 Research
 Open access
 Published:
Lightweight ringneighborbased user authentication and groupkey agreement for internet of drones
Cybersecurity volume 7, Article number: 50 (2024)
Abstract
As mobile internet and Internet of Things technologies continue to advance, the application scenarios of peertopeer Internet of Drones (IoD) are becoming increasingly diverse. However, the development of IoD also faces significant challenges, such as security, privacy protection, and limited computing power, which require technological innovation to overcome. For group secure communication, it is necessary to provide two basic services, user authentication and group key agreement. Due to the limited storage of IoD devices, group key negotiation requires lightweight calculations, and conventional schemes cannot satisfy the requirements of group communication in the IoD. To this end, a new lightweight communication scheme based on ring neighbors is presented in this paper for IoD, which not only realizes the identity verification of user and group key negotiation, but also improves computational efficiency on each group member side. A detailed security analysis substantiates that the designed scheme is capable of withstanding attacks from both internal and external adversaries while satisfying all defined security requirements. More importantly, in our proposal, the computational cost on the user side remains unaffected by the variability of the number of members participating in group communication, as members communicate in a noninteractive manner through broadcasting. As a result, the protocol proposed in this article demonstrates lower computational and communication costs in comparison to other cryptographic schemes. Hence, this proposal presents a more appealing approach to lightweight group key agreement protocol with user authentication for application in the IoD.
Introduction
Since the emergence of the Internet, the number of connected devices has been continuously skyrocketing. This upward trend is fueled by increasing reliance on and pursuit of the Internet, driving the expansion of network connections across various types of devices. From smartphones and computers to household appliances and cars, almost all technological domains are rapidly integrating with the Internet, making our daily lives closely intertwined with the digital world. These interconnected devices will generate, share, collect, and enable varied data utilization, further promoting the transmission, communication, and interaction of information.
The widespread application of IoT technology has facilitated the seamless integration of drones with various devices, systems, and platforms, significantly advancing the development of Internet of Drones (IoD) (Derhab et al. 2023). This advancement has attracted considerable attention in academia and industry. Due to their exceptional flexibility, convenience, and efficiency, the Unmanned Aerial Vehicles (UAVs) (Drones) have replaced human involvement in mechanical and highrisk activities across numerous fields, thereby substantially improving work efficiency and quality of life (Badshah et al. 2024; Cui et al. 2020). For instance, drones can be deployed for the rapid delivery of pharmaceuticals and medical supplies to enhance the efficiency of emergency responses. Similarly, they can precisely locate missing persons during search and rescue operations. Moreover, drones are also employed in critical tasks such as military reconnaissance and traffic monitoring, providing timely and essential information to prevent and manage emergency situations.
A typical application scenario of IoD is illustrated in Fig. 1. These drones collect data via their integrated sensors, cameras, and microphones, and then use their own communication modules such as WiFi, Bluetooth, and WLAN to transmit these data to the control center through public channels. Hence, drone technology offers an efficient means for users to obtain relevant information in realtime from a distance. In most application scenarios, drones often collect data containing sensitive private information, rendering these drones highly vulnerable to physical interception and data tampering when operating in public spaces. This leads to significant data security challenges. Additionally, as devices constrained by limited resources, the restricted memory and computational power of drones limit their ability to implement complex security protocols. Therefore, how to achieve lightweight computational and communication costs while ensuring robust security for data has become a critical issue that urgently needs addressing in this technological domain.
Drone communications in IoD face two principal data security challenges, authentication and privacy (Gupta et al. 2015; Lin et al. 2018). In open environments, besides the data gathered by drones, adversaries might also aim at the identities of drones and their geographic locations (that is, their flight routes) to acquire confidential information concerning the usage of drones and the facilities they are monitoring. Therefore, it is imperative that all entities participating in drone communications are thoroughly authenticated, and that encryption protocols are employed on the communication data to protect drones against attacks targeting their privacy, thus averting the leakage of sensitive information.
Due to the limited operational range of individual drones, practical scenarios often require the simultaneous deployment of multiple drones for collaborative purposes. In this circumstance, group communication among drones becomes essential. Considering the serious risk of information leakage while transmitting data to recipients in a public and open environment, establishing a confidential group key among different group members is fundamental to ensuring the security of group communications (Zhang et al. 2020; Gope and Sikdar 2020; Hsu et al. 2023c, 2021). This approach to groupbased key negotiation requires the preliminary dissemination of onetime session key to all users. This onetime session key plays a pivotal role in creating a confidential group key among the group members. It is imperative to ensure that the generated group key is kept confidential and is only known to the members participating in the current session. This group key is subsequently used to encrypt all information transmitted in later communications, thus ensuring secure group communications.
In secure communications, the aim of key negotiation schemes is to distribute session keys to users securely. Researchers have utilized various cryptographic technologies to propose effective group key negotiation strategies that meet the security needs for confidentiality and integrity, among other aspects, within group communications. The initially proposed DiffieHellman scheme (Diffie and Hellman 1976) is a distinctive key exchange solution that enables encrypted communication between two users by agreeing upon a shared key without the requirement of transmitting it over an open public channel. This protocol laid the cornerstone for the advancement of modern key exchange algorithms and has become a popular tool for establishing keys. However, due to the limitation of the DiffieHellman proposal being applicable only to two users, numerous scholars have built upon this foundation to design new group key distribution protocols (Joux 2000; Boneh et al. 2001). Laih et al. (1989) proposed a group key distribution scheme, which employs secret sharing technique. Its core idea is to have a trusted group administrator distribute tokens to authorized group members and broadcast them to all participating members, thereby establishing a shared key. A conference key distribution system was introduced by Burmester and Desmedt (1994), which utilizes publickey cryptography to generate a group key for the attending members. Subsequently, Harn and Lin (2010) presented another group key agreement protocol where the group key is concealed within a polynomial and broadcasted simultaneously to all members within the group. This innovative approach proves to be more costeffective and efficient compared to pointtopoint communication.
As an increasing number of smart devices integrate into the IoD, the presence of millions of devices and the wireless data transmission across various systems markedly elevate the risks associated with cybersecurity (Abualigah et al. 2021; Derhab et al. 2023; Tanveer et al. 2021). To ensure the security of data within the IoD, there is a necessity for the efficient authentication of a multitude of nodes. This process guarantees that only authorized users can access the data, thus preserving the confidentiality of information. Due to several factors, traditional onetoone authentication schemes are no longer suitable for the current complex IoD environment (Hsu et al. 2023b). On one hand, the low power consumption constraints of nodes within the IoD limit their ability to process complex computations and communications. Conventional group key protocols in this environment require constantround communication with lightweight computation overhead on each group member side (Zhang et al. 2020; Gope and Sikdar 2020). On the other hand, the extensive number of devices poses a challenge for servers to process numerous authentication requests concurrently (Zhang et al. 2020; Hussain et al. 2021). Consequently, there is an urgent need to design lightweight group authentication protocols for the IoD environment that can simultaneously verify the legitimacy of group members and ensure secure communication among different members within the group.
Sharma and Purushothama (2022) designed a lightweight membershipauthenticated group key establishment for resourceconstrained smart environments using symmetric bivariate polynomials. By using symmetric binary polynomials, Hsu et al. (2023a) presented a structure for lightweight authentication in conjunction with joint arithmetic computation within the context of 5G IoT networks. This framework incorporates both member authentication and collaborative arithmetic computation functionalities, ensuring efficient computation and communication for each group member. Tian et al. (2019) introduced a privacy protection strategy for the IoD environment, utilizing an online/offline signature design. Additionally, they also proposed an authentication method by employing mobile edge computing. Zhang et al. (2020) presented an alternative lightweight authentication and key negotiation scheme for IoD. The verification process within this scheme only utilizes oneway hash functions and XOR operations. However, in the protocol, drones are required to store security credentials to authenticate their identities to other participants. This introduces a potential vulnerability, in the event of a physical assault on a drone, it becomes feasible for adversaries to access the preserved credentials. The existing authentication protocols (Zhang et al. 2020; Tian et al. 2019; Srinivas et al. 2019; Cho et al. 2020) designed for IoD uniformly confront a similar threat, that is, the privacy and security concerns arising from physical attacks on drones. PMAP is a lightweight and privacypreserving protocol designed by Pu et al. (2022). It consists of two components: the first part authenticates the identities of drones and service providers and establishes a secure session key, while the second part authenticates the drone identities and establishes a secure session key. Notably, the latter employs Physical Unclonable Functions (PUFs) and chaotic systems to support the negotiation process.
Based on the analysis of the security and privacy challenges prevalent in IoD, this paper proposes a novel and efficient scheme for user authentication and key negotiation. Unlike existing drone security solutions, the proposed approach employs asymmetric binary polynomials and addition operations to simultaneously support member authentication and the establishment of a group key. Furthermore, it provides the necessary security features for privacy protection without the need to store any keys on the devices. In registration stage, the membership registration center (MRC) is responsible for distributing a token for each registered member. The token refers to the univariate polynomial calculated by the asymmetric bivariate polynomial, which is used to distribute paired shared keys and verify the identity of the member. Subsequently, each group member uses addition to blend the secret key shared by her/him and the two neighbors in the group ring with his secret input value to obtain an output value. This output value is encrypted with the pairwise keys that she/he shares with other members of the group ring, generating a secret value that is then broadcasted to the corresponding group members. Finally, the participating members utilize all the received values to compute the group key, so as to facilitate subsequent secure communication. The presented ringneighborbased lightweight protocol is especially suitable for IoD environments.
The main contributions of this research are as follows.

