Group Secret Key Generation Using Physical Layer Security for UAV Swarm Communications

In unmanned aerial vehicle (UAV) swarm networks, a group secret key (GSK) is required to enable secured UAV–UAV communications, multicast, and broadcast transmission. Moreover, it can be used for device authentication. Therefore, this article proposes an efficient GSK protocol denoted as the sequential secret group key (SSGK) algorithm for distributed UAV swarm-secured communications. The proposed protocol utilizes network coding to generate cooperation information that is transmitted on the channel and is uncorrelated with the generated secret key. The proposed protocol depends on the pairwise key generation process between pairs of UAVs. However, not all possible pairwise agreements are performed to minimize the time and signaling overhead, i.e., the pairwise key agreement is performed only between selected UAVs as a compromise between the required overhead transmission resources and the achieved redundancy level. The obtained results show that a redundancy level of 4 is sufficient to provide a reliable GSK generation process. The results also show that the performance of the key generation process highly depends on the channel bit error rate (BER), the number of UAVs, and the key length.


I. INTRODUCTION A. Overview
Unmanned aerial vehicle (UAV) mesh communication networks have gained interest for several applications, such as surveillance and security, remote sensing, and rescue missions [1], [2], [3].Of particular interest is the case of multiple UAVs working collectively to accomplish a mission objective.Widely referred to as UAV swarms, this group of UAVs can find their applicability in a variety of use cases that a single UAV cannot accomplish [4].However, UAV swarm communications are vulnerable to various security attacks due to their distributed and cooperative nature.Any security attack can be fatal as it can fail the ongoing mission, perform some mischievous tasks, and even lead to crashing or seizing the UAVs.UAV swarms have recently started a new era of applications in the defense industry.For example, the U.S. military recently launched a huge project to use autonomous UAV swarms on a massive scale to defend against various types of attacks [5].In such applications, a certain command might need to be shared securely among all members of the swarm.However, direct communications between the central control center and all UAVs might be infeasible, and hence, distributed key sharing will be indispensable.Therefore, data communicated between the swarm members over the mesh should be secured, and the members' authenticity must be continuously validated [6].To this end, a group secret key (GSK) can be a promising solution to ensure secure communications and device authentication.
Traditional cryptography-based infrastructure can generate a GSK within the UAV swarm mesh networks.However, UAV swarm mesh networks, usually characterized as infrastructureless, distributed, and dynamic, can challenge a practical implementation of such cryptography-based security solutions.There is also some work on infrastructureless authentication and key agreement schemes for vehicular networks [7], [8] as well as UAV [9], [10], [11].Vehicular networks have some work related to group key generation (GKG), but in the UAV network domain, most of the work is on authentication and key agreement between two UAVs.Recently, physical layer security (PLS) based key generation has received considerable attention over the past decade due to its suitability for distributed and infrastructureless wireless networks [12], [13], [14], [15], [16].The main advantage of physical layer security (PLS) is that it can allow users to share a secret random key based on the unique characteristics of the channel between them.If the channel varies frequently over time, which is usually the case for several wireless applications, users can update the shared secret key with reasonable communication overhead and reduced computational complexity.Consequently, system security can be improved because varying the key frequently enables approaching Shannon's perfect secrecy condition [17].Nevertheless, the air-to-air (A2A) channel entropy for UAV communications can be low, which can lead to a low key generation rate.To overcome such problems, Assaf et al. [18] proposed using physically unclonable function (PUF) where the channel coefficients are used as the challenge for the PUF and PUF emulator (PUFe).Although the reliability of PUFs can deteriorate when experiencing a wide variation in temperature or supply voltage variations, new research results show promising results.For example, the 28 nm CMOS PUF proposed in [19] demonstrated robust performance for temperatures in the range of −40 to 100 • C and voltages of 0.5-1.4V.
However, PLS-based key generation is primarily suitable for point-to-point communications because PLS relies on the characteristics of the shared channel randomness and the underlying channel reciprocity (CR) principle between pairs of users.On the contrary, GSK is envisioned to ensure a secure information transfer, irrespective of the mode, whether it is broadcast, multicast, point-to-point, or relay-based communications.Beyond fast information transfer, the GSK can further find its application for device authentication in a network [20].For instance, the GSK can be used as a secret token for continuous authentication.Toward this, some practical usages of GSK are for ensuring information security in platoon-based vehicular and UAV swarm networks.Unlike peer-to-peer communications, no common wireless channel exists between all UAVs in a mesh network based on which a group key (GK) can be generated.More specifically, in the presence of M UAVs, there will be M(M − 1)/2 different channels associated with them.Consequently, direct key generation and distribution processes based on the mutual channel between the pairs of UAVs are practically infeasible.

