Authenticated Secure Quantum-Based Communication Scheme in Internet-of-Drones Deployment

The rapid advance of manufacturing Unmanned Aerial Vehicles (UAVs, aka drones) has led to a rise in the use of their civilian and commercial applications. The access of these drones to controlled airspace can be efficiently coordinated through particular layered network architecture, often referred to as the Internet-of-Drones (IoD). The nature of IoD, which is deployed in an open-access environment, brings significant safety and security concerns. Classical cryptosystems such as elliptic curve cryptography, Rivest-Shamir-Adleman, and Diffie-Hellman are essential building blocks to secure communication in the IoD. However, with the rapid development of quantum computing, it will be easy to break public-key cryptosystems using efficient quantum algorithms like Shor’s algorithm. Thus, building quantum-safe solutions to enhance IoD security has become imperative. Fortunately, quantum technologies can provide unconditional security solutions to protect data and communications in the IoD environment. This paper proposes a quantum-based scheme to prevent unauthorized drones from accessing a specific flight zone and authenticates the identities and shared secret messages of involved entities. To do so, we used a quantum channel to encode the private information based on a pre-shared key and a random key generated in a session. The involved entities also perform mutual authentication and share a secret key. We also provide the security proofs and analysis of the proposed scheme that indicates its resistance to well-known attacks.

The security of such a cryptosystem is guaranteed by the 68 hardness of adopted mathematical problems like the discrete 69 logarithm problem and the integer factorization problem. presently, but they need significant technical improvement to 78 be widely utilized. It is believed that a quantum computer with 79 around 20 million quantum bits (qubits) is required to break 80 an RSA-2048 algorithm [40]. Once scaled, quantum comput-81 ers will catastrophically break most of our commonly used 82 standardized mechanisms for ensuring the integrity and con-83 fidentiality of the data [5], [6]. Fortunately, quantum cryptog-84 raphy is able to provide unconditional security for the stored 85 and communicated data (i.e., a protocol remains secure even 86 if an attacker has unlimited computing power or a powerful 87 quantum computer) [41], [42]. Therefore, securing the com-88 munication of drones based on quantum cryptography could 89 resist the potential threat of a powerful quantum computer 90 and is significant for scenarios where the communicated data 91 is of high value to the attackers. 92 In 2020, Liu et al. [7] experimentally developed an air-93 borne mobile quantum communication network using a 94 quantum-based drone. They used the quantum-based drones 95 as nodes capable of generating and measuring quantum bits 96 (qubits); hence the drones can build a secure quantum chan-97 nel among communicators. Liu et al.'s mobile quantum net-98 work could be used for multiple functions: 1) to interconnect 99 quantum satellites with quantum fiber ground networks; 2) to 100 connect two quantum ground nodes or servers; 3) to con-101 nect quantum drones with other quantum ground nodes or 102 users and so on. Their work opens the door for a new era of 103 quantum-based drone development that could be used in real 104 life. In this paper, we propose an authentication scheme based 105 on quantum cryptography for authenticating the involved 106 entities and securing the transmitted data in the IoD deploy-107 ment. The network model of the proposed scheme contains 108 various drones deployed in many zones that send their data to 109 a ground station. We will prove the security of communica-110 tion between entities against related common attacks such as 111 impersonation attacks and man-in-the-middle attacks.

