Keyless authentication in the presence of a simultaneously transmitting adversary

09/29/2016 ∙ by Eric Graves, et al. ∙ University of Florida Rutgers University 0

If Alice must communicate with Bob over a channel shared with the adversarial Eve, then Bob must be able to validate the authenticity of the message. In particular we consider the model where Alice and Eve share a discrete memoryless multiple access channel with Bob, thus allowing simultaneous transmissions from Alice and Eve. By traditional random coding arguments, we demonstrate an inner bound on the rate at which Alice may transmit, while still granting Bob the ability to authenticate. Furthermore this is accomplished in spite of Alice and Bob lacking a pre-shared key, as well as allowing Eve prior knowledge of both the codebook Alice and Bob share and the messages Alice transmits.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

In this paper we study physical layer authentication over a noisy multiple access channel and no pre-shared key. Such scenarios may occur when a network is established in a hostile environment. Being able to trust the information observed is just as important as actually observing it. It also stands to reason, that always having a pre-shared key seems restrictive as it is dependent on a method to generate and secure the key. We model this scenario by considering two transmitters (Alice and ne’er-do-well Eve) and one receiver (Bob). Alice and Eve share a discrete memoryless multiple access channel (DM-MAC), so that not only may Eve try to forge messages to Bob, she may try to modify the ones Alice transmits. To further complicate the matter, we assume that Eve not only knows the codebook which Alice and Bob share, but the message Alice will send as well. Our goal is for Bob to be able to validate the authenticity of the sender (or alternatively the integrity of the information), as well as be able to decode the information given it is authentic.

Simmons first studied physical layer authentication in [1]

. Simmons allowed for Alice and Bob to have a pre-shared key, which Eve did not have access to. This key, which can be made small relative to the number of symbols it protects, in essence partitions the entire state of messages into sets which are valid and ones that are not. Any attempt by Eve to modify the message then results, with high probability, in a message included in the invalid set.

Physical layer authentication, without the use of pre-shared key, was considered by Maurer in [2]

. Instead of a pre-shared key, Alice, Bob, and Eve are given given access to different random variables, which share some arbitrary correlation. By using their individual random variables, Alice and Bob proceed in public discussion over a perfect channel to generate a secret key. This is related to authentication in that the channel being perfect allows Eve the ability to perfectly spoof any packet from Alice. Hence, the distributions of the random variables play a pivotal role in establishing the authenticity of any message. In this model the three nodes must share copies of a random variable generated from an independent and identically distributed (iid) source. And furthermore the variables that Alice and Bob share must not be “simulatable” by Eve given her random variable. Use of an iid source though guarantees no underlying code structure, which could leak information about the random variables Alice and Bob view. It is also impractical in scenarios not concerned with secrecy to first generate a secret key for authentication purposes in later transmissions.

Because of these limits others have studied authentication in noisy channels. Works include Yu et al. who in [3] used spread spectrum techniques in addition to a covert channel to ensure authentication [3]. And Xiao et al in [4], who used the unique scattering of individual users in indoor environments to authenticate packets. For purpose of discussion we focus on two works in particular. First, Lai et al., who in [5] considered the problem of authentication in a noisy channel model when Alice and Bob have a pre-shared key. In their model the link between Bob and Alice is noisy while the link between Eve and Bob is noise-free, a worst case scenario. Much like the work of Simmons, the key Alice and Bob share is used to label some transmitted sequences as valid and not. And much like Simmons work, it is then nearly impossible for Eve to pick a transmitted message that would be valid. The second work, is that of Jiang [6]. Jiang in specific considered the case where either Alice or Eve may transmit to Bob, but not simultaneously. By assuming the channels distinct, Jiang showed that even without a pre-shared secret key it was possible to guarantee authentication. This was done by considering the intersection of the distributions Alice could induce at Bob and the distributions Eve could induce at Bob had only marginal overlap if the channel from Alice to Bob was not simulatable using the channel from Eve to Bob.

In contrast, by allowing simultaneous communication, we allow more possibilities for Eve’s attack. This is because Eve does not need to attack the entire message transmitted, only a smaller portion, and thus only slightly disturb the distributions, which as mentioned previously were critical to ensuring authentication. Much like Jiang, we do this by showing that the distributions induced by the legitimate party, and the ones by the illegitimate party have marginal overlap. Unlike Jiang though, we approach the problem using traditional random coding methods and techniques. We derive a new inner bound, which is dependent on the channel not having a simulatable-like property. Unlike simulability though, this property can be controlled in part by Alice and her choice of distribution.

Ii Notation

Random variables will be denoted by upper case letters, their alphabets will be the script version of that letter, and particular realizations of that random variable will be denoted in lower case. In other words, is a random variable, and is a particular realization of . The -th extension of a random variable is denoted , and particular realizations of that random variable are denoted similarly by . To represent a particular value in the -th extension we use subscripts, such as is the value in the -th position of .