B. Motivation and Contribution
Unlike the work reported in the literature, this work proposes a novel algorithm for distributed GSK generation with application to UAV swarm mesh communications.The proposed algorithm is denoted as the sequential secret GK (SSGK).The main contributions of this article are as follows.
1) The SSGK couples the randomness of the wireless channels and PUFs to generate and share a GSK for UAV swarm communications.2) Due to the complexity encountered by deploying a PUFe in each UAV, an efficient group partitioning is considered where each UAV is equipped with a small subset of emulators.The subset size is a design parameter that is selected based on the desired complexity and redundancy levels.However, it is typically much smaller than the total number of UAVs in the network.3) Network coding with a leader selection process is adopted to ensure secure and robust key generation for all members of the swarm.The algorithm depends on the pairwise key generation (PKG).However, it is not required to generate pairwise keys between all pairs of UAVs [21].4) The UAVs partitioning provides an additional degree of freedom to tradeoff complexity with connectivity.
The minimum complexity and lowest probability of connectivity are obtained when each UAV is equipped with only one PUFe.In this case, each UAV can communicate only with another predefined UAV.
The other extreme, that is, the maximum complexity and probability of connectivity, is obtained when each UAV is loaded with the PUFe of all other UAVs in the swarm.The UAVs partitioning offers a flexible compromise between the two extremes.The selection of system parameters depends on the available resources and performance requirements.
As compared with the single PUFe case, having multiple PUFs in each UAV offers each UAV the choice to communicate with other multiple UAVs, i.e., it creates connection redundancy.5) The system performance is evaluated in terms of the probability of GK disagreement, the average number of UAVs that managed to share the GK, and system complexity.The results are presented for various key lengths and redundancy orders.6) The performance of the proposed SSGK algorithm is compared with the state-of-the-art, and the results obtained confirm its efficiency.
Based on the extensive literature search and to the best of the authors' knowledge, there is very little work that proposes GSK generation using PUFs, which are used to generate the pairwise keys between certain UAV pairs efficiently and securely.The main advantage of PUFs is their ability to operate efficiently in near-flat fading channels, which is not the case for most other existing algorithms [18].However, configuring all UAVs with all PUFes can be prohibitively complex.Therefore, we propose set partitioning to reduce complexity with negligible performance degradation.Another crucial feature is that no central UAV is required in the proposed scheme; therefore, the GK can be generated in a distributed manner.Moreover, redundancy is exploited to improve the probability of successfully sharing the GK.Such a performance improvement is proportional to the redundancy order, as illustrated later in the numerical results.

C. Article Organization
The article is organized as shown in Fig. 1.

D. Notations
Table I presents the notations used throughout the article.

II. RELATED WORK
There are several studies on authentication and key agreement for group communication in drone communication using different approaches, such as classical cryptographic [7], [22] based approaches, PLS, and blockchain [23].Table II presents a summary of the relevant literature on authentication and key sharing using different techniques.The studied protocols have been proposed for UAV network with centralized and distributed approaches.
The work on GSK generation using PLS can be broadly classified into two categories: GSK based on PKG [21], [24], [25], [26]; and GSK based on shared common randomness [24], [27], [28].Most of the work belongs to the first category as it can utilize pairwise key-generated schemes.GSK based on pairwise keys is generated by creating all possible pairwise keys between all UAVs.However, generating a key between all pairs and sharing the keys between all UAVs require significant transmission resources, particularly for a large dynamic network.Xu et al. [21] propose an efficient algorithm for GSK generation for a three-UAV network, multinode ring network, and multinode mesh network.All pairwise keys are generated and divided into small segments to generate a one-time pad sequence.The algorithm depends on all generated pairwise keys, significantly increasing the signaling overhead group users.In [25], the channel between the central UAV and the reference UAV is considered as the common secret.The GK is leaked if the link between the two UAVs is compromised.A UAV addition is impossible without increasing the number of broadcasts on the network.Peng et al. [26] proposed a GKG for self-organizing networks based on the PKG of the legitimate users with two neighbors.However, the proposed scheme is not robust because the key cannot be exchanged with the entire group if any link is lost.The difference of signal strength (DOSS) is used in [24] as the common secret.Jagadeesh et al. [27] have designed a consensus algorithm for a three-UAV network called the entropy-maximization error-minimization algorithm to maximize the entropy of the secret key such that the mismatch rate is less than a certain bound.Furthermore, Thai et al. [28] have proposed a GSK generation framework over mesh networks, wherein each UAV is equipped with multiple antennas.Specifically, the scheme required every network UAV to estimate the channel with every other UAV and then perform postpossessing cooperatively to arrive at a shared common group secret.However, the schema is limited to one-hop mesh networks and may incur much overhead regarding channel estimation.
Furthermore, the inherited randomness associated with the wireless channel may be limited in specific scenarios, such as rural areas, aerial-to-ground station line-ofsight communications, and UAVs-to-UAVs communications.This may limit the generation of a truly random key over the air and even make it easier for any intruding UAVs flying in the near vicinity to clone such a secret key.This requires a complementary source of randomness, which is also almost unclonable.To this end, PUFs can be an interesting solution.PUFs are integrated circuits with unique and unclonable structures due to the fabrication conditions and process.PUFs are characterized by a set of channel-response pairs, that is, for each challenge input to PUF, there is a unique response obtained as the output of PUF.PUFs can be used to improve the characteristics of the pairwise keys generated using the conventional PLS techniques.In such configurations, PLS can be used to generate an intermediate key, which is fed to the PUF that generates the final key [18].Any two UAVs can generate a pairwise key if one of them has a PUF and the other has the corresponding emulator [29], [30], [31], [32].The concept of coupling the random wireless channels and the PUF function to generate GSK is yet to be explored in the literature.

