With the rapid expansion of Internet of Things (IoT) devices, application scenarios such as smart cities and industrial intelligent manufacturing demand wider coverage and higher connection density from communication systems. Traditional terrestrial base stations have limited capacity to serve IoT devices in remote or complex environments. Unmanned Aerial Vehicles (UAVs), owing to their flexible deployment and high mobility, can function as aerial base stations that effectively complement terrestrial networks, providing reliable and energy-efficient access for remote IoT terminals. Additionally, the expected sixth-generation (6G) connectivity of tens of billions of devices may give rise to signaling conflicts and congestion at key nodes. To address these challenges, multi-cluster access schemes based on cluster division have been proposed. In these schemes, different clusters connect simultaneously to orthogonal subchannels, enabling UAVs to assist multiple IoT device clusters in accessing terrestrial networks concurrently. However, UAV-assisted multi-cluster communication faces pressing security and performance issues, including the susceptibility of air interface channels to attacks, the limited computational and storage capacities of IoT devices, signaling conflicts arising from massive concurrent access, and the requirement for seamless handover mechanisms due to the restricted endurance of UAVs. Therefore, the development of a secure and efficient UAV-assisted multi-cluster concurrent access and handover authentication scheme is essential.

UAVs can extend IoT connectivity where terrestrial infrastructure is absent, but placing the access point in the air also exposes the air interface to eavesdropping, spoofing, and physical capture of the UAV or of the devices it serves. Existing authentication schemes rarely handle the concurrent access of massive IoT device clusters or the handover between UAVs, leaving gaps in data integrity and service continuity. This paper proposes an authentication scheme that leverages Physically Unclonable Functions (PUFs) to provide lightweight security for IoT devices while enabling multi-cluster concurrent access and handover via UAVs. The scheme provides mutual authentication, data security, and resistance to common attacks while keeping signaling, computational, and storage overheads low.
The system model comprises three main entities: the ground network, UAVs, and IoT device clusters. The ground network is responsible for authenticating UAVs and IoT devices, while UAVs act as intermediaries to facilitate communication. IoT device clusters consist of multiple resource-constrained devices and a gateway that aggregates data. The threat model follows the Dolev-Yao framework, where adversaries can intercept, modify, and inject messages over insecure channels. Security requirements include mutual authentication, data confidentiality, resistance to replay and man-in-the-middle attacks, and resilience against physical attacks. The proposed scheme addresses these requirements through a combination of pre-shared keys, PUF mechanisms, and multi-layer signaling aggregation.
The proposed scheme is divided into four phases: registration, UAV access authentication, multi-cluster concurrent access authentication, and multi-cluster concurrent handover authentication. In the registration phase, IoT devices and UAVs are provisioned with the necessary credentials offline. For each IoT device cluster, the ground network selects a PUF challenge; every device in the cluster evaluates its PUF on that challenge and returns the response over a secure channel, and the ground network stores the resulting challenge-response pairs. UAVs register with the ground network to obtain temporary service identifiers, long-term shared keys, and service validity periods. This phase gives every entity the material it needs for the later phases.
During the UAV access authentication phase, the UAV and ground network perform mutual authentication using the pre-shared long-term key. The UAV sends an access request containing a sequence number, which provides freshness against replay, and a message authentication code (MAC) computed under its long-term key. The ground network verifies the MAC and the sequence number, returns a response value that lets the UAV authenticate the network in turn, and both sides derive a session key. This ensures that only registered UAVs can access the network and that subsequent UAV-network traffic is protected. The session key is computed as follows: $$K_{UAV-N} = KDF(K_{UAV} || ID_{UAV} || SQN_{UAV} || w_{UAV})$$ where $KDF$ is a key derivation function, $K_{UAV}$ is the long-term shared key, $ID_{UAV}$ is the UAV identity, $SQN_{UAV}$ is the sequence number, and $w_{UAV}$ is the service validity period.
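The UAV access exchange above, as an added Python simulation that is not part of the paper's own artefacts. It assumes HMAC-SHA256 for the MAC, an HMAC-based KDF with length-prefixed fields for $KDF$, and that the network's response value is a MAC under $K_{UAV}$ over the same fields with a distinguishing label; the paper names only "MAC", "KDF", and "response value", so those choices are assumptions. The sequence-number check shows the replay behaviour a practitioner would want to confirm.

```python
import hashlib
import hmac
import os


def _enc(*parts: bytes) -> bytes:
    # Length-prefix each field so that "a||b" cannot be re-split ambiguously.
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, _enc(*parts), hashlib.sha256).digest()  # assumed MAC


def kdf(*parts: bytes) -> bytes:
    # K_{UAV-N} = KDF(K_UAV || ID_UAV || SQN_UAV || w_UAV); HMAC stands in for KDF.
    return hmac.new(b"UAV-access-KDF", _enc(*parts), hashlib.sha256).digest()


class GroundNetwork:
    def __init__(self):
        self.uavs = {}  # ID_UAV -> {K_UAV, w_UAV, last accepted SQN}

    def register(self, id_uav: bytes, w_uav: bytes) -> bytes:
        k_uav = os.urandom(32)
        self.uavs[id_uav] = {"K": k_uav, "w": w_uav, "sqn": -1}
        return k_uav

    def access(self, id_uav: bytes, sqn: int, tag: bytes):
        rec = self.uavs.get(id_uav)
        if rec is None:
            return None
        sqn_b = sqn.to_bytes(4, "big")
        if not hmac.compare_digest(mac(rec["K"], id_uav, sqn_b, rec["w"]), tag):
            return None  # forged or corrupted request
        if sqn <= rec["sqn"]:
            return None  # replay: SQN must strictly increase per UAV
        rec["sqn"] = sqn
        resp = mac(rec["K"], b"resp", id_uav, sqn_b, rec["w"])  # assumed response value
        return resp, kdf(rec["K"], id_uav, sqn_b, rec["w"])


class UAV:
    def __init__(self, id_uav: bytes, k_uav: bytes, w_uav: bytes):
        self.id, self.K, self.w, self.sqn = id_uav, k_uav, w_uav, 0

    def request(self):
        self.sqn += 1
        sqn_b = self.sqn.to_bytes(4, "big")
        return self.id, self.sqn, mac(self.K, self.id, sqn_b, self.w)

    def finish(self, resp: bytes):
        sqn_b = self.sqn.to_bytes(4, "big")
        if not hmac.compare_digest(mac(self.K, b"resp", self.id, sqn_b, self.w), resp):
            return None  # network failed to prove knowledge of K_UAV
        return kdf(self.K, self.id, sqn_b, self.w)


def run_uav_access():
    """Returns (keys agree, replay rejected, forged request rejected)."""
    gn = GroundNetwork()
    w = b"2025-01-01T00:00/2025-01-02T00:00"  # constructed validity period
    k = gn.register(b"UAV-1", w)
    uav = UAV(b"UAV-1", k, w)
    msg = uav.request()
    resp, k_net_side = gn.access(*msg)
    k_uav_side = uav.finish(resp)
    replayed = gn.access(*msg)                          # same SQN again
    forged = gn.access(b"UAV-1", msg[1] + 1, b"\x00" * 32)
    return k_net_side == k_uav_side, replayed is None, forged is None
```

Note that every input to `kdf` here is either the long-term key or a public field, which is exactly why the scheme lacks forward secrecy for UAV access: anyone who later obtains $K_{UAV}$ and has recorded $SQN_{UAV}$ can recompute every past $K_{UAV-N}$.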
The multi-cluster concurrent access authentication phase enables multiple IoT device clusters to authenticate simultaneously through the UAV. The ground network initiates the process by sending a fresh random number $RAND$ together with per-device MACs keyed by the stored PUF responses to the clusters via the UAV. Each IoT device regenerates its PUF response for the registered challenge and verifies the MAC intended for it. Upon successful verification, devices generate response values that are aggregated by the gateway and forwarded to the UAV. The UAV further aggregates the cluster-level values and sends them to the ground network for validation. The ground network then establishes session keys with each device. The key derivation for device $i$ in cluster $A$ is given by: $$K_{i-N} = KDF(ID_i || C_A || R_{Ai} || RAND)$$ where $ID_i$ is the device identity, $C_A$ is the PUF challenge, $R_{Ai}$ is the PUF response, and $RAND$ is the random number. Additionally, a session key between the device and UAV is derived as: $$K_{i-UAV} = KDF(sID_{UAV} || K_{i-N})$$ where $sID_{UAV}$ is the UAV's temporary service identifier.
In the multi-cluster concurrent handover authentication phase, IoT devices seamlessly switch to a new UAV when the current one becomes unavailable. Prior to handover, the old UAV prepares the devices by encrypting relevant key materials using a group key. During handover, the new UAV broadcasts a random nonce, and devices compute new session keys and MACs. Gateways aggregate these MACs and forward them to the new UAV for verification. The new UAV then responds with aggregated response values, completing the authentication. The session key for device $i$ with the new UAV is derived as: $$K_{i-UAV}^* = KDF(H(K_{i-UAV} || ID_i || sID_{UAV1}) || RAND || RAND_A)$$ where $H$ is a hash function, $K_{i-UAV}$ is the previous session key, $sID_{UAV1}$ is the old UAV’s identifier, and $RAND_A$ is a random number generated by the gateway.
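The multi-cluster access phase and the handover phase, simulated end to end in Python as an added example (not the paper's code). The PUF is simulated as a keyed hash under a per-device secret that never leaves the `Device` object; $H$ is SHA-256 and $KDF$/MAC are HMAC-SHA256 over length-prefixed fields; aggregation at the gateway and at the UAV is a hash over the per-device values in identifier order; and the encrypted transfer of $K_{i-UAV}$ from the old UAV to the new one under the group key, as well as the new UAV's final aggregated response to the devices, are not modelled. All of those are assumptions beyond what the text specifies.

```python
import hashlib
import hmac
import os


def _enc(*parts: bytes) -> bytes:
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(_enc(*parts)).digest()


def kdf(*parts: bytes) -> bytes:
    return hmac.new(b"cluster-KDF", _enc(*parts), hashlib.sha256).digest()


def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, _enc(*parts), hashlib.sha256).digest()


def aggregate(values: dict) -> bytes:
    # Gateway/UAV aggregation (assumed): hash of the values in ID order so that
    # the ground network, which knows every R_Ai, can recompute the same digest.
    return H(*(values[k] for k in sorted(values)))


class Device:
    def __init__(self, dev_id: bytes, challenge: bytes, silicon: bytes):
        self.id, self.C = dev_id, challenge      # device keeps ID_i and C_A
        self._silicon = silicon                  # stands in for the PUF's physical state
        self.k_uav = None

    def puf(self, challenge: bytes) -> bytes:
        # Simulated PUF. A real PUF is noisy and needs a fuzzy extractor.
        return hmac.new(self._silicon, challenge, hashlib.sha256).digest()

    def access(self, rand: bytes, sid_uav: bytes, net_mac: bytes):
        r = self.puf(self.C)                                    # R_Ai, regenerated on demand
        if not hmac.compare_digest(mac(r, b"net", rand, self.C, self.id), net_mac):
            return None                                         # network not authenticated
        k_n = kdf(self.id, self.C, r, rand)                     # K_{i-N}
        self.k_uav = kdf(sid_uav, k_n)                          # K_{i-UAV}
        return mac(k_n, b"dev", rand, self.id)                  # response value

    def handover(self, sid_old: bytes, rand: bytes, rand_a: bytes) -> bytes:
        self.k_uav = kdf(H(self.k_uav, self.id, sid_old), rand, rand_a)  # K*_{i-UAV}
        return mac(self.k_uav, b"ho", rand, rand_a, self.id)


def run_scheme(n_per_cluster: int = 3, clusters=(b"A", b"B")) -> bool:
    sid_uav1, sid_uav2 = b"sID-UAV1", b"sID-UAV2"
    # Registration: ground network picks C_A per cluster and records each R_Ai.
    gn_crp, gateways = {}, {}                     # ID_i -> (C_A, R_Ai); cluster -> devices
    for c in clusters:
        c_a = os.urandom(16)
        devs = [Device(c + b"-dev%d" % i, c_a, os.urandom(32)) for i in range(n_per_cluster)]
        for d in devs:
            gn_crp[d.id] = (c_a, d.puf(c_a))
        gateways[c] = devs
    # Concurrent access: one RAND for all clusters, one network MAC per device.
    rand = os.urandom(16)
    net_macs = {i: mac(r, b"net", rand, c, i) for i, (c, r) in gn_crp.items()}
    per_cluster, k_uav_keys, exp_cluster = {}, {}, {}
    for c, devs in gateways.items():
        vals = {d.id: d.access(rand, sid_uav1, net_macs[d.id]) for d in devs}
        if any(v is None for v in vals.values()):
            return False
        per_cluster[c] = aggregate(vals)          # gateway-level aggregation
        exp = {}                                  # ground network's expectation
        for d in devs:
            c_a, r = gn_crp[d.id]
            k_n = kdf(d.id, c_a, r, rand)
            exp[d.id] = mac(k_n, b"dev", rand, d.id)
            k_uav_keys[d.id] = kdf(sid_uav1, k_n)  # K_{i-UAV}, delivered to UAV1
        exp_cluster[c] = aggregate(exp)
    if not hmac.compare_digest(aggregate(exp_cluster), aggregate(per_cluster)):
        return False                              # UAV-level aggregate mismatch
    access_ok = all(k_uav_keys[d.id] == d.k_uav for ds in gateways.values() for d in ds)
    # Handover: UAV1 forwards K_{i-UAV} to UAV2 (encrypted under the group key in
    # the scheme); UAV2 broadcasts RAND, each gateway adds RAND_A.
    rand2 = os.urandom(16)
    for c, devs in gateways.items():
        rand_a = os.urandom(16)
        got = aggregate({d.id: d.handover(sid_uav1, rand2, rand_a) for d in devs})
        exp = {}
        for d in devs:
            k_star = kdf(H(k_uav_keys[d.id], d.id, sid_uav1), rand2, rand_a)
            exp[d.id] = mac(k_star, b"ho", rand2, rand_a, d.id)
            k_uav_keys[d.id] = k_star             # UAV2 now holds K*_{i-UAV}
        if not hmac.compare_digest(aggregate(exp), got):
            return False
    handover_ok = all(k_uav_keys[d.id] == d.k_uav for ds in gateways.values() for d in ds)
    return access_ok and handover_ok
```

With hash-based aggregation the ground network (and the new UAV during handover) verifies a cluster all-or-nothing: a single device with a failed or noisy PUF evaluation invalidates the whole aggregate, so a deployment needs a fallback to per-device verification or error-corrected PUF responses.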
Security analysis is conducted with the Tamarin prover for formal verification and with informal arguments for resistance against common attacks. The Tamarin model confirms that, within the Dolev-Yao threat model, mutual authentication and key agreement hold between all entities and session keys remain confidential. The informal analysis argues that the scheme resists replay attacks (fresh sequence numbers and random numbers), man-in-the-middle attacks (MACs keyed by material only the legitimate parties hold), and physical attacks: because $R_{Ai}$ is regenerated from the PUF on demand, an attacker who captures a device cannot clone the PUF or derive valid responses without the original hardware. This last argument relies on responses not being held in readable non-volatile memory, and on the PUF being stable enough to reproduce the registered response.
Performance analysis compares the proposed scheme with existing approaches in terms of signaling overhead, computational cost, and storage requirements. Signaling overhead is evaluated as the number of messages exchanged during the access and handover phases. Assuming $m$ clusters and $n$ devices per cluster, the total signaling messages for access and handover are summarized in Table 1; a dash marks a phase the scheme does not cover.
| Scheme | Access Signaling Overhead | Handover Signaling Overhead |
|---|---|---|
| Lattice-based UAV-assisted scheme [4] | $6n \cdot m$ | $3n \cdot m$ |
| Elliptic curve-based group handover scheme [5] | – | $n \cdot m$ |
| PUF-based group authentication scheme [25] | $(n + 9) \cdot m$ | – |
| Proposed scheme | $n \cdot m + 3m + 4$ | $n \cdot m + 4m + 3$ |
The proposed scheme reduces signaling overhead by leveraging aggregation at gateways and the UAV, thus minimizing the risk of congestion. For example, with $m=20$ and varying $n$, the signaling overhead grows linearly but remains lower than comparative schemes, as shown in Figure 1 (conceptual representation). The computational cost on IoT devices is assessed based on operations such as hashing, symmetric encryption, and PUF evaluations. The time complexities are defined as $t_h$ for hashing, $t_{se}$ for symmetric encryption/decryption, $t_{ecpm}$ for elliptic curve point multiplication, $t_{pm}$ for polynomial multiplication, and $t_{puf}$ for PUF evaluation. Typical values are $t_h = 0.02$ ms, $t_{se} = 0.03$ ms, $t_{ecpm} = 1.8$ ms, $t_{pm} = 0.1$ ms, and $t_{puf} = 0.12$ ms. The computational operations for each scheme are listed in Table 2.
| Scheme | Access Computational Operations | Handover Computational Operations |
|---|---|---|
| Lattice-based UAV-assisted scheme [4] | $8t_{pm} + 3t_{se} + 15t_h$ | $9t_h$ |
| Elliptic curve-based group handover scheme [5] | – | $0$ |
| PUF-based group authentication scheme [25] | $8t_h + t_{puf}$ | – |
| Proposed scheme | $4t_h + t_{puf}$ | $3t_h$ |
The proposed scheme requires fewer operations, making it suitable for resource-constrained devices. Storage overhead is evaluated by comparing the amount of data stored on IoT devices before authentication. Parameters include keys, identities, and PUF challenges. Assuming 128-bit security equivalent to AES, the storage requirements are summarized in Table 3. The proposed scheme minimizes storage by relying on PUFs and dynamic key derivation, whereas other schemes require storing static keys or multiple PUF challenges.
| Scheme | Storage Parameters | Total Storage (bits) |
|---|---|---|
| Lattice-based UAV-assisted scheme [4] | $(K, ID, AMF, pk_{HN}, \rho)$ | ~1280 |
| Elliptic curve-based group handover scheme [5] | $(x, f(x) \cdot P, ID)$ | ~896 |
| PUF-based group authentication scheme [25] | $(GID, ID, VID, \{C_i\}_{i=1}^{20})$ | ~3328 |
| Proposed scheme | $(ID_i, C_A, R_{Ai})$ | ~384 |
The proposed scheme achieves a balance between security and efficiency for large-scale UAV-assisted IoT deployments, extending coverage while keeping the cryptographic work on the device to a few hashes and one PUF evaluation. Two limitations remain. UAV access lacks forward secrecy: $K_{UAV-N}$ is derived from the long-term key and public fields, so compromise of $K_{UAV}$ exposes every past session key. And the scheme depends on PUF hardware whose responses may drift with temperature, voltage, and aging, which can cause legitimate devices to fail authentication. Future work will focus on dynamic key update mechanisms, more robust PUF designs, and edge computing integration to offload computational tasks from UAVs. Prototype development and field experiments will further validate the scheme's practicality in real-world scenarios.
In conclusion, this paper presents an authentication scheme for UAV-assisted multi-cluster IoT networks that supports secure concurrent access and handover while respecting the constraints of IoT devices. Formal and informal security analyses demonstrate its resilience against the considered attacks, and the performance evaluation shows reduced signaling, computational, and storage overheads compared to existing schemes, which positions UAV-assisted access as a scalable and secure building block for IoT communications in 6G networks and beyond.
