Lightweight Physical Layer Aided Key Agreement and Authentication for the Internet of Things †

: In this paper, we propose a lightweight physical layer aided authentication and key agreement (PL-AKA) protocol in the Internet of Things (IoT). The conventional evolved packet system AKA (EPS-AKA) used in long-term evolution (LTE) systems may suffer from congestion in core networks by the large signaling overhead as the number of IoT devices increases. Thus, in order to alleviate the overhead, we consider cross-layer authentication by integrating physical layer approaches to cryptography-based schemes. To demonstrate the feasibility of the PL-AKA, universal software radio peripheral (USRP) based tests are conducted as well as numerical simulations. The proposed scheme shows a signiﬁcant reduction in the signaling overhead, compared to the conventional EPS-AKA in both the simulation and experiment. Therefore, the proposed lightweight PL-AKA has the potential for practical and efﬁcient implementation of large-scale IoT networks.


Introduction
In recent years, the application of the Internet of Things (IoT) has become a part of our daily life, and the number of IoT devices is growing rapidly, accordingly. The number of connected devices is expected to reach 500 billion by 2030, which is approximately 59 times the projected global population [1]. Moreover, the growth is expected to continue with massive IoT (MIoT) developments as fifth-generation (5G) wireless communications are deployed in a variety of applications. For this reason, wireless security has also become one of the major concerns, due to the broadcast nature of radio signals. For example, they are vulnerable to spoofing attacks, where a malicious user impersonates a legitimate user.
For this reason, an evolved packet system authentication and key agreement (EPS-AKA) protocol has been widely used for mutual authentication between a cellular network and a mobile device in long-term evolution (LTE) systems [2]. However, MIoT systems with hardware and resource limitations can introduce large signal overheads and long delays. Thus, lightweight AKA algorithms have been studied for a large number of IoT devices in [3][4][5]. In [5], group-based AKA (G-AKA) protocols that enable simultaneous authentication of a good deal of IoT devices are proposed, but G-AKA schemes are difficult to overcome the single secret key agreement limitation caused by the simultaneous authentication and susceptibility to identified attacks. Instead, physical layer authentication (PLA) has been studied for the authentication of IoT devices with low complexity and fast authentication [6,7]. In particular, a physical layer challenge-response authentication mechanism (PHY-CRAM) [8][9][10] exploits characteristics of the physical channel to conceal the authentication key, preventing eavesdroppers from impersonating based attacks. However, PLA is inherently difficult to guarantee authentication performance in poor communication environments. As in [11][12][13][14], cross-layer authentication schemes integrate PLA to cryptography-based authentication in order to compensate PLA, but simply cascading both layer schemes might be inefficient to apply in practical application due to the limited resources of the networks.
In this paper, we consider a lightweight physical layer aided authentication and key agreement (PL-AKA) protocol for MIoT environments, providing a favorable balance between the signal overhead and reliability by selectively applying conventional cryptography-based authentication along with PLA and preliminary PLA decisions. To demonstrate the effectiveness of the proposed protocol, an experimental analysis is performed with a universal software radio peripheral (USRP). The main contributions of this paper are summarized as follows:

•
For sophisticated cross-layer authentication, we propose a novel integration strategy based on the test statistic result of the PHY-CRAM. By using this integration strategy, a proposed protocol can reduce the signaling overhead, while providing a competitive authentication performance. This is the main difference with existing cross-layer authentication protocols based on simple concatenation and encapsulation operations [11][12][13][14]. • For the performance analysis, we analyze the authentication error probability and signaling overhead of the proposed protocol. • For the validation of PLA in the proposed protocol, an RF experiment is conducted with USRP transceivers.
Regarding notation, upper-case and lower-case boldface letters are used for matrices and vectors, respectively. CN (µ, σ 2 ) represents the distribution of the circularly symmetric complex Gaussian (CSCG) random variable with mean µ and variance σ 2 .

