Securing Wireless Communications of the Internet of Things from the Physical Layer, An Overview

The security of the Internet of Things (IoT) is receiving considerable interest as the low power constraints and complexity features of many IoT devices are limiting the use of conventional cryptographic techniques. This article provides an overview of recent research efforts on alternative approaches for securing IoT wireless communications at the physical layer, specifically the key topics of key generation and physical layer encryption. These schemes can be implemented and are lightweight, and thus offer practical solutions for providing effective IoT wireless security. Future research to make IoT-based physical layer security more robust and pervasive is also covered.


I. INTRODUCTION
The Internet of Things (IoT) aims to allow ubiquitous connections between things with computing, communication, and sensing ability. IoT applications include smart cities, smart traffic, healthcare, smart home, industrial monitoring, and environment monitoring, etc. [1], [2], which have revolutionized every aspect of our life. On the other hand, many open research problems still remain to allow this technology to become widely available as proposed [3]. For example, IoT security and privacy remains a major concern as indicated by the UK IoT government report [4] and agreed by many experts [5]. To this end, research into effective IoT security remains a key objective as indicated by major sponsors such as the US National Science Foundation [6], the European Horizon 2020 research programs [7], and the UK's Engineering and Physical Sciences Research Council [8].
The number of connected devices has already exceeded the world's population and is increasing exponentially. It is predicted by numerous sources that IoT devices will number 10 billion by 2020 [9]. For example, Cisco estimated there would be 6.58 connected devices per person by 2020, i.e., about 50 billion devices in total [10]. With the huge amount of IoT devices, wireless communication is preferred as it allows easy installation and provides ubiquitous connection. Wireless air interfaces involved in the IoT include IEEE 802. 15  applications may work in a device-to-device communication mode where there is no secured public key infrastructure (PKI) for the distribution of public keys. Finally, with the development of quantum computing, the concept of PKC will be fundamentally challenged [18].
Conventional upper layer-based cryptography also leaves the transmission vulnerable to many passive and active attacks. For example, the MAC header is sent in plaintext and attackers can perform traffic analysis by observing the MAC header. In addition, the physical packet header is also sent in plaintext and can reveal side-channel information (SCI) such as data rate, packet length, mapping schemes, etc. [19]. Eavesdroppers can perform various attacks based on the observed SCI, such as analysis of users' activities and selective jamming. Therefore, the design of a low cost and robust cryptosystem for IoT is vital. While the main security streams have focused on the upper layers, the physical layer can also be leveraged to enhance security. In fact, reusing the physical layer features can decrease additional energy cost for security. As shown in Figure 2, security enhancement at the physical layer can be twofold. Firstly, information-theoretic security, also known as physical layer security (PLS), exploits the unpredictable features of wireless channels, such as fading; therefore, the system will not be compromised no matter how powerful the attackers are [20]- [23]. PLS transmission techniques achieve security through artificial noise [24], jamming [25], or beamforming [26], etc. However, many PLS transmission schemes are not practical yet because they require complex coding and/or the perfect/imperfect channel state information (CSI) of the receiver and/or eavesdroppers [13]. On the other hand, physical layer key generation, an active branch of PLS, is implementable because the legitimate users are able to agree on the same key from the noisy channel estimation [27], which can be used as an alternative to PKC in many circumstances.
Secondly, moving the encryption to the physical layer can protect the entire physical layer packet and thus the wireless connection is secured from many passive and active attacks.
Recently, a new hybrid approach considers how we can deploy cryptosystems directly into the physical layer and integrates information-theoretical security and computational security schemes, which are constructed by physical layer key generation and physical layer encryption (PLE), as shown in Figure 3. Alice and Bob carry out wireless transmission over the noisy channel using pilot signals. They are able to exploit common information of wireless channels and agree on the same cryptographic key through the key generation protocol consisted of channel probing, quantization, information reconciliation, and privacy amplification. The key is then fed to the PLE, which performs encryption operations at the modulation stages of the physical layer, and protects the IoT wireless transmission. Their integration offers a good example of how information-theoretic security schemes and computational security schemes can work together to protect IoT systems. Security countermeasures from the physical layer are lightweight and offer protection to the wireless transmission, and therefore are advantageous over conventional upper layer encryption-based security primitives.
There have been survey papers on the PLS transmission [28] and key generation [27], [29] to protect IoT. However, PLS transmission is limited in practical implementation and a survey on integration of key generation and encryption has never been reported. This article aims to provide an overview on the recent progress of this promising hybrid physical layer cryptosystem, with a focus on the practical implementation and algorithm prototyping.
The rest of this article is organized as follows. The wireless technologies used in IoT are introduced in Section II. We then describe the physical layer key generation in Section III and PLE in Section IV. Finally, we propose some future research directions in Section V that make securing IoT from the physical layer more robust and pervasive. Section VI concludes the article.

