Physical Layer Authentication Analysis Based on Correlative Sequence and Channel Coding

2017 2nd International Conference on Communications, Information Management and Network Security (CIMNS 2017) ISBN: 978-1-60595-498-1

Physical Layer Authentication Analysis Based on

Correlative Sequence and Channel Coding

Hua-wei SONG, Liang JIN

*

and Xu WANG

National Digital Switch System Engineering & Technological Research Center, Zhengzhou, China

*Corresponding author

Keywords: Authentication, Typical set, Channel reciprocity, Physical layer security.

Abstract. In this paper, the physical layer authentication problem is analyzed theoretically with typical set and channel coding techniques. The wireless channels have characters of reciprocity and uniqueness. High correlation advantage of both sides can be used for authentication. Firstly, the sequences SAlice and SBob are quantized by estimating the channel. The two sequences are highly correlated, but not identical. And they are naturally confidential to Eve. An authentication framework based on correlative sequences and channel coding is proposed. The attack behavior that Eve may adopt is classified. And the upper and lower bounds of Eve’s attack capability are analyzed. Through theoretical analysis, it is found that the upper and lower bounds of the success rate of attack tend to be consistent when the codeword length tends to infinity.

Introduction

In wireless communication systems, the purpose of authentication is to ensure that the received messages do come from the desired transmitter. In other words, in a good authentication system, the receiver should be able to distinguish the legitimate packets from the fake and tampered packets [1]. The traditional authentication model is proposed by Simmons, which is based on the noiseless channel model [2]. The sender Alice shares a private key K with the receiver Bob. And Eve may attack as a malicious third party. Under the best defensive strategy, the lower bound of attack success

rate is 2H K( )/2. In addition, the authentication model must share secret keys firstly or distribute the secret keys through a private channel. It is not suited to some communication scenarios, such as M2M, D2D and other networks. Because authentication depends on the key and cryptographic algorithm, the authentication system is completely invalid in case the key is leaked or the attacker has a strong computing power to crack the key.

Research on physical layer security technology arise in recent years, which is based on Wyner’s Wiretap channel model [3]. Csiszár and J. Kőrner spread it to broadcast channel [4]. In this model, it is assumed that the quality of the wiretap channel is inferior to that of the main channel. And the absolute secure communication can be realized without relying on the sharing key. Many researchers have studied the methods of secure communication. Lai studied the authentication model in noisy channel[5]. It is pointed out that secure coding can be used to protect the key under the noisy condition of the Wiretap channel model. And an interesting conclusion is proved. When the channel quality of the main channel is higher than the Wiretap channel, the proposed method can authenticate the message multiple times with the same key without significantly increasing the probability of adversary attack. This conclusion is impossible in noiseless channel.

Different from the traditional authentication methods based on cryptography, this paper studies authentication security problem based on channel characters and channel coding. Because of the reciprocity of wireless channel, both sides can estimate the channel and extract sequences in the same way. The two sequences are highly correlated, but not completely consistent. It is found that the two related sequences contain the advantages of secret sharing information that third parties do not know. The joint coding of channel character sequences and message sequences is studied by using typical set theory and wiretap channel model theory. And a coding and decoding method which can restrict third party attacks is found. When the length of code tends to infinity, the upper and lower bounds of attack performance tend to be consistent. It proves that channel feature aided security authentication is feasible.

System Model

The system model is shown in Figure 1. Alice and Bob estimate and quantize the channel. The sequences SAlice and SBob are extracted in the same way. In this process, Eve get the sequence SEve which is not related to them. Alice wants to send the message M to Bob. After encoding, Alice transmits the sequence n

X . Going through a noisy channel, Bob receives n

Y . And Eve receives n Z . Eve attempts to make the Bob receive the messages sent by him. Eve's attack can be either a message newly generated or a message which has been tampered with received information.

Alice

Eve

Bob

SAlice _S

Bob

M X Y

Z

M’

X’

[image:2.595.146.405.339.493.2]

Z’

Figure 1. System Model.

For ease of expression, this paper defines the following names and their customary expressions. The random variables are represented by the capital letters X, Y. The samples are represented by lower case letters x and y. The sample space is represented by bold upper case letters X and Y. The elements number of X is called potency, denoted as |X|. The xn _{represents a sequence n of length}

random variables X: x₁, … x_n.

