physical layer security for wireless networksulukus/papers/talks/lts-talk...physical layer security...

Physical Layer Security for Wireless Networks

Sennur Ulukus

Department of ECE

University of Maryland

[email protected]

Joint work with Shabnam Shafiee, Nan Liu, Ersen Ekrem, Jianwei Xie and Pritam Mukherjee.

LTS, August 22, 2013.

1

Security in Wireless Systems

• Inherent openness in wireless communications channel: eavesdropping and jamming attacks

Bob

Alice

Eve

2

Security in Wireless Systems

A

B

E

Security and confidentiality problems occur in civilian, military, private organizational networks: ad-hoc, cellular, WiFi, sensor, body-area, etc.

What is the Physical Layer?

The lowest layer of the 7-layer OSI protocol stack.

The level at which bits are transmitted/received.

Countering Security Threats in Wireless Systems

• Cryptography

– at higher layers of the protocol stack

– based on the assumption of limited computational power at Eve

– vulnerable to large-scale implementation of quantum computers

• Techniques like frequency hopping, CDMA

– at the physical layer

– based on the assumption of limited knowledge at Eve

– vulnerable to rogue or captured node events

• Physical layer security


– no assumption on Eve’s computational power

– no assumption on Eve’s available information

– unbreakable, provable, and quantifiable (in bits/sec/hertz)

– implementable by signal processing, communications, and coding techniques

3

Beginnings of Security Research: Shannon 1949

• Noiseless bit pipes to Bob and Eve.

Bob

Eve

Alice

W

W

X X

X

W

• Eve gets whatever Bob gets.

• Secure communications is not possible.

4

Shannon’s 1949 Security Paper

• Noiseless bit pipes to Bob and Eve.

keys

Bob

Eve

Alice

W

X X

X

W W

KK

• One-time pad: X =W ⊕K

• If K is uniform, then X is independent of W . If we know K, then W = X ⊕K.

• For perfect secrecy, length of K (key rate) must be as large as length of W (message rate).

5

Beginnings of Cryptography

• Private key cryptography

– Based on one-time pad

– There are separate secure communication links for key exchange

– Encryption and decryption are done using these keys

• Public key cryptography

– Encryption is based on publicly known key (or method)

– Decryption can be performed only by the desired destination

– Security based on computational advantage

– Security against computationally limited adversaries

– Certain operations are easy in one direction, difficult in the other direction

∗ Multiplication is easy, factoring is difficult (RSA)∗ Exponentiation is easy, discrete logarithm is difficult (Diffie-Hellman)

6

Cryptography versus Physical Layer Security

7

Wyner’s Wiretap Channel

• Wyner introduced the wiretap channel in 1975.

• Major departure from Shannon’s model: noisy channels.

• Eve’s channel is degraded with respect to Bob’s channel: X → Y → Z

BobAlice

W X Y

Z

W

|n

H W Z

Eve

• Secrecy is measured by equivocation, Re, at Eve, i.e., the confusion at Eve:

Re = limn→∞

1n

H(W |Zn)

8

Notions of Perfect Secrecy

• Perfect secrecy is achieved if Re = R

• This is perfect weak secrecy:

limn→∞

1n

I(W ;Zn) = 0

• Also, there is perfect strong secrecy:

limn→∞

I(W ;Zn) = 0

• All capacity results obtained for weak secrecy have been extended for strong secrecy.

• However, there is still no proof of equivalence or strict containment.

9

Capacity-Equivocation Region

• Wyner characterized the optimal (R,Re) region:

R ≤ I(X ;Y )

Re ≤ I(X ;Y )− I(X ;Z)

• Main idea is to split the message W into two coordinates, secret and public: (Ws,Wp).

• Ws needs to be transmitted in perfect secrecy.

