UAV-Undertaker: Securely Verifiable Remote Erasure Scheme ...downloads.hindawi.com/journals/wcmc/2019/8913910.pdf · ResearchArticle UAV-Undertaker: Securely Verifiable Remote Erasure

Research ArticleUAV-Undertaker Securely Verifiable RemoteErasure Scheme with a Countdown-Concept for UAV viaRandomized Data Synchronization

Sieun Kim 1 Taek-Young Youn 2 Daeseon Choi 3 and Ki-Woong Park 4

1 SysCore Lab Sejong University Seoul Republic of Korea2Electronics and Telecommunications Research Institute Deajeon Republic of Korea3Dept of Medical Information Kongju National University Kongju Republic of Korea4Dept of Computer and Information Security Sejong University Seoul Republic of Korea

Correspondence should be addressed to Ki-Woong Park woongbaksejongackr

Received 31 January 2019 Revised 28 March 2019 Accepted 22 April 2019 Published 16 May 2019

Academic Editor Ilsun You

Copyright copy 2019 Sieun Kim et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Unmanned aerial vehicles (UAVs) play an increasingly core role in modern warfare with powerful but tiny embedded computingsystems actively applied in the military field Confidential data such as military secrets may be stored inside military devices suchas UAVs and the capture or loss of such data could cause significant damage to national security Therefore the developmentof securely verifiable remote erasure techniques for military devices is considered a core technology In this study we devised averifiable remote erasure scheme with a countdown-concept using randomized data synchronization to satisfy securely verifiableremote erasure technology The scheme allows the GCS (Ground Control Station) to remotely erase data stored in the UAV evenon loss of communication and returns proof of erasure to GCS after erasure Our approach classifies the accumulated data storedin the UAV as a new data type and applies the characteristics of that data type to generate the proof of erasure We select a small-volume data sample (rather than all of the data) and perform prior learning only on that sample in this way we can obtain theprobative power of the evidence of erasure with a relatively small amount of traffic When we want to erase data of 100 Mbytes ofremote device 100 Mbytes of data transfer is required for related work whereas our system has data transfer according to the ratioof amount of randomly selected data By doing this communication stability can be acquired even in unstable communicationsituations where the maximum traffic can change or not be predicted Furthermore when the UAV sends the proof of erasure tothe GCS the UAV does its best to perform the erasure operation given its situation

1 Introduction

In 2011 the USmilitary lost control of an American LockheedMartin RQ-170 Sentinel unmanned aerial vehicle (UAV)during amission over AfghanistanTheUAVwas captured byIranian forces [1] which successfully extracted informationreleased a video obtained from the captured UAV andsubsequently constructed a copy of the RQ-170 the Saegheh[2] As demonstrated by this episode the theft of militaryUAVs causes significant damage including the loss of secretdata such as collected information [3] Consequently it isindispensable to assure the security of the UAV [4ndash6]

Erasing data as needed can safeguard confidential infor-mation stored on remote devices Generally if a user sendsan erasure request the remote device receives it and performsthe erasure However UAVs remotely performing a missioncannot always receive the signal [7ndash9] As such techniquesare needed to completely erase the data stored in remoteUAVs following a loss

Recognition that sensitive information has been leaked(ie the erasure process has not been performed) is criticaland so confirmation of erasure must be performed in averifiable manner (verifiable erasure) Verifying the result ofthe erasure operation as 1-bit response has low reliability [10]

HindawiWireless Communications and Mobile ComputingVolume 2019 Article ID 8913910 11 pageshttpsdoiorg10115520198913910

2 Wireless Communications and Mobile Computing

Blocking Erasure Request

GCSUAV Attacker

Unverifiable Erasure

GCSAttacker

UAV

Performing Erasure Despite Loss of Control and Sending Proof of Erasure

Proof of

Erasure GCSUAV Attacker

GCS

Attack

Attacker

eraseresponse

GCS

Erasure Request

Erasure Request

False Result

(a) (b)

(e)

(d)

(c)

response

erase

receive

Figure 1Three situations faced by unmanned aerial vehicles (UAVs) after attack or capture (a)UAVon a flightmission (b)UAVs performinga flight mission is captured by an attacker (c) receiving unverifiable result of erasure (d) blocked erasure requests by attackers and (e)performing erasure operation and transmitting proof of erasure following capture

Obvious proof of erasure must be presented and there mustbe nomechanism by whichmalicious users can generate falseevidence

Figure 1 indicates three situations that UAVsmay be facedwith after attack or capture In conventional remote erasuresystems [11 12] a Ground Control Station (GCS that isthe control center that provides human control of UAVs)can erase data by sending an erasure signal to a lost UAVHowever when communication is cut conventional remoteerasure is not available We devised counter-based erasurewhich can erase data in an uncontrollable environment Thisstudy is an extension of our previous work [13 14] in whichwe focused on the system design of trustworthy remoteerasure for UAVs However our objective here was to devisea mechanism to select random seed data using accumulateddata and develop a method for trustworthy remote erasureThe devised scheme has a count value which decrementsvalue one by one and erases data when the counter valuereaches zero The GCS can retain stored data only throughperiodically sending the specific value to the UAV If the GCSdoes not send the specific value to the remote UAV and thecounter reaches zero the UAV erases the data In terms ofverification most existing mechanisms provide nothing oronly a simple response (erase or not erase) Our remote era-sure system provides relatively complex but verifiable proofof erasure through randomized data synchronization Upona process of erasure of data the remote UAV continuously

generates a proof of erasure until the UAV is completelystopped this proof is repeatedly sent to the GCS The GCSchecks that the proof has been received and verifies thatremote data are erased

The remainder of this paper is organized as followsSection 2 reviews the related works of verifiable remote dataerasure Section 3 describes the materials and gives detailsof our mechanism UAV-Undertaker Section 4 describes twoexperiment results about overhead in terms of communi-cation and computation This paper ends in Section 5 withconclusion on our work

2 Related Works

To resolve problem of erasure of remotely stored data withverifiability the researchers have devised approaches whichgenerate a provable value of erasure operation We analyzedseveral of them and identified the limiting factors in applyinga verifiable erasure for UAVs

Perito and Tsudik [15] use a PoSE (Proof of SecureErasure) for secure code updates on embedded devices byverifying the erasure of memory A verifier sends verifier-selected randomness of the size of memory to a prover andthe proverrsquos memory is filled with the received value Theprover returns the very same randomness written on thememory to the verifier As both the verifier and the proversend a random value of memory size to each other this

Wireless Communications and Mobile Computing 3

UpdateIdle

If receive msg

Performed per interval

Aer sending

msg Send Msg

Authenti-cation

FailSuccess

Verify Proof

ReceiveProof

If receive proof

Aer receiving

proof

Aer update

GCS

Communication Protocol Erasure Protocol

Aer di

(a) (b)

