blind transmitter authentication for spectrum security and … · 2018-04-02 · in the shared...
TRANSCRIPT
Blind Transmitter Authentication for Spectrum Securityand Enforcement
Vireshwar KumarElectrical and Computer
Engineering,Virginia Tech,
Blacksburg, VA, [email protected]
Jung-Min “Jerry" ParkElectrical and Computer
Engineering,Virginia Tech,
Blacksburg, VA, [email protected]
Kaigui BianElectronics Engineering and
Computer Science,Peking University,
Beijing, [email protected]
ABSTRACTRecent advances in spectrum access technologies, such ascognitive radios, have made spectrum sharing a viable op-tion for addressing the spectrum shortage problem. How-ever, these advances have also contributed to the increasedpossibility of “hacked” or “rogue” radios causing harm to thespectrum sharing ecosystem by causing significant interfer-ence to other wireless devices. One approach for counteringsuch threats is to employ a scheme that can be used by aregulatory entity (e.g., FCC) to uniquely identify a trans-mitter by authenticating its waveform. This enables theregulatory entity to collect solid evidence of rogue transmis-sions that can be used later during an adjudication process.We coin the term Blind Transmitter Authentication (BTA)to refer to this approach. Unlike in the existing techniquesfor PHY-layer authentication, in BTA, the entity that isauthenticating the waveform is not the intended receiver.Hence, it has to extract and decode the authentication sig-nal “blindly” with little or no knowledge of the transmis-sion parameters. In this paper, we propose a novel BTAscheme called Frequency offset Embedding for Authenticat-ing Transmitters (FEAT). FEAT embeds the authenticationinformation into the transmitted waveform by inserting anintentional frequency offset. Our results indicate that FEATis a practically viable approach and is very robust to harshchannel conditions. Our evaluation of FEAT is based on the-oretical bounds, simulations, and indoor experiments usingan actual implementation.
Categories and Subject DescriptorsC.2.1 [Computer-Communication Networks]: NetworkArchitecture and Design—wireless communication
KeywordsPHY-layer authentication; transmitter identification; cogni-tive radios; spectrum sharing and management
Permission to make digital or hard copies of all or part of this work for personal orclassroom use is granted without fee provided that copies are not made or distributedfor profit or commercial advantage and that copies bear this notice and the full cita-tion on the first page. Copyrights for components of this work owned by others thanACM must be honored. Abstracting with credit is permitted. To copy otherwise, or re-publish, to post on servers or to redistribute to lists, requires prior specific permissionand/or a fee. Request permissions from [email protected]’14, November 3–7, 2014, Scottsdale, Arizona, USA.Copyright 2014 ACM 978-1-4503-2957-6/14/11 ...$15.00.http://dx.doi.org/10.1145/2660267.2660318.
1. INTRODUCTIONIn the shared spectrum access model, the secondary users
(i.e., users with secondary access priority) employ cognitiveradio and/or other advanced technologies to access the spec-trum opportunistically [10]. Unlike legacy radios, these tech-nologies enable a user to readily re-configure the transmis-sion parameters, allowing for greater flexibility, but such afeature also increases the possibility of malicious or “rogue”transmitters that pose a serious threat to other transmitters.Here, a “rogue” transmitter is defined as a non-complianttransmitter that violates regulator-prescribed spectrum ac-cess rules. One approach for deterring rogue transmissionsis for a regulator (e.g., FCC’s Enforcement Bureau) to havethe capability to uniquely identify or authenticate “rogue”transmitters [22]. However, the regulator that is attempt-ing to identify the non-compliant transmitter is not the in-tended receiver. Hence, we refer to such a receiver as a“blind receiver”. As the name implies, the blind receiver haslittle, if any, knowledge about the communication parame-ters needed to demodulate and decode the detected signal.Hence, the blind receiver would need to carry out transmit-ter authentication at the PHY-layer, where the least amountof knowledge of the communication parameters is needed toauthenticate the transmitter. We coin the term Blind Trans-mitter Authentication (BTA) to refer to the problem of au-thenticating a transmitter by extracting its unique, identi-fiable information from the received signal with little or noknowledge of the transmission parameters.
For BTA to be a viable approach for spectrum accessenforcement, all transmitters should be mandated to em-ploy a mechanism for embedding an authentication signal—which contains the identity of the transmitter and possiblya certificate of compliance (e.g., FCC Declaration of Con-formity)—into the message signal (which contains the datathat the transmitter wants to send). Also, tamper resistancetechniques should be employed to prevent hackers from cir-cumventing this embedding mechanism. In this paper, weassume that such mechanisms are incorporated into eachradio used by a secondary user.
We want to emphasize that there are a few importantdifferences between BTA and the conventional PHY-layerauthentication problem [25, 32]. In the latter problem, itis assumed that the receiver (that is authenticating the sig-nal) has complete knowledge of the transmission parame-ters, whereas in the former problem, the receiver is “blind”.Moreover, most, if not all, of the PHY-layer authenticationschemes are designed to work when the received signal’s
signal to interference and noise ratio (SINR) is sufficientlyhigh—e.g., high enough to demodulate and decode the mes-sage signal correctly. Because a blind receiver is not the “in-tended” receiver, it may need to carry out BTA at a locationwhere the SINR is very low with significant multipath fad-ing. Conventional PHY-layer authentication schemes wouldperform very poorly under such conditions. An ideal BTAscheme satisfies three requirements: (1) It incurs minimaloverhead in terms of the message throughput and transmis-sion power; (2) It enables a receiver to “blindly” extract theauthentication information from the signal with little or noknowledge of the transmission parameters; and (3) Authen-tication can be performed under very harsh conditions (i.e.,low SINR and significant multipath fading).
In this paper, we propose a BTA scheme called Frequencyoffset Embedding for Authenticating Transmitters (FEAT).To the best of our knowledge, FEAT is the first scheme thatsatisfies the three requirements of an ideal BTA scheme.FEAT modifies the frequency offset of each frame of themessage signal to embed the authentication signal into themessage signal. This is achieved in such a way that theauthentication signal does not interfere with the decodingprocess of the message signal. Also, the authentication sig-nal can be estimated at the blind receiver with only limitedknowledge about the transmission parameters by estimatingthe frequency offset of each frame.
This paper’s main contributions are summarized below.
• We have defined the BTA problem, and described howit differs from the conventional PHY-layer authentica-tion problem.
• We propose a BTA scheme called FEAT. We havedemonstrated that FEAT is the first scheme that satis-fies all of the required criteria of an ideal BTA scheme.According to our results, FEAT outperformed the ex-isting PHY-layer authentication approaches in all ofthe performance criteria that were considered.
• We have evaluated FEAT using simulation results andtheoretical analysis. In addition, we have verified thevalidity of FEAT by carrying out experiments with anactual implementation.
The rest of the paper is organized as follows. We providethe related work in Section 2 and describe the technical back-ground in Section 3. We discuss the proposed scheme in Sec-tion 4 and analyze it in Section 5. We evaluate the proposedscheme by comparing with the prior art in Section 6. Wediscuss a prototype implementation of the proposed schemein Section 7. Section 8 concludes the paper by highlightingthe main contributions.
