Description

1
Practical Physical Layer Security Schemes for
MIMO-OFDM Systems Using Precoding Matrix
Indices
Chih-Yao Wu, Pang-Chang Lan, Ping-Cheng Yeh, Member, IEEE, Chia-Han Lee, Member, IEEE, and
Chen-Mou Cheng
Abstract—In physical-layer security, secret bits are extracted
from wireless channels. With the assumption of channel reci-
procity, the legitimate users share the same channel which
is independent of the channels between the legitimate users

All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.

Related Documents

Share

Transcript

1
Practical Physical Layer Security Schemes forMIMO-OFDM Systems Using Precoding MatrixIndices
Chih-Yao Wu, Pang-Chang Lan, Ping-Cheng Yeh,
Member, IEEE
, Chia-Han Lee,
Member, IEEE
, andChen-Mou Cheng
Abstract
—In physical-layer security, secret bits are extractedfrom wireless channels. With the assumption of channel reci-procity, the legitimate users share the same channel whichis independent of the channels between the legitimate usersand the eavesdropper, leading to secure transmissions. However,practical implementation of the physical layer security facesmany challenges. First, for the correlated channel such as themultiple-inputand multiple-output(MIMO) channel, the securityis decreased due to the correlation between the generated secretbits. Second, the nearby eavesdropper posts a security threatdue to observing the same channel as the legitimate user’s.Third, the eavesdroppers might try to reconstruct the wirelessenvironments. In this paper, we propose two practical physicallayer security schemes for the MIMO orthogonal frequency-division multiplexing (MIMO-OFDM) systems: the precodingmatrix index (PMI)-based secret key generation with rotationmatrix (MOPRO) and the channel quantization-based (MOCHA)scheme. The former utilizes PMI and rotated reference signalsto prevent the eavesdroppers from learning the secret keyinformation and the latter applies channel quantization in orderto extract more secret key bits. It is shown that not only the securecommunication but also the MIMO gain can be guaranteed byusing the proposed schemes.
Index Terms
—Physical-layer security, MIMO-OFDM, secretkey generation, cryptography, precoding matrix index.
I. I
NTRODUCTION
Making conﬁdential transmissions over wireless environ-ments is a critical issue. Recently, building secure transmissionschemes on physical layer (PHY) has drawn great research in-terest. The research on physical-layer security can be classiﬁedinto two categories: security schemes without secret key andthe key-based schemes. In his seminal work, Wyner introducesthe concept of wiretap channel [1]. His theoretical investiga-tion has aroused many proposals on achieving information-theoretic secrecy without the help of the traditional cryptogra-phy key, such as [2]–[4]. On the other hand, generating secretkeys via correlated randomness provides another direction of research on physical layer security. The idea, simultaneouslybrought up by Maurer [5] and Ahlswede and Csiszár [6], is tofocus on the information-theoretic secret key distribution. Thesecure transmission is then achieved by using the conventionalsymmetric-key cryptography.For the key-based physical layer security systems, the wire-less transmission medium is considered a promising choice of the randomness source for secrecy extraction since the richscattering in wireless environments results in different multi-path fading at each mobile terminal. If the channel reciprocityholds, the physical channels are only shared among legitimateusers and inaccessible to the malicious users, providing away for the secret key generation. However, several recentpublications point out the vulnerabilities of this approach. In[7], a simple attack method is proposed to break the securityof channel reciprocity-based key generation schemes. By esti-mating the reference signals
1
transmitted by legitimate nodes,an eavesdropper is able to acquire the channel informationbetween itself and the legal parties, reconstruct the wholephysical surroundings, and then simulate the channels fromthe reconstructed wireless environments. Another threat comesfrom the nearby eavesdroppers [9]. It is usually believed thatthe wireless channels are independent by a distance of severalwavelength. Unfortunately, some experiments on examiningthe channel correlation have shown that this argument may bequestionable—the wireless channels are highly correlated eventhough the two users are separated by
one meter
[9]. Anotherproblem is the MIMO channel correlation between antennas,which results in the bit correlation of the generated secretkeys. As a result, several issues for the reciprocity-based keygeneration schemes should be emphasized: The ﬁrst one is therisk of the channel estimation through the reference signals,the second one is the nearby eavesdropper problem which isoften ignored by the reciprocity-based schemes, and the lastone is the problem of correlated secret key bits.In this paper, a multiple-input and multiple-output (MIMO)orthogonal frequency-division multiplexing (OFDM) physicallayer key generation scheme utilizing the precoding matrixindex (PMI) and rotated reference signals, called MOPRO,is proposed. It is well known that the performance of aMIMO system can be enhanced by precoding at the transmitter[10], i.e., multiplying the signal vector by a matrix beforetransmission. With the optimal precoding at the transmitter,the MIMO channel can be transformed into parallel subchan-nels, and the optimal channel capacity can be achieved. Inorder to reduce the feedback overhead and the complexity,typically there is a universal codebook consisting of a ﬁ-nite number of precoding matrices. Due to different channelrealizations between the transmitter-legal receiver and the
1
Reference signals are signals with predeﬁned patterns known by both thetransmitter and receiver in advance. The transmitter sends the reference signalto the receiver, which estimates channel based on the reference signal. Thereis no restriction on the type of reference signals in this paper. One example isCRS [8] which is deﬁned by the 3rd Generation Partnership Project (3GPP)community.