When the need arises for discussion of the actual distribution of the random variable over their particular alphabet, we will use with that related random variable as a subscript ( is the distribution has over ). When the distribution is clear from context, we drop the subscript. By we denote when

form a Markov chain

.

By we define the set , where is the induced type of . Generally, is referred to as a strongly typical set. We assume that follows the delta convention outlined in [7, Convention 2.11]. Furthermore by and we define the entropy (conditional entropy resp.) of random variable ( given resp.), where and . Finally by we denote the mutual information of random variables and , where .

Iii Channel Model

Fig. 1: Channel model

For our channel model, graphically represented in Figure 1, Alice and Eve share a DM-MAC with Bob. Alice wishes to transmit a message , while Eve attempts to modify its content so that Bob will believe Alice transmitted some that is not equal to . By we denote the number of symbols that will be transmitted over the channel. Alice uses a possibly stochastic function to generate her sequence which she transmits. Eve simultaneously chooses a sequence as a function of the message and encoder, which she transmits concurrently with Alice’s transmission. We assume that there exists an element representative of the state when Eve decides not to transmit (hence Eve not attacking is denoted .) Because the distribution associated with the output of the MAC when Eve is silent is of distinct importance, we refer to it specifically by . In general, Bob will receive a value , and then will use a decoder

to either output an estimate of the message, or instead to declare that Eve is attempting to intrude. We assume that Alice, Bob and Eve have access to the encoder

and the decoder .

Iv Theorems and Definitions

We expect the code to decode to the correct message when Eve is not attacking (), and to either decode to the correct message or detect manipulation when Eve is attacking (). These expectations lead directly lead to the following definition for our physical layer authentication code.

Definition 1.

A -physical layer authentication code is any encoder-decoder pair , for which the encoder takes messages and the decoder satisfies

A code which meets these two requirements, can both decode and authenticate with high probability. We do not concern ourselves with the optimization of these two probabilities, and instead focus first on guaranteeing existence. As we will show using random coding, there exist codes such that both probabilities go to zero as grows to infinity. Section V establishes the following inner bound on the rate of a physical layer authentication code.

Theorem 2.

where contains all such that

  • for all distributions such that .

If the distribution which achieves capacity is a member of , then the inner bound is also an outer bound. In general though, this is not the case. The necessity of auxiliary random variable can be demonstrated through a simple example. Let , and , and define the DM-MAC by

where the realizations of are enumerated . For this channel though, choosing

results in

Thus for all distributions . Now, instead lets introduce the auxiliary random variable , and set , with and . It is clear that if then Bob can detect Eve, which corresponds to the case . In specific the value results with probability if equal or thus Eve must have . Clearly, assuming , and . Thus it follows that . By adding an auxiliary random variable, we have now made the inner bound non-empty and thus increased our inner bound region. In this example it is not hard to see that in fact we can let and approach capacity.

Finally, in this work we assume that Eve knows the message and encoding function . Why not allow for Eve to know as well? While this does in fact make Eve more powerful, it actually simplifies the math. Indeed allowing Eve knowledge of results in the property that for every -physical layer authentication code there exist a corresponding deterministic physical layer authentication code such that . This follows because for any

Thus the existence of a sequence of rate codes such that and converge to , implies the existence of a sequence of rate deterministic codes for which and converge to as well. Hence considering deterministic encoders is sufficient for determining the maximum rate. Restricting the codes in Section V results in the same conditions except without the auxiliary , with instead replacing it. Our inner bound then is strictly smaller, as one would expect, due to the arguments of our example.

V Achievability

V-a Construction

Fix a distribution . Define , and for all randomly and independently select . For transmission, Alice chooses a value of according to the distribution , and sends the value over the DM-MAC, . Bob, who receives a sequence from the channel, uses the decoder defined by

to estimate the message or declare intrusion.

For the remainder of the paper, by we will denote the random variable over the codebooks. Any particular is itself a function which defines a distribution over as given earlier.

V-B Reliability under no attack

Given that , an error will occur if either or if . By using the union bound we may individually consider the probabilities of the two events. For the first event there exists an such that

(1)

by [7, Lemma 2.12]. For the second, the existence of an for which

(2)

whenever , for some , can be shown through traditional random coding arguments.

V-C Detection

For any codebook, the value of is fixed. We want to show that the average over all codebooks results in as increases. If the average probability of error for both the cases when Eve attacks and when she does not, converge to , then there must exist a sequence of codes where the individual errors converge to as well.