2. RELATED WORKPHY-layer authentication schemes can be broadly divided
into two categories: intrinsic and extrinsic approaches. Theschemes in the first category utilize the transmitter-unique“intrinsic” characteristics of the waveform as unique signa-tures to authenticate/identify transmitters. They includeRF fingerprinting, and electromagnetic signature identifi-cation [5, 8, 14, 27]. Although these intrinsic approacheshave been shown to work in controlled lab environments,their sensitivity to factors—such as temperature changes,channel conditions, and interference—limit their efficacy inreal-world scenarios. The schemes in the second category
Charlie
(Unaware Receiver)
Bob
(Aware Receiver)
Eve
(Adversary)
Dave
(Blind Receiver)
Alice
(Transmitter)
Figure 1: Authentication scenario.
enable a transmitter to “extrinsically” embed an authenti-cation signal (e.g., digital signature) in the message signaland enable a receiver to extract it. Such schemes includePHY-layer watermarking [7, 11, 13, 16] and transmitter au-thentication [17, 20, 21, 25, 28, 29, 32]. On one hand, theintrinsic approaches require the blind receiver to have onlya little knowledge about the transmission parameters to au-thenticate the transmitter, but they are limited by their lowrobustness against noise and security attacks [9]. On theother hand, the extrinsic approaches can be made highly ro-bust against noise and security threats, but they require theblind receiver to have complete knowledge about the trans-mission parameters. Hence, the authors in [31] propose anauthentication scheme in which the authentication signal isembedded into the message signal extrinsically to modifyan intrinsic characteristic (cyclo-stationary signature) of themessage signal. This enables the blind receiver to decode theauthentication signal with high robustness with only a lit-tle knowledge about the transmission parameters. However,this scheme achieves authentication at the cost of loss in themessage throughput.
3. TECHNICAL BACKGROUND
3.1 Models and AssumptionsNetwork Model: We assume that Alice, Bob, Charlie,
Dave and Eve are five users which share the same wirelessmedium, as shown in Figure 1. Alice intends to transmitmessages to Bob and Charlie via the wireless medium asper the rules established for dynamic spectrum sharing. Al-ice utilizes cyclic prefix based orthogonal frequency-divisionmultiplexing (CP-OFDM) for its message signals, but canreconfigure its PHY-layer parameters as per the require-ments for the wireless medium [26]. OFDM is an spectrumefficient modulation scheme used in high bit-rate wirelesscommunications, e.g., IEEE 802.11a. Alice conveys the in-formation about these parameters to Bob as well as Charlieso that they can demodulate and decode Alice’s message sig-nal. Dave (a.k.a. “blind receiver”) represents a regulatoryentity that needs to authenticate Alice. Suppose Alice andDave have agreed on a keyed authentication scheme thatenables Dave to blindly authenticate the waveforms that hereceives from Alice. For this to work, we must require Alice’sradio to embed an authentication signal into her message sig-nal’s waveform using the agreed authentication scheme, andDave must have the capability to extract and decode theauthentication signal from the received signal. We assumethat tamper-resistance techniques are employed to deter ma-
licious users from circumventing or altering the embeddingprocess carried out by Alice’s radio [19, 24, 30]. Bob (a.k.a.“aware receiver”) has knowledge about the authenticationscheme and can decode the message signal as well as theauthentication signal from the received waveforms. Charlie(a.k.a. “unaware receiver”) does not know the authentica-tion scheme and cannot authenticate Alice’s waveforms, butshould be able to demodulate and decode Alice’s messagesignal. Eve represents an adversary, and she is able to launchvarious types of attacks against Alice, e.g., extracting iden-tity of Alice from the authentication signal, tampering withAlice’s message signals, impersonation attacks, and replayattacks. We assume that Eve does not know the key used togenerate Alice’s authentication signal. More details on Eveare provided in Section 3.2.
Channel Model: Dave receives signals from Alice andEve with low SINR and significant multipath. Also, theremay be simultaneous transmissions from Alice and Eve onthe same spectrum band. This means that Dave may receivesignals from Alice and Eve at the same time. Hence, Daveshould be able to authenticate even when the SINR is below0 dB. Usually, it is very difficult for a receiver to decode themessage signal under such harsh channel conditions [1].
Knowledge at Dave: It is assumed that Dave is awareof the fact that CP-OFDM is employed by Alice and Eveto modulate the message signals. Dave also knows the cen-ter frequency and the sampling frequency of their signals;these parameters are typically standardized as part of anair-interface standard [26].
3.2 Performance CriteriaWe present a set of performance criteria which can be
used to evaluate BTA schemes. We will use them to evalu-ate FEAT, and compare the performance of FEAT with theprior art.
Overhead: Embedding the authentication signal in themessage signal requires applying changes to the message sig-nal itself, and thus incurs some type of PHY-layer overheadwhen a signal with authentication is compared to a signalwithout authentication. Examples of such overhead includedrop in message throughput, increase in bandwidth, increasein complexity of the transmitter (Alice) and aware receiver(Bob), and degradation of error performance, i.e., bit errorrate (BER), of the message signal at the aware receiver.
Transparency: This criterion dictates that a BTA schemeshould embed the authentication signal into the message sig-nal such that it enables the blind receiver (Dave) to extractthe authentication signal, while at the same time, enablesthe unaware receiver (Charlie) to recover the message signalwithout requiring the unaware receiver to change its demod-ulation or decoding procedure. This criterion also quantifiesthe possible impact of the authentication scheme on the errorperformance of the message signal at the unaware receiver.
Authentication Rate: The authentication rate is de-fined as the amount of authentication information (com-puted in bits) that can be transmitted per second. Theauthentication signal is embedded by altering the messagesignal in a certain manner so that the blind receiver candetect the alteration and use it to extract the authentica-tion information. The rate at which the alteration can bemade determines the authentication rate. Usually, the mes-sage rate (or message throughput) affects the authenticationrate.
Robustness to Noise and Fading: This criterion de-termines the authentication signal’s error performance at theaware receiver and the blind receiver. Note that the blindreceiver should be able to extract the authentication signalfrom the received signal even in harsh channel conditions(i.e., very low SNR and significant multipath).
Authentication of Concurrent Transmissions: Thiscriteria considers the feasibility of authentication of multi-ple transmitters which are transmitting concurrently. Thismeans that if both, Alice and Eve, are transmitting on thesame spectrum band at the same time, Dave should be ableto uniquely extract the authentication signals correspondingto Alice and Eve from the received signal. The concurrenttransmissions hamper the decoding of their authenticationsignals in two ways—sample-by-sample interference and au-thentication signature interference. Since an OFDM signalis Gaussian in nature, sample-by-sample interference fromsamples of one transmitter can be considered Gaussian noiseto the other transmitter. The authentication signature in-terference depends on the BTA scheme utilized to embedthe authentication signal into the message signal.
Blind Authentication: The blind receiver is not the in-tended recipient of the transmitted signal, and hence it doesnot know the transmission parameters, e.g., frame format,preamble samples, modulation scheme, and pilot samples.However, the blind receiver needs to be able to verify theauthentication signal. This criterion takes into account theminimum amount of information needed by Dave to extractthe authentication signal from the received signal.
Security: There are four facets of security that need tobe considered: privacy, integrity, impersonation, and re-play. To protect the privacy of Alice from Eve, the BTAscheme should not reveal the identity of Alice through theauthentication signal. To ensure integrity, the BTA schemeshould prevent Eve from modifying/corrupting Alice’s mes-sages without being detected by Dave. To thwart imperson-ation, the BTA scheme should prevent Eve from creatingvalid proofs of authenticity for her messages that can be usedto impersonate Alice. To thwart replay attacks launched byEve, Alice’s authentication signal should incorporate coun-termeasures that deter the interception and replay of theauthentication signal.
4. DESCRIPTION OF FEATWe propose a BTA scheme that we refer to as Frequency
offset Embedding for Authenticating Transmitters (FEAT).In the following text, we describe FEAT in the context ofthe authentication scenario depicted in Figure 1.
Alice embeds the authentication signal in the form of em-bedded frequency offset (EFO) in each frame of the mes-sage signal in the baseband. The embedded signal in thebaseband is sent to the oscillator where it gets up-convertedand transmitted along with the inherent carrier frequencyoffset (CFO) due to the inaccurate oscillator. This over-all frequency offset does not affect the decoding procedureof the message signal by Bob and Charlie as being the in-tended receivers, they estimate and correct any frequencyoffset present in the received signal with the help of thepreamble symbols, and the pilot samples. Dave estimatesthe authentication signal blindly. Further, we discuss in de-tail the generation of the message signal (MSa) and authen-tication signal (ASa), and embedding of ASa into MSa byAlice followed by extraction of the message signal (MSb)
Table 1: Notations.
