A Low-Complexity Security Scheme for Drone Communication Based on PUF and LDPC

Abstract

Due to the limited payload and power of drones, the computational overhead, storage overhead and communication overhead that can be used for secure communication are restricted, making it difficult to apply some complex but fairly secure authentication protocols on drones. In this paper, we propose a low-complexity protocol for storing identity information in a resource-unconstrained device that does not require the UAV to store the information, thereby enhancing the UAV’s resistance to capture. The protocol in this paper mainly consists of quasi-cyclic low-density parity-check (QC-LDPC) codes, physical unclonable functions (PUFs) based on random-access memory (RAM), “XOR” operations, and hash computation. The protocol in this paper is an authentication architecture in which the drone is guided by the ground station to read its identity information, and the drone does not store any identity information in advance. The protocol is divided into two phases: 1. fuzzy authentication of fingerprint PUF and 2. uniqueness authentication accomplished while guiding the recovery of identity PUF. Recovering identity PUF in this paper, QC-LDPC is used as the error control module, and the optimization of bit-flip decoding significantly reduces the probability of decoding failure. After the comparative security analysis and comparative overhead analysis of this paper’s protocol, it can be concluded that this paper’s protocol can withstand common attacks (including attacks attempting to pass authentication, attacks attempting to interfere with authentication, and physical capture attacks), and the storage and communication overhead is small in the case of large time overhead.

1. Introduction

Ad hoc network drones are increasingly used in various fields, for example, to locate people, drop supplies, and relay communications after natural disasters, but also to monitor some high-risk environments, crop growth, and traffic conditions. However, generic ad hoc network protocols allow devices with the same interface to connect freely. Therefore, some unethical manufacturers have illegally obtained program source code through invasive attacks, creating illegal devices that can join real drone networks. These counterfeit devices can easily access the private local area network (LAN) of drone groups, posing a significant threat to the information security of some sensitive data. Due to limited drone resources, it is difficult to apply complex security protocols in networked drones.

The physical unclonable function (PUF) is an emerging hardware security primitive that utilizes intrinsic device variations introduced by uncontrollable manufacturing processes as a unique digital identifier; it is used for the authentication and identification of Internet of Things (IoT) devices [1]. As PUFs do not support open-access protocols, the existing attacks against PUFs mainly rely on invasive or semi-invasive techniques [2]. Physical access to the target device is expensive; so, in some common drone groups, a lightweight PUF-based authentication protocol is used, such as that in [3,4,5,6,7]. Extracting the PUF as a device fingerprint using the MCU’s on-chip SRAM is an efficient and cost-effective method for manufacturers.

However, SRAM flips some of its bits every time it is powered up; so, it needs to use error coding to generate a stable PUF. Error correction code (ECC) modules used in NADN flash are based on Hamming or BCH codes [8,9,10,11], as flash chips are subject to a small number of bursty errors. However, with the increase in chip integration, its stability gradually decreases, and more powerful error correction codes with higher performance are needed, for example, by using multiple coding cascades. However, RAM-based PUFs are more than 10% unstable, and the cascading code scheme is a huge cost for resource-constrained drones. With the development of 4 G/5 G communication in the past decade, the research on LDPC codes has significantly matured, and they are also applied in error control for flash chips or solid-state drives, such as in [12,13,14]. Compared to BCH codes, low-density parity check (LDPC) codes have better performance and faster, simpler encoding/decoding methods, and can be adapted to different code lengths.

Table A1. Definition of abbreviations.

Abbreviation	Definition
LAN	Local Area Network
PUF	Physical Unclonable Function
IoT	Internet of Things
IoD	Internet of Drones
SRAM	Static Random-Access Memory
ROM	Read-Only Memory
BCH	Bose, Ray-Chaudhuri, Hocquenghem
MCU	Micro Control Unit
ECC (in related works)	Elliptical Curve Cryptography
ECC (others)	Error Correction Code
QC-LDPC	Quasi-Cyclic Low-Density Parity Check
UAV	Unmanned Aerial Vehicle
LBC	Linear Block Code
BSC	Binary Symmetric Channel
AWGN	Additive White Gaussian Noise
OLSR	Optimized Link State Routing
GS	Ground Station
P2P	Peer-to-Peer

lists the abbreviations used in this paper, and the contributions of this study mainly include the following:

(1)

A secure communication scheme using on-chip RAM as PUF is proposed to extract the PUF and authorize it to the drone under the guidance of the ground station, which greatly enhances the drone’s ability to resist physical capture.

(2)

A scheme to recover the original PUF using QC-LDPC with lower storage requirements is proposed, and the structural requirements of the coding matrix and special decoding algorithm are given to improve the security of the authentication process.

(3)

The challenge of offering half of the authentication parties and utilizing the response as a medium for negotiating the secret key is proposed, which greatly enhances the ability of the PUF to resist machine learning.

2. Related Works

In recent years, researchers have proposed several lightweight authentication schemes for the IoT to ensure the security and privacy of IoT. In [15], Wazid et al. introduced several security challenges along with necessary security requirements for IoD environments and designed a user authentication scheme for IoD. Ali et al. [16] presented an enhanced authentication scheme for IoD. However, none of the above authentication schemes are secure against physical capture attacks. Because secret information required for authentication is stored in the drone’s physical memory, an adversary can easily extract this critical information and perform various attacks.

Asymmetric encryption solves the above problem very well; for example, Won et al. [17] proposed an elliptical curve cryptography (ECC)-based certificate authentication scheme for IoD. Nikooghadam et al. [18] presented an ECC-based secure and lightweight authentication scheme for IoD. Rodrigues et al. [19] presented an ECC-based authentication method for UAV communication. Dogan et al. [20] proposed an ECC-based authentication protocol to provide mutual authentication between UAV and base station devices. Tanveer et al. [21] devised an authentication scheme for IoD which employs a hash function and authenticated encryption with associative data (AEAD). All of the above schemes use elliptic curve encryption, but this requires a high computational and communication overhead margin for resource-constrained edge devices such as drones.

To meet the resource-constrained requirements of drones, the use of PUFs in authentication schemes for IoD has become a popular research direction. Alladi et al. [22] proposed a PUF-based authentication scheme. Bansal et al. [23] designed a similar scheme. Alladi et al. [24] proposed a lightweight mutual authentication scheme based on PUF, which includes drone–GS authentication and drone–drone authentication. None of the papers mentioned above protect challenge–response pairs. Pu et al. [25] proposed a lightweight authentication protocol for UAVs using PUFs and chaotic systems to protect the communication between drones and the GS. However, each drone’s PUF challenge-response pair is stored in its memory.

Almost all of these PUF-based papers assume that the PUF is stable, i.e., inputting the same challenge always produces the same response; otherwise, the hashing operation on the response becomes meaningless. Any PUF needs to be recovered before it is used, and the information used to recover the PUF is necessarily recorded in non-volatile memory, which can give away information about the PUF to attackers.

Table 1. Summary of related works.