III. SYSTEM AND CHANNEL MODELS
This work considers a UAV swarm mesh network with M UAVs distributed uniformly in a given geographical area.The set of UAVs is represented by M = {U 1 , U 2 , . . ., U M }, and all UAVs must generate and share a common GSK.In this work, it is assumed that all UAVs are trusted and each UAV has at least one other UAV in its transmission range to initiate the PKG process.The assumption that all nodes are trusted can be justified by noting that using PUFs with PLS provides inherent authentication, as described in Section V-A.The transmission time is divided into frames, where each frame is divided into two time slots, T GKG and T DT , as shown in Fig. 2. The slot T GKG is the period for the GKG and T DT is the data transmission time, T GKG T DT .The channel between U i and U j is denoted as h i, j = h (1)  i, j , h (2)  i, j , . . ., h (Q) i, j , where Q is the number of frequency slots or subcarriers used for communications [18].The channel is considered to be quasi-static, that is, the channel is fixed for at least T C > T GKG s, where T C is the channel coherence time.Moreover, given that the channel is reciprocal, then h i, j = h j,i ∀{U i , U j } ∈ M i , i = j.Although the channel is quasi-static in the time domain, it may vary in the frequency domain due to the frequency selectivity caused by the multipath reflections.
Each of the M UAVs is equipped with a single PUF device [36], and due to complexity constraints, the corresponding PUFe is installed only at a subset of UAVs.Therefore, the set M can be partitioned into , where M i represents the subset of UAVs that have the PUFe of U i .The ith UAV is considered to be aware of the channel state information (CSI) of all UAVs that belong to its subset, that is, U i is aware of h i, ∀ , where U ∈ M i [37].

A. Pairwise Key Generation
The proposed protocol is based on the PKG process [18], as shown in Fig. 3.The pairwise keys are generated based on the principle of CR and the PUF-based key generation algorithm [18].For the generation of pairwise keys between U m and U n , it is required that U n have PUF, while U m have PUFe of U n .The main steps of the PKG are as follows.The keys generated using this protocol are random and have a high key rate as compared with other PLS-based key generation algorithms [18].

B. Set Partitioning
Generally speaking, the UAV subsets do not have to be uniform, that is, each subset may contain a different PUFe.However, such partitioning creates a complexity imbalance, where the UAVs in large subsets have to be equipped with a larger number of PUFes, and the gain is a higher probability of successful GK sharing.The extreme scenario that would result in the highest complexity is to have only one set, where each UAV has the PUFes of the other M − 1 UAVs.The other extreme scenario provides the lowest complexity when only one PUFe is installed on each UAV.In such scenarios, if U i is down, then U 1 , U 2 , . . ., U i−1 and U i+1 , U i+2 , . . ., U M will never be able to generate and share a GK.Furthermore, if U i does not obtain the GK, then U i+1 , U i+2 , . . ., U M will not be able to obtain the GK during this trial.
Practically speaking, all UAVs in a swarm typically have similar and limited computational capabilities.Consequently, it is considered in this work that all UAVs in the swarm can support the same number of PUFe, defined as ζ .The value of ζ is critical for specifying the reliability and complexity of the network.In this context, the optimum ζ  can be defined as the value that maximizes the mesh connectivity while satisfying certain complexity constraints.To simplify the discussion, Fig. 5 The subsets in this case are Consequently, the redundancy order, in this case, is equal to the cardinality of the subsets, i.e., |M i | ζ i = ζ ∀i.It is worth noting that, according to Assaf et al. [18], the PKG process should be initiated by the UAV that has the PUF.As an example, in Fig. 5(a), U 5 can initiate the PKG process with U 4 , but not vice-versa.Therefore, each UAV in Fig. 5(b) has two possible UAVs with which it can connect to initiate the pairwise key sharing process.The detailed description of the proposed scheme, denoted as SSGK, is given as follows.

IV. PROPOSED SSGK PROTOCOL
Due to the set partitioning process, it is necessary to manage the GKG process such that each UAV joins the group in a certain order.Moreover, the UAVs that fail to connect or become disconnected in a certain time frame T i should be allowed to rejoin in the time frame T i+1 .Toward this goal, the time slot T GKG in each time frame is divided into M subslots, as shown in Fig. 2, where T GKG = {τ 1 , τ 2 , . . ., τ M }.Subslot τ i is reserved for U i to attempt joining the mesh key agreement process.Without the loss of generality, consider that the UAVs join the GKG process sequentially in the order of their indices, i.e., the process starts with U 1 in τ 1 , and then U 2 attempts to connect with U 1 in τ 2 , to generate the pairwise key K 1,2 .If U i becomes disconnected or fails to obtain the GK, it can retry connecting in τ i in the next time frame.