2
transmitter-eavesdropper pairs, the precoding matrix is onlyknown between the transmitter and the legal receiver. Theprecoding matrix indices can then be used as secret keys.To prevent the threats mentioned earlier, we introduce theidea of rotating the reference signal by multiplying it witha unitary matrix, which is inspired by the work by Cheng
et al.
[11]. The secrecy information is hidden in the rotatedreference signals and the secret key information is obtainedduring the channel estimation procedure. With the proposedMOPRO scheme, the key disagreement probability is signiﬁ-cantly reduced and the communication overhead of the publicdiscussion is decreased. Moreover, the proposed system resiststhe attacks from the malicious users and resolves the nearbyeavesdropper problem. In addition, the generated secret keybits are uniformly distributed, avoiding the channel correlationproblem. The greatest thing of all, with the proposed scheme,the security can be achieved and the MIMO precoding gainon system capacity can also be achieved without modiﬁcationon traditional MIMO precoding operations.We also design a channel quantization-based MIMO-OFDMscheme, called MOCHA, to utilize the whole channel matrix.Although it is able to generate more secret bits than usingits corresponding precoding matrix, embedding secrecy in theentire channel matrix makes the rotation on reference signalsnon-unitary, increasing the channel estimation error. Thus, thisscheme is only suitable for the high signal-to-noise ratio (SNR)scenarios.With the proposed MOPRO or MOCHA key generationmechanism, the shared secret key can be used as the seed togenerate pseudo random bit sequences, and then secure MIMOcommunications can be achieved by using a stream cipher orany other cryptographic techniques.The rest of this paper is organized as follows. The relatedwork is reviewed in Sec. II. The background introduction of the MIMO precoding and the system setup are described inSec. III. PMI-based secret key generation schemes are de-scribed in Sec. IV, and the channel quantization-based schemeis shown in Sec. V. Sec. VI then discusses the difﬁculties of analysis by information-theoretic approaches. In Sec. VII, theperformances of the proposed MOPRO and MOCHA schemesare evaluated and discussed. Conclusions are addressed inSec. VIII.II. R
ELATED
W
ORK
Although the information-theoretic bounds on the secrecyextraction from the wireless channel can be derived [5], [6],how to design a practical key agreement scheme to achievethe secret key capacity remains an open problem [12]. Inhis paper, Maurer provides two fundamental steps to forma feasible key agreement protocol: information reconciliationand privacy ampliﬁcation [13], [14] (see also the paper byJana
et al.