For the probability of error given Eve attacking

(3)

By symmetry we need only consider a particular value of , and hence we focus on

(4)

The probability of error in this case is dependent on what Eve decides to transmit, which as mentioned previously is dependent upon the codebook, , and the actual message transmitted . For every codebook then, it is important to consider the probability of a value particular occurring given the codebook, message, and sequence transmitted. This is made explicit by writing equation (4) as

(5)

Next we seek to determine the probability of error given a particular codebook and . This action is equivalent to summing over , for equation (5) can be written

(6)

Consider , for a fixed value , there exists an such that

(7)

due to [7, Lemma 2.12]. Furthermore because the distribution is considered fixed, and because the defining the typical set (recall Section II), there exists a such that

(8)

where

are random variables that are jointly distributed according to the type induced from

, due to [7, Problem 2.5.b]. Because the distribution of is not fixed over all values of and , to efficiently apply equations (7) and (8) we must partition the values of so that over every partition we only need worry about a single distribution. To this end, let the set contain all possible joint distributions on . With a slight abuse of notation, a particular realization of will be denoted in order to emphasize that is representative of a certain distribution over . Introducing and applying equations (7) and (8), we may upper bound equation (6) by

(9)

We have introduced the notation into equation (9) to make explicit the dependence of the entropy on the distribution of . Having dealt with the term , we turn towards completing the summation. To this end,

(10)

is an upper bound of equation (9). Equation (10) follows first from

(11)

And secondly from [7, Problem 2.10],

(12)

While it may appear that the bound induced from equation (11) introduces a large amount of error, due to channel coding it does not. Recall that are representative of the region for which the decoder outputs . These regions should rarely overlap, and thus it is most likely that for a , there is only a single value of for which is non zero.

Letting be the set of all distributions on which may meet the requirements presented in the max of equation (12), and be the number of such that , we can more succinctly write equation (10) by

(13)

where . The term has been removed since it is uniquely determined by . We now turn our attention to giving an upper bound , which will complete the proof.

In fact, there exists a such

(14)

due to the Hoeffding bound, alternatively [7, Lemma 17.9]. This is because , and hence since each codeword is chosen independently from the distribution, is simply the probability that the sum of independent and identically distributed binomial random variables is greater than . In this case the probability of the random variable can be upper bounded by for some .

Therefore there exists a , such that

(15)

upper bounds (13) since the maximum value of , and . By summing over all and then recognizing since is at most polynomial in , we obtain an such that

(16)

upper bounds equation (15).

Equation (16) leaves us with a bound dependent on the value of when compared to for the maximum value of . Consider the case where , where equation (15) becomes

For this term converges to . Indeed, recall that for all , and that

Conceptually, this bound relates to attacks where Eve does not care what value of Bob chooses, as long as it is not .

Now, consider the alternative situation in which , for which equation (16) reduces to

which clearly goes to if . But if and only if

(17)

for the condition implies that . Combining back the two situations, and excluding the distributions of such that there exists a satisfying equation (17) gives that on average for our coding scheme . Which as discussed prior proves the existence of a set of codes which satisfy our inner bound.

Vi Discussion

Of critical importance in our result is the ability of Eve to find a distribution such that . By fixing , this implies , which implies the channel must be “simulatable” (see [2]) given in order for Eve to manipulate those values of . On the other hand fixing gives that the channel must be manipulable (see [8]) for all values of Eve chooses to use.

References

  • [1] G. J. Simmons, “Authentication theory/coding theory.,” in 1984 CRYPTO, Adv. Crypt., pp. 411–431, 1984.
  • [2] U. M. Maurer, “Secret key agreement by public discussion from common information,” IEEE Trans. Info. Theory, vol. 39, pp. 733–742, May 1993.
  • [3] P. Yu, J. Baras, and B. Sadler, “Physical-layer authentication,” IEEE Trans. Info. For. Sec., vol. 3, pp. 38–51, March 2008.
  • [4] L. Xiao, L. Greenstein, N. B. Mandayam, and W. Trappe, “Using the physical layer for wireless authentication in time-variant channels,” IEEE Trans. Wire. Comm., vol. 7, pp. 2571–2579, July 2008.
  • [5] L. Lai, H. El-Gamal, and H. Poor, “Authentication over noisy channels,” IEEE Trans. Info. Theory, vol. 55, pp. 906–916, Feb 2009.
  • [6] S. Jiang, “Keyless authentication in a noisy model,” IEEE Trans. Info. For. Sec., vol. 9, pp. 1024–1033, June 2014.
  • [7] I. Csiszár and J. Körner, Information Theory: Coding Theorems for Discrete Memoryless Systems. Cambridge University Press, 2nd ed., 2011.
  • [8] E. Graves and T. F. Wong, “A coding approach to guarantee information integrity against a byzantine relay,” in 2013 IEEE Int. Sym. Info. Theory, pp. 2780–2784, IEEE, 2013.