Paper	Works	Dependency	Disadvantages
Wazid et al. [15]	Introduced a user authentication scheme for IoD	Biometrics	Cannot resist physical capture attacks
Ali et al. [16]	Presented an enhanced authentication scheme for IoD	Biometrics	Cannot resist physical capture attacks
Won et al. [17]	Proposed an authentication scheme for IoD	ECC	Requires significant computational and communication overhead
Nikooghadam et al. [18]	Presented a lightweight authentication scheme for IoD	ECC	Requires significant computational and communication overhead
Rodrigues et al. [19]	Presented an authentication method for UAV communication	ECC	Requires significant computational and communication overhead
Tanveer et al. [21]	Devised an authentication scheme for IoD	ECC	Requires significant computational and communication overhead
Alladi et al. [22]	Proposed an authentication scheme	PUF	Assumes that the PUF is stable
Bansal et al. [23]	Designed an authentication scheme	PUF	Assumes that the PUF is stable
Alladi et al. [24]	Proposed a lightweight mutual authentication scheme	PUF	Assumes that the PUF is stable
Pu et al. [25]	Proposed a lightweight authentication protocol for UAVs	PUF	Assumes that the PUF is stable

summarizes some of the important related works.

3. Security Architecture

3.1. System Model

Secure communication requires the generation of session keys, and mutual authentication between both parties is needed before the generation of the keys. However, authentication protocols typically require both parties to store some information for authentication, which means that each drone in the fleet needs to store the identity information of the entire fleet. The number of drones directly affects the storage cost. The existing key generation algorithms, such as RSA, ECC, etc., are considered to be quite secure, and they pose a great challenge to the computing power and storage of drones when there are a large number of drones involved in P2P communication. Generally speaking, in the entire networked drone system, drones are the most vulnerable to attacks, especially when they are executing missions in the field and are susceptible to physical capture. If the program stored in the non-volatile read-only memory of drones is compromised, the identity information (local and fleet information) and simple key generation algorithms stored in ROM for authentication will be cracked, posing a great threat to the entire network of drones. This study proposes using the ground station as the authentication core to guide drones to read their ID for authentication. Other than a one-time key, the drones store minimal information.

3.1.1. Network Model

The group of drones assumed in this study is shown in Figure 1. The registration of the drones and the access of the GS to the database are both considered to be carried out over secure channels. We assume that the base station and the database are resource-unconstrained, so communication between the database and the GS uses a recognized high level of security with authentication and encryption systems by default. The database is considered secure, and when the administrator assigns a task to the drone fleet, the GS can only access the information of the drone specified by the administrator. The drone does not store any information, while the database does store all the data. With such an architecture, the attacker’s attack shifts to high-performance devices, which significantly increases the difficulty of the attack.

The drones in the fleet establish a local area network using ad hoc protocol and do not have interfaces to open networks such as the Internet. The LAN is constructed through various types of frames for neighbor listening and link perception. Apart from network topology-related information being disseminated through flood broadcasting, specific data information is communicated in a P2P manner with the use of P2P secret keys. For example, Drone A needs to send a message to Drone B. If A uses a P2P secret key between A and B, then neither the other drone nor the GS can receive the message. The ad hoc protocol still retains the feature that allows arbitrary joining, permitting newly authorized drones to join the mission midway through. However, the drone communication channel is considered to be an open channel that can be freely monitored and potentially attacked. In addition, this LAN uses a distributed network with P2P communication, and gateway drones are introduced to become a clustered networking system when the number is high to reduce the storage overhead of P2P secret keys.

The communication distances of the drones and the GS are all limited and subject to link instability, leading to packet loss. Therefore, all the drones are within the communication range of the GS when drones take off. The drones need to transmit status information back to the GS at regular intervals so that the GS can recall the drones that work abnormally in time. For the drones that broadcast the recall, the remaining drones update the communication secret key set.

3.1.2. Authentication Model

Based on the above networking model, an authentication model is proposed. All the legal drones are registered in the database with a set of data consisting of a static key $ke{y}_i$, a communication address $IP$, a fingerprint PUF $P_{fp}$, an ID, and extraction information of identity PUF $P_{ID}$. The registration scheme is shown in

Table 2. Registration procedure.

Registration Procedure
Step 1: Analyze the usage of the on-chip memory of the target drone and select an uninitialized RAM segment that is as long as possible.
Step 2: Repeat power-up 100 times to detect the distribution of unstable bits in this segment and select a more stable 64-byte contiguous segment as the $P_{fp}$. Choose a more stable segment to extract the 32-byte ID and record all bit changes in this segment.
Step 3: Starting with the first bit of the segment used to extract the ID, if 90% of the records in that bit are “1” or “0”, then record it in the $ID$, otherwise record it as an unstable set $S_{us}$, until the length of the $ID$ reaches 32 bytes. Record the starting address $start$ of the segment and use the total length $len$ for registration.
Step 4: Record the starting position of the $P_{fp}$ and its length in the drone’s program, along with a static secret key $ke{y}_i$.
Step 5: Since the stability of the bits of the ID is classified according to a threshold, the bits that are still unstable need to be powered up again several times to test them and recorded in the set $S_{pus}$ of predicted unstable bits.
Step 6: Record the registration information in the database in the format $\{IP,ke{y}_i,P_{fp},start,len,S_{us},ID,S_{pus}\}$.

. Before the drones execute tasks, the GS and the drones authenticate each other, and authentication only occurs once at takeoff. The authentication scheme is shown in

Table 3. Authentication scheme.

Step	Drone	Channel	GS
1	Pending accreditation.		Access the database to obtain the registration information for the drone requested. $\{IP,ke{y}_i,P_{fp},start,len,S_{us},ID,S_{pus}\}$
2	If the time has not expired, then continue; Solve the $fp$ extraction offset $a$; Split the fingerprint into 128 parts at 4 bits; Generate 4 numbers, $b_i$, such that ${\displaystyle {\sum }_{i=1}^4{b}_i=256,b_i=8}$.	$\leftarrow (a,T_1)\oplus ke{y}_i$	Solve the random number $g$; Calculate the hash of the $g$; Generate 4 signed random numbers $a_i\in [-128:127],i=1,2,3,4$; Add a timestamp; Send $a=(a_1|\left|a_2\right|\left|a_3\right||a_4)$ to drone.
3	Read $b_i$ bits from position $a_i$; e.g., $a=-10,b=50$ means reading 50 cells forward from the 10th cell; Sequentially splice into $\widehat{fp}$. Add a timestamp; Send it to GS.	$(\widehat{fp},T_2)\oplus ke{y}_i\to$	If the time has not expired, then continue; The reading position and direction can be known from $a_i, \mathrm{and} b_i$ can be calculated quickly from $P_{fp}$; Based on $a_i$ and $b_i$ one can generate $fp$ with $P_{fp}$; Compare $fp$ and $\widehat{fp}$; if the similarity reaches a threshold, e.g., $>75\%$, the authentication passes.
4	If the time has not expired, then continue; Calculate the hash of the $b$; Solve the extraction information; Extract the $\widehat{ID}$ with the power-on disturbance.	$\leftarrow h(b)\oplus (start,len,S_{us},T_3)$	If uniquely authenticated, calculate the hash of $b=(b_1|\left|b_2\right|\left|b_3\right||b_4)$; Send the ID extraction information and add a timestamp.
5	Generate noise $n,m$; Encrypt the $\widehat{ID}$ and a noise with $n$; Add a timestamp, and add verification information.	$\widehat{ID}\oplus n,n\oplus m,T_4,h(b,T_4)\to$	If the time has not expired, then continue; According to the predicted unstable set $S_{pus}$, add a few perturbations $\delta$ to the registration $ID$ to make it $I{D}_{\delta }$; Solve for $\widehat{n}=I{D}_{\delta }\oplus (\widehat{ID}\oplus n)$ with $ID$; Solve for $\widehat{m}=\widehat{n}\oplus (n\oplus m)$ with $\widehat{n}$.
6	If the time has not expired, then continue; Solve for ${\widehat{C}}_{\delta }=m\oplus (C_{\delta }\oplus \widehat{m})$ with $m$; Stitch the $\widehat{ID}$ and parity information ${\widehat{C}}_{\delta }$ to form a complete codeword; Use the ECC module to correct the codeword: $[I{D^{\prime }}_{\delta },{C^{\prime }}_{\delta }]=ECC(\widehat{ID},{\widehat{C}}_{\delta })$.	$\leftarrow C_{\delta }\oplus \widehat{m},k\oplus h(C_{\delta }),T_5,h(b,T_5)$	The parity information $C_{\delta }$ is obtained for $I{D}_{\delta }$ encoding; Generate noise $k$; Calculate the hash of the $C_{\delta }$; Send parity information $C_{\delta }$ encrypted with $\widehat{m}$ and the noise encrypted with $h(C_{\delta })$; Add a timestamp and verification information.
7	Solve for $k^{\prime }={C^{\prime }}_{\delta }\oplus (k\oplus C_{\delta })$ with ${C^{\prime }}_{\delta }$; Calculate the hash of the $k^{\prime }$; Send the restored $I{D^{\prime }}_{\delta }$ encrypted with $h(k^{\prime })$.	$h(k^{\prime })\oplus (I{D^{\prime }}_{\delta },T_6)\to$	Calculate the hash of the $k$; If $k^{\prime }\ne k$, the timestamp is garbled; If the time has not expired, then continue; Solve for $I{D^{\prime }}_{\delta }=h(k)\oplus (h(k^{\prime })\oplus I{D}_{\delta })$ with $h(k)$; If $I{D^{\prime }}_{\delta }$ and $I{D}_{\delta }$ are identical, the authentication is successful.
8	A temporary secret key is created.	$\stackrel{h(I{D}_{\delta }|\left|k\right||C_{\delta })}{\leftrightarrow }$	A temporary secret key $ke{y}_{temp}$ is created.