MSa message signal generated by AliceASa authentication signal generated by AliceMSb message signal extracted by BobASb authentication signal extracted by BobMSc message signal extracted by CharlieASd authentication signal extracted by DaveNf size of IFFT used in each OFDM symbol of MSa
Nc size of cyclic prefix in each OFDM symbol of MSa
Ns number of OFDM symbols in each frame of MSa
Fs sampling frequency of MSa
fa the maximum value of embedded frequency offset (EFO)
and authentication signal (ASb) by Bob, extraction of themessage signal (MSc) by Charlie, extraction of the authen-tication signal (ASd) by Dave, and verification of ASb andASd. The notations for the important parameters used inthe paper are provided in Table 1.
Generation of MSa: The message data to be transmit-ted is assumed to be a sequence of quadrature amplitudemodulated (QAM) samples which are statistically indepen-dent and identically distributed with zero mean and averagepower represented by σ2
s . For each OFDM symbol, Alicegenerates Nf samples by taking the Inverse Fast FourierTransform (IFFT) of Nu QAM samples corresponding toNu non-zero sub-carriers loaded with data or pilot samples.The last Nc samples out of the Nf samples are repeated atthe beginning of the Nf samples as the cyclic prefix (CP) togenerate an OFDM symbol of No = Nf +Nc samples. Themessage signal is transmitted in frames, and each frame con-tains Ns = Np + Nd OFDM symbols, where Np representsthe number of symbols carrying the preamble and Nd rep-resents the symbols carrying data. The samples of a frameis represented by {s(n)}, where n = 0, 1, · · ·Ns · No − 1.Figure 2 illustrates the symbol and frame structure of MSa.
Generation of ASa: The authentication signal containsthree pieces of information: frequency, location and time(represented by F , L and T , respectively) at which themessage signal is authorized to be transmitted. A time-stamp, represented by TS, is also used to prevent replay ofthe authentication signal. This information, represented byAm = {TS, F, L, T}, is digitally signed using a privacy pre-serving group signature scheme [3], and the signature of Amis represented by sign(Am). Here, we assume that a uniquemembership certificate has been issued by a designated cer-tificate authority (CA) to each member (including Alice) ofthe group of secondary users, and Dave has access to allthe information available at the designated CA. Hence, oneauthentication sequence is given by As = {Am, sign(Am)}.Each As is channel-coded with an error-correcting code (e.g.,convolution code), and synchronization and guard bits areappended to generate ASa of Ka bits.
Embedding of ASa into MSa: For embedding theauthentication signal into the message signal, we propose anovel scheme called Frame Frequency Modulation (FFM)where the frequency offset of each frame of the message sig-nal is modified (modulated) according to the authenticationsignal. FFM of order M (M -FFM) is represented by a setof M possible frequency offsets corresponding to M = 2b
possible b-bit authentication symbols. Here, an authentica-tion symbol is defined as a set of b authentication bits, andis obtained by using b-bit Gray code. The set of frequencyoffsets in M -FFM can be represented by {fm} such that
fm = fa ·(
1− 2 · m− 1
M − 1
), (1)
Preamble
(Np symbols)
Data
(Nd symbols)
Cyclic Prefix
(Nc samples)
Data
(Nf samples)
Frame
(Ns symbols)
Symbol
(No samples)
Figure 2: Structure of the OFDM message signal.
(a) M=2 (b) M=4
Figure 3: Mapping of authentication symbols to frequencyoffsets in M -FFM.
where m = 1, 2, · · · ,M , and fa is the maximum positivefrequency offset that can be used to embed the authentica-tion signal into a frame of the message signal. Figures 3aand 3b represent the mapping schemes for 1-bit authentica-tion symbols and 2-bit authentication symbols, respectively.Note that fM−m+1 = −fm, for m = 1, 2, · · · , M
2.
In kth frame of the message signal, we embed the authenti-cation symbol, represented by ak, by embedding a frequencyoffset, fk. Hence, for n = 0, 1 · · ·Ns · No − 1, each sampleof a frame of the embedded signal in the baseband is given
by x(n) = s(n) · ej2πfkFsn, where Fs is the sampling fre-
quency. The embedded signal is up-converted to the carrierfrequency (Fc) and transmitted. Assuming that CFO dueto the inaccurate oscillator at Alice is ft, the total frequencyoffset of the transmitted signal is fk + ft.
Extraction of MSb, ASb, and MSc: After down-converting and sampling the received signal, Bob, with theknowledge of the preamble symbols and the pilot samples,can estimate and correct the frequency offset in each frameand extract the message signal, MSb. Also, Bob maps thefrequency offset in each of the frames to the closest oneamong {fm}, for m = 1, 2 · · ·M , given by equation (1)and estimates the authentication signal, ASb. Charlie, alsoequipped with the knowledge of the preamble symbols andthe pilot samples, can correct the frequency offset in eachframe and extract the message signal, MSc. Since Charlieis not interested in the frequency offsets of the frames of themessage signal, the information contained in these frequencyoffsets is simply discarded by Charlie.
Extraction of ASd: Dave, the blind receiver, does nothave the knowledge about the preamble symbols or the pilotssamples inserted in the message signal. Hence, to blindly es-timate the transmitted authentication signal, Dave needs tocarry out four tasks—signal detection and sampling, sym-bol synchronization, frame synchronization, and frame fre-quency estimation.
Signal Detection and Sampling: Since Dave has the knowl-edge of the center frequency and sampling frequency of thetransmitted signal, it down-converts and samples the re-
ceived signal in the considered frequency band. Assum-ing a Gaussian channel, Dave observes the received sig-nal with Nr discreet samples which can be represented by
r(n) = ej2π fr
Fsn · x(n) + w(n) for n = 0, 1, · · ·Nr − 1, where
fr is the frequency offset due to the oscillator at Dave. Theadditive noise w(n) is assumed to be independent of x(n),and circularly complex Gaussian with zero mean, and σ2
w
variance. It can be observed that the frequency offset ineach frame of the received signal has one constant part,fc = ft+fr, and a variable part, fk, carrying authenticationsignal.
Symbol Synchronization: Estimation of symbol bound-
aries includes estimation of the IFFT size (Nf ), the CP size
(Nc) and the sample offset (α). Dave estimates these threeparameters using the sub-optimal maximum likelihood (ML)scheme described in [33] which utilizes the correlation in thereceived signal induced due to CP. The likelihood function,
Λ(r, Nf , Nc, α), can be expressed by
Λ =1
Nn · Nc
Nn−1∑i=0
Nc−1∑l=0
r∗(i · (Nf + Nc) + α+ l
)· r(i · (Nf + Nc) + Nf + α+ l
).
where r∗(n) is the complex conjugate of r(n), and Nn =
b(Nr− α)/(Nf + Nc)c. Here, bvc denotes the largest integer
less than or equal to v. Nf , Nc and α can be estimated as
Nf , Nc, α = argmaxNf ,Nc,α
∣∣∣∣Λ(r, Nf , Nc, α)∣∣∣∣ .where |v| denotes the absolute value of v. Dave obtains theestimate of the constant part of the frequency offset as
fc =Fs
2πNf· ∠λ, (2)
where λ = Λ(r, Nf , Nc, α), and ∠c denotes the polar angleof the complex number c. After symbol synchronization, thereceived signal is represented by rs(n) = r(α + n) for n =0, 1, · · ·Nr−α. Note that the perfect symbol synchronization
is achieved when Nf = Nf , Nc = Nc, and α = α, where α isthe actual sample offset. In this case, the theoretical valueof λ can be obtained as in Appendix A.
