\left(n\right)$ denotes the advantage whereby $\mathcal{A}$ solves the (ECCDH) problem.

At present, $\mathcal{A}$ has no non-negligible advantage to guess b than $\frac{1}{2}$ and so $\mathrm{Pr}\left[{\mathit{Succ}}_9\right]=\frac{1}{2}$.

Hence, from Equations (1)–(9) and the triangular inequality, we obtain

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill Ad{v}_{\mathbb{S},\mathcal{D}}^{\mathcal{A}}& =2\mathrm{Pr}\left[{\mathit{Succ}}_1\right]-1\hfill \\ & =2\mathrm{Pr}\left[{\mathit{Succ}}_9\right]-1+2(\mathrm{Pr}\left[{\mathit{Succ}}_1\right]-\mathrm{Pr}\left[{\mathit{Succ}}_9\right])\hfill \\ & ⩽\frac{2q_h^2+6q_s}{2^{l_1}}+\frac{{(q_s+q_e)}^2}{p}+\frac{q_{\mathit{BKG}}{(·)}^2+2q_{\mathit{BKG}}(·)}{2^{l_2}}+\Delta \hfill \end{array}\end{array}$$

(10)

Thus, one can see that the PPT adversary $\mathcal{A}$ cannot break the semantic security of the session key with a non-negligible advantage $Ad{v}_{\mathbb{S},\mathcal{D}}^{\mathcal{A}}$ that is less than ($\frac{2q_h^2+6q_s}{2^{l_1}}+\frac{{(q_s+q_e)}^2}{p}+\frac{q_{\mathit{BKG}}{(·)}^2+2q_{\mathit{BKG}}(·)}{2^{l_2}}+\Delta$), where $\Delta =2(C^{\prime }{q}_{send}^{s^{\prime }}+Ad{v}_p^{ECDL}\left(n\right)+Ad{v}_p^{ECCDH}\left(n\right))$. □

4.2. Heuristic Analysis of the Protocol

Utilizing the heuristic analysis method [19], which is a widely recognized approach to assessing security without the need for complex mathematical formulas, provides a straightforward yet comprehensive examination of a scheme or protocol’s security aspects. This analysis demonstrates that the proposed protocol offers essential security features and is resilient against known cyber threats.

(1) Mutual Authentication: Based on the protocol’s login and verification phase, $U_i$ and $DG$ authenticate each other as $DG$ checks if $C_3^{*}=C_3$ and $U_i$ checks if $C_{13}^{*}=C_{13}$. $DG$ and $P{S}_j$ can authenticate each other bidirectionally by verifying whether $C_6^{*}=C_6$ and $C_9^{*}=C_9$, respectively. Therefore, the proposed protocol can recognize mutual authentication.

(2) Session Key Agreement: Session key agreement means that no one can solely pre-negotiate the session key. Specifically, given $SK=h\left(A_5\right|\left|PI{D}_i\right|\left|AVI{D}_j\right|\left|P{S}_j\right|\left|h\left(LT{K}_i\right)\right)$, it states that $SK$ must consist of $U_i$’s newly secret $r_u$ and $P{S}_j$’s timely secret $r_s$, so that no one can manipulate the session key.

(3) Forward Secrecy: This property guarantees that the security of the established session keys remains intact even if the long-term keys of $DG$ are compromised (for instance, through side-channel attacks, SCAs [30,35]). Despite an adversary’s potential knowledge of the long-term keys and subsequent secrets, the complexity of the ECCDH problem prevents the adversary from calculating the session key $SK$, thereby ensuring the protocol’s resilience in maintaining confidentiality over time.

(4) User Anonymity: User anonymity consists of the user’s identity protection, which cannot be discerned by the adversary, and the user’s un-traceability, which ensures that the adversary cannot distinguish whether two full sessions originate from the same user.

For identity protection, on one hand, in the registration phase, $U_i$ only sends the value $A_0$ to $DG$ and so there is no exposed identity information $I{D}_i$ that the adversary can extract, even if the adversary corrupts the $DG$. On the other hand, in the verification phase, $U_i$’s identity $I{D}_i$ has been perfectly embedded in $A_2^{new}$ and still cannot be obtained by the adversary.

For the user’s un-traceability, the randomness inherent in pseudonym $PI{D}_i$ eliminates any statistical properties that an adversary might exploit to determine whether two sessions originate from the same user, thus enhancing privacy.