An efficient scheme for membership authentication and group key agreement is presented for secure communication in IoD environment, which is constantround communication with lightweight computation overhead for each group member side.

Tokens, initially derived from asymmetric binary polynomials, are employed for authenticating members and distributing pairwise shared keys.

The principal computational method of the proposed scheme is addition, substantially reducing the computational burden on users.

A distinctive feature of our scheme is that the computational overhead on the side of each group member does not increase linearly or logarithmically with the size of the group membership.

The security analysis clearly demonstrates that our scheme can effectively withstand internal and external attacks, while satisfying all defined security requirements.
Organization: “Preliminaries” section introduces the relevant preliminaries. The models of the presented protocol are described in “Model of our proposed protocol” section. In “Our proposed protocol” section, a comprehensive outline of our proposal is provided. We analyze the security of this proposal in detail and discuss various aspects of its performance in “Analysis” section. Finally, “Conclusion” section summarizes this study.
Preliminaries
The Shamir’s threshold secret sharing scheme SS (Shamir 1979) is a classic encryption algorithm. Its implementation principle involves obtaining \(t\) points on a polynomial curve for any \(t  1\) degree polynomial function. These points can be used to determine the function through polynomial interpolation methods. The specific process begins with the secret owner selecting an arbitrary polynomial \(f\left( x \right)\), where \(f\left( 0 \right) = s\), with \(s\) representing the secret information. Subsequently, the share \(f\left( {x_{i} } \right)mod\;p,\) is generated for each participant and distributed to the corresponding participant, where \(i = 1,2, \ldots ,n\), \(p\) is a prime satisfying \(p > s\), \(x_{i}\) denotes the identifier of the participant. It should be noted that the recovery of the secret information \(s\) requires a collective combination of at least \(t\) shares from the participating parties.
Due to the limitation in Shamir’s SS where shareholders cannot ascertain the validity of shares received from the dealer, Chor et al. (1985) extended this SS in 1985 to devise the first verifiable secret sharing (VSS). This scheme allows shareholders to authenticate the validity of shares received from the dealer. If the shares are found to be invalid, shareholders are entitled to request the dealer to regenerate new shares. Subsequently, researchers (Cramer et al. 1592; Cheng and Agrawal 2005; Desmedt and Frankel 1991; Katz et al. 2008; Kumaresan et al. 2010; Knuth 1981a) have broadened the application from univariate polynomial functions to bivariate functions to design more efficient schemes, BVSSs. Suppose there is a \(t  1\) degree bivariate polynomial \(F\left( {x,y} \right) = \mathop \sum \limits_{i = 0}^{t  1} \mathop \sum \limits_{j = 0}^{t  1} a_{i,j} x^{i} y^{j} mod\;p,\) where \(a_{i,j} \in GF\left( p \right), \) and \(p\) is a prime. Bivariate polynomials are further classified into two types: symmetric and asymmetric, similarly, BVSSs are divided into two categories, SBVSSs (Cheng and Agrawal 2005; Katz et al. 2008; Knuth 1981a) and ABVSSs (Cramer et al. 1592; Desmedt and Frankel 1991; Kumaresan et al. 2010). The former refers to polynomials where the coefficients satisfy the condition \(a_{i,j} = a_{j,i} ,\forall i,j \in \left[ {0,t  1} \right]\). Similar to the univariate polynomialbased secret sharing protocol mentioned above, in SBVSS, the secret owner randomly defines a polynomial \(F\left( {x,y} \right)\) of degree \(t  1\), where \(F\left( {0,0} \right) = s\). Each share \(F\left( {x_{i} ,y} \right)\bmod p,i = 1,2,\ldots,n\) is distributed to the corresponding participant \(U_{i}\) and kept securely. The share is a univariate polynomial of degree \(t  1\) generated based on the symmetric polynomial \(F\left( {x,y} \right)\), and satisfies \(F\left( {x_{i} ,x_{j} } \right) = F\left( {x_{j} ,x_{i} } \right),\) \(\forall i,j \in \left[ {0,t  1} \right]\). Consequently, participants \(U_{i}\) and \(U_{j}\) can posse a shared key \(F\left( {x_{i} ,x_{j} } \right) = F\left( {x_{j} ,x_{i} } \right)\). Similarly, in ABVSS, each shareholder \(U_{i}\) can obtain a pair of shares, \(F\left( {x_{i} ,y} \right)\bmod p\) and \(F(x,x_{i} ) mod\;p,i = 1,2, \ldots ,n,\) generated by the secret owner, and establish a shared pairwise secret key, \(F\left( {x_{i} ,x_{j} } \right)\) or \(F\left( {x_{j} ,x_{i} } \right),\) with other shareholder \(U_{j} .\)
This paper aims to design a lightweight and efficient membership authentication and group key negotiation scheme for IoD. The three solutions of verifying membership, distributing pairwise shared keys, and negotiating group keys are integrated into our construction. In contrast to most current secure communication solutions (Yang et al. 2023; Bai et al. 2022; Wang et al. 2022; Roy and Bhattacharya 2022) that require additional steps for member authentication and shared key distribution, as well as interactive communications or complex computations for encryption and decryption, our approach presents considerable benefits in communication and computational expenses owing to its integrated and noninteractive characteristics. Furthermore, utilizing a method based on ring neighbors ensures that the computational burden for each group member does not increase linearly or logarithmically with the size of the group. That is, regardless of the number of participants in group communication, the computational cost for individuals within the group remains constant.
Model of our proposed protocol
We design models of the presented proposal from two perspectives of network and security respectively. The following is a detailed introduction.
Network and communication model
In resource constrained environments, for example, in a typical Internet of Drones (IoD) model, there are typically three foundational elements: trusted authority (TA), IoD infrastructures (II) and smart devices (SD). Through IoD, these three types of participants are able to interconnect and form a vast communication network. Smart Devices can share various types of information with each other and with the IoD infrastructure, thus enhancing the efficiency of IoD information processing. Communication between Smart Devices and everything else represents one form of intelligent environment communication, referring to the interactions between Smart Devices and any entity. In addition, there are other types of communications, such as SDtoSD communication, SDtoII communication. The typical IoD model is illustrated in Fig. 2, featuring both SDtoSD and SDtoII communication. The protocol we propose is designed to secure group communications within this network model, where the TA is fully trusted and responsible for member registration. Participants in group communication can include smart devices such as drones, as well as IoD infrastructure.
In this IoD model, it is assumed that there there are \(n\) users \(\left\{ {U_{1} ,U_{2} , \ldots ,U_{n} } \right\}, \) who belong to a communication group. The proposed scheme is primarily divided into three steps: user registration, authentication of group members, and group key agreement. Firstly, all users who want to participate in the application need to register with TA. TA is responsible for user management, including deletion of unregistered users and registration of new users. Upon completion of the registration process, TA assigns each user a unique secret token. Before engaging in actual communication, users are required to authenticate their identity to ensure the legitimacy of those intending to participate in group communications. Typically, if all users involved in the communication are legitimate members of the group and act honestly, the protocol executes successfully, meaning that only legitimate members of the same group can obtain the session key for that group. Otherwise, the protocol fails to execute, meaning that no secret information will be disclosed to the group members. Therefore, member authentication is necessary before establishing a group key. Group key negotiation refers to the collaborative process by which all members establish a shared key before participating in group communication, ensuring the confidentiality of data transmitted during the communication process.
The specific process of our model is briefly outlined below. Suppose that a group ring is formed \(m\) (i.e., \(2 \le m < n)\) members \( \left\{ {U_{{v_{1} }} ,U_{{v_{2} }} , \ldots ,U_{{v_{m} }} } \right\} \) in a certain fixed order as shown in Fig. 3, where \(m = 6\). First, interactive authentication is performed among all participating members to demonstrate their membership in the communication group. Specifically, each member broadcasts a randomly selected integer within the group. The generated value, obtained by inputting the key shared with other member and the received random value from this member into a hash function, serves as the authentication response for this member. This response value is then used to verify the identity of the member, that is, whether they belong to the same communication group. Subsequently, each member adds their secret share to the paired keys shared with their two neighboring members, and the resulting output value is broadcasted to the entire group. The group key is reconstructed by combining all the received values, and used for subsequent secure communication. Our solution employs lightweight operations, such as addition, to achieve group member authentication and group key negotiation. Most importantly, it is a noninteractive protocol that enables the construction of a group key without the need for direct interactions among the members. These significantly enhance the efficiency of our scheme, with a detailed analysis and discussion of the performance evaluation to be presented in “Analysis” section.
Security model
Considering the highly sensitive nature of the information collected in the IoD environment, the data transmitted by drones over open networks are vulnerable to security risks. Hence, ensuring that the presented group key negotiation protocol meets the security required for IoD is of utmost importance. This subsection presents the security model of our proposal, and the corresponding proof analysis process is provided in “Analysis” section.
Type of adversaries
This paper discusses two distinct forms of attacks: internal attacks and external attacks. Internal attacks refer to the attempts made by registered users, who have obtained tokens, to launch attacks by utilizing their own tokens with the aim of recovering the polynomial and gaining access to secret information. In contrast, external attacks involve illegal adversaries without valid tokens trying to generate valid tokens in order to impersonate legitimate members and gain access to information beyond their authorized knowledge.
Security features
To ensure a robust group key agreement, it is crucial to fulfill the following essential security criteria.

