38 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 3, NO. 1, MARCH 2008
Physical-Layer Authentication
Paul L. Yu, John S. Baras, Fellow, IEEE, and Brian M. Sadler, Fellow, IEEE
Abstract—Authentication is the process where claims of identity
are verified. Most mechanisms of authentication (e.g., digital signa-
tures and certificates) exist above the physical layer, though some
(e.g., spread-spectrum communications) exist at the physical layer
often with an additional cost in bandwidth. This paper introduces
a general analysis and design framework for authentication at the
physical layer where the authentication information is transmitted
concurrently with the data. By superimposing a carefully designed
secret modulation on the waveforms, authentication is added to the
signal without requiring additional bandwidth, as do spread-spec-
trum methods. The authentication is designed to be stealthy to the
uninformed user, robust to interference, and secure for identity
verification. The tradeoffs between these three goals are identified
and analyzed in block fading channels. The use of the authenti-
cation for channel estimation is also considered, and an improved
bit-error rate is demonstrated for time-varying channels. Finally,
simulation results are given that demonstrate the potential appli-
cation of this authentication technique.
Index Terms—Authentication, modulation, superimposed sig-
naling, watermarking.
I. INTRODUCTION
T
HE concept of security encapsulates a set of ideas that in-
cludes authentication, integrity, and secrecy. This paper
focuses on the authentication aspect of security; namely, can
a node be identified solely by its transmission characteristics?
We show that the answer is yes, subject to specifically iden-
tified tradeoffs in the stealth, robustness, and security of the
system. For an authentication system, the uniqueness and non-
reproducibility of the identification signal are of the utmost im-
portance.
In conventional digital communications systems, a sender
uses a message signal to transmit message symbols to a receiver.
The sender and receiver agree upon a transmission scheme
such that the mapping between signals and symbols is unique
and known by both parties. The framework presented here
extends the conventional communications system to transmit
an additional authentication signal concurrently with messages.
The authentication signal is subject to the same constraints as
the message signal and, hence, unlike a spread-spectrum signal,
can avoid using extra bandwidth. The authentication provides
a security mechanism supplemental to those present at higher
layers. With programmable radios, these modifications can be
made at low cost.
Manuscript received July 27, 2006; revised October 16, 2007. The associate
editor coordinating the review of this manuscript and approving it for publica-
tion was Dr. Nasir Memon.
P. L. Yu and J. S. Baras are with the Institute for Systems Research, Univer-
sity of Maryland, College Park, MD 20742 USA (e-mail: paulyu@isr.umd.edu;
baras@isr.umd.edu).
B. M. Sadler is with the Army Research Lab, Adelphi, MD 20783 USA
(e-mail: bsadler@arl.army.mil).
Digital Object Identifier 10.1109/TIFS.2007.916273
This paper diverges from much of the previous work. Re-
search in authentication systems and mechanisms have mostly
focused above the physical layer. There are two paradigms of
adding authentication: multiplexing or embedding. Some exam-
ples of multiplexed authentication are message authentication
codes or authentication protocols that require a series of mes-
sages devoted to authentication. An overview of these methods
may be found in [1] and in [2, Ch. 9 and 10]. The advantage
of these methods is that the authentication is received with the
same quality as the data. However, data throughput is penalized
since some of the bits carry authentication instead of data.
In 1972, Cover [3] analyzed broadcast channels and demon-
strated that high joint rates of transmissions are best achieved
with simultaneous, as opposed to time-multiplexed, transmis-
sions. Digital watermarking follows the paradigm of embedded
signalling by modifying the data in a controlled manner that pro-
vides additional information to the receiver. Authentication may
be transmitted in this manner [4], [5] and the addition is stealthy.
Unlike the multiplexing approach, embedding additional infor-
mation degrades the data quality [6]. Much of the research in
digital watermarking has focused on watermarking multimedia
data and minimizing the distortion at the receiver in terms of
human perception.