.

The fingerprint PUF consists of a 64-byte contiguous sequence in RAM, while the ID PUF is a 32-byte sequence of discontinuous RAM segments. The PUF based on RAM belongs to weak PUFs. Therefore, this study uses random position, random direction, and random length as challenges for the PUF. The read position and read direction are provided by the GS (vector $a$ in Table 3), while the read length for each position is provided by the drone (vector $b$ in Table 3). The drone strings the read sequence into a 32-byte fingerprint $\widehat{fp}$ and sends it to the GS, which computes the challenge given by the drone based on the database and uses the hash value of that challenge as the secret key $h(b)$ for the next stage. Considering that the fingerprint PUF is limited, a static secret key $ke{y}_i$ is reserved in the drone since static secret keys are easily readable. Therefore, during the first stage of authentication, GS tags the drone information associated with the key to prevent counterfeit drones.

In Table 3, it should be noted that in the second step, GS generates four 1-byte signed numbers with a maximum representation range of −128 to 127, with the sign $\mathrm{sgn}(a)$ representing the direction of the read and $\left|a_i\right|$ representing the read position (offset from the start address). However, the fingerprint PUF has 64 bytes (512 bits), so it is necessary to divide the PUF into cells of 4 bits each. The advantage of this is not only that GS only needs to perform a hexadecimal convolution of the fingerprint when matching the fingerprint, which saves 3/4 of the time compared to a unit convolution, but also that the drone can send it directly in hexadecimal, eliminating the process of converting binary strings to hexadecimal arrays. To make the GS more efficiently matched, this paper requires that the random length be no shorter than 8 cells (32 bits). In the fifth step, the method of adding perturbations δ to GS is discussed in detail in Section 3.4.2. In the sixth step, the reason why $[I{D^{\prime }}_{\delta },{C^{\prime }}_{\delta }]=ECC(\widehat{ID},{\widehat{C}}_{\delta })$ is discussed in detail in Section 3.4.1. It is important to note in particular that the identity PUF is used for the second stage of authentication, where the power-up current is the challenge and the $\widehat{ID}$ is the response (the ID used for enrollment in Table 2 is one of its responses).

The network access permission for a drone is determined by second-stage authentication, while first-stage authentication ensures that the extraction information during second-stage authentication is difficult to steal, and if stolen, it can ensure that the network formation of the other drones remains secure. If an authorized situation occurs during authentication, the GS should not send the broadcast key to the drone, and the ground station needs to report to the database to permanently blacklist all its information. If the drone wants to continue using the network, it needs to re-register with completely new authentication information in the database. After successful authentication, the ground station informs the drone of the current broadcast key using the generated temporary key. The latest communication key seed set is then broadcasted across the entire network using the broadcast key, which is related to the ground station and all the authorized drones of the current mission. After flood broadcasting, the newly authorized drone can access the network normally. For the recalled drone with abnormal work, if it does not return within the specified time, the GS regards it as lost and informs the database to block its registration information.

3.1.3. Communication Model

Based on the above authentication results, the following communication scheme is proposed. All the frames used for data transmission and network formation are encrypted. If it is a P2P transmission, the corresponding key is used; if it is a broadcast frame, a broadcast-exclusive key, $ke{y}_{bc}$, is used. The GS regularly updates the group broadcast key through flood broadcasting. After successful authentication, a one-time key, $ke{y}_{temp}$, is generated based on the authentication information, and the GS uses this key to inform the newly authorized drone of the current broadcast key. Once the drone receives the current broadcast key, both parties abandon $ke{y}_{temp}$.

Considering the impact of the number of drones on storage, a 4-byte session key seed is used for P2P communication. In addition, during clustered networking, the drones only need to store the internal communication keys of the gateway. The gateway drones need to store the additional session key seeds of the other gateway drones. Based on the current authorized number of drones $n$, the GS generates a collection of 4-byte random numbers (including the communication with the GS) to form a key seed set $s=\{I{P}_{new},I{P}_1,s_1,\dots ,I{P}_n,s_n\}$ and broadcasts it to the entire network using the broadcast key. All the authorized drones add keys for communication with the newly authorized drones based on their own IP_i. The newly authorized drones record the broadcast key in RAM. Therefore, each drone has a key collection $s_i=\{ke{y}_{bc},s_{toGS},I{P}_j,s_{toI{P}_j}\},1\le j\le n,j\ne i$, recorded in RAM. Note that the neighboring secret key seed broadcast by the BS is only 32 bits; therefore, it is only used for the first P2P communication and has a single lifetime.

The lifetime of the secret key of a P2P session is related to the link state, e.g., two parties with a robust link means that the distance is close and the communication is more frequent, and the secret key lifetime is appropriately reduced to increase security. If the link is stable, both P2P parties pass the current secret key as a random seed into the same random number generator (e.g., to compute the hash value of the old secret key); if the link is unstable, the secret key lifetime can be calculated via the parties informing each other of the packet loss rate, and the negotiation accompanied by the link state information in the network topology frame not only reduces the overhead of secret key negotiation but also avoids the risk of secret key exposure. From a global perspective, the key seed set used for P2P communication is an adjacency matrix with the originating drone in the vertical coordinate and the receiving drone in the horizontal coordinate, as seen in Formula (1), where ${\widehat{s}}_{I{P}_n}$ is the key set removes the broadcast key $ke{y}_{bc}$. The keys vary to different degrees based on the number of sessions between the drones (it could be a 256-bit secret key or a 32-bit initial seed), as seen in Formula (2). For example, coordinates $(1,3)$ represent $a$ iterations of the communication key between Drone $D_1$ and Drone $D_2$, and since the secret key is symmetric, the secret key for coordinate $(2,2)$ is also iterated $a$ times. In fact, a P2P secret key is a dynamic secret key that undergoes constant iteration with the number of communications.

$$S=\left[\begin{array}{c}{\widehat{s}}_{I{P}_1}\\ {\widehat{s}}_{I{P}_2}\\ ⋮\\ {\widehat{s}}_{I{P}_n}\end{array}\right]=\left[\begin{array}{ccccc}{s}_{G{S}_1}& & s_{I{P}_2}& \cdots & s_{I{P}_n}\\ s_{G{S}_2}& s_{I{P}_1}& & \cdots & s_{I{P}_n}\\ ⋮& ⋮& ⋮& & ⋮\\ s_{G{S}_n}& s_{I{P}_1}& s_{I{P}_2}& \cdots & \end{array}\right]$$

(1)

$$\to \widehat{S}=\left[\begin{array}{cccccc}{s}_{G{S}_1}^{(d)}& & s_{I{P}_2}^{(a)}& \cdots & s_{I{P}_n}^{(b)}& s_{I{P}_{new}}^{(1)}\\ s_{G{S}_2}^{(e)}& s_{I{P}_1}^{(a)}& & \cdots & s_{I{P}_n}^{(c)}& s_{I{P}_{new}}^{(1)}\\ ⋮& ⋮& ⋮& & ⋮& ⋮\\ s_{G{S}_n}^{(f)}& s_{I{P}_1}^{(b)}& s_{I{P}_2}^{(c)}& \cdots & & s_{I{P}_{new}}^{(1)}\\ s_{G{S}_{new}}^{(1)}& s_{I{P}_1}^{(1)}& s_{I{P}_2}^{(1)}& \cdots & s_{I{P}_n}^{(1)}& \end{array}\right]$$

(2)

3.1.4. Implementation

This study uses two STM32F407-DISCOVERY (STMicroelectronics, China, www.st.com/en/evaluation-tools/stm32f4discovery.html (accessed on 1 May 2024)) boards (operating at a frequency of 168 MHz, with 128 KB of RAM) to simulate drones, with a Raspberry Pi 3 (RP3) simulating the ground station. An Arduino MEGA board and relays are used for automated power control, which can work with the RP3 for automated ID extraction. The RP3 development environment runs on Python 3.10 under Linux, with a text-based database. The development boards utilize the Keil MDK 5.24 integrated development environment, which includes online simulation functionality for easy monitoring of resource usage, memory allocation, and processing speed, particularly when calculating the extraction position of the PUF.

3.2. ID Extraction

In Table 2, it is important to note that the distribution of stack memory in different types of microcontrollers varies, and there is no unique extraction position or method. Typically, after the $.bss$ segment and the $.data$ segment, the heap space is incrementally allocated from the lowest address, while the stack space is decremented from the highest address. For example, in the Arduino MEGA, the stack is located on both sides of memory; so, extraction requires identifying the midpoint between the maximum heap space and maximum stack space, which may necessitate re-registration when updating the main program of the device. However, for the STM32F407 used in this study, by examining the memory mapping file (.map) generated during the compilation of the Keil project, it is found that RAM1 has a total size of 0x1c000 (112 KB) and RAM2 has a total size of 0x4000 (16 KB). RAM1 has a base address of 0x20,000,000, with a heap space of size 0x200 (512 B) at an offset of 0xd8 from the base address, and a stack space of size 0x400 (1024 B) at an offset of 0x2d8. Therefore, we choose 128 bytes from the end of RAM1 (from 0x2001c000 to 0x2001bf80) to be used to extract the fingerprint PUF and identity PUF.

In the above RAM segment, 64 bytes near the end of the RAM are used to extract the identity PUF, the remaining 64 bytes are used as the identity PUF, and the start position of the identity PUF is recorded in the drone. The RAM fragment used for the identity PUF is subjected to 100 power-ups to test the stability of each bit. It is found that the number of unstable bits exceeds $\alpha =20\%$. These 100 sets of data are labeled stable bits and unstable bits based on the threshold $\tau =90\%$ (see Table 2, Step 3), where threshold $\tau$, if set too high, results in a very stable segment but requires a large amount of storage for the unstable bit set $S_{us}$, while setting the threshold too low exceeds the error correction performance of the LPDC codes. A segment containing 256 stable bits is extracted using a sliding window with a step size of 1 byte, and the window offset, the read length (approximately $32B\times (1+\alpha )\approx 38B$ under the current threshold), and the unstable position set $S_{us}$ (typically $256bits\times \alpha \tau \approx 46bits$ need to be recorded) are recorded. The above information is written into the microcontroller program, and after re-powering the device 100 times, it is observed that there is $n_{\epsilon }\in \{0,1,2\}$ bit flips with each power cycle. In short, in a 38-byte contiguous segment containing 256 bits of identity PUF, the remaining bits are recorded in the unstable set, and the bits of the identity PUF that are still subject to change are recorded in the predicted unstable set.

Furthermore, if the response that the identity PUF receives each time is powered up is denoted by $\widehat{ID}$, then the difference between $\widehat{ID}$ and the registered $ID$ can be denoted by $\epsilon =ID\oplus \widehat{ID}$, where $\epsilon$ is a 256-bit sequence containing $n_{\epsilon }$ “1”s. The extraction results in the context of this study are shown in

Table 4. Details of the stm32f4.

Parameters	Board 1	Board 2
Hamming weight of RAM	382	414
Hamming distance of RAM	358 bit/100 Byte = 44.75%
The offset of the window	4	24
The length of the window	39	40
The number of unstable bits	36	42
Still unstable ratio	9.375%	7.8%
Probability of occurrence of more than 2 bit flips	2%	3%
Register ID	ae0720286ff7ffdc4409 141a7f47f8d43400a336 d7e840a50c07c2ffea08 4000	e1eddf5fc71090c6f591 bee115201bfffde70046 ef67ffd7fd9000139337 f79d
Hamming weight of ID	115(45%)	145(56.6%)
Hamming distance of ID	154 b/256 bit = 60.16%

, indicating that both the Hamming weight and Hamming distance for the ID and RAM are close to the theoretical values in a statistical sense.

3.3. QC-LDPC Encoding

LDPC codes are a type of high-performance LBC. Their encoding method is similar to that of LBCs where in the codeword $w=m·G$ $m$ is the message vector and $G$ is a generating matrix. $G$ consists of an identity matrix $I$ and a parity-check matrix $P$. LDPC codes have rules such that each parity-check bit supervises $\rho$ message bits, and each message bit is supervised by $\gamma$ parity-check bits. Additionally, in relation to the size of the matrix, both $\rho$ and $\gamma$ are typically small [26]. The principles of error correction for LDPC codes can be detailed in the paper on its origins [26].

LDPC codes have many construction methods; the performance of LDPC matrices constructed randomly is generally better than algebraic construction, but the matrices constructed randomly pose a challenge to the storage of drones. QC-LDPC is an algebraic construction method, and the nearly cyclic property greatly reduces the storage requirements [27,28,29,30].

QC-LDPC is characterized by its parity-check matrix composed of zero and circulant permutation matrices. The check matrix can be expressed as follows:

$$P^T=\left[\begin{array}{cccc}{E}^{c_{00}}& E^{c_{01}}& \cdots & E^{c_{0,n-1}}\\ E^{c_{10}}& E^{c_{11}}& \cdots & E^{c_{1,n-1}}\\ ⋮& ⋮& \ddots & ⋮\\ E^{c_{m-1,0}}& E^{c_{m-1,1}}& \cdots & E^{c_{m-1,n-1}}\end{array}\right]$$

(3)

where $E^{c_{ij}}\left(0\le i\le m-1,0\le j\le n-1\right)$ represents a $b\times b$ circulant permutation matrix obtained by shifting the identity matrix to the right $c_{ij}\in \{0,1,\dots ,b-1,-1\}$ times. If $c_{ij}=-1$, it represents $E$ as a zero matrix. The calculation method of $c_{ij}$ is not unique, and this study adopts

$$c_{ij}=\left\{\begin{array}{ll}(i+1)k \mathrm{mod} b\hfill & ,a_{ij}=1,k\in \{0,1,\dots ,\rho -1\}\hfill \\ -1\hfill & ,a_{ij}=0\hfill \end{array}\right.$$

(4)

where $a_{ij}$ is an element of the base matrix. By replacing the element $E^{c_{ij}}$ with $c_{ij}$ in matrix $P^T$, the shift parameter matrix $C$ can be obtained:

$$C=\left[\begin{array}{cccc}{c}_{00}& c_{01}& \cdots & c_{0,n-1}\\ c_{10}& c_{11}& \cdots & c_{1,n-1}\\ ⋮& ⋮& \ddots & ⋮\\ c_{m-1,0}& c_{m-1,1}& \cdots & c_{m-1,n-1}\end{array}\right]$$

(5)

By replacing the element “−1” with “0” in matrix $C$ and replacing the other elements with “1”, the base matrix $A$ can be obtained, where $a_{ij}\in \{0,1\}$.

$$A=\left[\begin{array}{cccc}{a}_{00}& a_{01}& \cdots & a_{0,n-1}\\ a_{10}& a_{11}& \cdots & a_{1,n-1}\\ ⋮& ⋮& \ddots & ⋮\\ a_{m-1,0}& a_{m-1,1}& \cdots & a_{m-1,n-1}\end{array}\right]$$

(6)

It can be seen that for the codeword $w=m\cdot G=\left[\begin{array}{cc}m& m·P\end{array}\right]$, the key is to multiply with the message part $m$. If represented by row vectors $p_i$, $P^T={\left[\begin{array}{c}{p}_0,p_1,\dots ,p_{n-k-1}\end{array}\right]}^T$, it is $w_i=m\cdot p_i=m_0{p}_{i0}+m_1{p}_{i1}+\dots +m_k{p}_{ik}={\oplus }_{p_{ik}=1}{m}_k,p_{ik}\in \{0,1\}$. Therefore, during encoding, it is only necessary to record the positions of “1” in each column of the matrix $P^T$, $p_i=\{p_i^{1st},p_i^{2\mathrm{nd}},\dots ,p_i^{\rho \mathrm{th}}\},0\le i\le n-k-1$ to obtain a new matrix $P_L^T$ of size $(n-k)\times \rho$ composed of indices

$$P_L^T=\left[\begin{array}{c}{p}_0\\ p_1\\ ⋮\\ p_{n-k-1}\end{array}\right]=\left[\begin{array}{cccc}{p}_0^{1st}& p_0^{2nd}& \cdots & p_0^{\rho th}\\ p_1^{1st}& p_1^{2nd}& \cdots & p_1^{\rho th}\\ ⋮& ⋮& \ddots & ⋮\\ p_{n-k-1}^{1st}& p_{n-k-1}^{2nd}& \cdots & p_{n-k-1}^{\rho th}\end{array}\right]$$

(7)

During program execution, it is only necessary to calculate the symbol bits supervised by a certain parity bit and to perform the XOR operation, $w_i={\oplus }_{n\in \{1,2,\dots ,\rho \}}{m}_{l_i^n}$.

If the base matrix $A$ also has the characteristics of cyclic shifts, then all the matrix information can be embedded in the program. For encoding, each time a parity bit is computed, a computation is required. Considering that the program running memory space on embedded chips is generally more limited than program storage space, this method of trading computation time for RAM space is acceptable. The basis matrix $A$, for example,

$$A=\left[\begin{array}{cccccccc}1& 0& 1& 0& 0& 0& 0& 1\\ 1& 1& 0& 1& 0& 0& 0& 0\\ 0& 1& 1& 0& 1& 0& 0& 0\\ 0& 0& 1& 1& 0& 1& 0& 0\\ 0& 0& 0& 1& 1& 0& 1& 0\\ 0& 0& 0& 0& 1& 1& 0& 1\\ 1& 0& 0& 0& 0& 1& 1& 0\\ 0& 1& 0& 0& 0& 0& 1& 1\end{array}\right]$$

(8)

has a grith of six. The cyclic parameter matrix is

$$C=\left[\begin{array}{cccccccc}0& \infty & 1& \infty & \infty & \infty & \infty & 2\\ 0& 2& \infty & 4& \infty & \infty & \infty & \infty \\ \infty & 0& 3& \infty & 6& \infty & \infty & \infty \\ \infty & \infty & 0& 4& \infty & 8& \infty & \infty \\ \infty & \infty & \infty & 0& 5& \infty & 10& \infty \\ \infty & \infty & \infty & \infty & 0& 6& \infty & 12\\ 0& \infty & \infty & \infty & \infty & 7& 14& \infty \\ \infty & 0& \infty & \infty & \infty & \infty & 8& 16\end{array}\right].$$

(9)

Utilizing submatrices $E_{32}$ for expansion, a matrix of size 8 × 8, with a girth of eight and a size of 256, is obtained.

The shape of matrix $P^T$ used in this study can be seen in Figure 2, and the Generation of LDPC parity matrix $P_L^T$ is shown in

Table 5. Generation of LDPC parity matrix.

Generation of LDPC Parity Matrix
Firstly, take the modulus of the target row number $r_P$ to calculate its position $r_I$ in the sub-matrix. Take the integer dividing to calculate the position $r_A$ of the base matrix, where $r_P=r_A\times b+r_I$, and $b$ is the size of the cyclic matrix.
Secondly, calculate the base offset of the base matrix $O_{r_A}=(p_1+r_A)\mathrm{mod}a$, where $p_1$ is the first line of the index of the base matrix and $a$ is the number of columns of the base matrix; Calculate the initial offset of the final matrix $O_{r_I}=O_{r_A}\times b$.
Finally, the current basis matrix cycle offset $c_{r_A}$ can be found according to Formula (9). The final column index is $p_{r_P}=(c_{r_A}+r_I)\mathrm{mod}b+O_{r_I}$.

. The row index is calculated in a similar way to the column index formula.

3.4. Error Correction Schemes

Firstly, concerning the parity matrix $H={\left[\begin{array}{c}{h}_{i,j}\end{array}\right]}_{k\times n}$, define the symbol set $N_i=\{j,1\le j\le n,h_{i,j}=1\}$ for the i-th parity equation. It is worth pointing out that in Table 5, the column index result $p_{r_A}\in N_i$ represents the set of symbols for the j-th symbol (including information bits and parity bits) involved in the set of parity equations $K_j=\{i,1\le i\le k,h_{i,j}=1\}$, i.e., the row index.