(1)
Correctness In the case where all members participating in group communication comply with to the protocol rules, the authentication of members and the correct recovery of the group key can be achieved.

(2)
Freshness of authentication response Each member is required to send a onetime response to other members within the group as proof of their identity, which is only used for this round of communication.
Freshness of group key The group key used in each session is unique to prevent malicious adversaries from exploiting a previously used key to deceive the system.
Freshness of the group key authentication The verification message utilized to validate the correctness of the group key is also disposable and cannot be reused.

(3)
Forward secrecy of group keys Users who have not taken part in the ongoing group communication are incapable of recovering the key that has been established solely for the current group communication.
Backward secrecy of group keys Participants in the current group communication are unable to retrieve previously used group key.
Security assessment
This section outlines the security assessment criteria that a group key agreement (GKA) protocol should meet. The specific standards are as follows:

Resistant to key compromise impersonation attack Even if a member \(U_{i}\)’s token is disclosed, an adversary cannot impersonate any legitimate group member when \(U_{i}\) is present, such as the adversary in a man in the middle (MITM) attack.

Key authentication Ensures that every group member is assured that no entities other than the current participants in the key negotiation can know the established session key.

Contributiveness Every group member is confident that their contribution, that is onetime key, has been used in computing the group key.

Knownkey security Even if a session key is compromised and disclosed to an adversary, they cannot derive the keys of other sessions based on that key.
At the same time, we can clearly see that in the IoD scenario, the authentication of group membership and the establishment of group keys also need to meet all the above security requirements, as follows:

(1)
Mutual authentication can be achieved through Group membership authentication;

(2)
Session key agreement can be achieved through Group key agreement;

(3)
Effectively interception for illegal login can be achieved through Freshness of authentication response;

(4)
Resist device loss attack and Resist physical attack can be achieved through Knownkey security;

(5)
Resist impersonation attack can be achieved through Resistant to key compromise impersonation attack;

(6)
Resist privileged insider attack It can be achieved by resisting inside attack;

(7)
Resist desynchronization attack can be achieved by ensuring Freshness of group key and group key authentication;

