Lightweight Secure Communication Supporting Batch Authentication for UAV Swarm

Abstract

In recent years, with the widespread application of UAV swarm, the security problems faced have been gradually discovered, such as the lack of reliable identity authentication, which makes UAVs vulnerable to invasion. To solve these security problems, a lightweight secure communication scheme supporting batch authentication for UAV swarm is proposed. Firstly, a layered secure communication model for UAV swarm is designed. Then, a secure transmission protocol is implemented by using elliptic curves under this model, which not only reduces the number of encryptions but also ensures the randomness and one-time use of the session key. Moreover, a UAV identity authentication scheme supporting batch signature verification is proposed, which improves the efficiency of identity authentication. The experiments show that, when the number of UAVs is 60, the computation cost of the proposed scheme is 0.071 s, and the communication cost is 0.203 s, fully demonstrating the efficiency and practicability of the scheme. Through comprehensive security analysis, the capability of the proposed scheme to resist various attacks is demonstrated.

1. Introduction

With the continuous development of unmanned aerial vehicle (UAV) technology, UAVs have been widely employed in many fields because of their flexible characteristics. However, a single drone has obvious limitations in actual mission execution, such as insufficient payload capacity, which may affect its efficiency when facing large-scale or complex missions. To solve these problems, UAV swarm has become an important development direction. UAV swarm refers to a collection of multiple UAVs under unified command, which jointly perform a certain mission and realize resource sharing through mutual information communication. Compared with a single UAV, the swarm mode significantly improves mission efficiency and execution capability, so it is gradually becoming widely employed in many fields, such as forest fire monitoring, civil and military applications, search and rescue, logistics, industry, and agricultural surveillance [1,2,3,4,5,6]. However, with the widespread application of UAV swarm, its potential security risks are gradually emerging. At present, in many drone systems, the unified command and task scheduling of drone swarm are performed through centralized management. Once the management node is maliciously destroyed, the entire drone network will not work, which will affect the mission execution of drones [7,8,9]. Moreover, drones are deployed in open environments, which makes communications between drones vulnerable to multiple security threats, such as man-in-the-middle attacks and malicious data tampering [10,11]. More importantly, reliable certification mechanisms are lacking in existing unmanned aerial systems, making achieving identity authentication between UAVs challenging [12,13,14,15].

1.1. Related Work

In recent years, pertaining to the security problems faced by UAV swarm, a great deal of research has been conducted. In 2018, to solve the security and privacy problems of the Internet of Drones (IoD), Wazid et al. proposed an identity authentication scheme based on key negotiation in which authorized users can access data directly from drones [16], but the instability of the wireless channel will affect the efficiency of key negotiation. In addition, the key negotiation will exchange information frequently, which will increase the delay in data transmission. In 2019, a secure transmission scheme supporting the cooperation of multiple unmanned aerial vehicles was proposed by Hua et al. Specifically, when multiple source UAVs send confidential information to multiple legitimate ground users, multiple jammer UAVs cooperate to send interference signals to multiple eavesdroppers [17]. Although this scheme can achieve secure data transmission in the presence of multiple potential eavesdroppers, it ignores the identity authentication between UAVs. In 2020, a lightweight authentication scheme based on Physical Unclonable Functions (PUFs) was presented by Alladi et al., which can establish a secure session between the UAV and the ground station without storing any secret information on the UAV [18]. Although this solution can complete lightweight certification among drones, it is still limited to centralized management. To protect secure communication between drones, in 2020, Fotohi et al. proposed an agent-based drone protection scheme, which aims to select a secure route from the data sending drone to the data receiving drone. In this scheme, the secure route is selected by a multi-agent system using an Artificial Immune System (AIS) [19]. However, this scheme ignores the security of data transmission. In 2021, to protect communications between drones and between drones and ground control stations, a secure communication protocol consisting of two sub-protocols (including Drone-to-Ground Control Station and Drone-to-Monitoring Drone) was proposed by Ko et al. [20]. In 2022, Tan et al. designed a blockchain-assisted distributed and lightweight authentication service for industrial UAVs, which realized the distributed and tamper-proof storage of authentication information. In this scheme, drones can easily obtain or update the corresponding information through smart contracts [21]. In 2023, to ensure that the communication between drones is protected from potential intruders, Wani et al. proposed an identity-based authentication scheme. It is implemented in two phases; the first phase is between the user and the base station, and the second phase is between the user and the drone in the presence of the base station [22]. Although it can complete mutual authentication between drones, it does not support the batch authentication of drones. A blockchain-aided distributed secure access control scheme specifically tailored for UAV computing networks was proposed by Wang et al. in 2023, which enabled UAVs to autonomously manage and determine identity by designing access control schemes [23]. In 2024, to achieve secure and reliable UAV authentication, an authentication method that leverages Shamir’s secret sharing was proposed by Bansal et al., which requires each drone to generate a minimum number of accurate responses [24]. However, secret sharing will greatly increase the number of network communications, which is not applicable for UAV swarm with limited network bandwidth.

Moreover, some identity authentication schemes suitable for the Internet of Things (IoT) also were proposed. In 2021, Rehman et al. designed a hybrid AES-ECC Model for the Security of Data over Cloud Storage [25]. In 2022, Maria et al. designed an IoT identity authentication scheme based on blockchain, which can verify the identity of vehicle users without the participation of a trusted authority [26]. In 2023, an anonymous batch authentication scheme using bilinear pairings was proposed by Maurya et al. [27]. However, the computation cost of a bilinear pairing is high, which limits the scalability of the scheme. In 2023, a lightweight authenticated key agreement scheme based on elliptic curve cryptography (ECC) was proposed by Wang et al. [28]. To promote secure data transmission in the Internet of Vehicles without infrastructure, in 2023, an efficient UAV certificateless group authentication mechanism was developed, which can batch authenticate a large number of requesting drones at once [29].