At the physical layer, there has been work in authenticating
the sender and receiver based on prior coordination or secret
sharing, where the sender is authenticated if the receiver can
successfully demodulate and decode the transmission. In this
light, spread-spectrum techniques, such as direct sequence and
frequency hopping, may be viewed as examples of physical-
layer authentication systems [7]. While these techniques are
covert and provide robustness to interference, they achieve this
at the cost of bandwidth expansion and allow only authenticated
parties with knowledge of the secret to participate in communi-
cations.
Suppose that we want to add authentication to a system in a
stealthy way so that users unaware of the authentication can con-
tinue to communicate without any modifications to the hardware
or protocol. The need for such stealth arises, for example, when
authentication is piggybacked onto an existing system. Our ap-
proach to authentication exists at the physical layer, and may be
used together with spread-spectrum methods or other security
schemes at the higher layers to provide a more secure system.
The idea of transparently adding information at the physical
layer has been discussed for some specific cases. Supangkat
et al. [8] proposed one such authentication scheme for tele-
phony where an encrypted hash of the conversation is added
back into the signal. Similarly, Kleider et al. [9] proposed a
scheme where a low-power watermark signal is added to the
data signal with spread-spectrum techniques. Wang et al. [10]
proposed a scheme for broadcast television where each trans-
mitter adds a unique low-power signal to its transmissions in
1556-6013/$25.00 © 2008 IEEE
YU et al.: PHYSICAL-LAYER AUTHENTICATION 39
order to prove its identity to the receivers. The transparent trans-
mission of data may also be realized by using multiresolution
transmissions, where varying levels of protection are guaran-
teed for multiple data streams [11]–[13]. With this idea, the data
symbols are sent with a high rate while the authentication is sent
with a lower rate. Multiresolution (also known as asymmetric or
nonuniform) constellations, where important data signal points
are far apart and less important signal points are close together,
can be used for this purpose.
Authentication at the physical layer may be viewed as a spe-
cial use of pilot symbols, since the authentication signal is ver-
ified and, therefore, known at the receiver. However, a subtle
difference arises since the authentication signal may or may
not be present. Pilots are either superimposed (SI) or time di-
vision multiplexed (TDM) with the messages. Dong
et al. [14]
showed that SI schemes can outperform TDM schemes when the
channel becomes sufficiently time varying. For a packet-based
multicarrier system, Kleider et al. [15] showed that SI pilots
can be utilized for channel acquisition while incurring only a
1-dB penalty when compared to a TDM training scheme. Thus,
the idea of superimposing the data for transparency is motivated
by previous work on channel estimation and authentication that
provides specific examples of success. Our work unifies and
generalizes many of the previous methods.
This paper introduces a broad analytical framework for de-
scribing physical-level authentication systems that do not re-
quire excess bandwidth. Using this setup, we analyze the stealth,
robustness, and security of the scheme. The stealth of a scheme
describes how covert the authentication is to a bystander. The
bystander should not be able to detect that the signal is anoma-
lous, nor should it detect any change in his or her own perfor-
mance as a result of the scheme. The robustness of a scheme
describes the resistance of the authentication to interference. Fi-
nally, the security of a scheme describes the inability of the ad-
versary to mount successful attacks. Fundamental performance
and tradeoffs are characterized between these desirable system
characteristics. We also consider how the authentication may
be used to improve channel estimation and demonstrate how
bit-error rates may be lowered in time-varying channels.
II. P
ROPOSED SCHEME
A. Scenario
In this paper, we consider the scenario depicted in Fig. 1
where four nodes share a wireless medium. Alice sends mes-
sages to Bob using reference signals while Carol and Eve listen.
This network has no privacy, so Carol and Eve can understand
what Alice is sending to Bob. Now suppose that Alice and
Bob agree on a keyed authentication scheme that allows Bob
to verify that the messages he receives are from Alice. In order
to authenticate, Alice sends a proof of authentication, called a
tag,
1
together with each message for Bob’s verification. We call
the transmitted signal under this scheme as the tagged signal.