(8)
Forward and backward secrecy can be achieved by Forward and Backward secrecy of group keys.
Our proposed protocol
This paper presents an innovative approach for establishing secure sessions within the IoD environment, which is a lightweight group key agreement proposal with user authentication based on ring neighbors. It utilizes binary asymmetric polynomial for constructing group keys and primarily employs addition as the main mathematical operation. The detailed procedure of the scheme is illustrated in Fig. 4. The notations used in our protocol is shown in Table 1.
Analysis
This section will provide a detailed discussion and analysis of the security and performance of the presented scheme.
Security analysis
Firstly, a comprehensive analysis of the security features and two distinct attack scenarios discussed in “Security Model” section is conducted.
Security features
Theorem 1
(Correctness) The presented scheme can verify the legitimacy of the identities of all participants in group communication and then successfully negotiate a secret group key among them.
Proof
Membership authentication The value \(Auth_{i,j} = h\left( {k_{i,j} \parallel r_{j} } \right)\) for each member \(U_{{v_{i} }}\) to verify membership is calculated based on his token and selected random integer, which is used to verify the membership of \(U_{{v_{i} }}\) to \(U_{{v_{j} }}\). Only registered users possess secret tokens, making it impossible for unauthorized adversaries without tokens to pass identity authentication using counterfeit ones.
Group key establishment The correctness of this process is determined by the rules of addition operation. Since \(q_{{v_{i} }} = s_{i} + \left( {  1} \right)^{a} k_{i,i  1} + \left( {  1} \right)^{b} k_{i,i + 1} mod\;p,\;{\text{where}}\left\{ {\begin{array}{*{20}l} {if\;v_{i} < v_{i  1} ,\;then\;a = 0;} \hfill \\ {if\;v_{i} > v_{i  1} ,\;then\;a = 1,} \hfill \\ \end{array} } \right.\) and \( \left\{ {\begin{array}{*{20}l} {if} \hfill & {v_{i} < v_{{i + 1}} ,} \hfill & {then} \hfill & {b = 0;} \hfill \\ {if} \hfill & {v_{i} > v_{{i + 1}} ,} \hfill & {then} \hfill & {b = 1.} \hfill \\ \end{array} } \right. \) we can obtain \(\mathop \sum \limits_{i = 1}^{m} q_{{v_{i} }} \;mod\;p = \mathop \sum \limits_{i = 1}^{m} s_{i} \;mod\;p = K_{i}\),\( i = 1,2,\ldots,m.\)
Group key authentication After the group members compute the key, they further verify its correctness using the computation formula \(H(K_{1} L) = H(K_{2} L) = \cdots H(K_{i} L) = \cdots = H(K_{m} {}L{)}\bmod p. \) If all the equations are satisfied, it confirms the correctness of the obtained group key, allowing for subsequent secure communication.
Theorem 2
The presented scheme features security characteristics including freshness of authentication response, freshness of group keys and freshness of the group key authentication.
Proof
Freshness of authentication response The message \(Auth_{i,j} = h\left( {k_{i,j} \parallel r_{j} } \right)\), used to verify user identity authentication, is produced by employing a hash function on the combination of the paired key \(k_{i,j}\) and a random number \(r_{j}\). \(k_{i,j}\) is shared between user \(U_{{v_{i} }}\) and user \(U_{{v_{j} }}\), and \(r_{j}\) is selected by \(U_{{v_{j} }}\). As \(r_{j}\) is different for each session, it effectively withstands the replay attack from adversaries.
Freshness of group keys As shown in equation \(K = \mathop \sum \limits_{i = 1}^{m} s_{{i_{.} }} mod p\), the group key is derived from the secret input \(s_{i}\) of \(U_{{v_{i} }}\). Since \(s_{i}\) is randomly selected, it ensures the onetime nature of the group key \(K\). That is, our protocol meets the goal of Contributiveness.
Freshness of the group key authentication The verification message \(H(K_{i} L)\) is computed by applying a unidirectional hashing function to the sum of the secret inputs \(s_{i}\) of all members and the sum of random integers \(l_{i}\). The randomness of \(K_{i}\) and \(L\) ensures the freshness of the authentication message, making it impossible to authenticate the current key based on past messages.
Theorem 3
The proposed protocol achieves the backward and forward secrecy of group keys. i.e., the newly joined members cannot recover past group keys, and members who have left the group cannot access the future group keys.
Proof
Forward secrecy of group keys In each session, the group key \(K\) used for encrypting communication data is collaboratively generated by the members who are currently involved in the negotiation. Therefore, members who have already left are unable to obtain the random numbers required to establish the key, and thus cannot acquire the group key used for the current session. We can see that the group key is different in every session. In other words, each member involved in the current group is convinced that his/her contribution has been used to calculate the group key. Simultaneously, individuals outside the group are unable to fabricate the authentication response, as they lack knowledge of the current members' secret tokens. Furthermore, this group key establishment process can against inside and outside attacks (see Theorems 4 and 5). Therefore, the members who have left the group cannot access the future group keys.