II. WIRELESS TECHNOLOGIES FOR IOT AND THEIR SECURITY COUNTERMEASURES
IoT aims to connect everything together and wireless communication is seen as the best option in order to avoid installation costs while enabling ubiquitous connection. IoT devices are normally tiny, embedded, and battery-powered, and thus communicate with each other through various lowpower wireless communication technologies. This section introduces several popular wireless technologies, including IEEE 802. 15 BLE, also known as Bluetooth Smart, was standardized in 2010 as Bluetooth Core Specification Version 4.0. BLE runs at 2.4 GHz frequency and uses frequency hopping spread spectrum (FHSS) to combat frequency interference. It supports short range communications (50 to 100 m) and a data rate of 1 Mbps. In addition, BLE consumes extremely low energy and can run for months on standard coin-cell batteries. It is suited for IoT applications such as wearable devices and it is predicted by the Bluetooth special interest group that more than 90% smartphones will support BLE by 2018 [30].
IEEE 802.11 families are the most popular wireless local area network (WLAN) standards working at 2.4/5 GHz. They include IEEE 802.11a/b/g/n and are supported almost by all smartphones, laptops, tablets, etc. IEEE 802.11 can be used in the smart home applications to provide large amounts of data transfer and as most houses are already covered by IEEE 802.11, installation costs can be avoided. Whilst legacy IEEE 802.11 standards may not be suitable for many lightweight IoT applications, IEEE 802.11ah was recently announced by the Wi-Fi alliance which has been developed explicitly for IoT. It works at sub 1 GHz bands and can cover large range communications. In addition, 802.11ah adopts narrower bandwidth and implements energy efficient protocols to extend the sensors' battery life. It is also optimized to support large groups of stations or sensors that cooperate to share the signals.
LoRaWAN is an emerging low power wide area network (WAN) technology with the first specification released in June, 2015 [31]. It also runs at sub 1 GHz and employs chirp spread spectrum. It supports long range coverage (> 15 km), millions of users, and low power consumption (up to ten years), and therefore is extremely suitable for low cost IoT devices.
IEEE 802.15.4, Bluetooth, and IEEE 802.11 systems usually handle the security at the data link/MAC layer. For example, an AES block cipher is used to protect the link layer of IEEE 802.15.4 and Bluetooth systems. In IEEE 802.11 systems, an MAC layer encryption scheme named WPA has been designed and implemented using AES. LoRa implements the security countermeasures by encryption at network and application layers.
A summary and comparison of the wireless technologies for the IoT is given in Table I.

