Key Agreement Between User and Drone With Forward Unlinkability in Internet of Drones

Many applications use drones to provide services to users in Internet of Drones (IoD) environments. In such applications, a drone and a user must establish a session key to set up an authenticated and secure channel. It is also desirable to provide strong anonymity to increase user(drone) privacy. To provide robust anonymity, a protocol has to provide both pseudonymity and unlinkability. If a protocol provides only pseudonymity without unlinkability, user(drone) privacy could be breached by analyzing communication frequency or user(drone) movement. We also consider drone capture attacks in the IoD, because if a drone is captured, the secret information of the drone could be revealed. To minimize the damage from capture attacks, a key exchange should provide forward unlinkability as well as forward secrecy. Forward unlinkability means that unlinkability is guaranteed even if the secret information of the drone is revealed. In this paper, we propose the first key agreement protocols providing both pseudonymity and forward unlinkability, whereas previous key agreement protocols provide only pseudonymity and unlinkability.


I. INTRODUCTION
Owing to the rapid development of unmanned aerial technology, various services based on the Internet of Drones (IoD) have been developed in real life [1]. Since contemporary drones are equipped with high-performance sensors, the IoD is proving useful in a number of ways, including during disasters, in military operations, and in transportation. For instance, unmanned drones have been used in COVID-19 management systems, in which the drones fly over a certain (or quarantined) area and send alert messages to gathered people, and agricultural drones can be used for farming [2]. Drones are also useful for collecting several kinds of data, and the collected data can be stored in blockchains [3]. As illustrated in Fig. 1, the IoD consists of drones, users, and the control server.
In the IoD, it is necessary to authenticate the communicating parties and protect the messages exchanged between them from adversaries. For authentication and confidentiality between a user and a drone, we need an authenticated key exchange protocol to make a session key. With the session key, the user and the drone can create a secure channel to protect their messages from adversaries. Recently, authentication with an efficient key exchange between users and drones has become a popular research topic in IoD settings [4]-[7].
The associate editor coordinating the review of this manuscript and approving it for publication was Gautam Srivastava.
In some applications, pseudonymity and unlinkability can be crucial. For example, during a military operation, soldiers can utilize information collected by drones. Drones move around the operation field to collect information, and soldiers also move around the field independently. Whenever a soldier needs additional information, they can establish a session key and communicate with a drone. In this scenario, we have to assume that an adversary is eavesdropping on the communications between the drones and the soldiers.
In a key exchange protocol, we can use pseudonyms for users and drones to provide privacy. We note that pseudonymity alone, without unlinkability, does not provide strong anonymity. For instance, if an adversary can observe the same pseudonym of a user(drone) across sessions, it can also trace the frequency of communications or the movements of the user(drone). This could eventually lead back to the real identity of the user(drone) and thus break user(drone) privacy. Therefore, in the above scenario, knowledge of the movements of the drones and the soldiers, obtained through the lack of unlinkability, could lead to a failed military operation.
In the IoD environment, it is possible to capture a drone and analyze it to extract useful information. This attack is called a drone capture attack [8]. In a key exchange protocol, a drone capture attack lets an adversary extract the long-term secret key stored in the drone and use it to break the secrecy of session keys or the unlinkability of sessions. Therefore, a key exchange should provide forward unlinkability to minimize the damage from capture attacks. Forward unlinkability means that unlinkability is guaranteed even if the secret information of the drone is revealed.

A. RELATED WORKS AND CONTRIBUTIONS
Wireless Sensor Networks (WSN), Internet of Things (IoT), and Internet of Drones (IoD) environments have similar properties and security requirements. Therefore, a key exchange protocol developed for WSN or IoT can be usable with minor modifications in the IoD environment.
In 2013, Xie et al. proposed a chaotic-maps-based three-party password-authenticated key agreement scheme [9]. However, in 2015, Lee et al. found security flaws in Xie et al.'s scheme [10]. To address these flaws, Lee et al. proposed a three-party authenticated key agreement scheme based on chaotic maps without a password table [10]. However, chaotic maps are less efficient than symmetric-key encryption or hash functions [11].
In 2014, Turkanovic et al. proposed an efficient authenticated key exchange scheme for WSN [12]. Unfortunately, Turkanovic et al.'s scheme was later found to be vulnerable to numerous attacks, such as man-in-the-middle, smart card, and sensor node impersonation attacks. To overcome the weaknesses of this scheme, Farash et al. proposed a new scheme for a heterogeneous WSN [13]. However, in 2016 Amin et al. showed that Farash et al.'s scheme is vulnerable to a known session-specific temporary information attack, an off-line password guessing attack using a stolen smart card, a new smart card issue attack, and a user impersonation attack [14]. In 2017, Tai et al. designed a new authentication scheme in the same setting as the experiments conducted by Farash et al. [15]. But this scheme is also not secure against other attack types, such as privileged-insider, password-guessing, man-in-the-middle, and replay attacks. Also in 2017, Jiang et al. observed that Amin et al.'s scheme in [14] is secure against neither smart card loss attacks nor known session-specific temporary information attacks [16].
In IoT settings, some ECC-based key exchange schemes already exist [17], [18]. In 2019, Wazid et al. suggested device authentication and a key management protocol for IoT devices, cloud servers, and edge nodes in edge-based IoT environments [19].
In 2018, Wazid et al. proposed a novel and lightweight remote user authentication and key agreement scheme in the IoD setting [5]. This scheme enables a valid user to directly receive collected data from a drone after establishing a session key via a key agreement protocol. In 2019, Srinivas et al. proposed a more efficient scheme than that proposed by Wazid et al. [6]. However, the schemes in [5] and [6] are not secure against other legal users, since a legal user can calculate session keys established by other legal users. In 2020, Zhang et al. suggested a lightweight authenticated key agreement protocol using only a hash function and a bitwise XOR operation [7]. Overall, the schemes in [5]- [7] provide pseudonymity, but they do not provide unlinkability as pseudonyms are revealed and do not change between sessions.
There are already some authentication and communication protocols for drones. In 2020, Yazdinejad et al. proposed a drone authentication scheme using a shared ledger for the blockchain [20]. This scheme records the drone information in the blockchain when the drone is certified by the drone controller in a certain zone. Once this is done, the drone does not need to be re-certified when it moves to another zone, because its information is registered in the blockchain. In 2020, Sharma et al. proposed a similar scheme, in which a drone can be queried to deploy sensor nodes that collect information [21].
There exist some key exchange protocols that satisfy unlinkability in various environments such as IoT and ad-hoc networks. However, none of the existing protocols satisfies forward unlinkability. That is, if the secret information of a communicating party is revealed, it is possible to check whether the same communicating party participated in two different sessions.
In 2015, Buttner and Huss proposed a new anonymous authentication key exchange protocol for vehicular ad hoc networks [22]. Even though the protocol tries to achieve unlinkability using the Elliptic Curve Integrated Encryption Scheme (ECIES) and a ring signature, the identity of a communicating party can obviously be verified if the party's private key is revealed. Therefore, it does not satisfy forward unlinkability.
In 2017, Shin and Kwon proposed an anonymous authentication key exchange protocol between a user and an IoT gateway in an IoT environment [23]. This protocol allows users and the IoT App Server to make a session key. However, this protocol does not satisfy forward unlinkability, because the pseudonyms of the same user are linkable if the server's secret key is revealed.
In 2021, Li et al. proposed an anonymous authentication key exchange protocol between vehicles using homomorphic encryption [24]. A vehicle first anonymously authenticates itself to a roadside unit (RSU) using pseudonyms and tickets, and then vehicles anonymously authenticate each other. However, it is easy to check whether any two tickets belong to the same vehicle. Therefore, the protocol does not satisfy forward unlinkability.
In 2021, Khan et al. proposed an anonymous authentication key exchange protocol between nodes and hub nodes in Wireless Body Area Networks (WBANs) [25]. However, once the secret information (or identity) of a node is exposed, it is easy to check whether a protocol message was made by that node. Therefore, the protocol does not satisfy forward unlinkability.
In this paper, we propose two authenticated key agreement protocols between drones and users in the IoD environment. In our proposed schemes, users and drones are registered to the control server. Our first key agreement protocol makes a drone initiate a key exchange protocol with a user. Our second key agreement protocol makes a user initiate a key exchange protocol with a drone.
Our two key agreement protocols use only symmetric cryptographic primitives such as symmetric encryption, MAC, and hash functions. To provide pseudonymity and forward unlinkability, the two key agreement protocols use different pseudonyms and secret keys in different sessions.
Our key agreement protocols also provide forward secrecy. Usually, forward secrecy is provided using asymmetric cryptographic primitives such as the ephemeral Diffie-Hellman key exchange which are expensive operations compared to the symmetric cryptographic primitives. Even though our protocols use only symmetric cryptographic primitives, our protocols provide 1-less full forward secrecy which is a variant of the full forward secrecy.

II. CRYPTOGRAPHIC PRIMITIVES
H is a cryptographically secure hash function with outputs in {0, 1}^θ, where θ is a security parameter.
Definition 1 (SUF Secure MAC [26]): We consider a MAC scheme Mac = (KeyGen, Mac, Vrfy). To define SUF security for Mac, we suppose an adversary F that can access the MAC generation oracle Mac mk (·) and the MAC verification oracle Vrfy mk (·, ·). SUF security is defined by the following experiment: F can access the oracles Mac mk (·) and Vrfy mk (·, ·), and the advantage of F is defined as follows. Mac is SUF secure if the advantage of any probabilistic polynomial-time adversary F is negligible in the security parameter θ.
Definition 2 (LoR-CPA Secure Symmetric Encryption [26]): We consider a symmetric encryption scheme SE = (Key, E, D), and we suppose that an adversary D can access the encryption oracle E sk (LR(·, ·, b)). The left-or-right chosen-plaintext attack (LoR-CPA) security of SE is defined by the following experiment, and the advantage of D is defined as follows, where θ is a security parameter. SE is LoR-CPA secure if the advantage of any probabilistic polynomial-time adversary D is at most 1/2 plus a negligible function of θ.

III. SECURITY MODEL
Full forward secrecy means that even if all the secret keys of the communicating parties are disclosed, the session keys established before the disclosure remain secure. The full forward secrecy of a key agreement protocol is defined by an experiment. In the experiment, an adversary A asks Initiate, Send, Reveal, Corrupt, and Test queries, and receives messages according to the protocol description. We denote the users by U i , the drones by D j , and the server by S, where i ∈ [1, n] and j ∈ [1, m] for n users and m drones.
• An Initiate(P i , k) query is used to instigate a key agreement protocol in the k-th instance of party P i , where P i ∈ {U i , D j }. P i returns the first message as its response according to the protocol description.
• A Send(P i , k, m) query is used to send a message m to the k-th instance of party P i , where P i ∈ {U i , D j }. After receiving m, P i returns a message as its response according to the protocol description.
• A Reveal(P i , k) query is used to get the session key made in party P i 's k-th instance, where P i ∈ {U i , D j }.
• A Corrupt(P i , k) query is used to get the long-term secret key of party P i , where P i ∈ {U i , D j }. P i returns its long-term secret key as its response.
• A Test(P i , k) query is used to define the advantage of an adversary, where P i ∈ {U i , D j }. P i flips a coin σ ∈ {0, 1}. If σ = 1, P i returns the real session key of the k-th instance. Otherwise, P i returns a random value. We note that this query is valid only when the k-th instance of P i is fresh (defined below).
The k-th session of party P i , P i ∈ {U i , D j }, is fresh if the following conditions hold:
1) If Corrupt(P i ) or Corrupt(P j ) has been asked, the k-th session of party P i was made before Corrupt(P i ) and/or Corrupt(P j ) was asked.
3) Two instances that calculated the same session key are matching instances. If the k-th instance of P i has a matching instance of P j , where P j ∈ {U i , D j }, Reveal has not been asked for that matching instance.
To terminate the experiment, the adversary A outputs its guess of σ and stops. The advantage of A is defined in terms of this guess. A key agreement protocol is ''secure'' if the advantage of any probabilistic polynomial-time adversary A is at most 1/2 plus a negligible function of the security parameter θ. We note that our security model covers various attack types, such as impersonation, drone capture, and compromised user device attacks.

1-Less Full Forward Secrecy:
We define 1-less full forward secrecy, a variant of full forward secrecy. In the experiment for 1-less full forward secrecy, an adversary can test any instance of P i except those made after the second-to-last instance that has a matching instance of P j and before Corrupt(P i ) or Corrupt(P j ) is asked. The difference between full forward secrecy and 1-less full forward secrecy is depicted in Fig. 2.

IV. OUR KEY AGREEMENT PROTOCOLS
In this section, we describe our key agreement protocols, which require registration protocols.
In the registration protocols, a user(drone) registers its identity, a pseudonym, and a secret key with the control server; the pseudonym and the secret key are shared between the user(drone) and the server.
All protocols throughout this paper are explained using the following common notations.
• S: S is the control server.
• U i (D j ): U i (D j ) denotes the identity of the i-th user (j-th drone).
• PU o i (PD o j ): PU o i (PD o j ) denotes the pseudonym for U i (D j ) which is used in the current session.
• PU i (PD j ), PU n i (PD n j ): PU i (PD j ) and PU n i (PD n j ) denote a pseudonym for U i (D j ) which is supposed to be used in the next session.
• pw i : This is a password for U i .
• α o i (β o j ): α o i (β o j ) denotes the shared key between S and U i (D j ) which is used in the current session.
• α i (β j ), α n i (β n j ): α i (β j ) and α n i (β n j ) denote the shared key between S and U i (D j ) which is supposed to be used in the next session.
• ek i (ek j ): This is the encryption key derived from α i (β j ) for U i (D j ).
• mk i (mk j ): This is the MAC key derived from α i (β j ) for U i (D j ).

A. REGISTRATION PROTOCOLS
In the registration protocols, S registers the identity, a pseudonym, and a secret key of a party. The protocols assume a secure channel between the user(drone) and the server.
The user U i and the server S proceed as follows (see Fig. 3):
1) U i randomly selects a pseudonym PU i and a secret key α i . U i sends U i ||PU i ||α i to the server S. U i encrypts PU i ||α i with its password pw i and stores
Similarly, drone D j registers its identity, a pseudonym, and a secret key with the server S as shown in Fig. 4.
Our key agreement protocols make the following two assumptions:
1) There should be only one unfinished instance in a user(drone). That is, if a user(drone) has to make session keys with several other drones(users), the sessions for these session keys are executed sequentially, not concurrently.
2) A party checks a timeout for each protocol message in a session. That is, if a party has not received the expected protocol message before the timeout, it stops and exits the session.
Our first key agreement protocol, a drone-initiated key agreement protocol, makes a session key between U i and D j as follows.
Then, S calculates the two keys ek j , mk j with the corresponding β o j or β n j and makes ciphertext c j = E ek j (PU i ||ru i ) and MAC value τ j = Mac mk j (S||PD j ||c j ). S sends S||PD j ||c j ||τ j to D j .
4) After receiving S||PD j ||c j ||τ j , D j calculates the two keys ek j , mk j . D j decrypts c j and obtains PU i ||ru i . If Vrfy mk j (S||PD j ||c j , τ j ) = 1, D j randomly selects rd j , PD j and β j . D j makes ciphertext d j = E ek j (PD j ||β j ||ru i ||rd j ) and MAC value j = Mac mk j (PD j ||S||d j ), and then sends PD j ||S||d j || j to S. D j calculates the session key sk i,j = H (PU i ||PD j ||ru i ||rd j ||1) and another MAC key mk i,j = H (PU i ||PD j ||ru i ||rd j ||0).
5) After receiving PD j ||S||d j || j , S decrypts d j and obtains PD j ||β j ||ru i ||rd j . If Vrfy mk j (PD j ||S||d j , j ) = 1, S makes ciphertext d i = E ek i (PD j ||ru i ||rd j ) and MAC value i = Mac mk i (S||PU i ||d i ), and then it sends
7) After receiving
If it is valid, D j stores (D j , PD j , β j ).
Our second key agreement protocol, a user-initiated key agreement protocol, is similar to our drone-initiated key agreement protocol except that the initiator is a user instead of a drone, as shown in Fig. 6.
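As an added example (not the paper's or any project's code), the following Python model runs steps 3 to 5 of the drone-initiated protocol above plus the user's derivation of sk i,j , and then checks the property the paper claims: after a session the drone's pseudonym and key have been replaced by fresh, independent values, so a key recovered by capturing the drone verifies none of the earlier transcripts. It assumes 16-byte fields, HMAC-SHA256 for Mac, a counter-mode cipher keyed by HMAC-SHA256 in place of SE, a domain-separated H as the derivation of ek and mk, the names mu and nu for the MAC tags on d j and d i , and that S retires a drone's old pair once the next one is confirmed; steps 1, 2 and 7 are not on the page and are modelled directly.

```python
import hashlib
import hmac
import os
FIELD = 16   # constructed choice: pseudonyms, nonces and shared keys are 16-byte fields
S_ID = b"S"  # identity of the control server

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()  # the paper's H; '||' is field concatenation

def derive_keys(shared):
    return H(shared, b"enc"), H(shared, b"mac")  # ek, mk from alpha_i / beta_j (KDF is an assumption)

def _xor_stream(ek, nonce, data):
    # counter-mode keystream with HMAC-SHA256 as the PRF: a CPA-secure stand-in for the paper's SE
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(ek, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def encrypt(ek, pt):
    nonce = os.urandom(FIELD)  # fresh nonce per ciphertext
    return nonce + _xor_stream(ek, nonce, pt)

def decrypt(ek, ct):
    return _xor_stream(ek, ct[:FIELD], ct[FIELD:])

def mac(mk, msg):
    return hmac.new(mk, msg, hashlib.sha256).digest()

def verify(mk, msg, tag):
    return hmac.compare_digest(mac(mk, msg), tag)

def server_step3(srv, PD_j, PU_i, ru_i):
    ek, mk = derive_keys(srv["drones"][PD_j])  # beta^o_j or beta^n_j, per the announced pseudonym
    c_j = encrypt(ek, PU_i + ru_i)
    return (S_ID, PD_j, c_j, mac(mk, S_ID + PD_j + c_j))

def drone_step4(drone, msg):
    s, PD_j, c_j, tau = msg
    ek, mk = derive_keys(drone["beta"])
    if PD_j != drone["PD"] or not verify(mk, s + PD_j + c_j, tau):
        raise ValueError("step 4: MAC verification failed")
    pt = decrypt(ek, c_j)
    PU_i, ru_i = pt[:FIELD], pt[FIELD:]
    rd_j, PD_n, beta_n = os.urandom(FIELD), os.urandom(FIELD), os.urandom(FIELD)
    drone["pending"] = (PD_n, beta_n)  # next-session pair, independent of the current one
    d_j = encrypt(ek, PD_n + beta_n + ru_i + rd_j)
    sk = H(PU_i, PD_j, ru_i, rd_j, b"\x01")    # sk_{i,j} = H(PU_i||PD_j||ru_i||rd_j||1)
    mk_ij = H(PU_i, PD_j, ru_i, rd_j, b"\x00")  # mk_{i,j} = H(PU_i||PD_j||ru_i||rd_j||0)
    return (PD_j, S_ID, d_j, mac(mk, PD_j + S_ID + d_j)), sk, mk_ij

def server_step5(srv, msg, PU_i):
    PD_j, s, d_j, mu = msg
    ek, mk = derive_keys(srv["drones"][PD_j])
    if not verify(mk, PD_j + s + d_j, mu):
        raise ValueError("step 5: MAC verification failed")
    pt = decrypt(ek, d_j)
    PD_n, beta_n, ru_i, rd_j = (pt[k * FIELD:(k + 1) * FIELD] for k in range(4))
    srv["drones"][PD_n] = beta_n  # S now holds both (PD^o_j, beta^o_j) and (PD^n_j, beta^n_j)
    ek_i, mk_i = derive_keys(srv["users"][PU_i])
    d_i = encrypt(ek_i, PD_j + ru_i + rd_j)
    return (S_ID, PU_i, d_i, mac(mk_i, S_ID + PU_i + d_i))

def user_step6(alpha_i, PU_i, ru_i, msg):
    s, PU, d_i, nu = msg
    ek_i, mk_i = derive_keys(alpha_i)
    if PU != PU_i or not verify(mk_i, s + PU + d_i, nu):
        raise ValueError("step 6: MAC verification failed")
    pt = decrypt(ek_i, d_i)
    PD_j, ru, rd_j = pt[:FIELD], pt[FIELD:2 * FIELD], pt[2 * FIELD:]
    if ru != ru_i:  # the user's own nonce must come back, else the reply is not for this session
        raise ValueError("step 6: nonce mismatch")
    return H(PU_i, PD_j, ru_i, rd_j, b"\x01")

def run_session(srv, drone, PU_i, alpha_i):
    ru_i, wire_PD = os.urandom(FIELD), drone["PD"]  # user's nonce (steps 1-2 are not on the page)
    m4, sk_drone, _ = drone_step4(drone, server_step3(srv, wire_PD, PU_i, ru_i))
    sk_user = user_step6(alpha_i, PU_i, ru_i, server_step5(srv, m4, PU_i))
    drone["PD"], drone["beta"] = drone["pending"]  # commit after the (unmodelled) step 7
    del srv["drones"][wire_PD]  # assumption: S retires the old pair once the next is confirmed
    return sk_drone, sk_user, wire_PD, m4

def demo():
    PD, beta = os.urandom(FIELD), os.urandom(FIELD)  # registration (Fig. 3 / Fig. 4): random values
    PU, alpha = os.urandom(FIELD), os.urandom(FIELD)
    srv = {"drones": {PD: beta}, "users": {PU: alpha}}
    drone = {"PD": PD, "beta": beta, "pending": None}
    sk1_d, sk1_u, PD1, m4_1 = run_session(srv, drone, PU, alpha)
    sk2_d, sk2_u, PD2, m4_2 = run_session(srv, drone, PU, alpha)
    _, mk_captured = derive_keys(drone["beta"])  # what a drone capture after session 2 reveals
    links_past = any(verify(mk_captured, m[0] + m[1] + m[2], m[3]) for m in (m4_1, m4_2))
    return {"keys_agree": sk1_d == sk1_u and sk2_d == sk2_u, "keys_differ": sk1_d != sk2_d,
            "pseudonym_rotated": PD1 != PD2, "captured_key_links_past": links_past}
```

Running demo() twice in a row yields different pseudonyms on the wire each session, matching session keys at the user and the drone, and a captured key that authenticates neither past transcript.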

Theorem 1: The drone-initiated key agreement protocol is 1-less-full-forward-secure in the random oracle model if Mac is SUF secure and SE is LoR-CPA secure.
The proof of Theorem 1 appears in the appendix.

Theorem 2: The user-initiated key agreement protocol is 1-less-full-forward-secure in the random oracle model if Mac is SUF secure and SE is LoR-CPA secure.
The proof of Theorem 2 is similar to that of Theorem 1 and is omitted.

A. ANONYMITY AND FORWARD UNLINKABILITY
The most pressing issue in the IoD environment is to protect the privacy of both the users and the drones. To provide anonymity, many previous key exchange schemes considered pseudonymity and unlinkability for the users and the drones, but forward unlinkability has not been considered in a key exchange protocol.
Our key agreement protocols provide not only pseudonymity but also forward unlinkability, ensuring strong anonymity. In each session of our key agreement protocols, the user and the drone create a new pair of pseudonym and secret key for the next session, stored as (PU n i , α n i ) and (PD n j , β n j ) respectively, which is selected independently of the current pair, stored as (PU o i , α o i ) and (PD o j , β o j ) respectively. Because (PU n i , α n i ) and (PU o i , α o i ) are independent, the protocol messages of any two sessions of user U i are unlinkable. Similarly, the protocol messages of any two sessions of drone D j are unlinkable, since (PD n j , β n j ) and (PD o j , β o j ) are independent. We compare the anonymity of related key exchange protocols in Table 1.

B. EFFICIENCY
Due to limited resources, computational and communication costs are crucial factors in the IoD environments. To make efficient key agreement protocols, our two key agreement protocols use only symmetric cryptographic primitives, such as hash functions, symmetric encryption, and MACs.
Usually, full forward secrecy is provided using asymmetric cryptographic primitives such as the ephemeral Diffie-Hellman key exchange which are expensive operations compared to the symmetric cryptographic primitives. For instance, an ECC multiplication for the ephemeral Diffie-Hellman key exchange in ECC is 100 times more expensive than the symmetric primitives [28].
Khan et al.'s scheme uses only symmetric cryptographic primitives and provides partial forward secrecy [25]. That is, if only the secret key of a user is disclosed, the session key is still secure. However, if the secret key of the server is disclosed, the session key is not secure.
Even though our protocols use only symmetric cryptographic primitives, our protocols provide 1-less full forward secrecy which is a variant of the full forward secrecy. Therefore, our protocols are the most efficient ones among the key exchange protocols providing a variant of full forward secrecy.
Our protocols are slightly less efficient with respect to the number of rounds, but the most efficient among key exchange protocols providing full forward secrecy with respect to computational cost. In Table 2, we compare the number of rounds, the total size of messages, and the total computation for the user, the server, and the drone.

VI. CONCLUSION
In this paper, we proposed two authenticated key agreement protocols between drones and users in the IoD environment.
Our first key agreement protocol makes a drone start a key exchange protocol. Our second key agreement protocol makes a user start a key exchange protocol.
Our key agreement protocols are the first to provide both pseudonymity and forward unlinkability for users and drones in the IoD environment. Moreover, our key agreement protocols provide a variant of full forward secrecy.
In our protocols, a party must execute its sessions sequentially. As future research, it would be interesting to construct a key agreement protocol with forward unlinkability and forward secrecy in which a party can run several sessions concurrently.

APPENDIX. PROOF OF THEOREM V.1
Let A be a polynomial-time adversary against the drone-initiated key agreement protocol. We show that A's advantage is bounded as follows, where n is the number of users, m is the number of drones, q s is the maximum number of sessions for a party, and θ is the security parameter. A's advantage comes from the following two cases:
Case 1. There are forged MACs with respect to τ or made by A.
Case 2. There is no forged MAC with respect to τ or . We bound the advantage from each case in the following lemmas.
Lemma 1: The advantage from Case 1 is bounded as follows.
Lemma 2: The advantage from Case 2 is bounded as follows.
Therefore, the advantage of A is bounded as follows:
$$\mathrm{Adv}_{A,\mathrm{game}_0} \le \frac{1}{2} + (n + m)\,q_s \cdot \mathrm{Adv}^{\mathrm{SUF}} \qquad (7)$$
Next, we prove the above two lemmas. To do so, we define the following games:
• game 0 : game 0 is the original game defined in the experiment for key agreement protocols.
• game 1 : game 1 is the same as game 0 except that ru 1 of U 1 is replaced by random ru * 1 in ciphertexts c i and c j if α 1 of U 1 has not changed. α 1 of U 1 in c i is also replaced by random α * 1 if α 1 of U 1 has not changed.
• game 2 : game 2 is the same as game 1 except that ru 1 of U 1 is replaced by random ru * 1 in ciphertexts c i and c j if α 1 of U 1 has changed one time. α 1 of U 1 in c i is also replaced by random α * 1 if α 1 of U 1 has changed once.
• game k : game k is the same as game k−1 except that ru 1 of U 1 is replaced by random ru * 1 in ciphertexts c i and c j if α 1 of U 1 has changed k − 1 times. α 1 of U 1 in c i is also replaced by random α * 1 if α 1 of U 1 has changed k − 1 times. . . .
• game q s : game q s is the same as game q s −1 except that ru 1 of U 1 is replaced by random ru * 1 in ciphertexts c i and c j if α 1 of U 1 has changed q s − 1 times. α 1 of U 1 in c i is also replaced by random α * 1 if α 1 of U 1 has changed q s − 1 times.
• game q s +1 : game q s +1 is the same as game q s except that ru 2 of U 2 is replaced by random ru * 2 in ciphertexts c i and c j if α 2 of U 2 has not changed. α 2 of U 2 in c i is also replaced by random α * 2 if α 2 of U 2 has not changed. . . .
• game q s +k : game q s +k is the same as game q s +k−1 except that ru 2 of U 2 is replaced by random ru * 2 in ciphertexts c i and c j if α 2 of U 2 has changed k − 1 times. α 2 of U 2 in c i is also replaced by random α * 2 if α 2 of U 2 has changed k − 1 times. . . .
• game 2q s : game 2q s is the same as game 2q s −1 except that ru 2 of U 2 is replaced by random ru * 2 in ciphertexts c i and c j if α 2 of U 2 has changed q s − 1 times. α 2 of U 2 in c i is also replaced by random α * 2 if α 2 of U 2 has changed q s − 1 times. . . .
• game (n−1)q s +1 : game (n−1)q s +1 is the same as game (n−1)q s except that ru n of U n is replaced by random ru * n in ciphertexts c i and c j if α n of U n has not changed. α n of U n in c i is also replaced by random α * n if α n of U n has not changed. . . .
• game (n−1)q s +k : game (n−1)q s +k is the same as game (n−1)q s +k−1 except that ru n of U n is replaced by random ru * n in ciphertexts c i and c j if α n of U n has changed k − 1 times. α n of U n in c i is also replaced by random α * n if α n of U n has changed k − 1 times. . . .
• game n·q s : game n·q s is the same as game n·q s −1 except that ru n of U n is replaced by random ru * n in ciphertexts c i and c j if α n of U n has changed q s − 1 times. α n of U n in c i is also replaced by random α * n if α n of U n has changed q s − 1 times.
• game n·q s +1 : game n·q s +1 is the same as game n·q s except that rd 1 of D 1 is replaced by random rd * 1 in ciphertexts d i and d j if β 1 of D 1 has not changed. β 1 of D 1 in d j is also replaced by random β * 1 if β 1 of D 1 has not changed.
• game n·q s +2 : game n·q s +2 is the same as game n·q s +1 except that rd 1 of D 1 is replaced by random rd * 1 in ciphertexts d i and d j if β 1 of D 1 has changed one time. β 1 of D 1 in d j is also replaced by random β * 1 if β 1 of D 1 has changed once. . . .
• game n·q s +k : game n·q s +k is the same as game n·q s +k−1 except that rd 1 of D 1 is replaced by random rd * 1 in ciphertexts d i and d j if β 1 of D 1 has changed k −1 times. β 1 of D 1 in d j is also replaced by random β * 1 if β 1 of D 1 has changed k − 1 times. . . .
• game (n+1)·q s : game (n+1)·q s is the same as game (n+1)·q s −1 except that rd 1 of D 1 is replaced by random rd * 1 in ciphertexts d i and d j if β 1 of D 1 has changed q s − 1 times. β 1 of D 1 in d j is also replaced by random β * 1 if β 1 of D 1 has changed q s − 1 times.
• game (n+1)·q s +1 : game (n+1)·q s +1 is the same as game (n+1)·q s except that rd 2 of D 2 is replaced by random rd * 2 in ciphertexts d i and d j if β 2 of D 2 has not changed. β 2 of D 2 in d j is also replaced by random β * 2 if β 2 of D 2 has not changed. . . .
• game (n+1)·q s +k : game (n+1)·q s +k is the same as game (n+1)·q s +k−1 except that rd 2 of D 2 is replaced by random rd * 2 in ciphertexts d i and d j if β 2 of D 2 has changed k − 1 times. β 2 of D 2 in d j is also replaced by random β * 2 if β 2 of D 2 has changed k − 1 times. . . .
• game (n+2)q s : game (n+2)q s is the same as game (n+2)q s −1 except that rd 2 of D 2 is replaced by random rd * 2 in ciphertexts d i and d j if β 2 of D 2 has changed q s − 1 times. β 2 of D 2 in d j is also replaced by random β * 2 if β 2 of D 2 has changed q s − 1 times. . . .
Proof of Lemma 1: If a forged MAC appears in game 0 , we can construct an algorithm F that breaks the SUF security of the underlying MAC scheme Mac.
F is given oracles Mac sk (·) and Vrfy(·, ·) in the MAC scheme experiment, and uses the oracles to make and verify the MACs that are supposed to be generated and verified with mk i or mk j in a randomly selected instance. A more concrete description of F is as follows:
1) F is given oracles Mac sk (·) and Vrfy(·, ·). F randomly selects * ← [1, n+m] and k* ← [1, q s ]. If * ∈ [1, n], F uses the oracles instead of MAC key mk i for the k*-th instance of user U * . If * ∈ [n + 1, m], F uses the oracles instead of MAC key mk j for the k*-th instance of drone D *−n .
2) For each oracle query of A, F answers it the same as in game 0 except for the following:
• For Send: If this query is made for the k*-th instance of the target party, the oracles Mac sk (·) and Vrfy(·, ·) are used to generate and verify the MACs that are supposed to be generated and verified with mk i or mk j .
3) If a forged MAC appears with respect to the target instance, F outputs the forged MAC and message pair and quits. Otherwise, F stops when A stops.
If F correctly selects k* and * , F does not fail, so the following inequality holds. Lemma 1 follows.
Proof of Lemma 2: We first state the following two claims.
Claim 2.1: The advantage difference between two adjacent games is bounded as follows.
Finally, we prove the two claims.
Proof of Claim 2.1: We prove Claim 2.1 by dividing the game index ℓ into ℓ ∈ [1, n · q s ] and ℓ ∈ [n · q s + 1, (n + m) · q s ]. With the advantage difference
$$\mathrm{Adv}^{KE,Case2}_{A,\mathrm{game}_{\ell-1}} - \mathrm{Adv}^{KE,Case2}_{A,\mathrm{game}_{\ell}}$$
for ℓ ∈ [1, n · q s ], we can construct an algorithm D that breaks the LoR-CPA security of the underlying encryption scheme SE. D is given the encryption oracle E sk (LR(·, ·, b)) in the LoR-CPA experiment, and uses the encryption oracle to make c i and c j for the target instances. We give a more concrete description of D as follows, for ℓ = (i* − 1) · q s + k*, where i* ∈ [1, n] and k* ∈ [1, q s ]:
1) For Send: If this query is made to the instance of U i* and α i* of U i* has changed k* − 1 times, D queries (U i* || PU i* || α i* || PD j || ru i* , U i* || PU i* || α* i* || PD j || ru* i* ) to the encryption oracle E sk (LR(·, ·, b)) to get c i* . And D queries (PU i* ||ru i* , PU i* ||ru* i* ) to the encryption oracle to get c j . If this query is not to the target instance, D behaves the same way as in game ℓ .
2) For Test: This is the same as in game 0 . Note that a coin σ is flipped for the Test query.

3) If
Similarly, with the advantage difference $\mathrm{Adv}^{KE,Case2}_{A,\mathrm{game}_{\ell-1}} - \mathrm{Adv}^{KE,Case2}_{A,\mathrm{game}_{\ell}}$ for ℓ ∈ [n · q s + 1, (n + m) · q s ], we can construct an algorithm D that breaks the LoR-CPA security of the underlying encryption scheme SE.
D is given the encryption oracle E sk (LR(·, ·, b)) in the LoR-CPA experiment and uses the encryption oracle to make d i and d j for the target instances. We give a more concrete description of D as follows, for ℓ = n · q s + (j* − 1) · q s + k*, where j* ∈ [1, m] and k* ∈ [1, q s ]:
1) For Send: If this query is made to the instance of D j* and β j* of D j* has changed k* − 1 times, D queries (PD j* ||β j* ||ru* i ||rd j* , PD j* ||β j* || ru* i ||rd* j* ) to the encryption oracle E sk (LR(·, ·, b)) to get d j . And D queries (PD j* ||ru* i ||rd j* , PD j ||ru* i ||rd* j* ) to the encryption oracle to get d i . If this query is not to the target instance, D behaves the same way as in game ℓ .
2) For Test: This is the same as in game 0 . Note that a coin σ is flipped for the Test query.
3) If A's guess of σ is correct, D outputs 1.
Proof of Claim 2.2: Claim 2.2 follows from the fact that A cannot get any information about the ru i and rd j used to make the session key sk i,j of the Test session, since ru* i and rd* j are encrypted in the ciphertexts of all instances instead of ru i and rd j . Therefore,