A. Protocol Terminologies
The following terminologies will be used to explain the protocol.
1) New UAV: The UAVs of the swarm are added in a sequential order, whereU i attempts to connect during τ i , such a UAV is referred to as the new UAV.2) Existing UAV: The UAVs that managed to generate and share the GK in their respective slots.3) Contacted UAV: A new UAV will select a certain existing UAV to generate a pairwise key, such a UAV is referred to as the contacted UAV. 4) Subslot GK: The GK might be updated every time subslot as a result of adding a new UAV.The GK after subslot i in which U i is added is represented as

B. Protocol Overview
The flowchart of the algorithm with the communication sequence is presented in Fig. 4. A new UAV selects a contacted UAV based on the channel conditions and generates a pairwise key with it.The contacted UAV can be selected from a set of UAVs that has the emulator of the new UAV present.The contacted UAV generates cooperation information (CI) using the pairwise keys present at the UAV and broadcasts it in the network.The generation of the CI is the core of the protocol and is used to extract the GK.

C. Protocol Procedure
The proposed protocol has the following main steps.1) Initialization: In T 1 , the process starts when U 1 and U 2 attempt to generate the pairwise key K 1,2 = K 2,1 using the algorithm, as presented in Section III-A in τ 2 .The GK after τ 2 is K (2)  G = K 1,2 .The sequential key generation process requires certain operations to be performed by the new, contacted, and existing UAVs in each time subslot.Algorithms 1, 2, and 3 present the pseudocode of the new, contacted, and existing UAV, respectively.
2) Contacted UAV Selection: The new U i , i ∈ {3, 4, . . ., M}, joins the mesh in its respective τ i and will select the contacted UAV from subset M i to generate a pairwise key.The contacted UAV is selected based on the channel conditions between the new UAV and the other UAVs in M i to ensure that the PKG step is performed with the UAV that has the best channel conditions, i.e., the maximum average channel gain hi, i, j .Therefore, the index of the contacted UAV can be selected such that Although the selection of the contacted node based on the channel strength is the defacto standard for such applications, channel probing and RSS computation may cause a time delay and increase the computational complexity.Furthermore, the A2A channels for communicating UAVs may exhibit equivalent strengths due to the line-of-sight signals in such channels [38].Therefore, the selection based on RSS can be inefficient.As an alternative approach, the new U i broadcasts a dummy key to all UAVs in M i , and the one that acknowledges that it received the dummy key correctly will be considered as the contacted UAV.The proposed contacted UAV selection is called the successful link selection algorithm (SLSA).
3) PKG: The new U i and the contacted U v generate a pairwise key in τ i , which gives K i,v = K v,i .For a mesh network with M UAVs, a total of M − 1 pairwise keys should be generated in T GKG s in every time frame.
4) CI Generation and Broadcasting: It is the core of the protocol where the contacted UAV generates CI, which is broadcasted to the existing UAVs and new UAV.The CI should not leak any information about the GK and should only be meaningful to legitimate UAVs.In this work, CI is generated by performing an exclusive-OR (XOR) operation between the GK generated in τ i−1 and the new pairwise key of the new UAV generated in τ i .The XOR process is uncorrelated in nature and decreases the leakage of information on the channel.Therefore, U v generates the CI to add U i τ i as follows: The cyclic redundancy check (CRC) of c (i) v , referred to as s v , is computed and appended to c (i)  v .The CRC is used to verify the transmitted data on the channel, which will eventually verify the correctness of the selected GSK at the existing UAVs.The CRC code consists of b bits and it approaches a misdetection probability of 2 −b over the binary symmetric channel (BSC) for large bit error rate (BER) probabilities.Generally speaking, using 16-bit CRC provides near-ideal error detection [39].The cooperative data along with the CRC, [c (i)  v s v ], are broadcasted by the contacted UAV to the new and existing UAVs, U 1 , U 2 , . . ., U i .The signal received at U i is denoted as y v,i .

5) Key Extraction Process:
The key extraction process is performed at the existing and new UAVs apart from the contacted UAV.The existing U q extracts c (i)  v and the estimated sequence is denoted as ĉ(i)  v .Then, the CRC of c (i) v is computed, which gives s q , as described in Algorithm 1.
After CRC matching, K v,i can be extracted as Similarly, at U i , G is extracted as follows: Therefore, all the UAVs in the mesh until τ i will have two keys: a key for slot i − 1,

G
; and a pairwise key shared between the new U i and the contacted U v .
6) GK and Key Identity Number Update: Each UAV has two keys present after the key extraction process in τ i ,

G
and K v,i .The UAVs update the GK such that The sequential GKs generated with the addition of each UAV for a total of M UAVs are {K (1)  G , K (2)  G , . . ., K (M ) G }, and the GSK for T 1 is considered to be K (M )  G .As can be noted, the number of pairwise keys generated by some GSK algorithms, such as [21], is M(M−1) 2 , whereas in the worst case scenario, the number of pairwise keys required for the proposed SSGK is ζ i × (M − 1)∀i in a time frame.
7) Special Case: No Redundancy: For the special case of no redundancy, ζ = 1, the new UAV PUFe is available only in one other UAV, as shown in Fig. 5(a).Because there is only one UAV that has the emulator, the step of selecting the contacted UAV is not required, and the UAV added in In each slot, the pairwise key is generated between the new U i and the previously added It should be emphasized that the proposed protocol requires generating a total of M − 1 pairwise keys between all UAVs, and a similar number is required to transmit the XOR bits over the broadcast channel.The pairwise keys are generated as reported in [18], which requires less time to generate as compared with other PLS techniques.