1.2. Contribution

Although the above studies proposed some effective solutions to the security problems faced by UAV swarm, some problems remain unresolved. Most of the existing secure communication schemes rely on the Public Key Infrastructure (PKI) system, where a centralized trusted third party may become a performance bottleneck, lacking an efficient mechanism to ensure the safe transmission of data. Further, batch authentication of UAV identity is necessary in some scenarios. However, most of the existing batch authentication schemes are based on the Internet of Vehicles, which have high computation costs and are not suitable for UAV swarm with limited computing power [30,31,32,33]. Therefore, it is of great significance to design an efficient identity authentication scheme that supports batch authentication while realizing the secure communication of UAV swarm. The contributions of this paper are as follows:

• A layered secure communication model for UAV swarm is designed, which not only ensures real-time identity authentication but also prevents the invasion of malicious drones;
• To ensure the secure transmission of communication data, a secure transmission protocol is implemented by using elliptic curves, which not only reduces the number of encryptions but also ensures the randomness and one-time use of the session key;
• An identity authentication scheme supporting batch signature verification is proposed. The receiver can independently choose single signature verification or batch signature verification according to different scenarios, which improves the efficiency of identity authentication;
• The effectiveness and feasibility of this scheme are demonstrated via experiments. Under the same conditions, the proposed scheme has lower communication and computation costs, which is more suitable for UAV swarm with limited computing power.

The rest of the paper is organized as follows. Section 2 introduces some preliminaries employed in our proposed scheme, the designed system model is introduced in detail in Section 3, the secure communication protocol and identity authentication scheme are comprehensively described in Section 4, Section 5 evaluates the performance of the proposed scheme, the correctness and security of the proposed scheme are analyzed in Section 6, and Section 7 concludes the paper.

2. Preliminaries

2.1. Elliptic Curve Cryptography

The core idea of elliptic curve cryptography is that the elliptic curve is defined on a finite field, and the functions of encryption, decryption, and key exchange are realized by the addition of points on the elliptic curve. Assuming that ${\mathbb{F}}_q$ is a prime finite field of integers modulo q, the standard form of the elliptic curve defined on ${\mathbb{F}}_q$ is $y^2=x^3+ax+b (\mathrm{mod} q)$, where $4a^3+27b^2\ne 0$ [34,35].

Given a point $P=(x_1,y_1)$ and a point $Q=(x_2,y_2)$ on the elliptic curve, $R=P+Q=(x_3,y_3)$ can be calculated in the following way:

$$\begin{array}{cc}\hfill x_3& ={\lambda }_2-x_1-x_2\hspace{1em}(\mathrm{mod} q),\hfill \\ \hfill y_3& =\lambda (x_1-x_3)-y_1\hspace{1em}(\mathrm{mod} q),\hfill \end{array}$$

(1)

where

$$\lambda =\left\{\begin{array}{cc}{\displaystyle \frac{y_2-y_1}{x_2-x_1}},\hfill & P\ne Q\hfill \\ {\displaystyle \frac{3x_1^2+a}{2y_1}},\hfill & P=Q.\hfill \end{array}\right.$$

(2)

On the elliptic curve, point multiplication is calculated by repeated addition, and then $k·P=P+P+\cdots +P$ (addition k times). The security of ECC is based on the elliptic curve discrete logarithm problem (ECDLP); that is, it is difficult to calculate the integer k when the points P and $Q=k·P$ on the elliptic curve are known.

Compared with traditional public key cryptography algorithms such as RSA, ECC requires a shorter key length while providing the same security level, so it has higher computing efficiency and lower resource consumption, making ECC particularly suitable for scenarios with limited computing resources and communication bandwidth.

2.2. Chosen Plaintext Attack Security Model

Chosen plaintext attack (CPA) describes a general attack model in which the attacker can freely choose any plaintext and obtain its corresponding encrypted ciphertext. To more specifically measure the security of an encryption scheme under CPA, indistinguishability under chosen plaintext attack (IND-CPA) is usually used as a security standard. In the security standard, participants include an attacker and a challenger, and their interaction process is as follows.

Phase 1: The attacker can select any number of plaintexts and call the system encryption function to obtain the ciphertext.

Challenge: The attacker provides two plaintexts $m_0$ and $m_1$ of equal length to the challenger. The challenger randomly selects a bit $\beta \in \left\{0,1\right\}$, encrypts $m_{\beta }$, and sends it to the attacker.

Phase 2: The attacker can continue to access the system encryption functions.

Guess: The attacker tries to guess the value of $\beta$ and outputs the guessed value ${\beta }_1$. If $\beta ={\beta }_1$, the attacker succeeds; otherwise, the attacker fails. The attacker’s advantage can be defined as $\epsilon =|Pr({\beta }_1=\beta )-{\displaystyle \frac{1}{2}}|$; if $\epsilon$ is negligible in polynomial time, then the scheme is CPA secure.

3. System Model

3.1. Model Design

In UAV swarm application, the communication between the drone and the ground control center may be affected by the mission environment, which makes it difficult to complete the drone’s identity authentication request in time, and, in serious cases, it may cause the invasion of malicious drones. Therefore, a layered secure communication model for UAV swarm is designed, which not only ensures real-time identity authentication but also prevents the invasion of enemy drones. The model is mainly composed of 5 entities, including UAV swarm, mission control cloud, ground control center, ground information management infrastructure (GIMI), and air swarm identity management unit (ASIMU). The details are shown in Figure 1.