(5) Processor Impersonation Attack: This attack [19] considers an inside adversary (e.g., the legitimate physician $U_i$). In this attack scenario, $U_i$ could grasp $P{S}_j$’s secret key $LT{K}_j$ via his own values ($LT{K}_i,A_4$) and then impersonate this $P{S}_j$ to create a forged session key for the next new $U_i^{new}$. Factually, in this proposed protocol, the adversary cannot grasp the secret value $LT{K}_j$ from $\left\{C_8,C_{10}\right\}$, since he/she has no secret value $r_g$ of $DG$. As a result, this attack is futile.

(6) Password Guessing Attack: As researched in [36], password guessing attacks can be divided into attack-I, where the adversary leverages the verification value in the smart card to guess the password, and attack-II, where the adversary uses the verification value in the public channel to guess the password.

For attack-I, even if the adversary knows verification values $A_1$, $A_2$ in the smart card, he/she cannot check the correctness of the guessed $P{W}_i^{*}$ and $I{D}_i^{*}$, since the congruence of the “modulus” operation in $HP{W}_i$ and $A_2$ and the limited “SUM” seriously affects the correctness of the guessed password of the adversary.

As for the adversary in attack-II, the password-related verification value is only attributed to $LT{K}_i$. Although the adversary obtains $LT{K}_i$ and even owns $A_1$, given the similar congruence of the “modulus” operation in $HP{W}_i$, he/she cannot verify the correctness of the guessed $P{W}_i^{*}$ and $I{D}_i^{*}$.

(7) De-Synchronization Attack: A de-synchronization attack may occur if the communication entities have to update any parameters upon the session key that has been established. However, this attack is impossible. Indeed, $U_i$ needs to change $LT{K}_i$ to $LT{K}_i^{new}$ and the corresponding $PI{D}_i$ to $PI{D}_i^{new}$, $\Delta S_{R{V}_i}$ to $\Delta S_{R{V}_i}^{new}$. Specifically, $U_i$ firstly recovers and names $LT{K}_i^{new*}$, $PI{D}_i^{new*}$, $\Delta S_{R{V}_i}^{new*}$ from $C_{11}$, $C_{12}$, and then checks if $h(PI{D}_i^{new*}\left|\right|\Delta S_{R{V}_i}^{new*}\left|\right|h(A_4^{*}\left|\right|S{K}^{*}\left)\right)=C_{13}$. If so, ‘$new*$’ is set to ‘$new$’. It is the verification of the correctness of $C_{13}$ that guarantees the synchronization update of $LT{K}_i$, $PI{D}_i$ and $\Delta S_{R{V}_i}$, since $U_i$ can instantly detect this attack once $h(PI{D}_i^{new*}\left|\right|\Delta S_{R{V}_i}^{new*}\left|\right|h(A_4^{*}\left|\right|S{K}^{*}\left)\right)$≠$C_{13}$.

(8) Replay Attack: In a replay attack, the adversary often sends old un-changed messages to try to pass the verification of entities. Indeed, random numbers $r,r_u,r_u^{\prime }$, $r_g$ and $r_s$ are chosen by $U_i$, $DG$ and $P{S}_j$, respectively. These random numbers ensure the freshness and independence of the exchanged messages in each session; therefore, there are no un-changed messages that can be used to initiate a replay attack.

(9) DoS Attack: In the proposed protocol, in order to render $DG$ unavailable (i.e., a DoS attack), the adversary can replay the old message $\left\{(PI{D}_i,P{S}_j,F_i\left(t\right),C_1,C_2,C_3,T_1)\right\}$ repeatedly. However, this attack can be effectively eliminated by $DG$ checking if the time gap between the current time $T_c$ and $T_1$ exceeds the set value $\Delta T$ (for example, 3 min). If so, $DG$ ignores this session. Further, even the adversary may change $T_1$ to make the time gap less than $\Delta T$; $DG$ also discards this session by finding the verification failure regarding value $C_3$, where $C_3$ can only be computed via the original $T_1$.

(10) Privileged Insider Attack: In this attack, the adversary (or even a corrupted $DG$) can extract the legitimate user’s identity information $I{D}_i$ in the registration phase. Factually, each $U_i$ in the proposed protocol sends an $A_0$ to $DG$, and $I{D}_i$ cannot be obtained, since the $I{D}_i$ has been encapsulated with $r\in Z_p$ and the “modulus” operation.

