Practical Physical Layer Security Schemes for MIMO-OFDM Systems Using Precoding Matrix Indices

of 15
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Related Documents
1 Practical Physical Layer Security Schemes for MIMO-OFDM Systems Using Precoding Matrix Indices Chih-Yao Wu, Pang-Chang Lan, Ping-Cheng Yeh, Member, IEEE, Chia-Han Lee, Member, IEEE, and Chen-Mou Cheng Abstract—In physical-layer security, secret bits are extracted from wireless channels. With the assumption of channel reci- procity, the legitimate users share the same channel which is independent of the channels between the legitimate users
  1 Practical Physical Layer Security Schemes forMIMO-OFDM Systems Using Precoding MatrixIndices Chih-Yao Wu, Pang-Chang Lan, Ping-Cheng Yeh,  Member, IEEE  , Chia-Han Lee,  Member, IEEE  , andChen-Mou Cheng  Abstract —In physical-layer security, secret bits are extractedfrom wireless channels. With the assumption of channel reci-procity, the legitimate users share the same channel whichis independent of the channels between the legitimate usersand the eavesdropper, leading to secure transmissions. However,practical implementation of the physical layer security facesmany challenges. First, for the correlated channel such as themultiple-inputand multiple-output(MIMO) channel, the securityis decreased due to the correlation between the generated secretbits. Second, the nearby eavesdropper posts a security threatdue to observing the same channel as the legitimate user’s.Third, the eavesdroppers might try to reconstruct the wirelessenvironments. In this paper, we propose two practical physicallayer security schemes for the MIMO orthogonal frequency-division multiplexing (MIMO-OFDM) systems: the precodingmatrix index (PMI)-based secret key generation with rotationmatrix (MOPRO) and the channel quantization-based (MOCHA)scheme. The former utilizes PMI and rotated reference signalsto prevent the eavesdroppers from learning the secret keyinformation and the latter applies channel quantization in orderto extract more secret key bits. It is shown that not only the securecommunication but also the MIMO gain can be guaranteed byusing the proposed schemes.  Index Terms —Physical-layer security, MIMO-OFDM, secretkey generation, cryptography, precoding matrix index. I. I NTRODUCTION Making confidential transmissions over wireless environ-ments is a critical issue. Recently, building secure transmissionschemes on physical layer (PHY) has drawn great research in-terest. The research on physical-layer security can be classifiedinto two categories: security schemes without secret key andthe key-based schemes. In his seminal work, Wyner introducesthe concept of wiretap channel [1]. His theoretical investiga-tion has aroused many proposals on achieving information-theoretic secrecy without the help of the traditional cryptogra-phy key, such as [2]–[4]. On the other hand, generating secretkeys via correlated randomness provides another direction of research on physical layer security. The idea, simultaneouslybrought up by Maurer [5] and Ahlswede and Csiszár [6], is tofocus on the information-theoretic secret key distribution. Thesecure transmission is then achieved by using the conventionalsymmetric-key cryptography.For the key-based physical layer security systems, the wire-less transmission medium is considered a promising choice of the randomness source for secrecy extraction since the richscattering in wireless environments results in different multi-path fading at each mobile terminal. If the channel reciprocityholds, the physical channels are only shared among legitimateusers and inaccessible to the malicious users, providing away for the secret key generation. However, several recentpublications point out the vulnerabilities of this approach. In[7], a simple attack method is proposed to break the securityof channel reciprocity-based key generation schemes. By esti-mating the reference signals 1 transmitted by legitimate nodes,an eavesdropper is able to acquire the channel informationbetween itself and the legal parties, reconstruct the wholephysical surroundings, and then simulate the channels fromthe reconstructed wireless environments. Another threat comesfrom the nearby eavesdroppers [9]. It is usually believed thatthe wireless channels are independent by a distance of severalwavelength. Unfortunately, some experiments on examiningthe channel correlation have shown that this argument may bequestionable—the wireless channels are highly correlated eventhough the two users are separated by  one meter   [9]. Anotherproblem