[15]). Information reconciliation aims at generatingtwo identical sequences based on the random observationsat the two legitimate users. The public discussion channelhelps legal users to communicate with each other to obtain thesame sequence. After the generation of the identical sequences,information discussed through the public channel, which isrevealed to the passive attacker, should be wiped out. Inthe step of privacy ampliﬁcation, the secret key is extractedfrom the sequences generated in the information reconciliationphase by linear mapping or using universal hash function[16] to eliminate the information leakage during the publicdiscussion [17].For secrecy extraction from the channel state information,an intuitive way is to quantize the complex channel coefﬁcientsdirectly. The phase information [18], [19] or the amplitudeinformation [20], [21] of the complex channel can be uti-lized to generate secret keys. Nevertheless, when consideringthe practical situation with channel estimation error, thoseschemes usually have poor key agreement probability. Tomake the direct channel quantization more robust, protocolsutilizing the public discussion channel based on the principlesof information reconciliation and privacy ampliﬁcation aredesigned to improve the key agreement probability [22]–[24].Due to the increased degree of freedom in the widebandchannel and the MIMO channel, more secret bits are expected.The problems of secret sharing and the information-theoreticbounds in wideband systems are discussed in [25], [26]. Due tothe channel correlation in the MIMO systems, direct channelquantization faces the problem that the generated secret keybits are correlated instead of uniformly distributed, resultingin the signiﬁcant reduction in the security level. Jana
et al.
address the problem of correlation in the bit sequences throughthe use of universal hash functions [15]. It is also possible todecorrelate the channels, but the price is the extremely highfeedback overhead for the decorrelation vectors [27], [28].This paper proposes MOPRO and MOCHA to
simultane-ously
combat the three threats mentioned at the beginning of this paper. Although the close eavesdropper problem may betackled by using reconﬁgurable antennas [29]–[31], MOPROand MOCHA are the ﬁrst schemes that solve the closeeavesdropper problem through digital signal processing, whichresults in a lower implementation cost. The method proposedby Chen
et al.
[22] may look similar to the MOCHA schemeproposed in this paper, but there are actually several differ-ences. Their method requires both Alice and Bob to estimatethe wireless channel by normal reference signals in advance,and the product of the secret key matrix and the channel matrixare transmitted through public discussion. As a result, Evemay guess the wireless channel between Alice and Bob bythe method in [7]. After gaining the channel information, Evecan successfully decrypt the secret key information from thepublic discussion. On the other hand, MOCHA rotates thereference signals, and both Alice and Bob estimate the secretkeys through channel estimation. The abovementioned risk isavoided.III. S
YSTEM
S
ETUP
In this section, we ﬁrst review the MIMO-OFDM precodingscheme, and then the system model is introduced. The nota-tions in this paper are as follows.
(
·
)
†
denotes the Hermitian.
(
·
)
∗
represents the conjugate.
(
·
)
T
stands for the transposition.
C
m
×
n
is the set of
m
by
n
complex matrices.
⌈·⌉
is the ceilingfunction.
(
·
)
−
1
means the matrix inversion.
3
Fig. 1. System model.
A. MIMO with Precoding
Precoding is an operation for the MIMO system to utilizethe best subchannel gains. After precoding, the optimal chan-nel capacity can be achieved by appropriately allocating thetransmission power to subchannels following the water-ﬁllingprinciple [10], [32]. A MIMO channel
H
can be decomposedusing the singular value decomposition (SVD) [33] and obtain
H
=
UΣV
†
, where
U
and
V
are complex unitary matrices,and
Σ
is a rectangular diagonal matrix with non-negativereal numbers on the diagonal. Love and Heath prove thatthe optimal precoding matrix
¯V
is which consists of theﬁrst several columns of the right singular vectors
V
[34].The optimal precoding matrix requires the full channel stateinformation (CSI) to be available at the transmitter side, whichis, unfortunately, impractical due to the feedback overhead. In-stead, the codebook-based precoding, which strikes a balancebetween the feedback overhead, the equalizer complexity, andthe system performance [35], has been widely adopted by themodern communication standards such as LTE and WiMAX[36]. A universal codebook consisting of a ﬁnite numberof precoding matrices is shared among the communicationterminals, and each precoding matrix in the codebook has anindex called precoding matrix index (PMI). The suboptimalprecoding matrix is selected from the codebook by the receiverand the corresponding PMI is then sent to the transmitter.In the MIMO-OFDM system, the transmitter ﬁrst sends outa reference signal for the receiver to estimate the channelmatrix
H
. Note that the channel here stands for the channelon a subcarrier or on certain OFDM subcarriers. The receiverﬁnds the precoding matrix and its corresponding PMI from theuniversal codebook
F
that maximizes the following channelcapacity [37]:
C
H
,
F
= log
2
det
I
n
+
E
s
n
s
σ
2
F
†
H
†
HF
,
(1)where
I
n
is the identity matrix with
n
denoting the minimumnumber of antennas at the transmitter and the receiver,
E
s
is the total power of the transmitted signal vector,
n
s
isthe number of data,
σ
2
is the noise variance, and
F
is theprecoding matrix. The best precoding matrix
ˆ
F
from thecodebook
F
is
ˆ
F
= argmax
F
∈F
C
H
,
F
.