3.4.1. Cyclic Matrix Selection

The response generated by identity PUF can be represented as $\widehat{ID}=ID\oplus \epsilon$ (see Section 3.2), while the registered ID after scrambling by the GS can be represented as $I{D}_{\delta }=ID\oplus \delta$. Therefore, the response can be represented as $\widehat{ID}=I{D}_{\delta }\oplus \delta \oplus \epsilon$. When the GS uses $I{D}_{\delta }$ to derive random noises $n$ and $m$, the disturbance is passed on to the parity information of $I{D}_{\delta }$, causing the parity information obtained by the microcontroller to actually be ${\widehat{C}}_{\delta }=C_{\delta }\oplus \delta \oplus \epsilon$. Therefore, for the microcontroller, the error positions in $I{D}_{\delta }$ are symmetric with the error positions in $C_{\delta }$.

Therefore, the coding matrix used in this authentication scheme requires as few symbol bits on the main diagonal as possible. The reason for this is as follows: by examining Figure 2, it can be seen that the matrix is diagonal-like, as shown in Figure 3. If we represent the base matrix $A$ as $I_{32}$ and divide the parity bits and correction subunits into eight similar parts, when an error occurs in $M_j$, errors will occur symmetrically in $C_j$ as well. According to decoding theory, if errors occur in $M_j$, the related syndrome $S_{K_j}$ will also change. In the current matrix, where $j\in K_j$, this means that if an error occurs in $M_j$, both the coding error and the symmetric error will affect the same $S_{K_j}$ This undoubtedly greatly increases the decoding difficulty. The encoding matrix used in this study is the unit of circular right Shift 2 in Figure 2, and the column index algorithm in Table 5 needs to shift the corresponding loop right by 64 bits.

3.4.2. GS Perturbation Selection

In the proposed scheme of this paper, the response of the identity PUF of the drone changes by several bits, and the GS adds perturbations on top of it. This is performed to maximize the number of error-correcting bits in the ECC, which not only allows each response of the identity PUF to be controlled by the GS but also greatly increases the difficulty of an intrusive attack (described in detail in Section 4.3). As can be seen in the previous section, the power-up perturbation $\epsilon$ and the GS perturbation $\delta$ are symmetric in the information part and the parity-check part, so the location of the GS to add the perturbation needs to be constrained by the following. The symbol bit position of $\delta$ is as different as possible from the symbol bits supervised by the syndromes affected by the unstable bits. That is the symbol bit of $\delta$, ${\delta }_{j^{\prime }}\notin \{N_i,s_i\in K_j,m_j\in S_{pus}\}$. We take the base matrix $A$ as an example; as shown in Figure 4, if $S_{pus}=\left\{m_5\right\}$, then ${\delta }_{j^{\prime }}\in \left\{m_1\right\}$. Based on the above, if the parity matrix $P^T$ is considered as the adjacency matrix of the check bits and information bits, the disturbance ${\delta }_{j^{\prime }}$ needs to be outside the two-hop range of all the unstable bits in $S_{pus}$. Depending on the matrix performance and the length of the codeword, this study selects $n_{\delta }=2$ according to $P_{\epsilon }$, where $n_{\delta }$ is the number of symbol bits in sequence $\delta$.

3.4.3. Decoding Algorithm Selection

The decoding algorithm of LDPC codes is divided into the bit-flipping (BF) algorithm and the belief propagation (BP) algorithm [31,32,33]. BP decoding algorithms require channel information; for example, in an AWGN channel, one can calculate the probability of each bit being in error using the statistical information of the noise and performance decoding using maximum likelihood (ML) probability. However, in a BSC channel, knowledge of the statistical transition probabilities of each bit is required, but as the ML information is binary, there is less useful information available for BP. Even though the flipping probabilities of unstable bits can be measured in the previous section, and considering the need to store additional information in the drone, which is not conducive to PUF security (as it implicitly reveals potential error-prone locations), this study adopts the BF algorithm [34], as shown in Algorithm 1. Although its performance is not as good as the BP algorithm, its simplicity and lack of floating-point operations make it very suitable for resource-limited drone devices. However, the BF algorithm always flips the information bits by the parity bit first, until the flip functions are all equal; subsequently, it corrects the parity bit and then re-corrects the information bits. When the flip functions converge to unity, they likely enter a dead loop or indeed solve a legal codeword, but not the target codeword.

Algorithm 1. BF decoding.
1:	Initialize with the maximum number of iterations Imax.
2:	Initialize the hard judgment sequence $z^{(1)}=\{z_1^{(1)},z_2^{(1)},\dots ,z_n^{(1)}\}$.
3:	For $k=0; k<I_{\max }; k++$ do
4:	Initialize with the all-zero flag $flag=1$
5:	For $i=0; i<256; i++$ do
6:	Calculate the symbol position of row $i$ of the matrix $H$
7:	$\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\mathrm{Calculate} \mathrm{the} \mathrm{syndromes} s_i^{(k)}=z^{(k)}\cdot H^T(:,i)$
8:	If $s_i^{(k)}=1$ then $flag=0$ end
9:	End for
10:	If $flag=1$ then break end
11:	Initialize with the maximum value $E_{\max }=0;$
12:	For $j=0; j<256; j++$ do
13:	Calculate the flip function $E_j^{(k)}={\displaystyle \sum _{j\in M_j}(2s_i^{(k)}-1)}$
14:	If $E_j^{(k)}>E_{\max }$ then $E_{\max }=E_j^{(k)}$ end
15:	End for
16:	For each $E_j\in E^{(k)}$ do
17:	If $E_j=E_{\max }$ then $z_j^{(k+1)}!=z_j^{(k)}$
18:	Else $z_j^{(k+1)}=z_j^{(k)}$ End
19:	End for
20:	End for
21:	Output $z^{(k)}$

3.4.4. BF Algorithm Optimization

For the above situation, directional improvement is achieved by combining the characteristics of the protocol in this study: symmetrical error position of the information bit and the parity bit, but asymmetrical position of the information bit and its parity bit. Improvement is quite simple, according to the characteristics of the BF algorithm; the information bit and the parity bit in a symmetric position are flipped at the same time. Using the Monte Carlo method to simulate the above process, the main flow is shown in Figure 5 (the decoding process is not affected by where the perturbation comes from); the number of bits for each perturbation is simulated for 50,000 frames, and the decoding results are shown in Figure 6. In the context of this study, the power-up perturbation and GS perturbation are generally 3~4 bits, and its bit error rate (BER) is $6.87<{10}^{-5}$; the average number of iterations is 2.5.

Note that symmetric BF (SYM−BF) is robust to symmetric errors, but if an asymmetric error occurs, there is a high probability that the maximum number of iterations is exceeded and the decoding fails. This feature can invalidate some attack methods that do not follow the protocol. For example, using the last stolen check information to decode the next power-up ID will decode the $I{D}_{\delta }$ if and only if the two perturbations are identical. For intrusive attacks on replicated RAM, it is required that the replication error be no more than a few bits.

4. Security Analysis

4.1. Informal Security Analysis

In our model, considering the limited resources of drones, the drones are considered vulnerable to attacks, while the ground stations and databases are marked as difficult-to-attack objects (using widely recognized high-security-level authentication and encryption systems). Therefore, we only need to consider the security between the ground stations and drones, as well as that among the drones. According to the communication scheme of this study, the dynamic key between drones is distributed by the GS after authorization and the dynamic secret key is iterated by calculating the hash value, and only needs to synchronize the link state (packet loss rate) with each other during the negotiation process and are fully encrypted throughout. Therefore, the security of drone communication is determined based on the security at the time of takeoff authorization. The information that can be known in an open channel is shown in Table 3. A comparison of security with other protocols is shown in

Table 6. Comparison of the security features.

Features	[22]	[23]	[24]	[25]	[35]	Ours
Resistance of impersonation attack	Yes	Yes	Yes	Yes	Yes	Yes
Resistance of replay attack	No	No	No	No	No	Yes
Resistance of DoS attack	No	No	Yes	No	Yes	Yes
Resistance of MitM attack	Yes	Yes	Yes	Yes	Yes	Yes
Resistance of drone physical capture attack	Yes	Yes	Yes	Yes	No	Yes
Resistance of desynchronization attack	No	No	No	Yes	No	Yes
Resistance of session key disclosure attack	Yes	Yes	Yes	Yes	Yes	Yes
Provision of mutual authentication	Yes	Yes	Yes	Yes	Yes	Yes
Provision of forward and backward secrecy	Yes	Yes	Yes	Yes	Yes	Yes
Provision of PUF challenge–response pair protection	No	No	No	No	No	Yes

.

(1)

Resistance of replay attack: All messages transmitted in the channel have timestamps added that cannot be tampered with.

(2)

Resistance of man-in-the-middle (MITM) attack: All the information of the whole group network is encrypted. Except for the group network information, which is broadcasted, all the information is encrypted using the P2P secret key assigned by the GS, and the keys are dynamic and do not need to be negotiated in the channel so that no third party can eavesdrop. Thus, an intermediary is not be able to interfere with the authentication process.

(3)

Mutual authentication: The GS judges the legality of the drone based on whether or not the drone correctly decodes the $I{D}_{\delta }$. The drone judges the legality of the GS based on comparing the $I{D}_{\delta }$ with the power-up response $\widehat{ID}$, and since the number of erroneous bits added by the GS is not large, the $\widehat{ID}$ should have a similarity to the $I{D}_{\delta }$ higher than 98.8% (see Figure 6 for the ECC performance of this paper).

(4)

Resistance of impersonation attack: The protocol in this paper is based on PUFs and requires the GS to bootstrap the extraction of PUFs. Therefore, an attacker cannot obtain PUF information and cannot impersonate a drone. In addition, this paper assumes that the security of the GS is authenticated by the database and supervised by the administrator, so the GS cannot be spoofed by default.

(5)

Resistance of DoS attack: An attacker who wants to block the authentication process needs to obtain the static key of the drone (obtaining the key requires capturing the drone). However, the static secret key is unique for each drone, so it is not reasonable to use the static secret key to attack the drone. The protocol in this paper is semi-automated and requires an administrator to assign drones. The GS does not initiate authentication on a missing drone; then, the static key obtained by the attacker is invalid.

(6)

Resistance of physical capture attack: Because all encryption information at the drone end is provided by the ground station during authorization and the ROM only stores the static key, if the static key is obtained by reverse engineering the assembly instructions stored in the program memory, using this key in a conventional attack can only obtain half of the challenge from the ground station and the drone’s response. Since the fingerprint PUF is not available, the challenge given by the drone is not available, nor is the information about the identity PUF. In addition, once the captured drone loses power, all authentication information is lost.

(7)

Provision of forward and backward secrecy: The proposed protocol authentication process includes a challenge of fingerprint PUF, fingerprint, extracted information of identity PUF, ID with noise, and parity with noise. For an attacker who does not have access to PUF information, all these information bits are independent of each other and it is not possible to compute the forward or backward information based on any one of them.

4.2. Formal Security Analysis

To prove the security of this paper, the formal analysis uses the stochastic prediction model which classifies the attacker’s attacks into seven types. The proof is as follows. The symbol ${\displaystyle {\prod }_P^i}$ in this model represents the No.i session of participant $P$, where $P$ includes drones and GS.

Definition 1.

Suppose here exists an attacker A who has access to all messages and public parameters in the channel. The attacker can attempt the following to compromise protocol security:

(1)

$Send({\displaystyle {\prod }_P^i,}{p}_1,m_1)$. This operation represents attacker $A$ posing as legitimate device $P$, sending message $p_1$ to another device and receiving message $m_1$.

(2)

$Execute({\displaystyle {\prod }_D^i,}{\displaystyle {\prod }_G^i,}m)$. This operation represents attacker $A$ intercepting message $m$ between the drone and the GS.

(3)

$Reveal(A)$. This operation initiates a DoS attack on behalf of attacker $A$, blocking the communication between the drone and the GS.

(4)

$Corrupt({\displaystyle {\prod }_D^i,}K)$. This operation represents attacker $A$ destroying the drone and accessing confidential information in memory.

(5)

$Hash(M)$. This operation represents a hash query on message $M$ by attacker $A$. The hash list $L_h$ in ${\displaystyle {\prod }_P^i}$ is queried to see if message $M$ is contained.

(6)

$Query(CRP)$. This operation represents querying the CRP generated by the PUF during the authentication process, and if the query is successful, the $(C_i,R_i)$ is stored into the list $L_C$.

(7)

$Test({\displaystyle {\prod }_P^i})$. This operation represents that attacker $A$ sends a test query to device $P$ to measure the semantic security of the session key.

Theorem 1.

In the protocol proposed in this paper, an attacker cannot utilize multiple operations to pass the authentication (drone impersonation attack).

Proof of Theorem 1.

The first stage in Table 3 protects the CRP through a static secret key $ke{y}_i$. The second stage employs the secret key $h(b)$ established in the first stage, and the information about the ECC is encrypted with random noise $n,m,k$. Therefore, a simple eavesdropping channel cannot obtain any confidential information. Therefore, no confidential information can be obtained by using only $Send()$ and $Execute()$ operations. If the attacker obtains a static secret key $ke{y}_i$ by using operation $Corrupt()$, the attacker can obtain the challenge $a$ given by the GS and the response $\widehat{fp}$ of the drone. Since the attacker does not have access to the fingerprint PUF, the attacker cannot compute the challenge $b$ given by the drone. If the attacker uses the $Corrupt()$ operation after obtaining the secret key and models the fingerprint PUF to obtain the second stage secret key $h(b)$ the attacker can obtain the extracted information of the identity PUF, but still cannot decrypt $\widehat{ID}\oplus n$ and $n\oplus m$. Since the protocol in this paper is based on unstable PUFs and the challenge of identity PUFs comes from the power supply, the $Corrupt()$ operation or power down changes the current response ${\widehat{ID}}_i$ and $m$ is difficult to compute. In summary, since the attacker cannot know either the power-up response $\widehat{ID}$ of the identity PUF or the parity information $C_{\delta }$ given by the GS, a fake drone is not possible.

In conclusion, it is not possible to fake the drone since the attacker cannot know the power-on response of the identity PUF or the parity information provided by the base station. Without passing the authentication, it is not possible to obtain the GS’s broadcast secret key and the P2P secret key set. Therefore, the main research focus of this paper is proven to be finished. □

Theorem 2.

The proposed protocol is resistant to attacks that prevent authentication.

Proof of Theorem 2.

According to Theorem 1, it is known that an attacker can obtain key $ke{y}_i$ and key $h(b)$ by operation $Corrupt()$. These keys are only valid for a compromised drone, but the administrator will not assign a corrupted drone to a mission. It is contradictory for an attacker to disassemble a drone to perform a tamper attack and replay the attack on it. It is also impossible for an attack on the GS, as it is proposed in Section 3.1.1 that the GS authenticates based on the drone specified by the administrator. In short, it is meaningless for an attacker to attempt to attack the authentication process, e.g., replay attacks, tampering attacks, DoS attacks, and so on. □

Theorem 3.