112
A. MOTIVATION 113 Previous works have indicated that there are many challenges 114 threatening the expansion of the use of drones for civilian and 115 military purposes [8]. Among these threats and challenges are 116 the authentication of drones and the other involved entities, 117 controlling and hacking of the drones, jamming of the broad-118 cast communication, and others. Recently, several drone inci-119 dents have occurred due to a lack of drone authentication. For 120 example, many heavy-traffic airports in different countries 121 were closed and incurred huge financial losses due to unau-122 thorized access from suspicious drones (a recent relevant sur-123 vey on this topic can be found in [9]). Therefore, it is crucial 124 to achieve authentication between ground stations and drones 125 to check whether a drone is authorized to access a certain 126 zone or not. Also, in some special cases, authentication is 127 needed between a drone and another drone for sharing some 128 information as well as authenticating the sensitive transmitted 129 messages among participants. The importance of authenti-130 cation and such incidents motivate the need to propose and 131 design secure authentication schemes for drones. As a result, 132 several schemes employed classical cryptosystems to ensure 133 the security and privacy of communications in the IoD envi-134 ronment [24], [25], [26], [27], [28], [29] report on post-quantum cryptography, anticipating that a uni-140 versal quantum computer capable of breaking 2000-bit RSA 141 in a few hours will be available by 2030, making the exist-142 ing public-key infrastructure (PKI) insecure [45]. Therefore, 143 quantum-safe schemes based on quantum cryptography or 144 post-quantum cryptography to secure the IoD is imperative. 145  The basic idea behind their scheme is that the ground station   [13], [14], [15]. How-179 ever, securing communication channels in such schemes are 180 based on classical cryptosystems, which are vulnerable to the 181 massive power of a quantum computer or classical computing 182 resources [5], [6]. As a response to those problems, quantum 183 cryptography, as one of the most mature quantum computing 184 applications, has been adopted to provide unconditionally 185 secure solutions in various communication systems that seek 186 optimal security of sensitive data and communication against 187 attackers [16]. In 2019, Liu et al. demonstrated a drone-based 188 mobile communication system for multi-node construction 189 and real-time all-location coverage. The designed system has 190 been proven robust against all-weather conditions and can be 191 scaled to multi-node structures. In 2021, Yu et al. designed 192 an airborne quantum key distribution model that connects 193 terrestrial networks with satellite networks to establish a real-194 time on-demand quantum network. These works focused on 195 the ability to build quantum communication through drones 196 and its efficiency in the IoD deployment and did not con-197 sider significant security features such as authentication, key 198 sharing, and key management. Inspired by Liu et al. [7] and 199 other related works [17], [18], [19], this work introduces a 200 robust and lightweight authentication scheme to secure the 201 communication and data in the IoD deployment.

203
• We propose a mutual identity and message authentica-204 tion scheme between the drones and the ground stations. 205 • A pre-shared secret key can be reused without informa-206 tion leaks.

207
• Sharing a secure random key among authenticated enti-208 ties for securing transmitted data.

209
• The proposed model is secure against well-known 210 attacks.

211
The remainder of the paper is organized as follows. 212 In Section II, we introduce the model considered for the 213 main result of this paper, provide a table of notation, then 214 VOLUME 10, 2022 has the ability to intercept the communication channels 255 and can also forge or modify the exchanged message.

256
• It is possible that an adversary has unlimited computing 257 power and can use it to apply powerful computational 258 attacks. However, the server and ground stations are 259 considered secure entities in this work. Thus, the adver-260 sary cannot extract useful information from the quan-261 tum channels that are information-theoretically-secure 262 thanks to the principles of quantum physics.

264
In this paper, we consider the following model of drones, 265 ground stations, and a central control room with a database 266 server. The database server is able to communicate with each 267 ground station and each pre-take off drone through secure 268 private channels. Each ground station is also able to commu-269 nicate with the drones within a known fly zone but cannot 270 communicate with other ground stations. The drones are able 271 to communicate with other drones within and beyond their 272 current fly zone. Before a drone d takes off, the database server pre-shares 276 a secret K dg with both a drone (d) and a ground station (g) 277 through a secure private channel (see also Fig. 2). Addition-278 ally, the database server preloads ID g and FP d into the d, 279 and sends ID d and FP d to g through a secure private channel. 280 Throughout this work, we assume that quantum channels are 281 optimal, i.e., quantum channels are noiseless and lossless. 282 Also, we assume that all involved entities agree on the four 283 Bell states {|φ 00 , |φ 01 , |φ 10 , |φ 11 }, indicated in (1), and 284 the four unitary operations {σ 00 , σ 01 , σ 10 , σ 11 }, indicated in 285 (2), to represent the four two-bits classical information {00, 286 01, 10, 11}, respectively.
The detailed steps of the proposed model are as follows:

296
Step 1: The drone d prepares the sequence S 0 = h(ID d ⊕

297
ID g ), where ID d and ID g represent the destination identity of 298 the drone d and the ground station g, respectively.

299
Step 2: The drone d randomly generates 3n Bell quan-300 tum states selected from the agreed four Bell states in (2).

306
Step 3: d creates an n − bit random number (r d ) and gets

316
Step 4: d determines the initial basis for each qubit in the Similarly, d determines the initial basis for each qubit in the 325 sequence S 1 S 2 based on the pre-shared key k 2 producing 326 S d = b k2 (S 1 S 2 ) according to the same rule, i.e., if k 2,i = 327 0 the drone d selects the Z − basis to transfer the correspond-328 ing qubit in the sequence S 1 S 2 ; otherwise, the drone d 329 selects the X − basis to transfer the corresponding qubit in 330 the sequence S 1 S 2 , where b k2 represents the selected mea-331 surement bases based on k 2 . Here, k 1 = k 1,1 , k 1,2 , . . . , k 1,3n , 332 k 2 = k 2,1 , k 2,2 , . . . , k 2,3n and i = 1, 2, . . . , 3n.