(2)
Alice Bob Eve
Start secure communication Collect PMI (secret key)
Fig. 2. Signaling procedure of the MOP scheme.
Note that the optimal precoding matrix is constructed from theright singular vectors (RSV).
B. System Model
The system model is shown in Fig. 1. Let us considerthree users, Alice, Bob, and Eve, and three wireless MIMOchannels,
H
AB
,
H
AE
, and
H
BE
. The source user, Alice,wants to transmit conﬁdential messages to the destinationuser, Bob, through
H
AB
. Due to the broadcasting natureof wireless channels, these messages will be overheard bythe eavesdropper, Eve, through
H
AE
. If Bob transmits somesignals to Alice, those signals will also be overheard byEve through
H
BE
. It is assumed that the MIMO-OFDM-based system uses time-division duplexing (TDD) and theMIMO channel reciprocity holds in the transposed form, i.e.,
H
AB
= (
H
BA
)
T
. Perfect channel reciprocity is assumedthroughout this paper, and scenarios with imperfect channelreciprocity are left to future work. Alice, Bob, and Eve areassumed to be equipped with
M
A
,
M
B
, and
M
E
number of antennas respectively. Note that there is no restriction on Eve’slocation.The universal codebook containing precoding matrices andthe corresponding PMIs is available to Alice, Bob, and Eve.Both Alice and Bob use the MIMO channel capacity functionfor the PMI estimation, which is also known by Eve. Themapping between precoding matrix and secrecy key sequenceis a predeﬁned, public information. Alice, Bob, and Eve havethe knowledge of this mapping in advance. The protocol usedby Alice and Bob is known by Eve, too. Eve is assumed tobe a passive attacker who will not jam the channel or falsifythe public discussion between Alice and Bob.IV. PMI-
BASED
S
ECRET
K
EY
G
ENERATION
Due to different channel realizations between thetransmitter-legal receiver and the transmitter-eavesdropper
4
pairs, the precoding matrix of a MIMO system is onlyknown between the transmitter and the legal receiver. Theprecoding matrix indices can thus be used as secret keys. Inthis section, we describe the proposed PMI-based secret keygeneration schemes. We ﬁrst show the design based solely onthe PMI, called MOP, and explain the risks. Then, MOPRO,the scheme based on both the PMI and the rotated matrix, isintroduced.
A. The MOP Scheme
In a typical MIMO system with codebook-based precoding,Alice acquires PMI via the feedback from Bob, and Evecan easily detect the PMI through eavesdropping. Now let usconsider this: What if the PMI is not fed back to Alice, andinstead, Bob sends the same reference signal to Alice? Underthe assumption of channel reciprocity, i.e.,
H
AB
= (
H
BA
)
T
,Alice and Bob are able to compute the same PMI, but Eve isunable to obtain the PMI if
H
AE
and
H
BE
are independent to
H
AB
and
H
BA
, respectively. The PMI, only shared betweenAlice and Bob, can be used as secret keys. This is what exactlyMOP does.We know that the estimated precoding matrix has theminimum
chordal distance
from the optimal precoding matrix,which spans the same space by the right singular vectors of the channel matrix. Therefore, the estimated precoding matrixcan be regarded as a quantized version of the space spannedby the right singular vectors. To extract more secret bits fromthe channel matrix, the transposed channel matrix can alsobe used for the PMI estimation to utilize the left singularvectors (LSV). To fully utilize the channel information on eachsubcarrier, the channel estimation results in the same subbandare averaged. This channel averaging method is similar towhat is described in [28]. While [28] aims at the temporallyand spatially correlated channels, MOP applies this method tothe correlated channels in frequency domain. If the channelestimation errors on each subcarrier are independent, thevariance of the error can be reduced by a factor proportionalto the number of the correlated channels in one subband.The signaling procedure of the MOP scheme is depictedin Fig. 2, and the steps of the MOP scheme are detailed asfollows.1) Alice transmits a reference signal
r
∈
C
M
A
×
N
r
forBob to make channel estimation.