D. Verification and Disconnected Nodes
The CI is transmitted with a CRC to enable verification of the integrity of the received data.Each UAV that receives CI verifies its integrity using CRC.In case of error, the UAV may request a retransmission of CI if an automatic repeat request (ARQ) is adopted.If a CI is ultimately not received, the UAV becomes disconnected from the swarm and should wait for its time subslot in the next time frame to connect as a new UAV.The time frame number should be transmitted with the CI to create a sequence of frame GKs on all the UAVs.This will enable the disconnected UAV to identify that the key it has is outdated.

V. PROPOSED SYSTEM PERFORMANCE A. Informal Security Analysis
In the literature, the resilience of GKG schemes has been discussed against various security attacks.Broadly, an attacker can be classified either as passive or active.From the context of the proposed GKG framework, any passive attacker may attempt to overhear the transmissions occurring during the key establishment phase and determine the GSK.On the contrary, an active attacker may inject harmful signals to interrupt the GKG process or manipulate the environment per his requirements.This work assumes that all participating nodes are initially mutually authenticated and the adversary is primarily passive.Apart from the passive adversary case, we also consider a case of active attack where an adversary tries to impersonate and attempts to participate in the key exchange process to determine the GSK.Furthermore, we do not consider denial-of-service (active attacks), such as jamming.Jamming is a typical attack in wireless communications, and several jamming avoidance solutions, such as frequency hopping and spread spectrum, can be incorporated into the proposed GKG framework to mitigate it.
The underlying GK generated from the proposed GKG framework applies equally to encryption and authentication use cases.Specifically, the key can encrypt common messages intended for a group/cluster of UAVs.Moreover, the key can serve as a secret token to identify the group members and provide a means of continuous authentication.Consequently, it is critical to test the strength of the final GSK.Moreover, the robustness and reliability of the proposed scheme from the security perspective must be ensured.The GKG framework must not leak or reveal any information that can come to the aid of the adversary in determining the key.Furthermore, the GKG framework should be resistant to impersonation attacks, machine-learning-based attacks, and stalking attacks [40].Accordingly, an informal analysis of the security of the proposed protocol under various attacks and key randomness is discussed in the following.
1) Key Randomness: The security of the generated keystream can be verified by invoking the randomness test.Specifically, consider first the security of the keystream generated for the case, where there exist only two UAVs, i.e., U ı and U j .In such a case, , where K ı,j is the pairwise secret key and K G is the GSK.Consequently, K ı,j was subjected to the randomness test using the National Institute of Science and Technology (NIST) standard test suite.Due to the constraint imposed by the minimum input length for the NIST test suite, eight NIST tests were executed.The corresponding p values for the tests were much larger than 0.01, which shows that the secret keys are random with 99% confidence.More exhaustive details on the randomness test are given in [18].Furthermore, for the case with more than two UAVs, the final K (i)  G in the ith time slot will be obtained by first sharing the XOR of the generated pairwise key K ı,j and a previously existing GSK

G
, and then operating min K ı,j , K (i−1)

G
. Now, the minimum operation is executed at every node between the keystreams K (i−1) G and K ı,j each of which individually satisfies the NIST randomness test.Consequently, the final GSK, that is, G will satisfy the randomness test.
2) Forward and Backward Secrecy: The proposed protocol considers a dynamic group of UAVs and assumes that the participating members are authenticated.In addition, the transmission time is divided into frames, where the ith frame T i is divided into two phases, T GKG for the generation of GK and T DT for the transmission of data.T GKG is further divided into M subslots, and each subslot τ m , where m ∈ {1, 2, . . ., M}, is reserved for the mth UAV trying to join the mesh key agreement process.Every new incoming UAV m is permitted to join its dedicated subslot τ m , resulting in a new GSK.Furthermore, if a UAV m gets disconnected or is not able to join in the m th subslot, then UAV m is allowed to join only in the next time frame.Therefore, the proposed protocol distributively generates a GSK in a time-bound manner and is unaffected if a new member joins or leaves within the present time frame.Moreover, under quasi-static channel considerations, generally T i T C (T GKG < T C ), where T C , and hence, the GSK generation process in each time frame should be independent.Consequently, owing to the constraints imposed due to T C and also since the joining and leaving of any member do not affect the GSK generation process, the previous and future GSK remain unaffected and uncorrelated.Accordingly, the proposed GSK protocol ensures forward and backward secrecy [41].
3) Resilience to Eavesdropping Attacks: During the GSK protocol, having more than two UAVs, the cooperative information