The tags reflect knowledge of the key shared between Alice
and Bob.
1
We use the term “tag” to refer to the authentication signal that is superim-
posed at the physical layer.
Fig. 1. Scenario with Alice, Bob, Carol, and Eve.
Carol does not know the scheme and cannot authenticate
Alice’s messages, but she still can recover the messages. Eve
knows the scheme, but without the secret key, she also cannot
authenticate Alice’s messages. We say that Bob and Eve are
aware receivers and Carol is an unaware receiver. A scheme has
stealth if it: 1) does not significantly impact unaware receivers
and 2) is not easily detectable. Note that we are not adding
any privacy to the transmissions because we allow unaware
receivers to continue message decoding.
Authentication is a security mechanism and we must there-
fore consider the possible attacks on it. Assume that Eve is an
adversary that is aware of the scheme but does not know the
secret key. Eve wishes to disrupt the authentication process by
causing Bob to either reject authentic messages or accept in-
authentic messages. We say that the authentication scheme is
defeated when Eve can achieve her goals above a certain small
probability
. Eve plays an active role and can inject her own
malicious signals into the medium. The tags are commonly de-
pendent on the message so that unauthorized modifications to
the message or tag can be detected. Authentication is useful only
when it is difficult for Eve to defeat the scheme by creating valid
tags for her messages (impersonating), modifying Alice’s mes-
sages without Bob’s knowledge (tampering), or corrupting the
tag so that Bob cannot verify authenticity (removing). When it
is difficult for Eve to defeat the scheme, the scheme is said to be
secure.
Since the transmissions are present in random fading envi-
ronments, it is highly desirable that the scheme be resistant to
channel and noise effects. A scheme that is able to continue op-
eration in the midst of interference is called robust.
B. Reference System
In this paper, we consider single-antenna transceivers trans-
mitting narrowband signals in flat fading channels. We introduce
the reference system as the baseline communications system
upon which we build our proposed scheme. We refer the reader
to Table I for a table of our notation.
1) Signal Model: The sender wants to transmit a message to
the receiver so that it can be recovered and understood. When
the message must pass through a random channel, the sender
codes and modulates the message to protect against errors.
40 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 3, NO. 1, MARCH 2008
TABLE I
T
ABLE OF
SYMBOLS
Messages are blocks of symbols denoted by
. We assume that the message symbols are
independent, identically distributed (i.i.d.) random variables.
The encoding function
encapsulates any coding, modula-
tion, or pulse shaping that may be used. The resulting message
signal is
. The transmitted signal is denoted by
; in the case where the sender only transmits
messages, we have
. We refer to this as the reference
signal and will compare it with the tagged signal in the sequel.
We assume that
(1)
(2)
(3)
Then, the message signal also satisfies
and
.
2) Channel Model: We assume a Rayleigh block fading
channel so that different message blocks experience indepen-
dent fades. The channel for the
th block is , a complex
zero-mean Gaussian variable with variance
. The receiver
observes the block
(4)
where
and is white
Gaussian noise. The average signal-to-noise ratio (SNR) is
, and the SNR experienced by each block is
Rayleigh distributed with density
(5)
When the SNR
falls below a certain threshold, say , the
th message block becomes unacceptably corrupted. The outage
probability is the fraction of time that this occurs. The outage
probability
is fixed by setting
(6)
(7)
3) Channel Estimation: A block diagram of the unaware re-
ceiver is found in Fig. 2.
We assume that the channel is constant for the duration of the
block. While this may not be strictly true, it is a reasonable as-
sumption for slow fading channels. Pilot symbols are typically
Fig. 2. Block diagram of the unaware receiver.
used to aid in channel estimation, and we insert them in the
middle of the block as in Global System for Mobile Commu-
nications (GSM). (We use this as a representative pilot scheme,
however, we emphasize that our framework is easily generalized
to other cases). For the pilot symbols
and their observations
, the MMSE channel estimate is simply
(8)
where
is the Hermitian transpose. We assume that
.