Motivation and Local Security
In 5G networks, supporting the high concurrent connections of many low-cost devices is very important. International mobile telecommunication (IMT) expects massive access of at least 1 million devices per squared kilometer to be supported in 5G networks [15]. As such, 5G should cover densely populated areas, such as residential buildings or business centers in urban environments [16], where a large signaling overhead induced by conventional cryptographic authentication mechanisms may cause inevitable delays. Furthermore, when massive devices access 5G networks simultaneously, severe signaling congestion can be incurred over the network nodes, such as mobility management entity (MME) and home subscriber server (HSS) because of the conventional centralized security managed at the core networks. Alternatively, a new security architecture, which imposes a burden of security (i.e., authentication) into radio access networks (RANs) in a distributed manner is considered in this paper, referred to as a local security. A base station (BS) in RANs authenticates IoT devices on its own to reduce the excessive network traffic to the MME in the local security. Meanwhile, PLA is suitable for IoT devices, due to its fast authentication with low computational complexity. So, PLA employs authentication between a BS and an IoT device to reduce burden at a BS. However, as mentioned earlier, PLA methods may have poor authentication performance under bad communication conditions (e.g., low signal-to-noise ratio (SNR) and correlated channels). Thus, a cross-layer authentication protocol that integrates PLA in RANs and cryptography-based authentication in core networks is considered. However, conventional cross-layer authentication protocols [11][12][13][14] cannot provide both reliable authentication performance and a small signaling overhead for 5G networks. For example, as mentioned earlier, the authentication protocol in [11], which supplements the computational security of cryptography-based authentication by using PLA (i.e., information theoretical security), has an excessive signaling overhead and would be limited for applications. In contrary, the cross-layer authentication protocols in [12][13][14] have limitations in terms of authentication performance, due to uncontrollable physical features in PLA. In addition, there is no theoretical analysis for the conventional cross-layer authentication protocols in terms of the authentication performance and signaling overhead. In 5G networks, both the authentication performance and signaling overhead should be considered. Consequently, it is necessary to design a sophisticated authentication protocol with a novel integration strategy to reduce network traffic in MIoT, while guaranteeing a reasonable authentication performance under poor communication environments.

Physical Layer Aided Authentication and Key Agreement (PL-AKA)
In this section, we present a novel authentication protocol, which integrates a PHY-CRAM scheme [8] and cryptography-based authentication (i.e., AKA) as a good candidate of cross-layer authentication protocol for MIoT systems. It is possible to employ other PLA schemes or a generalized PLA in the proposed protocol (i.e., generalization of the proposed protocol). However, it is out of scope in this paper.

Physical Layer Challenge-Response Authentication (PHY-CRAM)
In this subsection, we briefly introduce a PHY-CRAM, which utilizes channel phase information to encapsulate a secret key for authentication in multicarrier systems. The PHY-CRAM is integrated into a conventional AKA in the proposed protocol for which details will be discussed in the following Section 3.2.2. The PHY-CRAM [8] is divided into three steps: the physical layer challenge, response, and verification as follows.

Physical Layer Challenge
Suppose that a legitimate IoT device wants to be authenticated by a BS with a shared secret key, while an intrusion device that has no knowledge of the secret key tries implementing impersonation attacks. They use L subcarriers to communicate with each other. If the IoT device sends a request signal to the BS requesting authentication, the BS transmits a pilot signal to the IoT device to perform the channel estimation for the physical layer challenge. The challenge signal from the BS in a time domain can be represented as follows: where E s and T denote the energy per symbol and the symbol duration, respectively. In addition, it is assumed that sinusoids denoted by cos(2π f l t) are sufficiently separated so that the L sinusoids are all orthogonal to each other. Then, the channel phase of the received signal at the IoT device through the lth subcarrier is given by the following: where H( f l ) and n( f l ) are the lth channel coefficient, and noise term, respectively, which are assumed to be independent and identically distributed CSCG random variables, i.e., H( f l ) ∼ CN (0, σ 2 h ) (for Rayleigh fading) and n( f l ) ∼ CN (0, σ 2 ). Then, the channel phase can be obtained as follows: e jθ l = Y C ( f l ) |Y C ( f l )| , whereθ l is the lth estimated channel phase. The estimated channel phases are used for encapsulation of a secret key in the following physical layer response.