is the MIMO channel correlation between antennas,which results in the bit correlation of the generated secretkeys. As a result, several issues for the reciprocity-based keygeneration schemes should be emphasized: The first one is therisk of the channel estimation through the reference signals,the second one is the nearby eavesdropper problem which isoften ignored by the reciprocity-based schemes, and the lastone is the problem of correlated secret key bits.In this paper, a multiple-input and multiple-output (MIMO)orthogonal frequency-division multiplexing (OFDM) physicallayer key generation scheme utilizing the precoding matrixindex (PMI) and rotated reference signals, called MOPRO,is proposed. It is well known that the performance of aMIMO system can be enhanced by precoding at the transmitter[10], i.e., multiplying the signal vector by a matrix beforetransmission. With the optimal precoding at the transmitter,the MIMO channel can be transformed into parallel subchan-nels, and the optimal channel capacity can be achieved. Inorder to reduce the feedback overhead and the complexity,typically there is a universal codebook consisting of a fi-nite number of precoding matrices. Due to different channelrealizations between the transmitter-legal receiver and the 1 Reference signals are signals with predefined patterns known by both thetransmitter and receiver in advance. The transmitter sends the reference signalto the receiver, which estimates channel based on the reference signal. Thereis no restriction on the type of reference signals in this paper. One example isCRS [8] which is defined by the 3rd Generation Partnership Project (3GPP)community.  2 transmitter-eavesdropper pairs, the precoding matrix is onlyknown between the transmitter and the legal receiver. Theprecoding matrix indices can then be used as secret keys.To prevent the threats mentioned earlier, we introduce theidea of rotating the reference signal by multiplying it witha unitary matrix, which is inspired by the work by Cheng et al.  [11]. The secrecy information is hidden in the rotatedreference signals and the secret key information is obtainedduring the channel estimation procedure. With the proposedMOPRO scheme, the key disagreement probability is signifi-cantly reduced and the communication overhead of the publicdiscussion is decreased. Moreover, the proposed system resiststhe attacks from the malicious users and resolves the nearbyeavesdropper problem. In addition, the generated secret keybits are uniformly distributed, avoiding the channel correlationproblem. The greatest thing of all, with the proposed scheme,the security can be achieved and the MIMO precoding gainon system capacity can also be achieved without modificationon traditional MIMO precoding operations.We also design a channel quantization-based MIMO-OFDMscheme, called MOCHA, to utilize the whole channel matrix.Although it is able to generate more secret bits than usingits corresponding precoding matrix, embedding secrecy in theentire channel matrix makes the rotation on reference signalsnon-unitary, increasing the channel estimation error. Thus, thisscheme is only suitable for the high signal-to-noise ratio (SNR)scenarios.With the proposed MOPRO or MOCHA key generationmechanism, the shared secret key can be used as the seed togenerate pseudo random bit sequences, and then secure MIMOcommunications can be achieved by using a stream cipher orany other cryptographic techniques.The rest of this paper is organized as follows. The relatedwork is reviewed in Sec. II. The background introduction of the MIMO precoding and the system setup are described inSec. III. PMI-based secret key generation schemes are de-scribed in Sec. IV, and the channel quantization-based schemeis shown in Sec. V. Sec. VI then discusses the difficulties of analysis by information-theoretic approaches. In Sec. VII, theperformances of the proposed MOPRO and MOCHA schemesare evaluated and discussed. Conclusions are addressed inSec. VIII.II. R ELATED  W ORK Although the information-theoretic bounds on the secrecyextraction from the wireless channel can be derived [5], [6],how to design a practical key agreement scheme to achievethe secret key capacity remains an open problem [12]. Inhis paper, Maurer provides two fundamental steps to forma feasible key agreement protocol: information reconciliationand privacy amplification [13], [14] (see also the paper byJana  et al.  [15]). Information reconciliation aims at generatingtwo identical sequences based on the random observationsat the two legitimate users. The public discussion channelhelps legal users to communicate with each other to obtain thesame sequence. After the generation of the identical sequences,information discussed through the public channel, which isrevealed to the passive attacker, should be wiped out. Inthe step of privacy amplification, the secret key is extractedfrom the sequences generated in the information reconciliationphase by linear mapping or using universal hash function[16] to eliminate the information leakage during the publicdiscussion [17].For secrecy extraction from the channel state information,an intuitive way is to quantize the complex channel coefficientsdirectly. The phase information [18], [19] or the amplitudeinformation [20], [21] of the complex channel can be uti-lized to generate secret keys. Nevertheless, when consideringthe practical situation with channel estimation error, thoseschemes usually have poor key agreement probability. Tomake the direct channel quantization more robust, protocolsutilizing the public discussion channel based on the principlesof information reconciliation and privacy amplification aredesigned to improve the key agreement probability [22]–[24].Due to the increased degree of freedom in the widebandchannel and the MIMO channel, more secret bits are expected.The problems of secret sharing and the information-theoreticbounds in wideband systems are discussed in [25], [26]. Due tothe channel correlation in the MIMO systems, direct channelquantization faces the problem that the generated secret keybits are correlated instead of uniformly distributed, resultingin the significant reduction in the security level. Jana  et al. address the problem of correlation in the bit sequences throughthe use of universal hash functions [15]. It is also possible todecorrelate the channels, but the price is the extremely highfeedback overhead for the decorrelation vectors [27], [28].This paper proposes MOPRO and MOCHA to  simultane-ously  combat the three threats mentioned at the beginning of this paper. Although the close eavesdropper problem may betackled by using reconfigurable antennas [29]–[31], MOPROand MOCHA are the first schemes that solve the closeeavesdropper problem through digital signal processing, whichresults in a lower implementation cost. The method proposedby Chen  et al.  [22] may look similar to the MOCHA schemeproposed in this paper, but there are actually several differ-ences. Their method requires both Alice and Bob to estimatethe wireless channel by normal reference signals in advance,and the product of the secret key matrix and the channel matrixare transmitted through public discussion. As a result, Evemay guess the wireless channel between Alice and Bob bythe method in [7]. After gaining the channel information, Evecan successfully decrypt the secret key information from thepublic discussion. On the other hand, MOCHA rotates thereference signals, and both Alice and Bob estimate the secretkeys through channel estimation. The abovementioned risk isavoided.III. S YSTEM  S ETUP In this section, we first review the MIMO-OFDM precodingscheme, and then the system model is introduced. The nota-tions in this paper are as follows.  ( · ) † denotes the Hermitian. ( · ) ∗ represents the conjugate.  ( · ) T  stands for the transposition. C m × n is the set of   m  by  n  complex matrices. ⌈·⌉ is the ceilingfunction.  ( · ) − 1 means the matrix inversion.  3 Fig. 1. System model.  A. MIMO with Precoding Precoding is an operation for the MIMO system to utilizethe best subchannel gains. After precoding, the optimal chan-nel capacity can be achieved by appropriately allocating thetransmission power to subchannels following the water-fillingprinciple [10], [32]. A MIMO channel  H  can be decomposedusing the singular value decomposition (SVD) [33] and obtain H  =  UΣV † , where  U  and  V  are complex unitary matrices,and  Σ  is a rectangular diagonal matrix with non-negativereal numbers on the diagonal. Love and Heath prove thatthe optimal precoding matrix  ¯V  is which consists of thefirst several columns of the right singular vectors  V  [34].The optimal precoding matrix requires the full channel stateinformation (CSI) to be available at the transmitter side, whichis, unfortunately, impractical due to the feedback overhead. In-stead, the codebook-based precoding, which strikes a balancebetween the feedback overhead, the equalizer complexity, andthe system performance [35], has been widely adopted by themodern communication standards such as LTE and WiMAX[36]. A universal codebook consisting of a finite