Frame Synchronization: Estimation of frame boundariesincludes estimation of the total number of symbols in a frame
(Ns), and the symbol offset (β). Dave estimates these twoparameters using the correlation among the preamble sym-bols of the consecutive frames of the received signal. The
likelihood function, Ψ(rs, Ns, β), can be expressed by
Ψ =1
Kr · No
Kr−1∑k=0
No−1∑l=0
r∗s
(k · Ns · No + β · No + l
)· rs
((k + 1) · Ns · No + β · No + l
).
where Kr = b(Nr−α−β ·No)/(Ns ·No)c, and No = Nf+Nc.
Hence, Ns, and β can be estimated as
Ns, β = argmaxNs,β
∣∣∣∣Ψ(rs, Ns, β)∣∣∣∣ .
−10 −8 −6 −4 −2 010
2
103
104
SNR (dB)
RM
SE
Simulated Theoretical
Figure 4: Theoretical CRLB and simulated RMSE in the
estimate of fk at the blind receiver with M = 2, fa =5 kHz, Nf = 64, Nc = 16, Ns = 50.
The number of received frames is obtained as Kr = b(Nr −α − β · No)/(Ns · No)c. After frame synchronization, the
received signal is represented by rf (n) = rs(β · No + n)
for n = 0, 1, · · · Kr · Ns · No − 1. Note that the perfect
frame synchronization is achieved when Ns = Ns, and β =β, where β is the actual symbol offset. In this case, the
theoretical value of ψ = Ψ(rs, Nb, β) can be obtained as inAppendix B.
Frame Frequency Estimation: Having synchronized withthe received signal, Dave estimates the correlation betweenthe CP samples and the corresponding data samples in the
symbols of each of the frames. For k = 0, 1, · · · Kr, thecorrelation is given by
Φ(k) =1
Ns · Nc
Ns−1∑i=0
Nc−1∑l=0
r∗f
(k · Ns · No + i · No + l
)· rf
(k · Ns · No + i · No + Nf + l
).
Hence, the frequency offset for each frame is estimated as
fo(k) =Fs
2πNf∠Φ(k), (3)
The estimate of frequency offset embedded in the frame
through M -FFM is obtained by fk = fo(k) − fc, where fcis obtained from equation (2). Finally, Dave maps fk to theclosest one among {fm}, for m = 1, 2 · · ·M , given by equa-tion (1), and estimates the authentication symbol of ASdwhich is denoted as ak.
Verification of ASb and ASd: Having estimated theauthentication signal, ASb or ASd, an estimate of the trans-
mitted authentication sequence, As, is extracted by remov-ing the synchronization and guard bits, and then carryingout error detection and correction. After extraction of vari-ous contents of the authentication signal, their authenticityis verified by utilizing the techniques for group signatureverification [3].
5. ANALYSISIn this section, we evaluate FEAT using Matlab-based
simulation results. Specifically, we discuss the error perfor-mance of the authentication signal when Dave is the receiver.We also discuss security issues relevant to FEAT.
−10 −8 −6 −4 −2 010
−4
10−3
10−2
10−1
100
SNR (dB)
BE
R
fa = 5 kHz, M = 2
fa = 10 KHz, M = 2
fa = 5 kHz, M = 4
fa = 10 kHz, M = 4
(a)
−10 −8 −6 −4 −2 010
−4
10−3
10−2
10−1
100
SNR (dB)
BE
R
Ns = 50, N
f = 64, N
c = 16
Ns = 25, N
f = 64, N
c = 16
Ns = 50, N
f = 128, N
c = 16
Ns = 25, N
f = 128, N
c = 16
Ns = 25, N
f = 128, N
c = 32
(b)
Figure 5: Error performance of ASd with (a) Nf = 64, Nc = 16, Ns = 50, and (b) M = 2, fa = 5 kHz.
5.1 Error PerformanceTo analyze the error performance of the authentication
signal in FEAT, we assume that perfect symbol and framesynchronization have been achieved by Dave. An error inthe authentication symbol means ak 6= ak which occurs
when the mapping of estimated EFO, fk, to the closestone among {fm}, for m = 1, 2 · · ·M , leads to a differentEFO as compared to the transmitted EFO, fk. This hap-pens when the error in the estimate of the EFO exceeds themagnitude of half of the difference between two consecutive
EFOs, i.e.,∣∣∣fk − fk∣∣∣ > fa
M−1. Theoretically, the mean square
error (MSE) of the estimate of fk is lower bounded by theCramer-Rao Lower-Bound (CRLB) [4, 6]. We obtain the
CRLB of the estimate of fk in FEAT as
CRLB =1
8π2Nc·(
1
ρ2+
2
ρ
)· F 2
s
N2fNs
, (4)
where ρ = σ2s/σ
2w, represents the SNR. In Figure 4, we
present the root mean square error (RMSE) of the estimate
of fk at different SNRs. Note that the simulated RMSEin FEAT is quite close to its theoretical bound given bysquare-root of the CRLB. The RMSE vs. SNR curve helpsto estimate the error performance of ASd at a particularSNR given the specific values of different parameters (pre-sented in equation (4)). For instance, in Figure 4, RMSE
of the estimate of fk at SNR of −6 dB is 2 kHz. Hence, inthis example, we can estimate the error performance of ASdwhen fa = 5 kHz and M = 2. However, since the frequency
estimate fk is non-Gaussian in nature, we analyze the effectof different parameters on the error performance of the au-thentication signal through simulation where the samplingfrequency Fs is chosen to be 5 MHz [26].
Effect of ρ: In Figure 5a, when we observe the curvewith fa = 5 kHz and M = 2, we note that FEAT is quiterobust against noise, and the error performance improves(i.e., BER decreases) significantly with increase in SNR, e.g.,BER ≈ 0.03 at SNR = −8, and BER ≈ 0.003 at SNR = −6.This is because each frame of the message signal contains alarge number of samples (Ns ·No) which are used to estimateone symbol of the authentication signal.
Effect of fa: As the largest possible value of EFO, fa, isincreased, BER of ASd decreases as observed in Figure 5a.This is because by increasing EFO, we effectively account
for a larger margin of error in fk. However, there are somelimitations on the value of fa as discussed in Appendix C).
Effect of M : While FEAT with M = 2 can carry only1 authentication bit per frame of the message signal, butFEAT with M = 4 can carry 2 authentication bits per frameof the message signal. This means that the authenticationrate (defined in Section 3.2) is increased by increasing M .However, as shown in Figure 5a, as M increase, the BERof ASd increases significantly. This means that M leads toa trade-off between the error performance and the authen-tication rate of ASd. This trade-off may play an importantrole in the cases where the size of data to be communicatedbetween the transmitter and the intended receivers, is small.
In order to authenticate Eve, Dave should receive all thebits from at least one complete authentication sequence.Note that in order to verify the authentication signal, atleast one complete authentication sequence should be re-ceived by Dave. This means that the estimated number
of frames of received signal Kr should be greater than thelength of one complete authentication sequence, Ka, i.e.,
Kr ≥ Ka. This means that for FEAT with M = 2, thenumber of frames transmitted by Eve should be more thanthe length of one authentication sequence which is Ka. How-ever, when the size of data is small, the number of framesbeing transmitted can be significantly small. Hence, the au-thentication rate needs to be increased at the cost of theerror performance to ensure embedding of the authentica-tion bits of at least one authentication sequence. This willallow the transmitter to be authenticated for all its trans-mission including the burst mode.
Effect of Nf and Nc: In Figure 5b, we observe that theBER decreases by increasing Nf and Nc. Recall that Nc(CP size) is the number of samples in each OFDM symbolwhich are correlated with their corresponding data samplesfor frequency estimation. This implies that with the increasein Nc, the estimation error in frequency decreases leading tothe decrease in BER of ASd.
Effect of Ns: In Figure 5b, we observe that increasing Ns(frame size) leads to an improvement in error performance,i.e., we achieve lower BER of ASd. However, larger framesize also leads to lower frame rate which results into lowerauthentication rate. Hence, we again observe a trade-offbetween the authentication rate and the error performanceof ASd in terms of Ns. We also observe that when thetotal number of CP samples in a frame given by Nc · Ns(used for correlation to estimate an authentication symbol)
remains the same at a particular value of Nf , the BER ofASd remains the same.