As shown in Figure 1, UAVs are first registered with the GIMI, and the GIMI generates identity information for UAVs and stores it. When all drones are registered, multiple reliable drones are selected by the ground control center to form the air swarm identity management unit, and the key information on the GIMI, such as pre-planning mission details and drone-identity-related information, is synchronized to the ASIMU. The detailed functions of each entity are shown below.

• The ground control center mainly generates pre-planning missions and dynamically adjusts them based on the latest situation information. Moreover, it can detect the operation of the UAV swarm in real time to ensure the smooth execution of the mission;
• The UAV swarm performs the missions of the ground control center and sends the collected situation information to the mission control cloud;
• The mission control cloud receives situation information sent by the drone and sends the replanning mission of the ground control center to the drone and the ASIMU;
• The GIMI is a distributed system composed of organizations involved in UAV swarm application and is deployed on the ground, which is used to store key information such as the identity of the UAV, complete the identity authentication of the mission control cloud and the UAV, and provide key data to the ground control center;
• The ASIMU is a distributed system composed of multiple reliable UAVs, which is deployed between UAV swarm to store key information such as the drone’s identity and realize identity authentication between drones. When two drones communicate with each other, they first verify each other’s identities through ASIMU to prevent the invasion of malicious drones.

3.2. System Initialization

Let ${\mathbb{F}}_q$ be a prime finite field of integers modulo q, $EC$ be an elliptic curve defined over ${\mathbb{F}}_q$, G be the base point of order r on the elliptic curve, and a one-way hash function $H:{\{0,1\}}^{*}\to {\mathbb{Z}}_r^{*}$ is chosen. When a drone is registered, its public and private keys, distributed identifier ($DID$) and $DID$ document, are generated by GIMI.

Public and private key generation: The GIMI randomly selects an integer $S{K}_i\in {\mathbb{Z}}_r$ as its private key for each registered drone and computes $P{K}_i=S{K}_i·G$ as its public key.

$DID$ and $DID$ document generation: If the registration information of the drone is $m_i$, then $DID=H\left(m_i\right)$. The $DID$ document contains some key information of the drone, and its specific content is shown in

Table 1. $DID$ document content.

Symbol	Description
$DID$	UAV’s $DID$ that identifies the $DID$ document
Publickey	UAV’s public key required for authentication and establishing communication
Timestamp	The timestamp when the $DID$ document was created
Event	The record of important UAV event
UpdateTimestamp	The timestamp of the last update of the $DID$ document
Role	UAV’s role
PhysicalID	UAV’s physical ID
Sign	Integrity proof of the $DID$ document, i.e., the signature of the GIMI

.

After the GIMI generates the above information, the drone $DID$ and the corresponding $DID$ document are associated and distributed to store on the GIMI. The $DID$ and the private key $S{K}_i$ are distributed to the corresponding drone through the secure channel. The drone’s private key $S{K}_i$ is not stored on the GIMI.

4. Scheme Design

To solve some security problems faced by drones, a lightweight secure communication scheme supporting batch authentication is proposed.

4.1. Secure Communication Protocol

To realize the secure transmission of data, a lightweight secure communication protocol is innovatively proposed, which not only reduces the number of encryptions but also ensures the randomness and one-time use of the session key. This protocol mainly consists of three parts; they are the ASIMU, the sender, and the receiver. In this paper, each entity in Figure 1 can be both a sender and a receiver. The sender is the entity that sends the information, and the other entities that communicate with it are the receivers. If two drones communicate for the first time, the receiver’s $DID$ document is requested by the sender from the ASIMU and stored locally. The protocol details are shown below.

• The sender sends message:

$$\begin{array}{c}S\to R:C_s=\{DI{D}_s,L_s,T_s,E_{k_s}(Sig{n}_s,m_s)\},\end{array}$$

where S represents sender, R represents receiver, $C_s$ indicates ciphertext sent by S, $DI{D}_s$ is the sender’s identifier, $r_s$ represents a random number generated on the finite field ${\mathbb{Z}}_r$, $L_s=k_s\oplus H(DI{D}_r\left|\right|S{K}_s·P{K}_r\left|\right|T_s)$, $S{K}_s$ is the private key of the sender S, $P{K}_r$ represents the public key of the receiver R, $T_s$ is the timestamp when $m_s$ was sent, E represents a symmetric encryption algorithm, $E_{k_s}$ is used to indicate encryption with $k_s$, $Sig{n}_s$ is the signature of the sender S to $m_s$, and $m_s$ is communication message. The detailed process for generating ciphertext $C_s$ is shown in Algorithm 1.

• The receiver processes message:

After the $C_s$ is received by the receiver, if the $DID$ document of the sender is not stored locally, it will first be requested by the receiver from the ASIMU. Then, decryption and signature verification are performed. The detailed processing flow is shown in Algorithm 2, where $T_s^{\prime }$ is the timestamp when the $C_s$ is received and T is a threshold set based on the actual application scenario, indicating the maximum communication delay.