numberof precoding matrices is shared among the communicationterminals, and each precoding matrix in the codebook has anindex called precoding matrix index (PMI). The suboptimalprecoding matrix is selected from the codebook by the receiverand the corresponding PMI is then sent to the transmitter.In the MIMO-OFDM system, the transmitter first sends outa reference signal for the receiver to estimate the channelmatrix  H . Note that the channel here stands for the channelon a subcarrier or on certain OFDM subcarriers. The receiverfinds the precoding matrix and its corresponding PMI from theuniversal codebook   F   that maximizes the following channelcapacity [37]: C  H , F  = log 2  det  I n  +  E  s n s σ 2 F † H † HF  ,  (1)where  I n  is the identity matrix with  n  denoting the minimumnumber of antennas at the transmitter and the receiver,  E  s is the total power of the transmitted signal vector,  n s  isthe number of data,  σ 2 is the noise variance, and  F  is theprecoding matrix. The best precoding matrix  ˆ F  from thecodebook   F   is ˆ F = argmax F ∈F  C  H , F .  (2) Alice Bob Eve Start secure communication Collect PMI (secret key)   Fig. 2. Signaling procedure of the MOP scheme. Note that the optimal precoding matrix is constructed from theright singular vectors (RSV).  B. System Model The system model is shown in Fig. 1. Let us considerthree users, Alice, Bob, and Eve, and three wireless MIMOchannels,  H AB ,  H AE  , and  H BE  . The source user, Alice,wants to transmit confidential messages to the destinationuser, Bob, through  H AB . Due to the broadcasting natureof wireless channels, these messages will be overheard bythe eavesdropper, Eve, through  H AE  . If Bob transmits somesignals to Alice, those signals will also be overheard byEve through  H BE  . It is assumed that the MIMO-OFDM-based system uses time-division duplexing (TDD) and theMIMO channel reciprocity holds in the transposed form, i.e., H AB = ( H BA ) T  . Perfect channel reciprocity is assumedthroughout this paper, and scenarios with imperfect channelreciprocity are left to future work. Alice, Bob, and Eve areassumed to be equipped with  M  A ,  M  B , and  M  E   number of antennas respectively. Note that there is no restriction on Eve’slocation.The universal codebook containing precoding matrices andthe corresponding PMIs is available to Alice, Bob, and Eve.Both Alice and Bob use the MIMO channel capacity functionfor the PMI estimation, which is also known by Eve. Themapping between precoding matrix and secrecy key sequenceis a predefined, public information. Alice, Bob, and Eve havethe knowledge of this mapping in advance. The protocol usedby Alice and Bob is known by Eve, too. Eve is assumed tobe a passive attacker who will not jam the channel or falsifythe public discussion between Alice and Bob.IV. PMI- BASED  S ECRET  K EY  G ENERATION Due to different channel realizations between thetransmitter-legal receiver and the transmitter-eavesdropper  4 pairs, the precoding matrix of a MIMO system is onlyknown between the transmitter and the legal receiver. Theprecoding matrix indices can thus be used as secret keys. Inthis section, we describe the proposed PMI-based secret keygeneration schemes. We first show the design based solely onthe PMI, called MOP, and explain the risks. Then, MOPRO,the scheme based on both the PMI and the rotated matrix, isintroduced.  A. The MOP Scheme In a typical MIMO system with codebook-based precoding,Alice acquires PMI via the feedback from Bob, and Evecan easily detect the PMI through eavesdropping. Now let usconsider this: What if the PMI is not fed back to Alice, andinstead, Bob sends the same reference signal to Alice? Underthe assumption of channel reciprocity, i.e.,  H AB = ( H BA ) T  ,Alice and Bob are able to compute the same PMI, but Eve isunable to obtain the PMI if  H AE  and H BE  are independent to H AB and  H BA , respectively. The PMI, only shared betweenAlice and Bob, can be used as secret keys. This is what exactlyMOP does.We know that the estimated precoding matrix has theminimum  chordal distance  from the optimal precoding matrix,which spans the same space by the right singular vectors of the channel matrix. Therefore, the estimated precoding matrixcan be regarded as a quantized version of the space spannedby the right singular vectors. To extract more secret bits fromthe channel matrix, the transposed channel matrix can alsobe used for the PMI estimation to utilize the left singularvectors (LSV). To fully utilize the channel information on eachsubcarrier, the channel estimation results in the same subbandare averaged. This channel averaging method is similar towhat is described in [28]. While [28] aims at the temporallyand spatially correlated channels, MOP applies this method tothe correlated channels in frequency domain. If the channelestimation errors on each subcarrier are independent, thevariance of the error can be reduced by a factor proportionalto the number of the correlated channels in one subband.The signaling procedure of the MOP scheme is depictedin Fig. 2, and the steps of the MOP scheme are detailed asfollows.1) Alice transmits a reference signal  r  ∈  C M  A × N  r forBob to make channel estimation.  