Physical Layer Response
In the physical layer response, a secret key for authentication is securely transmitted to the BS based on the estimated channel information from the challenge signal. In detail, a secret key denoted by κ = [κ 1 , κ 2 · · · κ L ] is shifted by the estimated channel phaseŝ θ 1 ,θ 2 · · ·θ L to prevent the intrusion device from capturing any knowledge of the secret key from the response signal. Note that the channel phases accounted in the proposed scheme provide more secure encryption, compared to the gain, due to their sensitivity and unpredictable nature to the locations of transceivers. Then, the transmitted signal in the physical layer response is represented as follows: Then, due to channel reciprocity, the received signal at the BS through the lth subcarrier is given by the following: whereθ l = θ l −θ l and n( f l ) are the estimation error for the lth channel phase and noise term, respectively.

Physical Layer Verification
In the conventional PHY-CRAM [8], it is decided whether a received signal is transmitted from a legitimate IoT device or an intrusion device in the physical layer verification step. To this end, two hypotheses are considered: H 1 is the alternative hypothesis that the received signal is transmitted by the legitimate IoT device with a legitimate secret key denoted by κ AB , and H 0 is the null hypothesis that the received signal is transmitted by the intrusion device with an arbitrary secret key denoted by κ E . In [8], the test statistics of ζ = |κ AB Y T R | are used for binary hypothesis testing. Here, is a received vector in the response stage. In this paper, based on the test statistics of ζ, a novel cross-layer authentication strategy integrating the PHY-CRAM scheme to the cryptographybased authentication is proposed, for which details are provided in the following subsection.

Proposed PL-AKA Protocol
In this subsection, we propose a PL-AKA, which prevents severe network congestion in core networks and minimizes the computational complexity for authentication of lowcost IoT devices in MIoT systems. To this end, the notion of local security is investigated, and the PHY-CRAM [8] is applied to a conventional AKA protocol with a novel integration strategy to resist impersonation attacks from malicious intruders. A BS plays a crucial role in authenticating an IoT device through the PHY-CRAM scheme, which is employed to alleviate traffic loads in core networks in the proposed protocol. Here, the PHY-CRAM can effectively protect the attacks by preemptively detecting a forged signal at a BS. Although the extra burden of a BS arises from the preemptive authentication, it is relatively small because the PHY-CRAM using channel state information (CSI) does not require high computational complexity. On the other hand, the PHY-CRAM itself may not provide acceptable authentication performance under bad communication environments (e.g., low SNR), whereas it enables fast authentication with low complexity. Therefore, it is crucial to design a novel integration strategy, which exploits advantages of both the PHY-CRAM and cryptography-based authentication.

Integration Strategy
In the conventional PHY-CRAM [8], a certain threshold is applied to the binary hypothesis testing for authentication decision. Then, the BS may make a wrong authentication decision with the test statistics of ζ, due to noise and interference. Therefore, a core of the integration strategy is how to define a statistical range that is prone to the preemptive authentication failure. To this end, the preemptive authentication result in the proposed protocol is divided into three cases: "Black", "Gray" and "White", instead of a binary decision for conventional PLA as to whether the received signal is legitimate or not. In "Black" and "White", the BS can be sure about whether the received signal is from an intruder or from a legitimate IoT device, respectively, with high probability. On the other hand, in "Gray", the BS is not sure about whether or not the signal is a legitimate one. Therefore, in the proposed protocol, we stipulate that "Gray" is an ambiguous result about which it is hard to make a firm decision in the physical layer, and put off the final decision to the upper layer cryptography-based authentication. Note that the result in the PHY-CRAM method is determined in accordance with test statistic ζ. Then, to determine a preemptive result in the PHY-CRAM method, two thresholds denoted by α 0 and α 1 are used in the physical layer verification, while a conventional PLA method uses a threshold to make a decision between "Black" and "White". Thus, if the preemptive result is "White" or "Black", the authentication is complete (i.e., cryptography-based authentication is not performed). On the other hand, if the result is "Gray", cryptography-based authentication is performed to make a final authentication decision at the MME.

