I Introduction
One of the hallmarks of the fifth generation (5G) wireless systems and beyond is massive Internet of Things (IoT) connectivity [1]. A scenario for massive IoT access features a large number of devices connected to a Base Station (BS), each being sporadically active and sending short data packets (e.g., a few kilobytes or bytes). This sporadic activation entails that the set of devices trying to access at a given instant is unknown, thereby requiring random access protocols.
In the classical ALOHA model for random access [2], a packet is the smallest, atomic unit of information. The analyses in massive access scenarios are usually performed with an infinite population, where the number of users is . However, in order to examine the fundamental performance bounds of massive access protocols, one needs to look into the structure of the packet. This is where the assumption leads to a paradox: to make user identification possible, a field with a unique user address of bits must be included in packets of finite and relatively short length. To deal with this paradox, two information-theoretic approaches have been introduced recently. In the many access channel [3] the number of users is given as a function of the codeword length, which preserves identification capabilities even as both tend to infinity.
Differently from this, [4] addresses the problem of with finite blocklength (FBL) packets by assuming that a packet does not contain the address of the sender. This makes the access scheme unsourced, and leads to the case in which all users share the same codebook. While unsourced random access (U-RA) was initially proposed as a theoretically elegant scheme, it can also be justified by the desire to simplify the receiver and reduce the communication overhead. This is particularly important for short IoT packets where the address field can constitute a large portion of the packet [5].
The unsourced, uncoordinated nature of the problem and the FBL effects have implications in the design of practical low-complexity coding schemes, which has been the focus of several works. Bounds on the performance of finite-length codes were derived in the initial paper by Polyanskiy [4], and later generalized to the quasi-static fading channel [6]. The basic unsourced random access was extended to the case with a large number of antennas in [7], and the impact of correlated activations was studied in [8].
Despite its benefits in terms of efficiency, U-RA keeps the question of user identification (and, consequently, user authentication) open. In this paper, we aim to answer the following: assuming that a given protocol for unsourced random access is available as a black box, how can it be extended to support user identification and authentication? Rather than deferring this question to the higher layers or additional transmissions, in this contribution we present a scheme that enables those functionalities at the lower layers, in a way that is consistent with the paradigm of U-RA, i.e., when users share the same codebook. In that sense, the main contribution of our scheme is that it enables the identification and authentication of users over U-RA; the potential performance gains compared to sourced random access are of secondary importance.
The key idea is to generate and append a message authentication code (MAC)¹ to the packets (rather than an explicit address), which enables the identification and authentication of the users while complying with the main assumptions of U-RA. For this, we employ a two-step procedure as illustrated in Fig. 1. First, the BS broadcasts a beacon with a nonce to the users prior to data transmission. A nonce is an arbitrary number that can be used only once by each node and is generated periodically by the BS. Then, each active user generates a MAC based on the nonce, a secret key (known only by the user and the BS), and the data to be sent; this field is appended to the packet and transmitted as shown in Fig. 1(b).
¹ To avoid confusion between this term and the widely-used acronym for medium access control, the latter is avoided throughout the paper.
In the following, we introduce the system model. Next, we provide a detailed description of our scheme to enable identification and authentication in U-RA protocols, along with an analysis of the most relevant tradeoffs. Finally, we present a numerical performance evaluation of our scheme and conclude the paper.
II System model
We study the massive random access scenario as described by Polyanskiy [4], where users communicate through a time-slotted channel with a single BS. At each time slot, out of the users are active and send messages in the uplink, where is drawn independently and uniformly at random from the message set . All users share the same encoder , and use it to construct the codewords as , which are subject to the power constraint , where is the average power per symbol. The codewords are transmitted over a permutation-invariant and memoryless multiple access channel , i.e., it satisfies for any and , and any permutation .
We assume that the BS periodically broadcasts a beacon in the downlink as depicted in Fig. 1. The beacon includes the necessary information for the users to synchronize, to obtain the main configuration parameters, and to estimate and invert the channel. Because we assume channel inversion is perfect, fading can be neglected² and the uplink transmissions are only affected by additive white Gaussian noise, denoted by . Consequently, the resulting Gaussian multiple access channel model at a given time slot is
(1) |
² We note that the users who cannot perform inversion due to poor channel conditions can simply remain inactive, which leads to the problem that is structurally the same.
At the BS, the decoder outputs an unordered list of messages from . In line with the U-RA literature [4], we assume that is fixed and known to the decoder. We note that this assumption allows the codebook to be designed based on , which does not reflect a true random access scenario. In practice, the codebook would have to be designed based on the expected maximum (or average) number of active users instead. Similarly, in practical implementations the decoder, rather than outputting a fixed number of messages, might rely on a threshold-based scheme as in [9].
An error occurs whenever the does not contain a transmitted message, or if multiple users transmit the same message. More specifically, an error for user is defined as . Note that since we assume the decoder always outputs messages, it implies that for each error , the list must contain a message which was not transmitted by any of the devices. We shall refer to the set as decoder false positives. Denoting by the number of genuine (true positive) messages and by the number of false positives in the set , we have that .
III Identification and authentication in unsourced random access protocols
The key idea behind the proposed scheme is to generate a MAC that enables identification and authentication of the users and that can be applied to U-RA protocols. The MAC is generated by user based on its data of size , its secret key , and a nonce . The secret key is fixed and only known by the corresponding user and the BS.
Our scheme is divided into phases as shown in Fig. 1. At the beginning of each round, the BS generates a new nonce and broadcasts it to all the devices. The nonce is a sequence or pseudo-random number that changes in each round but is otherwise public. Once the nonce is received, a given user generates its MAC based on the data bits it wants to transmit , its secret key , and the nonce, i.e. . Afterwards, the user appends the MAC to the data to create a packet and transmits it, as shown in Fig. 1(b). At the BS, the packets are first decoded to extract tuples. For each, the message authenticity can be verified and the identity of the sender determined by computing the MACs of the data part with different secret keys and comparing them with the MAC in the received packet . If a match is found, the authenticator declares the user with the matching key to be the potential transmitter. The whole scheme is depicted in Fig. 2.
While a nonce is commonly used to prevent replay attacks, in our scheme it has the additional function of randomizing the MAC. That is, without a nonce, a particular piece of data and secret key from a given device would always produce the same MAC, which violates the assumption that all codewords are equally likely. Typical methods to generate the MAC include, e.g., symmetric key cryptography as in AES-CMAC (RFC 4493), used in LoRaWAN, or an HMAC (RFC 2104). Any of these methods can be applied to our scheme, so the MAC is computationally challenging to guess without the secret key.
Note that in our scheme cryptographic errors, which we define as any instance where the matching MAC is generated by a key that does not belong to the actual sender, can occur. They are possible since: 1) the generated MAC might not be a unique identifier for the user (unlike the actual address) and 2) the BS must generate many MACs with different secret keys to find the one that matches the one in the received packet.
Therefore, several tradeoffs arise. The first one is between the length of the metadata and the amount of cryptographic errors, where in the extreme case with no metadata (i.e. neither MAC nor address) identification and authentication cannot be provided. Furthermore, longer packets entail higher transmit power. Another tradeoff involves the computational complexity and probability of cryptographic errors that both increase with the number of devices supported by the system³.
³ It could be argued that the scheme is not practical as . However, in practice good performance was observed for as large as and .
IV Cryptographic errors: collisions, false positives and misidentifications
While the physical layer performance of U-RA can be characterized by the decoding error and decoder false positive probabilities, the full characterization of the proposed scheme has to take into account also potential cryptographic errors, erroneous acceptance of false positives, and misidentification events. For the purpose of this evaluation, we assume ideal MACs that are uniformly distributed, i.e., the probability that a given tuple produces a specific MAC of length is .
IV-A Exhaustive search
We first consider authentication using exhaustive search, and start by studying the per-user cryptographic error probabilities. A genuine message with data transmitted by user will fail to be authenticated whenever any of the keys from users produces the same MAC when applied to . We refer to those events as type 1 errors. Since there are other keys, the type 1 event happens with probability
(2) |
Because we assume that each user transmits at most one message per round, an error occurs also when the key of user applied to any of the other decoded messages in produces a valid MAC. Given that there are other decoded messages, this type 2 error happens with probability
(3) |
Taking into account both types of errors, the probability that a genuine message is successfully authenticated is
(4) |
Another type of event is when a false positive message produced by the decoder is erroneously authenticated. While (4) is conditional on the fact that there is at least one key that authenticates the message, here we cannot assume that. Since the keys from the genuine messages cannot be used again without causing type 2 error, there are keys that can potentially decode the false positive message without resulting in a collision. Since each of these keys accepts the message with probability , the probability of accepting a false positive message from the decoder is
(5) |
Note that the authenticator is generally unable to determine whether a message that fails to be authenticated belongs to the set of decoder true positive or decoder false positive messages. The only exception to this is the special case in which no key is able to decode a given message, which can only happen for false positive messages. The probability that this happens for a given false positive message is .
IV-B Heuristic search
We now turn our attention to the heuristic search, in which the authenticator stops as soon as it finds a matching key. While more efficient, this approach cannot detect type 1 and type 2 errors defined above, and thus the probability of erroneously authenticating a message increases.
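The nonce-bound MAC of Section III and the exhaustive and heuristic searches of Sections IV-A and IV-B, as an added Python example that is not code from the paper. It assumes HMAC-SHA256 truncated to the MAC length and a fixed 8-byte nonce; the function names, device names, keys and payloads are constructed for illustration, and the colliding payload is found with the BS's own key table only to make a type 1 error reproducible.

```python
import hashlib
import hmac
import secrets
from collections import Counter

NONCE_LEN = 8  # assumed fixed nonce length, so nonce || data is unambiguous


def make_mac(key, nonce, data, mac_bits):
    """HMAC-SHA256 over nonce || data, truncated to the leading mac_bits bits."""
    digest = hmac.new(key, nonce + data, hashlib.sha256).digest()
    tag = int.from_bytes(digest, "big") >> (256 - mac_bits)
    return tag.to_bytes((mac_bits + 7) // 8, "big")


def matching_users(keys, nonce, data, mac, mac_bits):
    """Every user whose key reproduces the received MAC for this data."""
    return [u for u, k in keys.items()
            if hmac.compare_digest(make_mac(k, nonce, data, mac_bits), mac)]


def authenticate_exhaustive(keys, nonce, packets, mac_bits):
    """Try all keys on all packets; accept only matches with no type 1 or type 2 error."""
    cands = [matching_users(keys, nonce, d, m, mac_bits) for d, m in packets]
    hits = Counter(u for c in cands for u in c)  # number of packets each key matches
    return {i: c[0] for i, c in enumerate(cands)
            if len(c) == 1 and hits[c[0]] == 1}


def authenticate_heuristic(keys, nonce, packets, mac_bits):
    """Stop at the first matching key; a key that authenticated a packet is not reused."""
    remaining, accepted = dict(keys), {}
    for i, (data, mac) in enumerate(packets):
        user = next((u for u, k in remaining.items() if hmac.compare_digest(
            make_mac(k, nonce, data, mac_bits), mac)), None)
        if user is not None:
            accepted[i] = user
            del remaining[user]
    return accepted


def colliding_payload(keys, nonce, sender, mac_bits):
    """Search constructed payloads until another user's key yields the same MAC."""
    for n in range(100_000):
        data = b"constructed-reading-%d" % n
        mac = make_mac(keys[sender], nonce, data, mac_bits)
        if len(matching_users(keys, nonce, data, mac, mac_bits)) > 1:
            return data
    raise RuntimeError("no collision found; use a shorter MAC or more users")


def run_round(mac_bits, force_collision):
    """One round: 50 constructed users, two active senders, both authenticators."""
    keys = {f"dev-{i:02d}": secrets.token_bytes(16) for i in range(50)}
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per round, sent in the beacon
    senders = ["dev-49", "dev-00"]  # dev-49 is last in the BS search order
    first = (colliding_payload(keys, nonce, senders[0], mac_bits)
             if force_collision else b"constructed-reading-a")
    payloads = [first, b"constructed-reading-b"]
    packets = [(d, make_mac(keys[s], nonce, d, mac_bits))
               for s, d in zip(senders, payloads)]
    return (senders,
            authenticate_exhaustive(keys, nonce, packets, mac_bits),
            authenticate_heuristic(keys, nonce, packets, mac_bits))


if __name__ == "__main__":
    for bits, force in ((64, False), (8, True)):
        senders, exhaustive, heuristic = run_round(bits, force)
        print(f"{bits}-bit MAC: sent={senders} exhaustive={exhaustive} heuristic={heuristic}")
```

With the 8-bit MAC the exhaustive search rejects the colliding packet, while the heuristic search attributes it to whichever colliding key comes first in the search order.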
Providing exact analytical expressions for the heuristic case proves to be difficult, due to the dependency on the order in which packets are authenticated, the number of decoder false positives and true positives, and how they are interleaved. To that end, we will provide only approximations, noting that they are very close to the true values. We shall assume without loss of generality that the messages are authenticated in the order . Furthermore, we will neglect the events where the sender of message becomes incorrectly identified as the sender of one of the previous messages , which happens with very low probability⁴.
⁴ Note that we do not neglect misidentification events in general, but only the case where a specific user authenticates a specific message, which is tied to the probability and hence very low.
We first consider the probability of correctly authenticating a genuine message. In the heuristic search case the successful authentication of message can happen even if there are cryptographic collisions, as long as the correct user happens to be tested first. For a set of successfully authenticating keys, this happens with probability . By marginalizing over the number of keys additional to the genuine key we obtain
(6) |
where is the number of remaining keys which is the total number of keys, , minus those that have authenticated any of the previous messages. is nonincreasing, and since the authenticator may have been unable to authenticate some of the previous messages. As already mentioned, in the heuristic approach the detection of collisions (type 1 and type 2 errors) is not possible, which can result in misidentification, i.e., attributing a genuine message to the wrong user. The probability of misidentifying the -th message is the probability that one or more of the non-genuine keys authenticate the message before the correct one:
(7) | ||||
(8) |
On the other hand, if the message is a false positive, the probability of accepting it is equal to the probability of at least one user producing a matching MAC:
(9) |
We note that from the point of view of the receiver there is no difference between misidentification and false positive authentication, hence, the total error probability should include both. For a given packet, which is genuine with probability and a false positive with probability we obtain
(10) |
Lastly, let us remark that when , we have that . Substituting back in equations (6) - (10), we obtain the approximate probabilities which are independent of packet number and allow us to drop the subscript . This simplifies the comparison between the exhaustive and heuristic approach.
In Fig. 3 we show the probability of successful authentication and probability of mis-authentication as a function of the total number of devices for the exhaustive and heuristic search. In addition to the small gain in terms of success probability, the latter method reduces the complexity as, on average, it requires only half of the MAC checks (assuming the probability of transmission is uniform across the devices). This is at the cost of an increased probability of mis-authentication. Since eqs. (6) and (10) used to produce the solid red curves are approximations that neglect some of the effects mentioned earlier, we provide also the results obtained through numerical simulations. Clearly, the differences are very minor, making the approximations a viable tool.
IV-C Spoofing attacks
It is of interest to consider what happens when an attacker sends a forged message with the intent of getting it accepted by the authenticator. Without private keys the attacker is not able to compute the correct MAC for the spoofed and current so it has to generate MAC bits at random. As such, from the cryptographic point of view, the message acts as a false positive, and the transmitter cannot target a specific device (i.e. it cannot choose whom it is impersonating). However, from the physical layer point of view this is an actual transmitted codeword, and as such subject to probability of decoding , so the total probability of successful spoof is
(11) |
This is to be compared to the traditional frame structure where the source address is included in the packet. In that case, the authenticator only tries the single MAC associated to that user, and the spoof attack is successful with probability .
V Results
We start by looking into the physical layer performance. The results were obtained based on the random coding bound given in [4, eq. (3)-(10)]. The codeword length (number of symbols) was chosen to be . In Fig. 4 we depict the achievable error probability as a function of the total transmit power . The values are shown for a range of packet sizes and for two cases and . In line with the assumption that two users selecting the same message is considered an error (cf. Section II), for each curve we can observe a floor at (visible only for the solid blue). In general, the higher B and K are, the steeper the curves become and the transition from almost certain error to very high reliability (such as ) becomes increasingly abrupt. This is even better explained with Fig. 5 which shows SNR as a function of for fixed error rates. Firstly, as the packet size increases, less power is needed to decrease . For example, with , when improving error rate from to requires , while with the same shift requires less than . Secondly, there is a point where the system turns from being noise-limited to interference-limited (curves merging). Such a phase transition occurs for lower packet sizes the more simultaneous messages there are.
In Fig. 6 we combine all the earlier insights and look into the total probability of mis-authentication that takes into account both the physical and cryptographic layer performance. These results are obtained assuming a population of users and messages. In the plots, the blue line represents a packet consisting solely of the information bits, i.e. . Since there is no additional means of authentication, every decoded packet is accepted and hence . The red line denotes our proposed scheme in which the packet consists of information bits and a MAC, that is, in total , where is fixed. The values reported here correspond to the exhaustive search variant, hence, the total probability of mis-authentication is with given by (5). Lastly, the yellow curve represents the classic packet structure, where the address is also included (here as well) which yields . In such case, the receiver checks only one key corresponding to the given address, hence we have that . It is important to keep in mind that the most basic mode of operation (blue) does not provide any way of identifying the users, and as such it is not directly comparable with the other two. Furthermore, it might not provide a sufficient level of reliability when the packets are very short, which is due to the floor on . What might be surprising is that the classic packet structure actually performs slightly worse than our proposed scheme (at least until level which should be more than enough). This is because even though the probability of MAC collision is significantly lower, the packet needs to be larger to accommodate the address, which requires higher SNR.
VI Conclusions
In this contribution we proposed a method to introduce identification and authentication capabilities to the algorithms that follow the framework of unsourced random access. Our scheme adds a very limited amount of metadata to the communication, which is especially important for the short IoT packets. Furthermore, as a consequence of not including explicit user identification, the packets are fully anonymous to everyone except the BS, which opens the door to new use cases and applications. This is in contrast to traditional protocols, where only the message content is assumed to be secret while the identities are public. The extra functionalities come at the cost of increased processing at the receiver. However, our results show that by avoiding the address we not only improve the spectral efficiency, but for a given transmit power we are also able to decrease the overall mis-authentication probability compared to the case where the address is included as a part of the packet.
References
- [1] C. Bockelmann et al., “Towards massive connectivity support for scalable mMTC communications in 5G networks,” IEEE Access, vol. 6, pp. 28969–28992, 2018.
- [2] N. Abramson, “THE ALOHA SYSTEM: another alternative for computer communications,” in Proceedings of the November 17-19, 1970, fall joint computer conference. ACM, pp. 281-285, 1970.
- [3] X. Chen, T.-Y. Chen, and D. Guo, “Capacity of Gaussian many-access channels,” IEEE Trans. Inf. Theory, vol. 63, no. 6, pp. 3516–3539, 2017.
- [4] Y. Polyanskiy, “A perspective on massive random-access,” in IEEE Int. Symp. Inf. Theory (ISIT), June 2017, pp. 2523–2527.
- [5] G. Durisi, T. Koch, and P. Popovski, “Toward massive, ultrareliable, and low-latency wireless communication with short packets,” Proceedings of the IEEE, vol. 104, no. 9, pp. 1711–1726, Sept 2016.
- [6] S. S. Kowshik and Y. Polyanskiy, “Fundamental limits of many-user MAC with finite payloads and fading,” Jan. 2019, arXiv:1901.06732.
- [7] A. Fengler, G. Caire, P. Jung, and S. Haghighatshoar, “Massive MIMO unsourced random access,” Jan. 2019, arXiv:1901.00828.
- [8] K. Stern, A. E. Kalør, B. Soret, and P. Popovski, “Massive random access with common alarm messages,” in Proc. IEEE Int. Symp. Inf. Theory (ISIT), July 2019, pp. 1–5.
- [9] R. Calderbank and A. Thompson, “CHIRRUP: a practical algorithm for unsourced multiple access,” Information and Inference: A Journal of the IMA, vol. 9, no. 4, pp. 875–897, 12 2019. [Online]. Available: https://doi.org/10.1093/imaiai/iaz029