(11) Processor’s Node Capture Attack: An adversary capable of compromising a processor to obtain secret $LT{K}_j$ and associated values $A_3$ and $A_4$ still cannot compute the session key SK without solving the computationally difficult elliptic curve discrete logarithm problem [33].

(12) Session-Specific Temporary Information Attack: In this attack (also known as the ephemeral secret attack, ESL) [31], the adversary can learn the session key by obtaining nonces such as random numbers $r_u$ and $r_s$. However, in our scheme, apart from random numbers, the long-term information $LT{K}_i$ also constitutes the $SK$ and cannot be captured by the adversary.

5. Performance Analysis of the Proposed Scheme

In this section, we present a detailed performance analysis comparing our authentication protocol against seven recent alternatives. This includes a functionality comparison based on the criteria in

Table 3. Ten criteria for evaluation of authentication schemes.

†*	Ideal Attributes	‡*	Security Attributes
†1	Password friendly	‡1	User anonymity
†2	Sound repairability	‡2	No password exposure
†3	Provision of key agreement	‡3	Forward secrecy
†4	Mutual authentication	‡4	Resistance to known attacks
†5	No password verification table	‡5	No smart card loss attack

, outlined in

Table 4. Summary of functionality comparison among all authentication schemes.

Scheme	Ref.	No. Messages	Criteria
			${†}_{\mathbf{1}}$	${†}_{\mathbf{2}}$	${†}_{\mathbf{3}}$	${†}_{\mathbf{4}}$	${†}_{\mathbf{5}}$	${‡}_{\mathbf{1}}$	${‡}_{\mathbf{2}}$	${‡}_{\mathbf{3}}$	${‡}_{\mathbf{4}}$	${‡}_{\mathbf{5}}$
$\mathrm{Srinivas}\mathrm{et}\mathrm{al}.$	[10]	$\mathbf{3}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbf{N}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbf{N}$	$\mathbb{Y}$	$\mathbf{N}$	$\mathbf{N}$
$\mathrm{Aghili}\mathrm{et}\mathrm{al}.$	[11]	$\mathbf{4}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbf{N}$	$\mathbf{N}$	$\mathbf{N}$	$\mathbf{N}$
$\mathrm{Banerjee}\mathrm{et}\mathrm{al}.$	[12]	$\mathbf{3}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbf{N}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbf{N}$	$\mathbf{N}$	$\mathbf{N}$	$\mathbf{N}$
$\mathrm{Kumar}\mathrm{et}\mathrm{al}.$	[13]	$\mathbf{3}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbf{N}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbf{N}$	$\mathbf{N}$	$\mathbb{Y}$
$\mathrm{Alzahranl}\mathrm{et}\mathrm{al}.$	[14]	$\mathbf{4}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbf{N}$	$\mathbf{N}$	$\mathbf{N}$	$\mathbf{N}$
$\mathrm{Yao}\mathrm{et}\mathrm{al}.$	[15]	$\mathbf{5}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbf{N}$	$\mathbf{N}$	$\mathbf{N}$	$\mathbf{N}$	$\mathbb{Y}$	$\mathbf{N}$	$\mathbf{N}$
$\mathrm{Soleymani}\mathrm{et}\mathrm{al}.$	[16]	$\mathbf{6}$	—	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$	—	$\mathbf{N}$	—	$\mathbb{Y}$	$\mathbf{N}$	—
$\mathbf{Our}\mathbf{scheme}$	—	$\mathbf{4}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$	$\mathbb{Y}$

, as well as an evaluation of the storage, communication and computational costs, detailed in

Table 5. Comparisons of storage, communication and computational costs among eight authentication schemes.