Algorithm 1 Ciphertext processing algorithm

Require:$(DI{D}_s,S{K}_s)$ Ensure:$\left(C_s\right)$   1: if first communication with the receiver then   2:    request the receiver’s $DID$ document from the ASIMU   3: end if   4: read the receiver’s public key $P{K}_r$ from its $DID$ document   5: get timestamp $T_s$ and randomly select $k_s\in {\mathbb{Z}}_r$   6: calculate $L_s=k_s\oplus H(DI{D}_r\left|\right|S{K}_s·P{K}_r\left|\right|T_s)$   7: calculate $Sig{n}_s$   8: execute $E_{k_s}(Sig{n}_s,m_s)$ using symmetric encryption algorithm E   9: encapsulate $C_s=\{DI{D}_s,L_s,T_s,E_{k_s}(Sig{n}_s,m_s)\}$ and send it

Algorithm 2 Receiver information processing algorithm

Require:$\left(C_s\right)$ Ensure:$\left(m_s\right)$   1: if first communication with the sender then   2:    request the sender’s $DID$ document from the ASIMU   3: end if   4: get timestamp $T_s^{\prime }$   5: if$T_s^{\prime }-T_s\le T$then   6:    read $DI{D}_s, L_s, T_s,$ and $E_{k_s}(Sig{n}_s,m_s)$ from $C_s$   7:    read the sender’s public key $P{K}_s$ from its $DID$ document   8:    calculate $H\left(DI{D}_r\right||S_r·P{K}_s|\left|T_s\right)$   9:    calculate $k_s=L_s\oplus H(DI{D}_r\left|\right|S_r·P{K}_s\left|\right|T_s)$ 10:    decrypt $E_{k_s}(Sig{n}_s,m_s)$ with $k_s$ 11:     if successful verification $Sig{n}_s$ then 12:     receive $m_s$ 13:   else 14:     discard $m_s$ 15:   end if 16: end if

4.2. Identity Authentication

To implement efficient identity authentication, an identity authentication scheme supporting batch signature verification is proposed, which is divided into two stages: signature and verification.

Signature: To ensure the integrity of $m_s$ and realize the identity authentication of the sender, $m_s$ needs to be signed by the sender. The detailed processing flow is shown in Algorithm 3, where $X_{sx}$ is the x-coordinate of point $X_s$ on the E. After the signature is completed, $Sig{n}_s=(Sig{n}_{s1},Sig{n}_{s2})$ and other information are transmitted securely using the secure communication protocol designed in this paper.

Verification: After the signature of the sender is obtained, the receiver can select single signature verification or batch signature verification based on the actual situation. In the system model proposed, if drones communicate with each other, to ensure real-time performance, single signature verification can be used. The detailed process is shown in Algorithm 4. If the drones send situation information to the tactical cloud, to improve the processing efficiency of the tactical cloud, batch signature verification can be used. The detailed process is shown in Algorithm 5.

Algorithm 3 Signature algorithm

Require: $(k_s,S{K}_s,P{K}_s,m_s)$ Ensure: $Sig{n}_s=(Sig{n}_{s1},Sig{n}_{s2})$   1: calculate $X_s=k_s·G$   2: randomly select $k\in {\mathbb{Z}}_r$   3: calculate $Y_s=k·G$   4: calculte $M_s=H\left(m_s\right)$   5: calculate $Sig{n}_{s1}=(X_{sx}+Y_{sx}) \mathrm{mod} r$   6: while $Sig{n}_{s1}=0$ do   7:    reselect k and recalculate $Y_s$ and $Sig{n}_{s1}$   8: end while   9: calculate $Sig{n}_{s2}=(M_s+S{K}_{s}Sig{n}_{s1})k_s^{-1} \mathrm{mod} r$ 10: while $Sig{n}_{s2}=0\vee Sig{n}_{s1}=0$ do 11:    reselect k and recalculate $Y_s$, $Sig{n}_{s1}$, and $Sig{n}_{s2}$ 12: end while 13: encapsulate $Sig{n}_s=(Sig{n}_{s1},Sig{n}_{s2})$

Algorithm 4 Single signature verification algorithm

Require: $(k_s,Sig{n}_{s1},Sig{n}_{s2},m_s)$ Ensure: $(True or False)$   1: calculate $X_S=k_s·G$   2: calculate $M_s^{\prime }=H\left(m_s\right)$   3: calculate $A_s=\left(M_s^{\prime }Sig{n}_{s2}^{-1}\right) \mathrm{mod} r$   4: calculate $B_s=\left(Sig{n}_{s1}Sig{n}_{s2}^{-1}\right) \mathrm{mod} r$   5: calculate $X_s^{\prime }=A_s·G+B_s·P{K}_s$   6: if $X_s=X_s^{\prime }$ then   7:    successful verification signature and return True   8: else   9:    failed verification signature and return False 10: end if

According to Algorithm 4, there are $A_s=\left(M_s^{\prime }Sig{n}_{s2}^{-1}\right) \mathrm{mod} r$ and $B_s=\left(Sig{n}_{s1}Sig{n}_{s2}^{-1}\right) \mathrm{mod} r$. The detailed calculation of $X_s^{\prime }$ is shown in Formula (3)

$$\begin{array}{cc}\hfill X_s^{\prime }& =A_s·G+B_s·P{K}_s\hfill \\ \hfill & =\left(M_s^{\prime }Sig{n}_{s2}^{-1}\right)·G+\left(Sig{n}_{s1}Sig{n}_{s2}^{-1}\right)S{K}_s·G\hfill \\ \hfill & =\left[\left(M_s^{\prime }+Sig{n}_{s1}S{K}_s\right)Sig{n}_{s2}^{-1}\right]·G\hfill \\ \hfill & =\left[{\displaystyle \frac{M_s^{\prime }+Sig{n}_{s1}S{K}_s}{(M_s+Sig{n}_{s1}S{K}_s)k_s^{-1}}}\right]·G.\hfill \end{array}$$

(3)

If the $m_s$ is not modified during transmission, then $M_s^{\prime }=M_s$, so $X_s^{\prime }=k_s·G=X_s$.

According to Algorithm 5, there are $A={\displaystyle \sum _{s=1}^n}\left[\left(M_s^{\prime }Sig{n}_{s2}^{-1}\right) \mathrm{mod} r\right]·G$ and $B={\displaystyle \sum _{s=1}^n}\left[\left(Sig{n}_{s1}Sig{n}_{s2}^{-1}\right) \mathrm{mod} r\right]·P{K}_s$. The detailed calculation of $X^{\prime }$ is shown in Formula (4)

$$\begin{array}{cc}\hfill & X^{\prime }=A+B\hfill \\ \hfill & =\sum _{s=1}^n\left[\left(M_s^{\prime }Sig{n}_{s2}^{-1}\right)·G+\left(Sig{n}_{s1}Sig{n}_{s2}^{-1}S{K}_s\right)·G\right]\hfill \\ \hfill & =\sum _{s=1}^n\left[\left(M_s^{\prime }+S{K}_{s}Sig{n}_{S1}\right)Sig{n}_{S2}^{-1}\right]·G\hfill \\ \hfill & =\sum _{s=1}^n\left[{\displaystyle \frac{M_s^{\prime }+S{K}_{s}Sig{n}_{s1}}{(M_s+S{K}_{s}Sig{n}_{s1})k_s^{-1}}}\right]·G.\hfill \end{array}$$

(4)

Similarly, if the $m_s$ is not modified during transmission, then $M_s^{\prime }=M_s$, so $X^{\prime }={\displaystyle \sum _{s=1}^n}{k}_s·G=X$.

Algorithm 5 Batch signature verification algorithm

Require: $(k_s,Sig{n}_{s1},Sig{n}_{s2},m_s)$ Ensure: $(True or False)$   1: calculate $X={\displaystyle \sum _{s=1}^n}{k}_s·G$   2: calculate $M_s^{\prime }=H{\left(m_s\right)}_{(s=1,2,\dots ,n)}$   3: calculate $A={\displaystyle \sum _{s=1}^n}\left[\left(M_s^{\prime }Sig{n}_{s2}^{-1}\right) \mathrm{mod} r\right]·G$   4: calculate $B={\displaystyle \sum _{s=1}^n}\left[\left(Sig{n}_{s1}Sig{n}_{s2}^{-1}\right) \mathrm{mod} r\right]·P{K}_s$   5: calculate $X^{\prime }=A+B$   6: if $X=X^{\prime }$ then   7:    successful verification signature and return $True$   8: else   9:    failed verification signature and return $False$ 10: end if

5. Performance Analysis and Evaluation

5.1. Communication Cost and Computation Cost Analysis

5.1.1. Communication Cost Analysis

In this paper, the communication cost is the number of bits of information required for identity authentication. Assume that the length of message $m_s$ is 160 bits and $EC$ is 256 bits, so the communication cost of transmitting point $P=(P_x,P_y)$ on the $EC$ is (256 bits + 256 bits) = 512 bits. In the proposed scheme, $k_s,Sig{n}_{s1},Sig{n}_{s2}$, and $m_s$ are required for identity authentication, so the total communication cost is (256 bits + 256 bits + 256 bits + 160 bits) = 928 bits. Moreover, a comparison of communication cost with the existing research is presented in

Table 2. Communication cost comparison.

Author	Verifying Single Signature	Verifying n Signatures
Maria et al. [26]	2080	2080n
Maurya et al. [27]	1628	1472n
Tan et al. [30]	3936	2368n + 1568
Feng et al. [31]	6144	6144n
Bagga et al. [32]	4544	4544n
Vijayakumar et al. [33]	2208	2208n
Proposed	928	928n

.

As can be seen from Table 2, the proposed scheme not only solves the security problems faced by UAV swarm but also has lower communication cost, which is more suitable for UAV swarm with limited communication network.

5.1.2. Computation Cost Analysis

To prove the efficiency of the proposed scheme, the computation cost of the proposed identity authentication scheme is compared with existing research, and the details are shown in

Table 3. Computation cost comparison.

Author	Computation Delay in Batch Signature Verification
Maria et al. [26]	$4n{T}_{ecm}+n{T}_{eca}+n{T}_{bp}$
Maurya et al. [27]	$3T_{bp}+(3n+2)T_{ecm}+2n{T}_h$
Tan et al. [30]	$(4T_h+3T_{ecm}+2T_{bp})n$
Feng et al. [31]	$4T_{bp}+(6n-1)T_{ecm}+2n{T}_h$
Bagga et al. [32]	$3T_{bp}+5n{T}_{ecm}+(3n+1)T_{eca}+(2n+1)T_h$
Vijayakumar et al. [33]	$n(T_{ecm}+T_{bp})$
Proposed	$(n+2)T_{ecm}+n{T}_{eca}+n{T}_h$

. We denote $T_{ecm}$, $T_h$, $T_{bp}$, and $T_{eca}$ as the time required for elliptic curve scalar multiplication, one-way hash function, bilinear pairing operation, and elliptic curve point addition, respectively. In the proposed scheme, five steps are mainly performed during batch signature verification, and the corresponding times are shown as follows:

Step 1: when calculating X, elliptic curve scalar multiplication is performed only once, so its time is $T_{ecm}$;

Step 2: the hash values of n messages are calculated, so its time is $n{T}_h$;

Step 3: when calculating A, elliptic curve scalar multiplication is performed only once, so its time is $T_{ecm}$;

Step 4: when calculating B, elliptic curve scalar multiplication is performed n times, and elliptic curve point addition is performed $n-1$ times, so its time is $n{T}_{ecm}+(n-1)T_{eca}$;

Step 5: when calculating $X^{\prime }$, elliptic curve point addition is performed only once, so its time is $T_{eca}$.