G
⊕ K v,i must be broadcast over the wireless channel so that all the network UAVs may agree to a common GSK.Notably, it is worthwhile to mention that the uncorrelated nature of the XOR operation ensures that the channel does not leak information.This is because the XOR of a random key stream with another random and uncorrelated key stream yields another random stream [42].For instance, let us denote the mth bit of K (i−1)   G and K i v,i as g m and k m , respectively.Now, the probability that Pr[g m ⊕ k m = 0] = Pr[g m = k m ] can be further expressed as follows: Therefore, each bit in the XOR of K (i−1)

G
and K v,i is chosen independently with a probability of 0.5, which means c (i)  v is a random string.Consequently, knowing c (i)  v gives no information about G and K v,i except its length, even to an eavesdropper with unlimited time and power.4) Resistance to Impersonation/Spoofing Attacks: The information transmitted on the channel is the XOR of the two pairwise keys stored at any UAV.The uncorrelated nature of the XOR operation ensures that the channel does not leak information.Even if an eavesdropper receives the message, it will not be able to extract the key from the transmitted messages.If a malicious user sends a joining request as described in the proposed SSGK to the mesh, it will not be able to generate the pairwise key with any other UAV in the mesh because the malicious user PUFe should be installed at certain legitimate UAVs.Consequently, the proposed scheme has inherent authentication that makes it improve its security against certain threats, such as the spoofing attack [34], [43], [44], [45], [46], [47], [48].It is also worth noting that the PKG is based on the CR concept, which also improves the immunity against spoofing.Furthermore, if a malicious UAV receives the CI transmitted on the channel, it will not be able to extract the key from the received information because it needs to know either the pairwise key or the slot GK to extract the information of the other UAV.The sequential keys being generated with the addition of each UAV in a slot is 5) Resilience to Machine-Learning-Based Attacks: Recently, some studies have shown that PUF security can be compromised by using several machinelearning-based strategies [49].Specifically, here the attacker by continuously monitoring the challengeresponse tries to model the PUF behavior.However, in the presented work, the challenge is generated by exploiting the CR concept, thereby restricting machine-learning-based attacks on the PUFs.6) Resilience to Stalking Attack: Any adversary, called a stalker, may follow the legitimate nodes' trajectory and may attempt to measure the corresponding wireless channel [40].Closer is the stalker node, easier for him to accurately estimate the channel.However, the involvement of PUFs in the process of deriving the key fails any attempt of the stalker to exploit the knowledge of the channel.Furthermore, in static and line-of-sight scenarios, the artificial fading component involved in the pairwise secret key generation protocol further provides inherent security against such types of attacks.
Furthermore, as depicted in Fig. 5(a), a group of PUFes is preconfigured at a certain UAV during the enrollment phase for the PKG process.Consequently, UAV anonymity is not guaranteed within that particular subset of UAVs, but it is not the case for UAVs in other sets.To guarantee anonymity across the entire swarm, the PKG can be performed while adopting anonymity enhancement schemes [35], [41], [50].

B. Complexity
The proposed system complexity can be evaluated in terms of storage requirement, computational complexity, and hardware complexity.
The storage requirements for the proposed scheme can be evaluated by counting the size of the data that needs to be regularly updated.The static data can be stored in lookup table (LUT), and thus, it is considered a hardware overhead [51].By referring to Algorithm 1, each UAV should store the following.
1) CSI: The channel vector h consists of (ζ − 1)Q samples.Given that each sample is represented by 8 bits, then the total number of bits is 8(ζ − 1)Q.2) Intermediate and final pairwise keys Km,n and K m,n : Both keys have equal length of K bits.Therefore, the total is 2K bits.3) Old and new GKs: The total is 2K bits.4) CI: The length of the CI is equal to the GK length, which is K bits.5) CRC bits: The length of the CRC is b bits.Therefore, the total storage required is 8(ζ − 1)Q + 5K + b bits.For example, given that Q = K = 256, b = 16, and ζ = 1, 2, . . ., 5, then the total storage is, respectively, equal to 1.26, 3.26, 5.26, 7.26, and9.26kB.
For a pair of UAVs to share a pairwise key, one UAV should have a PUF and the other UAV should have access to the challenge-response pairs (CRPs) for that PUF.A common approach is to use LUTs that securely stores certain CRPs.The size of the LUT can be varied based on the available hardware resources.For UAVs with limited hardware resources, small-size LUTs can be used; however, such LUT should be updated for every new mission.Generally speaking, if the number of UAVs is less than 100 and the number of CRPs is less than 50 000, the total size of the LUTs is relatively small [34].It is worth noting that if a PUF could be associated with a secret model that emulates the PUF behavior, then the secure storage requirements could be waived [52].

TABLE III Complexity Comparison
Algorithm 1: SSGK Steps to Add New U i in τ i .

G
The complexity comparison of the proposed scheme with the PLS-CR is presented in Table III.As can be noted from the table, the complexity of the SSGK is significantly less than [21], while it is equivalent to [25] and [26].

C. Communications Overhead
To share a GK, all UAVs in the mesh should exchange certain information, which forms communications overhead.For the proposed SSGK, the process starts with the channel probing process to generate the intermediate pairwise key between new and contacted UAVs.This process requires exchanging a secured version of the intermediate pairwise key Km,n multiple times until both UAVs agree on a key.The overhead of this process is equal to the number of iterations used to generate Km,n times the number of bits in the key K.However, based on the results in [18], the number of iterations is typically limited to one iteration.A similar process is applied to share the final pairwise key K m,n .Therefore, noting that M − 1 UAVs have to share the pairwise key, the overhead for this process is 2K (M − 1) bits.The proposed SSGK also requires sharing the pairwise key K m,n whenever a new UAV joins.Therefore, the corresponding overhead for this step is K (M − 2) because the GK sharing starts when the third UAV requests to join the mesh, and hence, the total overhead is K (3M − 4).The communication overhead reported in [33] is 832M + 960 bits, independently of the key size K.In [33], the key is always hashed and, therefore, does not affect the size of the transmitted messages.Therefore, for a key size of up to 256 bits, the proposed SSGK still has a communication overhead lower than [33].Consequently, the proposed SSGK can be considered efficient in terms of communication overhead compared to [33] and the references listed therein.
Generate pairwise key for U i and U v 3: G Algorithm 3: GK Update for U q ∀q = {i, v}.
Input: y v,q Output: Extract the pairwise key for U i and U v 5:

VI. NUMERICAL RESULTS
This section presents the numerical results to evaluate the performance of the proposed SSGK protocol.The results are generated using Monte Carlo simulation where each simulation point is generated using 10 6 key generation trials.Table IV presents the parameter sets considered in the simulation.The contacted UAV selection is performed using the SLSA and the channel is modeled as a BSC with a transition probability 10 −1 ≥ p ≥ 10 −5 .The considered range of p covers a wide range of channel fading conditions, modulation, and coding schemes.The performance of the SSGK is compared with the efficient algorithm reported in [21].To exclude the impact of the PKG process, the pairwise key is considered ideal, i.e., the new and existing UAVs consistently generate the pairwise keys successfully.To reduce the simulation complexity, CRC process is assumed to be perfect, i.e., the probabilities of false alarm and miss detection are equal to zero.Such performance can be obtained using 16 or 32 bits CRC [39].The redundancy order is selected such that 1 ≤ ζ ≤ 4. The case of ζ = 1 is the minimum to enable connectivity between all the mesh UAVs and ζ = 4 is generally sufficient to provide high connectivity probability while maintaining a reasonable computational complexity.In addition to GK sharing, the proposed protocol can be used to share certain commands securely without the need for encryption.Therefore, the key/command lengths used covers a wide range of key lengths, which are {8, 12, 16, 24, 32, 64}.The work considers two performance evaluation metrics: the group key disagreement (GKD) ratio, which is defined as N T , where N A is the total number of times the GK is generated successfully for the M UAVs in T 1 and N T is the number of attempts made to generate the GK; and average UAVs in agreement, which is defined as the average number of UAVs that managed to share the GK successfully during T 1 .The GKD is a commonly used metric for the GKG protocols [26].
Fig. 6 shows the GKD ratio and average UAVs in agreement versus p for ζ = 1, 2, 3, 4, M = 10, and K = 64.The values of p are presented on the x-axis in decreasing order.As can be noted from the figure, the GKD ratio improves by decreasing p, and P GKD = 1 for p 10 −2 for ζ = 4 and p 5 × 10 −2 for ζ = 1.The figure shows that the gain obtained by increasing ζ becomes smaller for large values of ζ .For example, at p = 10 −4 , increasing ζ from 1 to 2 reduces P GKD by about 62%.However, increasing ζ from 2 to 3 reduces P GKD by about 27%.It is worth noting that ζ does not affect the system efficiency because it only increases the number of possible connections for the new UAV.Therefore, increasing ζ may improve the key sharing success probability at the expense of some hardware complexity due to the increase in the number of PUFes.Fig. 7 shows the average number of UAVs in agreement using the same settings as Fig. 6(a).It can be observed that, for p = 10 −2 , 30% of the UAVs can connect in T 1 when ζ = 1, whereas 73% are able to connect using ζ = 3.The impact of redundancy can also be observed at high values of p, such as 0.1, where using ζ = 4 offered about 45% connectivity, while using ζ = 1 offered only 13%.Fig. 8. SSGK disagreement ratio compared with Ren's algorithm [33] with varying key length and redundancy order ζ i = 2∀i.
Fig. 8 is plotted for various values of K with ζ = 2.As the figure shows, the key length has a significant impact on P GKD .For example, at p = 10 −3 , increasing K from 8 to 64 increases P GKD by a factor of 6.6.For K > 16, the value of p should be less than 10 −4 to obtain P GKG of 10 −2 .Moreover, the degradation ratio versus the key lengths seems roughly fixed for a wide range of p.It is worth noting that these results can be significantly improved when the performance is evaluated for multiple time frames.The same trends can also be noted for M A in Fig. 9.For example, using K = 64 provides M A = 2.2, while for K = 8, it gives M A = 4.2, i.e., 22% and 42% connectivity, respectively.Roughly speaking, the system provides connectivity of more than 90%, given that p < 10 −3 for all the considered values of K. Fig. 9. SSGK average number of UAVs in agreement with various key lengths and redundancy order ζ i = 2∀i.The SSGK results are compared with Ren's algorithm [33].
Fig. 10.Relationship of key disagreement ratio and the average ratio of UAVs in agreement with the mesh size for the key length of K = 64 and redundancy order ζ i = 2.The comparison with Ren's algorithm [33] is also presented.
Figs. 8 and 9 also present the results of Ren's algorithm [33].Ren et al. [33] present a group authentication and data transmission scheme using the PUF for NB-Internet of things (IoT) in which the output of the PUF is viewed as a shared root key for mutual authentication and key agreement.In this scheme, a group leader (GL) is used to aggregate and relay authentication information to the wired network side.The article assumes that the PUF has ideal stability and response.So, if the output of the PUF changes for any reason, the algorithm will fail.Although the proposed scheme can support a key of different sizes Fig. 11.Comparison of the SSGK with Xu's algorithm [21] for M = 3. Fig. 12.Comparison of the SSGK with Xu's algorithm [21] and Ren's algorithm [33] for various mesh sizes and key length of K = 15.because the key is always hashed, the size of the transmitted messages does not depend on the size of the key.Fig. 10 shows the effect of the mesh size M on the P GKD and the ratio M A /M, where M A are the UAVs that have the same key.The considered case assumes that ζ i = 2∀i and K = 64.The key disagreement ratio is proportional to the mesh size, and the average ratio of UAVs in agreement is inversely proportional to the mesh size.The decrease in the ratio of UAVs in the agreement is significant at high BER.
In [33], although the use of a GL reduces signaling, it creates a single point of failure.Since a wireless link is never error-free, the protocol can suffer greatly from errors in the wireless link between IoT devices and the GL, and even severe failures if the errors occur on the wireless link between the GL and the wired network.
Another scenario of K = 24 and K = 12, and M = 3 is presented in Fig. 11.For this, a comparison is performed with an existing protocol for GKG.It can be observed that the special case of no redundancy provides the same performance as in [21], but with more redundancy, the performance gain of the proposed protocol increases.Fig. 12 shows the comparison of Xu et al.'s [21] work with the proposed SSGK algorithm in terms of the average ratio of nodes in agreement.For the proposed algorithm, the average ratio of nodes in agreement decreases with the size of the mesh.Xu's algorithm depends on all the pairwise keys generated compared with the proposed algorithm, which selects the GK as the minimum value of the pairwise keys generated.Due to this, a drastic improvement is observed in our algorithm compared with [21].