Scheme	Ref.	Storage Cost: bits			Communication Cost: bits			Computational Cost: ms
		$\mathbf{User}$	$\mathbf{DG}$	$\mathbf{PS}$	$\mathbf{User}$	$\mathbf{DG}$	$\mathbf{PS}$	$\mathbf{User}$	$\mathbf{DG}$	$\mathbf{PS}$
$\mathrm{Srinivas}\mathrm{et}\mathrm{al}.$	[10]	${2208}^{★}$	$384n_s+{3072}^{★}$	$512n_u+{384}^{★}$	800	1056	1056	$9.952$	$9.042$	$2.184$
$\mathrm{Aghili}\mathrm{et}\mathrm{al}.$	[11]	${1312}^{★}$	$512(n_u+n_s)+160$	288	1472	1344	448	$2.184$	$2.548$	$0.728$
$\mathrm{Banerjee}\mathrm{et}\mathrm{al}.$	[12]	1408	$128n_s+160$	416	416	160	544	$1.822$	$0.913$	$0.365$
$\mathrm{Kumar}\mathrm{et}\mathrm{al}.$	[13]	1440	$256n_s+160$	256	416	160	544	$1.275$	$1.095$	$0.366$
$\mathrm{Alzahranl}\mathrm{et}\mathrm{al}.$	[14]	1536	$128n_s+160$	416	704	704	416	$2.369$	$1.094$	$0.367$
$\mathrm{Yao}\mathrm{et}\mathrm{al}.$	[15]	128	$128n_s{n}_u+896(n_u+n_s)+160$	$256+384n_u^{★}$	1216	1568	3104	$3.018$	$3.746$	$4.97$
$\mathrm{Soleymani}\mathrm{et}\mathrm{al}.$	[16]	320	$864n_s+160$	864	800	2208	544	$2.98$	$3.708$	$2.98$
$\mathbf{Our}\mathbf{scheme}$	—	$128n_{p{s}_u}+800$	$128n_{ps}+320$	256	1344	2080	1216	$3.352$	$3.823$	$2.836$

★ Here, we do not additionally evaluate the storage costs for the following functions stored: hash h(·) [10], biohash h_Bio(·) [11,15] and PUF(·) [15].

.

(1) Functionality Analyses

To evaluate the scheme’s advantages and disadvantages in functionality, we adopt the widely accepted 10 criteria [17], containing five ideal (†_*) attributes and five security (‡_*) attributes, as described in Table 3. The ‡₄ states that certain attacks, namely password guessing attacks, privileged insider attacks, de-synchronization attacks, replay attacks, stolen verifier attacks, node impersonation attacks, processor’s node capture attacks, DoS attacks and session-specific temporary information attacks, with the exception of breaking the user’s smart card, cannot be effectively initiated by the adversary with all capabilities.

In Table 4, for the evaluation of †₁ to †₅, we can see that all schemes satisfy †₁, †₂ and †₃, i.e., they are password friendly, have sound repairability and provide key agreement. However, †₄, †₅ differ from the three initially discussed. Specifically, for †₄, the scheme of [10,12,13,15] cannot meet this important mutual authentication requirement, because the number of messages (3 or 5) in their scheme does not guarantee that the entities can verify one another’s identities. As for †₅, only scheme [15] retains more password-related parameters in the server (or drone gateway) and inevitably results in threats to the password security.

Concerning the five security attributes labeled ‡₁ through ‡₅, no existing scheme successfully implements them all. Specifically, regarding ‡₁, which pertains to user anonymity, the scheme in [15] is lacking. In the scheme in [15], users directly provide their unmasked identities during the registration phase at the registration center. If the gateway is compromised, the users’ anonymity is subsequently at risk. In contrast, our scheme enhances the security by utilizing public key cryptography for attributes ‡₃ and ‡₄; modular arithmetic for attributes ‡₂, ‡₄ and ‡₅ and a timestamp mechanism for ‡₄, thus ensuring robust security measures.

(2) Overhead Comparisons

To facilitate detailed comparisons of the overhead,

Table 6. The reference length of all terms.

Symbols	bits
hash value $\left(h\right)$	256 [37]
ECC point $\left(p\right)$	320 [33,35]
counter $\left(SUM\right)$	32
timestamp $\left(t\right)$
modulus $\left(n_0\right)$
secret key $\left(x\right)$	160
random/nonce $\left(r\right)$
biometric key generation $\left(BKG\right(·\left)\right)$
user’s/processor’s identity $\left(ID\right)$	128
tolerance error value $\left(tev\right)$
symmetric ciphertext size $\left(enc\right)$
public reproduction parameter $\left(prp\right)$

establishes a reasonable reference length for all necessary terms. It is important to note that, according to NIST’s recommendations [23,37], SHA-256 is a collision-resistant hash function suitable for DloV. As for the ECC, in this paper, due to the limited resources of DloV devices, we target the ECC with 80-bit security (i.e., the length of the ECC key is 160 bits). Moreover, our scheme can be easily extended to 128-bit security (i.e., the length of the ECC key will be 256 bits); in this case, one might use future versions of NVIDIA DRIVE AGX Orin [38], which is a high-performance on-board processor.