Moreover, the value of Ns leads to another trade-off be-tween the authentication rate and the transparency, whichis one of the main issues that we address through FEAT.We need to use the unit for transmitting one authenticationsymbol as a frame since we aim to embed the authenticationin an absolute transparent manner. In other word, FEAT al-lows for the presence of unaware receivers (those who do notknow about FEAT) in the network, e.g., Charlie. However,if the network environment does not require the conditionof absolute transparency (i.e., the network does not havean unaware receiver), we could embed a frequency offset inany number (as low as 1) of OFDM symbols. However, asshown in Figure 5b, decreasing the number of symbols forfrequency estimation significantly reduces the error perfor-mance. Hence, we can achieve an absolute transparency andhigh robustness to noise at low authentication rate for ASdthrough FEAT, but the approach used in FEAT can also beutilized to achieve any feasible level of the error performanceand the authentication rate of ASd at cost of transparency.
5.2 Security and Robustness of FEATIn addition to the strength of the cryptographic primi-
tives used to create the authentication signal, the securityof a BTA scheme also depends on the contents of the au-thentication signal and the embedding scheme (i.e., methodfor embedding the authentication signal into the messagesignal). We discuss these security issues in the context ofFEAT in the following paragraphs.
Privacy: We ensure that Alice’s privacy is protected byemploying the privacy preserving group signature schemeproposed in [3]. When this scheme is used, Eve or Bobcan verify the authenticity of Alice’s authentication signal,but more importantly Eve cannot discover Alice’s identitythrough the authentication process. However, the schemedoes allow Dave (the regulator) to extract Alice’s identity.
Hardware integrity: We assume that tamper resistancetechniques are employed to prevent hackers from circum-venting the authentication signal embedding mechanism. Thetamper-resistant hardware detects any attempt to alter theembedding process [24]. Moreover, before embedding theauthentication signal, it ensures that there is no frequencyoffset present in the message signal. This means that se-lective addition/removal of the authentication signal is notpossible.
Integrity of the Authentication Signal: As men-tioned previously, the authentication signal is made up ofauthentication sequences, and each authentication sequenceincludes a digital signature. The digital signature ensuresthe integrity of the authentication signal.
Robustness to Impersonation Attack: In a successfulimpersonation attack, Eve should be able to create proofsof authenticity for her messages to trick Bob and Dave intothinking that those messages have been created by Alice.Additionally, in the case of spectrum sharing, Eve may at-tempt to perform location, time, and frequency spoofing inorder to gain unauthorized access to spectrum. Therefore,the authentication signal has to be designed to make suchexploits infeasible. FEAT ensures that such an attack isreadily detected because the authentication signal includesthe information about authorized location L, time-frame T ,
0 10 20 30 40 50 60 70 800
0.2
0.4
0.6
0.8
Delay (α)
Cor
rela
tion
(λ)
Figure 6: Correlation vs. Delay.
and frequency F along with the certificate C containing theidentity of the transmitter.
Robustness to Replay Attack: To launch replay at-tacks, Eve needs to store and re-transmit authenticationsignals previously transmitted by Alice. However, such re-played transmissions can be readily detected by Bob andDave since the authentication signal contains a time-stampTS that cannot be tampered without being detected.
Successful Transmission of the Authentication Sig-nal: We consider the transmission to be successfully au-thenticated if the transmitted signal contains at least oneauthentication sequence. Due to the low authentication ratein FEAT, Dave may be unable to authenticate Alice’s trans-mission if the transmitted message signal does not containenough number of frames to embed a complete authentica-tion sequence. Therefore, it is imperative to utilize a shortdigital signature so that the authentication sequence willbe short. For this reason, FEAT utilizes a Elliptic CurveCryptography (ECC) based signature scheme instead of aconventional digital signature scheme (such as RSA-basedsignatures) [18]. It is well known that ECC-based cryp-tosystems can provide an equivalent level of security with amuch shorter key when compared with conventional cryp-tosystems. For instance, ECC with a key size of 163 bitsprovides an equivalent level of security to the signature whencompared with RSA with a key size of 1024.
Robustness to Interference: Eve may also attemptto corrupt Alice’s authentication signal through selectivelyjamming the authentication signal. This type of attack,called obstruction of authentication (OOA) jamming [17],may remain undetected if the transmission power requiredby Eve to corrupt the authentication signal is small as in thecase of PHY-layer authentication schemes based on hierar-chical modulation [25]. In these schemes, the message signalis embodied by a high-power constellation while the authen-tication signal is carried on a low-power constellation. Anadversary can emit just enough interference to exploit thepower difference between the two constellations to disablethe decoding of the authentication signal without disablingthe decoding of the message signal.
In FEAT, the frequency offset in an OFDM symbol isestimated using the correlation between CP samples andcorresponding data samples of the symbol. Hence, only asubset of samples in an OFDM symbol is utilized for esti-mation of the frequency offset. This means that the changein the correlation among samples in a symbol other thanthe samples related to CP samples bear no effect on the ex-
−10 −8 −6 −4 −2 010
−4
10−3
10−2
10−1
100
SNR (dB)
BE
R
FEAT Gelato ATM
(a) AWGN channel
−10 −8 −6 −4 −2 010
−4
10−3
10−2
10−1
100
SNR (dB)
BE
R
FEAT Gelato ATM
(b) Rayleigh fading channel
Figure 7: Comparison of error performance of ASd in FEAT with fa = 5 kHz, Gelato with Na = 12, and ATM with θ = π/8,where Nf = 64, Nc = 16, and Ns = 50. .
traction of the authentication signal in terms of interferenceto the characteristics used to estimate ASd, i.e., frequencyoffset. If the received signal contains mutually exclusive sub-sets of CP samples from multiple transmitters, these subsetscan be extracted and utilized to estimate frequency offsetsin the signals received from multiple transmitters concur-rently. In FEAT, the probability that the set of CP samplesof the two signals are mutually exclusive can be calculatedto be pe = 1 − Nc/Nf . This means that when we esti-mate λ = Λ(r, Nf , Nc, α) to achieve the symbol synchro-nization discussed in Section 4, we can observe two indepen-dent peaks with probability pe. To illustrate this property,we consider that Dave receives concurrent signals of equalpower from Alice with sample offset α = 20 and Eve withsample offset α = 60. In this case, Figure 6 shows the am-plitude of λ vs. α for known values of Nf and Nc. We caneasily detect the start of the symbol of the signals from Aliceat sample 20 and Eve at sample 60. When we synchronizewith α = 20, we can extract the authentication signal of Al-ice. On the other hand, when we synchronize with α = 60,we extract the authentication signal of Eve. Hence, FEAT isextremely robust against interference from an adversary, andhence OOA jamming attack is not possible for Eve withoutdetection. This means that FEAT enables Dave to detectthe identity of Eve easily if Eve utilizes even a small powerto jam the message or authentication signals from Alice.
6. PERFORMANCE EVALUATIONBased on the performance criteria established in Section 3.2,
we evaluate FEAT through comparison with two schemeswhich represent the existing art of PHY-layer authentica-tion: Authentication Tagging with Modulation (ATM)[25],and Gelato [31].
In FEAT, one bit of the authentication signal is embed-ded in each frame of the message signal by modifying itsfrequency offset, i.e., M = 2. In ATM, the authenticationsignal is embedded into the message signal by changing thephase of the QAM message samples. An authentication bitof 1 is embedded by shifting the phase of a QAM sample to-wards the Q-axis (representing quadrature-phase) by θ. Anauthentication bit of 0 is embedded by shifting the phase to-wards the I-axis (representing in-phase) by θ. For the sakeof comparison, we embed one authentication bit per framewhich means that the phase of all the QAM samples in aframe are shifted in only one direction corresponding to the
authentication bit to be embedded. In Gelato, the authen-tication signal is embedded into the transmitted OFDM sig-nal by repeating Na QAM samples over the sub-carriers togenerate a cyclo-stationary signature. For the sake of com-parison, we embed one authentication bit per frame whichmeans that all the OFDM symbols in a frame carry thesame signature. An authentication bit of 1 is embedded byrepeating the QAM samples from the first Na sub-carriersto the next Na sub-carriers. An authentication bit of 0 isembedded by repeating the QAM samples from the last Nasub-carriers to the previous Na sub-carriers.