III. PHYSICAL LAYER KEY GENERATION
Key generation from the randomness of wireless channels has been receiving much research interest [27], as it is wellsuited for establishing cryptographic keys as an alternative to PKC in IoT applications [32]. As shown in Figure 3, firstly, key generation exploits unpredictable but characteristic features of the wireless channel, and is thus informationtheoretically secure [33], [34]. Secondly, it can be carried out between a pair of users with no aid from a third user, while a secured PKI is always required for PKC. Finally, key generation is lightweight and uses limited resources as all of the operations are not complicated and thus meets the low computation capacity of IoT devices. Zenger et al. implemented their key generation scheme in a 32-bit ARM Cortex M3 processor (EFM32GG-STK3700) and an 8-bit Intel MCS-51 and showed the resource and energy consumption to be very low [35]. The authors also implemented a lightweight PKC, elliptic curves Diffie-Hellman key generation (ECDH), as a comparison. As shown in Table II, taking the implementation in 32-bit ARM processor as an example, the ECDH requires 5.73 times more code, 128.26 times more cycles, and consumes 41.52 times more energy, than that of the key generation protocol, respectively. Therefore, key generation from wireless channels is extremely suitable for low cost IoT devices.
Key generation works well in a dynamic wireless communication system, and is built on three principles.
• Channel reciprocity means the channel responses of the forward and backward links are the same, which is the basis for key generation. When two users measure the same channel parameters at the same frequency in a timedivision duplex (TDD) mode, the measurements at Alice and Bob are impacted by the non-simultaneous sampling and noise. However, a high correlation between channel measurements of Alice and Bob can still be maintained and eligible for key generation in a slow fading channel, as demonstrated in many practical experiments [36]- [39]. • Temporal variation indicates that there is randomness residing in the dynamic channel 3 , which ensures the extracted keys are random. A random key will make the cryptographic applications robust against attacks such as brute force. • Spatial decorrelation implies that when located a halfwavelength away from the legitimate users, the eavesdropper experiences an uncorrelated channel compared to that between Alice or Bob, guaranteeing the security of the key generation. When the system works at 2.4 GHz, a half-wavelength is about 6 cm, which is quite short. These principles have been theoretically modeled and analyzed in [43], [44] and experimentally validated in [38], [39].

A. Procedure
Key generation involves channel probing, quantization, information reconciliation, and privacy amplification, as shown in Figure 3. Without loss of generality, Alice is selected as the initiator of the key generation process.
In the channel probing step, the randomness residing in the temporal [36], [37], [43], frequency [43], [45]- [47], and spatial [48]- [51] domains can be extracted by measuring the channel parameters such as the received signal strength (RSS) and CSI, etc. In particular, at time t A Alice sends a public pilot signal to Bob who will measure the channel parameter as X B . Then, at time t B = t A + τ , Bob also sends a public pilot signal to Alice who will measure the same channel parameter and store it as X A . Alice and Bob will repeat the above channel sampling until they get enough measurements to generate a full set of keys 4 . It is worth noting that in this step, users adopt a public pilot signal to measure the channel but do not try to exchange message secretly. It is possible that some of the probe packets are not successful because of the poor channel condition, which results in a mismatch between the pairing of the measurements of Alice and Bob. This can be solved by exchanging and comparing the timestamps of the measurements, and keeping the records with the common timestamps. In TDD mode, the common timestamp does not necessarily indicate the timestamps with the exact same value, but their difference should be the sampling delay τ . For example, Alice will send her recorded timstamps to Bob, who will compare his timestamps and keep the common ones. Bob 3 In the urban area, the interference may be chaotic, because of the densely deployed access points [40]. The interference will impact the channel measurements accuracy but will not affect randomness nature of the wireless link between users. In addition, the statistical features of the channel may be deterministic [41], [42], but key generation is exploiting the instantaneous channel variation, which is random in nature. 4 The key length is determined by the cryptographic applications. For example, the key length of AES can be 128-bit, 192-bit, or 256-bit.  will then send his censored timestamps to Alice and she will also only keep the common ones, which will finally enable Alice and Bob to have the paired measurements. The exchange does not reveal any useful information to eavesdroppers. In the second step, both Alice and Bob will convert the analog measurements into binary sequences using quantization schemes. Mean and standard deviation-based quantizer [36] (Algorithm 1) and cumulative distribution functions (CDF)based quantizer [52] (Algorithm 2) are two popular quantizers. In Algorithm 1, µ X u is the mean value of X u , σ X u is the standard deviation of X u , α is used to adjust the threshold, and n is the number of the channel measurements. The design of quantizer relies on the selection of threshold and quantization level (QL). CDF-based quantization is able to obtain the same proportion of 0s and 1s as it can adaptively adjust the threshold, which is at the cost of increased complexity. The computational complexity of calculating the mean and variance is O(n). When calculating CDF, one key step is sorting the measurements, whose complexity is O n log(n) , which requires more computation than the calculation of the mean and variance. A performance comparison of quantization schemes is reported in [53].
In practical measurements, due to the half-duplex nature of the most commercial hardware platforms and the independent hardware noise, channel measurements of Alice and Bob, i.e., X A and X B , will not be identical, thus resulting in a disagreement between K A and K B . In the information reconciliation stage, Alice and Bob will leverage the error correction code (ECC) to reach an agreement, which is achieved via public discussion by exchanging information such as the syndrome.