Secure Authentication Based on Correlative Sequence and Channel Coding

Related Sequences and Their Properties

Alice and Bob send pilot signals firstly, then channel estimation is carried out. Thus, the channel information sequence is obtained. Eve implements passive eavesdropping during this process. It is supposed that the channels between Alice and Bob are hab and hba, while the channels between Alice, Bob and Eve are hae, hbe. Through channel estimation, Alice and Bob can get their approximate values. As shown in Figure 2, Alice broadcast pilot signal at time t, Bob and Eve obtain hˆab

 

t and hˆae

 

t through channel estimation. And Bob broadcast pilot signal at time t+, Alice and Eve obtain





ˆ ba

h t andhˆ_be



t



. The existing research results show that the channel of both sides of

communication reciprocity in short time [8]. So hˆab

 

t and hˆba



t



are highly correlated. When the distance between the Eve and Alice, Bob exceeds half of the signal wavelength, it can be considered that the wiretap channel is not related to the legitimate channel. So the channel information estimated by Eve is not related to Alice and Bob [9].

Alice Bob

Eve hab(t)

hba(t+τ)

[image:3.595.198.394.271.375.2]

hae(t) hbe(t+τ)

Figure 2. Channel estimation with reciprocity.

It is assumed that the channel changes slowly. Through channel estimation, different estimates of the same channel characteristics can be obtained based on multiple symbols in pilot signals. Because of the high correlation between SAlice and SBob, they can be viewed as sequences generated by a set of independent identically distributed random variables. The inconsistency can be seen as a disturbance of the random variable V. And the sequence set is VL. According to the typical set theory, there is following lemma [10]:

Lemma1: With the increase of L, the probability of extracting sequence belonging to a typical sequence is approaching 1.

Proof: The type of sequence is the ratio of the occurrence number for each character in a character set. A distribution of random variables V corresponds to one type. The number of typical sets is defined as N. That is, there are N types. Considering the occurrence probability of random variable V is almost equal, that is, N typical sets will appear in almost equal probabilities.

Theoretical Basis of Secure Authentication

Secure authentication means that the attacker Eve cannot forge or tamper an authenticated message under limited attempts. The traditional authentication theory is based on the difficulty of cracking cryptographic algorithms. In recent years, the technology of physical layer security arises based on information theory. The basic idea may be described as below. When secret communication occurs between legitimate parties, eavesdropper intercepts communication information. If the receiver gets a zero amount of mutual information between the sequence and the transmitted sequence, the communication system is called perfect security (also known as unconditional security). The theory of security capacity is firstly introduced, then followed by the security authentication theory and authentication framework.

which is leaked to the eavesdropper. More specifically, in order to transmit message m , the

sender sends

x



f m

( )

. Here f is a random encoder. After received by the destination node, the

estimated value of the message

m

 

g

( )

y

is obtained. Here g is a decoder. The attacker knows exactly how the system is designed, so it knows the codebook used by the source node. If there is f

and g, 0, positive integer n0_{, for any positive integer n,}  n n0

2nRS

 (1)





Pr M M  (2)

1

( ; )

I M

n Z  (3)

The rate of perfect secrecy Rsis reachable. The perfect secrecy capacity Cs is defined as the

determined upper bound of set Rs. The numerical value satisfies above conditions. It has been proved

that the perfect secrecy capacity is:

max [ ( ; ) ( ; )]

S

U X YZ

C I U Y I U Z 

 

  ₍₄₎

In (4), the function [ ]x  max( , 0)x is established. U is an auxiliary variable and satisfies the

Markov chain

U

 

X

(

YZ

)

.

For all Markov chain U satisfied above situations, then

I U Z

( ; )



I U Y

( ; )

, we call that the wiretap channel noise is lower than the main channel. In other words, it has the advantage of channel. On the other hand, if the wiretap channel noise is not lower than the main channel, there is a distribution to meet

U

 

X

( , )

Y Z

,

I U Y

( ; )



I U Z

( ; )

. Hence perfect secrecy capacity is nonzero. In the Wiretap channel model, the source node and the destination node need not pre- distribution key. With the use of codebook which have higher bit rate than the rate of security information (the message is mapped to several different codewords), the perfect security of communication can be achieved. Typically, the codeword rate is set to a rate that can be supported by the source-destination channel. It enables the legitimate receiver to correctly recover the codeword at that rate. But the rate is too high for attackers to decode.