333
Step 5: The drone d generates a sufficient number of 334 decoy-qubits, where every decoy-qubit is randomly selected 335 from the quantum states {|0 , |1 , Then, d randomly inserts these decoy-337 qubits into the sequences S 0 , S re 34 , and S d .

338
Step 6: Through a quantum channel, d sends the sequences 339 S 0 , S re 34 and S d to the ground station g.

340
Step 7: Upon g receiving S 0 , S re 34 and S d , the drone d 341 announces the positions of each decoy-qubits and its cor-342 responding initial bases to g. Subsequently, based on the 343 received information, g measures these decoy-qubits to com-344 pute the error value. If the error rate is lower than a preset 345 value, d and g continue to the next process. Otherwise, they 346 must terminate the protocol.

347
Step 8: Upon confirming that the quantum channel 348 between d and g is secure, d sends the hashing value of the 349 random key r d , i.e., h(r d ), to g through a quantum channel. d 350 and g also employs the decoy-qubits technique used in Step 5 351 and Step 7 to ensure the security of transmitting h(r d ).

352
Step 9: The ground station g checks whether S 0 = h(ID dj ⊕ 353 ID g ) is identical with its corresponding data (i.e., S 0 = 354 h(ID d ⊕ ID g ) ) or not. If S 0 = S 0 ; g partially authenticates 355 the identity of d and continues to the next step. Otherwise, g 356 revokes d's request and ends the protocol.

357
Step 10: Upon confirming that S 0 is valid, g uses the pre-358 shared key (k 2 ) and the rules indicated in Step 4 to measure 359 (S 1 S 2 ) getting (S 3 S 4 ) ; note, if g has the identical pre-shared 360 key (k 2 ), (S 1 S 2 ) is identical to (S 1 S 2 ). Also, g uses the 361 pre-shared key k 1 and the rules indicated in Step 4 to measure 362 S re 34 = b k1 (S 3 | S 4 ) getting (S 3 S 4 ); note, if g has the identical 363 pre-shared key (k 1 ), (S 3 S 4 ) is identical to (S 3 S 4 ). Based on 364 (m g h(m g )), g applies unitary operations selected from the set 365 {σ 00 , σ 01 , σ 10 , σ 11 } to S 4 getting a new evolved sequence S 4 . 366 Step 11: Using Bell measurement, g measures every corre-367 sponding pair (d i and g i ) in (S 3 S 4 ) and (S 3 S 4 ) getting the 368 result r d M ; note, r d is identical to r d if the quantum channels 369 are secure and g has the matching pre-shared key (K dg ). The 370 ground station g then computes (r d h(r d ))⊕M ⊕(m g h(m g )) 371 getting a computation result representing m d h(m d ) . After 372 that, g performs two comparisons: 1) g computes h(m d ) and 373 checks whether h(m d ) is identical to h(m d ) or not; 2) g com-374 putes h(r d ) and checks whether h(r d ) is identical to h(r d ) 375 or not. If so, g knows with certainty that the message is 376 genuine and fully authenticates the identity of d. Otherwise, 377 g and d end the protocol and restart the protocol from the 378 beginning. 379 VOLUME 10, 2022 Step 12: g sends M to d through a quantum channel and 380 checks the security of transmission with d as in Steps 6 & 7.

381
Step 13: Upon confirming the secure transmission of M , g 382 also sends h(r d ⊕ K g ) to d through a quantum channel and 383 checks the security of transmission with d as in Steps 6 & 7.

384
Step 14: d computes (r d ⊕h(r d ))⊕M ⊕(m d ⊕h(m d )) getting 385 the computation result m g h(m g ) . Subsequently, d computes 386 h(m g ) and checks whether h(m g ) is identical to h(m g ) or not.

387
If so, d deduces the shared secret key K g , where m g = m g = 388 ID g K g . Finally, d checks whether h(r d ⊕ K g ) is identical 389 to h(r d ⊕ K g ) or not. If so, d believes that K g is genuine and 390 authenticates the identity of g. Otherwise, d and g end the 391 protocol and restart the protocol from the beginning.

393
In this section of the paper, we perform our security anal-  to be detected, the two parties would restart the session with 435 new random values to be generated. The only information E 436 could obtain without the risk of being detected would be the 437 announcement of the information of decoy photons, which 438 does not cause leakage of any private information used to 439 generate any of the messages in the protocol. Additionally, 440 E is unable to intercept any messages sent between d and g 441 without being detected with high probability. This prevents E 442 from attempting to recover or inject information needed to be 443 authenticated and/or get the shared key. Thus, E must attempt 444 to guess the information necessary to be authenticated and get 445 the shared key.