Procedures of Proposed Protocol
Based on the integration strategy, detailed procedures of the proposed PL-AKA [17] are illustrated in Figure 1. As shown in the chart, ten messages, which are divided in three steps-(i) initial attach (M 1 ∼ The BS sends the IoT device a response signal with a secret key, which is encapsulated with channel phases. • M 9 : If a feature score is in "Gray", the MME selects an unused AV, retrieves RAND and AUTN, and sends them to the IoT device. Here, RAND and AUTN mean random challenge and authentication token, respectively, in cryptography-based authentication. • M 10 : If a feature score is in "Gray", the IoT device authenticates the networks and transmits RES to the MME. Here, RES means response in cryptography-based authentication. The main difference between the proposed protocol and an existing AKA protocol (e.g., EPS-AKA) is that the PHY-CRAM scheme comes under the authentication step, whereas the steps of (i) the initial attach and (ii) the key generation and distribution steps are similar to those of the conventional AKA protocol. At this time, an important issue that arises is how to integrate PLA with cryptography-based authentication. To this end, as shown in Figure 1, the PHY-CRAM method is employed as preemptive authentication between the IoT device and the BS. After performing the PHY-CRAM method, it is determined whether to conduct cryptography-based authentication procedures (M 9 and M 10 ) in the protocol in accordance with a result of the preemptive authentication.  9 . , 10 .

Performance Analysis
In this section, the proposed PL-AKA is theoretically analyzed in terms of the authentication error probability and signaling overhead under a MIoT system scenario. In addition, an experiment using USRP is performed to demonstrate the benefits of integrating PLA with an AKA protocol.

Theoretical Analysis
To evaluate the proposed authentication scheme, we consider an authentication error probability, which is an incorrect decision probability at the BS and given by the following: where P M and P F are the miss and false alarm probabilities at the BS, respectively, and ρ is a weighting factor (0 ≤ ρ ≤ 1). Note that P E = 0 is assumed in the conventional cryptography-based authentication. P M is the probability that when the legitimate IoT device transmits, the BS decides that the signal is an intrusion signal; P F is the probability that when the intrusion device transmits, the BS decides that the signal is a legitimate signal. As shown in [8], the distribution of f ζ|H i (x) is the Rice distribution as follows: where ν i = E [ζ|H i ], σ 2 i = Var[ζ|H i ] and Q 1 (x, y) is the Marcum Q-function respectively [18]. For given target miss and false alarm probabilities denoted by P • M and P • F , respectively, the thresholds are determined as follows: Then, based on the target miss and false alarm probabilities, the authentication error probability can be obtained in the proposed protocol-that is, we can control the authentication performance with P • M and P • F . However, it should be noted that if P • M and P • F are too low, it can induce a large signaling overhead. We compare the proposed protocol with the conventional EPS-AKA protocol in terms of the signaling overhead. As mentioned in the previous subsection, the thresholds (α 1 and α 0 ) are determined with P • M and P • F , respectively. Then, the ranges of the three cases (i.e., "Black", "Gray" and "White") are determined as follows: Note that the lower the target miss and false alarm probabilities are set, the larger the distance between α 1 and α 0 , which determines the range that "Gray" becomes. Let λ denote the probability of "Gray" (i.e., p (α 1 ≤ ζ ≤ α 0 )). Thus, the probability is given by the following: From [19] and Table 1, the signaling overheads of EPS-AKA and PHY-PCRAS-AKA [11] are given as follows: (14) where N and U are the number of IoT devices and the number of authentication vectors, respectively. In addition, P denotes the number of authentication trials per IoT device. As shown in Figure 1, the M 9 and the M 10 messages associated with the cryptography-based authentication are exchanged with a probability ofλ = 1 − (1 − λ) 2 for the mutual authentication. Then, the average signaling overhead of the proposed protocol and signaling overhead at MME are given by the following: where M i is the ith message in the proposed protocol. Based on the related parameters in Table 1  Secret key for PHY-CRAM L AV Authentication vector 608 + L We present the simulation results to see the authentication and signaling overhead performance of the proposed protocol. For simulations, we assume the Rayleigh fading channel model and generate random phases, where H( f l ) ∼ CN (0, σ 2 h ) and define SNR as 10log 10 ( E s σ 2 ). Figure 2 depicts the probability density functions of ζ for legitimate and intrusion signals in which P • M = P • F = 10 −6 , L = 64, and SNR = 5 dB. As shown in Figure 2, the distribution of ζ|H 1 from the legitimate device is sufficiently distinguishable from that of ζ|H 0 , the intrusion one. In addition, the ranges of the three cases ("Black", "Gray" and "White") are determined by two thresholds (α 1 and α 0 ) with P • M and P • F . Here, "Gray" plays a role as a guard interval to prevent a wrong authentication decision of a BS caused by noise and interference. From Figure 2, it seems obvious that the probability that ζ is included in "Gray" is negligibly low, compared to "Black" and "White". It implies that the signaling overhead induced by cryptography-based authentication (i.e., M 9 and M 10 ) is insignificant. Figure 3 shows the simulation results for the signaling overhead over different target false alarm probabilities to compare the proposed PL-AKA with conventional EPS-AKA and physical layer phase challenge response authentication AKA (PHY-PCRAS-AKA) [11], where L = 64, P = 30, U = 20, N = 200, P • M = 10 −6 and SNR = 5 dB. In the simulation, the signaling overhead is divided into two types: (i) total signaling overhead, and (ii) signaling overhead at MME. As shown in Figure 3, although P • M = 10 −10 , the proposed PL-AKA has a small total signaling overhead, compared to the conventional methods. In particular, the PHY-PCRAS-AKA needs a larger signaling overhead than EPS-AKA because it simply cascades both layer authentication methods for the enhancement of security as described in (13) and (14). Furthermore, while the signaling overhead at MME is the same as the total signaling overhead in the conventional EPS-AKA, in the proposed PL-AKA, the signaling overhead at MME is significantly smaller than the total signaling overhead because the BS performs a preemptive authentication instead of the MME in the proposed PL-AKA protocol.