Channel Coding for Secure Authentication. The secure encoding method uses the advantage of channel to achieve the perfect security. If the wiretap channel noise is greater than the main channel

noise, there is an input distribution PX _{to satisfy ( ; )}I X Y I X Z( ; )0_{. Thus, for a given N (where N}

is related to the security capacity), there is a positive integer n1_,  n n0_{, that satisfies the conditions:}

[ ( ; ) ( ; )]

2n I X Y I X Z N (5)

Similarly, for a given message space and N, there is a positive integer n2, n n2, that

satisfies the condition:

( ; )

2nI X Y  M * N (6) According to Shannon coding theorem, as long as the code length n is long enough, there is a channel codebook C between Alice and Bob. C has ₂nI X Y( ; ) _{codewords which make the maximum}

error probability of the decoding to be arbitrarily small.

does not know the codeword corresponding to the message M. Moreover, through the eavesdropping process Eve still cannot improve the success rate of attack, and then it becomes security authentication coding.

Here we need to generate a codebook for secure authentication coding. It is referred to the encoding scheme for DMC channels [11]. Specifically, the source node assigns a unique index for a ε-strong typical sequence, and the non-typical sequence is uniformly numbered 0. hˆab

 

t , hˆae

 

t , hˆba



t



,





ˆ be

h t are written as S S V V₁, ₂, ,_{1 2}. The amount of private information is I S S V V



1; 2 1, 2



, which can

be obtained from S S V V1, 2, ,1 2. At most, codebook is contained by 2L H S V V 1 1, 2 codewords. The

codebook is divided into N subsets, and every subset is associated with a typical set. Since the length of the message and the typical set satisfy (6), the number of codewords in each subset is greater than M . The source node then divides each subset into M binary codewords, each of which represents a message. The following figure shows the structure of the codebook.

Subset 1 _{Subset N}

Codeword 1 _{Codeword |M|} Codeword 1 Codeword |M|

Figure 3. Code book used in secure authentication coding scheme.

Security Authentication Framework

Alice and Bob transmit pilot signals firstly, and then channel estimation is carried out. Thus, highly correlated channel information sequences SAlice and SBob are obtained. Eve implements passive eavesdropping in this process and obtains SEve.

Alice attempt to sending the message M to Bob. After encoding, Alice obtained sequences n X . The encoding function is defined as f: M, SAlice->Xn.

Through a noisy channel, Bob receives n

Y . After decoding, the message M is restored or the message is rejected. Decoding function g is g: n

Y , S_Bob->M∪{}. The  indicates that decoding is failure, or the message is not from Alice.

The codebook consists of N* M codewords. The channel information sequences corresponds to N typical sets. Each message corresponds to one of the subsets.

Eve attempts to make the Bob accept the messages sent by him. For the sake of simplicity, it is assumed that the coding function and the codebook are public. Eve knows all the details except the relevant sequence.

Security Analysis

Now we discuss authentication security. The so-called security authentication is under the limited attack of Eve, the probability of successful attack is negligible. We hope that Eve can't forge an authenticated message through listening channel and dynamically modifying the received message.

Eve can eavesdrop the output of the channel, and can initiate active attacks. There are mainly following two kinds of attacks:

(1)Impersonation attack

Eve can block normal communications during the authentication process. Eve sends messages to Bob, expecting to be authenticated as Alice.

(2) Substitution attack

success rate of substitution attack will gradually increase. If encoding and decoding can make the eavesdropper to obtain zero information of the key, then the attacker's ability is limited to the level of guessing the key. In this case, the substitution attack is the same as the impersonation attack.

The success rate of Eve attack is defined as PD, and the success rate of impersonation attack is PI, and the success rate of substitution attack is PS. There are:

𝑃_𝐷 = max {𝑃_𝐼, 𝑃_𝑆} (7) Because the substitution attack contains process of impersonation attack, its success rate is slightly higher: P_I < P_S. The following analysis is about the success rate of Eve authentication attacks, that is, the upper and lower bounds of PD.

The Lower Bound on the Success Rate of Authentication Attacks

Firstly, the lower bound of authentication performance is discussed, which means the minimum of PD. According to the previous assumptions, Eve knows the codebook of channel coding. It is also known that the codebook is divided into N groups, but does not know which subset of the codebook is used. Since the probability of every typical set appears almost equally, impersonation attacks by guessing of Eve is taken into account. Eve randomly selects a typical set, with a probability of success of 1/N. Without proof, the following theorem is given:

Theorem 1: the lower bound of the success rate of attacks is1/N.

The Upper Bounds on the Success Rate of Authentication Attacks

In this model, the correlation between SAlice and SBob is higher than SEve. These three sequences have the advantage of mutual information, that is:

(S_Alice;S_Bob) > (S_Alice;S_Eve)

I I (8)

( _Alice; _Bob) > ( _Bob; _Eve)

I S S I S S (9) Based on the wiretap channel model, Csiszar proposes the "strong security" Wiretap channel coding [12]. Defines a wiretap channel codebook , and P(x,z) is the joint distribution. ( )Q z is the

edge distribution of z. P(x|z) =P(x,z)

Q(z) is the the conditional distribution when Z = z.

A division of is { ,₁ , _N}. It is defined as a map f : { ,₁ , _N}. k is introduced here

to indicate a subscript. Since Qk is conditional distribution of z, when the input is a evenly distribution on k. That is

( ) ( , ) / ( )

k

k k

x

Q P x z P







z

(10)

( ) ( ) ( , ),

1

N

av k k

k

d f P d Q Q







(11)

( _k, ) _k( ) ( ) k

d Q Q Q Q







z  z

1

(12)

Here d Q Q( _k, ) is the distance between the distribution Qk and

Q

. When (d Q Qk, ) is zero,

observing through the output of the channel Zn, Eve unable to distinguish any subset k from . Intuitively, if properly chosen and f , d_av( )f can be made as available arbitrarily small. In the

given output z, the transmitted codeword x comes from the subset k, and Eve cannot obtain any

Lemma 2[5,13]: Consider a wiretap channel ( , ), and choose  > 0. Suppose  n is

a type class with P x( ) bounded away from 0, and such that I X Y( ; ) > I(X; Z) + 2



. Then, there exist

a codebook with size 2n I X Y[ ( ; )]

, drawn from P, and equal-size disjoint subsets 1, , N of

with [ ( ; ) ( ; ) 2 ]

2n I X Y I X Z

N    , such that N k

  is the codeword with exponentially small average probability of error for the main channel  . Moreover, the partition function f : { ,1 , }N

of with f1( )k  _k,k1, ,N has exponentially small d_av( )f for the distribution defined on by

( , ) 1 ( | ), , n C

P x z  P z x x z _{. Furthermore, I N( ; )Z is exponentially small.}

Proof: see [13].

By lemma 2, dav( )f is exponentially small, assuming that:

d_av(f) = ε₁ = e−nα ₍₁₃₎

Consider the set of Eve observations Zn is divided into two parts. One is a small set U, which make

d(z) to be smaller, the remaining part is the complement _U. There is the following definition:

U ≜ {z: d(z) > √ε1} (14)

Based on lemma 2, choose integers n1 and n2 to meet the following:

1 1

1

( ) E

min

K K H B B K K F      

P P I

P P ₍₁₅₎

   

 

2 ; ; 2

2n I X Y I X Z  N (16) Then select n so that n>max{n₁, n₂}. By analyzing the success rate of substitution attacks P_S, we can obtain the following theorem.

Theorem 2: the upper bound of success rate of attacks is 1

N+ ε′. When the codeword length n

approaches infinity, ε′ approaches 0.

