A Novel Scheme for Discrete and Secure LoRa Communications

In this paper, we present a new LoRa transceiver scheme to ensure discrete communications secure from potential eavesdroppers by leveraging a simple and elegant spread spectrum philosophy. The scheme modifies both preamble and payload waveforms by adapting a current state-of-the-art LoRa synchronization front-end. This scheme can also be seen as a self-jamming approach. Furthermore, we introduce a new payload demodulation method that avoids the adverse effects of the traditional cross-correlation solution that would otherwise be used. Our simulation results show that the self-jamming scheme exhibits very good symbol error rate (SER) performance with a loss of just 0.5 dB for a frequency spread factor of up to 10.


Introduction
In the past few years, LoRa has become a front-runner in low-power wide-area network (LPWAN) solutions applied to low-energy/low-cost Internet of Things (IoT) transceivers and is increasingly implemented to achieve practical solutions in areas such as agro-informatics [1], smart home design [2] and air-quality monitoring systems [3]. The increasing number of LoRa transceivers creates increased opportunities for malicious entities to disrupt or eavesdrop on LoRa communications. Many studies have been conducted by the research community to evaluate the impact of jamming on performance, and countermeasures have been proposed to tackle these threats. Below, we briefly review relevant studies that consider LoRa jamming schemes.

Previous Work on LoRa Jamming
In [4], the authors investigated the impact of traditional jammers, such as band and tone jamming, on the LoRa demodulation process and highlighted the sub-optimal energy efficiency of these jamming schemes. Other research has considered smarter and more efficient jammers involving jamming LoRa nodes with LoRa signals. In [5][6][7][8], LoRa reactive jammers (the jamming signal is only sent on detection of an incoming legitimate LoRa signal) and random jammers with a frequency hopping scheme were implemented and assessed on real-world devices. The authors concluded that jammer efficiency is obtained if the LoRa signal detection scheme is well-designed with good detection capability, and has a latency as low as possible to align the jamming signal in time with the signal of interest. Other studies considered jamming where the jammer seeks to prevent a legitimate LoRa node from accessing the network. In [9], a jammer was designed to reduce received signal strength indicator (RSSI) variations at the legitimate LoRa node, leading to an almost constantly obtained DevNonce key ID and preventing network access. The authors of [10] proposed a simple jammer detection scheme based on this philosophy, while [11,12] evaluated the jamming impact but on the global LoRa WAN network, with, for example, gateway occupancy or dropping probability metrics.

The eavesdropping case has, however, attracted less attention from the research community. To ensure secret communications, most of the proposed solutions rely on cryptographic schemes. For example, a frequency-hopping scheme was proposed in [13], while [14] introduced a reduced complexity advanced encryption system (AES) solution for the key management of LoRa WAN. Finally, recently in [15] a physical layer encryption method leveraging the randomness of the channel was presented to bypass the use of AES that imposes a burden on complexity for low-cost LoRa nodes.

Novelty and Contributions
In this paper, we propose a cooperative scheme between the transmitter and the receiver that further enhances the scheme of [15] by improving the capacity for discrete LoRa transmission. The central notion is to leverage the well-known impact of LoRa interference on demodulation, but constructively, by spreading the useful signal energy in the frequency space under a fixed power constraint. This can be seen as self-jamming with an added layer of spectrum spreading on top of LoRa. As the receiver is cooperative, it can then demodulate successfully. However, in realistic conditions, time and frequency synchronization between the transmitter and the receiver must be satisfied. We therefore propose a modified and adapted version of current state-of-the-art LoRa synchronization techniques as a solution.
The key contributions of the paper are as follows:
• Proposal of an enhanced scheme ensuring discrete and secure communication.
• A refined current LoRa synchronization front-end.
• Two variants of the scheme are proposed to adapt to power/complexity constraints of both uplinks and downlinks.
The remainder of the paper is organized as follows. In Section 2, we introduce the system model and some LoRa modulation basics. Section 3 presents a first approach to combatting an eavesdropper by modifying the preamble waveforms (introducing a self-jamming scheme). A modified synchronization front-end based on state-of-the-art techniques is proposed in Section 4. In Section 5, we investigate a possible threat where, in certain circumstances, an eavesdropper may synchronize itself. In Section 6, we enhance our initial self-jamming solution by proposing a modified payload demodulation scheme. Finally, we provide simulation results in Section 7 to evaluate the self-jamming method. Table 1 lists the most relevant notations used throughout the paper.
We consider the eavesdropping scenario presented in Figure 1. There are three entities, Alice, Bob and Eve, denoted with A, B and E characters, respectively. A and B communicate with each other (Alice-Bob direction in the figure) in a cooperative way and exchange sensitive data that must be kept secret from eavesdroppers such as E. B has the role of the gateway and both uplink and downlink links are taken into account, depending on the A role. If A is a pure LoRa sensor, the uplink is much more critical than the downlink as the latter mainly consists of signaling traffic. However, if A is an actuator driven by incoming commands from B, for example, the downlink must be protected from E. We are then interested in securing both up- and downlinks and also ensuring discrete communication, reducing the intercept capability of E. E is, in this context, a fully passive receiver located sufficiently close to A and B to be able to detect both A or B LoRa signals. In this scenario, all channels separating entities are flat with additive white Gaussian noise (AWGN) and they are assumed to be symmetric. Frequency selective channels may be considered in the future as an extension of this study.


LoRa Modulation Overview
LoRa waveforms are a type of chirp spread spectrum (CSS) signal. These signals rely on sine waves with an instantaneous frequency (IF) that varies linearly with time over the frequency range $f \in [-B/2; B/2]$ and the time range $t \in [0; T)$ ($T$, the symbol period). This basic signal is called an upchirp or downchirp when the IF increases or decreases with time, respectively. A LoRa waveform is an M-ary digital modulation, comprising $M$ possible chirp modulations where the IF of the upchirp is shifted by the $M$ possible values. The modulo operation is applied to ensure that the frequency remains in the interval $[-B/2; B/2]$. The LoRa parameters are chosen such that $BT = M$ with $M = 2^{SF}$, where $SF \in \{7, 8, \ldots, 12\}$ is called the spreading factor, which also corresponds to the number of bits for a LoRa symbol. In the discrete-time signal model, the chip rate ($R_c = 1/T_c = M/T$) is usually used to sample the received signal, i.e., the sample period is $T_s = T_c = T/M = 1/B$. The signal then has $M$ samples over one symbol period $T$. Each symbol $a \in \{0, 1, \ldots, M-1\}$ is mapped to an upchirp that is temporally shifted by a period $\tau_a = aT_c$. We note that a temporal shift results in a change in the initial IF. This behavior is the heart of the M-ary chirp modulation. An expression of discrete LoRa waveforms sampled at $t = kT_s$ ($T_s = T_c$) has been derived by the authors in [16]: The upchirp is the LoRa waveform with symbol index $a = 0$.

LoRa Demodulation Scheme
The authors of [17] derived a simple and efficient solution to demodulate LoRa signals. In an AWGN flat-fading channel, the demodulation process is based on the maximum likelihood (ML) detection scheme. The received signal is: The signal-to-noise ratio (SNR) is defined as: $SNR = |\alpha|^2 P_s/\sigma^2 = 1/\sigma^2$ with $P_s$ the transmitted signal power and, without loss of generality, we assume $|\alpha|^2 = P_s = 1$.
The ML detector aims to select the frequency index $n$ that maximizes the scalar product $\langle r, x_n \rangle$ for $n \in \{0, 1, \ldots, M-1\}$, defined as: The demodulation stage proceeds with two simple operations: in this way, the dechirp process merges all the signal energy into a unique frequency bin $a$ that can be easily retrieved by taking the magnitude (non-coherent detection) of $R[n]$. The detected symbol is then:

LoRa Frame Structure
LoRa messages are transmitted in frames that follow the specific format depicted in Figure 2. The frame consists of a preamble followed by the payload symbols. The preamble is a critical component as it realizes the three following processes required to correctly demodulate the $N_d$ payload symbols:
1. detecting the beginning of the frame by leveraging the $N_{up}$ upchirps.
2. performing both frequency and time synchronization with the help of the $N_{up}$ upchirps and $N_{down}$ downchirps.
3. detecting if the received frame is dedicated to the receiver by checking if the $N_{ID} = 2$ consecutive network identification symbols correspond to its stored value.
LoRa transceivers generally use $N_{up} = 8$, a variable $N_d$ value, and a fixed value $N_{down} = 2.25$. The number of symbols in the preamble and the entire frame are denoted, respectively, $N_{pre} = N_{up} + N_{down}$ and $N_{frame} = N_{pre} + N_{ID} + N_d$.
We choose to slightly change the frame format as depicted in Figure 3 with the following modifications:
1. Without loss of generality, the two identification symbols and the last quarter downchirp are ignored. The latter is not leveraged in the synchronization front-end. The symbol number in the frame then becomes $N_{frame} = N_{pre} + N_d$.
2. We also set the condition $N_{down} = N_{up}$. This enables a balanced noise immunity between the upchirps and downchirps as these are averaged during the synchronization procedure.
Figure 3. The modified self-jamming LoRa frame format.
The transmitted frame is then the concatenation of the upchirp, downchirp and payload symbol waveforms:

Combat Basic LoRa Eavesdropper with Modified Preamble Waveform
A first approach to combat E is to only modify the preamble waveforms to disrupt its synchronization. A synchronization error will irredeemably lead to a demodulation error, preventing E from obtaining the critical data. The modified preamble waveforms are also designed to considerably increase the noise sensitivity for E and, thus, the discrete capacity of the scheme, while avoiding too much degradation of the performance of the link between A and B. The cooperative receiver leverages these modifications to improve its processing gain as much as possible.
The modified DFT preamble upchirp waveform in the preamble is illustrated in Figure 4. The green DFT bin depicts the legacy format. It consists of a unique DFT bin at known location $n = a_{up} = 0$, containing all the signal power $M\sqrt{P_s}$. The basic idea of the discrete scheme is to spread the power over several DFT bins with a uniform distribution under a fixed power constraint. This is represented by the DFT bins with a dashed line in the figure. The modified preamble can be written as: with: and $U$, the number of DFT bins present, $P_J$, the power level of each DFT bin with $P_J = P_s/U$, $m^u_{up}$ and $m^u_{down}$, the u-th relative delay of the preamble upchirp and downchirp, respectively. We also note $m_{up}$, the associated delay vector that is sorted in ascending order, i.e., $m^0_{up} = 0$ and $0 < m^{u>0}_{up} < M$. Each $m^u_{up}$ delay must be unique to prevent DFT bins from overlapping, which would add DFT magnitudes and thus reduce the discrete capacity of the scheme. Note that $U = 1$ and $a_{up} = 0$ lead to the legacy format. The preamble downchirps follow the same structure but with $a_{down}$ and $m_{down}$ different from $a_{up}$ and $m_{up}$ to improve privacy.
Neglecting noise, the i-th received dechirped preamble upchirp or downchirp DFT is: Note that each DFT bin has a null imaginary part. The DFT bin locations must remain secret from E to prevent its correct synchronization. $a_{up}$, $m_{up}$, $a_{down}$ and $m_{down}$ must then be random values that are perfectly known by both A and B. That is, a specific procedure needs to be performed to satisfy this constraint. Possible solutions include the physical layer security schemes that leverage the randomness and reciprocity of the channel to enable both A and B to extract a pseudo-random bit sequence. These methods rely on the random received signal strength indicator (RSSI) variations, as LoRa transceivers have a built-in RSSI read-out feature, a solution chosen in [15], or on random channel path phase variation [18]. In practice, the sequences extracted by A and B do not match perfectly and a reconciliation procedure is then necessary. This step requires exchanging the sequences and may be vulnerable to eavesdroppers. The use of the Chinese remainder theorem (CRT), as in [15], or a code-word approach as in [19], are possible solutions to tackle this issue.

Self-Jamming Synchronization Front-End
In this section, we introduce desynchronizations that a receiver undergoes in practice, their effects on the LoRa demodulation, and the synchronization front-end designed to address these issues.

Time Desynchronization Model-Sampling Time Offset (STO)
In real conditions, the receiver continuously collects chunks of $M$ samples that are not necessarily aligned with the receiver, i.e., the sampling times are different between the transmitter and the receiver. This produces a temporal window shift $\tau$ up to a symbol period $T$, as depicted in Figure 5. This effect, referred to as the sampling time offset (STO), introduces inter-symbol interference (ISI) if the previous symbol is different from the current symbol, i.e., $a^- \neq a$ and $a \neq a^+$ in the figure. The higher the value of $\tau$, the greater the ISI, with maximum signal deformation when $\tau \approx T/2$.
The preamble structure prevents ISI that could degrade synchronization performance, as consecutive upchirps and downchirps are identical (see Equations (8) and (9)). $\tau$ is modeled based on the LoRa sampling frequency $F_s = B$ and can then be converted to a certain number of sampling periods as: , the integer number of sampling periods plus a fraction of a sampling period $STO_{frac} = STO - STO_{int} \in [-0.5; 0.5)$. $\lfloor \cdot \rceil$ denotes the rounding operation to the nearest integer.

Frequency Desynchronization Model
Due to hardware imperfections, other desynchronizations may occur in the frequency domain, such as the carrier-frequency offset (CFO) and the sampling-frequency offset (SFO).

Carrier-Frequency Offset (CFO)
As a reminder, the CFO is the residual carrier frequency present in the base-band signal at the receiver side. The local oscillators of the transmitter and the receiver are not perfectly centered to the desired carrier frequency $F_c$. A residual frequency appears, then: with $F^t_c$ (resp. $F^r_c$), the carrier frequency used by the transmitter (resp. the receiver). By analogy to the STO, $\Delta f$ can be converted to a number of frequency bins: with , the integer number of DFT bins plus a fraction of a DFT bin $CFO_{frac} = CFO - CFO_{int} \in [0; 1)$. $\lfloor \cdot \rfloor$ denotes the floor operation.

Sampling-Frequency Offset (SFO)
The SFO is a mismatch between the current and the desired sampling frequency at the receiver side: In hardware implementation, and especially for low-cost IoT transceivers, such as LoRa, the same oscillator is used to perform the sampling and the carrier transposition. That is, the CFO and SFO are generated from the same source and their relationship is represented as follows [20]:

Time and Frequency Desynchronization Effects on LoRa
$CFO_{int}$ and $STO_{int}$ have the effect of shifting the DFT bin position (we consider $U = 1$ for the sake of simplicity) by a certain amount that is different when considering either upchirps: $a_{up} = (a_{up} + CFO + STO) \bmod M$ or downchirps: $a_{down} = (a_{down} + CFO - STO) \bmod M$. The fractional parts $CFO_{frac}$ and $STO_{frac}$ progressively spread the energy of the DFT bin of interest to its neighbor as $CFO_{frac}$ or $STO_{frac}$ gets closer to 0.5: $n = a_{up} + 1$ and $n = a_{down} - 1$ for CFO; STO has the opposite behavior.
The SFO has the consequence, over time, of progressively distorting the received signal; a discrete model for LoRa is derived in [21] (considering upchirp symbols, for example, neglecting noise and channel path gains): , the i-th received LoRa signal with symbol value $a_i$.

Synchronization Scheme
The adapted state-of-the-art LoRa synchronization front-end of our self-jamming scheme is presented in Figure 6. The front-end starts with a first pre-processing block which involves sampling the received signal at an over-sampled rate $R \times F_s$, dechirping $N_{up}$ blocks of $M$ samples (downsampled by a factor $R$), estimating and correcting $CFO_{frac}$ for these $N_{up}$ blocks, and computing the $N_{up}$ corrected DFTs. The receiver continues with the preamble detection as, in practice, the latter operates in real time.
Figure 6. Illustration of the LoRa synchronization front-end adapted to the self-jamming scheme.
Once the preamble is detected, the receiver re-aligns the symbols in the detected frame by $CFO_{frac}$ and estimates the other synchronization parameters, i.e., $CFO_{int}$, SFO, $STO_{int}$ and $STO_{frac}$. The estimation of both CFO and STO is not trivial. As their effects are not independent of each other, the pipeline must be designed carefully. It finally performs a frame correction to re-align itself in time and frequency. The over-sampling by the rate $R$ is required to mitigate $STO_{frac}$.

Fractional CFO Correction and Preamble Detection
$CFO_{frac}$ can be estimated and compensated in this step. As the $CFO_{frac}$ estimator found in [22] has low sensitivity to the presence of multiple DFT peaks and operates blindly, we choose to use this estimator. To ensure correct $CFO_{frac}$ estimation, no energy other than AWGN must be present in the left and right adjacent DFT bins of each of the $U$ DFT peaks. We set the constraint of choosing delays with a minimal gap of DFT positions between each. This is also valid for proper $STO_{frac}$ estimation. Satisfying the constraint , the maximum value of the number of virtual paths $U$ is: giving $U_{max} = 25$ for = 5 and $SF = 7$, for example. In [22], the authors proposed an estimator that relies on the well-known three spectral lines (TSL) scheme by deriving $CFO_{frac}$ over $N_{up}$ consecutive symbols. Each of the $N_{up}$ received desynchronized symbols $y_i[k]$ is then corrected: The preamble detection relies on detecting the presence of consecutive demodulated symbols. With very low AWGN and a well-aligned received signal, $N_{up}$ identical and consecutive symbols should be detected but the noise progressively introduces errors and, in practice, it is very difficult to detect this specific pattern. To improve the detection performance at the cost of an increased false alarm rate, we set the constraint to detect at least $L$ consecutive symbols having a maximum value difference of ±1.
Due to the presence of multiple DFT peaks of the same magnitude, the classic demodulation scheme in (4) is not suitable as the detected DFT peak location will change over the $N_{up}$ upchirps. To tackle this issue, we propose a cross-correlation approach. As the relative delays $m_{up}$ are perfectly known by the receiver, the latter can rebuild locally the expected dechirped preamble upchirp with assumed transmitted power $P_s = 1$. This is denoted $S^{ref}_{up}[n]$. Then, for $L$ consecutive received dechirped symbols, it computes the circular cross-correlation and extracts the maximum argument: . Note that $p_{max}$ is the last block of $L$ demodulated symbols until preamble detection. Equation (20) can be efficiently computed with a fast Fourier transform (FFT) algorithm as: The preamble is detected if $(n_{p+i} + j) \bmod M = n_p$ for $i = \{1, 2, \ldots, L-1\}$ and $j = \{-1, 0, 1\}$. Once the preamble is detected, the rest of the symbols in the frame are corrected by $CFO_{frac}$.
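The following added example (not code from the paper) models the self-jamming preamble upchirp and the cross-correlation detection described above, next to the legacy dechirp-and-argmax detector from the demodulation overview. The waveform expression, the delay values, `A_UP` and all function names are assumptions, since the paper's equations are not reproduced on this page; the correlation is computed directly rather than by FFT to avoid dependencies.

```python
import cmath
import math
import random

SF = 7
M = 2 ** SF                      # chips per symbol (B*T = M)
TW = [cmath.exp(-2j * math.pi * i / M) for i in range(M)]   # DFT twiddle factors

def upchirp(a=0):
    """Chip-rate LoRa symbol a (textbook CSS form); a = 0 is the base upchirp."""
    return [cmath.exp(2j * math.pi * (k * k / (2 * M) + (a / M - 0.5) * k))
            for k in range(M)]

BASE = upchirp(0)

def self_jam_symbol(a, delays):
    """Assumed waveform: U delayed copies of symbol a, each with power P_J = P_s/U."""
    amp = math.sqrt(1.0 / len(delays))            # sqrt(P_J) with P_s = 1
    copies = [upchirp((a - m) % M) for m in delays]
    return [amp * sum(c[k] for c in copies) for k in range(M)]

def awgn(x, snr_db, rng):
    """Add complex white Gaussian noise so that SNR = 1/sigma^2 (P_s = 1)."""
    s = math.sqrt(10 ** (-snr_db / 10) / 2)
    return [v + complex(rng.gauss(0, s), rng.gauss(0, s)) for v in x]

def dechirp_dft_mag(r):
    """Dechirp with the conjugate base upchirp, then take the DFT magnitude."""
    d = [r[k] * BASE[k].conjugate() for k in range(M)]
    return [abs(sum(d[k] * TW[(k * n) % M] for k in range(M))) for n in range(M)]

def legacy_demod(mag):
    """Legacy non-coherent detection: index of the strongest DFT bin."""
    return max(range(M), key=mag.__getitem__)

def reference(delays):
    """Expected dechirped DFT of symbol 0, rebuilt locally with P_s = 1."""
    ref = [0.0] * M
    for m in delays:
        ref[(-m) % M] = M * math.sqrt(1.0 / len(delays))
    return ref

def crosscorr_demod(mag, ref):
    """Circular cross-correlation of |DFT| with the reference: (best lag, scores)."""
    scores = [sum(mag[(n + j) % M] * ref[n] for n in range(M)) for j in range(M)]
    return max(range(M), key=scores.__getitem__), scores

def preamble_detected(symbols, L):
    """First index p where L consecutive symbols stay within +/-1 of n_p, else None."""
    for p in range(len(symbols) - L + 1):
        if all((symbols[p + i] - symbols[p]) % M in (0, 1, M - 1)
               for i in range(1, L)):
            return p
    return None

# Constructed sample values (not from the paper): shared secret symbol and delays.
A_UP = 37
DELAYS = [0, 10, 25, 47]         # m_0 = 0, unique, at least 5 bins apart

def run_preamble(snr_db=10.0, n_up=8, seed=1):
    """Demodulate n_up noisy self-jammed upchirps with both detectors."""
    rng = random.Random(seed)
    ref = reference(DELAYS)
    legacy, coop = [], []
    for _ in range(n_up):
        mag = dechirp_dft_mag(awgn(self_jam_symbol(A_UP, DELAYS), snr_db, rng))
        legacy.append(legacy_demod(mag))          # lands on any of the U equal peaks
        coop.append(crosscorr_demod(mag, ref)[0]) # uses the shared delay vector
    return legacy, coop

if __name__ == "__main__":
    legacy, coop = run_preamble()
    print("legacy argmax per upchirp    :", legacy)
    print("cross-correlation per upchirp:", coop)
    print("preamble found at p =", preamble_detected(coop, 4))
```

With the constructed delays, every wrong lag aligns at most one of the four peaks, so the correct lag scores about four times higher than any other; that margin shrinks as more delays coincide, which is the sensitivity to U the paper addresses later with its modified cross-correlation.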

Half Fractional STO Detection
As previously stated in Section 4.3, as $STO_{frac}$ gets closer to 0.5, the neighbor DFT bin energy progressively increases, leading to higher noise sensitivity. When $STO_{frac} \approx 0.5$, two DFT peaks with almost the same magnitude are present, creating detection uncertainty and preventing correct $CFO_{int}$ and $STO_{int}$ estimation. That is, $STO_{frac}$ must be mitigated beforehand, independently from $CFO_{int}$ and $STO_{int}$. The authors in [23] proposed a solution by performing an initial $STO_{frac}$ mitigation, albeit partial, to remove this uncertainty.
We propose a different approach with a binary statistical test by detecting if $STO_{frac} \approx 0.5$. We define the hypotheses $H_0$, $H_1$ as $STO_{frac} \neq 0.5$ and $STO_{frac} = 0.5$, respectively. The basic idea is to evaluate the DFT magnitude difference between the peak of interest and its neighbor bin. The smaller the difference, the closer $STO_{frac}$ is to 0.5. Below a certain difference threshold, the receiver decides $H_1$, otherwise $H_0$. The detector is designed as follows:
1. The $N_{up}$ preamble upchirp DFTs are averaged to reduce noise sensitivity:
2. The following cyclic cross-correlation is computed and normalized:
3. We extract the left and right neighbor DFT bin magnitudes of the maximum DFT peak and compute the criterion $\delta$:
4. $STO_{frac} \approx 0.5$ is finally detected as:
The frame contaminated by $STO_{frac}$ is then corrected with $STO_{frac} = 0.5$ (if detected) by discarding the first $R \times (M - STO_{frac})$ samples. There are then $N_{up} - 1$ upchirp symbols in the preamble. We can see from the figure that $\delta$ progressively decreases as $STO_{frac}$ gets closer to 0.5 with the minimal point reached for $STO_{frac} = 0.5$. $\delta$ has a symmetric pattern around $STO_{frac} = 0.5$. The noise has the effect of flattening the curve, reducing the contrast between $STO_{frac}$ values. The threshold $\lambda_{STO_{frac} \approx 0.5}$ must be chosen carefully. A low value will increase the non-detection probability, a situation that must be avoided as far as possible. A very high value will lead to almost constant detection; the corrected frame will then have as many as $STO_{frac}$ residuals with no $STO_{frac} \approx 0.5$ detection enabled.
In simulations, $\lambda_{STO_{frac} \approx 0.5} = 0.3$ is a balanced value for the LoRa SNR range of interest $SNR_{dB} = \{-15, -14, \ldots, -5\}$. We note that adjacent values $STO_{frac} = \{0.4, 0.6\}$ are almost constantly detected as $STO_{frac} = 0.5$, but the residual is ±0.1, a value that has a negligible impact on demodulation performance. We note that the $\delta$ statistic follows a near-Gaussian distribution as the computed cross-correlation is a sum of Rayleigh random variables (RV). With extensive simulation results, we note that this distribution is slightly $U$ dependent. Furthermore, increasing $SF$ results in similar histograms but for lower SNRs, and the derived histogram for $STO^{sym}_{frac} = 1 - STO_{frac}$ is nearly the same as for $STO_{frac}$ (symmetry).

CFO and STO Integer Estimation
The next step in the synchronization front-end is to estimate $CFO_{int}$ and $STO_{int}$. The process follows the same philosophy as so far applied to the cross-correlation approach. The receiver keeps the previously computed $n^{up}_{max}$ in (26) and performs steps (23), (24), (26) for the preamble downchirps to derive $n^{down}_{max}$. $CFO_{int}$ and $STO_{int}$ are simply derived as: The SFO is simply derived as: As stated in [23], this synchronization scheme cannot correctly detect $CFO_{int} \geq M/4$ but, in practice, it is very unlikely to have such a high value.

Fractional STO Part Estimation
The final step is to estimate $STO_{frac}$ in the case where $STO_{frac} \approx 0.5$ has not been detected earlier. The scheme is based on the TSL approach proposed in [23] but with slight modifications to be functional with our self-jamming scheme. The main steps are summarized in what follows:
1. The averaged preamble DFT upchirps $\tilde{Y}_{up}[n]$ are re-aligned by removing $CFO_{int}$ and $STO_{int}$ shifts. This is simply effected by performing a left circular permutation.
2. For each of the $U$ DFT peaks in $\tilde{Y}_{up}[n]$, we extract its value and the left and right neighbor bins as:
3. $STO_{frac}$ is finally averaged over $U$ estimates as: with:

EVE Blind Synchronization Threat
With this modified preamble structure, E cannot synchronize itself correctly without the knowledge of $a_{up}$, $a_{down}$, $m_{up}$ and $m_{down}$. The synchronization error heavily impacts the payload demodulation stage and then prevents E from eavesdropping. In this section, we evaluate the ability of E to blindly estimate synchronization parameters that would possibly threaten the sustainability of our scheme.
As previously stated, $CFO_{frac}$ can be blindly estimated by both B and E. However, E cannot synchronize itself if CFO is still present after $CFO_{frac}$ correction, i.e., $CFO_{int} \neq 0$. That is, E has the ability to blindly estimate $STO_{int}$ only if $CFO_{int} = 0$. This situation may happen if E is a higher-end device with low hardware impairments and, thus, $CFO < 1$.
In what follows, we present a blind method to extract $STO_{int}$. The basic idea is to leverage the fact that the STO introduces ISI only between the last upchirp and the first downchirp in the preamble. Then, E can use a $STO_{int}$ candidate approach by computing an energy cost for each candidate and selecting the one that minimizes the cost function. We denote each $STO_{int}$ candidate by $STO^{cand}_{int} \in \{0, 1, \ldots, M-1\}$. The blind extraction method is designed as follows:
1. E generates a temporary replica of the received frame and voluntarily simulates a STO with value $STO^{cand}_{int}$ by discarding the first $R \times STO^{cand}_{int}$ samples, consequently modifying the time window process. It is denoted as $y^{cand}[k]$.
2. It then dechirps, computes the DFT magnitude of the last preamble upchirp and the first preamble downchirp to derive the following quantities: To construct the minimum cost function point at $STO^{cand}_{int} = STO_{int}$, E needs to add a left circular permutation of one position to $\gamma^{STO^{cand}_{int}}_{up}$. The cost function is simply derived as:
3. $STO_{int}$ is finally estimated as:
This blind scheme has the drawback of being unable to correctly estimate the value $STO_{int} = M - 1$, slightly increasing the $STO_{int}$ estimation error. Moreover, $STO_{frac}$ progressively increases the estimation error as it gets closer to 0.5, as highlighted in Section 7. If E has correctly estimated $STO_{int}$, it can easily estimate $STO_{frac}$ even without $a_{up}$ and $m_{up}$ knowledge in (36). E can select the DFT bins that are above a given threshold $\rho_E$ in $\tilde{Y}_{up}[n]$ (23) with: The derived DFT bin positions set $A_E$ should correspond to $(a_{up} - m_{up}) \bmod M$ and, thus, $|A_E| = U$ in high SNR conditions, then enabling an identical $STO_{frac}$ estimation performance to the legitimate receiver if $CFO < 1$. In such conditions, E successfully passes the synchronization front-end and can demodulate and retrieve the information in the payload.
We conclude that modification of the preamble only is necessary but not sufficient to ensure a discrete communication. A solution to tackle this more advanced E is then to also modify the payload waveform and is presented in the next section.

Combat Advanced LoRa Eavesdropper with Modified Payload Waveform
The payload waveform is modified with the same structure as for the preamble. This has the advantage of reducing scheme knowledge leaks, i.e., preamble symbols a up , a down , and delays m up and m down . The modified payload waveform is then: with: with l d , a random shift (unknown by E) applied to the d-th payload symbol, m d,u data the u-th relative delay of the d-th payload symbol a data may be different between payload symbols to improve privacy. Again, the receiver may use the same legacy cross-correlation approach to demodulate the payload symbol. However, the latter has the drawback of increasing interference peak magnitudes in (20) as U grows. This reduces the AWGN immunity and degrades the symbol detection performance.
We propose a modified cross-correlation implementation, denoted as mod crosscorr, that considerably mitigates this detrimental effect. Considering perfect synchronization, it consists of dechirping the received symbol r The symbol is still estimated in the frequency domain: To compare the legacy and the modified cross-correlation, we define the following criterion for the modified cross-correlation: and for the legacy cross-correlation: This represents the average magnitude difference between the DFT peak of interest and the interference peaks (AWGN plus cross-correlation peaks). Figure 9 compares average η between the legacy and the modified cross-correlations as a function of SNR dB ∈ {−15, −14, . . . , −6} for several U = {1, 2, . . . , 10}. We assume perfect synchronization and delays chosen randomly, respecting the constraint. We can see from the figure that U = 1 has a maximum and same average η between cross-corr and mod cross-corr as it is equivalent to the LoRa legacy demodulation scheme (4). It behaves as an upper limit as the higher average η, the higher the magnitude difference, and the better the performance. We also note that mod cross-corr has much lower U sensitivity. The loss between U = 1 and U = 10 is 6.475 2.023 ≈ 3.20 for cross-corr against 6.475 5.525 ≈ 1.17 for mod cross-corr at SNR dB = −6. This solution is only sustainable if the STO has been correctly mitigated as would normally be the case when demodulating the payload. This modified cross-correlation is not suitable for synchronization parameter estimation as a candidate STO int approach is required (similar to the blind STO int estimation procedure) that gives poor synchronization performance. Table 2 summarizes the parameters of our complete self-jamming scheme that the legitimate and eavesdropper receivers know, do not know, or must be kept secret from E, estimated with self-jamming scheme knowledge and blindly estimated. The symbols used in the table are described in Table 3. 
For conciseness, parameters which depend on others are not shown, e.g., M = 2^SF.
Note that, from the table, the only parameter that is identically estimated by the legitimate receiver and the eavesdropper is CFO_frac. Furthermore, E can blindly estimate the STO and retrieve U under the right conditions (see Section 5). However, the critical payload parameters m_data^(d) and l_d are almost impossible to retrieve for E without using a brute-force approach, making proper demodulation very difficult.

Table 2. LoRa self-jamming scheme parameters supposed to be known, unknown, kept secret from E, estimated with self-jamming scheme knowledge and blindly estimated by the legitimate or eavesdropper receivers.

Table 3. Meaning of symbols used in Table 2.

Symbol Meaning known + unknown • kept secret from E unknown and estimated with self-jamming scheme knowledge unknown and blindly estimated

Simulation Results
In this section, we present several simulation results to assess the self-jamming scheme. The following parameters are used, if not stated: We assume that CFO < 0.1 is very unlikely to happen in practice.

Preamble Detection Performance
As E has no knowledge of a_up and m_up, the only possible preamble detection scheme for E is to compute the cross-correlation between two consecutive symbols as: with p ≤ l ≤ p + (L − 1) and p = {0, 1, . . . , p_max}. E also searches L consecutive symbols in n_{l,E} with value difference ±1 to detect the preamble.
A and B also have the ability to use the modified cross-correlation to improve the preamble detection performance. However, as stated in Section 6, this approach does not demonstrate satisfactory performance if the STO is not mitigated. The preamble detection can only be performed in the presence of STO. That is, an STO_int candidate approach must be leveraged with the same philosophy as the blind STO_int estimation performed by E (see Section 5). To save computation resources, the candidate selection is only performed on the p-th received symbol and kept for the L − 1 remaining symbols. The modified preamble detection scheme is:

1. A or B generates a temporary replica of the received frame and voluntarily simulates an STO with value STO_int^cand by discarding the first R × STO_int^cand samples, consequently modifying the time window process. It is denoted as y_cand[k].
2. It then computes the modified cross-correlation of the i-th received symbol and selects the maximum value for each STO_int candidate as:
3. The candidate is selected as:
4. It then selects the maximum argument for each computed modified cross-correlation (p ≤ l ≤ p + (L − 1)) associated with the chosen candidate:

Figure 10 presents the preamble detection performance comparison between the legitimate receiver and E as a function of SNR_dB = {−15, −14, . . . , 0} for several U = {1, 2, 3, 4, 8, 10, 12} and SF = 7. We also add the comparison between the legacy and the modified cross-correlation methods.
We can see from the figure that the preamble detection performance progressively decreases when U increases, even when using modified cross-correlation. This is because the same chosen STO_int candidate is used for all the symbols in the block of L received symbols. That is, increasing U increases the probability of the error STO_int^(cand,sel) ≠ STO_int. This error propagates on all symbols and the probability of detecting L consecutive symbols with value difference ±1 then decreases.
For U ≤ 3, the legacy and modified cross-correlation schemes have similar preamble detection performance, with a slight advantage for the modified cross-correlation method. However, for higher U, the modified cross-correlation scheme progressively outperforms the legacy cross-correlation scheme as U grows, with a performance difference of about 2 dB at a detection probability of 0.5 and U = 12. Note that the modified cross-correlation performance is almost the same for U = {8, 10, 12}. E has much lower performance, with a loss of ≈4 dB between U = 1 and U = 12 at a detection probability of 0.5, and a loss ≥ 3 dB when compared to the legitimate receiver using the modified cross-correlation scheme, for a given U. E is much more prone to AWGN errors as the cross-correlation performed in (49) has two sources containing AWGN, while the reference upchirp in (20) is AWGN free.

Complexity Comparison between the Legacy and the Modified Cross-Correlation Methods
The considerably reduced U sensitivity of modified cross-correlation (see Section 6) is at the cost of increased complexity. The algorithms for both the legacy and the modified cross-correlation functions are provided in Algorithms 1 and 2. This behavior is highlighted in Figure 11. We execute and report the execution times of C compiled versions of Algorithms 1 and 2 in a MATLAB environment, with SF = 7.

In Figure 11a, the mod cross-corr/legacy cross-corr execution time ratios of the preamble detection and payload demodulation processes are presented for U = {1, 2, . . . , 12}. We can see for U = 1 and the payload demodulation considered that mod cross-corr is about 30% faster than legacy cross-corr (t_exec^r ≈ 0.7). Indeed, mod cross-corr with U = 1 is identical to the LoRa legacy demodulation scheme in (4). Then, computing the legacy cross-correlation for this case adds unnecessary complexity. Equally, when U = 1, the STO_int candidate procedure for preamble detection presented in Section 7.1 is useless, considerably decreasing the complexity, leading to a ratio ≈1.04. Activating the necessary STO_int candidate approach for U > 1 greatly increases the complexity cost, reflected in the high ratio transition from ≈0.7 to ≈2.8 between U = 1 and U = 2. Increasing U progressively increases the mod cross-corr complexity to reach a complexity increase factor of about 3 at U = 12.

In Figure 11b, mod cross-corr and legacy cross-corr schemes are compared to the LoRa legacy demodulation when used for the payload demodulation and preamble detection processes. We note that the burden of mod cross-corr on preamble processing is much higher than that of the payload process for low U values but progressively reduces to reach a turnover point at U = 11 where the latter increases the advantage beyond this value. Again, the STO_int candidate approach is responsible for the high cost value at U = 2 but shows less increasing complexity with U. The complexity of mod cross-corr is progressively increased when U increases to reach a factor of about 4.3 at U = 12.
However, the cost of adding the legacy cross-correlation in the preamble section is very small with a constant ratio ≈1.05 as the legacy cross-correlation computation does not depend on U. We also note that using legacy cross-corr for the payload demodulation has higher relative complexity (≈1.45) than for the preamble detection although its absolute complexity is much lower.
Tables 4 and 5 summarize the advantages and drawbacks of the legacy and mod cross-correlation schemes.
From Table 4, we can conclude that mod cross-corr almost completely removes U sensitivity and, thus, improves the frame detection and payload demodulation performances, but at the cost of increased complexity. Table 5 shows the opposite behavior for legacy cross-corr, where it is more low-complexity compliant but has a high sensitivity with U which decreases the performances. That is, using mod cross-corr for the preamble detection mainly depends on performance-complexity trade-offs.

Table 4. Advantages and drawbacks of mod cross-corr.

Advantages
- Mitigates U sensitivity
- Improves frame detection performance
- Improves payload demodulation performance
Drawbacks
- Increases the complexity with U

Table 5. Advantages and drawbacks of legacy cross-corr.

Advantages
- Adds low-complexity burden
- Does not increase the complexity with U
Drawbacks
- Leads to high sensitivity with U
- Reduces frame-detection performance
- Reduces synchronization performance

Integer STO Part E Blind Estimation Performance
Figure 12 presents the blind STO_int estimation performance of E as the average estimation rate (ER) over Monte Carlo trials, defined as: The figure plots the average ER as a function of STO_frac = {0, 0.1, . . . , 0.9} for random STO_int ∈ U[0; M − 2], fixed U = 8, CFO_int = 0, two CFO_frac estimation residuals CFO_r = {0, 0.02} in the cases of no AWGN and several SNR_dB = {−3, 0, 3, 6, 9}, SF = 7. We also add the legitimate receiver (B in the figure) performance as a comparison where the latter has the STO_frac ≈ 0.5 case detection activated (see Section 4.4.2), for SNR_dB = −3 and CFO_frac = 0.02. We can see from the figure that, in a perfect CFO_frac estimation scenario, i.e., CFO_r = 0, the average ER degrades progressively as STO_frac gets closer to 0.5. In the no AWGN case, ER is very good with ER ≥ 0.87 in the worst situation STO_frac = 0.5. Increasing the noise power progressively decreases ER performance with ER ≤ 0.15 at SNR_dB = −3.
We can conclude that E only has synchronization capability for very high SNR environments, i.e., located very close to A or B for uplinks and downlinks, respectively. Interestingly, the CFO_frac estimation residual produces a slightly better performance in no/very low AWGN conditions, i.e., SNR_dB = {∞, 9, 6}. With sufficiently low SNR, the noise finally overtakes this effect. Note that higher U values slightly reduce ER performance.
We also see that B has a perfect ER of 1 as the SNR value considered here is high with respect to the traditional SNR range (SNR_dB < −8 usually for SF = 7) and then exhibits particularly good performance. Higher SNR values will exhibit identical performance and are not shown for the sake of figure clarity.

Legitimate Receiver SER Performance
Finally, we evaluate the legitimate receiver SER performance with a fully activated self-jamming scheme, i.e., modified preamble with complete synchronization and a modified cross-correlation method to demodulate payload symbols. The preamble is supposed to be detected already. Figure 13 presents the SER performance of the legitimate receiver as a function of SNR_dB = {−15, −14, . . . , −6} for several U = {8, 10, 12, 14, 20} and SF = 7. We also add the maximum performance reachable as the perfectly synchronized case with no self-jamming, i.e., U = 1.

10, 12, 14, 20} and SF = 7 with the synchronization front-end activated. The perfect synchronization case is also considered as an optimal performance bound.

We can see from the figure that U = {8, 10} exhibit very good performance with a loss lower than 0.5 dB. Increasing U progressively degrades performance with a loss of about 3 dB for U = 20. This can be explained by the fact that the legacy cross-correlation is still used in the synchronization front-end with its U sensitivity (see Section 6), but also because of the CFO_frac estimator limitation. If the preamble DFT peaks are too low, i.e., U ≥ 12, CFO_frac will not be correctly estimated in a relatively high SNR. That is, the preamble DFT averaging performed straight afterwards will not perform well; CFO_int and STO_int will then be incorrectly estimated, leading to a payload demodulation error. However, the U ≤ 10 value is more than sufficient to prevent E from demodulating correctly, as explained in the next section.

E Blind Payload Demodulation Ability
In this subsection, we investigate the ability of E to blindly estimate the payload symbols with the modified payload waveform scheme (see Section 6). We assume that E passed the synchronization front-end successfully with the advantageous but restrained conditions SNR_dB ≥ 6 and CFO < 1 with low CFO_frac residual, as seen in Section 7.3.
Since m_data^(d) is unknown by E, the latter can only randomly choose one of the DFT magnitude bins that are above a given threshold ρ_data. The set of selected DFT bins and its length are denoted with A_data and U = |A_data|, respectively. For E to have a chance of correctly detecting a_data^(d), the latter must be in A_data. We denote the probability that a_data^(d) ∉ A_data as p_{A_data}. This necessary condition depends on the λ_data value that also drives U. Then, λ_data must be chosen appropriately. Figure 14 presents the impact of λ_data on average U (denoted as U) and p_{A_data}, respectively. We consider U = 8 (a value giving very good SER performance for the legitimate receiver, as seen in Section 7.4), SNR_dB = {6, 7, 8, 9}, CFO < 1 with CFO estimation residual CFO_r = 0.02 and random STO_frac ∈ {0, 0.1, 0.2, 0.8, 0.9}. These STO_frac values are the range in which E exhibits very good STO_int ER performance, as seen in Figure 12. In the simulation, E blindly estimates STO_int ∈ [0; M − 2] with the scheme presented in Section 5, and next performs the extraction of the DFT peaks with λ_E threshold to estimate STO_frac. The estimated STO is compensated and E can finally proceed to the payload section of the frame.
From Figure 14a,b, we can see that setting λ_data = 0.1 leads to very low p_{A_data} as most of the DFT bins are selected, leading to a very high U ≈ 70 at SNR_dB = 6. Increasing λ_data up to 0.3 decreases U a great deal to reach a floor level U ≈ U = 8. Interestingly, 0.2 ≤ λ_data ≤ 0.7 does not impact p_{A_data} so much with 0.02 ≤ p_{A_data} < 0.1. λ_data > 0.7 exhibits relatively high p_{A_data} up to ≈0.6 because of the benefit of a reduced U ≈ 4.57 at λ_data = 0.9 and SNR_dB = 6. In this example, λ_data = 0.3 is a good value to ensure high payload symbol capture in the DFT window of interest, i.e., a_data^(d) ∈ A_data and U ≈ U. Nevertheless, the demodulation brute-force complexity for E is still prohibitively high. If we consider U = U, assuming that a_data^(d) is always in A_data, i.e., p_{A_data} = 0, and For U = 8 and N_d = 100, we have U^N_d ≈ 2.037 × 10^90 combinations and FDP ≈ 4.909 × 10^−90. At an optimistic speed of 10^9 combination trials per second, this would require 6.455 × 10^73 years of trials. Therefore, it prevents E from efficient correct demodulation.
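
The candidate-bin selection and brute-force cost described in this subsection can be reproduced with a short simulation. This is an added example, not the authors' code: the waveform model (U superposed chip-rate upchirps at bins (a + l_d + m_u) mod M), the relative threshold rule λ_data × max, and the known-delay combiner standing in for the legitimate receiver are assumptions, since the paper's equations are not reproduced on this page; all sample values are constructed.

```python
import cmath
import math
import random

def upchirp(symbol, M):
    """Chip-rate LoRa upchirp carrying `symbol` (standard discrete model)."""
    return [cmath.exp(2j * math.pi * (k * k / (2 * M) + (symbol / M - 0.5) * k))
            for k in range(M)]

def self_jammed_symbol(a, l_d, delays, M, snr_db=None, rng=None):
    """ASSUMED waveform: U unit-power superposed upchirps at (a + l_d + m_u) mod M."""
    chirps = [upchirp((a + l_d + m) % M, M) for m in delays]
    scale = 1 / math.sqrt(len(delays))
    x = [scale * sum(c[k] for c in chirps) for k in range(M)]
    if snr_db is not None:                       # optional complex AWGN
        rng = rng or random.Random(0)
        sigma = math.sqrt(10 ** (-snr_db / 10) / 2)
        x = [s + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)) for s in x]
    return x

def dechirp_dft(rx, M):
    """Multiply by the conjugate base upchirp and return the DFT bin magnitudes."""
    y = [r * c.conjugate() for r, c in zip(rx, upchirp(0, M))]
    return [abs(sum(y[k] * cmath.exp(-2j * math.pi * n * k / M) for k in range(M)))
            for n in range(M)]

def eavesdropper_bins(mags, lam):
    """E's candidate set A_data: bins reaching lam * max magnitude (ASSUMED rule)."""
    rho = lam * max(mags)
    return [n for n, v in enumerate(mags) if v >= rho]

def known_delay_demod(mags, l_d, delays, M):
    """Simplified stand-in for the legitimate receiver (not the paper's mod
    cross-corr): score each hypothesis a by the bins its U peaks must occupy."""
    return max(range(M), key=lambda a: sum(mags[(a + l_d + m) % M] for m in delays))

def brute_force_years(U, n_symbols, trials_per_second=1e9):
    """Years to try every per-symbol peak choice, i.e. U ** n_symbols combinations."""
    return U ** n_symbols / trials_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    M, a, l_d = 128, 77, 45                      # SF = 7; constructed values
    delays = [0, 3, 11, 20, 37, 54, 80, 101]     # constructed secret delays, U = 8
    rx = self_jammed_symbol(a, l_d, delays, M, snr_db=6, rng=random.Random(1))
    mags = dechirp_dft(rx, M)
    for lam in (0.1, 0.3, 0.9):
        print(f"lambda={lam}: |A_data| = {len(eavesdropper_bins(mags, lam))}")
    print("known-delay receiver decides a =", known_delay_demod(mags, l_d, delays, M))
    print(f"brute force over 100 symbols: {brute_force_years(len(delays), 100):.3e} years")
```

Without the secret shift and delays, every bin in A_data looks equally plausible to E, so each payload symbol multiplies the search space by |A_data|.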

Conclusions
In this paper, we introduced an enhanced LoRa transceiver that ensures discrete and secure communications by leveraging a simple and elegant spread spectrum philosophy. This involved first modifying the preamble LoRa waveforms to prevent eavesdropper synchronization leading to incorrect payload demodulation.
We proposed a modified synchronization scheme based on current state-of-the-art techniques that estimates and mitigates the major synchronization impairments, such as the CFO, SFO and STO. We added a synchronization refinement by considering the pessimistic case STO_frac ≈ 0.5, previously identified in [23], and proposed an approach based on a statistical test.
We also adopted the point of view of the eavesdropper by developing a blind STO_int estimation scheme. It exhibits good estimation performance provided that the SNR is much higher than the standard LoRa SNR range, the CFO is low and the received signal is well-aligned with sampling periods. Under these conditions, the eavesdropper is able to perform effective synchronization and finally retrieves the payload information. That is, modification of the preamble waveforms is necessary but not sufficient to ensure a discrete communication.
We then introduced the same modified waveform scheme to the payload but with a modified cross-correlation demodulation scheme to reduce the negative effects of the presence of multiple peaks in the LoRa DFT when using the LoRa legacy cross-correlation, at the cost of increased complexity for the legitimate receiver but much lower than that of the eavesdropper for an arbitrarily small frame demodulation error. With the complete transmission scheme enabled, the SER performance loss for the legitimate receiver is less than 0.5 dB for a frequency spread factor up to U = 10 at SF = 7. Table 6 summarizes the advantages and drawbacks of our LoRa self-jamming scheme. The main contribution of this scheme compared to other schemes described in the literature is the enablement of both discrete and private LoRa communications by considerably decreasing the eavesdropper's ability to correctly identify an outgoing LoRa transmission and preventing them from proper demodulation. The potential eavesdropper will also have great difficulty in blindly synchronizing itself, and collecting the most critical system design parameters, i.e., (U, m_U, etc.), will only be possible with brute-force approaches. The proposed scheme is, however, not perfect and all of the advantages described are at the cost of higher implementation complexity and SER performance loss that is, however, reasonably small.

Table 6. Advantages and drawbacks of the LoRa self-jamming scheme.

Advantages
- Enables more discrete LoRa communications
- Hides sensitive information from eavesdroppers
- Makes design parameter collection difficult for eavesdroppers
Drawbacks
- Higher implementation complexity
- Reasonably small SER performance loss
- Software modifications required on existing LoRa transceivers

Note that this scheme does not interfere with other LoRa physical processing such as coding (e.g., Hamming and Gray coding), whitening and interleaving processes, or with the application layers, such as higher-level encryption mechanisms and LoRaWAN architecture.
From a practical implementation perspective, this scheme would require, at minimum, software modifications of existing LoRa transceivers having higher capabilities (higher computation and memory resources). This scheme may not be suitable for all applications but rather may be used for specific applications (e.g., securing a military area) where complexity constraints are not a priority but the preservation of good AWGN LoRa resilience is desired.
This analytic investigation has generated promising results for a LoRa self-jamming scheme with an adapted synchronization procedure that capitalizes on state-of-the-art LoRa synchronization algorithms. In [22], the authors evaluated the CFO_frac, CFO_int and STO_int estimators, as well as a variant of our STO_frac estimator with universal software radio peripheral (USRP) equipment, and obtained good synchronization performances.
However, this scheme needs to be assessed on real-world equipment. It will be of interest to evaluate the impact of this modified waveform on the different components of the hardware front-end. For example, as this scheme adds multiple LoRa waveforms that are not necessarily coherent with each other, it may result in an increase in the peak-to-average power ratio (PAPR) and, thus, lower the performance. This may be investigated, offering interesting research opportunities for the design of modified LoRa self-jamming waveforms that can mitigate potential PAPR increase.