Figure 2 Overall process of the proposed remote erasure system (a) Unmanned aerial vehicle (UAV)-Undertaker from the Ground ControlStation (GCS) viewpoint (b) UAV-Undertaker from the UAV viewpoint If the count value becomes zero the UAV erases data and repeatedlysends the proof of erasure to the user (ie the GCS)

protocol has a huge overhead concerning communicationIn our system as shown in Figure 9 of Section 4 when asmall amount of data (ie 120572 =2) is selected as a seed andtransmitted the instantaneous amount of transferred data issignificantly lower than when live tracking all data (ie 120572=100) In other words our system shares the burden of therequired data transfer amount to verify the erasure operationTherefore our system can significantly reduce instantaneousamount of transferred data which is a limitation of theabove study Dziembowski et al [16] proposed a scheme thatreduces the communication complexity of PoSE A verifiersends a seed to a proverThe prover performs a hash functionusing the seed and retains the sizable result value using allof the proverrsquos memory The calculated hash value can onlybe generated once because it uses a secret key stored inthe memory and so it can be proof of erasure Howeverwhile this scheme reduces the communication overhead ofPoSE a huge calculative overhead arises Ammar et al [17]introduced SPEED which guarantees erasure on embeddedsystem The protocol is implemented in isolated memoryusing the Trusted Software Module A verifierrsquos distance ismeasured by the Distance Bounding (DB) protocol whichestablishes an upper bound on the physical distance betweena verifier and a prover The prover authenticates the verifierthrough the DB protocol and erases data if verification ispassed successfully To verify erasure the prover sends theproof as the message authentication code value of the entirememory However the scheme is limited in terms of distanceand so is not applicable for UAVs

Our approach solves verifiable erasure through proof oferasure [15ndash18] that only the user can identify as in theabove studies However our approach creates a proof oferasure in such a way that the memory blocks each havea dependency on the block which guarantees more robustevidence Furthermore in contrast to past studies which didnot consider losses in the communication environment weaimed to achieve remote erasure of UAVs after hijack loss

andor disconnection Also the sensor system in cloud is sim-ilar to our system in that it collects data from remote devicesand processes them to achieve specific goals However in thecase of the cloud sensor system the collected information islimited to the sensor data and ismerely used for providing themonitoring to the user In the case of our system the collectedinformation is the memory information of the remote deviceIt can be seen that there is a difference from the cloud sensorsystem in that it verifies whether or not the erasure operationis performed by utilizing this

3 Proposed System Architecture

Our UAV-Undertaker consists of two parts the communi-cation protocol and verifiable erasure protocol We confirmwhether or not control of the UAV is lost by communicatingwith the UAV Therefore it is important to verify that amessage originates from the stated sender (ie authenticcommunication) and has not been changed This authenti-cation role is implemented as the communication protocolusing a hash chain mechanism [19] We also implement theverifiable erasure protocol which generates proof of erasureto verify that the erasure operation was really performed Weclassify the data region according to the number of timesthe data will be written in order to increase the probativepower of proof of erasure with just a small amount of data(thus improving efficiency) The operation result value iscreated by accurately performing the implemented erasureoperation Therefore a cryptographic accelerator such as theTPM (Trusted Platform Module) must be used in order tomake the results of the computation trustworthy

Figure 2 shows the overall process of our approach fromboth the GCS andUAVviewpoints From the GCS viewpointthe GCS sends an authentication request message to the UAVat intervals and then waits for a message from the UAV Ifthe GCS receives a message from the UAV it verifies thatthe message is authentic if so it updates the value to be


Table 1 Notations of the entity and messages

Definition of the Entity SymbolsGCS Ground Control StationUAV Unmanned Aerial VehicleDenotationmsg = 120572 120573 Message contains two contexts (120572 and 120573)msg = 120572 (120573) Message always contains 120572 context but 120573 context is optionally containedDefinition of the Message Symbols119870119909119910 A symmetric key shared between 119909 and 119910119864119870 119861 Encrypt 119861 with key119870119909 Value to compute with hash function119899 Number of hash function calculations119903 Retransmission bit119894 Authentication countℎ(119909) Result of 119909 in the hash function119873119900119899119888119890 Generated random data against replay attacksℎ119897 Address of hot data modified after previous authentication119886119897 Address of accumulated data modified after previous authenticationℎV Set containing the addresses of hot data randomly selected and the values of those data119886V Set containing the addresses of accumulated data randomly selected and the values of those data119875119900119864 Proof of ErasureDefinition of the Greek Symbols120572 Ratio of amount of randomly selected data in accumulated data region120573 Ratio of amount of randomly selected data in hot data region120574 Number of re-authentication permits120575 Initial value of the counter

sent next If communication with the UAV is cut off and theUAV performs the erasure operation and the GCS repeatedlyreceives the proof of erasure from the UAV and verifies itFrom the UAV viewpoint after decrementing the counter byone the UAV waits for a message from the GCS (idle state)A UAV that has successfully authenticated a GCS updateof the hash value for the next authentication initializes thedecreasing count value to 120575 (ie the initial value of thecounter) and waits for the message to be received again(idle state) If the UAV does not receive a message from theGCS before the count value reaches a certain value the UAVrepeatedly erases stored data and repetitively sends proof oferasure through a low frequency

31 Communication Protocol To allow the sender of eachmessage to be authenticated hash chains and messageencryption are used in the communication protocol Toencrypt a message the UAV must share the symmetric keysecurely offline with the GCS before departure Our approachis designed to execute the erasure protocol after 120574 times ofrequests for reauthentication because the UAV may be con-fronted with a mere transient communication failure where120574 can be set freely according to the circumstances of missionTable 1 defines the entity symbols and the message symbols

Figure 3 shows the message flow when communicationbetween the UAV and the GCS is performed without prob-lems First the GCS encrypts the number of hash function

calculations (119899) and the value to compute with hash function(119909) using a symmetric key already shared between the GCSand the UAV it then sends an initialization request message(Message 1-1) containing that encrypted value to the UAVWhen the value is received from the GCS the UAV computesℎ119899(119909) encrypts it and sends an initialization response mes-sage (Message 1-2) to the GCS The GCS confirms that theUAV received the correct 119909 and 119899 The GCS and the UAVwho have verified each other start exchanging authenticationmessages using a hash chain The GCS sends messages tothe UAV at regular intervals When the maximum countvalue is 120575 (seconds) and the number of reauthenticationtimes is 120574 the interval is calculated using (1) The constantldquo1rdquo in (1) is added because GCS waits for the interval andthen sends the next message The constant ldquo2rdquo in (1) ismultiplied to prevent the timer from being initialized duringthe maximum authentication latency that can occur on oursystem

119894119899119905119890119903V119886119897 =120575

2 (1 + 120574)(119904119890119888119900119899119889119904) (1)

After the UAV receives a message (Message 1-3) contain-ing the hash value from the GCS the UAV calculates thehash value of the received value and compares the valuewith the previously stored value If two values are equalthe UAV initializes the count value to 120575 and updates thestored value with the hash value received from the GCS


UAVGCS

Initiate Timer4 Verify Msg 1-2

6 Verify Msg 1-3Initiate TimerUpdate Hash Value of UAV

8 Verify Msg 1-4

hellip

n ndash i + 1

0 0

Message 1-1 GCS UAV EMessage 1-2 UAV GCS EMessage 1-3 GCS UAV EMessage 1-4 UAV GCS E

Hash Value Stored in UAV

n

n ndash i

hellip

hellip

GCS

hellip

Number of Hash Function Calculations

Stored in UAV

intervali

intervali

1 Initialization Request Msg(1-1)

3 Initialization Response Msg(1-2)2 Calculate ℎ

n(x)

ℎn(x)

ℎnminusi+1

(x)

ℎnminusi

(x)

KGCSUAV x n NonceGCSKGCSUAV ℎ

n(x) NonceGCS

KGCSUAV ℎnminusi

(x) rNonceGCS KGCSUAV n minus i NonceUAV ℎl al ( ℎ a)