• Wp has two roles:

– Carries some information on which there is no secrecy constraint

– Provides protection for Ws by creating confusion for the eavesdropper

10

A Typical Capacity-Equivocation Region


R ≤ I(X ;Y )

Re ≤ I(X ;Y )− I(X ;Z)

• A typical (R,Re) region:

Cs C R

Re

• There might be a tradeoff between rate and its equivocation:

– Capacity and secrecy capacity might not be simultaneously achievable

11

A Typical Capacity-Equivocation Region


R ≤ I(X ;Y )

Re ≤ I(X ;Y )− I(X ;Z)

• A typical (R,Re) region:

Re

R

p(x)

p(x)

b

Cs

CCs

b

• There might be a tradeoff between rate and its equivocation:

– Capacity and secrecy capacity might not be simultaneously achievable

12

Secrecy Capacity

• Perfect secrecy when R = Re.

• The maximum perfect secrecy rate is the secrecy capacity:

Cs = maxX→Y→Z

I(X ;Y )− I(X ;Z)

• Main idea is to replace Wp with dummy indices, Ws, which carry no information.

• In particular, each Ws is mapped to many codewords:

– Stochastic encoding (a.k.a. random binning)

• To send message Ws securely, we send Xn(Ws,Ws) where Ws is random.

• This one-to-many mapping aims to confuse the eavesdropper

13

Main Tool: Stochastic Encoding

• Each message Ws is associated with many codewords: Xn(Ws,Ws).

(1, 1) . . . (1, j)(

1, 2nRs

)

. . .

(i, 1) . . . (i, j)(

i, 2nRs

)

. . .

(2nRs , 1) . . . (2Rs , j)(

2nRs , 2nRs

)

. . .

...

...

...

...

...

...

...

...

...

...

2nRs

2nRs

Stochastic encoding

Message i

Eve’s decoding capability

14

Stochastic Encoding: 64-QAM Example

Bob’s Noise Eve’s Noise

Bob’s Constellation Eve’s Constellation

2log 64 6 b/sB

C 2log 16 4 b/sE

C

2 b/ss B E

C C C

15


Divide Bob’s constellation into 4 subsets.

Message 1

Message 2

Message 3

Message 4

16


All red stars denote the same message. Pick one randomly.

Message 1

Message 2

Message 3

Message 4

17


Bob can decode the message reliably.

Message 1

Message 2

Message 3

Message 4

18


For Eve, all 4 messages look equally likely.

Message 1

Message 2

Message 3

Message 4

19

General Wiretap Channel

• Csiszar and Korner considered the general wiretap channel in 1978.

• Eve’s signal is not necessarily a degraded version of Bob’s signal.

Bob

Alice

X

Y

Z

W

|n

H W Z

VW

Eve

20

General Capacity-Equivocation Region

• General (R,Re) region:

R ≤ I(V ;Y )

Re ≤ I(V ;Y |U)− I(V ;Z|U)

for some (U,V ) such that U →V → X → Y,Z.

• Two new ingredients in the achievable scheme

– V : channel prefixing

– U : rate splitting

21

General Capacity-Equivocation Region

• Contrast with the degraded case

R ≤ I(V ;Y ) R≤ I(X ;Y )

Re ≤ I(V ;Y |U)− I(V ;Z|U) Re≤ I(X ;Y )− I(X ;Z)





22

General Secrecy Capacity

• Contrast with the degraded case

R ≤ I(V ;Y ) R≤ I(X ;Y )

Re ≤ I(V ;Y |U)− I(V ;Z|U) Re≤ I(X ;Y )− I(X ;Z)





• General secrecy capacity expression:

Cs = maxV→X→Y Z

I(V ;Y )− I(V ;Z)

i.e., rate splitting is not needed.

23

Main Tool: Channel Prefixing

• A virtual channel from V to X .

• Additional stochastic mapping from the message to the channel input: W →V → X .

• Real channel: X → Y and X → Z. Constructed channel: V → Y and V → Z.

Bob

W X

Y

Z

W

|n

H W Z

V

Alice

Eve

• With channel prefixing: V → X → Y,Z.

• From DPI, both mutual informations decrease, but the difference may increase.

• The secrecy capacity:

Cs = maxV→X→Y Z

I(V ;Y )− I(V ;Z)

24

Gaussian Wiretap Channel

• Leung-Yang-Cheong and Hellman considered the Gaussian wire-tap channel in 1978.

Y = X +N1 and Z = X +N2

Bob

Alice

X

Y

Z

W

|n

H W Z

W

Eve

• Degraded: No channel prefixing is necessary and Gaussian signalling is optimal.

• The secrecy capacity:

Cs = maxX→Y→Z

I(X ;Y )− I(X ;Z) = [CB −CE ]+

i.e., the difference of two capacities.

25

Caveat: Need Channel Advantage

The secrecy capacity: Cs = [CB −CE ]+

Bob’s channel is better Eve’s channel is better

Bob

Alice

X

Y

Z

W

|n

H W Z

W

Eve

Bob

Alice

X

Y

Z

W

|n

H W Z

W

Eve

positive secrecy no secrecy

Cs =CB −CE Cs = 0

26

Two Recurring Themes

• Creating advantage for the legitimate users:

– computational advantage (cryptography)

– knowledge advantage (spread spectrum)

– channel advantage (physical layer security)

• Exhausting capabilities of the illegitimate entities:

– exhausting computational power (cryptography)

– exhausting searching power (spread spectrum)

– exhausting decoding capability (physical layer security)

27

Obvious Applications with Natural Channel Advantage 1) Near Field Communications

2) Medical Communications 3) Military/Civilian Green Zones

Outlook at the End of 1970s and Transition into 2000s

• Information theoretic secrecy is extremely powerful:

– no limitation on Eve’s computational power

– no limitation on Eve’s available information

– yet, we are able to provide secrecy to the legitimate user

– unbreakable, provable, and quantifiable (in bits/sec/hertz) secrecy

• We seem to be at the mercy of the nature:

– if Bob’s channel is stronger, positive perfect secrecy rate

– if Eve’s channel is stronger, no secrecy

• We need channel advantage. Can we create channel advantage?

• Wireless channel provides many options:

– time, frequency, multi-user diversity via fading

– cooperation via overheard signals

– multi-dimensional signalling via multiple antennas

– signal alignment

28

Fading Wiretap Channel

• In the Gaussian wiretap channel, secrecy is not possible if

CB ≤CE

• Fading provides time-diversity: Can it be used to obtain/improve secrecy?

Bob

X

Y

Z

W

|n

H W Z

W

Alice

Eve

29

MIMO Wiretap Channel

• In SISO Gaussian wiretap channel, secrecy is not possible if

CB ≤CE

• Multiple antennas improve reliability and rates. How about secrecy?

Bob

Alice

XY

Z

W

|n

H W Z

.

.

.

.

.

.

W

Eve

30

Broadcast (Downlink) Channel

• In cellular communications: base station to end-users channel can be eavesdropped.

• This channel can be modelled as a broadcast channel with an external eavesdropper.

Alice

Bob 2

Eve

1 2,W W

X

2Y

Z

Bob 1

1Y

1W

2W

1 2, |

nH W W Z

31

Internal Security within a System

• Legitimate users may have different security clearances.

• Some legitimate users may have paid for some content, some may not have.

• Broadcast channel with two confidential messages.

X

2Y

Bob\Eve 1

1Y

1 2 1ˆ , ( | )

nW H W Y

2 1 2ˆ , ( | )

nW H W Y

1 2,W W

Alice

Bob\Eve 2

32

Multiple Access (Uplink) Channel

• Alice and Charles want to have secure communication with Bob in the presence of Eve.

• Simultaneous multi-message secrecy. Opportunities for deaf cooperation.

Alice

Bob

1W

1X

Y

Z

1 2ˆ ˆ,W W

1 2, |

nH W W Z

Charles

2W 2

X

Eve

33

Interference Channel with Confidential Messages

• Interference results in performance degradation, requires sophisticated transceiver design.

• From a secrecy point of view, interference (overheard signal) results in loss of confidentiality.

Alice

1W 1

X 1Y

2Y

1 2 1ˆ , ( | )

nW H W Y

Charles

2W 2

X

Bob\Eve 1

2 1 2ˆ , ( | )

nW H W Y

Bob\Eve 2

34

Cooperative Channels

• Overheard information at communicating parties:

– Forms the basis for cooperation; results in loss of confidentiality

• How do cooperation and secrecy interact?

• Can Charles help without learning the messages going to Bob?