VII. CONCLUSION AND FUTURE WORK
This work studied the problem of GSK generation for UAV swarm communications and proposed an efficient protocol based on the PLS.The proposed protocol follows a distributed approach in which no central node is used to control or coordinate the key generation process.To reduce the complexity of deploying PUFes in all UAVs, set partitioning is used where only a small number of emulators is deployed at each UAV.Having multiple PUFes at each UAV, as opposed to a single PUFe provides connection redundancy, which allows providing a performance improvement in the key disagreement ratio and the average number of UAVs in agreement.The obtained results showed that the proposed protocol can provide a low GKD ratio of about 1.8 × 10 −2 for a channel transition probability of 10 −4 .For a channel transition probability of 5 × 10 −3 , the average number of nodes approaches 100% when the swarm is composed of ten nodes.
Optimizing the cluster size based on the desired performance and mesh size is an interesting problem that will be investigated in future work.Moreover, reducing the communications overhead can be performed by using nonorthogonal multiplexing where the key generation bits can be combined with information bits to improve the system's spectral efficiency.

Fig. 2 .
Fig.2.System model for UAV swarm GSK generation, where T j is the jth transmission frame, T GKG and T DT are the GKG and data transmission time slots, and T GKG, j,i is the time subslot allocated for UAV i in frame j.

Fig. 3 .
Fig. 3. System model for PKG between U m and U n , where U n has the PUF n and U m has the corresponding PUF n emulator.

TABLE I Notation
Used Throughout the Article

TABLE II Tabulated
Comparison of Selected State-of-the-Art Articles Versus the Proposed Scheme Group key after adding UAV i .K m,n Final pairwise key between UAV m and UAV n .γv,i Received signal strength for U v and U i .Set of UAVs, M = {UAV 1 , UAV 2 , ..., UAV M }.CI for the addition of UAV i in time subslot j.Signal received at UAV i from UAV v .M i Subset of UAVs that have the PUFes for UAV i .Km,n Intermediate pairwise key for UAV m and UAV n .ζUnified system cardinality.ζi Cardinality of subset M i .bNumber of CRC bits.E i Emulator for the PUF of U i .hi, jChannel gain between UAV i and UAV j .Index of the contacted UAV.PUF v,i PUF of UAV i at UAV v .
G ĉ(i) v Estimated version of c (i) v .ŝq CRC of ĉ(i) v .M c ( j) v s v CRC bits generated for c ( j) v .y v,i v