Proof: Firstly, rewrite d_av( )f in lemma 2:

( ) | ( ) ( ) ( ) ( ) |

n N

av k k k

k z Z

d f P C Q z P C Q z

  

 

 1 =

   

n z Z

Q z d z





(17)

d(z) = | ( | ) ( ) |

N

k k

k

P C z P C

 



1 = | ( | ) | N k k

P C z N  



1 1 (18)

The second equation is established because the channel inputs are uniformly distributed. According to the definition of U,U, and (18), it is available:

d_av(f) = ∑ Q(z)d(z)

z∈U

+ ∑ Q(z)d(z)

z∈U

Take (13) into consideration, for z ∈ U, there are the following inequality:

√ε1∑ Q(z) z∈U

≤ ∑ Q(z)d(z)

z∈U

≤ d_av(f) ≤ ε₁

After collation:

max {kP(k|z) − 1

N} ≤ | ( | ) | N

k k

P C z N







1

1

=d(z)_{≤ √ε1}

So:

max_{kP(k|z) ≤ √ε1}+1

N (20)

Then:

P_S ≤ ∑ P(z) max_{z k}P(k|z)

= ∑z∈UP(z) maxkP(k|z)+ ∑_z∈U P(z) maxkP(k|z)

(a)≤ ∑z∈UQ(z)+ √ε1+ 1 N

(b) ≤ √ε1+ √ε1+ 1 N

(c) ≤ 1

N+ 2e −nα/2

Inequality (a) was established because of maxkP(k|z) ≤ 1. Inequality (b) is established because

of (19). Inequality (c) is established because of (20).

Defining ε′ = 2e−nα/2_{, when n tends to infinity, ε′ tends to 0. Proof complete!}

From theorem 2, we can see that the upper bound of the substitution attack and the lower bound of the impersonation attack approach to 1

N when the codeword length n is approaching infinity. That is to

say, the success rate of Eve’s attack coincides with the upper and lower bounds.

Summary

As mentioned above, the requirements for authentication security are channel correlation advantages. This is lower than the requirement of secure transmission. From the point of view of information theory, the private information shared by Alice and Bob forms advantage. Because the estimation of channel can be continues during communication, it ensures the freshness of the extracted sequence. The authentication framework described in this paper does not need to design and implement complex cryptographic algorithms. Because the channel is closely related to the physical location, this method can be used as a useful supplement to high-level authentication. It is easy to realize double authentication of key and location. This paper theoretically proves the feasibility of authenticating sequences by means of reciprocal channel characters. There is a coding method combining authentication code with channel coding, which can realize the security of authentication. However, this encoding requires that the code length approach infinity. How to design a computationally feasible coding may be next problem.

Acknowledgement

The authors would like to thank the reviewers for their detailed reviews and constructive comments. This paper was significantly strengthened because of their inputs. This work is supported in part by National High-Tech Research & Development Program of China (863 Program) SS2015AA011306; National Natural Science Foundation of China under Grants No.61601514, 61401510, 61521003, 61501516 and Project funded by China Postdoctoral Science Foundation: 2016M592990.

References

[1] P. L. Yu, J. S. Baras, and B. M. Sadler. Physical-layer authentication. IEEE Trans. Inf. Forensics Security, vol. 3, pp. 38-51, Mar. 2008.

[2] Simmons, G J. Authentication theory/coding theory. In Proc CRYPTO84 on Advances in Cryptology. NewYork, NY, USA, pp.411-431, Springer-Verlag Inc. Aug.1985.

[4] I Csiszár, J Kőrner. Broadcast channels with confidential messages[J]. IEEE Trans. Inf. Theory, 24(3):339-348, May 1978.

[5] Lai Lifeng, ElGamal, H, and Poor, HV. Authentication over noisy channels[J]. IEEE Trans.Inf.Theory, vol.55, pp.906-916, Feb.2009.

[6] Xiao Liang, Greenstein L J, Mandayam N B, et al. Fingerprints in the ether: Using the physical layer for wireless authentication[OL]. http://arxiv.org/abs/0907.4877v1, 2009.

[7] Wu Xiaofu, Zhen Yan, Cong Ling, et al. A physical-layer authentication assisted scheme for enhancing 3GPP authentication[OL]. http://arxiv.org/abs/1502.07565, 2015.

[8] Liu Ruoheng, Wade Trappe. Securing Wireless Communications at the Physical Layer[M]. Springer New York Dordrecht Heidelberg London, 2010.

[9] Jakes W C. Microwave Mobile Communications[M]. Piscataway, NJ, USA, Wiley-IEEE Press,1993:11-50

[10] Thomas M Cover, Joy A Thomas. Elements of Information Theory[M]. Wiley-Blackwell, USA, July. 2006.

[11] I Csiszár, J Körner. Information Theory: Coding Theorems for Discrete Memoryless Systems[M]. New York, Academic, 1981.