Therefore, the total time of batch signature verification in the proposed scheme is $T_{ecm}+n{T}_h+T_{ecm}+n{T}_{ecm}+(n-1)T_{eca}+T_{eca}=(n+2)T_{ecm}+n{T}_{eca}+n{T}_h$.

It can be seen from Table 3 that the computation cost of the scheme proposed is mainly $T_{ecm}$ and $T_{eca}$, and $T_{bp}>T_{ecm}>T_{eca}>T_h$. Therefore, the computation cost of the scheme proposed is theoretically lower than existing research.

5.2. Communication Cost and Computation Cost Evaluation

To evaluate the performance of the scheme proposed, the evaluation experiments of communication cost and computation cost are designed. In the experiment, the SM2 algorithm is used; it is an elliptic curve cryptography algorithm released by the China Cryptography Administration on 17 December 2010. It is widely used in digital signatures and encryption. The digital simulation of UAV is performed on Windows 10 with 16.0 GB RAM, while the semi-physical simulation of UAV is implemented on an onboard embedded computer with 1.5 GHz ARM Cortex-A72 CPU and 2 GB RAM, and the algorithm proposed in this paper is implemented using the go language.

5.2.1. Communication Cost Evaluation

In Section 5.1, the communication cost of the proposed scheme is analyzed theoretically, and the specific experimental evaluation is discussed in this section. The comparison experiments with existing schemes are designed under different file sizes and different number of nodes. In the comparison experiment, AES with 256-bit key length is used for symmetric cryptography and SM2 is used for asymmetric cryptography.

In the existing schemes, a hybrid encryption scheme based on the combination of symmetric encryption and asymmetric encryption is adopted in [25], while a pure asymmetric encryption scheme is adopted in [28]. These two schemes are representative in the field of secure communication, and they embody different design ideas and implementation methods. By comparing with them, the advantages and innovations of the proposed scheme can be highlighted.

In the comparison experiments under different file sizes, the communication delay is compared by increasing the file size. The specific experimental results are shown in Figure 2 and Figure 3.

As can be seen from Figure 2 and Figure 3, under the condition of the same file size, the communication delay of the proposed scheme is lower, and it can realize the safe and efficient transmission of large files such as pictures and videos in UAV swarm application.

In the comparison experiment under different number of nodes, the communication delay is compared by increasing the number of UAV nodes. The specific experimental results are shown in Figure 4.

As shown in Figure 4, when the number of nodes is the same, the scheme proposed has lower communication delay, and its growth trend is relatively slow with the number of nodes.

Moreover, to intuitively evaluate the performance of the proposed scheme, the communication cost in Section 5.1 is quantified, and the detailed results are shown in Figure 5.

It can be seen from Figure 5 that, under the condition of the same number of signatures, the batch signature scheme proposed has a lower communication cost.

5.2.2. Computation Cost Evaluation

To accurately evaluate the computation cost of the proposed scheme, the execution times of $T_{bp}$, $T_{ecm}$, $T_{eca}$, and $T_h$ in Table 3 are quantified. In this experiment, their execution times are tested 20 times, respectively, and the maximum time, minimum time, and average time of each indicator are recorded. The details are shown in

Table 4. Computation cost comparison.

Indicator	Maximum Time (ms)	Minimum Time (ms)	Average Time (ms)
$T_{bp}$	5.1	4.4	4.8
$T_{ecm}$	1.6	0.9	1.1
$T_{eca}$	0.02	0.008	0.014
$T_h$	0.001	0.0002	0.0006

. The quantization result of the batch signature verification delay is shown in Figure 6.

As shown in Figure 6, the batch signature verification delay of the seven schemes increases with the increase in the number of nodes. Under the same conditions, the proposed scheme has a lower batch signature verification delay, and its growth trend is slower with the number of nodes. Therefore, the proposed scheme is more suitable for UAV swarm with limited computing power.

6. Security Analysis

The communication process of the proposed secure communication protocol is as follows. In this section, the random oracle model (ROM) is used to prove that the proposed scheme is secure under the DDH assumption. The random oracle model is an abstract model. In the actual protocol, the random oracle model is usually implemented by hash function.

Theorem 1.

If the DDH assumption holds, the proposed scheme is CPA secure.

If the proposed scheme can be broken by an adversary $\mathcal{A}$ with a non-negligible advantage $\epsilon >0$ in a polynomial time, then there is also an algorithm $\mathcal{B}$ that can break the DDH assumption with a non-negligible advantage ${\displaystyle \frac{\epsilon }{2}}$ in a polynomial time. The DDH assumption can be challenged by a challenger $\mathcal{C}$.

Let ${\mathbb{F}}_q$ be a prime finite field of integers modulo q, $EC$ be an elliptic curve defined over ${\mathbb{F}}_q$, and G be the base point of order r on the elliptic curve. The DDH challenger $\mathcal{C}$ randomly selects $\beta \in \left\{0,1\right\}$, $a,b\in {\mathbb{Z}}_r$, $R\in {\mathbb{F}}_q$. If $\beta =0$, we let $Z=abG$; otherwise, $Z=R$. Finally, a tuple $(G,aG,bG,Z)$ is sent to simulator $\mathcal{B}$ by the challenger $\mathcal{C}$, and $\mathcal{B}$ participates in the following game instead of $\mathcal{C}$.

Setup: The simulator $\mathcal{B}$ completes system initialization.

Phase 1: $\mathcal{A}$ can request the DID document of any entity from the ASIMU and submit any data to the random oracle to query the corresponding hash value. Under the random oracle model, it is assumed that the output of the hash function is random and unpredictable.