Backward secrecy of group keys Similarly, the members who are currently involved in the session are also unable to access the random numbers required to establish the keys used in the past, which means they cannot be aware of the key used in previous group communications. The group key is exclusively known by the members who participated in its establishment process. We can see that the group key is different in every session. In other words, each member involved in the current group is convinced that his/her contribution has been used to calculate the group key. Simultaneously, individuals outside the group are unable to fabricate the authentication response, as they lack knowledge of the current members' secret tokens. Furthermore, this group key establishment process can against inside and outside attacks (see Theorems 4 and 5). Therefore, the newly joined members cannot recover past group keys.
Possible attacks
Theorem 4
(Inside Attack) In the case of \(h > 2t  2\), it is necessary to have a minimum of \(t\) internal attackers to restore the tokens. The polynomial \(F\left( {x,y} \right)\) of the proposed scheme can withstand a joint attack from up to \(t  1\) internal adversaries.
Proof
The internal attackers in our scheme are legitimate registered users who possess valid secret tokens. Asymmetric bivariate polynomial, \(F\left( {x,y} \right) = a_{0,0} + a_{1,0} x + a_{0,1} y + a_{1,1} xy + a{}_{2,0}^{{}} x^{2} + a{}_{0,2}^{{}} y^{2} + a_{1,2} xy^{2} + a_{2,1} x^{2} y + a{}_{2,2}^{{}} x^{2} y^{2} + \ldots + + a{}_{t  1,h  1}^{{}} x^{t  1} y^{h  1} mod p\), has \(th\) different coefficients. Each token \(\left\{ {s_{i} \left( y \right),s_{i} \left( x \right)} \right\}\) can be used to generate \(t + h\) linearly independent equations based on the coefficients of \(F\left( {x,y} \right)\), because \(s_{i} \left( y \right)\) is \(h  1\) degree and \(s_{i} \left( x \right)\) is \(t  1\) degree. If there are \(t  1\) users colluding jointly, \(\left( {t + h} \right)\left( {t  1} \right)\) equations can be obtained. Meanwhile, \(t  1\) colluding users also have \(2C_{2}^{t  1}\) pairs of secret keys. Therefore, they can obtain \(\left( {t + h} \right)\left( {t  1} \right)  2C_{2}^{t  1}\) linear independent equations. In order to make the colluding users unable to recover the bivariate polynomial \(F\left( {x,y} \right)\), it is essential to ensure that the number of linear independent equations owned by colluding adversaries cannot exceed the number of terms in polynomial \(F\left( {x,y} \right)\), that is \(th > \left( {t + h} \right)\left( {t  1} \right)  2C_{2}^{t  1}\). Simplifying the above inequality, we can get \(h > 2t  2. \) Accordingly, in the case of \(h > 2t  2\), it is impossible for \(t  1 \) colluding users to recover the original polynomial \(F\left( {x,y} \right)\). In other words, our scheme prevents at most \(t  1\) colluding users from recovering the polynomial \(F\left( {x,y} \right)\) and obtaining the secret. We can select appropriate values for \(t\) and \(h\) according to the security level requirements of the application scenario. As an example, in the case of \(n = t  1\), even if all users collude, the polynomial \(F\left( {x,y} \right)\) cannot be recovered. This situation belongs to informationtheoretic secure.
Here, it is evident that internal attackers are incapable of recovering the polynomial \(F\left( {x,y} \right)\), because, even if the token of member \(U_{i}\) is compromised, they still cannot obtain the tokens of other members and the corresponding paired shared keys. Thus, our protocol meets the goal of Resistant to key compromise impersonation attack.
Theorem 5
(Outside Attack) No confidential information can be obtained by external attackers.
Proof
Outside attacks refer to the attempts made by unauthorized adversaries without valid tokens to generate valid tokens in order to impersonate legitimate members and gain access to information they are not supposed to know. Suppose there is an external adversary attempting to acquire the group key by pretending to be an authentic group member. Before negotiating the group key, group members undergo identity verification with all other members. This is achieved by combining their secret inputs with paired keys shared with two neighbors, and broadcasting the resulting output to other members. Due to the absence of valid token, the external attacker is unable to pass the verification of other members. Furthermore, the shared keys among legitimate members are unknown to this adversary, preventing him from extracting any confidential information from the broadcasted messages. Consequently, external adversaries are incapable of recovering the group key or obtaining any confidential information associated with the key.
As a result, each group member is convinced that no other entities except all group members can learn the established session key, our protocol meets the goal of Key authentication. At the same time, combined with the freshness of group key, even if the adversary compromises one session key, he/she cannot compute other session keys, our protocol meets the goal of Knownkey security.
Performance evaluation
Many of the most recent schemes (Yang et al. 2023; Bai et al. 2022; Wang et al. 2022; Roy and Bhattacharya 2022) are designed to offer either user authentication or group key establishment independently. Such schemes require further membership verification and distribution of shared keys, in addition to necessitating multiple rounds of interactive communication and intricate calculations for encryption and decryption. Below, we first examine the performance characteristics of our protocol.