446
In Step1, d uses the XOR function to encrypt the ID d and 447 ID g and uses a one-way hash function to produce S 0 . Then, 448 based on a randomly generated key r d , the secret data m d = 449 ID d FP d , and the two shared sub-keys k 1 and k 2 , d creates the 450 sequences S re 34 and S d and sends them to g in Step 6. To get K g , 451 E needs to 1) successfully guess the generated 3n Bell states; 452 2) get the transmitted sequencesS 0 ,S re 34 ,S d , andh(r d ) that 453 are sent by d correctly (i.e., S 0 , S re 34 , S d , and h(r d )); 3) then 454 successfully pass the eavesdropping check process in Steps 7 455 & 8. So, the probability (P) of getting K g is as follows: (4) 467 3) In Steps 7 & 8, d and g employ l decoy photons to detect 468 E. To successfully pass this check, E must correctly 469 guess the measurement basis of the targeted photon and 470 must also guess the initial basis to resend it to g. The 471 probability of deciding the correct measurement basis 472 (z-basis) is 50%, and the probability of deciding the 473 initial basis is also 50%. Therefore, the probability (P3) 474 of passing the eavesdropping check is as follows: Finally, the overall probability of getting K g is as 477 follows:

482
We now discuss additional security notions that an adversary 483 may try to exploit to gain information or access to private 484 information. In the proposed protocol, the drone transfers S 0 , S re 34 , and 492 S d to the ground station through a quantum channel. These 493 sequences are encoded based on the K dg = k 1 k 2 , m d , and r d . 494 As indicated in Theorem 1, any attackers who try to recover 495 secret information will be caught with high probability. More-496 over, the decoy-photon protocol [46] that is used for detecting 497 eavesdroppers in Step 7 just uses the inserted decoy-photons 498 to check the security of transmission and does not expose any 499 other photons used for encoding secret data.
In addition, if legitimate users detect an intruder in any 501 step through the protocol, they start the protocol from the 502 beginning. d will select different random Bell states and gen-503 erate a new r d for encoding the secret information. Hence, 504 the newly transmitted data will be completely different and 505 will be carrying the same secret data as well as the pre-shared 506 keys that can be reused safely. Thus, the proposed protocol is 507 secure against information leakage.  sequences S 0a , S re 34a and S da to the ground station, they will 557 be detected in Step 9 because the attacker does not know ID d 558 and ID d that are required to produce h(ID d ⊕ ID g ).

559
In Case of Impersonating the Ground Station (g): If the 560 attacker tries to impersonate g, they will send to d an invalid 561 data (i.e., M in Step 12 and h(r d ⊕ k g ) in Step 13) because the 562 attacker does not know the pre-shared key (K dg ) that was used 563 to reorder the transmitted sequences. Hence, the attacker can 564 be detected in Step 14 when d checks whether: 1) h(m g ) is 565 identical to h(m g ) or not; 2) h(r d ⊕ K g ) is identical to h(r d ⊕ 566 K g ) or not.

568
In this attack, the attacker tries to modify the contents of 569 the transmitted photons (in Step 2 or Step 6) to make the 570 communicants obtain different secret messages without being 571 caught. Then, in the first case, the attacker tries to modify 572 S 0 , S re 34 and S d in Step 6 and send the modified quantum 573 sequences, S 0a , S re 34a and S da to the ground station. But, the 574 attacker may also modify the decoy-photons since they can-575 not distinguish between the decoy-photons and secret pho-576 tons. Thus, the attacker could be detected in Steps 7 & 8 when 577 d and g check the security of the quantum channel. Also, 578 even if a single photon has been modified; the ground station 579 will detect the modification when checking the hash values of 580 h(ID dj ⊕ ID g ) in Step 9. Also, the attacker may try to modify 581 the sequences M transmitted in Step 9. However, both the 582 drone and ground station perform a security check using the 583 decoy-photon protocol as in Step 7. Thus, the attacker will be 584 detected with high probability. 585

586
A proposed scheme supports perfect forward secrecy when 587 an attacker cannot deduce the shared secret key using a com-588 promised pre-shared secret key of any node. In this work, 589 the final shared secret message/key of the session (K g ) is 590 shared between d and g using a random number r d , that is not 591 included in the pre-shared secret information K dg , ID g , ID d  for Women in Science and Engineering. She is also the Director of the Laurier 843 Centre for Women in Science. She is the author of two books, and more 844 than 60 articles, and has given over 200 invited talks about her work. Her 845 research interest includes quantum information science. Her research team 846 was the first to observe a connection between chaos theory and quantum 847 entanglement.