An attacker cannot break the protocol of this paper even if they invoke operations $Reveal()$, $Hash()$, and $Test()$.

Proof of Theorem 3.

Operation $Reveal()$ is analyzed in Theorem 2. A total of five hash operations are used in this paper: $h(b)$, $h(T_4,b)$, $h(T_5,b)$, $h(C_{\delta })$, and $h(k)$. The case where parameter $b$ is cracked is analyzed in Theorems 1 and 2; operation $Hash()$ does not work for the protocol of this paper as the sequences $C_{\delta }$, $k$ are not available. In addition, the secret keys used in this paper are all 32 bytes, so the probability of success of operation $Test()$ is extremely small. □

4.3. Intrusive Attack

As can be seen from the introductory section, attacks on RAM-based PUFs mainly rely on intrusive or semi-intrusive techniques. Intrusive attacks are mainly used to break crypto-chips through physical disassembly (e.g., lasers, microscopy, etching, etc.), while RAM-based PUFs can also be viewed as a type of crypto-chip. Since this paper’s protocol requires an administrator to assign a drone, these attacks that are destructive to the chip are not effective for this paper’s protocol.

However, side-channel analysis is an efficient semi-intrusive attack that does not require destroying the chip to obtain the leaked secret key information, such as through power consumption or electromagnetic radiation analysis. Therefore, the purpose of this study is to increase the cost of intrusive attacks as much as possible. Since the fingerprint PUF information needs to be obtained before it is possible to obtain the location of the identity PUF, the attacker needs to read the whole read chip RAM. In this study, the GS introduces additional noise to the response of the identity PUF to make the ECC error correction performance reach a critical value. The addition of noise is based on the predicted unstable set, which is essentially the response characteristics of the PUF so that each accidental bit-flip when copying the entire RAM exponentially increases the probability of ECC decoding failure, which leads to authentication failure.

5. Cost Analysis

5.1. Computation Overhead

In this paper’s protocol, the computational overheads involved in the drone include five 256-bit hash computations $T_H$, two 256-bit random noise generations $T_R$, six 256-bit “XOR” operations $T_{SK}$, one 256-bit decoding $T_{ECC}$, and two 256-bit PUF responses $T_P$. The purpose of this study is to ensure security while minimizing the cost of drones. According to the microcontroller with a main frequency of 168 MHz, as used in this study, by placing breakpoints around the called functions using online simulation tools, the average time difference is calculated. Based on the ECC time consumption for different numbers of iterations, a single iteration takes 30 msec. Considering the maximum possible number of errors, as shown in Figure 6, the average iteration is 2.25 times, which amounts to 65 msec. As calculating each parity bit requires indexing the symbol bit each time, the decoding time cost is relatively high. However, this saves RAM space of $256\times 32$ bytes, which is acceptable. The other operation time overheads are shown in

Table 7. Running time of related operations.

Operation	${\mathit{T}}_{\mathit{H}}$	${\mathit{T}}_{\mathit{R}}$	${\mathit{T}}_{\mathit{S}\mathit{K}}$	${\mathit{T}}_{\mathit{P}}$	${\mathit{T}}_{\mathit{E}\mathit{C}\mathit{C}}$	Total
Time (msec)	0.51	0.27	0.32	0.37	65	70.75

. In this paper, it is assumed that the GS resources are not constrained; therefore, only the drone overheads are given. Since matrix storage consumes a lot of resources and authentication is performed only when the drone takes off, this paper adopts a time-for-space scheme. In addition, the decoding is implemented in this paper in a way that follows the theoretical steps, but if a parallelized decoding scheme is used on a high-performance platform, the time overhead significantly reduces.

5.2. Storage Overhead

The static storage overhead on the drone side consists mainly of a 32-byte static secret key, and the dynamic storage consists mainly of the secret key of the n-1 drones and GS, as well as the broadcast secret key; the registration information in the database is related to the extraction threshold, which is required to be approximately in the range of {4 + 32 + 64 + 4 + 1 + 39 + 32 + 22} = 198 bytes (according to the registration information $\{IP,ke{y}_i,P_{fp},start,len,S_{us},ID,S_{pus}\}$) for each drone according to the threshold in this study.

5.3. Communication Overhead

The communication overhead mainly occurs in the GS authentication phase. According to the communication steps in Table 3 the authentication overhead can be calculated as

{4 + 4} + {32 + 4} + {4 + 1 + 39 + 4} + {32 + 32 + 4 + 32} + {32 + 32 + 4 + 32} + {32 + 4} = 328 bytes.

The keys in the communication phase are distributed by the GS and do not need to be negotiated. The secret key set for broadcasting new authentication is related to the number of drones, and in 0 only the GS-drone authentication overhead is compared.

Zero shows the comparison of drone overheads, taking into account the different simulation platforms. The time overhead is used instead of the formula, where $T_{MAP}$ is the time to compute the authentication code. The storage overhead is only analyzed for the drone. For the communication overhead, it should be noted that protocols [22,23] use 32-bit sequences and protocols [24,35] only count the overhead of drone–GS authentication, while they still need about 4000 bits of communication overhead.

The overhead comparison of this paper’s protocol with other protocols is summarized in

Table 8. Authentication overhead.

Paper	Computation Cost	Storage Cost in Bits	Communication Costs in Bit
[22]	$T_R+2T_P+7T_{XOR}+T_{MAP}$	320	1600
[23]	$T_R+2T_P+(8+2(m-1)T_{XOR})+T_{MAP}$	320	1600
[24]	$3T_H+2T_R+8T_{XOR}+2T_P$	352	1600
[25]	$3T_R+2T_P+2T_{XOR}+T_{MAP}$	160	1152
[35]	$2T_H+5T_R+T_P+4T_{XOR}+3T_{MAP}$	672	1506
Ours	$5T_H+2T_R+2T_P+6T_{XOR}+T_{ECC}$	256	2624

.

6. Conclusions

In this paper, the protocol is proposed for the PUF extraction scheme, the ECC-based authentication scheme, and the drone communication scheme, respectively. In addition, this paper provides a detailed analysis of the coding matrix of the ECC module based on the protocol characteristics and offers the requirements of the matrix structure. Also, the decoding scheme is improved according to the matrix structure, which makes the probability of legal drone authentication failure of this paper’s protocol lower than $6.87\times {10}^{-5}$ and the probability of illegal drone authentication success lower than $3.62\times {10}^{-7}$.

The proposed protocol is then analyzed both non-formally and formally using random predicates, proving that the protocol of this paper can withstand various attacks. Comparative analysis with other protocols shows that the protocol of this paper is equally as secure as other protocols. Finally, the overhead of this paper protocol is calculated and compared with other protocols, and it is found that this paper protocol is higher in time overhead as matrix operations are computationally intensive operations; storage overhead is only 32 bytes; communication overhead is higher in drone–GS authentication as it needs to send the extracted information of the PUF but the protocol of this paper does not require a drone–drone authentication; overhead is zero.

In conclusion, the protocol in this paper meets the expectation of ensuring security while minimizing the information required to be stored by the drone.

7. Discussion

The present protocol still has some flaws. The protocols in this paper need to be monitored by administrators, and drones are not completely free to join or leave the network. In addition, the protocol in this paper assumes that GS and database resources are unrestricted and can withstand various attacks by default, so the drone information is all stored in the database. The limitations of the above conditions may impose some restrictions on the application of the protocol in this paper. In addition, the performance of the coding matrix used in this paper is poor and the probability of legitimate drone authentication failure is relatively high.