(1)
Function feature Compare with the existing schemes, ours achieves both member authentication and group key negotiation simultaneously. Users can verify the validity of their identity to other members based on the tokens received during registration, and negotiate a group key for secure communication. The secret token of each group member, \(\left( {s_{i} \left( y \right),s_{i} \left( x \right)} \right),\) required for member authentication and group key establishment, is generated using his unique public information, associated with each user, through an asymmetric bivariate polynomial. Therefore, the dynamic joining and exit of members can be flexibly realized.

(2)
Noninteractive feature According to the definitions of most communication protocols, “interactive communication” refers to one party acting in response to or in conjunction with another. In the protocol we propose, members do not need to “wait” for input from other members when sending message values to each other. In other words, there is no waiting time required for each member when computing and releasing values to others. This attribute is referred to as “noninteractive,” which can significantly speed up the communication process. Since our protocol employs broadcast transmission, a noninteractive method, it greatly enhances the efficiency of communication.

(3)
Constantround feature with low computation cost on each group member side The number of communication rounds is one of the main concerns for practical applications where the cardinality of group participants involved is considerable (Hu et al. 2019). It is critical to have fixed constant rounds in GKA protocols to secure these applications. About the difference of GKA protocols with constantround and the GKA protocols with linear or logarithmic rounds. We observe that in the kind of GKA protocols without constantround, computation overhead of the members are reduced remarkably at the price of enhancing the communication rounds. But the round efficiency of those constantround GKA protocols undoubtedly resulted in computational cost at the group member side in linear or logarithmic increasing when the cardinality of group members rising. In our proposed GKA protocol, it is easy to observe that the proposed GKA is a constantround protocol since the number of communication rounds where group members exchange their contributions is independent of the cardinality of group members. That is, the computational overhead at each group member's end does not increase linearly or logarithmically with the total number of group members. This is because each member always blends his/her secret input with two paired shared keys before transmitting the message value. This implies that the computation of this value is independent of the total number of group members. Hence, our constantround protocol achieves genuinely low computational overhead.