Experiment Analysis
In this subsection, we implement an experiment to demonstrate the practical performance of the proposed PL-AKA. To this end, a USRP based test-bed is designed in an LTE communication environment. In the experiment, phase sanitization introduced in [20] is employed to compensate for the effect of the carrier frequency offset (CFO) and sampling timing offset (STO) for channel reciprocity. Figure 4 shows the reciprocity of sanitized channel phase (θ) in our preliminary test [21]. From this result, we simply suppose that a BS transmits the challenge signal to an user equipment (UE) for PHY-CRAM. For the performance test of PL-AKA, the test statistics are defined and the probability of "Gray" (i.e., λ) is calculated to compare the signaling overhead with the conventional scheme.  Experiment Setup Figure 5 illustrates the experimental environment. The experiment is designed with 2 NI-USRP 2944R [22] and LTE application framework 2.0 [23] running on Labview NXG 4.0 [24] of National Instrument. The host-PC is Dell Insprion 3650 [25] with Intel Core i5, and having 16 GB of RAM. Each USRP is connected to PCI express port of the PC and one USRP is served as a BS, and the other is served as an UE. To measure CSI according to a physical location, the UE is settled onto i-ROBO PSA-125-S motion stage [26] with Autonics PMC-1HS-USB controller [27]. UE moves 50 locations that are 2 cm apart from each other, measuring the 1000 CSI frames in each location. In the given situation, BS and UE are remotely controlled by a laptop to avoid channel distortion and maintain the channel coherence time as long as possible. The experiment is operated for 10 h. Tables 2 and 3 indicate the USRP specifications and communication parameters, respectively.