Charles\Eve

1|

nH W Y

W1

X Y

1Y

2X

W

BobAlice

35

A

D

B

C

Untrusted (but Friendly) Relays

Nodes B and C relay information without being able to decode its content.

Fading Broadcast Channel with Confidential Messages

• Both users want secrecy against each other.

• In a non-fading setting, only one user can have a positive secure rate.

• With full CSIT and CSIR: Gaussian signalling with power control is optimal.

• Ekrem et. al., Ergodic Secrecy Capacity Region of the Fading Broadcast Channel, ICC 2009.

36

The Secrecy Capacity Region

• (Squared) channel gains are exponential random variables with means σ1,σ2, respectively.

0 0.1 0.2 0.3 0.4 0.5 0.6 0.70

0.1

0.2

0.3

0.4

0.5

0.6

0.7

R1

R2

σ1 = σ

2 = 1

σ1 = 1, σ

2 = 0.5

• Fading (channel variation over time) is beneficial for secrecy.

• Both users can have positive secrecy rates in fading (even if they have the same averagequality). This is not possible without fading.

37

Fading Wiretap Channel without CSI

• Fast fading channel: no CSI anywhere.

• Discrete signalling is optimal.

0 1 2 3 4 5 6 7 81

2

3

4

5

6

7

8

9

10

Power

Pos

ition

s of

mas

s po

ints

3points

4points

5points

2points

• Mukherjee et. al., Fading Wiretap Channel with No CSI Anywhere, ISIT 2013.

38

Gaussian MIMO Wiretap Channel

• Multiple antennas improve reliability and rates. They improve secrecy as well.

Bob

Alice

XY

Z

W

|n

H W Z

.

.

.

.

.

.

W

Eve

• No channel prefixing is necessary and Gaussian signalling is optimal. The secrecy capacity:

Cs = maxK:tr(K)≤P

12

log∣∣∣HMKH⊤

M + I∣∣∣− 1

2log

∣∣∣HEKH⊤E + I

∣∣∣• As opposed to the SISO case, CS =CB −CE . Tradeoff between the rate and its equivocation.

• Shafiee et. al., Towards the Secrecy Capacity of the Gaussian MIMO Wire-tap Channel: The2-2-1 Channel, IEEE Trans. on Information Theory, 2009.

39

Cooperative Channels and Secrecy

• How do cooperation and secrecy interact?

• Is there a trade-off or a synergy?

Charles\Eve

1|

nH W Y

W1

X Y

1Y

2X

W

BobAlice

• Ekrem et. al., Secrecy in Cooperative Relay Broadcast Channels, IEEE Trans. on InformationTheory, 2011.

40

Interactions of Cooperation and Secrecy

• Existing cooperation strategies:

– Decode-and-forward (DAF)

– Compress-and-forward (CAF)

• Decode-and-forward:

– Relay decodes (learns) the message.

– No secrecy is possible.

• Compress-and-forward:

– Relay does not need to decode the message.

– Can it be useful for secrecy?

• Achievable secrecy rate when relay uses CAF:

I(X1;Y1,Y1|X2)− I(X1;Y2|X2) = I(X1;Y1|X2)− I(X1;Y2|X2)︸︷︷︸+ I(X1;Y1|X2,Y1)︸︷︷︸secrecy rate of the additional term

wiretap channel due to CAF

41

Gaussian Relay Broadcast Channel (Charles is Stronger)

0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.60

0.02

0.04

0.06

0.08

0.1

0.12

0.14

R1 (bits/channel use)

R2

(bits/channel use)

Joint jamming and relayingRelaying

Alice

Charles/Eve

Bob

R1

R2

• Bob cannot have any positive secrecy rate without cooperation.

• Cooperation is beneficial for secrecy if CAF based relaying (cooperation) is employed.

• Charles can further improve his own secrecy by joint relaying and jamming.

42

Secure Degrees of Freedom: Motivation

• For most multi-user wiretap channels, secrecy capacity is unknown.

• Partial characterization in the high power, P, regime.