Overhead: In FEAT, Alice embeds the frequency offsetinto the message signal through simple vector multiplicationover each frame. This means that no significant computa-tion overhead is incurred to include FEAT at Alice. Also,there are no power and message throughput overheads atAlice. In general, an intended receiver utilizes the pream-ble symbols added at the beginning of each frame, and thepilot samples in each symbol of the received signal to esti-mate and correct the frequency offset. In effect, no changeis required in the message decoding procedure at Bob, andthe embedding of the authentication signal has no effect onthe error performance of the message signal at Bob. More-over, no significant overhead is incurred at Bob to use thosefrequency estimates to estimate the authentication signal.In ATM, no significant computational overhead is neededto embed authentication at Alice along with no power andmessage throughput overheads. Bob using its pilot symbolscan estimate and remove the phase offset and hence, thereis no effect on the error performance of the message signalat Bob. In Gelato, the computation overhead to embed theauthentication signal at Alice is non-significant. However,since Na out of Nu useful sub-carriers are loaded with re-dundant data samples, the message data-rate is reduced byNaNu· 100 %. For instance, with Na = 6 and Nu = 48, Alice
loses 12.5% of its data-rate. Although Bob does not sufferin terms of the error performance of the message signal, themessage decoding procedure needs to be modified to discardthe data samples at the redundant sub-carriers.
Transparency: In the existing standards describing PHY-layer specifications, there is a significant margin allowed forthe carrier frequency offset (CFO) in the message signalsdue to inaccurate oscillators at the transmitters and the re-ceivers. For instance, as per IEEE 802.11g [2], the absolutevalue of CFO due to an inaccurate oscillator should be less
Table 2: Comparison of FEAT and prior art.
Scheme Overhead Transparency Authentication Robustness Authentication BlindRate to Noise & Fading of Concurrent TX Authentication
[13] Low Good Low Medium Good Poor[17] Low Poor High Medium Poor Poor[21] Low Poor Low Good Good Poor[25] High Good High Poor Poor Poor[31] High Poor Low Good Poor Medium[32] High Good High Poor Poor Poor
FEAT Low Good Low Good Good Good
than 25 ppm of the carrier frequency. This means that fortransmitted signals at 2.4 GHz, a frequency offset of ±60kHz is allowed. Also, the preamble structure (inserted ineach frame) ensures that a frequency offset of 2 · 60 kHz= 120 kHz (considering the margin for the oscillator at re-ceiver) can be tolerated by each frame of the message signal.In FEAT, Charlie utilizes the preamble symbols added atthe beginning of each frame, and the pilot samples in eachsymbol of the message signal to estimate and remove the fre-quency offset. Hence, there is no effect on the error perfor-mance of the message signal at Charlie. In ATM, the phaseoffset can be estimated using the pilot symbols and hencethere is no effect on the error performance of the messagesignal at Charlie. In Gelato, Charlie can demodulate themessage signal, but the demodulated signal would not makesense for Charlie since it being the unaware of the presenceof the authentication scheme does not know the presenceof the repetition of QAM message samples on some of thesub-carriers. Hence, unlike FEAT and ATM, Gelato is nottransparent with the unaware receiver.
Authentication Rate: By design, in FEAT, ATM aswell as Gelato, one bit of authentication signal is embeddedinto each frame of the message signal. Hence, the authenti-cation rate is equal to the frame rate of the message signal.
Robustness to Noise and Fading: We simulate FEAT,ATM and Gelato using Matlab to estimate their error perfor-mance at different SNR. With AWGN channel, FEAT per-forms significantly better than ATM and Gelato as shownin Figure 7a. For instance, at SNR of −6 dB, the BERin FEAT is 0.003 as compared to 0.2 in Gelato, and 0.3in ATM. We also present the error performance of the au-thentication signal in a Rayleigh fading channel with 200Hz doppler shift in Figure 7b. Recall that since Dave doesnot have the information of the pilot signals used by Alice,it is not possible for it to counter the channel effects gen-erated due to multipath. Hence, in Figure 7b, we observethat the BER in ATM is close to 0.5. However, even inthese channel conditions, FEAT achieves sufficient BER sothat the authentication sequence can be recovered using theerror correcting code.
Authentication of Concurrent Transmissions (TX):FEAT is robust to interference as discussed in Section 5.2.Hence, in presence of concurrent transmissions from Aliceand Eve, each of the two can be authenticated at Dave.However, neither Gelato nor ATM can be used to extractthe authentication signal from the received signal corruptedby interference from the similar type of signal. In ATM,the phase offsets in the received samples containing the au-thentication signals from Alice and Eve cannot be separated.In Gelato, in the absence of interference, each OFDM sym-bol contains one signature. But, when the received signalcontains signals from multiple transmitters, multiple cyclo-
stationary signatures can be observed in the received OFDMsymbol, and there is no way to extract the authenticationsignature corresponding to a specific transmitter.
Blind Authentication: At a receiver, after down con-verting and sampling the received signal, time and frequencysynchronization are the first steps to be performed to extractthe message signal. A significant amount of work has beendone in the field of blind (non-data-aided) parameter estima-tion, e.g., time and frequency offset estimation, for OFDMsignals [12, 15, 23, 33]. Also, it has been shown in [14] thatcarrier frequency offset (CFO) is an intrinsic characteristicof a transmitter, and it can be used for authentication. Notethat the actual CFO of an oscillator in a transmitter usuallyremains close to a constant value although some variationsmay be caused due to long life-span, temperature, and otherenvironmental factors. Moreover, it has been shown in [21]that an authentication signal can be extrinsically embeddedinto the pilot symbols of the message signal in the form offrequency offsets. However, the blind receiver cannot utilizethis scheme due to lack of knowledge of the pilot symbols.In FEAT, the authentication signal is embedded into eachframe of the message signal using frequency offset such thatit can be extracted using the techniques of blind parame-ter estimation. However, Dave (the blind receiver) needsto know the center frequency and the sampling frequencyof the transmitted signal to authenticate the received sig-nal. Gelato with the sample and symbol synchronizationmechanism (proposed in this paper) can be used with thesame knowledge as needed in FEAT. In ATM, other thanthe center frequency and the sampling frequency, the blindreceiver also needs to know the modulation being used bythe transmitter. In general, the center frequency and thesampling frequency depend on the standard to be utilizedto set up the network [26] and hence, their knowledge canbe considered to be available a priory. However, modula-tion schemes depend on the channel conditions between thetransmitter and the intended receivers and hence, it is sub-ject to change. This means that FEAT and Gelato enableblind authentication, but ATM does not.
Security: Considering that the contents and the lengthof the authentication signal in the three schemes are same,we compare the robustness of the scheme in the case whereEve may attempt to corrupt the authentication signal trans-mitted by Alice, i.e. OOA jamming attack. Since FEAT isthe most robust scheme against interference, it is also themost robust scheme against OOA jamming attack. More-over, since FEAT is the most robust scheme against noise asshown in Figure 7a, it is also the most secure scheme againstincessant jamming.
Table 2 provides a qualitative comparison of FEAT andthe state of the art in PHY-layer authentication, includingGelato and ATM, in terms of the performance criteria dis-
Figure 8: LabVIEW VI illustrating the implementation of FEAT.
−10 −5 0 5 1010
−4
10−3
10−2
10−1
100
SNR (dB)
BE
R
MSb (Implementation)
MSb (Simulation)
ASd (Implementation)
ASd (Simulation)
Figure 9: Comparison of the error performance of MSb andASd in implementation and simulation.
cussed in Section 3.2. Note that FEAT outperforms theprior art in every respect except for authentication rate.
7. EXPERIMENTAL VALIDATIONWe conducted a number of experiments using an imple-
mentation of FEAT. In the experiments, we used three Uni-versal Software Radio Peripheral (USRP) radios, one eachfor Alice (transmitter), Bob (aware receiver), and Dave (blindreceiver). National Instruments’ LabVIEW is utilized as thesystem-design platform to configure the three USRPs. Al-ice and Bob use IEEE 802.11af [26] to communicate witheach other. Alice also embeds an authentication signal us-ing FEAT so that Dave is able to authenticate Alice.
Model and Assumptions: The three radios are placedin an indoor environment in such a way that the distancebetween any two radios is approximately 1 meter. The dis-tances between the radios are limited by the fact that allthe radios need to be connected to the computer runningthe LabVIEW application through network cables. Hence,to obtain a wide range of SNR values (from −10 dB to 10dB), we add Gaussian noise at Bob and Dave in addition tothe channel-induced noise added to the signal transmittedover-the-air. Here, we assume that adding Gaussian noiseafter receiving the signal is equivalent to increasing the dis-tance between the transmitter and the receivers.
Design: We utilize the following PHY-layer parameters—the center frequency Fc = 915 MHz, the sampling frequencyFs = 1 MHz, IFFT size Nf = 64, the CP size Nc = 16,the number of useful sub-carriers Nu = 52 (48 for data sam-ples and 4 for pilot samples), and the number of symbols ineach frame Ns = 50. The preamble consists of four sym-bols (i.e., Np = 4)—two symbols each for short and longpreamble sequence. We utilize quadrature amplitude shiftkeying (QPSK) as the modulation scheme for the messagesignal. The data contained in the message signal consists
of a time-stamp and a text, and is transmitted without anyerror correction coding. The authentication signal consistsof a set of random bits for synchronization, a time-stampand a text data without any error correction coding. It isembedded into the message signal using FEAT with M = 2and fa = 1 kHz. Since Bob is the receiver with the knowl-edge of all the PHY-layer parameters, he demodulates anddecodes the received signal. The received message signalis synchronized using a time-stamp, and compared with thetransmitted message signal to calculate the BER of the mes-sage signal.
Dave extracts the authentication signal by synchronizingwith the received signal which is processed in blocks of 1million samples (i.e., the number of samples received persecond). Since the processing overhead needed to achievesynchronization is quite high, the parameters such as IFFT
size (Nf ), CP size (Nc), and frame size (Ns) are estimatedonly for the first block of the received samples. During theexperiments, we noticed that the value of sample offset (α)changes slowly because of the clock mismatch between thehardware platforms. Hence, the sample offset (α) and sym-
bol offset (β) are estimated for each block of received sam-ples. The received authentication signal is synchronized us-ing the synchronization bits, and compared with the trans-mitted authentication signal to calculate the BER of theauthentication signal.
Figure 8 shows the LabVIEW VI of Alice illustrating thevarious steps needed to embed an authentication symbol intoa frame of the message signal. The message signal is gener-ated by creating conventional OFDM signals—mapping themessage bits to QAM symbols, performing IFFT, addingCP, and adding preamble symbols. To embed the authen-tication signal, the message signal is multiplied sample-by-sample with a vector which embeds the frequency offset; thisprocess is carried out by the blocks enclosed in the gray boxshown in Figure 8.
Results: Figure 9 shows the error performance of themessage signal at Bob (MSb) and the authentication sig-nal at Dave (ASd). The error performance from Matlabsimulations with the same PHY-layer parameters are alsopresented as a benchmark. We observe that the error per-formance of the USRP implementation is quite close to theerror performance obtained from the simulations in the caseof the authentication signal. However, the same is not truefor the message signal. This result can be explained by rec-ognizing the fact that the channel noise is Gaussian in thesimulations, whereas the channel noise is not truly Gaussianin the over-the-air experiments when the message signal isdecoded sample-by-sample. However, when an authentica-tion symbol is estimated by correlating the CP samples oflength Nc · Ns = 800 with their corresponding data sam-ples of equal length, then the channel noise added in the
over-the-air experiments can be considered to be Gaussianfor the authentication signal as a result of the central limittheorem.
8. CONCLUSIONIn this paper, we have defined the BTA problem, and pro-
posed a novel scheme called FEAT that satisfies all of therequired criteria of the BTA problem. Through analyticalanalysis, simulations, and experiments with an USRP-basedimplementation, we have shown that FEAT is a viable ap-proach for authenticating transmitters even in very harshchannel environments, where the SINR is low and the mul-tipath fading is significant.
9. ACKNOWLEDGMENTSThis work was partially sponsored by NSF through grants
CNS-1314598 and IIP-1265886; by the Beijing Natural Sci-ence Foundation under grant 4143062; and by the industryaffiliates of the Broadband Wireless Access & ApplicationsCenter and the Wireless @ Virginia Tech group.
10. REFERENCES[1] Design considerations for minimum SNR. http://
www.cisco.com/en/US/docs/wireless/technology/
mesh/7.3/design/guide/Mesh_chapter_011.pdf.Accessed: May 15, 2014.
[2] Information technology-Telecommunications andinformation exchange between systems-Local andmetropolitan area networks-Specific requirements-Part11: Wireless LAN medium access control (MAC) andphysical layer (PHY) specifications. IEEE Standard802.11-2012.
[3] G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik. Apractical and provably secure coalition-resistant groupsignature scheme. In Advances in Cryptology -CRYPTO 2000, volume 1880 of Lecture Notes inComputer Science, pages 255–270. Springer BerlinHeidelberg, 2000.
[4] C. R. N. Athaudage and K. Sathananthan.Cramer-Rao lower bound on frequency offsetestimation error in OFDM systems with timing errorfeedback compensation. In Fifth InternationalConference on Information, Communications andSignal Processing, pages 1231–1235, 2005.
[5] V. Brik, S. Banerjee, M. Gruteser, and S. Oh. Wirelessdevice identification with radiometric signatures. InProc. ACM MobiCom, pages 116–127, 2008.
[6] M.-H. Cheng and C.-C. Chou. Maximum-likelihoodestimation of frequency and time offsets in OFDMsystems with multiple sets of identical data. SignalProcessing, IEEE Transactions on, 54(7):2848–2852,July 2006.
[7] I. Cox, M. Miller, and A. McKellips. Watermarking ascommunication with side information. Proc. IEEE,87(7):1127–1141, July 1999.
[8] B. Danev and S. Capkun. Transient-basedidentification of wireless sensor nodes. In Int. Conf.Inform. Process. Sensor Netw., pages 25–36, Apr.2009.
[9] B. Danev, H. Luecken, S. Capkun, and K. Defrawy.Attacks on physical-layer identification. In ACMWiSec, pages 89–98, 2010.
[10] S. Dudley, W. Headley, M. Lichtman, E. Imana,X. Ma, M. Abdelbar, A. Padaki, A. Ullah, M. Sohul,T. Yang, and J. Reed. Practical issues for spectrummanagement with cognitive radios. Proceedings of theIEEE, 102(3):242–264, March 2014.
[11] C. Fei, D. Kundur, and R. Kwong. Analysis anddesign of secure watermark-based authenticationsystems. IEEE Trans. Inform. Forensics Security,1(1):43–55, Mar. 2006.
[12] T. Fusco and M. Tanda. Blind synchronization forOFDM systems in multipath channels. IEEE Trans.Wireless Commun., 8(3):1340–1348, 2009.
[13] N. Goergen, T. Clancy, and T. Newman. Physicallayer authentication watermarks through syntheticchannel emulation. In IEEE Symp. New FrontiersDynamic Spectrum, pages 1–7, Apr. 2010.
[14] W. Hou, X. Wang, and J.-Y. Chouinard. Physical layerauthentication in OFDM systems based on hypothesistesting of CFO estimates. In IEEE ICC, 2012.
[15] H. Ishii and G. W. Wornell. OFDM blind parameteridentification in cognitive radios. In IEEE 16th Int.Symp. Personal, Indoor and Mobile Radio Commun.,volume 1, pages 700–705, Sept 2005.
[16] J. Kleider, S. Gifford, S. Chuprun, and B. Fette. Radiofrequency watermarking for OFDM wireless networks.In Proc. IEEE Int. Conf. Acoustics, Speech, andSignal Process., volume 5, pages 397–400, May 2004.
[17] V. Kumar, J.-M. Park, T. Clancy, and K. Bian.PHY-layer authentication by introducing controlledinter symbol interference. In IEEE CNS, pages 10–18,2013.
[18] K. Lauter. The advantages of elliptic curvecryptography for wireless security. IEEE WirelessCommunications, page 63, 2004.
[19] C. Li, A. Raghunathan, and N. Jha. An architecturefor secure software defined radio. In Design,Automation and Test in Europe (DATE), pages448–453, 2009.
[20] Y. Liu, P. Ning, and H. Dai. Authenticating primaryusers’ signals in cognitive radio networks viaintegrated cryptographic and wireless link signatures.In IEEE Symp. Security and Privacy, pages 286–301,May 2010.
[21] R. Miller and W. Trappe. Short paper: ACE:authenticating the channel estimation process inwireless communication systems. In Proc. ACMWiSec, pages 91–96, 2011.
[22] J.-M. Park, J. Reed, A. Beex, T. Clancy, V. Kumar,and B. Bahrak. Security and enforcement in spectrumsharing. Proc. IEEE, 102(3):270–281, March 2014.
[23] A. Punchihewa, V. Bhargava, and C. Despins. Blindestimation of OFDM parameters in cognitive radionetworks. IEEE Trans. Wireless Commun.,10(3):733–738, March 2011.
[24] N. Smith, D. Johnston, G. Cox, and A. Shaliv. Device,method, and system for secure trust anchorprovisioning and protection using tamper-resistanthardware, April 2014. US Patent App. 13/631,562.
[25] X. Tan, K. Borle, W. Du, and B. Chen. Cryptographiclink signatures for spectrum usage authentication incognitive radio. In Proc. ACM WiSec, pages 79–90,June 2011.
[26] J.-S. Um, S.-H. Hwang, and B.-J. Jeong. Acomparison of PHY layer on the Ecma-392 and IEEE802.11af standards. In CROWNCOM, 7th Int. ICSTConf. on, pages 313–319, 2012.
[27] O. Ureten and N. Serinken. Wireless security throughRF fingerprinting. Canadian J. Electr. Comput. Eng.,32(1):27–33, 2007.
[28] X. Wang, Y. Wu, and B. Caron. Transmitteridentification using embedded pseudo randomsequences. IEEE Trans. Broadcast., 50:244–252, Sep.2004.
[29] L. Xiao, L. Greenstein, N. Mandayam, andW. Trappe. Using the physical layer for wirelessauthentication in time-variant channels. IEEE Trans.Wireless Commun., 7(7):2571–2579, July 2008.
[30] S. Xiao, J. Park, and Y. Ye. Tamper resistance forsoftware defined radio software. In COMPSAC, pages383–391, 2009.
[31] L. Yang, Z. Zhang, B. Y. Zhao, C. Kruegel, andH. Zheng. Enforcing dynamic spectrum access withspectrum permits. In Proc. ACM MobiHoc, pages195–204, 2012.
[32] P. Yu, J. Baras, and B. Sadler. Physical-layerauthentication. IEEE Trans. Inf. Forensics Security,3(1):38–51, Mar. 2008.
[33] T. Yucek and H. Arslan. OFDM signal identificationand transmission parameter estimation for cognitiveradio applications. In IEEE GlobeCom, pages4056–4060, 2007.
APPENDIXA. SYMBOL SYNCHRONIZATION (λ)
For very largeNr, when no authentication signal is embed-ded, λ = σ2
s ·ejεfc , where fc is the constant frequency offset,and ε = 2πNf/Fs [33]. When FEAT is utilized to embedthe authentication signal, we could define M sets of frameswith the frequency offsets fc + fk, where fc = ft + fr, andfk = fm for m = 1, 2, · · · ,M . Assuming that the authenti-cation symbols are statistically independent and identicallydistributed, λ is given by
λ =σ2s
M·M∑m=1
ejε(fc+fm)
=σ2s
M· ejεfc ·
M/2∑m=1
ejεfm +
M∑m=M/2+1
ejεfm
=
σ2s
M· ejεfc ·
M/2∑m=1
ejεfm +
M/2∑m=1
ejεfM−m+1
=
σ2s
M· ejεfc ·
M/2∑m=1
ejεfm +
M/2∑m=1
e−jεfm
=
2σ2s
M· ejεfc ·
M/2∑m=1
cos εfm
=2σ2
s
M· ejεfc ·
M/2∑m=1
cos εfa
(1− 2 · m− 1
M − 1
). (5)
B. FRAME SYNCHRONIZATION (ψ)For very large Nr, when no authentication signal is em-
bedded, each frame has the same frequency offset and hencethe relative frequency offset between consecutive frames iszero which means ψ = σ2
s . When FEAT is utilized to embedthe authentication signal, we could define M2 sets of relativefrequency offsets between two consecutive frames—M setsof frequency offset 0, M − 1 sets of frequency offset + 2fa
M−1,
and so on. Hence, ψ is given by
ψ =σ2s
M2·M +
σ2s
M2
M−1∑m=1
M −mNo
No−1∑l=0
ej2π 2mfa
(M−1)Fsl
+σ2s
M2
M−1∑m=1
M −mNo
No−1∑l=0
ej2π −2mfa
(M−1)Fsl
=σ2s
M2·
M +
M−1∑m=1
M −mNo
No−1∑l=0
2 cos 2π2mfa
(M − 1)Fsl
≈ σ2
s
M2·
M +
M−1∑m=1
(M −m) · sin 4π mfa(M−1)Fs
No
No · sin 2π faFs
. (6)
C. THEORETICAL LIMITS ON EFO (fa)In the presence of very large number of samples present
for synchronization, the performance of the proposed syn-chronization algorithm depends mainly on fa. From equa-tion (5), we note that the absolute value of λ decreases byincreasing fa. This means that the probability of detectionof the peak of Λ decreases by increasing fa. Again, fromequation (6), we observe that the absolute value of ψ de-creases by increasing fa. This means that the probability ofdetection of the peak of Ψ decreases by increasing fa. Onthe other hand, by increasing fa, we can enhance the errorperformance of FEAT as shown in Section 5. Therefore, weneed to find theoretical bounds on fa.
From equation (5), for M = 2, λ is given by
λ = σ2s · ejεfc · cos εfa.
where ε = 2πNf/Fs. Hence, the maximum value of λ isachieved when fa = 0. This means that the synchronizationis achieved with highest accuracy when no authenticationsignal is embedded into the message signal. On the otherhand, when fa = π/(2ε) = Fs/(4πNf ), the absolute valueof λ is 0. This means that it is difficult to achieve the syn-chronization if the EFO is close to Fs/(4πNf ). Hence, toachieve sufficient level of robustness for synchronization ofthe received signal and for extraction of the authenticationsignal, fa needs to be sufficiently larger than 0, but suffi-ciently smaller than Fs/(4πNf ).
Moreover, in the existing standards describing PHY-layerspecifications, there is a limited margin allowed for the car-rier frequency offset (CFO) in the message signals due toinaccurate oscillators at the transmitters and the receivers.For instance, as per IEEE 802.11g [2], the absolute value ofCFO due to an inaccurate oscillator should be less than 25ppm of the carrier frequency. Hence, we need to ensure thatft+fa ≤ Fo, where Fo is the allowed frequency offset as perthe standard.