Challenge: $\mathcal{A}$ generates two messages of equal length, i.e., $m_1$ and $m_2$, and sends them to $\mathcal{B}$. A bit $\beta \in \left\{0,1\right\}$ and an integer $k_s\in {\mathbb{Z}}_r$ are randomly selected by $\mathcal{B}$ and generate $k_s=H(k_s\left|\right|Z)$. Then, $L_s=k_s\oplus H(DI{D}_r\left|\right|S{K}_s·P{K}_r\left|\right|T_s)$ is calculated (where $P{K}_r=bG$), and $E_{k_s}(Sig{n}_s,m_{\beta })$ is executed using symmetric encryption algorithm E. Finally, $C_s=\{DI{D}_s,L_s,T_s,E_{k_s}(Sig{n}_s,m_{\beta })\}$ is sent by $\mathcal{B}$ to $\mathcal{A}$.

Phase 2: $\mathcal{A}$ can continue to request the $DID$ document of any entity from the ASIMU, and can also input data into the random oracle to query the corresponding hash value.

Guess: A guess bit ${\beta }_1\in \left\{0,1\right\}$ is sent by $\mathcal{A}$ to $\mathcal{C}$. If ${\beta }_1=\beta$, it means that $\mathcal{A}$ has won the game and $\mathcal{B}$ outputs 0 to indicate $Z=abG$; otherwise, $\mathcal{A}$ has not won the game and $\mathcal{B}$ outputs 1 to indicate $Z=R$. The advantage of attacker $\mathcal{A}$ is $\epsilon$, and the probability that $\mathcal{A}$ guesses ${\beta }_1=\beta$ correctly is $Pr({\beta }_1=\beta )={\displaystyle \frac{1}{2}}+\epsilon$. Thus, $Pr({\beta }_1\ne \beta )={\displaystyle \frac{1}{2}}$. The advantage of $\mathcal{B}$ to solve DDH assumption is ${\displaystyle \frac{1}{2}}(Pr({\beta }_1=\beta )+Pr({\beta }_1\ne \beta ))-{\displaystyle \frac{1}{2}}={\displaystyle \frac{\epsilon }{2}}$.

If the advantage of $\mathcal{A}$ is not negligible, then the advantage of simulator $\mathcal{B}$ is also not negligible. However, there is no algorithm that can solve DDH assumption in polynomial time, so $\mathcal{A}$ cannot break the proposed scheme with a non-negligible advantage in polynomial time. Moreover, in ROM, the output of H is considered unpredictable, so the distribution of the key $k_s$ is indistinguishable to the adversary $\mathcal{A}$, which ensures the ciphertext indistinguishability of the protocol. Therefore, the scheme proposed is CPA secure under DDH assumption.

UAVs usually collaborate through wireless communications, and the channels are open and vulnerable to attacks. During the communication process, they may also face the threat of active interference or passive eavesdropping by the adversary. The Dolev–Yao threat model is highly consistent with the communication environment of UAV swarm. Therefore, the rest of this section will analyze the security of the protocol under the Dolev–Yao model.

6.1. Confidentiality

In 1983, the Dolev–Yao model was first proposed by Dolev and Yao, in which each entity transmits information over an open and insecure channel. The adversary is assumed to have the following capabilities [36,37]:

• The information transmitted by each entity over the public channel can be easily intercepted by the adversary;
• The transmitted information intercepted by the adversary can be stored, deleted, modified, and replayed;
• The adversary can obtain the information stored in the device after obtaining the user device;
• The adversary knows all the steps of the authentication protocol.

In the Dolev–Yao model, to formally describe the communication process, the receiving and sending processes of the protocol are modeled by a set of algebraic expressions and corresponding transformation rules, and the following convention is introduced:

$$\begin{array}{c}{E}_x{D}_x=D_x{E}_x=1,\end{array}$$

where $E_x$ and $D_x$ represent encryption and decryption operations, respectively.

In security analysis, the formal description of the protocol can be gradually simplified according to the above convention until it cannot be simplified further. If the final simplified result is a non-empty set, it means that the protocol meets the confidentiality requirements; otherwise, it means that the protocol has the risk of information leakage and does not meet the confidentiality requirements.

The communication process of the proposed secure communication protocol is as follows:

• $S\to R$

$$\begin{array}{c}{C}_s=\left\{DI{D}_s,L_s,T_s,E_{k_s}\left(Sig{n}_s,m_s\right)\right\};\end{array}$$

• $R\to S$

$$\begin{array}{c}{C}_r=\left\{DI{D}_r,L_r,T_r,E_{k_r}\left(Sig{n}_r,m_r\right)\right\}.\end{array}$$

According to the Dolev–Yao method, the formal description of the above protocol is as follows:

$$\begin{array}{cc}\hfill N_1(S,R)m_s& =\overline{{\alpha }_1(S,R)}{m}_s\hfill \\ \hfill & =E_{k_s}\left(E_{S{K}_s}\left(H\left(m_s\right)\right)m_s\right),\hfill \end{array}$$

(5)

where ${\alpha }_1(S,R)=E_{k_s}{E}_{S{K}_s}$.

$$\begin{array}{cc}\hfill N_2(S,R)m_s& =\overline{{\beta }_1(S,R)N_1(S,R)}{m}_s\hfill \\ \hfill & =\overline{{\beta }_1(S,R){\alpha }_1(S,R)}{m}_s\hfill \\ \hfill & =\overline{E_{k_r}{E}_{S{K}_r}{D}_{P{K}_s}{D}_{k_s}{E}_{k_s}{E}_{S{K}_s}}{m}_s\hfill \\ \hfill & =E_{k_r}\left(E_{S{K}_r}\left(Hash\left(m_s\right)\right)m_s\right),\hfill \end{array}$$

(6)

where ${\beta }_1(S,R)=E_{k_r}{E}_{S{K}_r}{D}_{P{K}_s}{D}_{k_s}$, and $E_{S{K}_s}{D}_{P{K}_s}=E_{k_s}{D}_{k_s}=1$.

