WO2017063716A1 - Secure paring method for mimo systems - Google Patents


Info

Publication number
WO2017063716A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
mimo device
channel
pilot sequence
mimo
Prior art date
Application number
PCT/EP2015/074037
Other languages
French (fr)
Inventor
Stefano Tomasin
Ingmar LAND
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Priority to CN201580083630.2A (CN109417469B)
Priority to PCT/EP2015/074037 (WO2017063716A1)
Publication of WO2017063716A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0875 Generation of secret information including derivation or calculation of cryptographic keys or passwords based on channel impulse response [CIR]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms

Definitions

  • the present invention relates to a first MIMO device, a second MIMO device, a system and methods for channel estimation.
  • the present invention also relates to a computer-readable storage medium storing program code, the program code comprising instructions for carrying out such a method.
  • the eavesdropper will (most likely) see a poor channel to the transmitter, therefore the resulting gap between the signal to noise ratios (SNRs) of legitimate receiver and eavesdropper will be large. Since the spectral efficiency of the secret message transmission is related to this SNR gap, it is important that beamforming is properly designed according to the CSI. Note that if the channel to the eavesdropper is known, perfect secrecy can be achieved. When CSI to the eavesdropper is not available, its statistics may still be available and then we can assess the probability that the eavesdropper obtains information on the transmitted message.
  • SNRs: signal to noise ratios
  • the receiver can send pilot signals in a training phase and the transmitter will estimate the channel.
  • a pilot contamination attack has been outlined in the literature that works as follows.
  • Let H be the N x N channel matrix of complex numbers describing the channel between Alice and Bob, and let G1 and G2 be the matrices of the Alice-Eve and Bob-Eve channels, respectively. Pilot symbols are publicly known; therefore when Bob transmits pilots, Eve may transmit the same pilots as well.
  • the channel estimated by Alice will then be the sum of the channels between Bob and Eve, i.e., channel H + G1.
  • Eve is able to modify the channel estimate and obtain an advantage.
  • When Alice then performs beamforming, she will transmit on the channel H + G1.
  • the transmit beam is partially directed towards G1, and Eve will be able to receive some of the information that is intended for Bob only. Thus the transmission will not be secure any more.
  • a first aspect of the invention provides a first MIMO device for channel estimation and verification, the first MIMO device comprising:
  • a transmitter configured to transmit a first pilot sequence
  • a receiver configured to receive a second pilot sequence
  • a channel estimator configured to estimate a first channel based on the received second pilot sequence
  • a key generator configured to generate a first key based on the estimated first channel
  • a key confirmation unit configured to determine whether the first key corresponds to a second key of a second MIMO device.
  • the first MIMO device of the first aspect can interact with a further MIMO device, e.g. the second MIMO device described below, in order to estimate and verify the channel by exchanging pilot sequences and then securely checking if the first and second keys (which are based on channel estimates) coincide.
  • the comparison is not done publicly. Instead, they extract secret keys from the estimates and then check if they coincide using a key confirmation procedure. Upon performing the confirmation procedure the first MIMO device will be able to detect an attempt by the eavesdropper to modify the channel.
  • Estimating and verifying a channel between two devices is also referred to as pairing the devices.
  • the key confirmation unit is configured to:
  • the key confirmation unit is able to securely confirm with a second MIMO device whether its first key corresponds to a second key of the second MIMO device. Since the first key is generated from a channel estimate of the first MIMO device and the second key is generated by the second MIMO device based on a channel estimate of the second MIMO device, this allows confirming whether the first and second MIMO device have estimated the same channel.
  • the first MIMO device according to the first implementation allows performing a secure channel verification.
  • the mapping is an invertible, non-identical function. The mapping can e.g. be a random function that is known to both the first and the second MIMO device.
  • the key confirmation unit is configured to determine that the first key corresponds to the second key if at least a predetermined part of bits of the first and second key are identical.
  • the predetermined part can be a fixed first part of the bits of the first and second key. If these first parts of the keys correspond, it can be assumed that the entire keys correspond. Furthermore, according to the second implementation, a secrecy level and/or a robustness of the verification procedure is increased.
  • the first MIMO device is configured to select the first pilot sequence from a set of first pilot sequences, and the transmitter is configured to transmit an index of the selected first pilot sequence after transmitting the first pilot sequence.
  • Allowing the first MIMO device to select the first pilot sequence from a set of first pilot sequences has the advantage that an attack by an eavesdropper is made more difficult: An eavesdropper cannot "overwrite" the channel by using the same pilot sequence as the first
  • the first MIMO device can be configured to receive an index of a selected second pilot sequence, and the channel estimator is further configured to estimate the first channel using the received index.
  • the receiver is configured to receive a further second pilot sequence
  • the channel estimator is configured to estimate a further first channel based on the received further second pilot sequence
  • the key generator is configured to generate a further first key based on a difference between the estimated first channel and the estimated further first channel, and
  • the key confirmation unit is configured to determine whether the further first key corresponds to a further second key of the second MIMO device.
  • data signals can be used as pilot sequences (once data have been decoded).
  • a second aspect of the invention refers to a second MIMO device for enabling a first MIMO device to perform channel estimation and verification, the MIMO device comprising:
  • a receiver configured to receive a first pilot sequence
  • a channel estimator configured to estimate a second channel based on the received first pilot sequence
  • a key generator configured to generate a second key based on the estimated second channel
  • a key confirmation response unit configured to communicate with the first MIMO device for enabling the first device to confirm whether the second key corresponds to a first key of the first MIMO device.
  • the second MIMO device is configured to make it possible for the first MIMO device to confirm whether the first key of the first MIMO device and the second key of the second MIMO device correspond.
  • the second MIMO device makes it possible for the first MIMO device to verify whether the channel was estimated correctly, without interference from an eavesdropper.
  • the second MIMO device can have a more "passive" role in the channel estimation, i.e., it can be configured to respond to requests from the first MIMO device.
  • the key confirmation can be carried out such that after the key confirmation, the first MIMO device knows whether the keys correspond, but the second MIMO device does not know whether the keys correspond.
  • a MIMO device can be configured such that it is a first MIMO device according to the first aspect and a second MIMO device according to the second aspect.
  • a MIMO device can comprise the features of a first and a second MIMO device.
  • the MIMO device can act both as initiator of a channel estimation and verification and as a response unit for a channel estimation and verification.
  • the key confirmation response unit is configured to:
  • the second MIMO device can assist a key confirmation unit of a first MIMO device to carry out a key confirmation.
  • the transmitter is configured to transmit the second pilot sequence after receiving the first pilot sequence, and wherein the second MIMO device is configured to select the second pilot sequence from a set of candidate sequences based on the estimated second channel.
  • the receiver is configured to receive a further first pilot sequence
  • the channel estimator is configured to estimate a further second channel based on the received further first pilot sequence
  • the key generator is configured to generate a further second key based on the difference between the estimated original second channel and the estimated further second channel, and
  • the key confirmation response unit is configured to communicate with the first MIMO device for confirming whether the further second key corresponds to a further first key of the first MIMO device.
  • the key generator is configured to generate the first and/or second key based on the estimated second channel by implementing advantage distillation, information reconciliation and privacy amplification phases.
  • keys can be generated such that the same key is generated for similar channel estimates. This has the advantage that the channel verification can succeed even if the first and the second MIMO device have slightly different channel estimates, e.g. due to measurement errors.
  • the second MIMO device is configured to select the second pilot sequence from a set of second pilot sequences, and the transmitter is configured to transmit an index of the selected second pilot sequence after transmitting the second pilot sequence.
  • the second MIMO device can be configured to receive an index of a selected first pilot sequence, and the channel estimator can be further configured to estimate the second channel using the received index.
  • a third aspect of the invention refers to a system comprising a first MIMO device according to the first aspect or one of the implementations of the first aspect and a second MIMO device according to the second aspect or one of the implementations of the second aspect, wherein preferably the first MIMO device and the second MIMO device are configured to use a same mapping function.
  • the system according to the third aspect may comprise a first MIMO device and a second MIMO device, wherein:
  • a transmitter at the first MIMO device is configured to transmit a first pilot sequence to the second MIMO device
  • a receiver at the first MIMO device is configured to receive a second pilot sequence transmitted by the second MIMO device
  • a channel estimator at the first MIMO device is configured to estimate a first channel based on the received second pilot sequence
  • a channel estimator at the second MIMO device is configured to estimate a second channel based on the received first pilot sequence
  • a key generator at the first MIMO device is configured to generate a first key based on the estimated first channel
  • a key generator at the second MIMO device is configured to generate a second key based on the estimated second channel
  • a key confirmation response unit at the second MIMO device is configured to communicate with the first MIMO device for confirming whether the further second key corresponds to a further first key of the first MIMO device.
  • the mapping function can be predefined on the first and second MIMO device or it can be assigned to the devices using a secure communication channel, e.g. an encrypted channel.
  • a fourth aspect of the invention refers to a method for channel estimation and verification, the method comprising:
  • the method according to the fourth aspect of the invention can be performed by the first MIMO device according to the first aspect of the invention. Further features or implementations of the method according to the fourth aspect of the invention can perform the functionality of the first MIMO device according to the first aspect of the invention and its different implementation forms.
  • a fifth aspect of the invention refers to a method for enabling a first MIMO device to perform channel estimation and verification, the method comprising:
  • the method according to the fifth aspect of the invention can be performed by the second MIMO device according to the second aspect of the invention. Further features or implementations of the method according to the fifth aspect of the invention can perform the functionality of the second MIMO device according to the second aspect of the invention and its different implementation forms.
  • a sixth aspect of the invention refers to a method for a first MIMO device and a second MIMO device to perform channel estimation and verification, the method comprising:
  • the first MIMO device transmitting a first pilot sequence
  • the second MIMO device receiving the first pilot sequence, estimating a second channel based on the received first pilot sequence, and generating a second key based on the estimated second channel
  • the second MIMO device transmitting a second pilot sequence
  • the first MIMO device receiving the second pilot sequence, estimating a first channel based on the received second pilot sequence, and generating a first key based on the estimated first channel, and
  • a seventh aspect of the invention refers to a computer-readable storage medium storing program code, the program code comprising instructions for carrying out the method of the fourth, fifth or sixth aspect or one of their implementations.
  • FIG. 1 is a block diagram illustrating a first MIMO device in accordance with an embodiment of the present invention
  • FIG. 2 is a block diagram illustrating a second MIMO device in accordance with a further embodiment of the present invention
  • FIG. 3 is a block diagram of a system in accordance with an embodiment of the present invention.
  • FIG. 4 is a flow chart of a method for channel estimation in accordance with a further embodiment of the present invention.
  • FIG. 5 is a flow chart of a method for enabling a first MIMO device to securely estimate a channel in accordance with a further embodiment of the present invention
  • FIG. 6 is a flow chart of a method for a first MIMO device and a second MIMO device in accordance with a further embodiment of the present invention
  • FIG. 7 is a block diagram of a system in accordance with a further embodiment of the invention
  • FIG. 8 is a flow chart of a method for secure channel estimation in accordance with a further embodiment of the invention.
  • FIG. 9 is a flow chart of a method for secure key verification in accordance with a further embodiment of the invention.
  • FIG. 1 shows a first MIMO device 100 for channel estimation and verification, comprising a transmitter 110, a receiver 120, a channel estimator 130, a key generator 140 and a key confirmation unit 150.
  • the transmitter 110 is configured to transmit a first pilot sequence.
  • the first pilot sequence can be a predetermined pilot sequence or it can be a pilot sequence that the transmitter selects from a set of pilot sequences.
  • the receiver 120 is configured to receive a second pilot sequence.
  • the transmitter 110 and the receiver 120 can be configured to use the same antenna for transmitting and receiving the first and second pilot sequences.
  • the channel estimator 130 is configured to estimate a first channel based on the received second pilot sequence.
  • the channel estimator 130 can be configured to estimate a channel matrix based on the received second pilot sequence.
  • the key generator 140 is configured to generate a first key based on the estimated first channel.
  • the key estimation is performed such that slightly different first channel estimates yield the same first key.
  • the first key can have a length of e.g. 128 bit or 256 bit.
  • the key generator 140 can use the transmitter 110 and receiver 120 to interact with a second MIMO device.
  • the key confirmation unit 150 is configured to determine whether the first key corresponds to a second key of a second MIMO device.
  • the key confirmation unit 150 can be configured to communicate with the second MIMO device, e.g. using the transmitter 110 and receiver 120.
  • the key confirmation unit is configured to communicate such that an eavesdropper cannot identify the first and/or second key.
  • FIG. 2 shows a second MIMO device 200 for enabling a first MIMO device to perform channel estimation and verification, comprising a receiver 210, a transmitter 220, a channel estimator 230, a key generator 240 and a key confirmation response unit 250.
  • the receiver 210 is configured to receive a first pilot sequence, e.g. a pilot sequence sent by the first MIMO device shown in FIG. 1.
  • the transmitter 220 is configured to transmit a second pilot sequence.
  • the second pilot sequence can be a predetermined second pilot sequence or it can be a pilot sequence that the second MIMO device 200 selects from a set of pilot sequences.
  • the channel estimator 230 is configured to estimate a second channel based on the received first pilot sequence.
  • the channel estimator 230 can be configured similarly or identically to the channel estimator 130 of the first MIMO device 100.
  • the key generator 240 is configured to generate a second key based on the estimated second channel.
  • the key generator 240 can be configured similarly or identically to the key generator 140 of the first MIMO device 100.
  • the key confirmation response unit 250 is configured to communicate with the first MIMO device 100 for enabling the first MIMO device 100 to confirm whether the second key corresponds to a first key of the first MIMO device 100.
  • FIG. 3 shows a system 300 comprising a first MIMO device 100, e.g. the MIMO device of FIG. 1, and a second MIMO device 200, e.g. the MIMO device of FIG. 2, wherein the first MIMO device 100 and the second MIMO device 200 are configured to use the same mapping function.
  • the second MIMO device 200 is configured to transmit a pilot sequence to the first MIMO device 100, which allows the first MIMO device 100 to estimate a first channel 310.
  • the first MIMO device 100 is configured to transmit a pilot sequence to the second MIMO device 200, which allows the second MIMO device 200 to estimate a second channel 320.
  • the first MIMO device 100 can be e.g. an access node of a communication network and the second MIMO device 200 can be a mobile device connected to the access node.
  • the second MIMO device 200 can be an access node of a communication network and the first MIMO device 100 can be a mobile device connected to the access node.
  • FIG. 4 shows a method 400 for channel estimation and verification.
  • the method comprises a first step 410 of transmitting a first pilot sequence and a second step 420 of receiving a second pilot sequence.
  • the method comprises a further step (not shown in FIG. 4), wherein the receiver opens a receive channel for receiving the second pilot sequence after the transmitter has received the first pilot sequence. In other words, it is assumed that the second pilot sequence is received only after the first pilot sequence has been transmitted.
  • a third step 430 comprises estimating a first channel based on the received second pilot sequence.
  • a first key is generated based on the estimated first channel.
  • the key generation can be performed using one of the known methods for generating keys corresponding to estimated transmit or receive channels, wherein e.g. the transmit or receive channels can be identified by a channel matrix.
  • a fifth step 450 communication with a second MIMO device is performed to determine whether the first key corresponds to a second key of a second MIMO device.
  • This communication can include transmitting and receiving encrypted information to and from a second MIMO device.
  • the method of FIG. 4 presents an elegant way to detect a pilot contamination attack, which is a major threat in the application of physical layer security. As opposed to other methods, the method of FIG. 4 can rely on pairing based on keys and binary mappings rather than signal processing approaches that may be prone to errors due to noise and interference.
  • Applications of the method include (i) communications between the base station and mobile terminals equipped with multiple antennas and (ii) securing WiFi transmissions with multiple antennas.
  • application of the method to massive MIMO is seen as a relevant application, as beamforming plays a critical role in the presence of a large number of antennas.
  • FIG. 5 shows a method 500 for enabling a first MIMO device 100 to perform channel estimation and verification.
  • the method can be performed by a second MIMO device, e.g. the second MIMO device 200 shown in FIG. 2.
  • the method comprises a first step 510 of receiving a first pilot sequence.
  • a receive channel can be opened.
  • the method is started.
  • a second step 520 a second pilot sequence is transmitted and in a third step 530, a second channel is estimated based on the received first pilot sequence.
  • the transmission of the second pilot sequence can be based on the received first pilot sequence.
  • the third step 530 can be performed before the second step 520.
  • a second key is generated based on the estimated second channel.
  • a fifth step 550 communication is performed with the first MIMO device 100 for confirming whether the second key corresponds to a first key of the first MIMO device 100.
  • the communication is in response to commands received from the first MIMO device 100.
  • FIG. 6 shows a method 600 for a first MIMO device and a second MIMO device to perform channel estimation and verification.
  • a first step 610 comprises the first MIMO device 100 transmitting a first pilot sequence.
  • a second step 620 comprises the second MIMO device 200 receiving the first pilot sequence, estimating a second channel based on the received first pilot sequence, and generating a second key based on the estimated second channel.
  • a third step 630 comprises the second MIMO device 200 transmitting a second pilot sequence.
  • a fourth step 640 comprises the first MIMO device 100 receiving the second pilot sequence, estimating a first channel based on the received second pilot sequence, and generating a first key based on the estimated first channel;
  • a fifth step 650 comprises the first MIMO device 100 communicating with the second MIMO device 200 to determine whether the first key corresponds to the second key.
  • FIG. 7 is a block diagram of a system 700 comprising a first device ("Alice"), indicated with reference number 710, a second device ("Bob"), indicated with reference number 720, and an eavesdropping device ("Eve"), indicated with reference number 730.
  • a channel 712 between Alice and Bob is described by the channel matrix H.
  • a channel 732 between Alice and Eve is described by channel matrix G1.
  • a channel 734 between Eve and Bob is described by channel matrix G2.
  • FIG. 8 is a flow chart of a further method 800 for secure channel estimation.
  • Based on the received pilots, Alice and Bob estimate the channel. Note that if Eve performs a pilot contamination attack, the channels estimated by Alice and Bob will differ, since one will be an estimate of H + G1 and the other an estimate of H + G2. Note further that Eve does not know H and therefore cannot enforce equality of H + G1 and H + G2. In order to check the consistency of the two channels without revealing them to Eve (who could benefit from this knowledge in the following), Alice and Bob extract in step 830 a secret key from the estimated channels (see M. Bloch, J. Barros, Physical Layer Security, Cambridge University
  • FIG. 9 is a flow chart of an example method 900 for confirming whether the secret keys of Alice and Bob correspond.
  • the encoded bits x are transmitted over the channel.
  • Bob maps the decrypted bits into another sequence of M bits by applying an invertible non-identical function h(.) to obtain the mapped value h(r').
  • the mapping is a random mapping that prevents Eve from obtaining information about the sequence r when Bob is transmitting.
  • the channel reciprocity between Alice and Bob is important. However, this is relevant not only for the detection of pilot contamination but also for the forthcoming use of the channel estimate by Alice, i.e., beamforming secret messages to Bob. If the channel is different due to hardware impairments, the channel estimate that will be used by Alice after the pairing process will not be correct. In fact, Alice will beamform a signal to Bob using the channel estimate, but if it is not correct, the signal will not reach Bob, and Bob will not be able to decode the secret information. So the assumption that hardware impairments are moderate is associated with the use of this estimate.
  • Impairments can diminish the protection against attacks for the following reason: the higher the noise level or the larger the impairments, the fewer bits can be extracted from the channel, and thus the shorter the secret key.
  • the pilot sequence transmitted by the first MIMO device can be chosen randomly from a (large) set of sequences. After the pilot sequence has been transmitted to the second MIMO device, the first MIMO device will send another packet indicating the index of the pilot sequence. After this, the second MIMO device chooses randomly another pilot sequence from a (large) set of sequences and transmits it to the first MIMO device. After the pilot sequence has been transmitted to the first MIMO device, the second MIMO device will send another packet indicating the index of the selected second pilot sequence.
  • the extracted first and/or second key can also be used to make data transmission secret or to choose a secret key, i.e., the first and second keys can also be used for conventional security purposes.
  • the first and/or the second MIMO device can be configured to encrypt a message with the first and/or second key and to transmit the encrypted message.
  • channel variations can be tracked. Such tracking can be performed continuously and thus allows for continuous key verification as follows:
  • Data signals can be used as pilots (once data have been decoded). This data-directed channel estimation avoids the use of pilots. Pilots can still be exchanged among terminals (e.g., to simplify the channel estimation with respect to the data-directed approach).
  • the first MIMO device and the second MIMO device can compute the difference between the newly estimated channel and the previously estimated channel.
  • the two steps of first secret key extraction and then key verification can be partially integrated.
  • the method outlined above for secret key extraction provides that the first MIMO device sends to the second MIMO device a sequence of bits that allow the second MIMO device to correct up to a certain number of differences between the first MIMO device's and the second MIMO device's keys. Then, with the key verification procedure it is checked that the obtained keys are effectively the same.
  • the first MIMO device sends to the second MIMO device a sequence of bits that allow the first MIMO device to detect errors, rather than to correct them.
  • the second MIMO device can directly perform the key verification step by determining whether or not the number of differences in the two sequences is above a threshold.
  • the number of bits required to detect errors is smaller than the number required to correct errors. In practice this can represent an advantage (also simplifying the algorithm).
  • the key confirmation procedure can be carried out, e.g., by the key confirmation unit of the first MIMO device and the key confirmation response unit of the second MIMO device, as follows:
  • the bits x are transmitted over the channel, and the second MIMO device decrypts them using its extracted key b.
  • the second MIMO device then maps the decrypted bits into another sequence of M bits by applying an invertible non-identical function h(.) to obtain the mapped value h(r').
  • CSI: channel state information
  • the invention allows a secure pairing process between two devices equipped with multiple antennas by preventing an attacker from performing the pilot contamination attack, ensuring that the estimates of the channels obtained by the two legitimate terminals coincide, correct CSI is available, and the following transmission is secure.
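
The pilot contamination scenario and the key confirmation exchange described above, as an added example that is not part of the patent text. It assumes noise-free reciprocal channels, sign quantization in place of the advantage distillation, information reconciliation and privacy amplification phases, XOR as the encryption step, and a constructed 32-bit bijection standing in for the mapping h; all function names are hypothetical.

```python
import random

N = 4                  # antennas per device (constructed value)
M = 2 * N * N          # 32 key bits: sign of each real and imaginary part
MASK = (1 << M) - 1
# Publicly known orthogonal pilots (rows = antennas), so P * P^T = N * I.
PILOTS = [[1, 1, 1, 1], [1, -1, 1, -1], [1, 1, -1, -1], [1, -1, -1, 1]]


def rand_channel(rng):
    """Constructed N x N complex Gaussian channel matrix."""
    return [[complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(N)]
            for _ in range(N)]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(N)) for j in range(N)]
            for i in range(N)]


def received(channels):
    """Superposition of the same public pilots arriving over each channel."""
    total = [[0j] * N for _ in range(N)]
    for ch in channels:
        y = matmul(ch, PILOTS)
        total = [[t + v for t, v in zip(rt, ry)] for rt, ry in zip(total, y)]
    return total


def estimate(y):
    """Least-squares channel estimate for orthogonal pilots: Y * P^T / N."""
    p_t = [list(col) for col in zip(*PILOTS)]
    return [[v / N for v in row] for row in matmul(y, p_t)]


def key_from_channel(est):
    """Assumed key generator: one bit per sign of each real/imaginary part."""
    key = 0
    for row in est:
        for v in row:
            key = (key << 1) | (v.real > 0)
            key = (key << 1) | (v.imag > 0)
    return key


def h(v):
    """Constructed invertible, non-identity mapping on 32-bit values
    (xor-shifts and odd multiplications are each bijective)."""
    v ^= 0xA5A5A5A5
    v ^= v >> 16
    v = (v * 0x85EBCA6B) & MASK
    v ^= v >> 13
    v = (v * 0xC2B2AE35) & MASK
    v ^= v >> 16
    return v


def bob_respond(x, key_b):
    """Second device: decrypt with its own key b, map with h, re-encrypt."""
    r_prime = x ^ key_b
    return h(r_prime) ^ key_b


def alice_confirm(key_a, bob, rng):
    """First device: send x = r XOR a, accept only if the reply opens to h(r)."""
    r = rng.getrandbits(M)
    x = r ^ key_a
    y = bob(x)
    return (y ^ key_a) == h(r)


def run_pairing(seed, eve_active):
    """Return True if the first device accepts the channel estimate."""
    rng = random.Random(seed)
    H, G1, G2 = rand_channel(rng), rand_channel(rng), rand_channel(rng)
    # With contamination Alice estimates H + G1 and Bob estimates H + G2.
    at_alice = [H, G1] if eve_active else [H]
    at_bob = [H, G2] if eve_active else [H]
    key_a = key_from_channel(estimate(received(at_alice)))
    key_b = key_from_channel(estimate(received(at_bob)))
    return alice_confirm(key_a, lambda x: bob_respond(x, key_b), rng)


if __name__ == "__main__":
    print("no attack, pairing accepted:", run_pairing(1, False))
    print("pilot contamination, pairing accepted:", run_pairing(1, True))
```

Only the first device learns the outcome, matching the statement above that the second device need not know whether the keys correspond.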

Abstract

A first MIMO device for channel estimation and verification, the first MIMO device comprising: a transmitter configured to transmit a first pilot sequence, a receiver configured to receive a second pilot sequence, a channel estimator configured to estimate a first channel based on the received second pilot sequence, a key generator configured to generate a first key based on the estimated first channel, and a key confirmation unit configured to determine whether the first key corresponds to a second key of a second MIMO device.

Description

SECURE PARING METHOD FOR MIMO SYSTEMS
TECHNICAL FIELD
The present invention relates to a first MIMO device, a second MIMO device, a system and methods for channel estimation.
The present invention also relates to a computer-readable storage medium storing program code, the program code comprising instructions for carrying out such a method.
BACKGROUND
In order to ensure security in communication systems, it has been recently proposed to use physical layer security techniques, where by properly coding the transmitted signal it is possible to make it perfectly decodable to an intended receiver without leaking any information on the message to an eavesdropper device. This technique leverages the random nature of the noise affecting transmission at the physical layer and the specific characteristics of the channel among users. When multiple antennas are available at the terminals we obtain a multiple - input-multiple-output-multiple-eavesdropper (MIMOME) channel, and the availability of multiple channels further increases the security potentials of the communications. For all these techniques to work properly, the full channel state information (CSI) between the legitimate receivers is needed. For example, by beamforming the signal to the legitimate receiver the eavesdropper will (most likely) see a poor channel to the transmitter, therefore the resulting gap between the signal to noise ratios (SNRs) of legitimate receiver and eavesdropper will be large. Since the spectral efficiency of the secret message transmission is related to this SNR gap, it is important that beamforming is properly designed according to the CSI. Note that if the channel to the eavesdropper is known, perfect secrecy can be achieved. When CSI to the eavesdropper is not available, its statistics may still be available and then we can assess the probability that the eavesdropper obtains information on the transmitted message. In order to obtain CSI when channel reciprocity is available, the receiver can send pilot signals in a training phase and the transmitter will estimate the channel. However, a pilot contamination attack has been outlined in the literature that works as follows. Consider the scenario, where Alice aims at beamforming to Bob, and Eve aims at getting some information on the secret message. 
All users are equipped with N antennas. Let H be the N x N channel matrix of complex numbers describing the channel between Alice and Bob, and let G1 and G2 be the matrices of the Alice-Eve and Bob-Eve channels, respectively. Pilot symbols are publicly known; therefore when Bob transmits pilots, Eve may transmit the same pilots as well. The channel estimated by Alice will then be the sum of the channels between Bob and Eve, i.e., channel H + G1. Therefore, with this attack, Eve is able to modify the channel estimate and obtain an advantage. When Alice then performs beamforming, she will transmit on the channel H + G1. Correspondingly, the transmit beam is partially directed towards G1, and Eve will be able to receive some of the information that is intended for Bob only. Thus the transmission will not be secure any more.
Practical application of physical layer security techniques has ramped up only recently. The particular problem of pilot contamination for secure massive MIMO has been discussed in the literature only within the last few years.
A number of solutions have been proposed in the literature to detect pilot contamination attacks, but these suffer from high complexity and/or cannot reliably prevent pilot contamination attacks.
SUMMARY OF THE INVENTION
The objective of the present invention is to provide a device, a system and a method for channel estimation, which overcome one or more of the above-mentioned problems of the prior art.
A first aspect of the invention provides a first MIMO device for channel estimation and verification, the first MIMO device comprising:
- a transmitter configured to transmit a first pilot sequence,
- a receiver configured to receive a second pilot sequence,
- a channel estimator configured to estimate a first channel based on the received second pilot sequence,
- a key generator configured to generate a first key based on the estimated first channel, and
- a key confirmation unit configured to determine whether the first key corresponds to a second key of a second MIMO device.
The first MIMO device of the first aspect can interact with a further MIMO device, e.g. the second MIMO device described below, in order to estimate and verify the channel by exchanging pilot sequences and then securely checking if the first and second keys (which are based on channel estimates) coincide. In order to avoid disclosing the channel to an eavesdropper and to prevent the eavesdropper from forging a message exchange, the comparison is not done publicly. Instead, the devices extract secret keys from the estimates and then check if they coincide using a key confirmation procedure. Upon performing the confirmation procedure, the first MIMO device will be able to detect an attempt by the eavesdropper to modify the channel.
Estimating and verifying a channel between two devices is also referred to as pairing the devices.
In a first implementation of the first MIMO device according to the first aspect, the key confirmation unit is configured to:
- generate a random number,
- encrypt the random number with the first key to obtain a first bit sequence,
- transmit the first bit sequence,
- receive a second bit sequence,
- decrypt the second bit sequence with the first key, and
- determine that the first key corresponds to the second key if the decrypted second bit sequence matches a mapping of the random number.
Thus, the key confirmation unit is able to securely confirm with a second MIMO device whether its first key corresponds to a second key of the second MIMO device. Since the first key is generated from a channel estimate of the first MIMO device and the second key is generated by the second MIMO device based on a channel estimate of the second MIMO device, this allows confirming whether the first and second MIMO device have estimated the same channel. Thus, the first MIMO device according to the first implementation allows performing a secure channel verification. In an embodiment, the mapping is an invertible, non-identical function. The mapping can e.g. be a random function that is known to both the first and the second MIMO device.
In a second implementation of the first MIMO device according to the first aspect, the key confirmation unit is configured to determine that the first key corresponds to the second key if at least a predetermined part of bits of the first and second key are identical.
This has the advantage that the key comparison can be performed faster. For example, the predetermined part can be a fixed first part of the bits of the first and second key. If these first parts of the keys correspond, it can be assumed that the entire keys correspond. Furthermore, according to the second implementation, a secrecy level and/or a robustness of the verification procedure is increased.
In a third implementation of the MIMO device according to the first aspect, the first MIMO device is configured to select the first pilot sequence from a set of first pilot sequences, and the transmitter is configured to transmit an index of the selected first pilot sequence after transmitting the first pilot sequence.
Allowing the first MIMO device to select the first pilot sequence from a set of first pilot sequences has the advantage that an attack by an eavesdropper is made more difficult: An eavesdropper cannot "overwrite" the channel by using the same pilot sequence as the first MIMO device because he cannot know in advance what pilot sequence the first MIMO device will use.
Furthermore, the first MIMO device can be configured to receive an index of a selected second pilot sequence, and the channel estimator is further configured to estimate the first channel using the received index. This has the advantage that a second MIMO device can choose a pilot sequence from a set of pilot sequences, thus making it impossible for an eavesdropper to overwrite the pilot sequence that is sent from the second MIMO device.
In a fourth implementation of the first MIMO device according to the first aspect:
- the receiver is configured to receive a further second pilot sequence,
- the channel estimator is configured to estimate a further first channel based on the received further second pilot sequence,
- the key generator is configured to generate a further first key based on a difference between the estimated first channel and the estimated further first channel, and
- the key confirmation unit is configured to determine whether the further first key corresponds to a further second key of the second MIMO device.
This provides an efficient way of secure channel tracking, wherein only changes of the channel are estimated. In particular, data signals can be used as pilot sequences (once data have been decoded).
A second aspect of the invention refers to a second MIMO device for enabling a first MIMO device to perform channel estimation and verification, the MIMO device comprising:
- a receiver configured to receive a first pilot sequence,
- a transmitter configured to transmit a second pilot sequence,
- a channel estimator configured to estimate a second channel based on the received first pilot sequence,
- a key generator configured to generate a second key based on the estimated second channel, and
- a key confirmation response unit configured to communicate with the first MIMO device for enabling the first device to confirm whether the second key corresponds to a first key of the first MIMO device.
The second MIMO device is configured to make it possible for the first MIMO device to confirm whether the first key of the first MIMO device and the second key of the second MIMO device correspond. Thus, the second MIMO device makes it possible for the first MIMO device to verify whether the channel was estimated correctly, without interference from an eavesdropper. The second MIMO device can have a more "passive" role in the channel estimation, i.e., it can be configured to respond to requests from the first MIMO device.
Note that the key confirmation can be carried out such that after the key confirmation, the first MIMO device knows whether the keys correspond, but the second MIMO device does not know whether the keys correspond.
A MIMO device can be configured such that it is a first MIMO device according to the first aspect and a second MIMO device according to the second aspect. In other words, a MIMO device can comprise the features of a first and a second MIMO device. Thus, the MIMO device can act both as initiator of a channel estimation and verification and as a response unit for a channel estimation and verification.
In a first implementation of the second MIMO device of the second aspect, the key confirmation response unit is configured to:
- receive a first bit sequence,
- decrypt the first bit sequence with the second key,
- encrypt a mapping of the decrypted first bit sequence with the second key to obtain a second bit sequence, and
- transmit the second bit sequence.
Thus, the second MIMO device can assist a key confirmation unit of a first MIMO device to carry out a key confirmation.
In a second implementation of the second MIMO device of the second aspect, the transmitter is configured to transmit the second pilot sequence after receiving the first pilot sequence, and wherein the second MIMO device is configured to select the second pilot sequence from a set of candidate sequences based on the estimated second channel. This has the advantage that the second pilot sequence can be adapted to the knowledge of the channel that the second MIMO device has obtained from receiving and evaluating the first pilot sequence from a first MIMO device.
In a third implementation of the second MIMO device of the second aspect:
- the receiver is configured to receive a further first pilot sequence,
- the channel estimator is configured to estimate a further second channel based on the received further first pilot sequence,
- the key generator is configured to generate a further second key based on the difference between the estimated original second channel and the estimated further second channel, and
- the key confirmation response unit is configured to communicate with the first MIMO device for confirming whether the further second key corresponds to a further first key of the first MIMO device.
In a fourth implementation of the second MIMO device of the first or second aspect, the key generator is configured to generate the first and/or second key based on the estimated second channel by implementing advantage distillation, information reconciliation and privacy amplification phases.
This represents a particularly efficient way of generating the first and/or second key. In particular, keys can be generated such that the same key is generated for similar channel estimates. This has the advantage that the channel verification can succeed even if the first and the second MIMO device have slightly different channel estimates, e.g. due to measurement errors.
In a further implementation of the MIMO device according to the second aspect, the second MIMO device is configured to select the second pilot sequence from a set of second pilot sequences, and the transmitter is configured to transmit an index of the selected second pilot sequence after transmitting the second pilot sequence.
Also, the second MIMO device can be configured to receive an index of a selected first pilot sequence, and the channel estimator can be further configured to estimate the second channel using the received index.
A third aspect of the invention refers to a system comprising a first MIMO device according to the first aspect or one of the implementations of the first aspect and a second MIMO device according to the second aspect or one of the implementations of the second aspect, wherein preferably the first MIMO device and the second MIMO device are configured to use a same mapping function.
The system according to the third aspect may comprise a first MIMO device and a second MIMO device, wherein:
- a transmitter at the first MIMO device is configured to transmit a first pilot sequence to the second MIMO device,
- a receiver at the first MIMO device is configured to receive a second pilot sequence transmitted by the second MIMO device,
- a channel estimator at the first MIMO device is configured to estimate a first channel based on the received second pilot sequence, and a channel estimator at the second MIMO device is configured to estimate a second channel based on the received first pilot sequence,
- a key generator at the first MIMO device is configured to generate a first key based on the estimated first channel, and a key generator at the second MIMO device is configured to generate a second key based on the estimated second channel,
- a key confirmation response unit at the second MIMO device is configured to communicate with the first MIMO device for confirming whether the further second key corresponds to a further first key of the first MIMO device.
The mapping function can be predefined on the first and second MIMO device or it can be assigned to the devices using a secure communication channel, e.g. an encrypted channel.
A fourth aspect of the invention refers to a method for channel estimation and verification, the method comprising:
- transmitting a first pilot sequence,
- receiving a second pilot sequence,
- estimating a first channel based on the received second pilot sequence,
- generating a first key based on the estimated first channel, and
- communicating with a second MIMO device to determine whether the first key corresponds to a second key of a second MIMO device.
The method according to the fourth aspect of the invention can be performed by the first MIMO device according to the first aspect of the invention. Further features or implementations of the method according to the fourth aspect of the invention can perform the functionality of the first MIMO device according to the first aspect of the invention and its different implementation forms.
A fifth aspect of the invention refers to a method for enabling a first MIMO device to perform channel estimation and verification, the method comprising:
- receiving a first pilot sequence,
- transmitting a second pilot sequence,
- estimating a second channel based on the received first pilot sequence,
- generating a second key based on the estimated second channel, and
- communicating with the first MIMO device for confirming whether the second key corresponds to a first key of the first MIMO device.
The method according to the fifth aspect of the invention can be performed by the second MIMO device according to the second aspect of the invention. Further features or implementations of the method according to the fifth aspect of the invention can perform the functionality of the second MIMO device according to the second aspect of the invention and its different implementation forms.
A sixth aspect of the invention refers to a method for a first MIMO device and a second MIMO device to perform channel estimation and verification, the method comprising:
- the first MIMO device transmitting a first pilot sequence,
- the second MIMO device receiving the first pilot sequence, estimating a second channel based on the received first pilot sequence, and generating a second key based on the estimated second channel,
- the second MIMO device transmitting a second pilot sequence,
- the first MIMO device receiving the second pilot sequence, estimating a first channel based on the received second pilot sequence, and generating a first key based on the estimated first channel, and
- the first MIMO device communicating with the second MIMO device to determine whether the first key corresponds to the second key.
A seventh aspect of the invention refers to a computer-readable storage medium storing program code, the program code comprising instructions for carrying out the method of the fourth, fifth or sixth aspect or one of their implementations.
BRIEF DESCRIPTION OF THE DRAWINGS
To illustrate the technical features of embodiments of the present invention more clearly, the accompanying drawings provided for describing the embodiments are introduced briefly in the following. The accompanying drawings in the following description are merely some embodiments of the present invention, but modifications on these embodiments are possible without departing from the scope of the present invention as defined in the claims.
FIG. 1 is a block diagram illustrating a first MIMO device in accordance with an embodiment of the present invention,
FIG. 2 is a block diagram illustrating a second MIMO device in accordance with a further embodiment of the present invention,
FIG. 3 is a block diagram of a system in accordance with an embodiment of the present invention,
FIG. 4 is a flow chart of a method for channel estimation in accordance with a further embodiment of the present invention,
FIG. 5 is a flow chart of a method for enabling a first MIMO device to securely estimate a channel in accordance with a further embodiment of the present invention,
FIG. 6 is a flow chart of a method for a first MIMO device and a second MIMO device in accordance with a further embodiment of the present invention,
FIG. 7 is a block diagram of a system in accordance with a further embodiment of the invention,
FIG. 8 is a flow chart of a method for secure channel estimation in accordance with a further embodiment of the invention, and
FIG. 9 is a flow chart of a method for secure key verification in accordance with a further embodiment of the invention.
DETAILED DESCRIPTION OF THE EMBODIMENTS
FIG. 1 shows a first MIMO device 100 for channel estimation and verification, comprising a transmitter 110, a receiver 120, a channel estimator 130, a key generator 140 and a key confirmation unit 150.
The transmitter 110 is configured to transmit a first pilot sequence. The first pilot sequence can be a predetermined pilot sequence or it can be a pilot sequence that the transmitter selects from a set of pilot sequences.
The receiver 120 is configured to receive a second pilot sequence. The transmitter 110 and the receiver 120 can be configured to use the same antenna for transmitting and receiving the first and second pilot sequences.
The channel estimator 130 is configured to estimate a first channel based on the received second pilot sequence. For example, the channel estimator 130 can be configured to estimate a channel matrix based on the received second pilot sequence. The key generator 140 is configured to generate a first key based on the estimated first channel. Preferably, the key estimation is performed such that slightly different first channel estimates yield the same first key. The first key can have a length of e.g. 128 bit or 256 bit. The key generator 140 can use the transmitter 110 and receiver 120 to interact with a second MIMO device.
The key confirmation unit 150 is configured to determine whether the first key corresponds to a second key of a second MIMO device. The key confirmation unit 150 can be configured to communicate with the second MIMO device, e.g. using the transmitter 110 and receiver 120. Preferably, the key confirmation unit is configured to communicate such that an eavesdropper cannot identify the first and/or second key.
FIG. 2 shows a second MIMO device 200 for enabling a first MIMO device to perform channel estimation and verification, comprising a receiver 210, a transmitter 220, a channel estimator 230, a key generator 240 and a key confirmation response unit 250.
The receiver 210 is configured to receive a first pilot sequence, e.g. a pilot sequence sent by the first MIMO device shown in FIG. 1.
The transmitter 220 is configured to transmit a second pilot sequence. The second pilot sequence can be a predetermined second pilot sequence or it can be a pilot sequence that the second MIMO device 200 selects from a set of pilot sequences.
The channel estimator 230 is configured to estimate a second channel based on the received first pilot sequence. The channel estimator 230 can be configured similarly or identically to the channel estimator 130 of the first MIMO device 100.
The key generator 240 is configured to generate a second key based on the estimated second channel. The key generator 240 can be configured similarly or identically to the key generator 140 of the first MIMO device 100.
The key confirmation response unit 250 is configured to communicate with the first MIMO device 100 for enabling the first MIMO device 100 to confirm whether the second key corresponds to a first key of the first MIMO device 100.
FIG. 3 shows a system 300 comprising a first MIMO device 100, e.g. the MIMO device of FIG. 1, and a second MIMO device 200, e.g. the MIMO device of FIG. 2, wherein the first MIMO device 100 and the second MIMO device 200 are configured to use the same mapping function.
The second MIMO device 200 is configured to transmit a pilot sequence to the first MIMO device 100, which allows the first MIMO device 100 to estimate a first channel 310. The first MIMO device 100 is configured to transmit a pilot sequence to the second MIMO device 200, which allows the second MIMO device 200 to estimate a second channel 320.
The first MIMO device 100 can be e.g. an access node of a communication network and the second MIMO device 200 can be a mobile device connected to the access node. Alternatively, the second MIMO device 200 can be an access node of a communication network and the first MIMO device 100 can be a mobile device connected to the access node.
FIG. 4 shows a method 400 for channel estimation and verification.
The method comprises a first step 410 of transmitting a first pilot sequence and a second step 420 of receiving a second pilot sequence. Preferably, the method comprises a further step (not shown in FIG. 4), wherein the receiver opens a receive channel for receiving the second pilot sequence after the transmitter has transmitted the first pilot sequence. In other words, it is assumed that the second pilot sequence is received only after the first pilot sequence has been transmitted.
A third step 430 comprises estimating a first channel based on the received second pilot sequence.
In a fourth step 440, a first key is generated based on the estimated first channel. The key generation can be performed using one of the known methods for generating keys corresponding to estimated transmit or receive channels, wherein e.g. the transmit or receive channels can be identified by a channel matrix.
In a fifth step 450, communication with a second MIMO device is performed to determine whether the first key corresponds to a second key of a second MIMO device. This communication can include transmitting and receiving encrypted information to and from a second MIMO device.
The method of FIG. 4 presents an elegant way to detect a pilot contamination attack, which is a major threat in the application of physical layer security. As opposed to other methods, the method of FIG. 4 can rely on pairing based on keys and binary mappings rather than signal processing approaches that may be prone to errors due to noise and interference. Applications of the method include (i) communications between the base station and mobile terminals equipped with multiple antennas and (ii) securing WiFi transmissions with multiple antennas. In particular, application of the method to massive MIMO is seen as a relevant application, as beamforming plays a critical role in the presence of a large number of antennas.
FIG. 5 shows a method 500 for enabling a first MIMO device 100 to perform channel estimation and verification. The method can be performed by a second MIMO device, e.g. the second MIMO device 200 shown in FIG. 2.
The method comprises a first step 510 of receiving a first pilot sequence. In an initial step (not shown in FIG. 5) before the first step 510, a receive channel can be opened. When the first pilot sequence is received, the method is started. In a second step 520, a second pilot sequence is transmitted and in a third step 530, a second channel is estimated based on the received first pilot sequence. The transmission of the second pilot sequence can be based on the received first pilot sequence. To this end, the third step 530 can be performed before the second step 520. In a fourth step 540, a second key is generated based on the estimated second channel.
In a fifth step 550, communication is performed with the first MIMO device 100 for confirming whether the second key corresponds to a first key of the first MIMO device 100. Here, preferably the communication is in response to commands received from the first MIMO device 100.
FIG. 6 shows a method 600 for a first MIMO device and a second MIMO device to perform channel estimation and verification. A first step 610 comprises the first MIMO device 100 transmitting a first pilot sequence.
A second step 620 comprises the second MIMO device 200 receiving the first pilot sequence, estimating a second channel based on the received first pilot sequence, and generating a second key based on the estimated second channel. A third step 630 comprises the second MIMO device 200 transmitting a second pilot sequence. A fourth step 640 comprises the first MIMO device 100 receiving the second pilot sequence, estimating a first channel based on the received second pilot sequence, and generating a first key based on the estimated first channel.
A fifth step 650 comprises the first MIMO device 100 communicating with the second MIMO device 200 to determine whether the first key corresponds to the second key.
FIG. 7 is a block diagram of a system 700 comprising a first device ("Alice"), indicated with reference number 710, a second device ("Bob") indicated with reference number 720, and an eavesdropping device ("Eve"), indicated with reference number 730. A channel 712 between Alice and Bob is described by the channel matrix H. A channel 732 between Alice and Eve is described by channel matrix G1. A channel 734 between Eve and Bob is described by channel matrix G2.
FIG. 8 is a flow chart of a further method 800 for secure channel estimation. With reference to the scenario in FIG. 7, there are two pilot transmission phases: first Alice transmits (in step 810) pilots to Bob, and second (in step 820) Bob transmits pilots to Alice; the pilots are assumed to be publicly known.
Based on the received pilots, Alice and Bob estimate the channel. Note that if Eve performs a pilot contamination attack, the channels estimated by Alice and Bob will differ, since one will be an estimate of H + G1 and the other an estimate of H + G2. Note further that Eve does not know H and therefore cannot enforce equality of H + G1 and H + G2. In order to check the consistency of the two channels without revealing them to Eve (who could benefit from this knowledge in the following), Alice and Bob extract in step 830 a secret key from the estimated channels (see M. Bloch, J. Barros, Physical Layer Security, Cambridge University Press, 2011 for details on the secret key extraction procedure). By this technique they obtain a bit sequence (key) from the channel estimates. Denote by a the key generated by Alice and by b the key generated by Bob. Let M be the length of the extracted keys (in number of bits). If no attack is present, the two bit sequences are identical despite noise that has affected the estimation. In the presence of an attack that has modified the channel in a way such that the resulting difference of the channel estimates is above the noise level, the two bit sequences (keys) at Alice and Bob will be different.
Therefore, in step 840 a key confirmation procedure is used to check if the two extracted keys coincide. If the extracted keys do not coincide, the pairing fails (step 850). If the extracted keys coincide, the pairing succeeds (step 860).
FIG. 9 is a flow chart of an example method 900 for confirming whether the secret keys of Alice and Bob correspond. Alice generates a sequence of M random bits, denoted by r, and xors them with the secret key a (bit-wise modulo-two sum) to obtain x = a + r, i.e., Alice performs a one-time-pad encoding of the random bits. In step 910, the encoded bits x are transmitted over the channel. In step 920, Bob detects these encoded bits and decrypts them using his extracted key b, in order to obtain the random bit sequence generated by Alice: r' = x + b (modulo-two sum). Bob then maps the decrypted bits into another sequence of M bits by applying an invertible non-identical function h(.) to obtain the mapped value h(r'). On this mapped value Bob performs one-time padding with his key and in step 930 sends the encrypted message to Alice: y = h(r') + b. In step 940, Alice decrypts the message by removing the one-time pad, z = y + a, and checks in step 950 if the received message is the correct mapped value of her randomly generated bits, i.e. she checks if h(r) = z. If the two mapped values are equal, Alice concludes that there is no pilot contamination attack, and pairing is successful.
If the mapping is an identical mapping and the first and second key coincide, then the second device would send back r' = r thus revealing the original sequence to Eve. Then Eve can simply compute x + r = a thus obtaining a, which means that Eve knows something about the channel and can use this information to improve her attack. Therefore, preferably, the mapping is a random mapping that prevents Eve from obtaining information about the sequence r when Bob is transmitting.
A few facts are worth noting: First, when Alice and Bob estimate the same channel, the extracted keys are the same and the whole procedure leads to a successful pairing. If instead the keys extracted by Alice and Bob do not correspond to each other, the decryption by Bob will lead to another message, thus to another mapped value, and the pairing process will fail. Second, Eve does not learn the channel H during this process. Third, if Eve performs an attack in the phases following the training phase, she does not get to know the secret key and thus cannot break the pairing process.
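The FIG. 9 exchange as runnable Python, added here as an illustration and not taken from the patent: the Feistel-based mapping h, the constructed keys and the names Alice, Bob and confirm are assumptions of this example. It goes slightly beyond the text by also running the identity mapping, which shows why h must be non-identical: the check then passes even when the keys differ.

```python
import hashlib
import hmac
import secrets

M = 128                      # key length in bits; the page gives 128 or 256 as examples
HALF = M // 2
HALF_MASK = (1 << HALF) - 1


def _round(rnd: int, half: int) -> int:
    """Public round function of the assumed mapping (truncated SHA-256)."""
    data = bytes([rnd]) + half.to_bytes(HALF // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[: HALF // 8], "big")


def h(v: int) -> int:
    """Assumed mapping h: a 4-round Feistel permutation (invertible, not XOR-linear)."""
    left, right = v >> HALF, v & HALF_MASK
    for rnd in range(4):
        left, right = right, left ^ _round(rnd, right)
    return (left << HALF) | right


def h_inverse(v: int) -> int:
    """Undo h by running the Feistel rounds backwards."""
    left, right = v >> HALF, v & HALF_MASK
    for rnd in reversed(range(4)):
        left, right = right ^ _round(rnd, left), left
    return (left << HALF) | right


def identity(v: int) -> int:
    """The mapping the page warns against."""
    return v


class Alice:
    def __init__(self, key_a: int, mapping=h):
        self.a, self.mapping, self.r = key_a, mapping, None

    def challenge(self) -> int:
        self.r = secrets.randbits(M)       # M fresh random bits r
        return self.a ^ self.r             # step 910: x = a + r

    def verify(self, y: int) -> bool:
        z = y ^ self.a                     # step 940: z = y + a
        expected = self.mapping(self.r)    # step 950: compare with h(r)
        return hmac.compare_digest(z.to_bytes(M // 8, "big"),
                                   expected.to_bytes(M // 8, "big"))


class Bob:
    def __init__(self, key_b: int, mapping=h):
        self.b, self.mapping = key_b, mapping

    def respond(self, x: int) -> int:
        r_prime = x ^ self.b               # step 920: r' = x + b
        return self.mapping(r_prime) ^ self.b   # step 930: y = h(r') + b


def confirm(key_a: int, key_b: int, mapping=h):
    """Run one exchange and return (x, y, paired)."""
    alice, bob = Alice(key_a, mapping), Bob(key_b, mapping)
    x = alice.challenge()
    y = bob.respond(x)
    return x, y, alice.verify(y)


# Constructed sample keys: KEY stands for a key both sides extracted from the
# same channel; KEY_CONTAMINATED differs in one bit, as after mismatched estimates.
KEY = int.from_bytes(hashlib.sha256(b"constructed channel key").digest()[:16], "big")
KEY_CONTAMINATED = KEY ^ (1 << 5)

if __name__ == "__main__":
    print("same keys, mapping h:        ", confirm(KEY, KEY)[2])
    print("different keys, mapping h:   ", confirm(KEY, KEY_CONTAMINATED)[2])
    x, y, ok = confirm(KEY, KEY_CONTAMINATED, mapping=identity)
    print("different keys, identity map:", ok, "| reply equals challenge:", x == y)
```

With the identity mapping Bob's reply is bit-for-bit Alice's challenge, so the check carries no information about either key; a deployment should reject a configured mapping that behaves this way.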
The channel reciprocity between Alice and Bob is important. However, this is relevant not only for the detection of pilot contamination but also for the forthcoming use of the channel estimate by Alice, i.e., beamforming secret messages to Bob. If the channel is different due to hardware impairments, the channel estimate that will be used by Alice after the pairing process will not be correct. In fact, Alice will beamform a signal to Bob using the channel estimate, but if it is not correct, the signal will not reach Bob, and Bob will not be able to decode the secret information. So the assumption that hardware impairments are moderate is associated with the use of this estimate. When we look specifically at robustness of the method to (moderate) mismatches, we note that the channel H is used to extract the secret key, and the secret key extraction procedure available in existing literature includes the fact that Alice and Bob have different estimates of the channel. Therefore, the solution can be considered robust to hardware impairments. Impairments, however, can diminish the protection against attacks for the following reason: the higher the noise level or the larger the impairments, the fewer bits can be extracted from the channel, and thus the shorter the secret key.
In the following, some variations of the general method are described.
Choice of pilot sequence
The pilot sequence transmitted by the first MIMO device can be chosen randomly from a (large) set of sequences. After the pilot sequence has been transmitted to the second MIMO device, the first MIMO device will send another packet indicating the index of the pilot sequence. After this, the second MIMO device chooses randomly another pilot sequence from a (large) set of sequences and transmits it to the first MIMO device. After the pilot sequence has been transmitted to the first MIMO device, the second MIMO device will send another packet indicating the index of the selected second pilot sequence.
This solution makes an attack by a third device more easily detectable since the third device does not know the pilot sequence in advance and therefore cannot "overwrite" it.
Use of secret key
The extracted first and/or second key can also be used to make data transmission secret or to choose a secret key, i.e., the first and second keys can also be used for conventional security purposes. In particular, the first and/or the second MIMO device can be configured to encrypt a message with the first and/or second key and to transmit the encrypted message.
Channel tracking
After initial channel estimation and verification, channel variations can be tracked. Such tracking can be performed continuously and thus allows for continuous key verification as follows:
- Data signals can be used as pilots (once data have been decoded). This data-directed channel estimation avoids the use of pilots. Pilots can still be exchanged among terminals (e.g., to simplify the channel estimation with respect to the data-directed approach).
- The first MIMO device and the second MIMO device can compute the difference between the newly estimated channel and the previously estimated channel.
- They perform the secret key extraction on the computed channel difference.
- They do key verification on the two extracted keys as indicated above.
Integration of secret key extraction and key verification
The two steps of first secret key extraction and then key verification can be partially integrated. The method outlined above for secret key extraction provides that the first MIMO device sends to the second MIMO device a sequence of bits that allow the second MIMO device to correct up to a certain number of differences between the first MIMO device's and the second MIMO device's keys. Then, with the key verification procedure it is checked that the obtained keys are effectively the same.
An alternative solution provides that the first MIMO device sends to the second MIMO device a sequence of bits that allow the first MIMO device to detect errors, rather than to correct them. By using these bits, the second MIMO device can directly perform the key verification step by determining whether or not the number of differences in the two sequences is above a threshold. In general, the number of bits required to detect errors is smaller than the number required to correct errors. In practice this can represent an advantage (also simplifying the algorithm).
Key confirmation procedure
The key confirmation procedure can be carried out, e.g., by the key confirmation unit of the first MIMO device and the key confirmation response unit of the second MIMO device, as follows:
a. The first MIMO device generates a sequence of M random bits, denoted by r, and xors them with the secret key (bit-wise modulo-two sum) to obtain x = a + r.
b. The bits x are transmitted over the channel, and the second MIMO device decrypts them using its extracted key b.
c. The second MIMO device then maps the decrypted bits into another sequence of M bits by applying an invertible non-identical function h(.) to obtain the mapped value h(r').
d. The second MIMO device xors the mapped bits with its key and sends the encrypted message to the first MIMO device: y = h(r') + b.
e. The first MIMO device decrypts the message by removing the one-time pad, z = y + a, and checks whether the received message is the correct mapped value of its randomly generated bits, i.e., it checks whether h(r) = z.
f. If this check is passed, pairing is successful.
To summarize, physical layer security allows for efficient secret transmission by exploiting characteristics of the wireless channel. Correct channel state information (CSI) is very important in methods for physical layer security, especially when devices are equipped with multiple antennas. During the channel acquisition phase, an attacker may apply a pilot contamination attack to enforce wrong CSI and thus get access to information in the following transmission.
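The key confirmation exchange of steps a to f, run end to end, as an added example that is not part of the patent text. M = 128 and both candidate mappings h are assumptions; the page requires only that h be invertible and non-identical. Bitwise complement meets that wording but is affine over XOR, so the one-time pads cancel and the check accepts any pair of keys, while the unkeyed Feistel mapping (also an assumption) is a non-affine alternative that rejects a one-bit key mismatch.

```python
import hashlib
import secrets

M_BYTES = 16  # M = 128 bits; constructed value, the page leaves M open


def xor(u: bytes, v: bytes) -> bytes:
    """Bit-wise modulo-two sum of two equal-length bit strings."""
    if len(u) != len(v):
        raise ValueError("bit strings must have the same length")
    return bytes(p ^ q for p, q in zip(u, v))


def h_complement(v: bytes) -> bytes:
    """Assumed candidate h: invertible and non-identical, but affine over XOR."""
    return bytes(p ^ 0xFF for p in v)


def h_feistel(v: bytes, rounds: int = 4) -> bytes:
    """Assumed candidate h: unkeyed Feistel permutation with SHA-256 as the
    round function. Invertible by construction and not affine over XOR."""
    half = len(v) // 2
    left, right = v[:half], v[half:]
    for i in range(rounds):
        f = hashlib.sha256(bytes([i]) + right).digest()[:half]
        left, right = right, xor(left, f)
    return left + right


def bob_respond(x: bytes, b: bytes, h) -> bytes:
    """Steps b to d: remove the pad with Bob's key b, map with h, pad again."""
    r_prime = xor(x, b)
    return xor(h(r_prime), b)


def confirm_pairing(a: bytes, b: bytes, h, r=None) -> bool:
    """Steps a to f. a is the first device's key, b the second device's key."""
    r = secrets.token_bytes(len(a)) if r is None else r  # step a: random bits
    x = xor(a, r)                                        # step a: x = a + r
    y = bob_respond(x, b, h)                             # steps b to d
    z = xor(y, a)                                        # step e: z = y + a
    return secrets.compare_digest(z, h(r))               # steps e, f: h(r) = z?


if __name__ == "__main__":
    key = secrets.token_bytes(M_BYTES)
    flipped = bytes([key[0] ^ 0x01]) + key[1:]  # constructed one-bit mismatch
    for name, h in (("complement", h_complement), ("feistel", h_feistel)):
        print(name,
              "same keys:", confirm_pairing(key, key, h),
              "one bit differs:", confirm_pairing(key, flipped, h))
```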
The invention allows a secure pairing process between two devices equipped with multiple antennas by preventing an attacker from performing the pilot contamination attack, ensuring that the estimates of the channels obtained by the two legitimate terminals coincide, correct CSI is available, and the following transmission is secure.
The foregoing descriptions are only implementation manners of the present invention; the scope of the present invention is not limited to this. Any variations or replacements can be easily made by a person skilled in the art. Therefore, the protection scope of the present invention should be subject to the protection scope of the attached claims.

Claims

1. A first MIMO device (100; 710) for channel estimation and verification, the first MIMO device comprising:
a transmitter (110) configured to transmit a first pilot sequence,
a receiver (120) configured to receive a second pilot sequence,
a channel estimator (130) configured to estimate a first channel (310; 712) based on the received second pilot sequence,
a key generator (140) configured to generate a first key based on the estimated first channel (310; 712), and
a key confirmation unit (150) configured to determine whether the first key corresponds to a second key of a second MIMO device (200; 720).
2. The first MIMO device (100; 710) of claim 1, wherein the key confirmation unit (150) is configured to:
generate a random number,
encrypt the random number with the first key to obtain a first bit sequence,
transmit the first bit sequence,
receive a second bit sequence,
decrypt the second bit sequence with the first key, and
determine that the first key corresponds to the second key if the decrypted second bit sequence matches a mapping of the random number.
3. The first MIMO device (100; 710) of claim 1 or 2, wherein the key confirmation unit (150) is configured to determine that the first key corresponds to the second key if at least a predetermined part of bits of the first and second key are identical.
4. The first MIMO device (100; 710) of one of the previous claims, wherein the first MIMO device is configured to select the first pilot sequence from a set of first pilot sequences, and wherein the transmitter is configured to transmit an index of the selected first pilot sequence after transmitting the first pilot sequence and/or wherein the first MIMO device is configured to receive an index of a selected second pilot sequence, and wherein the channel estimator is further configured to estimate the first channel based on the received index.
5. The first MIMO device (100; 710) of one of the previous claims, wherein:
the receiver (120) is configured to receive a further second pilot sequence,
the channel estimator (130) is configured to estimate a further first channel based on the received further second pilot sequence,
the key generator (140) is configured to generate a further first key based on a difference between the estimated first channel and the estimated further first channel, and
the key confirmation unit (150) is configured to determine whether the further first key corresponds to a further second key of the second MIMO device (200; 720).
6. A second MIMO device (200; 720) for enabling a first MIMO device to perform channel estimation and verification, the MIMO device comprising:
a receiver (210) configured to receive a first pilot sequence,
a transmitter (220) configured to transmit a second pilot sequence,
a channel estimator (230) configured to estimate a second channel (320; 712) based on the received first pilot sequence,
a key generator (240) configured to generate a second key based on the estimated second channel, and
a key confirmation response unit (250) configured to communicate with the first MIMO device for enabling the first device to confirm whether the second key corresponds to a first key of the first MIMO device.
7. The second MIMO device (200; 720) of claim 6, wherein the key confirmation response unit (250) is configured to:
receive a first bit sequence,
decrypt the first bit sequence with the second key,
encrypt a mapping of the decrypted first bit sequence with the second key to obtain a second bit sequence, and
transmit the second bit sequence.
8. The second MIMO device (200; 720) of one of claims 6 and 7, wherein the transmitter (220) is configured to transmit the second pilot sequence after receiving the first pilot sequence, and wherein the second MIMO device is configured to select the second pilot sequence from a set of candidate sequences based on the estimated second channel (320; 712).
9. The second MIMO device (200; 720) of one of claims 6 to 8, wherein:
the receiver (210) is configured to receive a further first pilot sequence,
the channel estimator (230) is configured to estimate a further second channel based on the received further second pilot sequence, and
the key generator (240) is configured to generate a further first key based on a difference between an estimated original first channel and the estimated further second channel, and
the key confirmation response unit (250) is configured to communicate with the first MIMO device (100; 710) for confirming whether the further second key corresponds to a further first key of the first MIMO device (100; 710).
10. The MIMO device (100, 200) of one of the previous claims, wherein the key generator (240) is configured to generate the first and/or second key based on the estimated second channel by implementing advantage distillation, information reconciliation and privacy amplification phases.
11. A system (300) comprising a first MIMO device (100; 710) according to one of claims 1 to 5 and a second MIMO device (200; 720) according to one of claims 6 to 10, wherein preferably the first MIMO device and the second MIMO device are configured to use a same mapping function.
12. A method (400) for channel estimation and verification, the method comprising:
transmitting (410) a first pilot sequence,
receiving (420) a second pilot sequence,
estimating (430) a first channel based on the received second pilot sequence,
generating (440) a first key based on the estimated first channel, and
communicating (450) with a second MIMO device (200; 720) to determine whether the first key corresponds to a second key of a second MIMO device (200; 720).
13. A method (500) for enabling a first MIMO device (100; 710) to perform channel estimation and verification, the method comprising:
receiving (510) a first pilot sequence,
transmitting (520) a second pilot sequence,
estimating (530) a second channel based on the received first pilot sequence,
generating (540) a second key based on the estimated second channel, and
communicating (550) with the first MIMO device (100; 710) for confirming whether the second key corresponds to a first key of the first MIMO device (100; 710).
14. A method (600) for a first MIMO device (100; 710) and a second MIMO device (200; 720) to perform channel estimation and verification, the method comprising:
the first MIMO device (100; 710) transmitting (610) a first pilot sequence,
the second MIMO device (200; 720) receiving (620) the first pilot sequence, estimating a second channel based on the received first pilot sequence, and generating a second key based on the estimated second channel,
the second MIMO device (200; 720) transmitting (630) a second pilot sequence,
the first MIMO device (100; 710) receiving (640) the second pilot sequence, estimating a first channel based on the received second pilot sequence, and generating a first key based on the estimated first channel, and
the first MIMO device (100; 710) communicating (650) with the second MIMO device (200; 720) to determine whether the first key corresponds to the second key.
15. A computer-readable storage medium storing program code, the program code comprising instructions for carrying out the method of one of claims 12 to 14.
PCT/EP2015/074037 2015-10-16 2015-10-16 Secure paring method for mimo systems WO2017063716A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201580083630.2A CN109417469B (en) 2015-10-16 2015-10-16 MIMO system secure pairing method
PCT/EP2015/074037 WO2017063716A1 (en) 2015-10-16 2015-10-16 Secure paring method for mimo systems

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2015/074037 WO2017063716A1 (en) 2015-10-16 2015-10-16 Secure paring method for mimo systems

Publications (1)

Publication Number Publication Date
WO2017063716A1 true WO2017063716A1 (en) 2017-04-20

Family

ID=54364273

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2015/074037 WO2017063716A1 (en) 2015-10-16 2015-10-16 Secure paring method for mimo systems

Country Status (2)

Country Link
CN (1) CN109417469B (en)
WO (1) WO2017063716A1 (en)

Also Published As

Publication number Publication date
CN109417469B (en) 2021-09-07
CN109417469A (en) 2019-03-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15787499

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15787499

Country of ref document: EP

Kind code of ref document: A1