Root Mean Square Distance (RMSD) Test Statistic
Utilizing the sanitized phase, RMSD can also be a simple alternative test statistic instead of [8]. Let us denote RMSD as η, which is defined with the following equation: where k and r are kth estimated frame and rth subcarrier of the frame, n is the number of subcarrier and L i and L j are the ith and jth location indices, respectively. Here, channel estimation of the 1st frame from a location i is selected for the reference frameθ

Effect of Spatial Correlation
In general, an eavesdropper in the vicinity of a legitimate receiver may obtain a legitimate CSI by exploiting spatial correlation. Thus, a measured RMSD within a halfwavelength distance from ith location is not regarded in order to simplify the analysis.

Effect of Intercarrier Dependency
Another constraint that arises in measuring test statistics is intercarrier dependency. Figure 6 describes two different channels: simulated Rayleigh independent fading channel, and measured channel from the experiment. In this situation, (a) can extract useful information as the number of subcarrier increases, but (b) provides no additional information, even if it exploits the entire CRS subcarrier to encapsulate the secret key. This result implies that however a number of subcarriers are used, there is no significant reliability increase, but it improves the secrecy ability with the extension of the key length. From the point of view of reliability and computational efficiency, the selective subcarrier benefits from the signaling overhead, but it has to sacrifice its secrecy ability.  Figure 7 is the histogram of the RMSD results of the experiment. For ease of comprehension, we assume that the profiles can be fitted as a log-normal distribution, i.e., ln(X) ∼ (ν i , σ 2 i ) that PDF and CDF are defined by the following:

Experimental Results
where and erf(x) is error function [28] respectively. From the above equations, P • M , P • F and λ can be induced by applying the concept in Equations (8)-(10), conversely. Then, in the case of RMSD, the thresholds are determined as follows: As shown in Figure 8, "Black", "Gray" and "White" are determined as follows:  In addition, we investigated not only the signaling overhead of total protocol, but also that of MME as described in (16). In terms of entire protocol, it alleviates the burden of MME, which can be desirable for the future in distributed networks. In addition, the proposed scheme achieves a computational predominance by sacrificing the target false alarm rate. Thus, the number of subcarrier and false alarms and the miss detection probability should be coordinated moderately as its application.
Target False Alarm Probability °S ignaling Overhead (bits) Figure 9. Signaling overheads of PL-AKA and EPS-AKA over various target false alarm probabilities (experiment results).

Conclusions
In this paper, we presented a lightweight PL-AKA protocol by applying PLA to conventional AKA protocol, preemptively. To this end, we considered the integration strategy of the PLA and conventional cryptography-based authentication, classifying the PLA results into three parts: "Authenticated", "Rejected" and "Gray". We derived the signaling overhead of the proposed PL-AKA protocol with a probability that the cryptographybased authentication is performed. Moreover, a USRP-based experimental analysis was conducted to demonstrate the proposed scheme in practical application for IoT. In this analysis, we installed BS and UE as the LTE communication system, and observed the CSI according to the physical location with the linear stage. Here, phase sanitization was introduced to neutralize the effect of CFO and STO, and RMSD was defined to separate the legitimate and intrusion channel. The proposed scheme can achieve a more efficient signaling overhead, compared to conventional schemes, in both the simulation and experimental results. Therefore, this study showed the feasibility of the proposed scheme; various approaches to reduce the "Gray" probability can be the basis of future work to further reduce authentication overheads.
Author Contributions: S.H. contributed toward the experimental analysis and data measurement. Y.L. helped in writing the introduction, investigation, resource, theoretical algorithms, review and editing, methodology. J.C. helped in the conceptualization, methodology, experimental analysis, validation, review and editing. E.H. aided in the proofreading, conceptualization, methodology, formal analysis, review and editing as the corresponding author, and provided guidance throughout the whole preparation of the manuscript. All authors have read and agreed to the published version of the manuscript. The data presented in this study are available on request from the corresponding author. The data are not publicly available because this data set will be used for future works.

Conflicts of Interest:
The authors declare no conflict of interest.

Abbreviations
The following abbreviations are used in this manuscript:

5G
Fifth-generation USRP Universal software radio peripheral IoT Internet of Things MIoT Massive internet of things AKA Authentication and key agreement EPS-AKA