Algorithm 1 Mean and standard deviation-based quantization
INPUT: X u % Channel measurement, RSS or CSI OUTPUT: K u % Key 1: η u if X u (i) > η u + then 5: K u (i) = 1 6: else if X u (i) < η u − then X u (i) dropped 10: end if 11: end for Secure sketch [54] is a popular key reconciliation technique and is given as an example in Algorithm 3. A comprehensive survey on information reconciliation techniques can be found in [55]. Finally, privacy amplification is employed to eliminate the information revealed to eavesdroppers, which can be implemented using hash functions [27].

B. Application
Due to its lightweight feature, this form of key generation has strong potential to provide the security for IoT. It has been applied in many wireless technologies, such as IEEE if η u j−1 ≤ X u (i) < η u j then , with many prototypes/implementations reported, see [27].
IEEE 802.11 is the most popular technique for the key generation implementation as the technique is widely adopted in our daily life. The work in [36] is one of the first and important papers that implemented key generation protocol. The authors generated keys from the peak of channel impulse response (CIR) using an 802.11 compatible field-programmable gate array (FPGA)-based platform, and also from RSS with a commercial Wi-Fi network interface card (NIC). However, the key generation rate is rather limited, i.e., about 1 bps, since the authors only extracted keys from coarse-grained channel parameter. Orthogonal frequency-division multiplexing (OFDM) is employed by IEEE 802.11a/g/n/ah, which can provide fine-grained CSI in both time and frequency domain and significantly improve the key generation performance [43], [45].
A key generation system using wearable devices with IEEE 802.15.4 is implemented in [56]. Channel measurements are carried out along with data transmission, in other words, no dedicated transmission is incurred for key generation. This avoids the additional energy burden required by key generation, which can significantly save power consumption as the radio transmission is always the dominant [17]. In addition, a low cost filter is employed to improve the signal cross-correlation, which helps the system reach an agreement as high as 99.8% [56]. Since there is not much data transmission required by wearable devices, the system takes about half an hour to generate 128-bit keys. The duration is acceptable as it still meets the requirement. For example, Wi-Fi recommends to refresh the session key every hour.
Key generation has also been applied in Bluetooth systems [57]. The authors implemented their system in two Google Nexus One smartphones and sampled RSS with experiments in indoor and outdoor environments. Random frequency hopping was employed to combat the interference from other wireless networks running at the ISM bands. It has also been demonstrated by experiments that Bluetooth-based key generation can be carried out using much lower transmit power (3 dBm) with a performance comparable to that of Wi-Fi-based system, which is desirable for IoT devices.

IV. PHYSICAL LAYER ENCRYPTION
Modern communication systems employ a layered protocol stack to organize communication functions and most of the current security methodologies are applied at the MAC layer and above. The physical layer is the lowest layer of the protocol stack and was designed originally to modulate data for transmission but without any security considerations. This section introduces some recent ongoing encryption schemes implemented at the physical layer, which protects the entire physical layer packet. PLE schemes are lightweight as they do not introduce additional complexity, therefore are quite suitable for IoT applications.

A. Procedure
The data payload undergoes several physical layer modulation stages, such as channel coding, mapping, inverse fast Fourier transform (IFFT) operation (for OFDM systems), etc. PLE can be applied by encrypting the data flow in these physical layer modulation stages. Some PLE schemes applicable for OFDM systems are shown in Figure 4, including XOR encryption [58], phase encryption [58]- [60], and OFDM subcarriers encryption [61]- [67]. The user first generates the encryption information using the output of stream cipher or chaotic mapping. Based on the adopted encryption scheme, the encryption information is used to calculate phase rotation, dummy subcarrier locations, or subcarrier scrambling/interleaving permutation, etc., which is then used to protect the corresponding modulation stage. The detailed calculation step will shown in Section IV-B. The seed for the stream cipher or the initial state of the chaotic map can be shared between legitimate users using the key generation discussed in the last section.
The entire packet is protected. The encryption of the physical layer payload, i.e., the MAC layer packet, will secure the MAC layer content, including the MAC header. In addition, the protection of the physical layer header can prevent eavesdroppers from carrying out functions of synchronization and channel estimation, significantly increasing the processing overheads for the eavesdropper [67].

B. Algorithm Prototype
The PLE design is determined by the wireless technologies which employ different physical layer modulations. In this section, we introduce several PLE prototypes based on the modulation stage that they have encrypted.
XOR encryption is the most straightforward and lightweight scheme and can be implemented in hardware in a very efficient manner. As XOR is a bitwise operation, it usually happens before coding, as shown in Figure 4. This scheme is applicable to all the wireless technologies as the data passed from the MAC layer is always in binary form. However, it is implemented at the beginning of modulation stages and does not randomize the physical layer waveform, which results in a weaker protection [67].
Phase encryption can also be applied as long as phase-shift keying or quadrature amplitude modulation is used [58]- [60]. As shown in Figure 4, phase encryption occurs after symbol mapping and the constellation symbols are not in binary values any more. The encrypted constellation symbols m ′ k can be denoted as where m k is the constellation symbols, θ k is the rotation angle, and n k is the random noise. θ k is generated according to the key sequence and then used to rotate the constellation symbols.
In order to create a denser encrypted constellation, more key bits are required to generate rotation angles, which increases the key-to-data ratio 5 . Random noise, n k , can be deliberately added to the rotated symbols to make it even more difficult for the eavesdroppers to demodulate the ciphertext [59], [60]. The implementation of this technique is also efficient because the main resource is a multiplier and related control circuits. The OFDM technique modulates data onto multiple orthogonal subcarriers/frequencies and can significantly increase the data rate, providing an additional domain to protect the data. The parallel input data X can be scrambled in frequency domain before IFFT operation [61]- [63], which can be given 5 Key-to-data ratio is defined as the number of key bits needed to encrypt one bit plaintext, which is a key metric of PLE. as where S f is the frequency scrambling matrix, or the IFFT output data can be scrambled in the time domain [64] and written as where S t is the time scrambling matrix. Scramble-based schemes can bring a large search space. However, it may result in a high computational complexity as matrix operations are required, which may not be suitable for low cost devices [67]. Different from above OFDM schemes that scramble all the data subcarriers, the work in [65], [66] interleaves only part of the subcarriers. In particular, the scheme in [65] selects a subset of the subcarriers whose phase is larger than the threshold, and then interleaves their real and imaginary components of the symbols. The method in [66] selects a subcarrier subset based on the CSI, and then interleaves these subcarriers according to the descending order of their channel amplitudes. Encryption usually involves mathematical operations, e.g., XOR operation, between the plaintext and key sequence, but here the concept applies more generally to the data manipulation according to the common secret information. In addition, the authors use channel information as encryption information directly without resorting to stream ciphers, which requires a careful design of the interleaving pattern because of the channel estimation errors at transmitters and receivers.
While the standard OFDM systems use all the data subcarriers for data transmission, some subcarriers can also be reserved to transmit dummy data, i.e., rubbish information, for obfuscation [67]. Due to the introduction of dummy subcarriers, there is a trade-off between the security and data rate, but it has been demonstrated in [67] that it is worthwhile as there are many subcarriers and the data rate is usually only slightly reduced. In addition, the preambles are encrypted in [67] so the entire packet is protected.
The above schemes protect different physical layer modulation stages, which lead to distinctions on the security level, complexity, etc. For example, XOR and phase encryption are easier to implement but provide less strong protection. On the other hand, scrambling-based schemes may require matrix operations, including matrix multiplication and inversion, which result in a higher computation complexity. A detailed comparison in terms of search space to the brute force attack, key rate, and complexity of the above schemes can be found in [67].

C. Practical Implementation
To the best of the authors' knowledge, there has been only one paper which has implemented a physical layer phase encryption IEEE 802.15.4 transceiver and RC4 to generate the key sequence [68]. The work in [68] first validated the design using FPGA technology and then implemented the system in application-specific integrated circuit (ASIC) using UMC 0.18 µm complementary metal-oxide-semiconductor (CMOS) technology. The security enhancement, including the RC4 and phase encryption/decryption, results in a 26% increase on the gate counts compared to a standard 802.15.4 transceiver, which is a reasonable overheard for security.

V. FUTURE WORK SUGGESTIONS
Although there have been prototypes/demonstrations of the above physical layer-based security countermeasures, research is still needed to make these schemes more robust and pervasive. In this section, we suggest some future research directions in securing the IoT from the physical layer.

A. Physical Layer Key Generation
Most current commercial platforms work in half-duplex mode, and the keying nodes have to measure the channel alternately in different time instances. Key generation in this setting is only applicable to slow fading channels in order to get a highly correlated measurements between users. Therefore, key generation in fast fading channels is very challenging, which limits its application, e.g. in vehicular communications. Work in [69] and [70] designed key generation systems with the maximum vehicle speed tested as 20 mph and 50 mph, respectively, but their key generation rates are limited, e.g., 5 bit/s in [70]. In addition, work in [71] tested their algorithms in indoor environment only. There is also some simulation work, e.g., [72], [73]. Their performance in the practical fast fading channels remains unknown. This topic is thus still require more efforts, e.g., by using full-duplex hardware [74].
Efficient group and pairwise key generation are essential to assist secure broadcast and unicast transmission in a large scale IoT network. A fusion center broadcasts signals to the network users, which requires a pre-establishment of a common session key. The devices may also exchange unicast packets between each other, and private keys between pairs of users are required. In ad hoc IoT, many users may join and leave the network frequently, therefore robust and efficient schemes to update the session key and private keys are required. There have been several group key generation protocols reported, e.g., a time-slotted round-trip phase-based scheme [75], RSSbased protocols for star and chain topologies [76], and group key generation for mesh topology [77]. However, the scalability (with the size of the group) and efficiency of the above protocols are limited and more research effort is required.
Although key generation is able to achieve informationtheoretic security, in practice the security performance requires special attention. For example, when there is a strong line-ofsight, the spatial decorrelation may not hold any more, which makes the system vulnerable to passive eavesdropping [39], [78]. Key generation is also subject to active attacks [79], [80], which will result in less efficient or even unsuccessful key generation. It is thereof very important to design key generation techniques secure from passive eavesdropping and robust to active jamming. In addition, the majority of the research focuses on the indoor and/or mobile channels, while in an outdoor or static environment, the channel randomness is rather limited. A less random key will expose the cryptographic systems to brute force attack and should be always avoided.

B. Physical Layer Encryption
PLE applies encryption at the physical layer, and entails additional operations and hardware resources. No hardware implementation for PLE schemes has been reported except for those in [68]. The additional operations will introduce latency in the critical path and may not meet the timing requirements of the current MAC protocol. Therefore, a cross-layer design between the physical and MAC layer is necessary.
The keys generated are usually fed to a stream cipher to produce pseudo random numbers to encrypt plaintext. In scenarios where keys can be generated fast or only very small amount of data exchange is required, the keys generated can be used to encrypt the data directly, rather than be used as the seed for stream cipher. Key generation and PLE is then integrated as a one-time pad scheme to offer perfect Shannon secrecy, which can provide strongest protection ever. However, the practical security performance and implementation requires further investigation.

VI. CONCLUSION
This article has provided an overview on securing wireless communications of IoT applications from the physical layer. We have introduced two security techniques, namely, physical layer key generation and physical layer encryption. For each, we have discussed their features and applications by a special consideration of IoT devices' low power and low cost features. The remaining challenges of how to make these schemes more robust and pervasive have also been proposed. Unlike previous work, this article has focused on practical prototypes/implementations, thus offering insights for their applications in the IoT to enhance wireless security.