4) Message Recovery: The unaware receiver uses its channel
estimate to estimate the
th message signal
(9)
It then uses
to recover the message symbols
(10)
C. Proposed System With Authentication
The proposed authentication system builds upon the reference
system introduced in Section II-B.
1) Signal Model: The sender wants to transmit the authen-
tication tag
together with the message so the receiver can
verify his or her identity. In general, the tag is a function of the
message
and the secret key
(11)
The tag is padded (if necessary) to the message length and si-
multaneously transmitted. The tagged signal is (see Fig. 3)
(12)
where
, .
As with the message signal, we assume the tags satisfy
and . We also assume that
so that we can interpret and as energy allocations of the
message and tag, respectively. Note that we are not forcing
each tag to be orthogonal to its corresponding message, but
YU et al.: PHYSICAL-LAYER AUTHENTICATION 41
Fig. 3. Construction of reference and tagged signals.
Fig. 4. Block diagram of the aware receiver.
rather that the pair be statistically uncorrelated.
2
An appropriate
would make the message and tag appear uncorrelated (but
not independent). We have the constraint
because
(3) must be satisfied for both tagged and reference signals. In
the case where
, the transmitted signal does not contain
any authentication tag and
.
We introduce the terminology message-to-interference ratio
(MIR) and tag-to-noise ratio (TNR) to facilitate future discus-
sion
(13)
and
(14)
The reference system devotes all of the signal energy to the mes-
sage [i.e.,
, , and, therefore, and
( dB]. The proposed system divides the
signal energy between the message and tag so that with
,
, , and dB.
2) Channel Model and Estimation: We assume the same
channel model as in Sections II-B2 and II-B3. Since the en-
ergy allocation is different for the proposed scheme, the pilot
symbols are modified so that decision regions remain valid.
Since
for our proposed scheme, the pilot symbols
should be scaled accordingly with
. For amplitude insensitive
modulations, such as 4-QAM or BPSK, this is not necessary.
3) Message Recovery: A block diagram of the aware receiver
is found in Fig. 4.
The aware receiver is an enhanced version of the unaware
receiver. Message recovery may proceed as in Section II-B4.
2
The effect of orthogonality on bandwidth is discussed in Section III-A1.
However, if we make some additional assumptions, the aware
receiver may do better. We see from Section II-B4 that the un-
aware receiver treats all observations the same way. This may be
suboptimal when two classes of signals may be observed. Since
the aware receiver knows that a tag may be present, it can re-
move the tag prior to message recovery and, hence, reduce the
error, provided that 1) it knows the tag exactly and 2) the tag is
present.
Recall from (11) that the tag is generated from the secret key
and the message. When the message is recovered without error,
Bob can generate the tag because he has the secret key. Even
if the message is recovered with errors, in some cases, the tag
can be correctly generated if the tag generating function
has some robustness against the message error. In the extreme
case, the tag is independent of the message and maximally ro-
bust in this sense. However, as we will discuss in Section III-C,
this is inadequate for security. A reasonable compromise can
be reached by having the tag depend on the message number
.
Since the message numbers are known, the receiver is always
able to generate valid tags using this scheme.
Section II-C4 details how the tag is detected. If the tag is
detected and estimated, then the aware receiver may choose to
remove it from the received signal [compared with (12)]
(15)
4) Authentication: In addition to recovering the message, the
aware receiver also decides on the authenticity of the signal. If
the receiver decides that the observation demonstrates knowl-
edge of the key, then it authenticates the sender. Otherwise, the
signal is not authenticated.
After estimating the channel, the receiver proceeds to perform
message estimation and obtains
. With the secret key, it can
generate the estimated tag
using (11) and look for it in the
residual
. The tag can be generated without error even when
contains some error when is robust against input error.
