PMI-based MIMO OFDM PHY Integrated Key Exchange (P-MOPI) Scheme
Pang-Chang Lan, Chih-Yao Wu, Chia-Han Lee, Ping-Cheng Yeh, Chen-Mou Cheng
arXiv: . [cs.IT] Jan
Pang-Chang Lan†, Chih-Yao Wu†, Chia-Han Lee‡, Ping-Cheng Yeh†, and Chen-Mou Cheng†‡
† Department of Electrical Engineering and Graduate Institute of Communication Engineering, National Taiwan University, Taipei, Taiwan
‡ Research Center for Information Technology Innovation, Academia Sinica, Taipei, Taiwan
Abstract—In [1], we have proposed the MIMO-OFDM PHY integrated (MOPI) scheme for achieving physical-layer security in practice without using any cryptographic ciphers. The MOPI scheme uses channel sounding and physical-layer network coding (PNC) to prevent eavesdroppers from learning the channel state information (CSI). Nevertheless, due to the use of multiple antennas for PNC at the transmitter and beamforming at the receiver, it is not possible to have spatial multiplexing or to use space-time codes in our previous MOPI scheme. In this paper, we propose a variant of the MOPI scheme, called P-MOPI, that works with a cryptographic cipher and utilizes the precoding matrix index (PMI) as an efficient key-exchange mechanism. With channel sounding, the PMI is known only to the transmitter and the legal receiver. The shared key can then be used, e.g., as the seed to generate pseudorandom bit sequences for securing subsequent transmissions using a stream cipher. By applying the same techniques at independent subcarriers of the OFDM system, the P-MOPI scheme easily allows two communicating parties to exchange over 100 secret bits. As a result, not only secure communication but also the MIMO gain can be guaranteed by using the P-MOPI scheme.
I. INTRODUCTION
In his seminal work, Wyner showed by information-theoretic arguments that it is possible to achieve communication confidentiality by exploiting the spatial diversity of wireless channels [2]. Wyner's theoretical investigation has inspired many different proposals, such as [3], [4], [5], [6], [7].

While most of the existing physical-layer (PHY) security works focus on information-theoretic approaches that are difficult to implement in reality, our recent work [1] is one of the pioneering works that propose practical schemes for PHY security. In that work, a MIMO-OFDM PHY integrated (MOPI) scheme has been proposed to provide communication confidentiality without using any cryptographic ciphers in wireless networks. By the use of channel sounding, MOPI prevents an eavesdropper from learning the channel state information (CSI) of the channel between the eavesdropper and the transmitting node from the preambles or pilot tones. A bit-interleaved coded-modulation (BICM)-based physical layer network coding (PNC) scheme has been proposed such that an eavesdropper, due to lack of CSI, will suffer from a very high bit error rate (BER) in decoding. The MOPI scheme has been shown to provide excellent security, forcing the eavesdropper to have a large estimation error even if blind channel estimation is used. The computational complexity is also prohibitively expensive if the eavesdropper resorts to brute-force search to recover the CSI.

Although the MOPI scheme is promising in providing realistic PHY security, it has a serious drawback. Since the multiple antennas at the transmitter are used for PNC and the multiple antennas at the receiver are used for beamforming, it is impossible for this MOPI scheme to have spatial multiplexing or to use space-time codes. This limits the capability of the MIMO system. In this paper, a variant of the MOPI scheme—called P-MOPI—based on the precoding matrix index (PMI) is proposed.
The precoding matrix index, commonly applied in MIMO systems nowadays, is used as the secret key. It is well known that the MIMO system performance can be enhanced by precoding at the transmitter, i.e., multiplying the signal vector by a matrix before transmission. With the optimal precoding at the transmitter, the MIMO channel can be transformed into several parallel subchannels, and the channel capacity can be achieved. Typically there is a universal codebook that consists of a finite number of precoding matrices. Due to different channel realizations between the transmitter-legal receiver and the transmitter-eavesdropper pairs, the precoding matrix is known only to the transmitter and the legal receiver, so the precoding matrix indices can be used as keys. With the proposed efficient key-exchange mechanism, the shared secret key, easily over 100 bits long, can be used, e.g., as the seed to generate pseudorandom bit sequences, and secured MIMO communications can then be achieved by using a stream cipher. This is the fundamental difference between MOPI and P-MOPI despite their otherwise striking similarity: while MOPI is designed to replace a cryptographic cipher and encrypts messages at the physical layer, P-MOPI is designed to work with one—it merely uses physics to establish the shared key between the communicating parties.

The rest of this paper is organized as follows. The relevant background information is reviewed in Section II. The scenario considered is described in Section III. The PMI-based key-exchange scheme is described in Section IV. The performance of the proposed P-MOPI scheme is evaluated using computer simulation, with the results presented and discussed in Section V. Conclusions are addressed in Section VI.

II. BACKGROUNDS
A. MIMO Systems with Precoding
First let us review how the precoding matrix is used in the MIMO system. Alice first sends out a reference signal for Bob to estimate the channel matrix $\mathbf{H}_{AB}$ and decide the optimal precoding matrix. Note that the channel here stands for the channel on a subcarrier or on certain subcarriers of OFDM, and the index of the subcarrier is omitted for simplicity. In practical situations, in order to reduce the complexity and the feedback overhead, a universal codebook $\mathcal{F}$ that consists of a finite number of precoding matrices is used. Each precoding matrix in the codebook has an index called the precoding matrix index (PMI).

Consider the following MIMO channel capacity formula

$$C_{\mathbf{H},\mathbf{F}} = \log\det\left[\mathbf{I}_n + \frac{E_s}{n_s\sigma}\,\mathbf{F}^{\dagger}\mathbf{H}^{\dagger}\mathbf{H}\mathbf{F}\right], \tag{1}$$

where $\mathbf{I}_n$ is the identity matrix with $n$ denoting the minimum number of antennas at Alice and Bob, $E_s$ is the symbol energy, $n_s$ is the noise power, $\sigma$ is the noise variance, $\dagger$ means the Hermitian, $\mathbf{F}$ is the precoding matrix, and $\mathbf{H}$ is the channel. Bob finds the precoding matrix, and its corresponding PMI, from the codebook that maximizes the channel capacity. Mathematically,

$$\hat{\mathbf{F}} = \arg\max_{\mathbf{F}\in\mathcal{F}} C_{\mathbf{H},\mathbf{F}}, \tag{2}$$

where $\hat{\mathbf{F}}$ is the best precoding matrix from the codebook $\mathcal{F}$. We denote the PMI associated with $\hat{\mathbf{F}}$ by $i_{\mathrm{PMI}}$.

B. Stream Ciphers
A stream cipher is a symmetric-key cipher based on the idea of Shannon's one-time pads. Typically, a stream cipher generates a pseudorandom bit stream called the keystream, which is XOR'ed with the plaintext. It is this bit-by-bit way of encryption that gives the name "stream cipher."

Perhaps the simplest form of a stream cipher is a linear feedback shift register (LFSR) with its output fed into a nonlinear filter function to generate the keystream. Note that the nonlinear filter function is of essential importance here; otherwise the structure of an $n$-bit LFSR can easily be recovered using the Berlekamp-Massey algorithm given $2n$ keystream bits. Such a nonlinear filter, if well-designed, can resist most attacks if the number of leaked keystream bits is relatively small compared with the product of the LFSR width and the algebraic degree of the nonlinear filter. The interested reader is referred to [8] for further detail on filter design. It is also possible to construct other kinds of LFSR-based stream ciphers. One such example is Trivium, a combiner generator type of stream cipher, which has a security level of and can be implemented with slightly more than two thousand NAND gate equivalents [9].

It is also possible to construct a stream cipher using a standard or light-weight block cipher. For example, KATAN and KTANTAN belong to a family of small and efficient block ciphers. The family is based on LFSR, and they share the same key size of 80 bits. KTANTAN is smaller than KATAN, but the key is burnt into the device and hence cannot be changed. The smallest cipher in the family can be implemented in less than 500 gates in 0.13 µm CMOS technology, while achieving an encryption speed of 12.5 kbits/sec. More details about KATAN and KTANTAN can be found in [10].

III. SYSTEM SETUP

Figure 1. System Model.
The system model, shown in Fig. 1, consists of three nodes, Alice, Bob, and Eve, and three wireless MIMO channels: $\mathbf{H}_{AB}$, $\mathbf{H}_{AE}$, and $\mathbf{H}_{BE}$. The source node, Alice, wants to transmit confidential messages to the destination node, Bob, through $\mathbf{H}_{AB}$. Due to the broadcast nature of wireless channels, these messages will be overheard by the eavesdropper, Eve, through $\mathbf{H}_{AE}$. If Bob transmits some signals to Alice, those signals will also be overheard by Eve through $\mathbf{H}_{BE}$. It is assumed that the channel between Alice and Bob is symmetric, i.e., $\mathbf{H}_{AB} = \mathbf{H}_{BA}$, and the channel realizations of $\mathbf{H}_{AB}$, $\mathbf{H}_{AE}$, and $\mathbf{H}_{BE}$ are independent of each other. Alice is assumed to have four antennas while Bob is assumed to have two antennas, and both Alice and Bob use the OFDM technique during transmission, whereas Eve can have an arbitrary number of antennas.

As will be described in detail later, a universal codebook containing precoding matrices and PMIs for precoding is available to Alice, Bob, and Eve, and the MIMO channel capacity function for PMI estimation is known by Eve.

IV. THE P-MOPI SCHEMES
In the original MOPI scheme [1], the multiple antennas at the transmitter are used for PNC and the multiple antennas at the receiver are used for beamforming. This provides highly secure wireless communications. Yet, the scheme sacrifices the MIMO capability of using spatial multiplexing or space-time codes. In order to use antennas in a more efficient manner, we propose the P-MOPI scheme in this paper, which allows Alice and Bob to use PMI to exchange keys for subsequent use in cryptographic ciphers to secure their communications.
A. P-MOPI
In a typical MIMO system with precoding, Alice acquires the PMI via the feedback from Bob. Eve can easily detect the PMI through eavesdropping. But what if the PMI is not fed back to Alice, and instead, Bob sends the same reference signal to Alice? Under the assumption of channel reciprocity ($\mathbf{H}_{AB} = \mathbf{H}_{BA}$), Alice is able to compute the PMI that is the same as Bob's. At Eve's side, without the feedback, she is unable to figure out the PMI since the channel $\mathbf{H}_{AE}$ is different from $\mathbf{H}_{AB}$ (and $\mathbf{H}_{BA}$). Now the PMI, shared only between Alice and Bob, can be used as a secret key.

The typical size of PMI is to bits long depending on the number of MIMO antennas. Let us assume it is bits. Through our scheme, Alice and Bob can share secret bits over one subcarrier. In OFDM systems, the independent fading realizations between subcarriers or subbands lead to abundant generation of independent PMIs. As long as the whole channel can be divided into more than subbands with nearly uncorrelated fading, which are easy to acquire in general, our scheme enables Alice and Bob to share over secret bits. The secret key can then be used to generate a random sequence for data to be transmitted securely using a stream cipher. With a key of size over secret bits, a security level way above $O(\,)$ (meaning Eve should try at least about $O(\,)$ times to approach her best performance) can be achieved, which is the usual strength requirement for a cryptographic cipher.

The steps of the proposed scheme are summarized below:

1) Alice transmits a reference signal to Bob to let Bob perform channel estimation.
2) Bob estimates the channel on a single subcarrier or a subband (which consists of several subcarriers depending on the channel coherence bandwidth). The channel realization $\mathbf{H}_{AB}$ is acquired at Bob's side.
3) Bob determines the corresponding precoding matrix $\hat{\mathbf{F}}_{\mathrm{Bob}}$ for $\mathbf{H}_{AB}$ by finding $\arg\max_{\mathbf{F}} C_{\mathbf{H},\mathbf{F}}$. He regards the PMI $i_{\mathrm{PMI,Bob}}$ of the precoding matrix $\hat{\mathbf{F}}_{\mathrm{Bob}}$ as a key and puts it into his key set $\mathcal{K}_{\mathrm{Bob}}$.
4) During the next time slot, Bob sends a sounding signal to Alice. Alice acquires the corresponding precoding matrix $\hat{\mathbf{F}}_{\mathrm{Alice}}$ for $\mathbf{H}_{BA}$ for every subcarrier. Alice then puts $i_{\mathrm{PMI,Alice}}$ into her key set $\mathcal{K}_{\mathrm{Alice}}$. Since the channel reciprocity holds, $\hat{\mathbf{F}}_{\mathrm{Bob}}$ and $\hat{\mathbf{F}}_{\mathrm{Alice}}$ are the same, and so are $\mathcal{K}_{\mathrm{Bob}}$ and $\mathcal{K}_{\mathrm{Alice}}$.
5) Alice and Bob may drop out-of-date keys to make sure $\mathcal{K}_{\mathrm{Bob}} = \mathcal{K}_{\mathrm{Alice}}$ at any time.
6) Alice uses a stream cipher to encrypt data with the key set $\mathcal{K}_{\mathrm{Alice}}$. Afterwards, Alice transmits the encrypted data to Bob and Bob decrypts the data using his own key set $\mathcal{K}_{\mathrm{Bob}}$. During the transmission, precoding is applied in order to achieve better MIMO performance.
7) (Optional rekeying) In rare situations where $\mathcal{K}_{\mathrm{Bob}} \neq \mathcal{K}_{\mathrm{Alice}}$, Alice and Bob need to rekey by going to Step 1. Such a mismatched key can be detected, e.g., as follows. Alice first picks a random number $X$ and transmits the encryption of $X$ under $\mathcal{K}_{\mathrm{Alice}}$, along with the SHA-256 digest of $X$ in plaintext. At the receiving end, Bob decrypts using $\mathcal{K}_{\mathrm{Bob}}$, calculates its SHA-256 digest, checks to see if it matches the received digest, and declares a rekeying if there is a mismatch.
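The key-confirmation exchange of Step 7, with both sides' messages, as an added example that is not code from the paper. It assumes a 4-bit PMI per subband packed into a byte string, a SHAKE-256 keystream as a stand-in for the stream cipher, and a per-message nonce; the function names and the key sets `ALICE`, `BOB_OK`, `BOB_BAD` are constructed for illustration.

```python
import hashlib
import hmac
import secrets

PMI_BITS = 4  # width of one PMI with a 4-bit codebook

def pack_key(pmis):
    """Concatenate the per-subband PMIs of a key set into a byte string."""
    value = 0
    for p in pmis:
        if not 0 <= p < 2 ** PMI_BITS:
            raise ValueError("PMI out of range for the codebook")
        value = (value << PMI_BITS) | p
    return value.to_bytes((len(pmis) * PMI_BITS + 7) // 8, "big")

def keystream(key, nonce, n):
    """Stand-in keystream generator (SHAKE-256), not a cipher named in the paper."""
    return hashlib.shake_256(b"P-MOPI demo" + nonce + key).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def alice_challenge(k_alice):
    """Step 7, Alice: encrypt a random X and attach SHA-256(X) in plaintext."""
    x = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)   # assumption: fresh nonce per message
    return {"nonce": nonce,
            "ct": xor(x, keystream(k_alice, nonce, len(x))),
            "digest": hashlib.sha256(x).digest()}

def bob_needs_rekey(k_bob, msg):
    """Step 7, Bob: decrypt, hash, compare; True means go back to Step 1."""
    x = xor(msg["ct"], keystream(k_bob, msg["nonce"], len(msg["ct"])))
    return not hmac.compare_digest(hashlib.sha256(x).digest(), msg["digest"])

def exchange(alice_pmis, bob_pmis):
    msg = alice_challenge(pack_key(alice_pmis))
    return "rekey" if bob_needs_rekey(pack_key(bob_pmis), msg) else "key confirmed"

# Constructed key sets: 66 subbands, one PMI each.
ALICE = [(7 * i + 3) % 16 for i in range(66)]
BOB_OK = list(ALICE)
BOB_BAD = list(ALICE)
BOB_BAD[41] ^= 0b0001   # one subband where the two PMI estimates disagreed

if __name__ == "__main__":
    print(exchange(ALICE, BOB_OK))
    print(exchange(ALICE, BOB_BAD))
```

Because the digest of X travels in plaintext, the same check lets anyone holding a candidate key test it offline, so it relies on the key set carrying enough independent bits.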
B. P-MOPI for slow-varying channel
In the P-MOPI scheme, PMI is used as the key. In the slow-varying channel, the optimal precoding matrix will stay similar, so the PMI (and the key) will be the same for a long period of time. From the security point of view, keys should be changed frequently, which means the basic P-MOPI scheme proposed earlier only works well under the fast-varying channel. For the slow-varying channel, we need to make a revision, as proposed below.

1) Alice transmits the reference signal $\mathbf{s}$ regularly in order to update her precoding matrix to match the latest channel condition.
2) If the new PMI is different from the previous PMI, Bob replies with the reference signal $\mathbf{r}$; if the new PMI is the same as the previous PMI, Bob first replies with a flag bit to inform Alice that the channel is static, and then sends a rotated reference signal $\mathbf{U}\mathbf{r}$ immediately, where $\mathbf{U}$ is a randomly generated unitary matrix.
3) The flag bit tells Alice to keep the same precoding for the static channel, and the rotated reference signal $\mathbf{U}\mathbf{r}$ is for her to obtain the key through PMI estimation. Since Bob knows $\mathbf{U}$, he obtains the PMI as well.
4) Alice then uses the key for the stream cipher as before.
5) Since Alice still transmits the normal reference signal $\mathbf{s}$ regularly, Bob can estimate $\mathbf{H}_{AB}$ all the time. If the PMI for precoding is not the same as the previous PMI, it means the channel has become dynamic. Then Bob transmits another flag bit to inform Alice to change back to the normal P-MOPI scheme without $\mathbf{U}$.

Notice that in order to estimate the PMI for the reference signal $\mathbf{U}\mathbf{r}$, Alice and Bob need to perform the following operation (instead of Eqn. (2)):

$$\hat{\mathbf{F}} = \arg\max_{\mathbf{F}\in\mathcal{F}} \bar{C}_{\mathbf{H},\mathbf{F}}, \tag{3}$$

where

$$\bar{C}_{\mathbf{H},\mathbf{F}} = \log\det\left[\mathbf{I}_n + \frac{E_s}{n_s\sigma}\,\mathbf{F}^{\dagger}(\mathbf{H}\mathbf{U})^{\dagger}(\mathbf{H}\mathbf{U})\mathbf{F}\right] \tag{4}$$

$$= \log\det\left[\mathbf{I}_n + \frac{E_s}{n_s\sigma}\,\bar{\mathbf{F}}^{\dagger}\mathbf{H}^{\dagger}\mathbf{H}\bar{\mathbf{F}}\right], \tag{5}$$

where $\bar{\mathbf{F}} = \mathbf{U}\mathbf{F}$. This means that Alice tries to find the best precoding matrix based on a modified channel capacity function.

The purpose of introducing $\mathbf{U}$ is to generate a new key when the channel does not change much.
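The PMI selection of Eqs. (1)-(2), the per-subband key sets of Steps 1-4 in Section IV-A, and the rotated search of Eqs. (3)-(4) can be exercised with the following added example, which is not the authors' simulation code. It assumes i.i.d. Rayleigh channels instead of SCME, a constructed Householder-style codebook rather than the LTE table, a single factor `rho` for the SNR term, and Gaussian estimation error; all function names are hypothetical.

```python
import math
import random

N_TX, N_RX, N_STREAMS = 4, 2, 2   # Alice: 4 antennas, Bob: 2 (Section III)
N_SUBBANDS, PMI_BITS = 66, 4      # figures quoted in Section V

def cgauss(rng, var=1.0):
    """Zero-mean complex Gaussian sample with total variance var."""
    s = math.sqrt(var / 2)
    return complex(rng.gauss(0, s), rng.gauss(0, s))

def householder(rng, n=N_TX):
    """Unitary reflection I - 2uu^H/(u^H u) from a random vector u."""
    u = [cgauss(rng) for _ in range(n)]
    norm2 = sum(abs(x) ** 2 for x in u)
    return [[(1 if i == j else 0) - 2 * u[i] * u[j].conjugate() / norm2
             for j in range(n)] for i in range(n)]

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)]
            for row in A]

def capacity(H, F, rho):
    """Eq. (1) for two streams; rho is the SNR factor (base of log is immaterial)."""
    G = matmul(H, F)                       # 2 x 2 precoded channel HF
    m = [[rho * sum(G[k][i].conjugate() * G[k][j] for k in range(N_RX))
          + (1 if i == j else 0) for j in range(N_STREAMS)]
         for i in range(N_STREAMS)]        # I + rho * (HF)^H (HF)
    return math.log2((m[0][0] * m[1][1] - m[0][1] * m[1][0]).real)

def select_pmi(H, codebook, rho=10.0):
    """Eq. (2): index of the codebook entry with the largest capacity."""
    return max(range(len(codebook)), key=lambda i: capacity(H, codebook[i], rho))

def make_codebook(seed=2010):
    """Constructed public codebook: 16 precoders (two reflection columns each)."""
    rng = random.Random(seed)
    return [[row[:N_STREAMS] for row in householder(rng)]
            for _ in range(2 ** PMI_BITS)]

def estimate(H, snr_db, rng):
    """Channel estimate with Gaussian error; snr_db=None means noiseless."""
    if snr_db is None:
        return H
    var = 10 ** (-snr_db / 10)
    return [[h + cgauss(rng, var) for h in row] for row in H]

def key_set(channels, codebook, rng, snr_db=None, U=None):
    """One PMI per subband; with U, the effective channel HU of Eq. (4) is used."""
    eff = [matmul(H, U) if U is not None else H for H in channels]
    return [select_pmi(estimate(H, snr_db, rng), codebook) for H in eff]

def agreement(a, b):
    return sum(x == y for x, y in zip(a, b)) / len(a)

def run(seed=1, snr_db=None):
    rng = random.Random(seed)
    cb = make_codebook()
    def chan():
        return [[cgauss(rng) for _ in range(N_TX)] for _ in range(N_RX)]
    h_ab = [chan() for _ in range(N_SUBBANDS)]   # reciprocal: H_AB = H_BA
    h_ae = [chan() for _ in range(N_SUBBANDS)]   # Eve's independent channel
    U = householder(rng)                         # rotation of Section IV-B
    return {
        "bob": key_set(h_ab, cb, rng, snr_db),
        "alice": key_set(h_ab, cb, rng, snr_db),
        "eve": key_set(h_ae, cb, rng, snr_db),
        "bob_u": key_set(h_ab, cb, rng, snr_db, U),
        "alice_u": key_set(h_ab, cb, rng, snr_db, U),
    }

if __name__ == "__main__":
    r = run(snr_db=30)
    print(agreement(r["alice"], r["bob"]), agreement(r["eve"], r["bob"]))
```

In the noiseless run Alice and Bob hold identical key sets with and without the rotation, the rotated key set differs from the unrotated one on the same static channel, and Eve, who knows the codebook and the capacity function but sees only her own channel, matches only by chance.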
Apparently, Eve cannot acquire any information about $\mathbf{U}$. Moreover, the PMI is obtained through an optimization process, which is a nonlinear process. Without knowing the channel $\mathbf{H}$, it is hopeless for Eve to obtain the correct PMI even when the codebook and the MIMO channel capacity function are known publicly. However, we should consider the influence of $\mathbf{U}$. For Alice, the estimated effective channel is $(\mathbf{H}_{AB} + \mathbf{n})\mathbf{U} = \mathbf{H}_{AB}\mathbf{U} + \mathbf{n}\mathbf{U}$, where $\mathbf{n}$ denotes white Gaussian noise. For Bob, the estimated effective channel is $\mathbf{H}_{AB}\mathbf{U} + \mathbf{n}$. If $\mathbf{U}$ is chosen as a unitary matrix, the estimation error of Alice has the same statistics as Bob's estimation error. It is obvious that there is no noise enhancement with the multiplication of $\mathbf{U}$.

Compared to the basic P-MOPI scheme, the P-MOPI scheme for the slow-varying channel needs to transmit one extra flag bit and requires Alice and Bob to do extra computation for finding the PMI. Nevertheless, the security is highly improved.

V. SCHEME EVALUATION
The success of the proposed P-MOPI relies on the following factors: channel coherence time and channel coherence bandwidth. Channel coherence time determines whether Alice and Bob can obtain the same PMI, and channel coherence bandwidth decides how many independent channels can be obtained. The more independent channels are available, the more secret bits can be generated. In this section, we will evaluate the feasibility of the proposed P-MOPI scheme.

We take the simulation setup generally used in the popular 4G standard, Long Term Evolution (LTE) [11], [12], to evaluate the P-MOPI scheme. The detailed simulation parameters are provided in the following table.

Simulation Setup
Channel model: SCME channel model
MIMO system: × single user MIMO
Subcarrier bandwidth: kHz
Total bandwidth: MHz
Center frequency: GHz
SCME scenario: Urban macro
Bob's velocity: , , (km/hr)
Codebook: 4-bit Householder codebook

A. Channel coherence bandwidth
The security of the communications mainly depends on the size of the key space, i.e., the number of available keys. Hence, it is desirable to know how many available keys can be generated by our P-MOPI scheme. Fig. 2 shows the simulation result of the channel correlation among the subcarriers in the SCME urban-macro channel model. In general, a correlation below . can be regarded as nearly uncorrelated. We can see that the correlation decreases to . at about a -subcarrier separation, which shows that the coherence bandwidth of the channel is about × k = 300 kHz. With total system bandwidth MHz, the number of independent PMIs that can be acquired is M / k ≅ 66 in one time slot. With the -bit Householder codebook, × 66 = 264 bits are generated as the cryptography key. It outperforms the conventional required security level of -bits key block cipher.

Figure 2. Channel correlation among the subcarriers under noiseless Spatial Channel Modeling Extended (SCME) urban-macro channel model. [Plot not reproduced; vertical axis: Correlation.]

Figure 3. Probability of Alice and Bob obtaining the same PMI versus the time difference of channel estimations under noiseless SCME urban-macro channel model. [Plot not reproduced; vertical axis: Prob(PMI = PMI); curves for velocity 0, 3, and 10 km/hr, with and without U.]

B. Probability of Alice and Bob obtaining the same key
In wireless communications, the velocity of the mobile device significantly affects the channel coherence time, which determines the downlink/uplink switching duration in our P-MOPI scheme. Fig. 3 depicts the probability of Alice and Bob obtaining the same PMI versus the time difference of their channel estimations. Note that the time difference results from the delay of Bob sending the reference signal back to Alice. When Bob is not moving, the channel is static and the PMIs are always the same. With Bob moving at a speed of km/hr, the probability can be held above . for ms. With Bob moving at km/hr, the probability remains above . for ms. Remember that the random rotation unitary matrix $\mathbf{U}$ is used for the slow-varying channel. From the figure, the existence of $\mathbf{U}$ does not decrease the performance. It even increases the probability when Alice's and Bob's channels are not closely correlated. The concept is that if two channel realizations are separated from each other, the multiplication by $\mathbf{U}$ provides them with a similar basis, so the two channel realizations will become closer after the rotation by $\mathbf{U}$.

C. Influence of channel estimation error
In this subsection, we illustrate the influence of the channel estimation error in Fig. 4. The estimation error is modeled as Gaussian noise. The SNR is defined as the ratio of the reference signal power to the noise variance. From the figure, at a moderate SNR like dB, the influence of estimation error can be neglected. In particular, the reference signal power is usually set large in order to ensure the correctness of channel estimation. We can also see that with $\mathbf{U}$, the probability of both PMIs being the same is significantly increased.

D. Rekeying
The P-MOPI scheme requires channel reciprocity in order to achieve key exchange between Alice and Bob. Even though the channel is reciprocal, sometimes the noise or interference in the channel can be so high, and the received reference signals at Alice and Bob so severely distorted, that $i_{\mathrm{PMI,Alice}} \neq i_{\mathrm{PMI,Bob}}$. In these cases, Alice and Bob cannot establish a shared secret key and will need to rekey by restarting the whole procedure.

Fig. 3 shows the probability that the channel between Alice and Bob is indeed reciprocal in high-SNR or nearly noiseless situations. We can see that as long as the time difference between Alice's and Bob's channel soundings is within 1 ms, the probability that $i_{\mathrm{PMI,Alice}} = i_{\mathrm{PMI,Bob}}$ is very close to , resulting in a low chance of rekeying. However, for channels with higher mobility, the probability drops and the chance of rekeying gets higher.

Although rekeying is not a fatal problem, as Alice and Bob can restart the keying process and will succeed in a small number of rounds with high probability, frequent rekeying will result in performance degradation, which happens when the channel varies too quickly or when the mobility is too high. Therefore, it is still desirable to incorporate channel coding with our P-MOPI in our future work to reduce the chance of rekeying. This can be done by transmitting reference signals over contiguous subcarriers and using the similarity of the channels experienced by these subcarriers as a source of redundancy. Another approach would be to modify the P-MOPI design so that Bob can have some control over the PMI experienced by Alice instead of it being solely determined by the channel. If this can be done, channel coding can be applied. Such a design is currently in progress.
Figure 4. PMI reciprocity probability versus SNR under SCME urban-macro channel model. [Plot not reproduced; horizontal axis: SNR; vertical axis: Prob(PMI = PMI); curves for velocity 0, 3, and 10, with and without U.]
VI. CONCLUDING REMARKS
In this paper, we have proposed an efficient secret key exchange mechanism for MIMO-OFDM systems. The proposed P-MOPI scheme utilizes the precoding matrix indices as secret keys. The PMI is obtained by finding the precoding matrix that maximizes the MIMO channel capacity function. Due to independent channel realizations, the eavesdropper is unable to learn the channel state information between the transmitter and the legal receiver, resulting in secure communication. Two P-MOPI schemes were proposed for fast-varying and slow-varying channels respectively. A random matrix is introduced in the P-MOPI scheme for the slow-varying channel condition to update keys frequently. The P-MOPI scheme, unlike the previous version of the MOPI scheme, can take full advantage of the multiple antennas through precoding. The feasibility of the scheme has been evaluated through computer simulations.

Finally, we note that it is also possible to use a randomness extractor such as a cryptographic hash function under appropriate circumstances [13] to extract shared secrets from the PMIs of all subcarriers instead of uncorrelated subcarriers, as we have proposed and examined in this paper. It warrants further investigation as to whether this will improve or worsen the rekeying probability, an important trade-off between security and usability.

ACKNOWLEDGMENTS

REFERENCES

[1] J.-P. Cheng, Y.-H. Li, P.-C. Yeh, and C.-M. Cheng, "MIMO-OFDM PHY Integrated (MOPI) scheme for confidential wireless transmission," in , 2010, pp. 1–6.
[2] A. D. Wyner, "The wire-tap channel," Bell Syst. Tech. J., vol. 54, no. 8, pp. 1355–1387, 1975.
[3] X. Li, J. Hwu, and E. P. Ratazzi, "Array redundancy and diversity for wireless transmissions with low probability of interception," in Proc. IEEE Conf. Acoustics, Speech and Signal Processing, vol. 4, 2006, pp. 525–528.
[4] M. L. Jørgensen, B. R. Yanakiev, G. E. Kirkelund, P. Popovski, H. Yomo, and T. Larsen, "Shout to secure: Physical-layer wireless security with known interference," in IEEE Global Telecommunications Conf., 2007, pp. 33–38.
[5] S. Goel and R. Negi, "Guaranteeing secrecy using artificial noise," IEEE Trans. Wireless Commun., vol. 7, pp. 2180–2189, Jun. 2008.
[6] M. Kobayashi and M. Debbah, "On the secrecy capacity of frequency-selective fading channels: A practical Vandermonde precoding," in IEEE 19th Int. Symp. Personal, Indoor and Mobile Radio Communications, 2008.
[7] S. Lakshmanan, C.-L. Tsao, R. Sivakumar, and K. Sundaresan, "Securing wireless data networks against eavesdropping using smart antennas," in , 2008, pp. 19–27.
[8] A. Canteaut, "Filter generator," Encyclopedia of Cryptography and Security, H.C.A. van Tilborg, Ed., Springer, 2005.
[9] N. Mentens, J. Genoe, B. Preneel, and I. Verbauwhede, "A low-cost implementation of Trivium," .
[10] C. D. Canniere, O. Dunkelman, and M. Knezevic, "KATAN and KTANTAN - a family of small and efficient hardware-oriented block ciphers," Lecture Notes in Computer Science, Cryptographic Hardware and Embedded Systems, vol. 5747, 2009.
[11] , 3GPP RAN1 SP-46, 3rd Generation Partnership Project Std., 2009.
[12] , 3GPP RAN1 RP-47, 3rd Generation Partnership Project Std., 2010.
[13] P.-A. Fouque, D. Pointcheval, and S. Zimmer, "HMAC is a randomness extractor and applications to TLS," in