(4)
Lightweight encryption method Symmetric key encryption, which involves each pair of users sharing a symmetric key, ensures confidentiality. However, it encounters significant challenges in key distribution and management, leading to substantial communication and storage costs (Roy and Bhattacharya 2022). In contrast, publickey encryption offers confidentiality, authenticity, and nonrepudiation but incurs high computational costs due to large modulus and modular exponentiation operations, such as a minimum modulus size of 1024 bits for RSA (Rivest et al. 1978) encryption. To address these issues, researchers have designed optimized key establishment protocols (Yang et al. 2023; Bai et al. 2022) based on bilinear mappings and complexity assumptions, requiring operations such as modular exponentiation, pairing, and scalar multiplication. Due to concerns about the computational security of the PKC scheme, scholars have recently constructed some latticebased GKA schemes, which are not yet practical due to the high computational complexity. For example, GKA scheme constructed based on the LWE problem (Wang et al. 2022) generally only encrypts one bit at a time, and the ciphertext is composed of exponential matrix units or vector units. The conventional calculation between ciphertext bits and bits consumes a lot of time complexity and space complexity.
Compared to the high computational costs associated with publickey and latticebased operations, methods based on bivariate polynomials not only provide authentication and informationtheoretic security but also incur lower computational costs. Such methods are very efficient in offering authentication when compared to symmetric key distribution, which involves significant communication overhead. Moreover, a unique aspect of our group key establishment is the use of addition operations as the primary computational approach, truly achieving a lightweight computation and communication footprint.
In summary, the proposed scheme is lightweight, noninteractive, constantround and computationefficient. Table 2 presents the comparison between our scheme and the latest group key establishment proposals. It can be observed that the performance of our scheme is optimal. It has the advantages in storage, computation and communication cost. Specific analysis is as follows.
Storage cost
The storage requirement for each group member is determined by the bit length of the parameters and secret materials produced upon the complete execution of the protocol. In our scheme, each user will be assigned a token \(\left( {s_{i} \left( y \right),s_{i} \left( x \right)} \right)\) when registering with MRC, where \(s_{i} \left( y \right)\) is \(h  1\) degree, and \(s_{i} \left( x \right)\) is \(t  1\) degree. Consequently, each user is required to store \(t + h\) coefficients, which collectively occupy \(\left( {t + h} \right)\log_{2} p \) bits of memory. Here \(p\) represents a modulus significantly smaller than that of public key algorithms.
Computation cost
Since this protocol only involves two types of entities, the trusted center and the users, the computational overhead incurred by the users can be regarded as the computational cost of the protocol. Based on the Horner’s rule (Knuth 1981b), the calculation of a polynomial of degree \(t  1\) is equivalent to \(t  1\) multiplications and \(t\) additions. During the authentication phase, each member calculates (\(m  1\)) pairs of keys \(k_{i,j} = s_{vi} \left( {x_{vj} } \right) = F\left( {x_{vi} ,x_{vj} } \right)\) shared with other members in the group, which involves (\(m  1\)) polynomial computations. Then, each member executes \(m\) hash functions to authenticate his identity to other members and verify (\(m  1\)) other members. During the group key negotiation phase, each member combines their secret input with the keys shared with their neighbors using the addition operation and performs encryption on the resulting value. Then, based on the received broadcast messages, each member generates the group key through addition operation and verifies the key using a hash function.
Compared to the majority of existing security protocols, our scheme exhibits significantly lower computational complexity. Additionally, no matter how many users participate in the current group session, it will not affect the computational cost of members. As demonstrated in the aforementioned computation process, users only need the keys shared with their two neighbors in the group ring to recover the group key.
Communication cost
All communications during the Authentication stage are transmitted via broadcasting. A total of \(m\) integers \(r_{i}\) and \(m\left( {m  1} \right)\) responses are transmitted during this process, where \(i = 1,2, \cdots ,m\). The Group Key Agreement phase involves the transmission of \(m\) integers \(l_{i}\), \(m\left( {m  1} \right)\) ciphertexts, and \(m\) hash values.
The communication overhead of the presented scheme is evaluated by the bit length of the transmitted messages. These messages are obtained through modulo calculations based on polynomials, which effectively reduces the communication overhead. Furthermore, in scenarios with a substantial number of group members, the number of session rounds plays a crucial role in determining the communication complexity. Based on this, our protocol guarantees a fixed number of rounds for key negotiation, so as to achieve lightweight computational overhead for the user.
In summary, our protocol is noninteractive and lightweight, which can reduce the computing and communication burden of users while ensuring security.
Conclusion
We presented a new and lightweight construction of ringneighborbased user authentication and group key distribution for IoD. This protocol provides the identity verification of member and group key negotiation simultaneously, while realizing lightweight computational overhead for users. Specifically, no matter how many users participate in the current group session, it will not affect the computational cost of members. Additionally, it is a noninteractive proposal that employs broadcasting for data transmission. The comprehensive security analysis substantiates that this proposal is secure and satisfies all defined security requirements. Moreover, we conducted a performance analysis of the presented protocol, and the findings demonstrated its superior lightweight and efficient nature. Hence, our group secret key agreement scheme is absolutely attractive to the IoD environment.
Availability of data and materials
The data used to support the findings of this study are included within the article
References
Abualigah L, Diabat A, Sumari P et al (2021) Applications, deployments, and integration of internet of drones (IoD): a review. IEEE Sens J 21(22):25532–25546
Badshah A, Abbas G, Waqas M et al (2024) USAFIoD: ultralightweight and secure authenticated key agreement framework for internet of Drones environment. IEEE Trans Veh Technol
Bai L, Hsu C, Harn L et al (2022) A practical lightweight anonymous authentication and key establishment scheme for resourceasymmetric smart environments. IEEE Trans Dependable and Secure Comput
Boneh D, Lynn B, Shacham H (2001) Short signatures from the Weil pairing. In: Advances in cryptology—ASIACRYPT 2001: 7th international conference on the theory and application of cryptology and information security gold coast, Proceedings 7. Springer Berlin Heidelberg, pp 514–532
Burmester M, Desmedt Y (1994) A secure and efficient conference key distribution system. In: Advances in cryptology—EUROCRYPT'94: workshop on the theory and application of cryptographic techniques Perugia, Proceedings 13. Springer Berlin Heidelberg, p 199
Cheng Y, Agrawal Y (2005) A improved key distribution mechanism for largescale hierarchical wireless sensor networks. J Ad Hoc Netw 5(1):35–48
Cho G, Cho J, Hyun S et al (2020) SENTINEL: a secure and efficient authentication framework for unmanned aerial vehicles. Appl Sci 10(9):3149
Chor B, Goldwasser S, Micali S, Awerbuch B (1985) Verifiable secret sharing and achieving simultaneity in the presence of faults. In: Proceedings of the 26th IEEE symposium on the foundations of computer science, Oregon, pp 383–395
Cramer R, Damgard I, Dziembowski S, Hirt M, Rabin T (1999) Efficient multiparty computations secure against an adaptive adversary. In: Proceedings of 18th annual IACR EUROCRYPT, Prague, LNCS, Springer, vol 1592, pp 311–326
Cui J, Liu Y, Nallanathan A (2020) Multiagent reinforcement learningbased resource allocation for UAV networks. IEEE Trans Wirel Commun 19(2):729–743
Derhab A, Cheikhrouhou O, Allouch A et al (2023) Internet of drones security: taxonomies, open issues, and future directions. Veh Commun 39:100552
Desmedt Y, Frankel Y (1991) Shared generation of authenticators and signatures. In: Advances in cryptologycrypto’91, pp 457–569
Diffie W, Hellman M (1976) New directions in cryptography. IEEE Trans Inf Theory 22(6):644–654
Gope P, Sikdar B (2020) An efficient privacypreserving authenticated key agreement scheme for edgeassisted internet of drones. IEEE Trans Veh Technol 69(11):13621–13630
Gupta L, Jain R, Vaszkun G (2015) Survey of important issues in UAV communication networks. IEEE Commun Surv Tutor 18(2):1123–1152
Harn L, Lin C (2010) Authenticated group key transfer protocol based on secret sharing. IEEE Trans Comput 59(6):842–846
Hsu C, Harn L, Xia Z et al (2021) Noninteractive integrated membership authentication and group arithmetic computation output for 5G sensor networks. IET Commun 15(2):328–336
Hsu C, Harn L, Xia Z et al (2023a) Construction of lightweight authenticated joint arithmetic computation for 5G IoT networks. Comput J 66(1):208–220
Hsu C, Xia Z, Cheng T et al (2023) Extremely lightweight constantround membershipauthenticated group key establishment for resourceconstrained smart environments toward 5G. Comput J bxad023
Hsu C, Xia Z, Harn L et al. (2023) Ideal dynamic threshold multisecret data sharing in smart environments for sustainable cities. Inf Sci 119488
Hu X, Wu Y, Lu Z (2019) A survey of group key agreement protocols with constant rounds. ACM Comput Surv 52(3):1–32
Hussain S, Chaudhry SA, Alomari OA et al (2021) Amassing the security: an ECCbased authentication scheme for internet of drones. IEEE Syst J 15(3):4431–4438
Joux A (2000) A one round protocol for tripartite Diffie–Hellman. In: Algorithmic number theory: 4th international symposium, ANTSIV Leiden, Proceedings 4. Springer Berlin Heidelberg, pp 385–393
Katz J, Koo C, Kumaresan R (2008) Improved the round complexity of VSS in pointtopoint networks. In: Proceedings of ICALP '08, Part II, LNCS. Springer, vol 5126, pp 499–510
Knuth DE (1981a) The art of computer programming, seminumerical algorithms, vol II. Addison Wesley, Reading
Knuth DE (1981b) The art of computer programming, seminumerical algorithms, vol II. Addison Wesley, Reading
Kumaresan R, Patra A, Rangan CP (2010) The round complexity of verifiable secret sharing: the statistical case. In: Advances in cryptology—ASIACRYPT 2010, LNCS, Springer, vol 6477, pp 431–447
Laih CS, Lee JY, Harn L (1989) A new threshold scheme and its application in designing the conference key distribution cryptosystem. Inf Process Lett 32(3):95–99
Lin C, He D, Kumar N et al (2018) Security and privacy for the internet of drones: challenges and solutions. IEEE Commun Mag 56(1):64–69
Pu C, Wall A, Choo KKR et al (2022) A lightweight and privacypreserving mutual authentication and key agreement protocol for Internet of Drones environment. IEEE Internet Things J 9(12):9918–9933
Rivest RL, Shamir A, Adleman L (1978) A method for obtaining digital signatures and publickey cryptosystems. Commun ACM 21(2):120–126
Roy P K, Bhattacharya A (2022) A group keybased lightweight Mutual Authentication and Key Agreement (MAKA) protocol for multiserver environment. J Supercomput 1–28
Shamir A (1979) How to share a secret. Commun ACM 22(11):612–613
Sharma P, Purushothama BR (2022) BPMGKM: an efficient multigroup key management scheme based on bivariate polynomial. Comput Netw 216:109244
Srinivas J, Das AK, Kumar N et al (2019) TCALAS: Temporal credentialbased anonymous lightweight authentication scheme for Internet of drones environment. IEEE Trans Veh Technol 68(7):6903–6916
Tanveer M, Kumar N, Hassan MM (2021) RAMPIoD: a robust authenticated key management protocol for the Internet of Drones. IEEE Internet Things J 9(2):1339–1353
Tian Y, Yuan J, Song H (2019) Efficient privacypreserving authentication framework for edgeassisted Internet of Drones. J Inf Secur Appl 48:102354
Wang Z, Yang Z, Li F (2022) A two rounds dynamic authenticated group key agreement protocol based on LWE. J Syst Architect 133:102756
Yang Z, Wang Z, Qiu F et al (2023) A group key agreement protocol based on ecdh and short signature. J Inf Secur Appl 72:103388
Zhang Y, He D, Li L et al (2020) A lightweight authentication and key agreement scheme for Internet of Drones. Comput Commun 154:455–464
Acknowledgements
Not applicable.
Funding
This work was partially supported by the National Natural Science Foundation of China (Grants Nos. 62172181, 62272189, 62072133), the Fundamental Research Funds for the Central Universities (No. CCNU19TS019), the Research Planning Project of National Language Committee (No. YB13540) and the Research Initiation Project of Zhejiang Lab (No. 2022PD0AC02).
Author information
Authors and Affiliations
Contributions
All authors contributed equally to this work, including writing and revising the paper Lightweight Ringneighborbased User Authentication and Groupkey Agreement for Internet of Drones.
Corresponding author
Ethics declarations
Consent for publication
All authors consent to the publication of the manuscript.
Competing interests
The authors declare that they have no conflict of interest.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Zhao, Z., Hsu, C., Harn, L. et al. Lightweight ringneighborbased user authentication and groupkey agreement for internet of drones. Cybersecurity 7, 50 (2024). https://doi.org/10.1186/s42400024002473
Received:
Accepted:
Published:
DOI: https://doi.org/10.1186/s42400024002473