For example, robust hash functions [16], [17] are suitable for
this purpose
(16)
(17)
We perform a threshold test with hypotheses
is not present (18)
is present (19)
We obtain our test statistic
by match filtering the residual with
the estimated tag. When we assume perfect channel estimation
, message recovery , and tag estimation
, the statistic when the tagged signal is received is
(20)
42 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 3, NO. 1, MARCH 2008
where conditioned on , is a zero-mean Gaussian variable
with variance
. When the refer-
ence signal is received, the statistic is
(21)
and
since we assume .
The decision of authenticity
for the th block is made ac-
cording to
(22)
The threshold
of this test is determined for a false alarm
probability
according to the distribution of
(23)
where
is the standard Gaussian cumulative distribu-
tion function and we estimate the SNR
and
. The probability of detection for the th tag is
(24)
and the probability of detection of a randomly chosen tag with
a random channel realization is
(25)
where
is the probability density of given in (5).
III. P
ROPERTIES
We examine how the scheme proposed in Section II-C can
achieve the properties of stealth, robustness, and security. We
elaborate on the definitions and provide performance estimates.
A. Stealth
There are two aspects of a stealthy scheme. First, it should
be covert: the presence of the scheme should not be easily de-
tectable or obvious. Second, it should be unobtrusive: it should
not have a noticeable effect on the unaware receivers’ ability to
recover messages.
1) Covertness: Consider how the unaware receiver may
decide if the observed signal is anomalous. By definition, an
anomalous signal has characteristics that are deviant from the
reference signal. For example, signals are often constrained to
occupy a certain frequency band. If a signal leaks out of its
allocated band, then the receiver can identify it as anomalous.
Therefore, the tagged signal should respect the same bandwidth
constraints as the reference signal. In the proposed setup, the
tags are superimposed onto the messages (12), and we assume
that the tags and messages are uncorrelated. Note that we do not
enforce orthogonality for each (message, tag) pair. It is known
that the bandwidth efficiency (bits per Hertz) of orthogonal
Fig. 5. Wavelet tiling of the time–frequency plane.
signaling is low: for a given rate, the required bandwidth is
relatively high compared to nonorthogonal signaling [7]. A
slight bandwidth expansion that is dependent on
may be
observed. Since the tags are very low bit rate, the expansion
will be small. Also, by reducing the message energy, some
bandwidth becomes available for signaling the tag.
Rather than relying solely on the power allocation to con-
strain bandwidth, we can also use a basis decomposition (e.g.,
wavelets) to control the bandwidth of the tag. The wavelet
transform gives a constant-Q tiling of the time–frequency
plane, where every tile has bandwidth with constant propor-
tion to the others. Fig. 5 illustrates the concept. A common
implementation of the transform uses filter banks. We focus on
this particular approach as a concrete exposition. Consider the
sampled signal
. The wavelet transform
passes the signal through two filters simultaneously—one
highpass
and one lowpass , and then downsamples
the outputs by 2. The downsampled output of the highpass filter
is the level 1 detail coefficients, and the downsampled output of
the lowpass filter is the level 1 approximation coefficients. The
filter and downsampling is repeated with the approximation
coefficients to yield additional levels of detail and approxi-
mation coefficients. The further analysis of the approximation
coefficients is a characteristic of the wavelet transform and
provides multiresolution signal representation.
We refer to the coefficient level as the scale, and note that
large scales correspond to low frequencies. For a signal with
small bandwidth, most of the energy will reside in the large-
scale coefficients. For a signal with large bandwidth, however,
energy will be spread across the smaller scales as well. Thus, for
covertness, we place tag energy only in the appropriate scales
depending on the signal. The tag signal may be synthesized from
the coefficients by upsampling by 2 and filtering with impulse
responses
and . The details of
the analysis and synthesis filters are outside the scope of this
paper, but a good tutorial may be found in [18]. With any finite
support wavelet, some spectral leakage will occur. However, we
place tag energy only in the coefficients where the message has
energy also. Since we reduce the message energy and superim-
pose tag energy, the bandwidth should not be greatly perturbed
with appropriate power allocation.
The receiver may also flag the signal as anomalous if the
noise statistics are significantly different from what is expected.