• Secure degrees of freedom (d.o.f.) is defined as:

Ds△= lim

P→∞

Cs12 logP

• Rest of this talk:

– Secrecy penalty paid in d.o.f

– Role of a helper for security

– D.o.f. optimal deaf cooperation

– Secure d.o.f. of some multi-user channels

43

Canonical Gaussian Wiretap Channel

• Canonical Gaussian wiretap channel with power P,

Z

h

g

N1

N2

X Y

• The secrecy capacity is known exactly:

Cs =12

log(1+h2P

)− 1

2log

(1+g2P

)• In this case, Cs does not scale with logP, and Ds = 0.

• Severe penalty for secrecy. D.o.f. goes from 1 to 0 due to secrecy.

44

Cooperative Jamming

• Cooperative jamming from helpers improves secure rates [Tekin, Yener, 2008].

g1

Y2 W

Wh1

W X1

N1

N2

Y1

• Secure d.o.f. with i.i.d. Gaussian cooperative jamming is still zero.

• Positive secure d.o.f. by using nested lattice codes [He, Yener, 2009].

• Question: What is the exact secure d.o.f.?

45

Gaussian Wiretap Channel with M Helpers

• The exact secure d.o.f. with M helpers is MM+1 .

• Even though they are independent, more helpers is better.

XM+1

X2

X3 W

Wh1

W X1

g1

N1

N2

Y1

Y2

• Tools: Real interference alignment and structured coding.

• Xie et. al., Secure Degrees of Freedom of the Gaussian Wiretap Channel with Helpers,Allerton Conference, 2012.

46

Secure Signal Alignment with M Helpers

• Alignment for the M = 2 case:

X3

U2

U3

V2 V3 V2 V3 U2

V2 V3

U2U3

U3

X1

X2

Y1

Y2

h1

g1

• The transmitter sends M independent sub-messages.

• M helpers send an independent cooperative jamming signal each.

• Each cooperative jamming signal is aligned with one sub-message at the eavesdropper.

• All cooperative jamming signals are aligned together at the legitimate receiver.

47

Eavesdropper CSI?

• The previous achievable scheme required perfect knowledge of eavesdropper CSI.

X3

V2 V3 U2

U3

V3V2

U2

U3

V2 V3

U2 U3

X1

X2

Y1

Y2

h1

g1

• Generally, it is difficult or impossible to obtain the eavesdropper’s CSI.

• Question: What is the exact secure d.o.f. without eavesdropper CSI?

• The exact secure d.o.f. is still MM+1 .

• Xie et. al., Secure Degrees of Freedom of the Gaussian Wiretap Channel with Helpers and NoEavesdropper CSI: Blind Cooperative Jamming, CISS 2013.

48

Secure Signal Alignment with M Helpers without Eavesdropper CSI

• Alignment for M = 2 helpers without eavesdropper CSI:

X3

U1 V3 U2V2V3V2

U1

U3

U2

U3

U1 U2 U3

V2 V3

X1

X2

Y1

Y2

h1

g1

• The transmitter sends M independent sub-messages and also a cooperative jamming signal.

• M helpers send an independent cooperative jamming signal each.

• All M+1 cooperative jamming signals are blue aligned together at the legitimate receiver.

• All cooperative jamming signals span the entire space at the eavesdropper.

49

Multiple Access Wiretap Channel

• Each user has its own message to be kept secret from the external eavesdropper.

W2

W1 W2

WK XK

WK

WKW1

N1

N2

X1 Y1

Y2

X2

X3W3

W1 W2 · · ·

· · ·

• The exact sum secure d.o.f. is K(K−1)K(K−1)+1 .

• Xie et. al., Secure Degrees of Freedom of the Gaussian Multiple Access Wiretap Channel,ISIT 2013.

50

Secure Signal Alignment for the Multiple Access Channel

• Alignment for the K = 3 case:

V3

U1

U1 U2 U3

U2

U3

V1

V2

X1

X2

Y1

Y2

X3

V1

U2

V2

U3

V3

V1 V2 V3

U1

• Each transmitter divides its own message into K −1 sub-messages.

• The total K jamming signals from the K users span the whole space at the eavesdropper.

• The jamming signals are aligned in the same dimension at the legitimate receiver.