In Dolev–Yao models, there is $\gamma =D_{k_z}{\beta }_1(Z,R)$, which results in

$$\begin{array}{cc}\hfill \overline{\gamma N_1(S,R)}& =\overline{D_{k_z}{\beta }_1(Z,R)N_1(S,R)}\hfill \\ \hfill & =\overline{D_{k_z}{E}_{k_z}{E}_{S{K}_z}{D}_{P{K}_s}{D}_{k_s}{E}_{k_s}{E}_{S{K}_s}}\hfill \\ \hfill & =\overline{E_{S{K}_z}}\ne \lambda ,\hfill \end{array}$$

(7)

where $S{K}_z$ represents the private key of any UAV in the system and $\lambda$ denotes an empty set.

According to Dolev and Yao method, the confidentiality requirements are met by the proposed secure communication protocol.

6.2. Man-in-the-Middle Attacks

Suppose that the transmission message $C_s=\{DI{D}_s$, $L_s,T_s,E_{k_s}(Sig{n}_s,m_s)\}$ is eavesdropped by the attacker $\mathcal{A}$, and then $\mathcal{A}$ attempts to forge a message $m^{″}$ that cannot be discovered by the receiver. Since $k_s=L_s\oplus H(DI{D}_r\left|\right|S{K}_s·P{K}_r\left|\right|T_s)=L_s\oplus H(DI{D}_r\left|\right|S{K}_r·P{K}_s\left|\right|T_s)$, $k_s$ cannot be calculated by $\mathcal{A}$ as long as the private keys $S{K}_r$ and $S{K}_s$ are secure. However, $m_s$ and $Sig{n}_s$ are encrypted with $k_s$, so $\mathcal{A}$ cannot forge them. Moreover, the security of the signature algorithm proposed is based on the elliptic curve discrete logarithm problem, which is known to be unsolvable in polynomial time. The receiver can verify the integrity of the message $m_s$ by its signature, and any modification of the message can be discovered by the receiver. Therefore, the secure communication protocol proposed can resist man-in-the-middle attacks.

6.3. Replay Attacks

Assume that $\mathcal{A}$ eavesdrops on the transmission message $C_s=\{DI{D}_s,L_s,T_s,E_{k_s}(Sig{n}_s,m_s)\}$ and stores the last transmission message $C_s^{\prime }=\{DI{D}_s^{\prime },L_s^{\prime },T_s^{\prime },E_{k_s^{\prime }}(Sig{n}_s^{\prime }$, $m_s^{\prime }\left)\right\}$ locally. Replay attacks may be performed by $\mathcal{A}$ through the following two methods. One is to directly replace $C_s$ with $C_s^{\prime }$. Since the receiver verifies the timestamp, this method cannot implement the replay attack. The other is selective substitution. Because $k_s=L_s\oplus H(DI{D}_r\left|\right|S{K}_r·P{K}_s\left|\right|T_s)$, if any part of $C_s$ is replaced, the receiver cannot calculate $k_s$, so the security communication protocol proposed can resist replay attacks.

6.4. Impersonation Attacks

Assume that attacker $\mathcal{A}$ attempts to act as a legitimate drone and tries to generate ciphertext $C_s^{″}=\{DI{D}_s^{″},L_s^{″},T_s^{″},$$E_{k_s^{″}}(Sig{n}_s^{″},m_s^{″})\}$. To achieve this goal, a random number $k_s^{″}$ is first generated by $\mathcal{A}$, and an attempt is made to calculate $L_s^{″}=k_s^{″}\oplus H(DI{D}_r^{″}\left|\right|S{K}_r^{″}·P{K}_s^{″}\left|\right|T_s^{″})$. Since the receiver’s public key $P{K}_r^{″}$ is stored on the ASIMU, only legitimate drones can request it, and $\mathcal{A}$ also has no legitimate private key, so it is computationally infeasible for $\mathcal{A}$ to generate a valid $L_s^{″}$. Therefore, $\mathcal{A}$ cannot become a legal UAV; that is, the secure communication protocol proposed can resist impersonation attacks.

7. Conclusions

Aiming at the security problems faced by UAV swarm, such as the lack of reliable identity authentication, a lightweight secure communication scheme supporting batch authentication for UAV swarm is proposed, which can prevent the invasion of malicious UAVs. The secure communication protocol based on elliptic curves can not only reduce the number of encryptions but also ensure the randomness and one-time use of the session key. Moreover, to ensure efficient identity authentication of UAVs, a UAV identity authentication scheme supporting batch signature verification is proposed. The receiver can independently choose single signature verification or batch signature verification according to different scenarios. The experiments show that, under the same conditions, the proposed scheme has obvious advantages in terms of communication cost and computation cost, which is more suitable for UAV swarm with limited computing power. Further, through a comprehensive security analysis, the capability of the proposed scheme to resist various attacks is demonstrated. Therefore, the proposed scheme is not only safe and reliable but also has good feasibility and broad application potential. However, there are still some limitations in this scheme. It does not fully consider the protection measures against distributed denial-of-service (DoS) attacks and security in a quantum computing environment. In the future, we plan to explore these issues in depth and provide effective solutions.