Subsequently, for the eight authentication schemes, Table 5 presents comparisons of the storage costs, communication costs and time consumption. Additionally, although there are no existing protocols that incorporate access control for the DIoV, several research works on authentication with access control for medical scenarios are available. These can serve as valuable references for the development of authentication with an access control scheme for the DIoV. We have chosen to compare these medical-oriented schemes with our newly designed scheme. Therefore, the costs incurred at the gateway are considered equivalent to those on the DG, and the costs at the sensor node are analogous to those on the processor (PS).

For the storage costs consumed, e.g., in computing the storage costs in our scheme, it is the sum of the sizes of parameters {$PI{D}_i,BKG(·),A_1,A_2,EI{D}_i,F_i\left(t\right),SUM$} that the user stores. With the reference length in Table 6, the storage costs of the user can be calculated as $|PI{D}_i|+|A_1|+|A_2|+|EI{D}_i|+|F_i\left(t\right)|+|SUM|=128n_{p{s}_u}+800$ bits, where $n_{p{s}_u}$ is the number of processors that the user can be allocated to query authentication, and the size of biometric key generation function $BKG(·)$ does not need to be quantized.

Similarly, regarding the user storage costs in other schemes, the schemes of Yao et al. (128 bits) [15] and Soleyma et al. (320 bits) [16] have lower storage costs than the other six schemes. As for the DG’s storage resources that need to be consumed to realize authentication with access control, this value is inevitably influenced by the two parameters $n_u$ (the number of users) and $n_s$ or $n_{p{s}_u}$ (the number of medical sensor nodes or processor nodes that the user can be allocated to run authentication), and the cost in our scheme is $128n_{p{s}_u}+320$ bits. Thus, the more processors that are involved in authentication, the more storage resources will be consumed. In evaluating the processor’s storage costs, our scheme and others, with the exception of the schemes proposed by Srinivas et al. [10] and Yao et al. [15], demonstrate efficient storage utilization. Notably, our scheme holds a significant advantage in comparison to the seven state-of-the-art alternatives.

Regarding the communication costs, our scheme incurs higher overheads for the user and the drone gateway (DG), requiring 1344 bits and 2080 bits, respectively, to ensure secure authentication. The processor’s communication costs in our scheme, amounting to 1216 bits, are competitive with those of other schemes.

Regarding the comparison of the time consumed in all eight schemes, recent research [39] shows that the running time for ECC point multiplication is 0.508 ms; symmetric encryption and decryption (AES-128) take about 0.00054 ms each and a hash function (SHA-256) takes about 0.182 ms [23], and this value can be regarded as the runtime of $BKG(·)$. In [13], a PUF operation takes 0.43 ms. Note, that although the running times of these operations were tested in different works, this does not affect the results of the comparison, and the chosen approach has been widely utilized in previous works.

Based on Table 5, to secure the agreed session key, the time consumed by the user is 3.352 ms, which is reduced by 66% compared with Srinivas et al.’s scheme [10]. The time taken by the DG to complete user and processor authentication is 3.823 ms. To establish a robust session key with forward secrecy, leveraging Diffie–Hellman key exchange technology [15,40], the processor in our scheme requires 2.836 ms, which is a significant 43% reduction compared to Yao et al.’s scheme [15].

Overall, our scheme excels or is at least competitive in terms of the storage, communication and computational time costs, setting a benchmark for efficiency that other schemes struggle to meet, particularly in addressing security vulnerabilities.

6. Conclusions

Our authentication mechanism, tailored to the service type of rescue vehicles, ensures that only authorized users can achieve mutual authentication with a designated processor, thereby enhancing user privacy and data protection. By balancing security with performance, we have developed a more efficient and robust authentication protocol with access control. The command center (CC) specifies the access control, processed by the DG, allowing rescue vehicle users to authenticate and negotiate session keys with the designated processor (PS). The security analysis confirms the protocol’s capability for mutual authentication, ensuring the session key’s forward secrecy and maintaining users’ anonymity. The performance analysis further reveals the protocol’s efficiency and cost-effectiveness, particularly highlighting a significant reduction in operational time by at least 66% compared to recent proposals [10]. At present, fog computing [41,42] represents a novel paradigm; it can effectively enhance latency-sensitive applications such as catastrophe management and content transference applications. Thus, our future research will focus on developing an authentication encryption protocol to secure data communication within fog computing environments.