N  r  is the length of the reference signal.2) Bob estimates the channel on a single subcarrier or asubband which consists of several subcarriers, dependingon the channel coherence bandwidth and the precodinggranularity.  H ABk  ∈  C M  B × M  A is acquired for the  k thsubcarrier at Bob’s side.3) Bob computes the averaged channel  H AB = 1 n  nk =1 H ABk  for the subband consisting of   n  subcarri-ers.4) Bob conducts the corresponding precoding matrix ˆ F Bob , RSV  = argmax F C  H AB , F , where  ˆ F Bob , RSV  ∈ C M  A × n s . Bob regards the PMI  i Bob , RSV  of the precod-ing matrix  ˆ F Bob , RSV  as a key and puts it into his keyset  K Bob .5) Bob collects the PMI  i Bob , LSV  by finding  ˆ F Bob , LSV  =argmax F C  ( H AB ) T  , F , where  ˆ F Bob , LSV  ∈  C M  B × n s , andputs it into  K Bob , too.6) During the next time slot, Bob sends a sounding ref-erence signal to Alice. Alice finds the correspondingprecoding matrices  ˆ F Alice , RSV  and  ˆ F Alice , LSV . Alicethen puts i Alice , LSV  and  i Alice , RSV  into its key set K Alice .7) Repeat steps 3 to 6 for all subbands in the OFDMsystem.8) Alice uses a stream cipher to encrypt data  X   with thekey set  K Alice , along with the SHA-256 digest of   X  in  plaintext  . Afterwards, Alice transmits the encrypteddata to Bob, and Bob decrypts the data using its ownkey set  K Bob . Bob calculates the SHA-256 digest of thedecrypted data, and checks if it matches the receiveddigest. A key agreement error is declared if there is amismatch. During the transmission, MIMO precoding isapplied in order to achieve better performance.Since we assume that the channel reciprocity holds, i.e., H BA = ( H AB ) T  ,  ˆ F Bob , RSV  and  ˆ F Alice , LSV  are the same,and so are  ˆ F Bob , LSV  and  ˆ F Alice , RSV . As a result,  K Bob  and K Alice  are identical. Note that Alice and Bob may drop out-of-date keys to make sure  K Bob  =  K Alice  at any time. Alsonote that a well-designed codebook, e.g., DFT codebook [38],can be easily extended to different size. This means that thecodebook size in the MOP scheme can be adaptively adjustedaccording to the instantaneous condition, thus providing ex-cellent flexibility.  B. Risks of MOP In the reciprocity-based secret key generation schemes, thedistance of the eavesdropper to the legitimate users determinesthe security level. In general, the distance of several wave-length provides nearly independent channels. For the MIMOcase, Eve experiences an even difficult situation—the antennaarrangements and the direction of movement of Alice and Bobhave dramatic impacts on the MIMO channel between them.Nevertheless, some risks might threaten the feasibility andthe security of the reciprocity-based key generation schemes,including MOP. The first risk is the following. If the MIMOchannels have no correlation, it can be expected that thekeys will be uniformly distributed. However, realistic channelsusually have correlation such that the generated keys may havecorrelation, which decreases the security level. This is thecommon risk of the reciprocity-based security schemes. In thepapers by Patwari  et al.  [27] and Chen  et al.  [28], they try tomake the generated key bits uniformly distributed by using thedecorrelation vector. Yet, it is shown that the key disagreementprobability is very high due to the estimation error if Aliceand Bob estimate the decorrelation vector independently. Onthe other hand, if the decorrelation vector is estimated by oneuser and then transmitted to the other user, extremely largecommunication overhead is needed. The second risk comesfrom the channel estimation error. If, unfortunately, duringthe process of finding the optimal PMI, the wireless channel ismapped to a point at the boundaryof two different quantizationregions, Alice and Bob might estimate the biased keys and fail


Jul 23, 2017
Related Search
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks