Privacy-preserving location authentication for low-altitude UAVs: A blockchain-based approach

Efficient and trusted regulation of unmanned aerial vehicles (UAVs) is an essential but challenging issue in the future era of the Internet of Low-altitude Intelligence, due to the difficulties in UAVs’ identity recognition and location matching, potential for falsified information reporting, etc. To address this challenging issue, in this paper, we propose a blockchain-based UAV location authentication scheme, which employs a distance bounding protocol to establish a location proof, ensuring the authenticity of UAV positions. To preserve the privacy of UAVs, anonymous certificates and zero-knowledge proof are used. The security of the proposed scheme is analyzed. Experiments demonstrate the efficiency and feasibility of the proposed scheme.


Introduction
Unmanned aerial vehicles (UAVs) offer a variety of benefits, including flexibility, mobility, and extensibility. The mobility of UAVs empowers them to be deployed swiftly and efficiently in intricate terrains. As drone technology continues advancing, it finds increasing applications such as remote sensing, disaster rescue, and surveillance [1,2].
Despite the immense potential of UAVs, a reliable technology that ensures safe communication and regulation of UAVs is still lacking [3]. Firstly, the current cloud-based regulatory frameworks, such as China's UAV Cloud System and the United States' Low Altitude Authorization and Notification Capability (LAANC), are inadequate for managing the upcoming surge in drone operations in low-altitude airspace. The inherent centralized structure of these systems complicates interoperability with other mechanisms, thereby posing significant challenges in fulfilling the diverse requirements of drones in terms of airspace access, communication, and network resources [4]. Furthermore, these centralized cloud services are susceptible to the risks associated with a single point of failure [5]. Secondly, traditional radar-based detection methods encounter significant obstacles in efficiently acquiring flight information from drones, especially within complex low-altitude environments. These challenges stem from the limitations of radar technology in detecting small, agile drones that operate at low altitudes, where environmental factors often impede accurate detection [6].
Security and Safety, Vol. 3, 2024004
The position data of UAVs plays a crucial role in their flight and management. Furnishing location information of UAVs aids government supervision, ensuring adherence to regulations. Sharing the location also enables other airborne devices to grasp airspace conditions, facilitating the development of flight path strategies. In summary, location information guarantees that drones operate within designated regions, preventing unauthorized usage, and significantly enhancing both airspace security and operational efficiency. Given the substantial cost of proactive monitoring for drones, some countries currently require drones to report their location information proactively [7]. However, the current solution heavily relies on third-party signals for self-positioning, creating an opportunity for malicious UAVs to easily alter and report falsified location information. Therefore, a secure and reliable position verification system emerges as a critical component to ensure the safety of UAV flights.
To address the aforementioned issues, this paper utilizes cryptographic position verification, enabling location authentication through identity validation. To enhance the reliability and efficiency of position verification, blockchain technology is incorporated. The immutability inherent in blockchain ensures the audit-worthy integrity of position information [8].
In addition, the integration of blockchain significantly enhances the scalability of location authentication systems and their interoperability with other heterogeneous systems [9]. This enables any validated node to participate in the creation of location proofs (LPs) and earn corresponding rewards. Figure 1 illustrates the process of location authentication using blockchain technology. In particular, the witnesses assist the verifier in validating the drone's location and generating proof. Upon uploading the proof, they can earn incentive rewards through collaborative efforts.
The contributions of this paper can be summarized as follows:
(1) We propose a semi-centralized UAV regulation architecture based on blockchain, where any authenticated peer can conduct location authentication for UAVs using the Distance Bounding Protocol (DB Protocol). The resulting location proof is transmitted to the Verifier through the blockchain. The decentralized and tamper-proof characteristics of blockchain ensure the efficiency and trustworthiness of the entire process.
(2) We design an efficient and privacy-preserving location authentication mechanism. By leveraging the capabilities of short randomizable signatures and zero-knowledge proofs, UAVs can achieve anonymous authentication with just a few communication rounds. This approach ensures the protection of UAV privacy while maintaining the efficiency of the authentication process.
(3) We conduct a detailed theoretical analysis of our authentication mechanism. Meanwhile, comparative experiments have demonstrated the superiority of the proposed scheme.
The remainder of this paper is organized as follows. Section 2 introduces the relevant work in this field. Section 3 presents the system architecture and security model. The key technologies used in this paper are introduced in Section 4. The authentication details are shown in Section 5. Security analysis is discussed in Section 6. In Section 7, simulation results are presented, and the performance is also discussed. Finally, conclusions are provided in Section 8.

Related work
Depending on the system architecture, location-proof systems are classified into two categories: centralized and distributed systems [10]. In a centralized solution, a trusted and fixed wireless infrastructure, often a WiFi access point, is employed to verify the proximity of mobile users and generate proof of their location. Saroiu and Wolman [11] proposed using communication infrastructure (cell tower or WiFi access point) to generate location proofs for devices. Each device would be identified with a public key to guarantee the device's identity is unforgeable. Javali et al. [12] used channel state information (CSI) to verify the location information of mobile users and employed fuzzy vault for feature matching to complete location verification. Yi et al. [13] rely on WiFi and cellular networks to provide location proofs for privacy protection. The validator can verify the location without needing to know the exact coordinates of the user. Chen et al. [14] introduced a scheme to ensure the security of continuous position data, focusing on integrity and source verification. In their approach, the acceleration sensor is utilized to continuously capture acceleration data throughout the user's movement, generating proof of position.
Conversely, distributed schemes involve the generation of location proof by nearby user devices. Gambs introduces PROPS [15], a privacy-preserving location-proof system that uses neighboring nodes as witnesses to generate location proofs. However, PROPS cannot resist P-W collusions. STAMP [16] proposed an entropy-based trust model to guard users from P-W collusion and utilizes commitment to offer fine-grained location privacy control for users. Davis et al. [17] proposed a location-proof scheme for privacy protection, wherein the user and the proving party sign their personal ID, geographical location, and other contextual information, generating a digest to serve as proof. However, this scheme fails to address the issue of collusion between the user and the witness. PASPORT [10] is another distributed location-proof generation system. In PASPORT, the author introduced and modified TREAD [18], a lightweight DB protocol, to protect user privacy during the location-proof process.
In order to provide a higher level of system security, some location-proof schemes have introduced blockchain technology. In Amoretti's scheme [19], the user collects proof of location from its neighbors through blockchain networks. Wu et al. [20] used zk-SNARK (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) to design the zk-PoL protocol, where the user requests a location certificate from the nearby AP, and generates location proof as needed. Certificate digest and service records are recorded on the chain to prevent users from abusing location proof. In addition, blockchain can be used to motivate other users to participate in the authentication process. Nosouhi et al. [21] achieve blockchain construction and motivation through a Bitcoin-like approach. Any device participating in location authentication or blockchain mining can receive incentives. Yu et al. [22] employ zk-SNARK to establish a blockchain-based location-proof system with privacy protection. However, the proposed method does not prevent collusion between the prover and witnesses.
In centralized schemes, the nodes responsible for generating location proofs are typically assumed to be trustworthy. However, the reliability of these nodes relies on the proper functioning of a substantial number of wireless access points. Compared to communication infrastructure-based solutions, a distributed scheme relies on nearby user equipment to generate location proof and has lower costs. However, a dishonest witness may collude with a distant malicious prover and issue a fake location proof for them, which is called Prover-Witness (P-W) collusion.

System model
In this section, we present the system composition of the proposed scheme, including various roles and system assumptions, as well as security models, to comprehensively demonstrate the advantages of the proposed architecture.

System architecture
As discussed earlier, distributed solutions may encounter P-W collusion, which is deemed unacceptable in regulatory scenarios. On the other hand, centralized solutions require collaboration with communication infrastructure and face interoperability issues with heterogeneous systems. To tackle this challenge, a semi-centralized system based on blockchain is introduced, as shown in Figure 2. In our scheme, a certification authority (CA) issues authentication certificates to UAVs. These certificates include trusted peer parameters and UAV identity information. With the certificate, the UAV can initiate location authentication with the perception peers. The generated location proof can be involved in the consensus process by perception peers to create blocks and obtain incentives. Verifiers can then use the on-chain position proof to confirm the UAV's location. The specific descriptions of different roles are as follows:
(1) UAV (unmanned aerial vehicle): UAVs are bound by regulatory constraints that mandate them to report their location. However, they also prioritize their privacy and security concerns. To balance these conflicting requirements, UAVs can employ cryptographic techniques and secure communication protocols to protect their location data.
(2) CA (certificate authority): CA is responsible for issuing anonymous certificates to UAVs and managing trusted perception nodes. It is considered a trusted authority in this article.
(3) TP (trusted peers): TP refers to perception nodes that communicate with UAVs to verify positions and generate position proof (LP). They can be any device licensed by CA. Typically, they are ground stations like access points (AP) or base stations (BS).
(4) Verifier: The verifier may be a regulatory agency or a location-based service provider (LBSP) [23]. Therefore, it needs to obtain the true location information of the drone. The verifier can obtain the position proof generated by TP on the chain.
(5) Blockchain: To solve the problem of centralized architecture, blockchain is introduced in our system to provide a secure channel for trusted data interaction. As a distributed and immutable ledger, blockchain integrates multiple stakeholders to achieve distributed authentication of UAVs.

Security model and design goals
Before introducing the details of our scheme, it is important to discuss the security model and our design goals.
CA is trustworthy and will carefully review the registration requests of UAVs and TPs to verify the legitimacy of their identities. Malicious UAVs may impersonate a legitimate identity or generate fake LPs to evade regulation. UAV users are rational. Therefore, they will not share their private keys with others. TP is semi-trustworthy and will not collude with UAVs to generate fake LPs, as they have all been reviewed by CA. However, they are curious and will try to obtain the identity information of UAVs.
As mentioned above, all parties involved in the system have different requirements, especially how to solve the contradictions between data security, privacy, efficiency, and system scalability. Our design goals can be summarized as follows:
Security: (1) Without the knowledge of corresponding keys, an adversary cannot impersonate UAV or TP; (2) UAVs are unable to generate counterfeit proofs with any untrusted nodes, nor can they falsely claim the ownership of legitimate proofs from other UAVs [16].
Privacy: UAVs can hide their identity during the authentication and LP generation process. Adversaries are unable to extract any information from these aforementioned processes.
Availability and scalability: The system aims to draw a maximum number of perception nodes into participating in location authentication tasks, all while upholding security measures. Additionally, the system is designed to withstand DDoS and other attacks without encountering vulnerabilities associated with single points of failure.

Building blocks

Zero-knowledge proof
The zero-knowledge protocol [24] (ZKP) enables the prover to convince the verifier that a statement is true without exposing any information about the secret. A ZKP protocol can be written as [25]:
where $(\alpha, \beta) \in \mathbb{Z}_p^2$ are secrets, $U \in G_1$ denotes a mathematical statement and $(g, h) \in G_1^2$ are public parameters.
An interactive ZKP protocol can be transformed into a non-interactive ZKP protocol using the Fiat-Shamir heuristic [26]. This conversion helps to reduce communication rounds and overhead in the protocol.
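The Fiat-Shamir transformation for a proof of knowledge of $(\alpha, \beta)$, as an added example that is not code from the paper. It assumes the statement has the form $U = g^\alpha h^\beta$ (the relation itself is not shown on this page) and uses a constructed toy group (P = 2039, Q = 1019) in place of the pairing group $G_1$; the `context` argument is a hypothetical binding to session data.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: P = 2Q + 1 is a safe
# prime and G, H are squares mod P, so both generate the subgroup of prime
# order Q. In a real deployment nobody may know log_G(H).
P, Q = 2039, 1019
G, H = 4, 9


def challenge(U: int, T: int, context: bytes) -> int:
    """Fiat-Shamir: derive the verifier's challenge by hashing the public
    parameters, the statement U, the commitment T and the session context."""
    transcript = b"|".join(str(v).encode() for v in (P, Q, G, H, U, T))
    digest = hashlib.sha256(transcript + b"|" + context).digest()
    return int.from_bytes(digest, "big")


def statement(alpha: int, beta: int) -> int:
    """Assumed relation: U = g^alpha * h^beta."""
    return pow(G, alpha, P) * pow(H, beta, P) % P


def prove(alpha: int, beta: int, context: bytes = b""):
    """Return (U, proof); proof = (c, s1, s2) shows knowledge of alpha, beta."""
    U = statement(alpha, beta)
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)  # fresh nonces per proof
    T = pow(G, a, P) * pow(H, b, P) % P                # prover's commitment
    c = challenge(U, T, context)
    return U, (c, (a + c * alpha) % Q, (b + c * beta) % Q)


def verify(U: int, proof, context: bytes = b"") -> bool:
    c, s1, s2 = proof
    # Reject statements outside the order-Q subgroup.
    if not (0 < U < P and pow(U, Q, P) == 1):
        return False
    # Rebuild the commitment T = g^s1 * h^s2 * U^(-c), then re-derive the
    # challenge; the proof is valid only if the two challenges agree.
    T = pow(G, s1, P) * pow(H, s2, P) * pow(U, (-c) % Q, P) % P
    return c == challenge(U, T, context)
```

Binding the challenge to a session context means a proof captured in one session does not verify in another.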

RPS Signature
PS signature was proposed by Pointcheval and Sanders [27]. The PS signature scheme supports signing a set of messages or commitments, but the generated signature only contains a fixed number of elements. At the same time, it supports signature randomization and has advantages such as efficiency and privacy. PS signature is also redactable [28]: given a set of messages $M = (m_1, m_2, \ldots, m_n) \in \mathbb{Z}_p^n$ and the corresponding PS signature $\sigma$, it is easy to derive a valid signature of a subset of $M$. The RPS signature includes the following algorithms:
(1) Keygen($1^k$, $n$): Set $1^k$ as the security parameter and $n$ as the number of keys, choose two random numbers $(x, y) \in \mathbb{Z}_p^2$ as a pair of secret keys, the public keys are denoted as ( X, ), the formulas are:
(2) Sign($sk$, $M$): Given the message set $M$ and a random number $r \in \mathbb{Z}_p$, the signature $\sigma = (\sigma_1, \sigma_2)$ can be computed as:
(3) Derive($pk$, $\sigma$, $M$, $I$): If the signature owner wants to derive the signature on $I$ ($I \subset M$), choose two random numbers $(r_1, r_2) \in \mathbb{Z}_p^2$, and compute as:
So the derived signature can be denoted as $\sigma = (\sigma_1, \sigma_2, \sigma_3, \sigma)$.
(4) Verify($pk$, $\sigma$, $I$): On input the public key $pk$, message $I$ and the corresponding derived signature $\sigma$, the verifier can validate as follows:
where $c_i = H(\sigma_1 \| \sigma_2 \| \sigma \| S \| i)$. If the above equation holds, return 1; otherwise return 0.

Distance bounding protocol
To ensure the authenticity of the drone's location, the distance bounding protocol [29] is chosen for UAVs' location authentication. The DB protocol calculates the distance based on the round trip time (RTT) between the challenge and the response. The prover, which is the UAV in this case, must efficiently compute and respond with its secret parameters along with the challenge sent by the verifier, which is called fast bit exchange.
To address the various security challenges, there are multiple variants of the DB Protocol [30][31][32]. One of the most significant challenges is the terrorist fraud (TF) attack [33], in which dishonest provers and malicious colluders collaborate to create false proofs to deceive verifiers. In response to this, we have selected TREAD [18] as our location-proof protocol. TREAD prevents TF attacks based on a reasonable assumption: if a malicious prover gives this information to his accomplice, the accomplice can then adapt and successfully replay the information received during a new session. And this is something that a rational witness cannot allow to happen.
5 Proposed privacy-preserving location authentication scheme

System initialization
In this phase, the CA defines the authentication policy and publishes the public parameters in the blockchain.
Specifically, CA selects a security parameter $\lambda$, and chooses a set of three cyclic groups $G_1$, $G_2$, and $G_3$ of order $p$ with a type III bilinear mapping that satisfies $e : G_1 \times G_2 \to G_T$. Then, CA sets generators as $(g, g) \in G_1 \times G_2$. Then, CA randomly chooses $(x, y) \in \mathbb{Z}_p^2$ as the system secret keys, and computes the public keys as equation (2). Finally, CA publishes parameters as follows:
Any legitimate communication facility can register with CA as a location authentication node, referred to as a trusted peer (TP) in this article. Taking $TP_i$ as an example, CA assigns the corresponding RPS public key $(Y_i, \tilde{Y}_i)$ to $TP_i$ and adds it to the trusted peer set $S_N = \{TP_i\}$, $i = 1, \ldots, n$. In addition, TP also holds encryption keys $(sk_i, pk_i)$, corresponding to the encryption algorithms $\mathrm{Enc}_{pk}(pt)$ and $\mathrm{Dec}_{sk}(ct)$.

Credential Issuance
The UAV $u$ chooses a random number $sk_u \in \mathbb{Z}_p$ and computes:
Then, the UAV $u$ sends its $(\pi_u, U)$ and identity information to CA. After CA receives the information, it verifies the validity of $U$ according to $\pi_u$. If it passes the check, CA chooses a random number $r_u \in \mathbb{Z}_p$ and computes:
CA combines the signature into the credential $Cred_u = (\sigma_1, \sigma_2)$. CA stores $Cred_u$ and $U$ locally. Besides, CA sends the list of TPs and corresponding public keys to the UAV $u$.
After receiving $Cred_u$, UAV $u$ can verify its validity through the following formula:

LP request
During the UAV flight, the verifier needs to obtain proof of the UAV's position. The verifier generates a random number $seed \in \mathbb{Z}_p$ and applies a hash chain to calculate:
where $T$ is the maximum number of available times for this request. The verifier constructs $tx$ and uploads it on chain:
$tx = (X, h_T, TS, \mathrm{Sign}_{sk_v})$. (13)
Meanwhile, the verifier sends $seed$ to the UAV $u$. If any TP completes the LP upload of the UAV, the verifier can obtain relevant information by itself from the chain without the need for secondary interaction with the UAV.
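How a hash chain can bound and order a UAV's authentications against the on-chain anchor, as an added example that is not taken from the paper. Because the chain equations are missing from this page, it assumes SHA-256 as the hash, the anchor $h_T = H^T(seed)$, and $H^{T-t}(seed)$ as the token for the $t$-th request; `AnchorRecord` and `linkable` are hypothetical names.

```python
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def iterate(value: bytes, n: int) -> bytes:
    """Apply H to value n times."""
    for _ in range(n):
        value = H(value)
    return value


def new_request(T: int):
    """Verifier: pick a secret seed and the public anchor h_T = H^T(seed)."""
    seed = secrets.token_bytes(32)
    return seed, iterate(seed, T)


def token_for(seed: bytes, T: int, t: int) -> bytes:
    """UAV: token for the t-th authentication (assumed indexing H^(T-t)(seed)).
    Tokens are released from the anchor backwards, so seeing one token does
    not let an observer compute the next one."""
    if not 1 <= t <= T:
        raise ValueError("request budget exhausted")
    return iterate(seed, T - t)


class AnchorRecord:
    """On-chain state for one LP request: the anchor, then the latest token."""

    def __init__(self, anchor: bytes, T: int):
        self.latest, self.T, self.used = anchor, T, 0

    def accept(self, token: bytes):
        """Return the token's index t if it is fresh and on the chain, else None."""
        value = token
        for step in range(1, self.T - self.used + 1):
            value = H(value)
            if value == self.latest:
                self.used += step
                self.latest = token
                return self.used
        return None  # replayed, stale, off-chain or over budget


def linkable(a: bytes, b: bytes, T: int) -> bool:
    """Any observer can test whether two tokens sit on the same chain."""
    return any(iterate(x, n) == y
               for x, y in ((a, b), (b, a)) for n in range(1, T + 1))
```

`linkable` needs no secret, so location proofs that carry tokens from one chain can be correlated with each other even though the credential presentations themselves are randomized.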

Anonymous authentication
Figure 3 shows the workflow of location authentication during the UAV flight. The UAV $u$ initiates anonymous location authentication to $TP_i$, assuming this is the $t$-th location authentication request from the UAV. The UAV $u$ selects random numbers $r_d, t_d \in \mathbb{Z}_p^2$ and calculates:
where
The derived signature is denoted as $cred_u = (\sigma_1, \sigma_2, \sigma_3, \sigma)$. To prove that $cred_u$ belongs to itself, UAV $u$ computes:
Specifically, UAV $u$ randomly generates $a \in \mathbb{Z}_p$ and $l$-bit random numbers $\alpha, \beta \leftarrow \{0, 1\}^l$, then calculates:
Finally, the UAV lets $\pi_{cred} = (c, s)$, $m = (cred_u, \pi_{cred}, \alpha, \beta, h_t)$, and encrypts and sends it to $TP_i$:
$TP_i$ uses $\mathrm{Dec}_{sk_{TP_i}}(m)$ to decrypt the ciphertext and obtain $m$, and verifies $cred_u$ as follows:
If the above equation holds, $TP_i$ computes:
Check if it satisfies the equation:
If all verifications pass, $TP_i$ performs location authentication for the UAV.

LP generation and verify
$TP_i$ starts the fast bit exchange by generating an $l$-bit random number $\gamma \leftarrow \{0, 1\}^l$, signs it, and sends it to the UAV: $Param = (\gamma, \mathrm{Sign}_{sk_{TP_i}})$.
The UAV verifies the signature by $\mathrm{Verify}_{pk_{TP_i}}(\gamma)$, computes $\delta = \beta \oplus \gamma$, then notifies $TP_i$ of readiness. $TP_i$ sends a random challenge bit $b_k$ at stage $k$ ($k = 1, \ldots, l$) and starts timing.
After receiving the challenge bit, the UAV replies quickly as:
On getting the response $r_k$, $TP_i$ records the receive time and computes the time difference, denoted $\Delta t_k$. After $l$ rounds of interaction, $TP_i$ checks if the response bits satisfy:
$TP_i$ calculates the upper bound of the distance between both parties using the following formula:
where $c$ is the speed of light and $t_0$ is the calculation delay of the UAV.
It should be noted that, depending on actual requirements, two types of location proofs can be provided for drones. The first is the proof of existence, meaning that if $\Delta t_k$ is short enough, it is inferred that the drone is in proximity to $TP_i$. The second is numerical proof, wherein the actual distance $d_{max}$ between $TP_i$ and the drone is computed using the time $\Delta t_k$ spent on bit exchange. Additionally, the distances calculated from multiple witnesses at various positions can be leveraged to determine the precise location of the drone through localization algorithms [34].
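The fast bit exchange and both kinds of location proof, simulated as an added example that is not the paper's code. The response rule and the bound formula are missing from this page, so the example assumes a TREAD-style response ($r_k = \alpha_k$ when $b_k = 0$, $\delta_k$ otherwise) and the usual round-trip bound $d_{max} = c(\max_k \Delta t_k - t_0)/2$; the timings are constructed, not measured, and all function names are hypothetical.

```python
import secrets

C = 299_792_458.0  # speed of light in m/s


def random_bits(l):
    return [secrets.randbits(1) for _ in range(l)]


def uav_respond(alpha, delta, k, b):
    """Assumed TREAD-style rule: one table lookup, no cryptography in the loop."""
    return alpha[k] if b == 0 else delta[k]


def guessing_responder(alpha, delta, k, b):
    """A party that holds neither alpha nor delta can only guess each bit."""
    return secrets.randbits(1)


def fast_bit_exchange(alpha, beta, gamma, distance_m, t0, respond=uav_respond):
    """Simulate l rounds; return (challenges, responses, round-trip times).
    Each constructed round-trip time is the propagation delay both ways
    plus the prover's processing delay t0."""
    delta = [x ^ y for x, y in zip(beta, gamma)]
    challenges = random_bits(len(alpha))
    responses = [respond(alpha, delta, k, b) for k, b in enumerate(challenges)]
    rtts = [2 * distance_m / C + t0 for _ in challenges]
    return challenges, responses, rtts


def tp_check(alpha, beta, gamma, challenges, responses, rtts, t0, max_range_m):
    """TP side: return (accepted, d_max); d_max is None if any bit is wrong.
    accepted is the proof of existence, d_max the numerical proof."""
    delta = [x ^ y for x, y in zip(beta, gamma)]
    for k, (b, r) in enumerate(zip(challenges, responses)):
        if r != (alpha[k] if b == 0 else delta[k]):
            return False, None
    # The slowest round bounds the distance. t0 must be a value the TP fixes:
    # every nanosecond of over-claimed delay shortens the bound by about 15 cm.
    d_max = C * (max(rtts) - t0) / 2
    return d_max <= max_range_m, d_max
```

A prover farther away than `max_range_m` cannot pass the existence check by answering correctly, because the propagation delay alone pushes `d_max` over the limit.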
Here, we use proof of existence to illustrate the proposed mechanism. If the calculated result is within the allowable range, $TP_i$ generates LP and sends it to the UAV, where Loc is the actual location information of $TP_i$: $LP = (Loc, TS, \mathrm{Sign}_{sk_{TP_i}})$.
The UAV generates signature $\pi_{LP} = (c_{LP}, s_{LP})$ for LP and sends it back to $TP_i$:
$TP_i$ constructs $tx_{LP}$ and uploads it on chain:
If $cred_u$ is legal and $h_t$ meets the:
The proof will be successfully recorded on the chain, and $TP_i$ receives corresponding rewards. After $tx_{LP}$ is uploaded to the chain, the verifier uses $\mathrm{Verify}_{pk_{TP_i}}(Loc, TS)$ to verify the signature of $TP_i$. Then, the verifier checks $\pi_{LP}$ by
$e(\sigma_3, g) = e(Y_{n+1-i}^{c_i}, \sigma)$, $e(\sigma_1, \sigma X) = e(\sigma_2, g)$.
If it holds, the verifier computes:
Finally, the verifier checks whether it satisfies:
If all the aforementioned checks are successfully passed, it indicates that the location proof of the UAV has been accepted by the verifier.

Security analysis
In this section, we analyze the security performance and other features of the proposed location authentication scheme.
Security: The authentication security of UAV is based on RPS Signature [28] and ZKP protocol. Without the system master key, an adversary cannot issue any fake certificates unless it can break the unforgeability of the RPS signature. In the authentication process, the UAV employs a knowledge signature to demonstrate its knowledge of the certificate. As a rational user, he never shares keys, which prevents an adversary from impersonating his identity. In addition, the UAV obtains the public key of TP from CA and uses ECC to initiate a location authentication request [35,36]. Only TP holding the private key can decrypt it. Both the UAV and TP will sign on the LP to ensure that it will not be impersonated by others.
Privacy: The RPS Signature achieves unlinkability between signatures through the incorporation of two random elements. However, aiming to enhance efficiency, the proposed scheme utilizes hash chain technology. This permits others to correlate Location Proofs on the chain through the relation of hash chain parameters. Despite this, UAVs retain their anonymity as they claim the knowledge of certificates via non-interactive zero-knowledge proofs.
Availability and scalability: We ensure the scalability and availability of the entire system by introducing blockchain technology. The distributed architecture of blockchain guarantees the absence of single points of failure, and the malfunction of an individual blockchain node will not disrupt the overall system operation. The Certificate Authority is not singular within this system. UAVs possess the flexibility to select suitable CAs and perception nodes for authentication based on specific requirements. The blockchain records location proofs in an immutable manner, assuring regulatory effectiveness over drones. Furthermore, similar to the utilization of blockchain in Bitcoin and Ethereum [37,38], verifiers can utilize digital currency as an incentive to encourage perception nodes to engage in the authentication process.
7 Performance evaluation

Theoretical analysis
The DB protocol has been extensively discussed in many papers [39][40][41], so the theoretical analysis stage mainly discusses the performance of the Credential issue, Anonymous authentication, and LP generation and verify.
Considering the marginal effects, we only consider the exponentiation operation and pairing operation costs of group elements. We represent the exponentiation operation and pairing operation on
As shown in Table 1, although the computational cost of the UAV in verifying certificate validity (equation (11)) and exporting sub-certificates (equation (14)) is related to the total number $n$, it can be observed that the UAV only needs to calculate this once: equation (14) can be transformed as $\sigma_i$, and each time the credential is presented, the UAV only needs to perform two additional exponentiation operations to obtain it.
Table 2 shows the communication costs of UAVs.In LP generation and verify, we consider the fast bit exchange of the DB protocol as the number of communication rounds per session.

Experimental analysis
We deployed the experiment on a personal computer equipped with an 11th Gen Intel(R) Core(TM) i7-11700F @ 2.50 GHz CPU and 16 GB of memory. All experiments were carried out on a VMware Workstation 15 Pro virtual machine with 4 GB of memory, with the virtual machine running Ubuntu 18.04 LTS. The RPS signature algorithm is implemented based on the Go PBC library, with Go version 1.18. Other encryption uses the secp256r1 elliptic curve, the SHA-256 hash function, and AES.
Figure 4 shows the time cost for different numbers of trusted peers and different stages. The Credential Issue is performed by CA, the Credential Show includes the certificate export and zero-knowledge proof generation of the UAV, and the Credential Verify is completed by TP. From the data in Figure 4, it can be seen that the time cost of Credential Issuance is almost unaffected by the Peer Number. In fact, the time cost of Credential Issuance is only maintained at around 1.5 ms. Because Peer Number mainly affects the number of summation operations on the domain, this operation has a smaller demand for computational performance. The time cost of Credential Show increases rapidly with the increase of Peer Number, as the increase in Peer Number results in multiplication operations on the domain, but it only consumes 200 ms at 500 peers. Similarly, the time for Credential Verify is also fixed, maintained at around 60 ms.
Communication overhead is an important factor for drones. We analyzed and compared it with STAMP [16] and BCSLPV [21]. Figure 5 shows the communication overhead under different key sizes. The compared articles used RSA encryption, and we correspondingly set elliptic curve parameters with the same security strength. Our scheme has communication costs of 1064 bytes, 1210 bytes, and 1283 bytes under different strength keys, respectively. It can be seen that the communication overhead of this scheme is much lower than that of STAMP and BCSLPV.

Conclusion
In this paper, we propose a blockchain-based UAV location authentication scheme. The utilization of blockchain technology provides scalability for the entire system. The distance bounding protocol was utilized to generate reliable location proofs of UAVs. Additionally, short randomizable signatures and zero-knowledge proof are introduced to preserve the privacy of UAVs. Security analysis and experiments have shown that our solution can provide efficient and safe position regulation for UAVs.
In future research, we aim to investigate identity authentication and data interaction between UAVs and heterogeneous devices, to maximize the effectiveness of UAVs. By exploring these areas, we anticipate enhancing the capabilities of UAVs and enabling seamless communication and collaboration with various devices, ultimately improving their overall performance and efficiency.

Figure 1. An illustration of UAV location proof

Figure 2. System model of UAV location verification system

Figure 3. Workflow of location authentication
respectively, using Dec and Enc to represent elliptic curve encryption and decryption. Symbols $|Z_r|$, $|G_1|$, $|G_2|$ denote the size of corresponding group elements. $|H|$, $|l|$, and $|Sign|$ represent hash computation, distance bounding challenge, and elliptic curve signature size, respectively.

Figure 4. The time cost of different authentication operations under different peer numbers