N
r
is the length of the reference signal.2) Bob estimates the channel on a single subcarrier or asubband which consists of several subcarriers, dependingon the channel coherence bandwidth and the precodinggranularity.
H
ABk
∈
C
M
B
×
M
A
is acquired for the
k
thsubcarrier at Bob’s side.3) Bob computes the averaged channel
H
AB
=
1
n
nk
=1
H
ABk
for the subband consisting of
n
subcarri-ers.4) Bob conducts the corresponding precoding matrix
ˆ
F
Bob
,
RSV
= argmax
F
C
H
AB
,
F
, where
ˆ
F
Bob
,
RSV
∈
C
M
A
×
n
s
. Bob regards the PMI
i
Bob
,
RSV
of the precod-ing matrix
ˆ
F
Bob
,
RSV
as a key and puts it into his keyset
K
Bob
.5) Bob collects the PMI
i
Bob
,
LSV
by ﬁnding
ˆ
F
Bob
,
LSV
=argmax
F
C
(
H
AB
)
T
,
F
, where
ˆ
F
Bob
,
LSV
∈
C
M
B
×
n
s
, andputs it into
K
Bob
, too.6) During the next time slot, Bob sends a sounding ref-erence signal to Alice. Alice ﬁnds the correspondingprecoding matrices
ˆ
F
Alice
,
RSV
and
ˆ
F
Alice
,
LSV
. Alicethen puts
i
Alice
,
LSV
and
i
Alice
,
RSV
into its key set
K
Alice
.7) Repeat steps 3 to 6 for all subbands in the OFDMsystem.8) Alice uses a stream cipher to encrypt data
X
with thekey set
K
Alice
, along with the SHA-256 digest of
X
in
plaintext
. Afterwards, Alice transmits the encrypteddata to Bob, and Bob decrypts the data using its ownkey set
K
Bob
. Bob calculates the SHA-256 digest of thedecrypted data, and checks if it matches the receiveddigest. A key agreement error is declared if there is amismatch. During the transmission, MIMO precoding isapplied in order to achieve better performance.Since we assume that the channel reciprocity holds, i.e.,
H
BA
= (
H
AB
)
T
,
ˆ
F
Bob
,
RSV
and
ˆ
F
Alice
,
LSV
are the same,and so are
ˆ
F
Bob
,
LSV
and
ˆ
F
Alice
,
RSV
. As a result,
K
Bob
and
K
Alice
are identical. Note that Alice and Bob may drop out-of-date keys to make sure
K
Bob
=
K
Alice
at any time. Alsonote that a well-designed codebook, e.g., DFT codebook [38],can be easily extended to different size. This means that thecodebook size in the MOP scheme can be adaptively adjustedaccording to the instantaneous condition, thus providing ex-cellent ﬂexibility.
B. Risks of MOP
In the reciprocity-based secret key generation schemes, thedistance of the eavesdropper to the legitimate users determinesthe security level. In general, the distance of several wave-length provides nearly independent channels. For the MIMOcase, Eve experiences an even difﬁcult situation—the antennaarrangements and the direction of movement of Alice and Bobhave dramatic impacts on the MIMO channel between them.Nevertheless, some risks might threaten the feasibility andthe security of the reciprocity-based key generation schemes,including MOP. The ﬁrst risk is the following. If the MIMOchannels have no correlation, it can be expected that thekeys will be uniformly distributed. However, realistic channelsusually have correlation such that the generated keys may havecorrelation, which decreases the security level. This is thecommon risk of the reciprocity-based security schemes. In thepapers by Patwari
et al.
[27] and Chen
et al.
[28], they try tomake the generated key bits uniformly distributed by using thedecorrelation vector. Yet, it is shown that the key disagreementprobability is very high due to the estimation error if Aliceand Bob estimate the decorrelation vector independently. Onthe other hand, if the decorrelation vector is estimated by oneuser and then transmitted to the other user, extremely largecommunication overhead is needed. The second risk comesfrom the channel estimation error. If, unfortunately, duringthe process of ﬁnding the optimal PMI, the wireless channel ismapped to a point at the boundaryof two different quantizationregions, Alice and Bob might estimate the biased keys and fail

We Need Your Support

Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks