Secure Communications in Unmanned Aerial Vehicle Network

Abstract

The unmanned aerial vehicle (UAV) network has attracted much attention in industry and academia. However, a UAV as a vital information carrier and data relay platform is prone to various attacks. In this paper, we propose a secure communication scheme for UAV network. In our scheme, each drone maintains and manages an area in which the authorized devices can obtain a broadcast key without an online centralized authority. By employing the hierarchical identity-based broadcast encryption and pseudonym mechanism, all the devices in this system can broadcast encrypted messages anonymously and decrypt the legal ciphertext. The analysis shows that our scheme satisfies four important security properties of confidentiality, authentication, partial privacy-preservation and resistance to denial of service attacks. Experiments show that our scheme incurs a delay of only a couple of milliseconds.

A Proof of Theorem 2

In each result, we assume that \(\mathcal {A}\) makes \(q_{h_i}\) queries to the hash function \(H_i\) for \(i \in \{0,1\}\). The numbers of queries for \(Q_1\) and \(Q_2\) are denoted by \(q_1\) and \(q_2\), respectively.

Proof

The \(\mathcal {C}\) first obtains a q-BDHIP problem instance, \((g, g^\alpha , g^{\alpha ^2}, \dots , g^{\alpha ^{q-1}})\), to generate some pairs \((c_i,g^{\frac{1}{c_i+\alpha }})\) to use as key pairs. Then, \(\mathcal {C}\) proceeds as follows.

1. 1.

   \(\mathcal {C}\) first randomly picks \(w_1, w_2, \dots , w_{q-1} \in \mathbb {Z}^*_p\) and expands \(f(z)=\prod ^{q-1}_{i=1}(z+w_i)\) to \(f(z)=\varSigma ^{q-1}_{i=0}a_iw^i\), where \(a_i\) is the coefficient of expansion. Then, \(\mathcal {C}\) randomly chooses an \(\ell \in \{1,\dots , q_{h1}\}\) and let \(I_i = I_{\ell }-w_i\).

2. 2.

   \(\mathcal {C}\) sets \(\tilde{g}=g^{\prod ^{q-1}_{i=0}c_i\alpha ^i}=g^{f(\alpha )} \in G\) and generates the value \(\tilde{g}^{\alpha } = g^{\prod ^{q}_{i=1}c_i\alpha ^i}\).

3. 3.

   For any \(1 \le i \le q-1\), \(\mathcal {C}\) defines \(f_i(z)=f(z)/(z+w_i)\); therefore,

   $$\begin{aligned} \tilde{g}^{\frac{1}{w_i+\alpha }}=g^{f(\alpha )\frac{1}{w_i+\alpha }}=g^{f_i(\alpha )} \end{aligned}$$

   And the key pair can be computed as \((w_i,\tilde{g}^{\frac{1}{\alpha +w_i}})\) where \(i \in \{0,1,\dots ,q_{h_1} \ell \}\) in the initial phase. The system public key can be computed as \(\tilde{g}^{-\alpha -I_{\ell }}\). Set x = \(-\alpha - I_{\ell }\) which is also a secret value for \(\mathcal {C}\). For i \(\in \) \([0,q]\setminus \ell \), we have \((I_i,\tilde{g}^{\frac{-1}{w_i+\alpha }})\) = \((I_i, \tilde{g}^{\frac{1}{I_i+x}})\).

Then, \(\mathcal {C}\) prepares for \(\mathcal {A}\)’s queries. For simplicity, we assume that the queries for hash functions are distinct and that any queries involving an ID have been made to the \(H_1\) in advance. The \(\mathcal {C}\) simulates the hash function \(H_1, H_2, H_3\) as follows.

• \(H_1\) query: \(\mathcal {C}\) maintains a list \(L_1\) for this random oracle. For the \(\iota \)-th query of any user or drone(we denote this identity as \(ID_{\iota }\)), \(\mathcal {C}\) responds with \(I_{\iota }\) and records (ID, \(I_{\iota }\), \(\iota \)) as the \(\iota \)-th entity in \(L_1\).

• \(H_2\) query: \(\mathcal {C}\) maintains a list \(L_2\) for this random oracle. For an input (M, r) \(, CH\) chooses a random number \(h_2\). For subsequent queries, \(\mathcal {C}\) runs the random oracle \(H_3\) to obtain \(H_3(r) = h_3\) and stores \((M, r, c = M \bigoplus H_3, h_2, \gamma =re(g, g)^{h_2})\) as an entity in \(L_2\).

• \(H_3\) query: The \(\mathcal {C}\) maintains a list \(L_3\) for this random oracle. For an input \(r \in \mathbb {G}_T\), \(\mathcal {C}\) chooses a random number \(h_3\) and responds. \(\mathcal {C}\) then stores \((h_3,r)\) in \(L_3\).

The Corrupt query for identities is simulated as follows. For a user’s identity, \(\mathcal {C}\) first checks whether the input \(ID_{\iota }\) satisfies the condition that \(\iota \) is equal \(\ell \). If so, it aborts; otherwise, it outputs \(I_{\iota } = H_1(ID_{\iota })\) and \(\tilde{g}^{\frac{1}{I_{\iota }+x}}\), as the user ID’s long-term key pair. For a \(\mathcal {D}\)’s identity, \(\mathcal {C}\) checks whether the input \(ID_{\iota }\) is equal to \(\ell \). If so, it aborts; otherwise, it outputs \(I_{\iota } = H_1(ID_{\iota })\) and \(\tilde{g}^{\frac{1}{I_{\iota }+x}}\) as the \(\mathcal {D}\)’s long-term key pair.

For \(Q_1\) query, the identity is defined as \((ID_u)\), respectively, for any \(u \in [1,q_{h_1}]\). If \(u \ne \ell \), \(\mathcal {C}\) can generate the sign-encrypted messages according to the protocol specification because \(\mathcal {C}\) knows \(ID_u\)’s private key. When \(u = \ell \), \(\mathcal {C}\) knows the \(ID_{\iota }\)’s private key \(\tilde{g}^{\frac{1}{I_{\iota }+x}}\). \(\mathcal {C}\) first picks two random numbers \(t, h \in \mathbb {Z}^*_p\) and computes \(S = g^{t\frac{1}{I_{\iota }+x}}\), \(T = g^{t\alpha -h(I_{\iota }-\alpha -I_{\ell })}\).

It is easy to verify the equality

$$\begin{aligned} e(T, \tilde{g}^{\frac{1}{I_i+x}})=e(S, \tilde{g}^{\alpha })e(g, \tilde{g})^{-h} \end{aligned}$$

We should note that, in this step, the value r = \(e(T, \tilde{g}^{\frac{1}{I_i+x}})\) is different in the hash function \(H_2\); consequently, \(\mathcal {C}\) will fail if this message has been queried to \(H_2\) previously. The ciphertext C is defined as (\(M\bigoplus h_3(r), S, T)\).

We describe how to simulate the \(Q_2\) query as follows. We assume that the ciphertext is (c, S, T) and the identities is \((ID_u,ID_{\iota })\). If \(\iota \ne ell\), then \(\mathcal {C}\) can decrypt the messages because it knows \(ID_{D}\)’s private key. Then, \(\mathcal {C}\) can generate the response by following the response phase procedure. If \(\iota = \ell \), because \(u \ne \ell \), \(\mathcal {C}\) has the user’s private key and, for all valid ciphertext, \(h = H_2(M,r)\) and \(ID_{D}\)’s public key is \(\tilde{g}^{\alpha }\). Therefore, the following equation holds:

$$\begin{aligned} e(T,\tilde{g}^{\frac{1}{I_u+x}})=e(S,\tilde{g}^{\alpha })e(g^{I_{u}-\alpha -I_{\ell }},\tilde{g}^{\frac{1}{I_u+x}})^{-h} \end{aligned}$$

\(\mathcal {C}\) next computes the value \(\gamma \) = \(e(S,\tilde{g}^{\frac{1}{I_u+x}})\) and then searches the \(L_2\) to find the entities \((M_i,r_i,h_{2,i}, c_i, \gamma )\) where \(i \in [1,\dots ,q_{h_2}]\). If no entity is found, \(\mathcal {C}\) rejects this ciphertext. Then, for any entity satisfying this condition, \(\mathcal {C}\) checks whether the entity satisfies the following equation:

$$\begin{aligned} e(T,\tilde{g}^{\frac{1}{I_u+x}})=e(S,\tilde{g}^{\alpha }){e(g^{I_u - \alpha - I_{\ell }}, \tilde{g}^{\frac{1}{I_u+x}})}^{-h_{2,i}}. \end{aligned}$$

If any unique i is found, then it outputs \((M_i,h_{2,i})\) and generates a response based on the decrypted message \((M_i,h_{2,i})\). We should note that the Reveal query can be responded to with the value \((M_i,h_{2,i})\).

To run a \(Reveal(\pi ^i_U)\) query, \(\mathcal {C}\) returns the session key to \(\mathcal {A}\) invoked in \(\pi ^i_U\).

To run a Test query for some instances \(\pi ^i_{U_i}\) with a \(\mathcal {D}\) identity of \(ID_{D}\), if \(ID_{D} \ne ID_{\ell }\), \(\mathcal {C}\) aborts. Otherwise, \(\mathcal {C}\) pick a random \(\zeta \in \mathbb {Z}^*_p\), \(c \in {0,1}^{n}\), \(S \in G\), \(T = g^{-\zeta }\) and returns the ciphertext (c, S, T). Because \(\zeta \) = \(\rho \alpha \), it is easy to see that T = \(g^{-\alpha \rho }\) = \( g^{(I_{\ell }+x)\rho }\). Consequently, the r corresponding to this T satisfies \(r = e(g,\tilde{g})^{\rho }\). The \(\mathcal {A}\) cannot distinguish whether this ciphertext is valid unless he can query \(H_2\) or \(H_3\) with the value r. Therefore, if \(\mathcal {A}\) can win in the game with a non-negligible probability, he has queried this value (probably from \(H_2\) or \(H_3\)). Therefore, \(\mathcal {C}\) can guess the right r in \(H_2\) or \(H_3\) with probability \(1/(q_{h_2} + q_{h_3})\) and solve the q-BDHIP by computing \(e(g,g)^{\frac{1}{\alpha }}\) = \((r^{\frac{1}{\zeta }}/(\prod ^{q-1}_{i=1}e(g,g^{\alpha ^{i-1}})^{c_i}))^{\frac{1}{c_0}}\) = \((e(g,g)^{\frac{f(\alpha )}{\alpha }}/e(g,g^{\prod ^{q-1}_{i=1}c_i\alpha ^{i-1}}))^{\frac{1}{c_0}}\).

In conclusion, we note that the simulation will fail under the following conditions. Event1: The \(\mathcal {D}\)’s identity for the Test query is not \(ID_{\ell }\), with probability \(1-1/q_{h_1}\). Event2: The \(\mathcal {C}\) aborts because an \(H_2\) collision occurs in a \(Q_1\) query; this probability is \(q_{1}\frac{q_{1}+q_{h_2}}{2^k}\). Event3: The \(\mathcal {C}\) rejects a valid ciphertext because it cannot simulate the corresponding private key; the probability is \(\frac{q_{2}}{2^{\lambda }}\). Consequently, the overall probability that \(\mathcal {A}\)’s advantage will win the game is

$$\begin{aligned} Pr[\lnot \texttt {Event1}:|\lnot \texttt {Event2}:|\lnot \texttt {Event3}:] = \frac{1}{q_{h_1}} (1-(q_{1}\frac{q_{1}+q_{h_2}}{2^k})(1-\frac{q_{2}}{2^{\lambda }})) \end{aligned}$$

   \(\square \)