
2426 IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, VOL. 21, NO. 2, APRIL 2024

A UAV-Assisted UE Access Authentication Scheme for 5G/6G Network

Ruhui Ma, Jin Cao, Member, IEEE, Shiyang He, Yinghui Zhang, Ben Niu, and Hui Li, Member, IEEE

Abstract—Unmanned Aircraft Vehicles (UAVs) equipped with base stations can assist ground User Equipments (UEs) in accessing the 5G/6G network. Due to the UAV's high autonomy, easy configuration, and strong dynamic deployment capabilities, UAVs assisting ground UEs in accessing the 5G/6G network can effectively expand the communication network coverage. However, some vulnerabilities exist, such as eavesdropping attack, impersonation attack, etc. In addition, the 3rd Generation Partnership Project (3GPP) committee has proposed that the UAV can employ the primary authentication mechanism (i.e., 5G-AKA) to connect to the network. Nevertheless, the primary authentication mechanism 5G-AKA has some security problems. In this paper, we first improve the existing 5G-AKA so that it resists quantum attack and traceability attack while consuming moderate signaling overhead and short running time. Then, based on the improved 5G-AKA protocol, we propose a UAV-assisted UE access authentication scheme for the 5G/6G network. In the proposed scheme, the UAV can perform the service access authentication process to access the 5G/6G core network and then execute the UAV-assisted UE access authentication process to assist UEs in obtaining network services. Additionally, the ground UE can perform a fast and secure handover process with the target UAV to ensure continuous network services. The automated verification tool Tamarin is employed to verify the security of the proposed scheme. Additionally, we implement the improved 5G-AKA protocol and the existing 5G-AKA protocol on a Field Programmable Gate Array (FPGA) to test their running time. The security and performance evaluation results show that the proposed scheme provides robust security with moderate efficiency.

Index Terms—Authentication scheme, UAV-assisted UE, 5G/6G network, 5G-AKA.

I. INTRODUCTION

In recent years, Unmanned Aircraft Vehicles (UAVs) equipped with base stations have attracted extensive attention in the 5G/6G network, especially to enhance coverage in a variety of scenarios, e.g., emergencies, temporary coverage for mobile users and hot-spot events. Some international organizations, such as the 3rd Generation Partnership Project (3GPP), have begun focusing on the relevant UAV standards. In 3GPP technical specification 22.125 [1], it is pointed out that 5G systems should support UxNB, a radio access node on-board a UAV, to provide connectivity to User Equipments (UEs). The 5G/6G network aims to provide seamless global coverage for UEs. Generally, ground base stations and satellites can assist UEs in accessing the 5G/6G core network. However, the ground base stations may be unable to continue to provide services when unexpected circumstances occur. For example, the ground base station facilities may be damaged by sudden natural disasters. There are several limitations for satellites, such as large transmission delay [2], high satellite deployment costs, and high requirements for UE capabilities. The UAV, acting as a relay, can assist the ground UE in accessing the 5G/6G core network [3]. UAVs can first access the 5G/6G network through a remote access node, and then provide network access services for ground UEs. Due to the UAV's advantages of high autonomy, easy configuration, and strong dynamic deployment capabilities [4], [5], UAVs assisting ground UEs in accessing the 5G/6G network can effectively expand the communication network coverage. However, many security and performance challenges remain.

Firstly, the connections between UAVs and the 5G/6G core network are unsafe owing to air interface links, which are vulnerable to eavesdropping attack and tampering attack. Meanwhile, attackers may impersonate legitimate UAVs to access the network or legitimate core network entities to provide false network services. Additionally, once the privacy information of the UAV is leaked, the attacker may track the UAV and conduct an attack. Thus, it is crucial to consider a secure authentication scheme for the UAV access network, which supports mutual authentication, data security between the UAV and the 5G/6G core network, and privacy preservation.

Subsequently, attackers may eavesdrop and tamper with the communication data between the ground UEs and UAVs, impersonate legitimate UEs to access the network, or impersonate legitimate core network entities to provide false services to UEs. Additionally, preventing privacy leakage and user tracking of UEs is also crucial. Thus, it is vital to consider a secure authentication scheme for UAV-assisted UE access networks, ensuring the legitimacy of the UE and the 5G/6G core network entity, data security, and privacy preservation.

Manuscript received 4 May 2023; revised 26 August 2023 and 5 December 2023; accepted 9 December 2023. Date of publication 12 December 2023; date of current version 15 April 2024. This work is supported in part by the National Natural Science Foundation of China under Grant 62102298, 62172317, and U23B2024, and in part by the Fundamental Research Funds for the Central Universities under Grant XJS221504. The associate editor coordinating the review of this article and approving it for publication was B. Martini. (Corresponding author: Jin Cao.)
Ruhui Ma, Jin Cao, Shiyang He, and Hui Li are with the State Key Laboratory of Integrated Services Networks, School of Cyber Engineering, Xidian University, Xi'an 710071, China (e-mail: [email protected]).
Yinghui Zhang is with the National Engineering Laboratory for Wireless Security, Xi'an University of Posts and Telecommunications, Xi'an 710121, China.
Ben Niu is with the Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100045, China.
Digital Object Identifier 10.1109/TNSM.2023.3341829
1932-4537 © 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on July 23,2024 at 09:13:40 UTC from IEEE Xplore. Restrictions apply.
MA et al.: UAV-ASSISTED UE ACCESS AUTHENTICATION SCHEME FOR 5G/6G NETWORK 2427

Then, due to technical limitations such as weight and battery capacity, the resources of UAVs are limited [6]. When UAVs are used as base stations to provide services to UEs, the weight, computational consumption, and number of transmissions of UAVs will further increase, reducing the actual service time of UAVs [6]. To ensure the service time of the UAV is as long as possible, the cost of the authentication process should be minimized as much as possible.

Additionally, due to the poor endurance and susceptibility to malfunctions of UAVs, the time for a single UAV to provide network services is relatively short. In order to provide continuous network services, new UAVs need to replace old UAVs to provide services to UEs, and UEs need to frequently hand over from the old UAV to the new UAV. Frequent handover may lead to intermittent connectivity of network services. Thus, it is necessary to consider a seamless handover authentication scheme when one UE moves from a source UAV to another UAV to ensure the security and continuity of network services.

In addition, signal loss may occur frequently in UAV application scenarios due to environmental factors. For example, in an earthquake with wind and rain, the signal loss is severe, which may lead to the loss of authentication signals. How to mitigate the impact of signal loss is worth considering.

Finally, there are various types of UAVs, but they are mainly commercial. The unified deployment of commercial UAVs for emergency rescue and other scenarios has enormous market potential. Therefore, it is crucial to design a unified security authentication mechanism for different types of UAVs.

The 3GPP committee has begun researching the security of UAVs in the 5G network. According to the 3GPP technical specification 33.854 [7], the UAV, as a relay, first acts as a normal UE to access the network (that is, the primary authentication mechanism [8], i.e., 5G-AKA, is used), and then acts as a base station to assist ground UEs in obtaining network services. However, the existing 5G-AKA protocol has some security issues, such as being vulnerable to traceability attack, quantum attack, and missing key confirmation attack [9], and consuming significant signaling overhead to identify a malicious UE. Applying the 5G-AKA protocol in UAV scenarios has also introduced some new challenges. Firstly, packet loss occurs frequently in the UAV scenario, which may result in the 5G core network repeatedly consuming computational resources to process data. Subsequently, when the UAV assists ground UEs in accessing the 5G/6G network, the security between the ground UE and the UAV, as well as between the UAV and the ground network, should also be ensured, since they are all connected through unsafe air interface links. However, 3GPP does not propose a relevant mechanism. Then, due to the characteristics of UAVs, such as poor endurance, easy failure, and mobility, UE handover from one UAV to another will occur frequently. However, UAV resources are strictly limited and may not be able to support UAV-to-UAV communication. If the existing 5G handover authentication protocol [10], [11] is adopted, the ground UE must request the visited network to hand over, which undoubtedly requires more delay. Finally, in the existing 5G handover authentication protocol [10], [11], the UE and the destination access point only complete implicit authentication. That is, the legitimacy of both parties is judged by whether the subsequent communication is correct, which is more vulnerable to security attacks. Additionally, some authentication schemes related to UAVs have been proposed. However, these schemes do not consider the UAV assisting the UE in accessing the network, or cannot be applied to some unexpected circumstances (e.g., the nearby ground base stations are damaged). Some satellite-related schemes can be applied to the scenario of UAV-assisted UE access to the network, but these schemes have various shortcomings.

Contribution: In this paper, based on the CRYSTALS-Kyber algorithm in lattice-based cryptography and some lightweight hash and symmetric encryption/decryption operations, we improve the existing 5G-AKA. Then, based on the improved 5G-AKA protocol, we propose an authentication scheme for UAV-assisted UEs to access the 5G/6G network. The proposed scheme consists of three protocols: the UAV service access authentication protocol, the UAV-assisted UE access authentication protocol, and the UE handover authentication protocol. The contributions of this paper are summarized as follows.

• By the improved 5G-AKA protocol, ground UEs can access the 5G/6G core network through the ground base station. This protocol can resist quantum attack and traceability attack and consumes small signaling overhead for the 5G/6G core network to identify a malicious UE.

• By the UAV service access authentication protocol, the UAV can access the 5G/6G core network, build a secure channel with the ground network and provide connectivity to UEs. By the UAV-assisted UE access authentication protocol, each UE can connect to the 5G/6G core network through the UAV and build a secure channel with the UAV. These two protocols are compatible with the improved 5G-AKA protocol.

• By the UE handover authentication protocol, the UE can achieve mutual authentication and key agreement with the new UAV without the direct participation of the source UAV and the ground node, effectively reducing the handover delay.

• The automated verification tool Tamarin and informal security analysis are employed to analyze the security of the proposed scheme. Meanwhile, we evaluate the performance of the proposed scheme regarding the signaling, computational, communication, and storage overheads, as well as energy consumption. We implement the improved 5G-AKA protocol and the existing 5G-AKA protocol on a Field Programmable Gate Array (FPGA) to test their entire running time. The results show that the proposed scheme provides robust security with moderate efficiency.

The rest of this paper is organized as follows. Firstly, we introduce the related work in Section II. Then, we describe the system model, adversarial model, security requirements and design idea in Section III. Subsequently, we briefly introduce the limitations of the existing 5G-AKA protocol in Section IV. Then, we describe the improved 5G-AKA protocol in Section V. In Section VI, we elaborate on the proposed scheme in detail, followed by the security analysis and performance evaluation in Sections VII and VIII, respectively.


TABLE I: SUMMARY OF SCENARIOS, TECHNIQUE AND WEAKNESS OF RELATED WORKS

In Section IX, we describe the implementation details. Finally, we conclude in Section X.

II. RELATED WORK

In this paper, we improve the existing 5G-AKA protocol and propose an authentication scheme for UAV-assisted UEs to access the 5G/6G network based on the improved 5G-AKA protocol. Some improvement schemes for the 5G-AKA protocol have been proposed. For example, Arkko et al. [12] embedded the Diffie-Hellman mechanism into the key derivation process of 5G-AKA, which can achieve Perfect Forward Secrecy (PFS). Yang et al. [13] introduced blockchain technology into the UE access process to reduce signaling overhead. Pan et al. [14], [15] proposed a cross-layer authentication scheme that combines physical-layer authentication and an access authentication protocol, providing strong security. Basin et al. [9] proposed adding a message authentication code and binding the authentication token to the name of the visiting network to notify UEs that the home network has committed to a specific visiting network, avoiding the missing key confirmation attack. However, none of these schemes resist quantum attack. Additionally, these schemes only make simple improvements to the existing 5G-AKA protocol and are unsuitable for access authentication in UAV scenarios. Therefore, we mainly start from the scenario of UAVs and focus on similar authentication schemes for UAV-assisted UE access.

Currently, some authentication schemes related to UAVs have been proposed. Meanwhile, similar to UAVs, satellites can assist UEs in accessing the ground network, and many authentication schemes have been proposed for satellite-assisted UEs to access the ground network. Thus, we mainly consider these related schemes for UAV scenarios and satellite-assisted UE scenarios. TABLE I summarizes the related works' scenarios, techniques, and weaknesses.

A. Related Schemes for UAV Scenarios

Aydin et al. [16] put forward a group handover scheme for UAV base stations based on Elliptic Curve Cryptography (ECC). In this scheme, the UE group can hand over from a terrestrial base station to a UAV base station, reducing the traffic of the terrestrial base station while ensuring the continuity of UE network services. However, in this scheme, user access to the network must rely on the source terrestrial base station, which is unsuitable for scenarios such as damage to terrestrial base stations caused by sudden natural disasters. Zhang et al. [17], Nikooghadam et al. [18] and Berini et al. [19] proposed lightweight authentication and key agreement schemes for the Internet of drones based on symmetric cryptography, ECC and Hyper Elliptic Curve Cryptography (HECC), respectively. In these schemes, the user and the remote UAV achieve mutual authentication with the help of the control server. Pu and Li [20], Mäurer et al. [21], Bansal and Sikdar [22] and Alladi et al. [23], [24] each proposed a lightweight mutual authentication scheme for UAVs. In these schemes, using the Physical Unclonable Function (PUF) mechanism, the communication security between the UAV and the ground base station can be ensured. Yang et al. [25], Pu et al. [26], Khan et al. [27], Lounis et al. [28] and Chaudhry and Garg [29] each put forward an authentication scheme between UAVs. By


these schemes in [25], [26], [27], [28], [29], one UAV can achieve the mutual authentication and key agreement process with another UAV. Alladi et al. [30], Karmakar et al. [31] and Bera et al. [32] gave authentication schemes for UAV-UAV communication. In these schemes, the UAV achieves mutual authentication with the ground station, and then two UAVs achieve mutual authentication with the assistance of the ground station.

B. Related Schemes for Satellite-Assisted UE Scenarios

Zheng et al. [33], Zhao et al. [34], and Jurcut et al. [35] proposed efficient authentication schemes for satellite networks based on symmetric cryptography. Kumar and Garg [36] put forward an authentication protocol for satellite communication based on the Ring Learning With Errors (RLWE) problem in lattice-based cryptography. In these schemes, through the satellite node, each UE can perform the mutual authentication and key agreement process with the ground Network Control Centre (NCC) to access the ground network. However, the scheme in [33] suffers from various attacks, such as identity spoofing attack, malicious service request attack, and Denial Of Service (DOS)/Distributed Denial Of Service (DDOS) attack. The scheme in [34] is vulnerable to traceability attack. The scheme in [35] does not work correctly since the NCC cannot recognize the UE successfully. The scheme in [36] incurs a large communication overhead.

Meng et al. [37] designed a proxy signature-based authentication scheme for satellite networks. Xue et al. [38] presented a secure and efficient authentication scheme based on ECC. Yang et al. [39] proposed a secure authentication scheme for satellite networks based on group signatures to provide anonymity for roaming users. Guo and Du [40] designed a novel anonymous mutual authentication protocol for space information networks based on the RLWE problem. In these schemes, the UE achieves mutual authentication with the satellite. However, the schemes in [37], [38] suffer from traceability attack, and the scheme in [39] incurs a large computational overhead because of multiple point multiplication and bilinear pairing operations. For Guo et al.'s scheme [40], the access network needs to store the public keys of all UEs, which is impossible to realize since the number of UEs is tremendous and the storage cost of a single public key is high. For the schemes in [33], [34], [35], [36], [37], [38], [39], [40], the UE access authentication scheme through the satellite network is incompatible with the UE access authentication scheme through the ground network. The 5G/6G network may support dual connectivity with a satellite access network and a ground access network [41]. The UE would then need to store two sets of different authentication algorithms, which will undoubtedly increase the overhead.

In summary, one of the gaps in the previous studies is the lack of an authentication scheme for a UAV assisting a UE in accessing the 5G/6G core network. The scheme in [16] is unsuitable for the scenario where the source terrestrial base station is damaged. The schemes in [17], [18], [19], [20], [21], [22], [23], [24], [25], [26], [27], [28], [29], [30], [31], [32] do not consider the UAV assisting the UE in accessing the network. The schemes in [33], [34], [35], [36], [37], [38], [39], [40] can be applied to UAV-assisted UE access network scenarios, but they have various security and performance flaws, and these authentication schemes are not compatible with the ground access authentication scheme. Therefore, it is crucial to consider an authentication scheme suitable for UAV-assisted UE access to the network. This paper proposes a UAV-assisted UE access authentication scheme for the 5G/6G network. By modifying the existing ground access authentication scheme (the 5G-AKA protocol), in some unexpected circumstances (e.g., the nearby ground base stations are damaged), the UE can securely and efficiently access the 5G/6G core network through the UAV. The proposed scheme is compatible with the ground access authentication scheme, providing robust security protection and consuming less signaling and computational overhead compared with other related schemes.

Fig. 1. The architecture of UAV assisting UE in accessing the 5G/6G network.

III. SYSTEM MODEL, ADVERSARIAL MODEL, SECURITY REQUIREMENTS AND DESIGN IDEA

A. System Model

According to the 3GPP standards [42], [43] for UE access to the network through the non-terrestrial network (satellite, unmanned aircraft system, etc.), as well as the 3GPP standard [6] related to the radio access node on-board a UAV, the universal scenario of a UAV assisting a UE in accessing the 5G/6G network is depicted in Fig. 1. In this architecture, the UAV is connected to the 5G/6G core network through the remote ground Radio Access Network (RAN), and then the UAV assists UEs in accessing the 5G/6G core network. The architecture comprises the 5G/6G core network, ground RAN, UEs, and UAVs.

5G/6G core network: The 5G/6G core network contains many different entities (such as the authentication server function, unified data management, etc.) and provides authentication and authorization services for UEs and UAVs.

Ground RAN: The ground RAN can integrate the base station, gateway, and edge cloud functions. The ground RAN provides the communication interface between the UAVs/UEs and the ground 5G/6G core network. In order to reduce the control delay and provide continuous network services to the ground UEs, the ground RAN can control the start, stop, and replacement of UAVs. Specifically, when UAVs are far from the emergency area, the ground RAN can use dedicated machines (unmanned vehicles,

dedicated drones, etc.) to transport UAVs to designated areas, reducing the energy consumption costs of UAVs incurred by long-distance flight. Additionally, the edge cloud, deployed in the ground RAN, can cache the user authentication data, UAV operation status data, and location data. The ground RAN can be deployed far away from disaster and other areas.

UAV: The UAV has the advantages of high autonomy, easy configuration, and strong dynamic deployment ability. The UAV can fly to a designated area and then hover over that area for a period of time. As a relay device, the UAV has the functions of both a UE and a base station. The UAV first accesses the network as a normal UE. Then, the UAV acts as a base station and provides network services to ground UEs [1]. According to [6], due to technical limitations such as weight and battery capacity, the maximum flying time of the UAV is limited (e.g., 1 hour). Thus, a single UAV cannot provide continuous network services, and replacement strategies for UAVs must be considered. When the remaining power of the UAV is low, the UAV turns off its base station function, transmits an exit request message to the ground RAN and quickly charges through the UAV mobile charging station. Meanwhile, the alternative UAV should be deployed to the corresponding area to continue providing network services. Additionally, considering that UAVs are prone to failure, the ground RAN can monitor whether a UAV is working properly based on the frequency of regular heartbeat messages or communication messages between the UAV and the network. When the ground RAN detects that a UAV has not sent a message for a period of time, other UAVs can be mobilized to replace the UAV.

UE: A UE represents a device with base station access capability but not satellite access capability. The UE can access the 5G/6G core network through the ground RAN based on the existing 5G-AKA protocol.

In this architecture, the ground RAN and the 5G/6G core network entities are generally connected through wired links, which can establish a secure data channel through the existing Datagram Transport Layer Security (DTLS) and/or Internet Key Exchange version 2 (IKEv2) mechanism [8]. The other entities are connected through wireless links.

B. Adversarial Model

In this section, the most widely adopted and accepted Dolev-Yao (DY) adversarial model [44] is considered as the basic adversary model to analyze the security of the proposed scheme. In the DY adversarial model, the adversary A can control the entire communication network. Concretely, A can eavesdrop, tamper, or even replay wireless communication data between the UE/UAV and the ground RAN. A can impersonate a legitimate UE accessing the network to gain unauthorized access, a legitimate UAV providing illegal services to UEs, or a 5G/6G core network entity providing false services to UEs/UAVs. A can use a Man-In-The-Middle (MITM) attack to eavesdrop on the interactive data between UEs, UAVs, and 5G/6G core network entities. A can deplete the resources of 5G/6G core network entities, such as by sending forged data, replaying data, sending useless data, etc., causing them to refuse to provide services. Additionally, considering the increasing demand for session data security in the 5G/6G network, ensuring the security of wireless communication data between the UE/UAV and the ground RAN is vital. Since the UE/UAV may be lost or stolen, A may obtain the secret parameters (ephemeral secret values or the long-term secret key) stored in the UE/UAV by a complex power analysis attack and further derive the preceding session data key K_RAN.

C. Security Requirements

Due to the insecure wireless channel between the UE, the UAV, and the ground RAN, the following security requirements should be achieved.

• To prevent malicious UEs and UAVs from accessing the network, and a malicious network from providing false services, mutual authentication between the UE/UAV and the 5G/6G core network should be achieved.

• To prevent adversaries from continuously sending previously obtained user identities to request access to the network, it is crucial to ensure the anonymity of the user's identity. Meanwhile, it is also imperative to resist traceability attack to prevent adversaries from tracking specific users.

• To prevent the adversary from eavesdropping on or tampering with the communication data between the UE/UAV and the ground RAN, data security should be achieved.

• In order to prevent attackers from replaying previous data to deceive the recipient, or from sending useless data that causes the recipient to refuse to provide services, the scheme should resist protocol attacks, including replay attack, DOS/DDOS attack, etc.

• In order to prevent the adversary from using the ephemeral secret values or long-term secret keys obtained from the UE/UAV to derive the preceding session data key K_RAN, PFS should be supported, and the Ephemeral Secret Leakage (ESL) attack should be resisted.

D. Design Idea

The critical design idea of the proposed scheme can be briefly described as follows. Ground UEs can access the 5G/6G core network through the ground RAN. When the ground RAN operates normally, the ground UE can access the 5G/6G core network by executing the improved 5G-AKA protocol. When a specific area is not covered by a ground RAN, or the ground RAN located in the specific area fails, the ground UE cannot access the 5G/6G core network through the ground RAN. In this case, the remote ground RAN (a bit further away from the specific area) can deploy UAVs to the specific area. Since the communication range of the UAV is more extensive than that of a normal UE, the UAV can access the remote ground RAN (or be forwarded by other radio access nodes, e.g., satellite nodes) to obtain network services. Subsequently, the UAV assists the ground UE in obtaining network services. If the power of the UAV is too low or the UAV fails to provide services, another UAV is quickly deployed by the remote ground RAN to replace the source UAV. When the ground UE moves or the UAV moves or is


replaced, the ground UE and the target UAV shall perform a fast handover process to ensure continuous network services.

IV. THE LIMITATIONS IN THE 5G-AKA PROTOCOL

3GPP has standardized the authentication protocol for a UE securely accessing the 5G core network through the ground RAN, namely 5G-AKA [8]. In the standard, it is proposed to use a public key encryption mechanism to protect the UE's identity SUPI, and only one encryption algorithm is given in the appendix of the standard document [8], that is, the Elliptic Curve Integrated Encryption Scheme (ECIES) algorithm. A brief description of the 5G-AKA protocol using the ECIES algorithm is as follows, as shown in Fig. 2.

Fig. 2. The existing 5G-AKA protocol.

Initially, the 5G core network entity needs to generate its public key pk_HN and private key sk_HN. Then, offline, the 5G core network entity presets the identity SUPI, the long-term secret key K, the authentication and key management field AMF and the public key pk_HN to the corresponding UE and saves them locally. Note that f1_K(), f2_K(), f1*_K(), h() are message authentication functions, f3_K(), f4_K(), f5_K(), f5*_K() are key generating functions, and KDF() is a key derivation function [45], wherein K is the long-term secret key shared between the UE and the 5G core network. Additionally, E_k() and D_k() are the symmetric encryption and decryption functions, wherein k is the symmetric key.

1) The UE freshly generates an ECC ephemeral public/private key pair (Eph.privatekey, Eph.publickey), and computes Eph.enckey||Eph.mackey = KDF(Eph.privatekey, pk_HN). Then, the UE computes the ciphertext C = E_Eph.enckey(SUPI) and the message authentication code mac = h(Eph.mackey, C). Finally, the UE transmits SUCI = Eph.publickey||C||mac||Other to the RAN, where Other represents other necessary parameters for UE access.

2) The RAN forwards the SUCI to the 5G core network.

3) Upon receiving the SUCI, the 5G core network computes Eph.deckey||Eph.mackey = KDF(Eph.publickey, sk_HN), checks mac ?= […] starts with generating a fresh sequence number SQN_HN and an unpredictable challenge RAND and calculates XRES = f2_K(RAND), CK = f3_K(RAND), IK = f4_K(RAND), AK = f5_K(RAND), MAC = f1_K(SQN_HN||RAND||AMF), XRES* = KDF(CK||IK, serving network name||RAND||XRES). Then, the 5G core network entity computes an authentication token AUTN = SQN_HN ⊕ AK||AMF||MAC. Finally, the 5G core network entity transmits (RAND, AUTN) to the RAN.

4) The RAN forwards (RAND, AUTN) to the UE.

5) Upon receiving (RAND, AUTN), the UE computes AK = f5_K(RAND), obtains SQN_HN' and calculates XMAC = f1_K(SQN_HN'||RAND||AMF). Then, the UE authenticates the 5G core network by checking whether (i) XMAC ?= MAC and (ii) SQN_HN' is in the correct range.

• If both (i) and (ii) are satisfied, the UE computes RES = f2_K(RAND), CK = f3_K(RAND), IK = f4_K(RAND), RES* = KDF(CK||IK, serving network name||RAND||RES). Then, the UE computes the key K_RAN = KDF(K_network, Uplink NAS COUNT||Access type distinguisher) and the sequence number on the UE side SQN_UE = SQN_HN + 1. K_network denotes the key between the UE and the 5G core network (e.g., the key K_AMF), and is derived from the long-term secret key K. Uplink NAS COUNT is a counter for the uplink between the UE and the 5G visiting network. Access type distinguisher is used to distinguish whether the network is "3GPP access" or "non-3GPP access". Subsequently, the UE returns RES* to the 5G core network. Finally, the 5G core network authenticates the UE by verifying XRES* ?= RES*. If the verification is successful, the 5G core network computes the key K_RAN and transmits (SUPI', K_RAN) to the RAN, and then the UE and the RAN employ K_RAN for secure communication.

• If (i) is satisfied but (ii) is unsatisfied, the UE calculates MACS = f1*_K(SQN_UE||RAND||AMF), AK* = f5*_K(RAND), AUTS = AK* ⊕ SQN_UE||MACS and transmits a sync failure message including AUTS to the 5G core network. The 5G core network checks (MACS, SQN_UE) and computes SQN_HN = SQN_UE + 1.

• If (i) is unsatisfied, the UE transmits a MAC failure message to the 5G core network.

By the 5G-AKA protocol, the UE can securely access the 5G core network. However, the 5G-AKA protocol has the following limitations.

1) Elliptic-curve cryptography is used to ensure the privacy of SUPI. With the rapid development of quantum
h(Eph.mackey, C ) and computes SUPI  = computers, the elliptic curve algorithm can easily be
DEph.deckey (C ). Subsequently, the 5G core network broken [46]. Other cryptography schemes need to be
searches the corresponding long-term secret key K adopted to ensure the privacy of SUPI.

through the SUPI . Then, the 5G core network generates 2) The 5G core network authenticates UE by checking
XRES ∗ = RES ∗ , which means that the 5G core
authentication data as follows. The 5G core network
network takes at least 6 signaling messages to identify a malicious UE, which may take up a lot of resources on the 5G network.
3) In the existing 5G-AKA, the attacker can replay the response message of a certain UE received from the network to multiple UEs. From the UEs' answers, the attacker can distinguish between the UE observed earlier and a different UE [9]. Thus, the 5G-AKA protocol is unable to resist traceability attack.
4) In some specific scenarios, packet loss occurs frequently. If the response value RES sent by the UE to the 5G core network is lost, the UE needs to regenerate the SUCI and the 5G core network needs to deconceal the SUCI and regenerate the authentication data, which costs considerable computational overhead.

V. THE IMPROVED 5G-AKA PROTOCOL

A. Overview

In this section, we improve the 5G-AKA protocol. Concretely, we combine the CRYSTALS-Kyber algorithm to protect the privacy of the SUPI. CRYSTALS-Kyber [47], which is a lattice-based public key encryption algorithm based on the Module Learning With Errors (MLWE) problem, has been chosen as one of the first group of post-quantum cryptographic tools and will be standardized [48]. Then, we slightly adjust the calculation order of some values (such as MAC, XRES, etc.) and the function input values in the 5G-AKA protocol (such as SQN_UE, SQN_HN, RAND), so that it can identify a malicious UE with only 2 signaling messages. Subsequently, the anonymous key MSK is reused to protect the legitimacy of SQN instead of the key AK in the 5G-AKA protocol. Through the above modifications, the improved 5G-AKA protocol can resist traceability attack. Additionally, after the 5G core network successfully authenticates the UE, the authentication data (SUPI', RES*, K_RAN) can be temporarily stored until a confirmation message is received or a timeout occurs, thereby avoiding repeated consumption of computational resources. Through the improved 5G-AKA protocol, the UE can securely access the 5G/6G core network through the ground RAN.

B. The Process

Note that, below, vectors are represented in bold lower-case letters, while matrices are represented in bold upper-case letters. R represents the ring Z[X]/(X^n + 1) and R_q denotes the ring Z_q[X]/(X^n + 1), where n = 256 and q = 3329. B_η represents a set range. Sampling s ∈ R_q from B_2 or B_3 means each coefficient of the ring element s is sampled from {−2, 2} or {−3, 3}, respectively. In addition, the compression function is Compress_q(x, d) = ⌈(2^d/q) · x⌋ mod^+ 2^d and the decompression function is Decompress_q(x, d) = ⌈(q/2^d) · x⌋, where ⌈·⌋ denotes rounding to the nearest integer. G() represents a pseudo random number generator. Due to space limitation, we only consider "Kyber512", whose security level is equivalent to AES 128 bits.

Initially, the 5G/6G core network entity must generate the system parameters. Concretely, the 5G/6G core network entity first chooses a 256-bit seed d, computes (ρ, σ) = G(d), employs the value σ to sample s ∈ R_q^2 and e ∈ R_q^2 from B_3, adopts the parameter ρ to generate the matrix A ∈ R_q^{2×2}, and computes pk = As + e. Then, the 5G/6G core network uses pk and sk = s as its public key and private key, respectively. Then, similar to the 5G-AKA protocol, the 5G/6G core network entity needs to offline preset the identity SUPI, the long-term secret key K, the authentication and key management field AMF, and the public parameters (ρ, pk) to the corresponding UE and save them locally. Similarly, the UE can generate the matrix A ∈ R_q^{2×2} with the parameter ρ.

As shown in Fig. 3, when accessing the 5G/6G network through the ground RAN for the first time, the UE performs the access authentication process as follows.

Step 1. The UE generates a random value RAND ∈ {0, 1}^256 and a fresh sequence number SQN_UE, samples r ∈ R_q^2 from B_3, e1 ∈ R_q^2 from B_2, and e2 ∈ R_q from B_2, and computes u = A^T r + e1, v = pk^T r + e2 + Decompress_q(RAND, 1), C1 = (u, v), MSK = KDF(RAND), C2 = E_MSK(SUPI||SQN_UE), MAC = f1_K(SQN_UE||RAND||AMF). Finally, the UE transmits SUCI = C1||C2||MAC||Other to the RAN, where Other represents other necessary parameters for UE access. The RAN forwards the SUCI to the 5G/6G core network. In actual use, to reduce the communication overhead, the message can be encoded and compressed for transmission.

Step 2. Upon receiving the SUCI, the 5G/6G core network entity computes RAND' = Compress_q(v − sk^T u, 1), MSK' = KDF(RAND'), SUPI'||SQN'_UE = D_MSK'(C2). Subsequently, the 5G/6G core network entity searches the long-term secret key K of the UE according to SUPI' and computes XMAC = f1_K(SQN'_UE||RAND'||AMF). Then, the 5G/6G core network entity authenticates the UE by checking (i) whether XMAC is equal to MAC; (ii) whether SQN'_UE is in the correct range. If both (i) and (ii) are met, the procedure jumps to Step 3. If (i) is met but (ii) is not, the procedure jumps to Step 3*. If (i) is not met, the procedure jumps to Step 3**.

Step 3:
3) The 5G/6G core network entity computes RES = f2_K(RAND'), CK = f3_K(RAND'), IK = f4_K(RAND'), RES* = KDF(CK||IK, serving network name||RAND'||RES). Then, the 5G/6G core network entity computes K_network (e.g., the key K_AMF) as in 5G-AKA, calculates K_RAN = KDF(K_network, Uplink NAS COUNT||Access type distinguisher||RAND') and computes the sequence number on the network side SQN_HN = SQN'_UE + 1. Finally, the 5G/6G core network entity transmits the authentication data (SUPI', RES*, K_RAN) to the RAN. The RAN forwards (RES*) to the UE. Note that the 5G/6G core network entity can temporarily store (SUPI', RES*, K_RAN) until receiving a confirmation message or a timeout.
4) The UE computes XRES = f2_K(RAND), CK = f3_K(RAND), IK = f4_K(RAND), XRES* = KDF(CK||IK, serving network name||RAND||
XRES). Then, the UE authenticates the 5G/6G network by verifying whether XRES* equals RES*. If it does, the UE calculates K_network as in 5G-AKA and computes K_RAN = KDF(K_network, Uplink NAS COUNT||Access type distinguisher||RAND), SQN_UE = SQN_UE + 1. Finally, the UE may transmit an access confirmation message to the RAN. The UE may transmit a failure message to the RAN if the verification fails.

Step 3*:
3*) The 5G/6G core network entity computes MACS = f1*_K(SQN_HN||RAND'||AMF), CSQN = E_MSK'(SQN_HN), and AUTS = CSQN||MACS. Finally, the 5G/6G core network entity transmits a sync failure message, including AUTS, to the RAN, and the RAN forwards it to the UE.
4*) The UE computes SQN'_HN = D_MSK(CSQN) and checks MACS. If it is correct, the UE resets the value of the counter SQN_UE to SQN'_HN.

Step 3**: The 5G/6G core network entity transmits a MAC failure message to the UE.

Fig. 3. The improved 5G-AKA protocol.

TABLE II
DEFINITION OF NOTATION

VI. THE PROPOSED SCHEME

Based on the improved 5G-AKA protocol, this section proposes an authentication scheme for UAV-assisted UEs to access the 5G/6G core network. The proposed scheme contains three phases: the UAV service access authentication phase, the UAV-assisted UE access authentication phase, and the UE handover authentication phase. Concretely, the UAV can perform the UAV service access authentication process to communicate with the 5G/6G core network and build a secure channel with the ground RAN. Subsequently, the ground UE can execute the UAV-assisted UE access authentication process to access the 5G/6G core network and build a secure channel with the UAV. Then, when the ground UE moves or the UAV moves or is replaced, the ground UE can execute the handover authentication process to build a secure channel with the new UAV. The main notations used in this paper are given in TABLE II.
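As an added illustration of Steps 1 and 2 of Section V.B (not code from the paper), the following Python encrypts the UE's 256-bit RAND into C1 = (u, v) with Kyber512 parameters and recovers it on the core-network side as Compress_q(v − s^T u, 1). It keeps the MLWE arithmetic literal (schoolbook multiplication, no NTT, no compression of u and v); G() is instantiated as SHA3-512, the B_η samplers and the expansion of A use SHAKE, and the seed, RAND and coins are constructed values, all of which are assumptions of this example.

```python
import hashlib

N, Q, K = 256, 3329, 2      # Kyber512: ring Z_q[X]/(X^N + 1), module rank K
ETA1, ETA2 = 3, 2           # s, e, r drawn from B_3; e1, e2 drawn from B_2 (as in Section V.B)

def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def poly_mul(a, b):
    """Schoolbook product in Z_q[X]/(X^N + 1); X^N = -1 folds the upper half back negated (no NTT)."""
    r = [0] * (2 * N)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            r[i + j] += ai * bj
    return [(r[i] - r[i + N]) % Q for i in range(N)]

def vec_dot(xs, ys):
    """Inner product of two length-K vectors of ring elements (x^T y)."""
    acc = [0] * N
    for x, y in zip(xs, ys):
        acc = poly_add(acc, poly_mul(x, y))
    return acc

def cbd(seed, nonce, eta):
    """One ring element from B_eta: each coefficient is (sum of eta bits) - (sum of eta bits), so it lies in [-eta, eta]."""
    buf = hashlib.shake_256(seed + bytes([nonce])).digest(eta * N // 4)
    bit = lambda i: (buf[i >> 3] >> (i & 7)) & 1
    out = []
    for c in range(N):
        base = 2 * eta * c
        out.append((sum(bit(base + k) for k in range(eta)) - sum(bit(base + eta + k) for k in range(eta))) % Q)
    return out

def gen_matrix(rho):
    """Uniform A in R_q^{KxK} expanded from the public seed rho by 12-bit rejection sampling (SHAKE-128)."""
    A = [[None] * K for _ in range(K)]
    for i in range(K):
        for j in range(K):
            buf, coeffs = hashlib.shake_128(rho + bytes([j, i])).digest(1536), []
            for k in range(0, 1536, 3):
                for d in (buf[k] | (buf[k + 1] & 15) << 8, buf[k + 1] >> 4 | buf[k + 2] << 4):
                    if d < Q and len(coeffs) < N:
                        coeffs.append(d)
            A[i][j] = coeffs          # 1024 candidates for 256 needed coefficients: never runs short in practice
    return A

def compress1(x):
    """Compress_q(x, 1) = round(2x / q) mod 2: values near q/2 decode to 1, values near 0 or q decode to 0."""
    return ((2 * x + Q // 2) // Q) % 2

def decompress1(b):
    """Decompress_q(b, 1) = round(q * b / 2): bit 1 -> 1665, bit 0 -> 0."""
    return (Q * b + 1) // 2

def keygen(d):
    """Core-network setup: (rho, sigma) = G(d), s and e from B_3, pk = A s + e, sk = s."""
    g = hashlib.sha3_512(d).digest()       # G() instantiated as SHA3-512 (assumption of this example)
    rho, sigma = g[:32], g[32:]
    A = gen_matrix(rho)
    s = [cbd(sigma, i, ETA1) for i in range(K)]
    e = [cbd(sigma, K + i, ETA1) for i in range(K)]
    pk = [poly_add(vec_dot(A[i], s), e[i]) for i in range(K)]
    return (rho, pk), s

def encrypt_rand(pub, rand, coins):
    """UE Step 1: C1 = (u, v) with u = A^T r + e1 and v = pk^T r + e2 + Decompress_q(RAND, 1)."""
    rho, pk = pub
    A = gen_matrix(rho)                    # the UE regenerates A from rho, as the text says
    r = [cbd(coins, i, ETA1) for i in range(K)]
    e1 = [cbd(coins, K + i, ETA2) for i in range(K)]
    e2 = cbd(coins, 2 * K, ETA2)
    m = [decompress1((rand[i >> 3] >> (i & 7)) & 1) for i in range(N)]   # 256 RAND bits -> 256 coefficients
    u = [poly_add(vec_dot([A[j][i] for j in range(K)], r), e1[i]) for i in range(K)]
    v = poly_add(poly_add(vec_dot(pk, r), e2), m)
    return u, v

def decrypt_rand(s, c1):
    """Core-network Step 2: RAND' = Compress_q(v - s^T u, 1), re-packed into 32 bytes."""
    u, v = c1
    w = [(x - y) % Q for x, y in zip(v, vec_dot(s, u))]
    bits = [compress1(x) for x in w]
    return bytes(sum(bits[8 * i + j] << j for j in range(8)) for i in range(32))

def demo():
    """Constructed run: the core network recovers exactly the RAND the UE hid in C1."""
    pub, sk = keygen(bytes(range(32)))                        # constructed seed d
    rand = hashlib.sha256(b"constructed RAND").digest()       # the UE's 256-bit RAND
    c1 = encrypt_rand(pub, rand, b"constructed coins")
    return decrypt_rand(sk, c1) == rand

if __name__ == "__main__":
    print("RAND recovered by the core network:", demo())
```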
Fig. 4. UAV service access authentication process.

A. UAV Service Access Authentication Phase

When UAVs are needed to assist the UE in accessing the network, the remote ground RAN initiates a scheduling notification to the UAVs. After receiving the scheduling notification from the ground RAN, each UAV UAV_j wishing to provide network services shall perform the UAV service access authentication process, as shown in Fig. 4. The details are as follows.

Steps 1, 2 and 3 are the same as those in the improved 5G-AKA protocol, except that the 5G/6G core network needs to judge whether UAV_j can provide network services and informs the ground RAN to authorize it.

Step 4. If UAV_j is authorized, the ground RAN generates one group key GK_UAV for all UAVs. Then, the ground RAN generates a temporary identity TID_j and computes C_j = E_{K_RAN_j}(TID_j||GK_UAV), HRES*_j = KDF(K_RAN_j, C_j||RES*_j). Finally, the ground RAN transmits (HRES*_j, C_j) to UAV_j.

Step 5. UAV_j computes XRES*_j and K_RAN_j as in the improved 5G-AKA protocol and calculates HXRES*_j = KDF(K_RAN_j, C_j||XRES*_j). Then, UAV_j authenticates the 5G/6G network by checking HXRES*_j = HRES*_j. If it holds, UAV_j calculates TID_j||GK'_UAV = D_{K_RAN_j}(C_j) and SQN_j = SQN_j + 1, stores (TID_j, K_RAN_j, GK'_UAV) and transmits an access confirmation message to the ground RAN. After this process, a secure channel between UAV_j and the ground RAN can be established.

Fig. 5. UAV-assisted UE access authentication process.

B. UAV-Assisted UE Access Authentication Phase

When ready to provide network services, the UAV UAV_j broadcasts a notification message, including TID_j, to all UEs. After receiving the notification message, the ground UE UE_i willing to obtain network services shall perform the UAV-assisted UE access authentication process, as shown in Fig. 5. The details are as follows.

Steps 1 and 2 are similar to those in the improved 5G-AKA protocol, except that UAV_j should forward SUCI_i together with its temporary identity TID_j to the ground RAN.

Step 3 is similar to that in the improved 5G-AKA protocol, except that the 5G/6G core network needs to judge whether UE_i is authorized to obtain network services.

Step 4. The ground RAN generates a temporary identity TID_i, computes K_UAV_i = KDF(K_RAN_i, TID_i||TID_j), TGK_i = KDF(GK_UAV, TID_i||TST), Token_i = TGK_i||TST, C_i = E_{K_RAN_i}(TID_i||Token_i), and calculates HRES*_i as in Section VI-A, where TST represents the expiration time of Token_i. The temporary identity may be updated periodically or irregularly. Finally, the ground RAN transmits (HRES*_i, C_i, TID_i, K_UAV_i) to UAV_j securely.

Step 5. UAV_j stores (TID_i, K_UAV_i) and transmits (HRES*_i, C_i) to UE_i.

Step 6. UE_i calculates HXRES*_i and K_RAN_i as in Section VI-A. Then, UE_i authenticates the 5G/6G network by checking HXRES*_i = HRES*_i. If it holds, UE_i computes TID_i||Token_i = D_{K_RAN_i}(C_i), SQN_i = SQN_i + 1, K_UAV_i = KDF(K_RAN_i, TID_i||TID_j), and parses TGK_i and TST from Token_i. Finally, UE_i stores (TID_i, K_UAV_i, Token_i) and transmits an access confirmation message to the ground RAN.

After the UAV-assisted UE access authentication process, a secure channel between UE_i and UAV_j can be established. Additionally, during the above process, when the source UAV does not receive the response value (HRES*_i, C_i, TID_i, K_UAV_i) after sending the message (SUCI_i), it will detect whether it can continue to provide services. If the source UAV cannot continue providing services (due to power failure or other failures), the UAV will send an exit request message to the remote ground RAN. Then, the ground RAN will quickly deploy a new legitimate UAV to replace the source UAV and deliver the corresponding (HRES*_i, C_i, TID_i, K_UAV_i) to the new UAV. The new UAV continues to complete the authentication process with UE_i.

C. UE Handover Authentication Phase

Once detecting that the source UAV UAV_j cannot continue to provide network services or that the signal of the target UAV UAV_j* (with identity TID_j*) is stronger than that of the source UAV UAV_j, the UE UE_i shall perform the handover authentication process with the new UAV UAV_j*. The details are as follows.

Step 1. UE_i generates a random value R1, computes MAC_i = KDF(TGK_i, TID_j*||TID_i||R1) and transmits (TID_i, MAC_i, R1, TST) to UAV_j*.
Fig. 6. UE handover authentication process.

Step 2. UAV_j* first checks whether TST is within the validity time. If it is, UAV_j* computes TGK_i = KDF(GK_UAV, TID_i||TST), XMAC_i = KDF(TGK_i, TID_j*||TID_i||R1) and checks whether XMAC_i is equal to MAC_i. If it is, UAV_j* generates a random value R2, computes RES_i = KDF(TGK_i, TID_j*||TID_i||R1||R2), K_UAV_i* = KDF(TGK_i, TID_j*||TID_i) and HRES_i = KDF(RES_i||R2). Finally, UAV_j* transmits (HRES_i, R2) to UE_i.

Step 3. UE_i computes XRES_i = KDF(TGK_i, TID_j*||TID_i||R1||R2), HXRES_i = KDF(XRES_i||R2), and checks whether HXRES_i is equal to HRES_i. If it is, UE_i computes K_UAV_i* = KDF(TGK_i, TID_j*||TID_i), stores K_UAV_i* and transmits XRES_i to UAV_j*.

Step 4. UAV_j* checks whether XRES_i is equal to RES_i. If it is, UAV_j* stores (TID_i, K_UAV_i*) and transmits a handover inform message to the ground RAN. The ground RAN may generate a new temporary identity for UE_i/UAV_j*.

After the UE handover authentication process is successful, a secure channel between UE_i and UAV_j* can be established. Since the handover process does not require the participation of the ground RAN, only the interaction between the UE and the new UAV is required. The UE and the new UAV only perform some lightweight cryptographic operations, so the handover delay is very short.

In the above authentication process, considering frequent signaling loss in UAV scenarios, UAVs and 5G/6G core networks can temporarily store data. If duplicate messages are received in a short period of time, they can directly return the previously generated response message.

VII. SECURITY ANALYSIS

In this section, the automated verification tool Tamarin and informal security analysis are used to prove the security of the proposed scheme.

A. Automated Verification Tool: Tamarin

In this section, the automated verification tool Tamarin [49] is used to prove the security of the proposed scheme, including the improved 5G-AKA protocol, the UAV service access authentication protocol, the UAV-assisted UE access authentication protocol and the UE handover authentication protocol. Tamarin supports the XOR operation, symmetric encryption/decryption operations, asymmetric encryption/decryption operations, etc. [50]. Tamarin employs lemmas to describe the security properties of the protocol, and the Tamarin tool can automatically output the verification results of the lemmas. If a lemma holds, it outputs verified. If a lemma is not satisfied, it outputs falsified.

We have built the Tamarin models of the proposed scheme. In our Tamarin models, we define several roles UE, RAN, UAV, and CN to represent the UE, the ground RAN, the UAV, and the 5G/6G core network in the proposed scheme, respectively. Due to space limitations, we only describe the Tamarin process of the improved 5G-AKA protocol. The details are as follows.

1. The initial configuration process is defined as follows.

    theory Improved5GAKA
    begin
    builtins: hashing, asymmetric-encryption, symmetric-encryption

2. Several rules are defined as follows.

(1) The rules ChanOut_S and ChanIn_S are used to realize the secure channel between the RAN and the CN.

    rule ChanOut_S: [ Out_S($A, $B, x) ] --[ ChanOut_S($A, $B, x) ]-> [ !Sec($A, $B, x) ]
    rule ChanIn_S:  [ !Sec($A, $B, x) ] --[ ChanIn_S($A, $B, x) ]-> [ In_S($A, $B, x) ]

(2) The rule Reveal_ltk is to model compromised agents.

    rule Reveal_ltk:
      [ !Ltk(CN, sk) ] --[ LtkReveal(CN) ]-> [ Out(sk) ]

(3) The rule Setup is to assign necessary parameters to the UE and the CN.

    rule Setup:
      [ Fr(~K), Fr(~SUPI), Fr(~SNN), Fr(~sk) ] --[ Setup() ]->
      [ !Ltk($CN, ~sk), !Pk($CN, pk(~sk)), CN_init($UE, ~K, ~SUPI, ~SNN), UE_init($UE, ~K, ~SUPI, ~SNN) ]

(4) The UE's process is modeled by two rewriting rules. Rule UE1 denotes the process of the UE generating a request message SUCI and transmitting it to the RAN. Rule UE2 represents the process of the UE receiving and verifying the response message RES*.

    rule UE1:
      let
        MSK = h(<~RAND>)
        C1  = aenc(~RAND, pk)
        C21 = senc(SUPI, MSK)
        C22 = senc(~SQNUE, MSK)
        MAC = h(<K, ~SQNUE, ~RAND>)
      in
      [ UE_init($UE, K, SUPI, SNN)
      , Fr(~RAND)
      , Fr(~SQNUE)
      , !Pk($CN, pk)
      ]
      --[ SendRequest($UE, MAC), SecretMsg(SUPI) ]->
      [ UEstore($UE, K, ~RAND, SNN, ~SQNUE), Out(<C1, C21, C22, MAC>) ]

    rule UE2:
      let
        XRES  = h(<K, RAND, '2'>)
        CK    = h(<K, RAND, '3'>)
        IK    = h(<K, RAND, '4'>)
        XRES1 = h(<CK, IK, SNN, RAND, XRES>)
        key   = h(<K, RAND, ~SQNUE, SNN>)
      in
      [ UEstore($UE, K, RAND, SNN, ~SQNUE)
      , In(<RES1>)
      ]
      --[ Eq(XRES1, RES1), RecvConfirm($UE, RES1, key), SecretMsg(key), SecretPFS(key) ]-> [ ]

(5) The RAN's process is modeled by two rewriting rules. Rule RAN1 denotes that the RAN transmits the message SUCI to the CN. Rule RAN2 denotes that the RAN transmits the message RES* to the UE.

    rule RAN1:
      [ In(<C1, C21, C22, MAC>) ] --> [ Out_S($RAN, $CN, <C1, C21, C22, MAC>) ]

    rule RAN2:
      [ In_S($CN, $RAN, <RES1>) ] --> [ Out(<RES1>) ]

(6) The CN's process is modeled by one rewriting rule. Rule CN1 denotes that the CN verifies the request message SUCI, generates the response message RES*, and then hands RES* to the RAN.

    rule CN1:
      let
        RAND  = adec(C1, sk)
        MSK   = h(<RAND>)
        SUPI  = sdec(C21, MSK)
        SQNUE = sdec(C22, MSK)
        XMAC  = h(<K, SQNUE, RAND>)
        RES   = h(<K, RAND, '2'>)
        CK    = h(<K, RAND, '3'>)
        IK    = h(<K, RAND, '4'>)
        RES1  = h(<CK, IK, SNN, RAND, RES>)
        key   = h(<K, RAND, SQNUE, SNN>)
      in
      [ CN_init($UE, K, SUPI, SNN)
      , !Ltk($CN, sk)
      , In_S($RAN, $CN, <C1, C21, C22, MAC>)
      ]
      --[ RecvRequest($UE, MAC), Eq(XMAC, MAC), SendConfirm($UE, RES1, key) ]->
      [ Out_S($CN, $RAN, <RES1>) ]

3. Several restrictions are defined to assist in verifying the protocol. Restriction unique states that two RecvConfirm actions with the same message and key must be the same timepoint, i.e., a confirmation is accepted only once even if it appears on the trace twice. Restriction Equality is used to verify the MAC value. Restriction OneSetup denotes that the action Setup() must be unique.

    restriction unique:
      "All CN m key #i #j. RecvConfirm(CN, m, key) @#i & RecvConfirm(CN, m, key) @#j ==> #i = #j"

    restriction Equality:
      "All x y #i. Eq(x, y) @i ==> x = y"

    restriction OneSetup:
      "All #i #j. Setup() @i & Setup() @j ==> #i = #j"

4. The desired security properties are described with five lemmas. The lemmas ExecutableRequest and ExecutableConfirm ensure that the protocols work. The lemma CN_auth_UE means that the CN can authenticate the UE. The lemma UE_auth_CN_Key means that the UE authenticates the CN and negotiates a key with the CN. The lemma Secrecy_message specifies the confidentiality of the corresponding message.

    lemma ExecutableRequest:
      exists-trace
      "Ex UE m #i #j. SendRequest(UE, m) @i & RecvRequest(UE, m) @j"

    lemma ExecutableConfirm:
      exists-trace
      "Ex UE m key #i #j. RecvConfirm(UE, m, key) @i & SendConfirm(UE, m, key) @j"

    lemma CN_auth_UE:
      "(All UE m #i. RecvRequest(UE, m) @ #i
        ==>
        ((Ex #a. SendRequest(UE, m) @ a)
        | (Ex #r. LtkReveal(UE) @ r & r < i)))"

    lemma UE_auth_CN_Key:
      "(All UE mac key #i. RecvConfirm(UE, mac, key) @ #i
        ==>
        ((Ex #a. SendConfirm(UE, mac, key) @ a)
        | (Ex #r. LtkReveal(UE) @ r & r < i)))"

    lemma Secrecy_message:
      "All n #i. SecretMsg(n) @i
        ==>
        (not (Ex #j. K(n) @j))
        | (Ex CN #k. LtkReveal(CN) @k)"

Fig. 7. Tamarin result of the improved 5G-AKA protocol.
Fig. 8. Tamarin result of the UAV service access authentication protocol.
Fig. 9. Tamarin result of the UAV-assisted UE access authentication protocol.
Fig. 10. Tamarin result of the UE handover authentication protocol.

5. The running results of all proposed protocols are shown in Fig. 7, Fig. 8, Fig. 9 and Fig. 10.

Fig. 7 shows the Tamarin execution result of the improved 5G-AKA protocol. From Fig. 7, the output of all lemmas is displayed as verified. It means that the CN successfully authenticates the UE, the UE successfully authenticates the CN, and a key is established between the UE and the CN. Meanwhile, the confidentiality of the UE's identity SUPI and the negotiated key key is achieved.
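The same improved 5G-AKA flow that rules UE1, CN1 and UE2 above model, written out in executable Python as an added example (not the authors' code): the MAC travels in the first message so a wrong key is turned away after two signalling messages, SQN_UE and SQN_HN are carried under MSK, and the core network keeps (SUPI', RES*, K_RAN) until confirmation so a duplicated SUCI is answered from the store. Assumed instantiations, none of them from the paper: f1..f4 and KDF as HMAC-SHA256, K_network derived from (CK, IK), E_k as a labelled keystream stand-in, and the Kyber encryption of RAND replaced by a labelled placeholder that is not public-key.

```python
import hashlib, hmac, os

SQN_LEN, WINDOW = 6, 32   # 48-bit sequence numbers; accepted SQN_UE window above SQN_HN (constructed value)

def f(K, tag, data, n=16):  # f1, f1*, f2, f3, f4 of Section V as one domain-separated HMAC-SHA256 (assumption)
    return hmac.new(K, tag + data, hashlib.sha256).digest()[:n]

def kdf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def enc(key, label, data):
    """Stand-in for E_k/D_k (no AES in the standard library): SHAKE-256 keystream XOR, decrypt is the same call;
    a distinct label per use of one MSK keeps C2 and CSQN from sharing keystream."""
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + label).digest(len(data))))

class StandInPKE:
    """Placeholder for the Kyber encryption of RAND (Section V.B): wraps RAND under a home-network secret. NOT public-key."""
    def __init__(self): self.sk = os.urandom(32)
    def encrypt(self, rand): n = os.urandom(16); return n + enc(self.sk, n, rand)
    def decrypt(self, c1): return enc(self.sk, c1[:16], c1[16:])

def sqn_bytes(n): return n.to_bytes(SQN_LEN, "big")

class UE:
    def __init__(self, supi, K, amf, pke):
        self.supi, self.K, self.amf, self.pke, self.sqn, self.rand = supi, K, amf, pke, 0, None

    def step1(self):
        """SUCI = (C1, C2, MAC): the MAC rides on the first message; SQN_UE travels hidden under MSK."""
        self.rand = os.urandom(32)
        self.msk = kdf(self.rand, b"MSK")
        c2 = enc(self.msk, b"C2", self.supi + sqn_bytes(self.sqn))
        mac = f(self.K, b"f1", sqn_bytes(self.sqn) + self.rand + self.amf)
        return (self.pke.encrypt(self.rand), c2, mac)

    def step4(self, reply, snn):
        """Step 4: verify RES* and derive K_RAN; Step 4*: resynchronise from the encrypted SQN_HN."""
        if self.rand is None: return "failure"   # a replayed RES* meets no live RAND, so it cannot single out this UE
        if reply[0] == "RES*":
            xres, ck, ik = (f(self.K, t, self.rand) for t in (b"f2", b"f3", b"f4"))
            if not hmac.compare_digest(reply[1], kdf(ck + ik, snn + self.rand + xres)):
                return "failure"
            self.k_ran = kdf(kdf(ck + ik, b"Knetwork"), b"uplink-count-0|3GPP access|" + self.rand)  # assumed derivation
            self.sqn, self.rand = self.sqn + 1, None
            return "confirm"
        if reply[0] == "sync failure":
            sqn_hn = enc(self.msk, b"CSQN", reply[1])
            if not hmac.compare_digest(reply[2], f(self.K, b"f1*", sqn_hn + self.rand + self.amf)):
                return "failure"
            self.sqn, self.rand = int.from_bytes(sqn_hn, "big"), None   # Step 4*: reset SQN_UE to SQN_HN'
            return "resync"
        return "failure"

class CoreNetwork:
    def __init__(self, pke, snn, subs):
        self.pke, self.snn, self.subs, self.cache = pke, snn, subs, {}

    def step2(self, suci):
        """Step 2: a bad MAC is rejected after two messages; else Step 3 (RES*, K_RAN) or Step 3* (AUTS)."""
        c1, c2, mac = suci
        if mac in self.cache:
            return self.cache[mac][0]               # duplicate SUCI after signalling loss: resend the stored reply
        rand = self.pke.decrypt(c1)
        msk = kdf(rand, b"MSK")
        pt = enc(msk, b"C2", c2)
        supi, sqn_ue = pt[:-SQN_LEN], int.from_bytes(pt[-SQN_LEN:], "big")
        sub = self.subs.get(supi)
        if sub is None or not hmac.compare_digest(mac, f(sub[0], b"f1", pt[-SQN_LEN:] + rand + sub[1])):
            return ("MAC failure",)                 # Step 3**
        K, amf, sqn_hn = sub
        if not sqn_hn <= sqn_ue < sqn_hn + WINDOW:  # (ii) fails: Step 3*, SQN_HN goes back under MSK'
            macs = f(K, b"f1*", sqn_bytes(sqn_hn) + rand + amf)
            return ("sync failure", enc(msk, b"CSQN", sqn_bytes(sqn_hn)), macs)
        res, ck, ik = (f(K, t, rand) for t in (b"f2", b"f3", b"f4"))
        res_star = kdf(ck + ik, self.snn + rand + res)
        k_ran = kdf(kdf(ck + ik, b"Knetwork"), b"uplink-count-0|3GPP access|" + rand)   # assumed derivation
        sub[2] = sqn_ue + 1                         # SQN_HN = SQN_UE' + 1
        self.cache[mac] = (("RES*", res_star), (supi, res_star, k_ran))   # held until confirmation or timeout
        return self.cache[mac][0]

    def confirm(self, suci):   # access confirmation received: release the stored (SUPI', RES*, K_RAN) for the RAN
        return self.cache.pop(suci[2])[1]

def run_scenarios():
    """Constructed demo: honest access, duplicated SUCI, wrong-key UE, replayed SUCI and RES*, SQN resync."""
    pke, snn = StandInPKE(), b"5G:constructed-serving-network"
    K, amf, supi = os.urandom(32), b"\x80\x00", b"imsi-constructed-000"
    cn = CoreNetwork(pke, snn, {supi: [K, amf, 0]})   # subscriber record [K, AMF, SQN_HN]
    ue = UE(supi, K, amf, pke)
    suci = ue.step1(); reply = cn.step2(suci)
    out = {"dup_same": cn.step2(suci) == reply, "honest": ue.step4(reply, snn)}
    out["k_ran_match"] = cn.confirm(suci)[2] == ue.k_ran
    out["wrong_key"] = cn.step2(UE(supi, os.urandom(32), amf, pke).step1())[0]
    out["replayed_suci"] = cn.step2(suci)[0]         # MAC still valid, SQN stale -> sync failure, no RES* issued
    out["replayed_res"] = ue.step4(reply, snn)       # old RES* replayed to the UE -> failure
    ue2 = UE(supi, K, amf, pke); ue2.sqn = 10_000    # far ahead of SQN_HN: forces Step 3*/4*
    out["resync"] = ue2.step4(cn.step2(ue2.step1()), snn) == "resync" and ue2.sqn == cn.subs[supi][2]
    return out
```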
Fig. 8 shows the Tamarin execution result of the UAV service access authentication protocol. From Fig. 8, the output of all lemmas is displayed as verified. It means that the CN successfully authenticates the UAV, the UAV successfully authenticates the CN, and a key is established between the UAV and the RAN. Meanwhile, the confidentiality of the UAV's identity SUPI is achieved.

Fig. 9 shows the Tamarin execution result of the UAV-assisted UE access authentication protocol. From Fig. 9, the output of all lemmas is displayed as verified. It means that the CN successfully authenticates the UE, the UE successfully authenticates the CN, and a key is established between the UE and the UAV. Meanwhile, the confidentiality of the UE's identity SUPI is achieved.

Fig. 10 shows the Tamarin execution result of the UE handover authentication protocol. From Fig. 10, the output of all lemmas is displayed as verified. It means that the target UAV successfully authenticates the UE, the UE successfully authenticates the target UAV, and a key is established between the UE and the target UAV.

B. Informal Security Analysis

In this section, we prove the security of the proposed scheme by using informal security analysis. For simplification, we take the improved 5G-AKA protocol as an example; the proof for the other processes is similar to that of the improved 5G-AKA protocol.

Mutual Authentication: The improved 5G-AKA protocol achieves mutual authentication between the UE and the 5G/6G core network. The UE and the 5G/6G core network share a long-term secret key K. The UE generates a value MAC with K, and the 5G/6G core network authenticates the UE by checking MAC. Similarly, the 5G/6G network generates a value RES* with K, and the UE authenticates the 5G/6G core network by checking RES*. Attackers without K cannot calculate the value MAC/RES*. Thus, mutual authentication is achieved between the UE and the 5G/6G core network.

Identity Anonymity: The improved 5G-AKA protocol can achieve identity anonymity. The UE's identity SUPI is encrypted with the RAND, and the RAND is encrypted with the public key of the 5G/6G core network. Only the 5G/6G core network can get the RAND and obtain the SUPI.

Resistance to Traceability Attack: In the improved 5G-AKA protocol, after an attacker replays a message RES* of a specific UE to multiple devices, the response values of the source UE and the other devices will only be verification failures. Therefore, the attacker cannot trace a specific UE according to the message RES*.

Data Security: At the end of the improved 5G-AKA protocol, a basic key K_RAN is computed to protect the communication data between the UE and the RAN. Only the UE and the ground RAN can obtain K_RAN, so the data security between the UE and the ground RAN can be ensured.

PFS: In the improved 5G-AKA protocol, the key K_RAN depends on the key K_network and the random value RAND. The key K_network is derived from the long-term secret key K shared between the UE and the 5G/6G core network. Even if the long-term secret key K of the UE is compromised, it is difficult for an adversary to derive the value RAND, based on the hard problem of MLWE, and further derive the preceding session key K_RAN. Therefore, the improved 5G-AKA protocol supports PFS.

ESL Attack Resistance: In the improved 5G-AKA protocol, the key K_RAN actually depends on the long-term secret key K and the random value RAND. Even after obtaining the ephemeral secret value RAND, the adversary cannot obtain the long-term secret key K and further derive the key K_RAN. Thus, the improved 5G-AKA protocol can resist ESL attack.

Withstanding Several Protocol Attacks: The improved 5G-AKA protocol can withstand several protocol attacks as follows.
• Replay attack: The UE and the 5G/6G core network can detect replayed messages by the random number RAND and the sequence number SQN, respectively.
• Impersonation attack: No adversary can impersonate a legitimate UE to access the 5G/6G core network, or impersonate the 5G/6G core network to provide network services, since mutual authentication between the 5G/6G core network and the UE is realized.
• MITM attack: The adversary cannot impersonate either the UE or the 5G/6G core network entities to communicate with the other party, so it cannot launch a MITM attack.
• DOS/DDOS attack: The improved 5G-AKA protocol can resist DOS/DDOS attack. On the one hand, since the improved 5G-AKA protocol can resist impersonation attack, replay attack, etc., it can prevent attackers from impersonating legitimate users to access the network and thus occupy network resources. On the other hand, compared to other schemes, the improved 5G-AKA protocol consumes a small amount of computational overhead to identify malicious UEs, so that it can resist DOS/DDOS attack to a certain extent.

Quantum Security: The improved 5G-AKA protocol can resist quantum attack. Only these algorithms, including CRYSTALS-Kyber, hash function, and symmetric algorithm, are used. According to the National Institute of Standards and Technology (NIST) [46], the CRYSTALS-Kyber algorithm has become one of the main families believed to be able to resist quantum attack. Additionally, it has been proven that symmetric algorithms and hash functions should be usable in a quantum era [51].

Finally, we compare the security properties of the improved 5G-AKA protocol with those of other related schemes, as shown in TABLE III. From TABLE III, it can be concluded that the improved 5G-AKA protocol provides more robust security than other related schemes.

For the UAV service access authentication protocol and the UAV-assisted UE access authentication protocol, only a small number of operations, including symmetric encryption and decryption operations, hash operations, etc., are added on top of the improved 5G-AKA protocol. These operations do not compromise security. Thus, the UAV service access authentication protocol and the UAV-assisted UE access authentication protocol can also support the above security properties. Therefore, the proposed scheme can support mutual
TABLE III
C OMPARISON OF S ECURITY P ROPERTIES

TABLE IV
S IGNALING OVERHEAD

authentication, identity anonymity, data security, PFS, resis-


tance to traceability attack, ESL attack, protocol attacks, etc.,
which meets the security requirements defined in Section III-C.

VIII. PERFORMANCE EVALUATION

In this section, we evaluate the performance of the proposed scheme against other related schemes. For simplification, we take the improved 5G-AKA protocol as an example; the overhead of the other protocols is similar to that of the improved 5G-AKA protocol. Since there is no authentication scheme for a UAV relay assisting ground UEs in obtaining network services, we mainly compare the proposed scheme with the existing 5G-AKA protocol [8] and the typical satellite-assisted UE access authentication schemes, including Zhao et al.'s scheme [34], Kumar and Garg scheme [36], Yang et al.'s scheme [39] and Guo and Du scheme [40]. Considering that a large number of signaling messages or a large size of messages transmitted during the authentication process could potentially lead to network congestion, critical node failures, etc., we compare the signaling overhead and communication overhead of the relevant schemes. Considering that performing cryptographic operations consumes computational resources, potentially leading to increased battery consumption and performance degradation, we compare the computational overhead of the relevant schemes. Furthermore, considering UEs' limited storage and energy resources, we compare the storage overhead and energy consumption on the UE side in the relevant schemes.

For the sake of fairness, we refer to the NIST standards [52] and assume that the security strength in these comparison schemes is equivalent to AES 128 bits. Concretely, the key used for symmetric encryption and decryption is 128 bits. The parameters based on the RLWE/MLWE hard problem are that the value q is 12 bits, the seed used to generate the system matrix is 256 bits, and n = 256 (ring R_q = Z_q[X]/(X^n + 1)) [47]. The private and public keys of ECC are 256 bits and 512 bits. The key size of the large-integer-factorization cryptographic algorithm is 3072 bits. The output value of a regular hash is usually 256 bits, while the output value of a message authentication code is 64 bits. The response value RES is 128 bits. The key is 256 bits. The sequence number is 48 bits [45]. The authentication management field AMF is 16 bits. The random number is 128 bits. The SUPI/identity is 49 bits [53]. The timestamp is 32 bits.

Fig. 11. Comparison of signaling overhead. (a) Total signaling overhead. (b) Signaling overhead for identifying malicious UEs.

A. Signaling Overhead

On the signaling overhead, we evaluate the improved 5G-AKA protocol in conjunction with other related schemes based on the number of total signaling messages and the number of signaling messages consumed to identify a malicious UE. For the sake of fairness, we split the entities in these comparison schemes into three parts: UE, RAN, and network. Meanwhile, we only consider the signaling overhead during the actual authentication process. According to the different application scenarios, the signaling overhead in these related schemes is shown in TABLE IV. The sixth column in TABLE IV represents the total signaling overhead, while the seventh column represents the signaling overhead generated before successfully identifying a malicious UE.

Fig. 11 depicts the comparison result of the improved 5G-AKA protocol and other related schemes regarding the number of signaling messages with the increasing number


of UEs. From Fig. 11(a), the total signaling overhead of the improved 5G-AKA protocol is less than that of Kumar and Garg scheme [36] and the existing 5G-AKA protocol [8], and larger than that of Yang et al.'s scheme [39] and Guo and Du scheme [40]. From Fig. 11(b), compared with other related schemes, the improved 5G-AKA protocol generates a small amount of signaling overhead before the 5G/6G core network successfully identifies a malicious UE. In Yang et al.'s scheme [39] and Guo and Du scheme [40], the UE directly authenticates with satellites, which can effectively reduce signaling overhead, but this will undoubtedly increase storage and computational costs on the satellites, whose resources are limited.

TABLE V: Computational Operation

TABLE VI: Communication Overhead

B. Computational Overhead

On the computational overhead, we evaluate the improved 5G-AKA protocol in conjunction with other related schemes based on the total computational time and the computational time consumed for the 5G/6G core network or the access node to identify a malicious UE. We only consider the overhead of these operations: bilinear pairing, hash, modular exponentiation, elliptic curve point multiplication, symmetric encryption/decryption, and polynomial multiplication. The running time of these operations is represented as t_bp, t_h, t_me, t_ecpm, t_se and t_pm, respectively. According to the tested result on the ATxmega128A1 microcontroller [54], t_bp = 4.7 ms, t_h = 0.02 ms, t_me = 3.8 ms, t_ecpm = 1.8 ms, t_se = 0.03 ms, and t_pm = 0.1 ms. The second column of TABLE V lists the primary computational operations used in these comparison schemes, while the third column lists the computational operations required for the 5G/6G core network entities or access points to identify a malicious UE in these comparison schemes. N_u − j denotes the remaining maximum access number for a UE.

Fig. 12. Comparison of computational overhead.

Fig. 12 depicts the comparison result of the related schemes regarding the computational overhead as the number of authentications increases. From Fig. 12(a), the computational overhead of the improved 5G-AKA protocol is much less than that of the existing 5G-AKA protocol [8] and Yang et al.'s scheme [39], and similar to that of the other schemes. From Fig. 12(b), compared with other related schemes, the improved 5G-AKA protocol consumes a small amount of computational overhead for the 5G/6G core network to identify a malicious UE.

C. Communication Overhead

On the communication overhead, we evaluate the improved 5G-AKA protocol against other related schemes based on the total size of the messages transmitted during the authentication process. For the existing 5G-AKA protocol [8], some parameters depending on ECC are transmitted. For Zhao et al.'s scheme [34], only some lightweight parameters, such as hash values, identity, etc., are transmitted. For Yang et al.'s scheme [39], some parameters depending on FFC are transmitted. For Kumar and Garg scheme [36], Guo and Du scheme [40], and the improved 5G-AKA protocol, some parameters based on the RLWE/MLWE hard problem are transmitted. TABLE VI lists the communication overhead consumed in these schemes.

Fig. 13 depicts the comparison result of the related schemes regarding the communication overhead as the number of UEs increases. From Fig. 13, it can be seen that the improved 5G-AKA protocol, Kumar and Garg scheme [36], Yang et al.'s scheme [39] and Guo and Du scheme [40] consume more communication overhead than the other schemes. The improved 5G-AKA protocol, Kumar and Garg scheme [36], and Guo and Du scheme [40] are based on lattice-based cryptography and can resist quantum attack. The parameters of lattice-based cryptography are relatively large, which is inevitable and currently insurmountable. The communication overhead can be justified by the security gained against quantum attack, as existing


Fig. 13. Comparison of communication overhead.

schemes cannot resist these attacks. The communication overhead of the improved 5G-AKA protocol is greater than that of Guo and Du scheme [40], but Guo and Du scheme [40] is susceptible to traceability attack, etc.

D. Storage Overhead

On the storage overhead, we only consider the storage requirement of the UE. For the existing 5G-AKA protocol [8], the UE mainly needs to store the long-term secret key K, the identity SUPI, the sequence number SQN, the public key of the 5G/6G core network pk_HN, the authentication and key management field AMF, as well as the generator on elliptic curves G. For Zhao et al.'s scheme [34], the UE needs to store the temporary identity TID_U, the maximum access number N_U, the shared authentication key K_A, and the remaining maximum access number N_U − m. For Kumar and Garg scheme [36], the UE needs to store the hash values (C, D), the hidden random number E, as well as the public parameter a and the public key θ. For Yang et al.'s scheme [39], the UE needs to store the group public key gpk, the group private key gsk[i], the public key of the satellite pk_LEO, the public key of the ground station pk_GS, as well as the identity of the network ID. For Guo and Du scheme [40], the UE needs to store the hash values (DP, V), the public key of the satellite pm_L, the secret key sm_u, the public ring element a, as well as the master public key p_TCS. For the improved 5G-AKA protocol, the UE mainly needs to store the long-term secret key K, the identity SUPI, the authentication and key management field AMF, the public key of the 5G/6G core network pk_HN, as well as the parameter ρ.

Fig. 14. Comparison of storage overhead.

Fig. 14 depicts the comparison result of the related schemes in terms of storage overhead. From Fig. 14, the storage overhead of the improved 5G-AKA protocol is less than that of Guo and Du scheme [40], similar to that of Kumar and Garg scheme [36], and larger than that of the other schemes. However, the improved 5G-AKA protocol provides more robust security properties than the other related schemes. The parameter size of lattice-based cryptographic algorithms is generally large, which is inevitable and is the main direction for our future optimization.

E. Energy Consumption

In this section, we compare the improved 5G-AKA protocol with other schemes regarding energy consumption on the UE side. According to [55], the energy consumption can be calculated by the equation E = E_comm + E_comp. E_comm refers to the communication energy cost and can be calculated as E_comm = n_S E_S + n_R E_R, where n_S refers to the number of bytes sent, n_R refers to the number of bytes received, and E_S and E_R represent the energy required to send and receive one byte, respectively. E_comp refers to the computational energy cost and can be calculated as the sum of the energy consumptions of the cryptographic operations. The computational and communication energy costs on the UE are summarized in TABLE VII.

We refer to the data tested on the MICAz hardware platform [56]. The testbed operates at a voltage of 3 V, an average current draw of 8 mA, a current draw in receive mode of 19.7 mA, a current draw in transmit mode of 17.4 mA, and a data rate of 250 kbps. Thus, E_S = 3 V × 17.4 mA × 8/250 kbps = 0.00167 mJ and E_R = 3 V × 19.7 mA × 8/250 kbps = 0.00189 mJ. Additionally, based on the running times of the cryptographic operations in Section VIII-B, the energy consumptions of the bilinear pairing, hash, modular exponentiation, elliptic curve point multiplication, symmetric encryption/decryption and polynomial multiplication can be calculated as E_bp = 4.7 ms × 3 V × 8 mA = 0.1128 mJ, E_h ≈ 0.0005 mJ, E_me = 0.0912 mJ, E_ecpm = 0.0432 mJ, E_se ≈ 0.0007 mJ, and E_pm = 0.0024 mJ, respectively.

Fig. 15. Comparison of energy consumption on UE.

Fig. 15 shows the comparison results of UE-side energy consumption as the number of authentications increases. From Fig. 15, the energy overhead of the improved 5G-AKA protocol is smaller than that of Yang et al.'s scheme [39], Guo and Du scheme [40], and Kumar and Garg scheme [36], and larger


than that of the existing 5G-AKA protocol [8] and Zhao et al.'s scheme [34]. However, the improved 5G-AKA protocol provides more robust security properties than the other related schemes.

TABLE VII: Energy Consumption on UE
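As an added worked example (not code from the paper), the following Python block carries the energy model of Section VIII-E through in code: E = E_comm + E_comp with E_comm = n_S E_S + n_R E_R. It derives E_S, E_R and the per-operation energies from the MICAz radio figures and the ATxmega128A1 running times quoted above, then applies them to two constructed UE profiles, an ECC-style run with small messages and a lattice-style run with large messages. The profiles, their byte counts and their operation counts are illustrative assumptions and not the entries of TABLE VII; only the platform constants and operation times come from the text.

```python
"""Energy accounting for one UE authentication run, E = E_comm + E_comp.

Added worked example, not code from the paper. Platform constants and
per-operation running times are the values quoted in Sections VIII-B and
VIII-E; the UE profiles at the bottom are constructed for illustration.
"""
from dataclasses import dataclass, field

# MICAz platform parameters quoted in the text ([56]).
VOLTAGE_V = 3.0
ACTIVE_CURRENT_A = 8e-3       # average current draw while computing
TX_CURRENT_A = 17.4e-3        # current draw in transmit mode
RX_CURRENT_A = 19.7e-3        # current draw in receive mode
DATA_RATE_BPS = 250e3

# Running time per cryptographic operation on the ATxmega128A1 ([54]), seconds.
OP_TIME_S = {
    "bp": 4.7e-3,     # bilinear pairing
    "h": 0.02e-3,     # hash
    "me": 3.8e-3,     # modular exponentiation
    "ecpm": 1.8e-3,   # elliptic curve point multiplication
    "se": 0.03e-3,    # symmetric encryption/decryption
    "pm": 0.1e-3,     # polynomial multiplication
}


def byte_energy_mj(current_a):
    """Energy to move one byte over the radio: P * t, with t = 8 bits / data rate."""
    return VOLTAGE_V * current_a * (8 / DATA_RATE_BPS) * 1e3  # J -> mJ


def op_energy_mj(op):
    """Energy of one cryptographic operation: P_active * running time."""
    return VOLTAGE_V * ACTIVE_CURRENT_A * OP_TIME_S[op] * 1e3


E_S = byte_energy_mj(TX_CURRENT_A)   # per byte sent, 0.00167 mJ in the text
E_R = byte_energy_mj(RX_CURRENT_A)   # per byte received, 0.00189 mJ in the text


@dataclass
class UEProfile:
    """What one UE does during a single authentication run (constructed input)."""
    bytes_sent: int
    bytes_received: int
    ops: dict = field(default_factory=dict)   # operation name -> count

    def comm_energy_mj(self):
        """E_comm = n_S * E_S + n_R * E_R."""
        return self.bytes_sent * E_S + self.bytes_received * E_R

    def comp_energy_mj(self):
        """E_comp = sum over operations of count * per-operation energy."""
        return sum(n * op_energy_mj(op) for op, n in self.ops.items())

    def total_energy_mj(self):
        return self.comm_energy_mj() + self.comp_energy_mj()


def energy_over_runs(profile, runs):
    """Total UE energy for `runs` consecutive authentications (linear in runs)."""
    return runs * profile.total_energy_mj()


# Constructed profiles, hypothetical and not any scheme's TABLE VII numbers:
# an ECC-style run with a few point multiplications and small messages, and a
# lattice-style run with polynomial multiplications and much larger messages.
ECC_STYLE = UEProfile(bytes_sent=200, bytes_received=200,
                      ops={"ecpm": 3, "h": 6, "se": 2})
LATTICE_STYLE = UEProfile(bytes_sent=1500, bytes_received=1500,
                          ops={"pm": 4, "h": 8, "se": 2})

if __name__ == "__main__":
    print(f"E_S = {E_S:.5f} mJ/byte, E_R = {E_R:.5f} mJ/byte")
    for op in OP_TIME_S:
        print(f"E_{op} = {op_energy_mj(op):.4f} mJ")
    for name, p in (("ECC-style", ECC_STYLE), ("lattice-style", LATTICE_STYLE)):
        print(f"{name}: comm {p.comm_energy_mj():.3f} mJ, "
              f"comp {p.comp_energy_mj():.3f} mJ, total {p.total_energy_mj():.3f} mJ")
```

Running it reproduces the per-byte and per-operation figures of the text and makes the trade-off of Section VIII-C visible in energy terms: for the lattice-style profile the radio bytes dominate the budget (about 5.3 mJ of communication against 0.015 mJ of computation per run), so message size, not polynomial arithmetic, is what drives UE energy in a lattice-based scheme.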
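Polynomial multiplication in the ring R_q = Z_q[X]/(X^n + 1), costed as t_pm in Section VIII-B and the dominant operation of the lattice-based schemes compared above, is normally realized with the number-theoretic transform (NTT). The following Python block is an added example, not code from the paper or from any of the compared schemes. It assumes the CRYSTALS-Kyber ring parameters (n = 256, q = 3329, a 12-bit prime, and ζ = 17 as primitive 256th root of unity), which match the n = 256 and 12-bit q stated in Section VIII; the bit-reversed twiddle order, the base-case multiply of degree-1 polynomials and the constant 3303 = 128^(-1) mod q follow the Kyber specification [47]. It multiplies two polynomials through forward NTT, pointwise base-case products and inverse NTT, and checks the result against a plain negacyclic schoolbook product on constructed random inputs.

```python
"""Polynomial multiplication in R_q = Z_q[X]/(X^256 + 1) via Kyber's NTT.

Added worked example, not code from the paper. Assumes Kyber's parameters
(n = 256, q = 3329, zeta = 17); the NTT is Kyber's incomplete NTT, so the
transform domain holds 128 degree-1 polynomials and pointwise products need
a base-case multiply modulo X^2 - gamma_i.
"""
import random

N, Q = 256, 3329
ZETA = 17                       # primitive 256th root of unity mod Q


def bitrev7(i):
    """Reverse the 7 low bits of i; twiddles are consumed in bit-reversed order."""
    return int(f"{i:07b}"[::-1], 2)


# zeta^bitrev7(i) for the butterflies; odd powers for the base-case multiply.
ZETAS = [pow(ZETA, bitrev7(i), Q) for i in range(128)]
GAMMAS = [pow(ZETA, 2 * bitrev7(i) + 1, Q) for i in range(128)]


def ntt(f):
    """Forward NTT. Input/output: list of 256 coefficients mod Q."""
    f = list(f)
    k, length = 1, 128
    while length >= 2:
        for start in range(0, N, 2 * length):
            z = ZETAS[k]
            k += 1
            for j in range(start, start + length):
                t = z * f[j + length] % Q
                f[j + length] = (f[j] - t) % Q
                f[j] = (f[j] + t) % Q
        length //= 2
    return f


def inv_ntt(f_hat):
    """Inverse NTT; the final scaling by 3303 = 128^-1 mod Q undoes the 7 stages."""
    f = list(f_hat)
    k, length = 127, 2
    while length <= 128:
        for start in range(0, N, 2 * length):
            z = ZETAS[k]
            k -= 1
            for j in range(start, start + length):
                t = f[j]
                f[j] = (t + f[j + length]) % Q
                f[j + length] = z * (f[j + length] - t) % Q
        length *= 2
    return [c * 3303 % Q for c in f]


def mul_ntt(f_hat, g_hat):
    """Pointwise product: 128 products of degree-1 polynomials mod X^2 - gamma_i."""
    h = [0] * N
    for i in range(128):
        a0, a1 = f_hat[2 * i], f_hat[2 * i + 1]
        b0, b1 = g_hat[2 * i], g_hat[2 * i + 1]
        h[2 * i] = (a0 * b0 + a1 * b1 * GAMMAS[i]) % Q
        h[2 * i + 1] = (a0 * b1 + a1 * b0) % Q
    return h


def poly_mul_ntt(f, g):
    """f * g in R_q: two forward NTTs, one pointwise multiply, one inverse NTT."""
    return inv_ntt(mul_ntt(ntt(f), ntt(g)))


def poly_mul_schoolbook(f, g):
    """Reference O(n^2) negacyclic convolution: X^N = -1 wraps with a sign flip."""
    h = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < N:
                h[i + j] = (h[i + j] + fi * gj) % Q
            else:
                h[i + j - N] = (h[i + j - N] - fi * gj) % Q
    return h


def random_poly(seed):
    """Constructed test input: 256 uniformly random coefficients mod Q."""
    rng = random.Random(seed)
    return [rng.randrange(Q) for _ in range(N)]


def check_agreement(seed=0, trials=5):
    """True if the NTT-based and schoolbook products agree on `trials` random pairs."""
    for t in range(trials):
        f, g = random_poly(seed + 2 * t), random_poly(seed + 2 * t + 1)
        if poly_mul_ntt(f, g) != poly_mul_schoolbook(f, g):
            return False
    return True


if __name__ == "__main__":
    print("NTT product matches schoolbook:", check_agreement())
```

The schoolbook routine is the check, not the fast path: it costs n^2 = 65536 modular multiplications per product, while the NTT route costs three transforms of (n/2) log2 n = 896 butterflies each plus 128 base-case products, which is why a hardware implementation of a lattice-based protocol is built around an NTT core and why t_pm sits close to a hash rather than to a pairing in the operation costs above.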
Discussion: In conclusion, according to the security comparison results in TABLE III and the performance comparison results in Fig. 11, Fig. 12, Fig. 13, Fig. 14 and Fig. 15, the improved 5G-AKA protocol has better performance in security than the existing 5G-AKA protocol [8], Zhao et al.'s scheme [34], Kumar and Garg scheme [36], Yang et al.'s scheme [39], and Guo and Du scheme [40]. Notably, compared with the existing 5G-AKA protocol [8], Zhao et al.'s scheme [34] and Yang et al.'s scheme [39], the improved 5G-AKA protocol, Kumar and Garg scheme [36] and Guo and Du scheme [40] can resist quantum attack, which makes them more suitable for the future 5G/6G core network. However, the communication overhead, storage overhead, and energy consumption in the improved 5G-AKA protocol, Kumar and Garg scheme [36] and Guo and Du scheme [40] are all high, which is inevitable and currently insurmountable in the academic community. Additionally, the improved 5G-AKA protocol consumes less signaling overhead and energy, and costs similar communication overhead and computational overhead, compared to Kumar and Garg scheme [36]. The improved 5G-AKA protocol consumes similar computational overhead and much less storage overhead than Guo and Du scheme [40]. In addition, for Guo and Du scheme [40], the access network needs to store the public keys of all UEs, which will result in significant storage overhead on the access node.

IX. IMPLEMENTATION

In this section, we implement the improved 5G-AKA protocol and the existing 5G-AKA protocol [8] on an FPGA to test their entire running time. Firstly, the hardware circuits of the protocols are described in the Verilog HDL language. Then, the hardware circuit is simulated with the Xilinx Vivado simulator to determine whether the logic is correct. Finally, the hardware circuit is synthesized, mapped, placed, and routed on the Xilinx Kintex-7 (XC7K325T-2FFG900I). Kintex 7 FPGAs provide our designs with exceptional price/performance/watt at 28 nm while giving high DSP ratios and cost-effective packaging. The Kintex 7 family is ideal for applications including 3G and 4G wireless solutions [57]. The hardware circuit consists of four units, including the hash unit, processing unit, storage unit and control unit, as shown in Fig. 16. The hash unit, employing the SHA3 family, including SHA3-256, SHA3-512, SHAKE-128, and SHAKE-256, is mainly used to generate random numbers and perform hash calculations. The processing unit is mainly used for the critical calculation operations of the protocols. In implementing the improved 5G-AKA protocol, the processing unit contains the Number-Theoretic Transform (NTT) core, the adder, the subtractor, and some peripheral control circuits. In implementing the existing 5G-AKA protocol, the processing unit contains the Elliptic Curve Scalar Multiplication (ECSM) core, the adder, the subtractor, and some peripheral control circuits. The NTT core is mainly used to realize polynomial multiplication on the ring, which occupies most of the computational overhead in the improved 5G-AKA protocol. We use the NTT core in [58] for the hardware implementation. The ECSM core is mainly used to realize the scalar multiplication on ECC. According to the 3GPP standard [8], the 5G-AKA protocol consumes three scalar multiplication operations, which occupy the primary time consumption. We independently designed the ECSM core for the hardware implementation. The storage unit mainly comprises several Block Random Access Memories (BRAMs), which store intermediate values generated while running the protocols. Additionally, we design the control unit to coordinate the hash unit, processing unit, and storage unit.

Fig. 16. Hardware circuit of the protocols.

The implemented results are shown in TABLE VIII. "Frequency" represents the frequency at which the circuit operates. The operating frequency of an FPGA depends on multiple factors, including its architecture, design complexity, circuit path latency, and clock allocation. "Slice" represents the essential logical resources of the FPGA, and the fewer slices used, the fewer resources occupied. "DSP" represents the built-in multiplication computing units of the FPGA, and the fewer DSPs used, the fewer computing resources occupied. "BRAM" represents the storage resources of the FPGA, and the less BRAM used, the less storage resources occupied. The existing 5G-AKA protocol [8] costs 2212 slices, 2 DSPs, and 2.5 BRAMs, and takes about 23.7 ms at the frequency of 200 MHz. The improved 5G-AKA protocol


consumes 2321 slices, 1 DSP, and 12 BRAMs, and takes about 0.123 ms at the frequency of 222 MHz. Thus, the running time of the improved 5G-AKA protocol is far less than that of the existing 5G-AKA protocol, with almost the same resource consumption. The main reason the BRAM used in implementing the improved 5G-AKA protocol is greater than that of the 5G-AKA protocol is that the values related to the CRYSTALS-Kyber algorithm are generally large, requiring more storage resources.

TABLE VIII: Comparison of Implementation

X. CONCLUSION

This paper first proposes an improved 5G-AKA protocol. Using the improved 5G-AKA protocol, the ground UE can securely access the 5G/6G core network through the ground RAN. Then, by slightly modifying the improved 5G-AKA protocol, this paper proposes an authentication scheme for UAV-assisted UEs to access the 5G/6G network. With the proposed scheme, the UAV can first access the 5G/6G core network and then assist the ground UE in continuously obtaining network service. The security analysis shows that the proposed scheme supports these security properties, including mutual authentication, identity anonymity, data security, PFS, and resistance to traceability attack, quantum attack, and protocol attacks. The performance evaluation result shows that the proposed scheme consumes moderate signaling overhead and low computational overhead. Finally, the implementation result shows that the running time of the improved 5G-AKA protocol is far less than that of the existing 5G-AKA protocol, with almost the same resource consumption.

ABBREVIATION

3G Third Generation
3GPP Third Generation Partnership Project
4G Fourth Generation
5G Fifth Generation
6G Sixth Generation
5G-AKA 5G Authentication and Key Agreement
AES Advanced Encryption Standard
AKA Authentication and Key Agreement
BRAM Block Random Access Memories
DDOS Distributed Denial Of Service
DOS Denial Of Service
DSP Digital Signal Processing
DTLS Datagram Transport Layer Security
DY Dolev-Yao
ECC Elliptic Curve Cryptography
ECIES Elliptic Curve Integrated Encryption Scheme
ECSM Elliptic Curve Scalar Multiplication
ESL Ephemeral Secret Leakage
FPGA Field Programmable Gate Array
HDL Hardware Description Language
HECC Hyper Elliptic Curve Cryptography
IKEv2 Internet Key Exchange version 2
LWE Learning With Errors
MITM Man-In-The-Middle
MLWE Module Learning With Errors
NCC Network Control Centre
NIST National Institute of Standards and Technology
NTT Number-Theoretic Transform
PFS Perfect Forward Secrecy
PUF Physical Unclonable Function
RAN Radio Access Network
RLWE Ring Learning With Errors
SUCI SUbscription Concealed Identifier
SUPI SUbscription Permanent Identifier
UAV Unmanned Aircraft Vehicle
UE User Equipment

REFERENCES

[1] "Technical specification group services and system aspects; unmanned aerial system (UAS) support in 3GPP; (Release 17)," 3GPP, Sophia Antipolis, France, Rep. TS 22.125, V17.6.0, 2022.
[2] M. Ibnkahla, Q. M. Rahman, A. I. Sulyman, H. A. Al-Asady, J. Yuan, and A. Safwat, "High-speed satellite mobile communications: technologies and challenges," Proc. IEEE, vol. 92, no. 2, pp. 312–339, Feb. 2004, doi: 10.1109/JPROC.2003.821907.
[3] S. Zhang, Y. Zeng, and R. Zhang, "Cellular-enabled UAV communication: A connectivity-constrained trajectory optimization perspective," IEEE Trans. Commun., vol. 67, no. 3, pp. 2580–2604, Mar. 2019, doi: 10.1109/TCOMM.2018.2880468.
[4] W. Xu, S. Wang, S. Yan, and J. He, "An efficient wideband spectrum sensing algorithm for unmanned aerial vehicle communication networks," IEEE Internet Things J., vol. 6, no. 2, pp. 1768–1780, Apr. 2019, doi: 10.1109/JIOT.2018.2882532.
[5] J. Rodríguez-Piñeiro, Z. Huang, X. Cai, T. Domínguez-Bolaño, and X. Yin, "Geometry-based MPC tracking and modeling algorithm for time-varying UAV channels," IEEE Trans. Wireless Commun., vol. 20, no. 4, pp. 2700–2715, 2021, doi: 10.1109/TWC.2020.3044077.
[6] "Technical specification group services and system aspects; enhancement for unmanned aerial vehicles; stage 1; (Release 17)," 3GPP, Sophia Antipolis, France, Rep. TR 22.829, V17.1.0, 2019.
[7] "Technical specification group services and system aspects; study on security aspects of unmanned aerial systems (UAS); (Release 17)," 3GPP, Sophia Antipolis, France, Rep. TR 33.854, V17.1.0, 2021.
[8] "Technical specification group services and system aspects; security architecture and procedures for 5G system; (Release 18)," 3GPP, Sophia Antipolis, France, Rep. TR 33.501, V18.2.0, 2023.
[9] D. Basin, J. Dreier, L. Hirschi, S. Radomirovic, R. Sasse, and V. Stettler, "A formal analysis of 5G authentication," in Proc. ACM SIGSAC Conf. Comput. Commun. Secur. (CCS), 2018, pp. 1383–1396.
[10] "Technical specification group services and system aspects; procedures for the 5G system (5GS); stage 2; (Release 18)," 3GPP, Sophia Antipolis, France, Rep. TS 23.502, V18.2.0, 2023.
[11] "Technical specification group radio access network; NR; NR and NG-RAN overall description; stage 2; (Release 17)," 3GPP, Sophia Antipolis, France, Rep. TS 38.300, V17.5.0, 2023.
[12] J. Arkko, K. Norrman, M. Näslund, and B. Sahlin, "A USIM compatible 5G AKA protocol with perfect forward secrecy," in Proc. IEEE Trustcom/BigDataSE/ISPA, 2015, pp. 1205–1209, doi: 10.1109/Trustcom.2015.506.


[13] H. Yang, H. Zheng, J. Zhang, Y. Wu, Y. Lee, and Y. Ji, "Blockchain-based trusted authentication in cloud radio over fiber network for 5G," in Proc. 16th Int. Conf. Opt. Commun. Netw. (ICOCN), 2017, pp. 1–3, doi: 10.1109/ICOCN.2017.8121598.
[14] F. Pan, Y. Jiang, H. Wen, R. Liao, and A. Xu, "Physical layer security assisted 5G network security," in Proc. IEEE 86th Veh. Technol. Conf. (VTC), 2017, pp. 1–5, doi: 10.1109/VTCFall.2017.8288343.
[15] F. Pan, H. Wen, H. Song, T. Jie, and L. Wang, "5G security architecture and light weight security authentication," in Proc. IEEE/CIC Int. Conf. Commun. China Workshops (CIC/ICCC), 2015, pp. 94–98, doi: 10.1109/ICCChinaW.2015.7961587.
[16] Y. Aydin, G. K. Kurt, E. Ozdemir, and H. Yanikomeroglu, "Group handover for drone base stations," IEEE Internet Things J., vol. 8, no. 18, pp. 13876–13887, Sep. 2021, doi: 10.1109/JIOT.2021.3068297.
[17] Y. Zhang, D. He, L. Li, and B. Chen, "A lightweight authentication and key agreement scheme for Internet of Drones," Comput. Commun., vol. 154, pp. 455–464, Mar. 2020.
[18] M. Nikooghadam, H. Amintoosi, S. K. H. Islam, and M. F. Moghadam, "A provably secure and lightweight authentication scheme for Internet of Drones for smart city surveillance," J. Syst. Archit., vol. 115, May 2021, Art. no. 101955, doi: 10.1016/j.sysarc.2020.101955.
[19] A. D. E. Berini, M. A. Ferrag, B. Farou, and H. Seridi, "HCALA: Hyperelliptic curve-based anonymous lightweight authentication scheme for Internet of Drones," Pervasive Mobile Comput., vol. 92, May 2023, Art. no. 101798.
[20] C. Pu and Y. Li, "Lightweight authentication protocol for unmanned aerial vehicles using physical unclonable function and chaotic system," in Proc. IEEE Int. Symp. Local Metrop. Area Netw. (LANMAN), 2020, pp. 1–6, doi: 10.1109/LANMAN49260.2020.9153239.
[21] N. Mäurer, T. Gräupl, C. Schmitt, and G. D. Rodosek, "PMAKE: Physical unclonable function-based mutual authentication key exchange scheme for digital aeronautical communications," in Proc. IFIP/IEEE Int. Symp. Integr. Netw. Manage. (IM), 2021, pp. 206–214.
[22] G. Bansal and B. Sikdar, "A secure and efficient mutual authentication protocol framework for unmanned aerial vehicles," in Proc. IEEE Globecom Workshops (GC Wkshps), 2021, pp. 1–6, doi: 10.1109/GCWkshps52748.2021.9682006.
[23] T. Alladi, V. Venkatesh, V. Chamola, and N. Chaturvedi, "Drone-MAP: A novel authentication scheme for drone-assisted 5G networks," in Proc. IEEE Conf. Comput. Commun. Workshops (INFOCOM WKSHPS), 2021, pp. 1–6, doi: 10.1109/INFOCOMWKSHPS51825.2021.9484594.
[24] T. Alladi, V. Chamola, Naren, and N. Kumar, "PARTH: A two-stage lightweight mutual authentication protocol for UAV surveillance networks," Comput. Commun., vol. 160, pp. 81–90, Jul. 2020.
[25] D. Yang, Y. Zhao, K. Wu, X. Guo, and H. Peng, "An efficient authentication scheme based on zero trust for UAV swarm," in Proc. Int. Conf. Netw. Netw. Appl. (NaNA), 2021, pp. 356–360, doi: 10.1109/NaNA53684.2021.00068.
[26] C. Pu, A. Wall, K.-K. R. Choo, I. Ahmed, and S. Lim, "A lightweight and privacy-preserving mutual authentication and key agreement protocol for Internet of Drones environment," IEEE Internet Things J., vol. 9, no. 12, pp. 9918–9933, Jun. 2022, doi: 10.1109/JIOT.2022.3163367.
[27] M. A. Khan et al., "A provable and privacy-preserving authentication scheme for UAV-enabled intelligent transportation systems," IEEE Trans. Ind. Informat., vol. 18, no. 5, pp. 3416–3425, May 2022, doi: 10.1109/TII.2021.3101651.
[28] K. Lounis, S. H. H. Ding, and M. Zulkernine, "D2D-MAP: A drone to drone authentication protocol using physical unclonable functions," IEEE Trans. Veh. Technol., vol. 72, no. 4, pp. 5079–5093, Apr. 2023, doi: 10.1109/TVT.2022.3224611.
[29] S. A. Chaudhry, K. Yahya, M. Karuppiah, R. Kharel, A. K. Bashir, and Y. B. Zikria, "GCACS-IoD: A certificate based generic access control scheme for Internet of Drones," Comput. Netw., vol. 191, May 2021, Art. no. 107999.
[30] T. Alladi, Naren, G. Bansal, V. Chamola, and M. Guizani, "SecAuthUAV: A novel authentication scheme for UAV-ground station and UAV-UAV communication," IEEE Trans. Veh. Technol., vol. 69, no. 12, pp. 15068–15077, Dec. 2020, doi: 10.1109/TVT.2020.3033060.
[31] R. Karmakar, G. Kaddoum, and O. Akhrif, "A PUF and fuzzy extractor-based UAV-ground station and UAV-UAV authentication mechanism with intelligent adaptation of secure sessions," IEEE Trans. Mobile Comput., early access, Jun. 8, 2023, doi: 10.1109/TMC.2023.3284216.
[32] B. Bera, A. K. Das, and A. K. Sutrala, "Private blockchain-based access control mechanism for unauthorized UAV detection and mitigation in Internet of Drones environment," Comput. Commun., vol. 166, pp. 91–109, Jan. 2021.
[33] G. Zheng, H. T. Ma, C. Cheng, and Y.-C. Tu, "Design and logical analysis on the access authentication scheme for satellite mobile communication networks," IET Inf. Secur., vol. 6, no. 1, pp. 6–13, Mar. 2012.
[34] W. Zhao, A. Zhang, J. Li, X. Wu, and Y. Liu, "Analysis and design of an authentication protocol for space information network," in Proc. IEEE Mil. Commun. Conf., 2016, pp. 43–48.
[35] A. D. Jurcut, J. Chen, A. Kalla, M. Liyanage, and J. Murphy, "A novel authentication mechanism for mobile satellite communication systems," in Proc. IEEE Wireless Commun. Netw. Conf. (WCNC) Workshop, 2019, pp. 1–7.
[36] U. Kumar and M. Garg, "Learning with error-based key agreement and authentication scheme for satellite communication," Int. J. Satell. Commun., vol. 40, no. 2, pp. 83–95, 2022.
[37] W. Meng, K. Xue, J. Xu, J. Hong, and N. Yu, "Low-latency authentication against satellite compromising for space information network," in Proc. IEEE 15th Int. Conf. Mobile Ad Hoc Sensor Syst. (MASS), 2018, pp. 237–244.
[38] K. Xue, W. Meng, S. Li, D. S. L. Wei, H. Zhou, and N. Yu, "A secure and efficient access and handover authentication protocol for Internet of Things in space information networks," IEEE Internet Things J., vol. 6, no. 30, pp. 5485–5499, Jun. 2019, doi: 10.1109/JIOT.2019.2902907.
[39] Q. Yang, K. Xue, J. Xu, J. Wang, F. Li, and N. Yu, "AnFRA: Anonymous and fast roaming authentication for space information network," IEEE Trans. Inf. Forensics Security, vol. 14, pp. 486–497, 2019.
[40] J. Guo and Y. Du, "A novel RLWE-based anonymous mutual authentication protocol for space information network," Secur. Commun. Netw., vol. 2020, pp. 1–12, Aug. 2020.
[41] "Technical specification group services and system aspects; study on using satellite access in 5G; stage 1; (Release 16)," 3GPP, Sophia Antipolis, France, Rep. TR 22.822, V16.0.0, 2018.
[42] "Technical specification group radio access network; study on new radio (NR) to support non-terrestrial networks; (Release 15)," 3GPP, Sophia Antipolis, France, Rep. TR 38.811, V15.4.0, 2020.
[43] "Technical specification group radio access network; solutions for NR to support non-terrestrial networks (NTN); (Release 16)," 3GPP, Sophia Antipolis, France, Rep. TR 38.821, V16.0.0, 2023.
[44] D. Dolev and A. C. Yao, "On the security of public key protocols," IEEE Trans. Inf. Theory, vol. 29, no. 2, pp. 198–208, Mar. 1983.
[45] "Technical specification group services and system aspects; 3G security; security architecture; (Release 17)," 3GPP, Sophia Antipolis, France, Rep. TS 33.102, V17.0.0, 2022.
[46] "Report on post-quantum cryptography," U.S. Dept. Commerce, Nat. Inst. Stand. Technol., Gaithersburg, MD, USA, Rep. NISTIR 8105, Oct. 2016. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8105.pdf
[47] R. Avanzi et al., CRYSTALS-Kyber Algorithm Specifications and Supporting Documentation (Version 3.01), Nat. Inst. Stand. Technol., Gaithersburg, MD, USA, Jan. 2021.
[48] Post-Quantum Cryptography, Nat. Inst. Stand. Technol., Gaithersburg, MD, USA, 2022. [Online]. Available: https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022
[49] "Tamarin." GitHub. Accessed: Nov. 2023. [Online]. Available: http://tamarin-prover.github.io/
[50] Tamarin Manual. tamarin-prover.com. Accessed: Aug. 2023. [Online]. Available: https://tamarin-prover.github.io/manual/book/001_introduction.html
[51] C. H. Bennett, E. Bernstein, G. Brassard, and U. Vazirani, "Strengths and weaknesses of quantum computing," SIAM J. Comput., vol. 26, no. 5, pp. 1510–1523, 1997, doi: 10.1137/s0097539796300933.
[52] Special Publication 800-57: Recommendation for Key Management Part 1: General (Revision 5), Nat. Inst. Stand. Technol., Gaithersburg, MD, USA, 2020. [Online]. Available: https://doi.org/10.6028/NIST.SP.800-57pt1r5
[53] S. R. Hussain, M. Echeverria, O. Chowdhury, N. Li, and E. Bertino, "Privacy attacks to the 4G and 5G cellular paging protocols using side channel information," in Proc. 26th Annu. Netw. Distrib. Syst. Secur. Symp. (NDSS), 2019, pp. 1–15.
[54] Q. Wang, D. Wang, C. Cheng, and D. He, "Quantum2FA: Efficient quantum-resistant two-factor authentication scheme for mobile devices," IEEE Trans. Dependable Secure Comput., vol. 20, no. 1, pp. 193–208, Jan./Feb. 2023, doi: 10.1109/TDSC.2021.3129512.
[55] Y. Sun, J. Cao, M. Ma, Y. Zhang, H. Li, and B. Niu, "EAP-DDBA: Efficient anonymity proximity device discovery and batch authentication mechanism for massive D2D communication devices in 3GPP 5G HetNet," IEEE Trans. Dependable Secure Comput., vol. 19, no. 1, pp. 370–387, Jan./Feb. 2022, doi: 10.1109/TDSC.2020.2989784.


Ruhui Ma received the Ph.D. degree in cyber security from Xidian University, Xi'an, Shaanxi, China, in 2020, where she is currently an Associate Professor. Her research interests include wireless communication and LTE/LTE-A/5G/6G networks.

Jin Cao (Member, IEEE) received the B.S. and Ph.D. degrees from Xidian University, Xi'an, Shaanxi, China, in 2008 and 2015, respectively, where he is currently a Professor with the School of Cyber Engineering. His research interests include wireless network security and LTE/LTE-A/5G networks.

Shiyang He received the M.S. degree in telecommunications engineering from Xidian University, Xi'an, Shaanxi, China, in 2016, where he is currently pursuing the Ph.D. degree with the School of Cyber Engineering. His research interests include cryptographic algorithms, hardware speedup, and field-programmable gate array architectures and applications.

Yinghui Zhang received the Ph.D. degree from Xidian University in 2013. He is currently a Professor with the National Engineering Laboratory for Wireless Security, Xi'an University of Posts and Telecommunications, China. His current research includes wireless network security, cloud computing security, access control, and security and privacy in IoT.

Ben Niu received the B.S. degree in information security and the M.S. and Ph.D. degrees in cryptography from Xidian University in 2006, 2010, and 2014, respectively. He is currently working as an Associate Professor with the Institute of Information Engineering, Chinese Academy of Sciences. He was a Visiting Scholar with The Pennsylvania State University from 2011 to 2013. His current research interests include network security and privacy computing.

Hui Li (Member, IEEE) received the B.Sc. degree from Fudan University in 1990, and the M.A.Sc. and Ph.D. degrees from Xidian University, Xi'an, Shaanxi, China, in 1993 and 1998, respectively, where he has been a Professor with the School of Cyber Engineering since June 2005. He is a coauthor of two books. His research interests are in the areas of cryptography, wireless network security, information theory, and network coding. He served as the Technique Committee Co-Chair of ISPEC 2009 and IAS 2009.
