Design of Secure Handover Authentication Scheme for Urban Air Mobility Environments

Urban air mobility (UAM) is a future air transportation system to solve the air pollution and movement efficiency problems of the traditional mobility system. In UAM environments, unmanned aerial vehicles (UAV) are used to transport passengers and goods, providing various convenient services such as package delivery, air bus, and air taxi. However, UAVs communicate with ground infrastructures through open channels that can be exposed to various security attacks. Therefore, a secure mutual authentication scheme is necessary for UAM environments. Moreover, handover authentication is also necessary to ensure seamless communication when the service location is changed. In this paper, we design a secure and efficient handover authentication scheme for UAM environments considering various security vulnerabilities and efficiency using elliptic curve cryptography (ECC). We utilize informal security analysis, Real-or-Random (RoR), Burrows–Abadi–Needham (BAN) logic, and Automated Validation of Internet Security Protocols and Applications (AVISPA) to prove the security of the proposed scheme. Furthermore, we compare the computation and communication costs of the proposed scheme with those of other related schemes. The results show that the proposed scheme is secure and efficient for UAM environments.


I. INTRODUCTION
Urban air mobility (UAM) [1], [2] is a future air transportation system that uses a low-altitude airspace as a path of movement. This transportation system can overcome problems of traditional urban traffic systems such as vehicles and railroads. With the rapid increase in vehicles and logistics, the movement efficiency of the urban transportation system has been decreasing due to urban concentration. In addition, there has been a high increase in urban air pollution problems because traditional vehicles use fossil fuels [3]. These existing problems of traditional urban transportation systems can be solved in UAM environments as follows. First, 3D airspace is used as a movement path in UAM environments, increasing the amount of traffic in the same space compared to existing transportation systems. Thus, the movement efficiency can be increased in UAM environments. Second, UAM environments use "electric Vertical Take-Off and Landing (eVTOL)" technology that performs a flight mission only with electric motors [4]. Compared with traditional vehicles that use fossil fuels, eVTOL technology can provide low emission and noise. Therefore, the urban air pollution problem can be solved in UAM environments. Accordingly, UAM environments are expected to change the paradigm of the mobility industry, and research for this future transportation system has been proposed [5], [6].
The associate editor coordinating the review of this manuscript and approving it for publication was Ilsun You.
To use the airspace as a path, an unmanned aerial vehicle (UAV) is used for transportation in UAM environments. A UAV, i.e. drone, is an aircraft that does not have a pilot on board. In a UAV, there are various modules including communication, sensor, actuator, computing power, energy supply and recorder [7]. The UAV uses these modules to collect the surrounding information and communicates with the ground controller to receive navigation and environment broadcasting services. Recently, UAV technology has improved due to the development of eVTOL and battery technologies. Moreover, autonomous flight for UAVs has been researched due to the development of information and communication technologies (ICT) [8]. Figure 1 indicates the general structure of a UAV. In UAM environments, it is necessary to control many UAVs and support seamless communications simultaneously. "Internet of Drones (IoD)" [9] is an architecture designed to provide controlled airspace with coordinated access. In the IoD environments, there are two entities: UAVs and zone service providers (ZSPs). To join in the network, both UAVs and ZSPs register to the central ground station server (GSS). ZSPs act as base stations managing specific areas and providing UAVs with information of navigation and surrounding environment. If a UAV enters a ZSP zone, the ZSP provides the UAV with flight information including identity and navigation services. With the information, UAVs can perform flight missions to people such as package delivery, air bus, and air taxi. Figure 2 shows the proposed system model for UAM environments.
VOLUME 10, 2022. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Although UAM environments can provide people with convenient services, there are still several issues. In UAM environments, UAVs communicate with ZSPs using wireless channels which can be exposed to various security vulnerabilities. If an adversary hijacks and replays messages to another UAV, it can confuse the entire transportation system. If an adversary obtains the verification table of the server, the adversary can try to communicate with UAVs using this information. Moreover, handover authentication is necessary to overcome each ZSP's geographical coverage limit and support seamless communication services for UAVs. If there is no handover authentication in UAM environments, each UAV must perform a new authentication process every time it enters the service area of another ZSP. This can cause inefficiency of the entire network, and it is necessary to manage the information securely in the authentication process. Thus, we design a mutual authentication and handover authentication scheme for UAM environments to ensure security and efficiency.

A. CONTRIBUTION
Contributions of this paper are as below.
• We design a mutual authentication and handover authentication scheme for UAM environments. To ensure a secure key agreement process, we use elliptic curve cryptography (ECC) in our scheme. The handover authentication phase of our proposed scheme provides lower computation costs than the initial mutual authentication phase. Moreover, the proposed scheme supports a UAV revocation process when a ZSP detects a malicious or misbehaving UAV.
• We analyze the security of the proposed scheme using informal security analysis, Real-or-Random (RoR) model [10], and Burrows-Abadi-Needham (BAN) logic [11]. We also simulate the proposed scheme utilizing Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation tool [12].
• We estimate and compare computation and communication costs of the proposed scheme with other related schemes.

B. ORGANIZATION
We introduce the existing authentication schemes for IoD environments and handover schemes in Section II. The system model, adversary model, and basic concept of ECC are described in Section III. Then, we propose a handover authentication scheme in Section IV. To prove the security and estimate the performance of the proposed scheme, we utilized formal and informal analyses in Section V and Section VI. Finally, we conclude and summarize the proposed scheme in Section VII.

II. RELATED WORKS
The basic concept of IoD was first proposed by Gharibi et al. [9]. They presented the conceptual layered network architecture for UAVs. With this network model, UAVs can provide users with various services such as package delivery, traffic surveillance, and rescue. Moreover, Gharibi et al. demonstrated that IoD environments can be exposed to jammed broadcast messages and airspace clogging. Building on Gharibi et al.'s scheme, various UAV authentication schemes have been proposed for IoD environments. Lin et al. [13] presented security and privacy challenges in IoD such as denial of service (DoS), spoofing, and data injection attacks. They also proposed a solution to provide privacy using identity-based encryption (IBE). Cho et al. [14] suggested an authentication scheme for UAV in IoD environments. Cho et al. utilized digital signatures to verify each other's certificate. However, Jan et al. [15] found that Cho et al.'s scheme can be vulnerable to privileged insider and verification table leakage attacks, and does not provide dynamic UAV addition and revocation phases. Jan et al. [15] proposed an authentication scheme considering these vulnerabilities using symmetric encryption. The above schemes [13]-[15] can provide convenient services such as weather forecasting and target tracking, but they are limited in long-distance flights because they did not consider handover processes.
To provide users with secure and seamless communications, handover authentication schemes have been proposed for smart cities and vehicular network environments. Kumar and Om [16] suggested an authentication scheme for 5G-WLAN networks to achieve a handover process between small cell base stations and mobile devices. They used bilinear pairings to provide secure device-to-device communication and privacy to users. However, Kumar et al.'s scheme requires high computation resources due to using bilinear pairings. Wang et al. [17] proposed a V2I authentication scheme in vehicular ad hoc network (VANET). In Wang et al.'s scheme, blockchain was utilized to record the attribute and trustworthiness of each vehicle. Zhou et al. [18] proposed an authentication and key agreement scheme in VANET environments to ensure user privacy and data confidentiality. They claimed that their scheme can provide a secure seamless communication and service in large-scale service-oriented VANET using ECC and XOR operations. However, ZakeriKia et al. [19] discovered that Zhou et al. [18]'s scheme can be vulnerable to impersonation and man-in-the-middle attacks and has an inefficient searching method. Therefore, ZakeriKia et al. proposed an enhanced handover authentication scheme to be suitable for vehicular sensor network environments. However, ZakeriKia et al.'s scheme [19] can be vulnerable to DoS attacks because several messages do not use fresh timestamps in the authentication scheme. Considering the above schemes [16]-[19], we design a handover authentication scheme which is secure and efficient for UAM environments.

III. PRELIMINARIES
In this section, we introduce the system model of the proposed protocol and describe the basic concept of ECC and security challenges for UAM environments.

A. SYSTEM MODEL
The system model of the proposed scheme consists of ground station server (GSS), control room (CR), ZSPs, and UAVs, which are represented in Figure 2. Details are as below.
• GSS: The GSS is a main server that manages the identity information of UAVs and ZSPs. Therefore, the GSS can make a revocation list of misbehaving UAVs. The GSS has a high computation power and storage capacity. We define that the GSS is a trusted entity.
• CR: The CR has full authority over this network and manages the GSS.
• ZSPs: A ZSP is deployed in a specific zone and provides UAVs with useful services such as surrounding information and navigation services. Furthermore, the ZSP supports a handover service when the UAV moves to a service area of another ZSP. The ZSP is a trusted entity and has enough computation and storage capacities.
• UAVs: A UAV is an aircraft capable of autonomous flight. After authentication with ZSP, the UAV performs various convenient services for people such as package delivery, air taxi, and air subway. The UAV has restricted computation and storage capacities.

B. ADVERSARY MODEL
In this paper, we follow the well-known adversary model named the "Dolev-Yao threat model" [20]. In this model, an adversary can control all messages exchanged via an open channel by eavesdropping on, modifying, intercepting, and deleting them. In addition, the adversary can obtain ephemeral parameters or the master key of the GSS under the "Canetti-Krawczyk threat model" [21]. Therefore, an adversary can try various security attacks as follows.
• An adversary attempts to obtain and threaten the UAV's privacy and traceability.
• An adversary tries to impersonate as a legitimate UAV and communicate with the nearby ZSP.
• An adversary can execute various security attacks such as man-in-the-middle, privileged insider, verification table leakage, and replay attacks [22].

C. ELLIPTIC CURVE CRYPTOGRAPHY
Elliptic curve cryptography (ECC) is a public key cryptosystem using an elliptic curve [23]. Over a large finite field where p and q are large prime integers and 4c 3 + 27 2 = 0. Then, we select a subgroup $G$, a base point $P \in G$, and an integer $k \in Z_q$. The point multiplication $k \cdot P$ and mathematical security of ECC are represented as below.
$k \cdot P = P + P + P + \dots + P$ ($k$ times)
• Elliptic curve discrete logarithm (ECDL) problem: It is difficult to calculate and obtain the integer $k$ from $k \cdot P$, where $k \in Z_q$.
• Elliptic curve decisional Diffie-Hellman (ECDDH) problem: It is difficult to decide $k \cdot m \cdot P \stackrel{?}{=} n \cdot P$ when $k \cdot P$, $m \cdot P$, and $n \cdot P$ are given ($k, m, n \in Z_q$).
• Elliptic curve computational Diffie-Hellman (ECCDH) problem: It is difficult to calculate $k \cdot m \cdot P$ if $k \cdot P$ and $m \cdot P$ are given, where $k, m \in Z_q$.

IV. PROPOSED SCHEME
The proposed scheme consists of initialization, UAV registration, initial authentication, handover authentication, dynamic UAV addition, and UAV revocation phases. Table 1 defines the notations used in our scheme.

A. INITIALIZATION PHASE
To construct the whole network system, GSS initializes UAM environments and publishes public parameters. Therefore, GSS selects an elliptic curve $E(a, b): y^2 = x^3 + ax + b$, a base point $P$, a hash function $h(\cdot)$ and a master key $k$. Then, GSS publishes the public parameters $h(\cdot)$, $E(a, b)$, $P$. Moreover, GSS registers ZSP and deploys it in specific zones. Firstly, GSS selects an identity $ID_j$ and generates a random number $r_{sj}$. Then, GSS computes $S_j = h(ID_j \| r_{sj} \| k)$ and stores $\{ID_j, r_{sj}\}$ in its secure database. To provide a secure handover process, GSS also computes $k_{12} = h(ID_j \| ID_{j2} \| k)$ as a shared secret of ZSP and $ZSP_2$, which is located near the ZSP. GSS sends $\{ID_j, k_{12}, S_j\}$ to the ZSP via a secure channel. The ZSP selects a secret key $k_j$, computes its public key $Pub_j = h(S_j \| k_j) \cdot P$, and stores $\{S_j\}$ in its database. Finally, the ZSP broadcasts $\{Pub_j, ID_j\}$ in its management area.

B. UAV REGISTRATION PHASE
A UAV must register in GSS to join in UAM network system. Figure 3 indicates the UAV registration phase and details are as below.
Step 1: The UAV selects an identity $ID_i$, a random number $dr_i$ and sends $\{ID_i, dr_i\}$ to GSS through a secure channel.
Step 2: After receiving the message $\{ID_i, dr_i\}$ from the UAV, GSS generates a random number $r_i$ and computes , and a public key $Pub_i = d_i \cdot P$ for the UAV. Then, GSS stores $\{DID_i, dr_i, RID_i\}$ and returns a message $\{DID_i, Pub_i, d_i\}$ to the UAV via a secure channel.
Step 3: The UAV stores $\{DID_i, d_i\}$ in its memory.

C. INITIAL AUTHENTICATION PHASE
To perform various services such as package delivery, air taxi, and air bus, the UAV initially authenticates with a ZSP to prove its identity and establish a session key. Therefore, the UAV sends a request message to ZSP. We represent the initial authentication phase in Figure 4 and details are as below.
Step 1: The UAV generates a random nonce r 1 and a timestamp T 1 . Then, the UAV computes
Step 2: When the ZSP receives the message MSG 1 from the UAV, the ZSP firstly checks |T c − T 1 | < T and computes PD * = V * 1 , the ZSP generates a random nonce r 2 , a timestamp T 2 , and an expiration time E i of the UAV and computes
Step 3: Upon receiving the message MSG 2 , the UAV checks |T c −T 2 | < T and computes DZ * . Then, UAV checks the validity of V 2 ? = V * 2 and stores {E i } in the memory.

D. HANDOVER AUTHENTICATION PHASE
If the UAV leaves the current ZSP ($ZSP_1$) region, $ZSP_1$ must support the handover service to the UAV and the next ZSP ($ZSP_2$). Figure 5 indicates the handover authentication phase of the proposed scheme and presents the details below.
Step 1: The UAV generates a random nonce r 3 and a timestamp T 3 . Then, the UAV computes
Step 3: Here, the ZSP 1 firstly checks |T c − T 4 | < T and computes } through an open channel.
Step 5: The UAV checks |T c − T 6 | < T and computes = V * 6 is correct, the handover phase is successful.

E. DYNAMIC UAV ADDITION PHASE
The proposed scheme supports an additional UAV service. Details are presented below.
Step 1: The UAV selects an identity $ID_i^n$, a random number $dr_i^n$ and sends $\{ID_i^n, dr_i^n\}$ to GSS through a secure channel.

V. SECURITY ANALYSIS
In this section, we analyze our scheme using RoR model, BAN logic, and AVISPA simulation tool. Furthermore, we prove that the security of our scheme is robust against various security attacks using informal analysis.

A. INFORMAL ANALYSIS
We analyze the security of our scheme using informal analysis. The proposed scheme can prevent various security attacks such as replay, man-in-the-middle, session key disclosure, impersonation, privileged insider, verification table leakage, DoS, and known session-specific temporary information attacks. Moreover, the proposed scheme can also ensure anonymity, untraceability, perfect forward secrecy, and mutual authentication.

1) REPLAY AND MAN-IN-THE-MIDDLE ATTACKS
Suppose that an adversary intercepts messages $MSG_1$, $MSG_2$, $MSG_3$, $MSG_4$, $MSG_5$, and $MSG_6$ and replays them in another session. However, these messages include timestamps $T_1$, $T_2$, $T_3$, $T_4$, $T_5$, $T_6$ and each entity checks the freshness of the messages. Moreover, ZSPs can verify the freshness of request messages $MSG_1$ and $MSG_3$ using the expiration time $E_i$. Thus, the proposed scheme can prevent replay and man-in-the-middle attacks.

2) IMPERSONATION ATTACK
An adversary intercepts all messages and tries to impersonate a UAV $D_U$. To act as $D_U$, the adversary must calculate the secret parameter $DID_i = h(ID_i \| r_i \| k)$. However, the adversary cannot obtain $DID_i$ because $r_i$ and $k$ are a random number and the master key of GSS, respectively. Therefore, the adversary cannot calculate the initial authentication request message $MSG_1$ and handover request message $MSG_3$. For this reason, the proposed scheme is secure against impersonation attacks.

3) PRIVILEGED INSIDER ATTACK
Suppose that a privileged insider obtains the registration request message $\{ID_i, dr_i\}$ of a UAV $D_U$. However, the adversary cannot calculate the session key $SK = h(DZ_1 \| T_2 \| z_{ij} \| DID_i \| ID_j)$ because $z_{ij}$ is composed of $D_U$ and secret keys of ZSP. In the handover authentication phase, the adversary must calculate $DZ_2 = r_3 \cdot r_4 \cdot P$, which is under the ECDL problem. Therefore, the proposed scheme is resistant to privileged insider attacks.

4) VERIFICATION TABLE LEAKAGE ATTACK
If an adversary obtains the verification table $\{ID_j, r_{sj}\}$, $\{ID_i, d_i\}$ stored in GSS, the adversary can attempt to calculate the session key $SK$ of the UAV $D_U$. However, the adversary cannot calculate $SK = h(DZ_1 \| T_2 \| z_{ij} \| DID_i \| ID_j)$ without knowing the secret key of $D_U$ and ZSP because $z_{ij}$ is composed of $k_j$ and $d_i$. Moreover, the adversary cannot obtain the session key $SK_{new} = h(DZ_2 \| T_6 \| DID_i \| ID_{j2})$ in the handover authentication phase without knowing $DID_i$. Therefore, the proposed scheme is secure against verification table leakage attacks.

5) DOS ATTACK
We can assume that an adversary intercepts all of authentication request messages and sends them to the ZSPs concurrently. Recall, there is a timestamp to check the freshness of each message. Moreover, each message includes the real identity of the ZSP and the ZSP can filter the invalid message out. Therefore, the proposed scheme can prevent DoS attacks.

6) SESSION-SPECIFIC RANDOM NUMBER LEAKAGE ATTACK
Assume that an adversary obtains random nonces $r_1$, $r_2$, $r_3$, and $r_4$. However, the adversary cannot calculate the session key $SK = h(DZ_1 \| T_2 \| z_{ij} \| DID_i \| ID_j)$ and $SK = h(DZ_2 \| T_6 \| DID_i \| ID_{j2})$ because the adversary cannot reveal $z_{ij}$ and $DID_i$. Therefore, the proposed scheme defends against session-specific random number leakage attacks.

7) ANONYMITY AND UNTRACEABILITY
In our scheme, each message utilizes temporary identities $TID_i$ and $HID_i$, which change dynamically every session. As a result, the adversary cannot identify the real identity $ID_i$ of the UAV during the initial and handover authentication phases. Therefore, the proposed scheme can ensure anonymity and untraceability.

8) PERFECT FORWARD SECRECY
If an adversary obtains the master key $k$ of GSS and messages $MSG_m$ ($m = 1, 2, 3, 4, 5, 6$) of the previous session, the adversary can try to calculate the session key $SK$ of UAV $D_U$. However, the adversary cannot calculate $SK$ because $DZ_1$ and $DZ_2$ are based on the ECDL problem. Furthermore, the secret keys of $D_U$ and ZSP are necessary to calculate $z_{ij} = d_i \cdot k_j \cdot P$. Therefore, the adversary has no advantage and this means that the proposed scheme provides perfect forward secrecy.
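Added example (not from the paper or its authors): the handover key agreement that the analysis above relies on, $DZ_2 = r_3 \cdot r_4 \cdot P$ and $SK_{new} = h(DZ_2 \| T_6 \| DID_i \| ID_{j2})$, built on the point multiplication of Section III-C, with the leakage cases checked against it. Assumptions: the secp256k1 curve, SHA-256 as h(.), length-prefixed field encoding, all helper names and sample values, and that both sides already hold $DID_i$; the text above does not fix any of these.

```python
import hashlib
import secrets

# Assumed curve: secp256k1 (the paper does not name one). y^2 = x^3 + 7 over F_p.
P_FIELD = 2**256 - 2**32 - 977
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G


def on_curve(pt):
    """True if pt = (x, y) satisfies the curve equation."""
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_FIELD == 0


def ec_add(p1, p2):
    """Point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_FIELD, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD)
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return x3, (lam * (x1 - x3) - y1) % P_FIELD


def ec_mul(k, pt):
    """k . P = P + P + ... + P (k times), by double-and-add.
    Not constant time: fine for a demonstration, not for production keys."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def h(*fields):
    """h(a || b || ...) using SHA-256 (assumed hash). Each field is
    length-prefixed so the concatenation cannot be re-split ambiguously."""
    d = hashlib.sha256()
    for f in fields:
        d.update(len(f).to_bytes(4, "big") + f)
    return d.digest()


def encode(pt):
    """Fixed-width encoding of an affine point for hashing."""
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def ephemeral():
    """Fresh nonce r in [1, N-1] and the point r . P sent over the open channel."""
    r = secrets.randbelow(N - 1) + 1
    return r, ec_mul(r, G)


def sk_new(own_nonce, peer_point, t6, did_i, id_j2):
    """SK_new = h(DZ_2 || T_6 || DID_i || ID_j2), DZ_2 = own_nonce . peer_point."""
    if peer_point is None or not on_curve(peer_point):
        raise ValueError("peer point rejected: not on the curve")
    return h(encode(ec_mul(own_nonce, peer_point)), t6, did_i, id_j2)


def handover_demo():
    # Constructed sample values, not taken from the paper.
    k = secrets.token_bytes(32)                          # GSS master key
    did_i = h(b"UAV-001", secrets.token_bytes(20), k)    # DID_i = h(ID_i||r_i||k)
    id_j2, t6 = b"ZSP-2", (1_700_000_000).to_bytes(8, "big")
    r3, r3_p = ephemeral()                               # UAV side
    r4, r4_p = ephemeral()                               # ZSP_2 side
    sk_uav = sk_new(r3, r4_p, t6, did_i, id_j2)
    sk_zsp = sk_new(r4, r3_p, t6, did_i, id_j2)
    # Leakage cases: what can be derived from each set of exposed secrets.
    dz2 = encode(ec_mul(r3 * r4 % N, G))                 # r_3 . r_4 . P from leaked nonces
    return {
        "both_sides_agree": sk_uav == sk_zsp,
        "nonces_without_did": h(dz2, t6, bytes(32), id_j2) == sk_uav,
        "nonces_with_did": h(dz2, t6, did_i, id_j2) == sk_uav,
    }


if __name__ == "__main__":
    print(handover_demo())
```

The last case shows that once $r_3$ and $r_4$ are exposed, the secrecy of $SK_{new}$ rests entirely on $DID_i$, so any store that holds $DID_i$ needs the protection given to a long-term key.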

9) MUTUAL AUTHENTICATION
In our scheme, each entity sends a message including a timestamp $T_m$ ($m = 1, 2, 3, 4, 5, 6$) to check the freshness and a verification parameter $v_m$ to check the correctness of each parameter. If the verification parameter is correct, the entity is authenticated to the target entity. Therefore, the proposed scheme provides mutual authentication.

B. RoR MODEL
This section analyzes the session key security of the proposed handover authentication scheme using the RoR model [10]. In the RoR model, we define participants, adversary, and queries to reflect our scheme.
Proof: Following the RoR security proof in [24]-[26], we conduct four games $GA_n$ ($n = 0, 1, 2, 3$). We define the winning probability of the adversary as $Suc_{GA_n}$. We also denote the advantage of $Suc_{GA_n}$ as $PR[Suc_{GA_n}]$.
• $GA_0$: In $GA_0$, the adversary has no information to calculate the session key $SK$. Therefore, the adversary picks the random bit $b$. As a result, we obtain the following equation.
• $GA_1$: The adversary conducts Execute query to obtain messages transmitted through open channels. With the messages and $MSG_6 = \{Z_2, V_6, E_i^n, T_6\}$, the adversary performs Test query to distinguish whether the result value is the session key or not. However, the session key $SK = h(DZ_2 \| T_6 \| DID_i \| ID_{j2})$ is composed of $DZ_2$ and $DID_i$. To calculate $DZ_2$, the adversary must obtain random nonces $r_3$ and $r_4$. Moreover, $DID_i$ is the secret parameter of UAV. Therefore, we can obtain the following equation.
$PR[Suc_{GA_0}] = PR[Suc_{GA_1}]$ (3)
• $GA_2$: In $GA_2$, the adversary attempts to attack the network using Send and Hash queries. In our scheme, parameters are masked by random nonces and hash functions which have resistance against hash collision. Therefore, the adversary has no advantage using Hash query. Thus, we can obtain the following equation using the birthday paradox [27].
• $GA_3$: In the final game $GA_3$, the adversary obtains secret parameters of UAV $\{DID_i, d_i\}$ using CorruptUAV query. However, the adversary cannot calculate the session key $SK = h(DZ_2 \| T_6 \| DID_i \| ID_{j2})$ because $DZ_2 = r_3 \cdot r_4 \cdot P$ is based on the ECDDH problem. Thus, we can obtain the following result.
The adversary executes Test query and obtains a guessed bit $b$. Thus, we can get the following equation.

PR[Suc
Using (2) and (3), we can calculate and get the equation.
We can obtain the following equation using (6) and (7).
Applying the triangular inequality and simplifying the equation (8), we can obtain the following. Therefore, Theorem 1 is proved.

C. BAN LOGIC
To prove the mutual authentication of our handover authentication scheme, we utilize a well-known formal proof named BAN logic [11]. Many researchers have proved the mutual authentication of their scheme using BAN logic [28]-[30].
To apply our scheme into BAN logic, we introduce notations and descriptions as follows.

1) RULES
In BAN logic, there are five basic logical rules shown as follows.

2) GOALS
We denote that principals of the UAV, $ZSP_1$, and $ZSP_2$ are $D_U$, $Z_1$, and $Z_2$, respectively. Thus, goals of our scheme are as below.

3) IDEALIZED FORMS
There are four messages in our handover authentication scheme. The idealized forms of the messages are as below.
The assumptions in our scheme are as below.

5) BAN LOGIC PROOF
Step 1: $BP_1$ is obtained from the message $MSG_2$.
Step 2: $BP_2$ is obtained from the MMR using $BP_1$ and $A_5$.
Step 3: $BP_3$ can be obtained from
Step 4: $BP_4$ can be obtained from the MMR using $BP_3$ and $A_8$.
Step 5: $BP_5$ is obtained from the FR using $A_2$ and $BP_4$.
Step 6: $BP_6$ is obtained from the NVR using $BP_4$ and $BP_5$.
Step 7: From the message $MSG_3$, $BP_7$ can be obtained.
Step 8: $BP_8$ can be obtained from the MMR using $BP_7$ and $A_6$.
Step 9: $BP_9$ can be obtained from the FR using $BP_8$ and $A_4$.
Step 10: $BP_{10}$ can be obtained from the NVR using $BP_8$ and $BP_9$.
Step 11: $BP_{11}$ can be obtained from the message $MSG_4$.
Step 12: $BP_{12}$ can be obtained from the MMR using the assumption $A_{11}$.
Step 13: $BP_{13}$ can be obtained from the FR using the assumption $A_1$.
Step 14: $BP_{14}$ can be obtained from the NVR using $BP_{12}$ and $BP_{13}$.
Step 16: $BP_{17}$ and $BP_{18}$ can be obtained from the JR using $BP_{15}$, $BP_{16}$, $A_9$, and $A_{10}$, respectively.

The AVISPA [12] simulation tool has been widely used to prove the security features, i.e. resistance to replay and man-in-the-middle attacks, of various schemes [31]-[33]. Therefore, we simulate and demonstrate the security against replay and man-in-the-middle attacks of the proposed scheme using AVISPA. To apply our scheme into AVISPA, we complete a code design written in "High-Level Protocol Specification Language (HLPSL)". After that, the HLPSL code is converted to "Intermediate Format (IF)" by the translator, and the IF enters four backends that perform security analysis, named On-the-Fly Model Checker (OFMC), Tree Automata based on Automatic Approximations for Analysis of Security Protocol (TA4SP), Constraint Logic based Attack Searcher (CL-AtSe), and SAT-based Model Checker (SATMC). In this paper, we use the OFMC and CL-AtSe backends because they can support exclusive-OR (⊕) operators. At last, "Output Format (OF)" is obtained. If the summary of OF is "SAFE", the proposed scheme has resistance against replay and man-in-the-middle attacks.
We present the role of UAV in Figure 6. Firstly, the UAV sends a registration request message $\{ID_i, dr_i\}$ to GSS in state 1. In state 2, the UAV receives $\{DID_i, Pub_i, d_i\}$ through a secure channel. Then, the UAV generates a random nonce and timestamp, and sends authentication request message. In state 3, the UAV receives a return message and computes a session key $SK$. To perform a handover authentication phase, the UAV sends a handover request message $\{HID_i, ID_j, D_2, V_3, T_3\}$ to $ZSP_2$. Finally, the UAV receives $\{Z_2, V_6, E_i^n, T_6\}$ from $ZSP_2$ and completes the handover authentication in state 4. Figure 7 indicates the session, environment, and goal of our scheme and Figure 8 shows the OF of our scheme. Since the summary of the result displays "SAFE", we can demonstrate that the proposed scheme can prevent replay and man-in-the-middle attacks.

VI. PERFORMANCE ANALYSIS
In this section, we compare the security features, communication, and computation costs of proposed scheme with the other related schemes.

A. COMPUTATION COSTS COMPARISON
In this section, computation costs of the proposed scheme and the related schemes [16]-[19] are estimated to prove the efficiency of our scheme. Therefore, we simulate and estimate Table 3 and the total computation costs of our scheme and the existing related schemes are represented in Table 4. From the results, the proposed scheme is computationally efficient compared with the other schemes [16]-[19].

B. COMMUNICATION COSTS COMPARISON
We compare communication costs of our scheme with the related schemes [16]-[19]. From [35], we define that the identity, hash function, random number, ECC point, timestamp and modular exponentiation are 160 bits, 160 bits, 160 bits, 320 bits, 64 bits, and 1024 bits, respectively. By applying them, we obtain the communication cost of the proposed scheme for each message as follows: . Therefore, the total communication cost of the proposed scheme is 864 + 928 + 384 + 704 = 2880 bits. We also compare the communication costs of the proposed protocol with the other related schemes [16]-[19] in Table 5. The result shows that the proposed scheme has a lower communication cost compared with the existing schemes.

C. SECURITY AND FUNCTIONALITY FEATURES COMPARISON
We compare security and functionality features of the proposed scheme and those of the existing schemes [16]-[19]. Table 6

VII. CONCLUSION
In this paper, we designed a secure handover authentication scheme for UAM environments, which are expected to become a future air mobility system. In the proposed scheme, the handover authentication process can provide a lower computation cost than the initial authentication because the previous ZSP supports the handover authentication. We conducted an informal security analysis to demonstrate that our scheme can prevent various security attacks. We also used the RoR model and BAN logic to prove that the proposed scheme can provide session key security and mutual authentication, respectively. Moreover, we executed the AVISPA simulation tool to show the robustness of our scheme against man-in-the-middle and replay attacks. To estimate the efficiency of our scheme, we compared computation and communication costs of our scheme with other related schemes. Therefore, the proposed scheme can provide secure and efficient communication for UAM environments. In a future study, we will design an enhanced scheme for implementation in practical environments and contribute to secure UAM environments.