51

Secure Signal Alignment for the Multiple Access Channel

• Alignment for the K = 3 case:

U3

{

Y2

U1 U2

X1

X2

Y1

X3

V1

U2

V2

U3

V3

V1 V2

U1

U2

V1

V2

V3

U1

U3

1

V3

︸︷︷︸

K(K−1)

• Each transmitter divides its own message into K −1 sub-messages.

• The total K jamming signals from the K users span the whole space at the eavesdropper.

• The jamming signals are aligned in the same dimension at the legitimate receiver.

52

Interference Channel with an External Eavesdropper

• External eavesdropper model (IC-EE).

WK

1

W1

W2

Y1 W1

Y2 W2

WK

Z

WK

X1

X2

XKYK

• Secure all messages against the external eavesdropper.

53

Interference Channel with Confidential Messages

• Confidential message model (IC-CM).

WK

W1

W2

W1

Y2 WK

−2W2

WK

−KWK

X1

X2

XKYK

Y1 WK

−1

• Secure all messages against all unintended receivers.

54

Unified Model: Internal and External Security

• Interference channel with confidential messages and one external eavesdropper (IC-CM-EE):

WK

1

W1

W2 Y2 WK

−2W2

WK

−KWK

Z

WK

X1

X2

XKYK

Y1 WK

−1W1

• Secure all messages against the internal unintended receivers and the external eavesdropper.

55

Secure Signal Alignment for the Unified K-User IC-CM-EE

• The exact sum secure dof is K(K−1)2K−1 .

• Added challenge: simultaneous alignment at multiple receivers.U1

V23

V12V13

V23

V31V32

V12 V13

V23

V31 V32

X1

X2

Y1

Y2

X3

U2

U3

Y3

ZU1

U2

U3

U1

U2

U3

V13V12

V23

V31V32

V23U2

U3

U1

V32 V31

V12V13

U3

U1

U2

V31V32

V13 V12

V21

V21

V21

V21

V21

• Xie et. al., Unified Secure DoF Analysis of K-User Gaussian Interference Channels, ISIT2013.

56

Going Back to where We have Started

• Cryptography














57


• Cryptography














58


• Cryptography












– based on the assumption of limited ???????? at Eve



59

Two Recurring Themes

• Creating advantage for the legitimate users:

– computational advantage (cryptography)

– knowledge advantage (spread spectrum)

– channel advantage (physical layer security)

• Exhausting capabilities of the illegitimate entities:

– exhausting computational power (cryptography)

– exhausting searching power (spread spectrum)

– exhausting decoding capability (physical layer security)

60

Three Dimensions of Advantage

• Three known dimensions of advantage: knowledge, computational, channel advantage.

SS

knowledge

advantage

computational

advantage

channeladvantage

b

bb

PLS

Crypto

• Each method uses only one possible dimension of advantage.

61

Hybrid Schemes

• Hybrid schemes: move to another dimension when an advantage is lost.

SS

knowledge

advantage

computational

advantage

channeladvantage

b

bb

PLS

Crypto

hybrid schemes

• Still a single dimension is used.

62

Hybrid Schemes

• Hybrid schemes: move to another dimension when an advantage is lost.

SS

knowledge

advantage

computational

advantage

channeladvantage

b

bb

PLS

Crypto

hybrid schemes

• Still a single dimension is used.

63

Combined Schemes

• Combine and utilize multiple dimensions of advantage

SS

knowledge

advantage

computational

advantage

channeladvantage

b

bb

PLS

Crypto

combined schemes

b

• Multi-dimensional, multi-faceted, cross-layer security.

64

Conclusions

• Wireless communication is susceptible to eavesdropping and jamming attacks.

• Wireless medium also offers ways to neutralize the loss of confidentiality:

– time, frequency, multi-user diversity via fading

– cooperation via overheard signals

– multi-dimensional signalling via multiple antennas

– secure signal alignment

• Information theory directs us to methods that can be used to achieve:

– unbreakable, provable, and quantifiable (in bits/sec/hertz) security

– irrespective of the adversary’s computation power or inside knowledge

• Resulting schemes implementable by signal processing, communications and coding tech.

• Many open problems...

65

physical layer security for wireless networksulukus/papers/talks/lts-talk...physical layer security...

Documents