5 ith Authentication Response Msg(1-3)

7 ith Authentication Request Msg(1-4)

Figure 3 Message flow depending on the communication environment Messages 1-1ndash1-4 are those sent when communication between theunmanned aerial vehicle (UAV) and the Ground Control Station (GCS) is performed without problems

After confirming that the message is sent from the GCS theUAV sends a message (Message 1-4) containing the memoryinformation along with the n minus i to the GCS ℎV and 119886V(changed memory information) contained in Messages 1-4are not encrypted and transmitted The reason is that in oursystem ℎV and 119886V can include very large amounts of dataand encrypting these data is expected to have a very highcomputational overhead Even if the malicious user success-fully acquires the unencrypted ℎV and 119886V the user cannotgenerate the false proof because the last hash value used in theerasure operation cannot be determined These transactionsare repeated 119899 times if communication is good When thenumber of authentication (119894) exceeds 119899 (ie the maximumnumber of hash function calculations) the GCS and theUAV reexchange the new 119899 and 119909 through Message 1-1 andMessage 1-2

Figure 4 shows the message flow from when UAV couldnot receive the hash value from the GCS until the countervalue reaches 0 atwhich point it initiates the erasure protocolIf the GCS sends an authentication request message (Message2-1) to the UAV but does not receive the authenticationresponse message from the UAV the GCS waits the intervaltime and then sends again the message containing the samehash value At this time the 119903 bit (ie the retransmission)is set to 1 and included in the message (Message 2-2)If the UAV faced a temporary communication failure itwill subsequently receive a reauthentication request message(Message 2-2) from the GCS the UAV checks the 119903 bit

recognizes resending and confirms that the hash value storedin the UAV and received value are equal If the two values areequal the UAV returns value (n minus i) which means the nexthash value request At that time the UAV does not updatethe stored counter value or hash value If the two values arenot equal the UAV calculates the hash value of the receivedvalue and compares it with the stored value If the two valuesare equal the UAV resets the counter value and updates thestored hash value After that the user and the UAV resumenormal communication However if the next hash value isnot received from the GCS and the value of the counterinserted in the UAV reaches 0 the UAV performs an erasureprotocol and sends a message (Message 2-3) including proofof erasure and the memory information changed since themost recent successful authentication to the GCS througha certain frequency In order for the GCS to verify that theUAV performed an erase operation the GCS must know thechanged memory information in the UAV However after thecommunication between the GCS and the UAV is lost theGCS do not know information of data changed in the UAVThusMessage 2-3 contains the changed memory informationsince the communication was disconnected As our approachtakes the best effort approach the UAV repeatedly performsthe erasure operation after transmitting the proof of erasureand continues to send the proof of erasure (Message 2-4)to the GCS The number of times an erase operation isperformed depends entirely on a given amount of time to theUAV after the erase operation has begun


UAVGCS

Message 2-1 GCS UAV EMessage 2-2 GCS UAV EMessage 2-3 UAV GCS Message 2-4 UAV GCS

n ndash i + 1

4 Erasure Operation

hellip

interval

interval

6 Erasure Operation

hellip

Best Effort

GCS Hash Value Stored in UAV


Stored in UAV1 Authentication Request Msg(2-1)2 Re-authentication Request Msg(2-2)

3 Re-authentication Request Msg(2-2)

5 Erasure Proof Msg(2-3)


ℎnminusi+1

(x)

KGCSUAV ℎnminusi

(x) r NonceGCSKGCSUAV ℎ

nminusi(x) r = 1 NonceUAV

PoE ℎl al

PoE

Figure 4 Message flow depending on the communication environment If the unmanned aerial vehicle (UAV) does not receive the hashvalue from the Ground Control Station (GCS) before the counter value reaches 0 the UAV proceeds with the erasure process and sends proofof erasure to the GCS

C2

Cold Data Region Accumulated Data Region Hot Data Region

Storage of UAV

C1 C3

hellip hellip Cn

A1 A2 A3 A4 A5 A6

hellip hellip hellip

hellip hellip hellip hellip hellip An


H2H1 H3

Hn

Figure 5 Unmanned aerial vehicle (UAV) storage divided into three regions cold data region accumulated data region and hot data region

32 Verifiable Erasure Protocol For data erasure ourapproach classifies the UAV storage into three data regionsaccording to the expected number of writes of the data(Figure 5)The first region is a cold data region (ie data thatwill never be modified after the UAV departs) the secondis the accumulated data region (ie data that will not bemodified after it has been written for example video shot bythe UAV) and the third is a hot data region (ie data thatis actively modified) The mechanism assumes that the GCSknows the address values of the three data regions

Our proposed proof of erasure generation methodrequires the live tracking of accumulated data and hot data(except for cold data that does not change because each datapoint has a dependency on each other in the proof of erasure)However since tracking all the data causes considerablecommunication overhead we randomly select data to act asseeds and transmit authentication messages containing justthose data (Figures 6 and 7)

The selected data is managed by recording the addressvalue and data type in the seed block table In the accumulateddata region the number of seed data selects120572of the numberof modified data blocks from time 119905n-1 at which the previousseed block was selected to the current time 119905n at which theseed block selection occurs Therefore when selecting seeddata the seed is selected uniformly regardless of the time atwhich the data were generated In the hot data region thenumber of seed data selects 119905ℎ119890 ℎ119900119905 119889119886119905119886 119903119890119892119894119900119899 119904119894119911119890 times 120573 among modified data blocks from time 119905n-1 at which theprevious seed block was selected to the current time 119905n atwhich the seed block selection occurs The value of 120572 and120573 can be directly selected by the user If the GCS and theUAV are in very good communication (high bandwidth) andthere is no problem sending and receiving a lot of data theGCS can increase the probative power of proof by setting thevariable (120572) high Conversely if the GCS and the UAV are inpoor communication (low bandwidth) and cannot exchange


C2

Cold Data Accumulated Data Hot Data

0 Addrof A3

1

Seed Block Table

Storage of UAV

helliphelliphelliphelliphellip

Addr of H41 Addr of Hn-1

tntn-1tn-2

Data generated between tn-2 and tn-1

Time

Data generated between tn-1 and tn

hellip hellip

C1 C3

hellip hellip Cn

A 1 A 2 A 3 hellip hellip hellipA 4 A 5 A 6

hellip hellip hellip hellip hellip hellip

H4 hellip hellip

A k-1 A k A k+1

Hn-2 Hn-1 Hn

A 1 A 2 A 3 A 4 A 5 A 6

hellip hellip hellip A k-1 A k A k+1

hellip hellip hellip hellip hellip A n


H2H1 H3

H4

Hn-1Hn-2 Hn

Hn-2 Hn-1 Hn

Figure 6 Random selection of data fromunmanned aerial vehicle (UAV) storage and the seed block tableThe gray block ofmemory indicatesdata selected as seed blocksThe seed blocks are selected fromdata generated between time 119905n-1 at which the previous seed block was selectedand time 119905n at which the seed block selection occurs

UAVGCS

hellip

A3

tn-1

tn

Accumulated Data Hot Data

A5 H4

Verify Msg 1-4

Ak Hn-1

Random Selection of Data


Verify Msg 1-4

in Message 1-4

hellip

in Message 1-4

GCS

Address of A3(Several Times of Authentications)

hellip

Authentication Request Msg(1-3)


Authentication Response Msg(1-4)


ℎ a

ℎ a

Figure 7 Process of sending randomly selected seed data to the Ground Control Station (GCS)The gray blocks represent randomly selectedmemory blocks and t represents an arbitrary time


Figure 8 Memory state of the unmanned aerial vehicle (UAV) after the predecessor step to erase accumulated data and hot data Inaccumulated data and hot data regions the remaining blocks excluding the seed data blocks are overwritten with 119862119899

1015840 which is the result ofthe erasure operation of the cold data region

large amounts of data the GCS can lower the amount ofcommunication data by setting the variable (120572) very low Inother words the GCS can set the variable according to thesituation where the GCS use our system

If the UAV counter reaches zero the erasure protocolproceeds in the following order erasure of cold data erasureof accumulated data and erasure of hot data For erasure ofcold data the erasure operation is performed without anypredecessor because the GCS already knows all of the valuesThe UAV overwrites the first block (C1) of the cold data withthe last hash value received from the GCSTheUAVperformsan XOR operation of the C2 block of the memory and C1block wiped with the last hash value received from the GCSand wipes the C1 block with the calculated value From nowon the wiped C1 block is denoted by 1198621

1015840 Next the C2 blockis wiped to the value obtained by the XOR operation of the11986211015840 block and the C2 block The repeated wiping of memory

proceeds in the same way (see (2)) until wiping the Cn block(ie the last block of cold data)

1198621198991015840 = 119862119899 oplus 119862119899minus1 (2)

For accumulated data region and hot data the GCS cannotknow all of the stored values and so predecessors are requiredThe address value of the changed data after the last successfulauthentication time should be recorded in the main memoryThe remaining blocks excluding the seed data block areoverwritten with 119862119899

1015840 which is the result of the erasureoperation of the cold data The bottom side of Figure 8shows the memory state after this predecessor step Thenthe UAV performs the XOR operation with the A2 blockof accumulated data and the A1 block of accumulated dataand wipes the A2 block with the result value If confrontedwith the seed data (eg A3) during the above operationthe UAV performs the XOR operation with the 1198602

1015840 blockof accumulated data and the hash value of the A3 block ofaccumulated data andwipes the A3 blockwith the result value(see (3)) In this way all data stored in the accumulated data

region and the hot data region are erased In other words theseed data of hot data are also calculated from (4)

1198601198991015840 = ℎ (119860119899) oplus 119860119899minus1 (3)

1198671198991015840 = ℎ (119867119899) oplus 119867119899minus1 (4)

The process above is defined as the first round Startingfrom the second round the erasure process proceeds withoutdistinguishing the data region unlike the first round TheUAV wipes 1198621

1015840 with the result of the XOR operation of the11986211015840 block and 119867119899

1015840 block After that the UAV wipes 11986221015840

with the result of the XOR operation of 119862110158401015840 block and 1198622

1015840This process continues until the last block of hot data isoverwritten without any distinction of the data region tocomplete the second round To prevent forensic we proceedthrough multiple rounds We assume that the repeatedlywiped memory cannot be recovered so it is impossibleto extract information from the memory After the secondround process as proof of erasure the block 119867119899

10158401015840 value iscomputed using a hash function and the UAV sends thatvalue (proof of erasure) to the GCS as Frequency Shift Keying(FSK) via the low frequency The GCS who has received theproof of erasure from the UAV will be able to calculate theproof of erasure and confirm the validity of the message

In the first part of the erasure process the last hash valuesent by the GCS is used as a seed in the erasure processto enhance security The hash value used as the seed is anencrypted value so an attacker cannot determine this valueEach value calculated by the above erasure process has adependency on the previous memory data Therefore evenif the attacker knows some blocks of memory a false proofcannot be generated

4 Experimental Results

To test performance of the devised protocol we implementedan experimental environment using the T2080 as the UAVflight computer [20] the T2080 has a 128 Mbytes NOR flash


50000

40000

30000

20000

10000

0

Writ

e ro

ughp

ut (k

byte

s)

00~30

30~60

60~90

90~120

120~150

150~180

180~210

Time Interval

tn-1 tn

(a)

00~30

30~60

60~90

90~120

120~150

150~180

180~210

Time Interval

W

(b)

50000

40000

70000

60000

30000

20000

10000

0Am

ount

of T

rans

ferr

ed D

ata (

kbyt

es)

3rd

Auth

4th

Auth

1st A

uth

5th

Auth

2nd

Auth

Order of Authentication Message

= 50

= 100

= 2

= 10

(c)

50000

40000

70000

80000

60000

30000

20000

10000

0Am

ount

of T

rans

ferr

ed D

ata (

kbyt

es)

3rd

Auth

4th

Auth

1st A

uth

5th

Auth

2nd

Auth


= 50

= 100

= 2

= 10

(d)

Figure 9 Amount of data transferred according to the rate at which accumulated data are generated and 120572 (a) Constant amount of datawritten to the SD card over time interval (b) random amount of data written to the SD card over time interval (c) amount of transferred datawhen the data is generated as shown in Figure 9(a) on the unmanned aerial vehicle (UAV) and (d) amount of transferred data when the datais generated as shown in Figure 9(b) on the UAV

memory SD connector to interface and SATA interfaceThrough this implementation we conduct two experimentsto investigate how practical the proposed scheme is thecommunication overhead according to 120572 and the erasurelatency of the erasure process according to memory size Weconducted experiments on SD cards inserted in the T2080The block size used in the XOR operation was determinedbased on howmany 512-byte blocks were sequentially read ata time and the size of one block used in our experiment was1Kbytes which was determined by reading 512-byte blockstwice in succession

41 Communication Overhead Experiment This experimentmeasured the amount of data transferred according to the rate

at which accumulated data are generated and 120572 The amountof transferred data in the experiment is the amount of datathat is sent when the UAV sends an authentication responsemessage to the user To reproduce an environment similar toa real UAVs storage we used a data generator called iozone[21] to write dummy data to the SD card For 3 minutes and30 seconds a total of 100 Mbytes of accumulated data wasgenerated through the data generator Figures 9(a) and 9(b)show the amount of data written to the SD card over the timeinterval In Figure 9(a) the data generator always writes aconstant amount of data but in Figure 9(b) the amount ofdata to write largely changes with time Figure 9(c) showsthe amount of transferred data when the data is generatedas shown in Figure 9(a) and Figure 9(d) shows the amount


of transferred data when the data is generated as shownin Figure 9(b) In both experiments 120572 was set to 2 1050 and 100 Each experiment has two random selectionsof data and the random selection of data occurred at thetime indicated by 119905n-1 and 119905n in Figure 9 For comparisonthe random selection of data occurred at the same timein both experiments Authentication was performed every45 seconds

In our system the amount of transferred data after arandom selection of data occurs is greatly increased Ascan be seen from the experimental results the increasedamount of transferred data is highly dependent on 120572 Theamount of generated data also affects the amount of datatransferred but the amount of data transferred is very smallif 120572 is small In other words our system makes it possibleto select 120572 depending on the situation enabling timer-based erasure operation and erasure verification even whenthe maximum transmission amount of the UAV is largelyrestricted In addition even if the amount of generated datasuddenly increases a sample of generated data is selectedand transmitted so it is possible to communicate morestably by sending less data during unstable communicationsituations

42 Erasure Operation Overhead Experiment In this exper-iment we measured the erasure latency according to thememory size of the UAV where the erasure latency was thetime from when the embedded timer reaches 0 to whenthe proof of erasure is generated Our approach divides thememory region into three regions according to the type ofdata and performs the erasure operation So we divided thememory used in the experiment into the following regions5 of the total memory for the cold data region 85 forthe accumulated data region and 10 for the hot dataregion Since we wanted the erasure latency to be affectedonly by memory size in this experiment we equally set allthe variables except for memory size In this experimentthe values of 120572 and 120573 were set to 2 Figure 10 shows eachnumber of the proof transmit for 1 Gbytes 2 Gbytes 4Gbytes and 16 Gbytes memory size when a limited timeof 8 minutes is given to the UAV that initiated the erasureoperation The data transfer rate via FSK is recommendedto be 345 bits per second [22] Therefore our experimentalso sent 345 bits per second when transferring the proof oferasure The amount of data changed after communicationwas disconnected and was assumed to be 100 Mbytes Theerasure latency recorded in the graph is the average value oferasure latency measured through three times of the eraseoperation

As we might expect the erasure latency of first roundincreased with thememory size In the rest of the experimentexcept for the 1 Gbytes scenario the difference between theerasure latency of the first round execution and the erasurelatency of the second round execution was large This isbecause the number of hash operations increased as memorysize increasedThe first transmission of proof of erasure takes9 seconds longer than the subsequent proof transmissionsince it contains the address value of the changed data

1G 2G 4GMemory Size (bytes)

Eras

ure L

aten

cy (s

econ

ds)

16G

400

300

200

100

0

Erasure operationTransferring proof

Figure 10 Experimental result for erasure latency according to thememory size of the unmanned aerial vehicle (UAV)

since communication was lost As can be seen from theexperimental results if the UAV timer reaching zero it has 8minutes to perform the erasure operation 32 times at 1Gbytes17 times at 2 Gbytes 8 times at 4 Gbytes and 2 times at 16Gbytes In other words the UAV makes the best efforts inthe given situation to erase the data and transfer the proofof erasure

5 Conclusions

We have proposed a mechanism to provide proof of erasureoperations after erasing data stored on UAVs even if controlof a remotely deployed UAV is lost To do this we used acountdown-based approach and hash chain to authenticatethe sender of received messages and to trigger the erasureoperation even after communication is lostThe accumulateddata of the UAV is classified into new data types the featuresof the data are actively utilized in the erasure operation andthe proof of erasure operation is transmitted so that the GCScan verify whether the erasure operation has actually beenperformed

Our approach does not track all the data when generatingproof of erasure and so there is relatively little communica-tion overhead instead we select seed data to generate proofof erasure By allowing the amount of transferred data togenerate proof through the value of 120572 timer-based erasureand erasure verification are possible evenwhen themaximumamount of transmission is greatly limited Furthermore sincea UAV that had lost control and started the erasure operationwould not know what situation it was in we used the besteffort method to perform the erasure operation

Data Availability

The data used to support the findings of this study areavailable from the corresponding author upon request


Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This work was supported by the National Research Foun-dation of Korea (NRF) [Grant no NRF-2017R1C1B2003957]and by the Institute for Information amp CommunicationsTechnology Promotion (IITP) of the Korea government(MSIT) [Grant no 2019-0-00426 and no 2018-0-00420]

References

[1] D Cenciotti Iran Unveils New UCAV Modeled on CapturedUS RQ-170 Stealth Drone The Aviationist 2016 httpstheav-iationistcom20161002iran-unveils-new-ucav-modeled-on-captured-u-s-rq-170-stealth-drone

[2] S Shane and D E Sanger Drone Crash in Iran Reveals SecretUS Surveillance Effort New York Times 2011 httpswwwny-timescom20111208worldmiddleeastdrone-crash-in-iran-reveals-secret-us-surveillance-bidhtml

[3] L A White ldquoThe need for governmental secrecy why theus government must be able to withhold information in theinterest of national securityrdquo Virginia Journal of InternationalLaw vol 43 p 1071 2002

[4] N Uchida S Takeuchi T Ishida and Y Shibata ldquoMobile trafficaccident prevention system based on chronological changesof wireless signals and sensorsrdquo Journal of Wireless MobileNetworks Ubiquitous Computing and Dependable Applicationsvol 8 no 3 pp 57ndash66 2017

[5] CGrittiM Onen RMolvaW Susilo andT Plantard ldquoDeviceidentification and personal data attestation in networksrdquo Jour-nal of Wireless Mobile Networks Ubiquitous Computing andDependable Applications (JoWUA) vol 9 no 4 pp 1ndash25 2018

[6] N Uchida K Ito T Ishida and Y Shibata ldquoAdaptive arrayantenna controlmethodswith delay tolerant networking for thewinter road surveillance systemrdquo Journal of Internet Services andInformation Security (JISIS) vol 7 no 1 pp 2ndash13 2017

[7] F Arena P Giovanni and M Collotta ldquoA survey on driverlessvehicles from their diffusion to security featuresrdquo Journal ofInternet Services and Information Security (JISIS) vol 8 no 3pp 1ndash19 2018

[8] A J Kerns D P Shepard J A Bhatti and T E HumphreysldquoUnmanned aircraft capture and control via GPS spoofingrdquoJournal of Field Robotics vol 31 no 4 pp 617ndash636 2014

[9] A Rawnsley ldquoIranrsquos alleged drone hack tough but possi-blerdquo Wired 2011 httpswwwwiredcom201112iran-drone-hack-gps

[10] F Hao D Clarke and A F Zorzo ldquoDeleting secret datawith public verifiabilityrdquo IEEE Transactions on Dependable andSecure Computing vol 6 pp 617ndash629 2016

[11] M D Leom K Kwang R Choo and R Hunt ldquoRemote wipingand secure deletion on mobile devices a reviewrdquo Journal ofForensic Sciences vol 61 no 6 pp 1473ndash1492 2016

[12] X Yu ZWang K SunW T ZhuNGao and J Jing ldquoRemotelywiping sensitive data on stolen smartphonesrdquo in Proceedingsof the 9th ACM Symposium on Information Computer andCommunications Security ASIA (CCS) pp 537ndash542 ACMJapan 2014

[13] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of the 3rdInternational Symposium onMobile Internet Security (MobiSec)vol article 8 pp 1ndash9 Cebu Philippines 2018

[14] S Kim T-Y Youn D Choi and K-W Park ldquoSecurely control-lable and trustworthy remote erasure on embedded computingsystem for unmanned aerial vehiclerdquo in Proceedings of theResearch Briefs on Information amp Communication TechnologyEvolution (ReBICTE) vol 4 article 3 2018

[15] D Perito and G Tsudik ldquoSecure code update for embeddeddevices via proofs of secure erasurerdquo in Proceedings of theEuropean Symposium on Research in Computer Security pp643ndash662 Springer 2010

[16] S Dziembowski T Kazana and D Wichs ldquoOne-time com-putable self-erasing functionsrdquo in eory of Cryptography vol6597 ofLectureNotes in Computer Science pp 125ndash143 SpringerHeidelberg Germany 2011

[17] M Ammar B Crispo W Daniels and D Hughes ldquoSpeedsecure provable erasure for class-1 iot devicesrdquo in Proceedings ofthe 8th ACM Conference on Data and Application Security andPrivacy (CODASPY) pp 111ndash118 2018

[18] G O Karame and W Li ldquoSecure erasure and code update inlegacy sensorsrdquo in Proceedings of the International Conferenceon Trust and Trustworthy Computing vol 9229 pp 283ndash299Springer International Publishing 2015

[19] L Lamport ldquoPassword authentication with insecure communi-cationrdquo Communications of the ACM vol 24 no 11 pp 770ndash772 1981

[20] M Slonosky ldquoTrusted boot in COTS computingrdquo MilitaryEmbedded Systems 2015 httpmil-embeddedcomarticlestrusted-boot-cots-computing

[21] W D Norcott ldquoIozone filesystem benchmarkrdquo httpwwwiozoneorgdocsIOzone msword 98pdf

[22] L Deshotels ldquoInaudible sound as a covert channel in mobiledevicesrdquoWOOT 2014

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of



Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom


Blocking Erasure Request

GCSUAV Attacker

Unverifiable Erasure

GCSAttacker

UAV

Performing Erasure Despite Loss of Control and Sending Proof of Erasure

Proof of

Erasure GCSUAV Attacker

GCS

Attack

Attacker

eraseresponse

GCS

Erasure Request

Erasure Request

False Result

(a) (b)

(e)

(d)

(c)

response

erase

receive

Figure 1Three situations faced by unmanned aerial vehicles (UAVs) after attack or capture (a)UAVon a flightmission (b)UAVs performinga flight mission is captured by an attacker (c) receiving unverifiable result of erasure (d) blocked erasure requests by attackers and (e)performing erasure operation and transmitting proof of erasure following capture

Obvious proof of erasure must be presented and there mustbe nomechanism by whichmalicious users can generate falseevidence

Figure 1 indicates three situations that UAVsmay be facedwith after attack or capture In conventional remote erasuresystems [11 12] a Ground Control Station (GCS that isthe control center that provides human control of UAVs)can erase data by sending an erasure signal to a lost UAVHowever when communication is cut conventional remoteerasure is not available We devised counter-based erasurewhich can erase data in an uncontrollable environment Thisstudy is an extension of our previous work [13 14] in whichwe focused on the system design of trustworthy remoteerasure for UAVs However our objective here was to devisea mechanism to select random seed data using accumulateddata and develop a method for trustworthy remote erasureThe devised scheme has a count value which decrementsvalue one by one and erases data when the counter valuereaches zero The GCS can retain stored data only throughperiodically sending the specific value to the UAV If the GCSdoes not send the specific value to the remote UAV and thecounter reaches zero the UAV erases the data In terms ofverification most existing mechanisms provide nothing oronly a simple response (erase or not erase) Our remote era-sure system provides relatively complex but verifiable proofof erasure through randomized data synchronization Upona process of erasure of data the remote UAV continuously

generates a proof of erasure until the UAV is completelystopped this proof is repeatedly sent to the GCS The GCSchecks that the proof has been received and verifies thatremote data are erased

The remainder of this paper is organized as followsSection 2 reviews the related works of verifiable remote dataerasure Section 3 describes the materials and gives detailsof our mechanism UAV-Undertaker Section 4 describes twoexperiment results about overhead in terms of communi-cation and computation This paper ends in Section 5 withconclusion on our work

2 Related Works

To resolve problem of erasure of remotely stored data withverifiability the researchers have devised approaches whichgenerate a provable value of erasure operation We analyzedseveral of them and identified the limiting factors in applyinga verifiable erasure for UAVs

Perito and Tsudik [15] use a PoSE (Proof of SecureErasure) for secure code updates on embedded devices byverifying the erasure of memory A verifier sends verifier-selected randomness of the size of memory to a prover andthe proverrsquos memory is filled with the received value Theprover returns the very same randomness written on thememory to the verifier As both the verifier and the proversend a random value of memory size to each other this


UpdateIdle

If receive msg


Aer sending

msg Send Msg

Authenti-cation

FailSuccess

Verify Proof

ReceiveProof

If receive proof

Aer receiving

proof

Aer update

GCS


Aer di

(a) (b)















119894119899119905119890119903V119886119897 =120575

2 (1 + 120574)(119904119890119888119900119899119889119904) (1)



UAVGCS



8 Verify Msg 1-4

hellip

n ndash i + 1

0 0



n

n ndash i

hellip

hellip

GCS

hellip


Stored in UAV

intervali

intervali



n(x)

ℎn(x)

ℎnminusi+1

(x)

ℎnminusi

(x)


n(x) NonceGCS

KGCSUAV ℎnminusi









UAVGCS


n ndash i + 1

4 Erasure Operation

hellip

interval

interval

6 Erasure Operation

hellip

Best Effort







ℎnminusi+1

(x)

KGCSUAV ℎnminusi



PoE ℎl al

PoE


C2


Storage of UAV

C1 C3

hellip hellip Cn

A1 A2 A3 A4 A5 A6




H2H1 H3

Hn






C2


0 Addrof A3

1

Seed Block Table

Storage of UAV



tntn-1tn-2


Time


hellip hellip

C1 C3

hellip hellip Cn



H4 hellip hellip

A k-1 A k A k+1

Hn-2 Hn-1 Hn

A 1 A 2 A 3 A 4 A 5 A 6




H2H1 H3

H4

Hn-1Hn-2 Hn

Hn-2 Hn-1 Hn


UAVGCS

hellip

A3

tn-1

tn


A5 H4

Verify Msg 1-4

Ak Hn-1



Verify Msg 1-4

in Message 1-4

hellip

in Message 1-4

GCS


hellip





ℎ a

ℎ a









1198621198991015840 = 119862119899 oplus 119862119899minus1 (2)





1198601198991015840 = ℎ (119860119899) oplus 119860119899minus1 (3)

1198671198991015840 = ℎ (119867119899) oplus 119867119899minus1 (4)











50000

40000

30000

20000

10000

0

Writ

e ro

ughp

ut (k

byte

s)

00~30

30~60

60~90

90~120

120~150

150~180

180~210

Time Interval

tn-1 tn

(a)

00~30

30~60

60~90

90~120

120~150

150~180

180~210

Time Interval

W

(b)

50000

40000

70000

60000

30000

20000

10000

0Am

ount

of T

rans

ferr

ed D

ata (

kbyt

es)

3rd

Auth

4th

Auth

1st A

uth

5th

Auth

2nd

Auth


= 50

= 100

= 2

= 10

(c)

50000

40000

70000

80000

60000

30000

20000

10000

0Am

ount

of T

rans

ferr

ed D

ata (

kbyt

es)

3rd

Auth

4th

Auth

1st A

uth

5th

Auth

2nd

Auth


= 50

= 100

= 2

= 10

(d)











Eras

ure L

aten

cy (s

econ

ds)

16G

400

300

200

100

0




5 Conclusions



Data Availability





Acknowledgments


References

























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



UpdateIdle

If receive msg


Aer sending

msg Send Msg

Authenti-cation

FailSuccess

Verify Proof

ReceiveProof

If receive proof

Aer receiving

proof

Aer update

GCS


Aer di

(a) (b)















119894119899119905119890119903V119886119897 =120575

2 (1 + 120574)(119904119890119888119900119899119889119904) (1)



UAVGCS



8 Verify Msg 1-4

hellip

n ndash i + 1

0 0



n

n ndash i

hellip

hellip

GCS

hellip


Stored in UAV

intervali

intervali



n(x)

ℎn(x)

ℎnminusi+1

(x)

ℎnminusi

(x)


n(x) NonceGCS

KGCSUAV ℎnminusi









UAVGCS


n ndash i + 1

4 Erasure Operation

hellip

interval

interval

6 Erasure Operation

hellip

Best Effort







ℎnminusi+1

(x)

KGCSUAV ℎnminusi



PoE ℎl al

PoE


C2


Storage of UAV

C1 C3

hellip hellip Cn

A1 A2 A3 A4 A5 A6




H2H1 H3

Hn






C2


0 Addrof A3

1

Seed Block Table

Storage of UAV



tntn-1tn-2


Time


hellip hellip

C1 C3

hellip hellip Cn



H4 hellip hellip

A k-1 A k A k+1

Hn-2 Hn-1 Hn

A 1 A 2 A 3 A 4 A 5 A 6




H2H1 H3

H4

Hn-1Hn-2 Hn

Hn-2 Hn-1 Hn


UAVGCS

hellip

A3

tn-1

tn


A5 H4

Verify Msg 1-4

Ak Hn-1



Verify Msg 1-4

in Message 1-4

hellip

in Message 1-4

GCS


hellip





ℎ a

ℎ a









1198621198991015840 = 119862119899 oplus 119862119899minus1 (2)





1198601198991015840 = ℎ (119860119899) oplus 119860119899minus1 (3)

1198671198991015840 = ℎ (119867119899) oplus 119867119899minus1 (4)











50000

40000

30000

20000

10000

0

Writ

e ro

ughp

ut (k

byte

s)

00~30

30~60

60~90

90~120

120~150

150~180

180~210

Time Interval

tn-1 tn

(a)

00~30

30~60

60~90

90~120

120~150

150~180

180~210

Time Interval

W

(b)

50000

40000

70000

60000

30000

20000

10000

0Am

ount

of T

rans

ferr

ed D

ata (

kbyt

es)

3rd

Auth

4th

Auth

1st A

uth

5th

Auth

2nd

Auth


= 50

= 100

= 2

= 10

(c)

50000

40000

70000

80000

60000

30000

20000

10000

0Am

ount

of T

rans

ferr

ed D

ata (

kbyt

es)

3rd

Auth

4th

Auth

1st A

uth

5th

Auth

2nd

Auth


= 50

= 100

= 2

= 10

(d)











Eras

ure L

aten

cy (s

econ

ds)

16G

400

300

200

100

0




5 Conclusions



Data Availability





Acknowledgments


References

























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia









119894119899119905119890119903V119886119897 =120575

2 (1 + 120574)(119904119890119888119900119899119889119904) (1)



UAVGCS



8 Verify Msg 1-4

hellip

n ndash i + 1

0 0



n

n ndash i

hellip

hellip

GCS

hellip


Stored in UAV

intervali

intervali



n(x)

ℎn(x)

ℎnminusi+1

(x)

ℎnminusi

(x)


n(x) NonceGCS

KGCSUAV ℎnminusi









UAVGCS


n ndash i + 1

4 Erasure Operation

hellip

interval

interval

6 Erasure Operation

hellip

Best Effort







ℎnminusi+1

(x)

KGCSUAV ℎnminusi



PoE ℎl al

PoE


C2


Storage of UAV

C1 C3

hellip hellip Cn

A1 A2 A3 A4 A5 A6




H2H1 H3

Hn






C2


0 Addrof A3

1

Seed Block Table

Storage of UAV



tntn-1tn-2


Time


hellip hellip

C1 C3

hellip hellip Cn



H4 hellip hellip

A k-1 A k A k+1

Hn-2 Hn-1 Hn

A 1 A 2 A 3 A 4 A 5 A 6




H2H1 H3

H4

Hn-1Hn-2 Hn

Hn-2 Hn-1 Hn


UAVGCS

hellip

A3

tn-1

tn


A5 H4

Verify Msg 1-4

Ak Hn-1



Verify Msg 1-4

in Message 1-4

hellip

in Message 1-4

GCS


hellip





ℎ a

ℎ a









1198621198991015840 = 119862119899 oplus 119862119899minus1 (2)





1198601198991015840 = ℎ (119860119899) oplus 119860119899minus1 (3)

1198671198991015840 = ℎ (119867119899) oplus 119867119899minus1 (4)











50000

40000

30000

20000

10000

0

Writ

e ro

ughp

ut (k

byte

s)

00~30

30~60

60~90

90~120

120~150

150~180

180~210

Time Interval

tn-1 tn

(a)

00~30

30~60

60~90

90~120

120~150

150~180

180~210

Time Interval

W

(b)

50000

40000

70000

60000

30000

20000

10000

0Am

ount

of T

rans

ferr

ed D

ata (

kbyt

es)

3rd

Auth

4th

Auth

1st A

uth

5th

Auth

2nd

Auth


= 50

= 100

= 2

= 10

(c)

50000

40000

70000

80000

60000

30000

20000

10000

0Am

ount

of T

rans

ferr

ed D

ata (

kbyt

es)

3rd

Auth

4th

Auth

1st A

uth

5th

Auth

2nd

Auth


= 50

= 100

= 2

= 10

(d)











Eras

ure L

aten

cy (s

econ

ds)

16G

400

300

200

100

0




5 Conclusions



Data Availability





Acknowledgments


References

























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



UAVGCS



8 Verify Msg 1-4

hellip

n ndash i + 1

0 0



n

n ndash i

hellip

hellip

GCS

hellip


Stored in UAV

intervali

intervali



n(x)

ℎn(x)

ℎnminusi+1

(x)

ℎnminusi

(x)


n(x) NonceGCS

KGCSUAV ℎnminusi









UAVGCS


n ndash i + 1

4 Erasure Operation

hellip

interval

interval

6 Erasure Operation

hellip

Best Effort







ℎnminusi+1

(x)

KGCSUAV ℎnminusi



PoE ℎl al

PoE


C2


Storage of UAV

C1 C3

hellip hellip Cn

A1 A2 A3 A4 A5 A6




H2H1 H3

Hn






C2


0 Addrof A3

1

Seed Block Table

Storage of UAV



tntn-1tn-2


Time


hellip hellip

C1 C3

hellip hellip Cn



H4 hellip hellip

A k-1 A k A k+1

Hn-2 Hn-1 Hn

A 1 A 2 A 3 A 4 A 5 A 6




H2H1 H3

H4

Hn-1Hn-2 Hn

Hn-2 Hn-1 Hn


UAVGCS

hellip

A3

tn-1

tn


A5 H4

Verify Msg 1-4

Ak Hn-1



Verify Msg 1-4

in Message 1-4

hellip

in Message 1-4

GCS


hellip





ℎ a

ℎ a









1198621198991015840 = 119862119899 oplus 119862119899minus1 (2)





1198601198991015840 = ℎ (119860119899) oplus 119860119899minus1 (3)

1198671198991015840 = ℎ (119867119899) oplus 119867119899minus1 (4)











50000

40000

30000

20000

10000

0

Writ

e ro

ughp

ut (k

byte

s)

00~30

30~60

60~90

90~120

120~150

150~180

180~210

Time Interval

tn-1 tn

(a)

00~30

30~60

60~90

90~120

120~150

150~180

180~210

Time Interval

W

(b)

50000

40000

70000

60000

30000

20000

10000

0Am

ount

of T

rans

ferr

ed D

ata (

kbyt

es)

3rd

Auth

4th

Auth

1st A

uth

5th

Auth

2nd

Auth


= 50

= 100

= 2

= 10

(c)

50000

40000

70000

80000

60000

30000

20000

10000

0Am

ount

of T

rans

ferr

ed D

ata (

kbyt

es)

3rd

Auth

4th

Auth

1st A

uth

5th

Auth

2nd

Auth


= 50

= 100

= 2

= 10

(d)











Eras

ure L

aten

cy (s

econ

ds)

16G

400

300

200

100

0




5 Conclusions



Data Availability





Acknowledgments


References

























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



UAVGCS


n ndash i + 1

4 Erasure Operation

hellip

interval

interval

6 Erasure Operation

hellip

Best Effort







ℎnminusi+1

(x)

KGCSUAV ℎnminusi



PoE ℎl al

PoE


C2


Storage of UAV

C1 C3

hellip hellip Cn

A1 A2 A3 A4 A5 A6




H2H1 H3

Hn






C2


0 Addrof A3

1

Seed Block Table

Storage of UAV



tntn-1tn-2


Time


hellip hellip

C1 C3

hellip hellip Cn



H4 hellip hellip

A k-1 A k A k+1

Hn-2 Hn-1 Hn

A 1 A 2 A 3 A 4 A 5 A 6




H2H1 H3

H4

Hn-1Hn-2 Hn

Hn-2 Hn-1 Hn


UAVGCS

hellip

A3

tn-1

tn


A5 H4

Verify Msg 1-4

Ak Hn-1



Verify Msg 1-4

in Message 1-4

hellip

in Message 1-4

GCS


hellip





ℎ a

ℎ a









1198621198991015840 = 119862119899 oplus 119862119899minus1 (2)





1198601198991015840 = ℎ (119860119899) oplus 119860119899minus1 (3)

1198671198991015840 = ℎ (119867119899) oplus 119867119899minus1 (4)











50000

40000

30000

20000

10000

0

Writ

e ro

ughp

ut (k

byte

s)

00~30

30~60

60~90

90~120

120~150

150~180

180~210

Time Interval

tn-1 tn

(a)

00~30

30~60

60~90

90~120

120~150

150~180

180~210

Time Interval

W

(b)

50000

40000

70000

60000

30000

20000

10000

0Am

ount

of T

rans

ferr

ed D

ata (

kbyt

es)

3rd

Auth

4th

Auth

1st A

uth

5th

Auth

2nd

Auth


= 50

= 100

= 2

= 10

(c)

50000

40000

70000

80000

60000

30000

20000

10000

0Am

ount

of T

rans

ferr

ed D

ata (

kbyt

es)

3rd

Auth

4th

Auth

1st A

uth

5th

Auth

2nd

Auth


= 50

= 100

= 2

= 10

(d)











Eras

ure L

aten

cy (s

econ

ds)

16G

400

300

200

100

0




5 Conclusions



Data Availability





Acknowledgments


References

























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



C2


0 Addrof A3

1

Seed Block Table

Storage of UAV



tntn-1tn-2


Time


hellip hellip

C1 C3

hellip hellip Cn



H4 hellip hellip

A k-1 A k A k+1

Hn-2 Hn-1 Hn

A 1 A 2 A 3 A 4 A 5 A 6




H2H1 H3

H4

Hn-1Hn-2 Hn

Hn-2 Hn-1 Hn


UAVGCS

hellip

A3

tn-1

tn


A5 H4

Verify Msg 1-4

Ak Hn-1



Verify Msg 1-4

in Message 1-4

hellip

in Message 1-4

GCS


hellip





ℎ a

ℎ a









1198621198991015840 = 119862119899 oplus 119862119899minus1 (2)





1198601198991015840 = ℎ (119860119899) oplus 119860119899minus1 (3)

1198671198991015840 = ℎ (119867119899) oplus 119867119899minus1 (4)











50000

40000

30000

20000

10000

0

Writ

e ro

ughp

ut (k

byte

s)

00~30

30~60

60~90

90~120

120~150

150~180

180~210

Time Interval

tn-1 tn

(a)

00~30

30~60

60~90

90~120

120~150

150~180

180~210

Time Interval

W

(b)

50000

40000

70000

60000

30000

20000

10000

0Am

ount

of T

rans

ferr

ed D

ata (

kbyt

es)

3rd

Auth

4th

Auth

1st A

uth

5th

Auth

2nd

Auth


= 50

= 100

= 2

= 10

(c)

50000

40000

70000

80000

60000

30000

20000

10000

0Am

ount

of T

rans

ferr

ed D

ata (

kbyt

es)

3rd

Auth

4th

Auth

1st A

uth

5th

Auth

2nd

Auth


= 50

= 100

= 2

= 10

(d)











Eras

ure L

aten

cy (s

econ

ds)

16G

400

300

200

100

0




5 Conclusions



Data Availability





Acknowledgments


References

























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia









1198621198991015840 = 119862119899 oplus 119862119899minus1 (2)





1198601198991015840 = ℎ (119860119899) oplus 119860119899minus1 (3)

1198671198991015840 = ℎ (119867119899) oplus 119867119899minus1 (4)











50000

40000

30000

20000

10000

0

Writ

e ro

ughp

ut (k

byte

s)

00~30

30~60

60~90

90~120

120~150

150~180

180~210

Time Interval

tn-1 tn

(a)

00~30

30~60

60~90

90~120

120~150

150~180

180~210

Time Interval

W

(b)

50000

40000

70000

60000

30000

20000

10000

0Am

ount

of T

rans

ferr

ed D

ata (

kbyt

es)

3rd

Auth

4th

Auth

1st A

uth

5th

Auth

2nd

Auth


= 50

= 100

= 2

= 10

(c)

50000

40000

70000

80000

60000

30000

20000

10000

0Am

ount

of T

rans

ferr

ed D

ata (

kbyt

es)

3rd

Auth

4th

Auth

1st A

uth

5th

Auth

2nd

Auth


= 50

= 100

= 2

= 10

(d)











Eras

ure L

aten

cy (s

econ

ds)

16G

400

300

200

100

0




5 Conclusions



Data Availability





Acknowledgments


References

























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



50000

40000

30000

20000

10000

0

Writ

e ro

ughp

ut (k

byte

s)

00~30

30~60

60~90

90~120

120~150

150~180

180~210

Time Interval

tn-1 tn

(a)

00~30

30~60

60~90

90~120

120~150

150~180

180~210

Time Interval

W

(b)

50000

40000

70000

60000

30000

20000

10000

0Am

ount

of T

rans

ferr

ed D

ata (

kbyt

es)

3rd

Auth

4th

Auth

1st A

uth

5th

Auth

2nd

Auth


= 50

= 100

= 2

= 10

(c)

50000

40000

70000

80000

60000

30000

20000

10000

0Am

ount

of T

rans

ferr

ed D

ata (

kbyt

es)

3rd

Auth

4th

Auth

1st A

uth

5th

Auth

2nd

Auth


= 50

= 100

= 2

= 10

(d)











Eras

ure L

aten

cy (s

econ

ds)

16G

400

300

200

100

0




5 Conclusions



Data Availability





Acknowledgments


References

























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia








Eras

ure L

aten

cy (s

econ

ds)

16G

400

300

200

100

0




5 Conclusions



Data Availability





Acknowledgments


References

























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





Acknowledgments


References

























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


Documents

UAV-Undertaker: Securely Verifiable Remote Erasure Scheme ...downloads.hindawi.com/journals/wcmc/2019/8913910.pdf · ResearchArticle UAV-Undertaker: Securely Verifiable Remote Erasure