This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2009 proceedings

Physical-Layer Security: Combining Error Control Coding and Cryptography

Willie K. Harrison, School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, Georgia 30332, [email protected]
Steven W. McLaughlin, School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, Georgia 30332–0284, [email protected]

978-1-4244-3435-0/09/$25.00 ©2009 IEEE

Abstract—In this paper we consider tandem error control coding and cryptography in the setting of the wiretap channel due to Wyner. In a typical communications system a cryptographic application is run at a layer above the physical layer and assumes the channel is error free. However, in any real application the channels for friendly users and passive eavesdroppers are not error free, and Wyner's wiretap model addresses this scenario. Using this model, we show that the security of a common cryptographic primitive, i.e. a keystream generator based on linear feedback shift registers (LFSR), can be strengthened by exploiting properties of the physical layer. A passive eavesdropper can be made to experience greater difficulty in cracking an LFSR-based cryptographic system, insomuch that the computational complexity of discovering the secret key increases by orders of magnitude, or is altogether infeasible. This result is shown for two fast correlation attacks originally presented by Meier and Staffelbach, in the context of channel errors due to the wiretap channel model.

I. INTRODUCTION

Traditionally communication systems have implemented security measures by cryptographic means. However, with the introduction of the wiretap channel model by Wyner [1], it became clear that security can also be achieved through means of channel coding. The wiretap channel model portrays two friendly users sharing information over a main communications channel c_m (e.g. a fading wireless channel [2]) and a passive eavesdropper observing a degraded version of the information through a wiretap channel c_w. As in [1], we will assume that both channels are discrete and memoryless. Fig. 1 portrays this scenario using binary symmetric channel (BSC) models for both c_m and c_w. If the communication over c_m is of a private nature, it then becomes necessary to accomplish the two seemingly conflicting tasks of reliability between the friendly users and security against the eavesdropper through some encoding technique. The purpose of this paper is to quantify the additional complexity that the eavesdropper faces when the security problem is addressed with channel errors at the physical layer in mind.

The existence of codes providing reliability to friendly parties while maintaining some level of confidentiality is crucial to increasing the necessary computations for an eavesdropper, and has been proven by Wyner in [1] as well as Csiszar and Korner in [3]. Practical codes of this kind, however, were not discovered until much later [4]. It has since been shown for many varying circumstances and channels that practical codes exist which satisfy both design constraints of reliability and secrecy. For example, it has been shown in [5] that practical low-density parity-check (LDPC) codes exist which achieve these two criteria for a noiseless channel c_m and a binary erasure channel c_w. Similar results have been shown in [6], also making use of LDPC codes as well as multilevel coding for the case of independent quasi-static fading channels c_m and c_w. In this paper we address a practical scenario where both c_m and c_w are treated as BSCs with probabilities of a bit flip p_m and p_w, respectively. It is assumed that the wiretap channel quality is less than that of the main channel, that is p_w > p_m. This might be the case, for example, in a zoned-security application where the friendly parties are inside a building and the eavesdropper is outside the building monitoring communications.

The rest of the paper is outlined as follows. First we give some discussion on the general setting. We focus our attention on linear feedback shift register (LFSR) cryptographic applications because attacks against them have been well documented and we are able to quantify the increase in complexity that the eavesdropper experiences due to errors in the wiretap channel. Two well-known attacks originally given in [7] will be considered, and it will be shown that an eavesdropper can be made to fail in obtaining the secret key in an otherwise successful scenario by considering the effects of channel errors presented by some physical means. The background for the LFSR-based cryptography is given in section II, while the attacks are presented briefly in section III. Afterwards, section IV provides evidence of a physical layer of security under the conditions of the attacks presented in the previous section. Theoretical results as well as simulation output for the two attacks are also included in this section. Finally, conclusions of these findings are provided in section V.

II. BACKGROUND

It has been shown by Shannon and others that a one-time pad can achieve perfect secrecy as a cryptographic encoding technique [8], meaning that knowing the codeword or encoded sequence gives no information on the value of the original message. However, implementation of a one-time pad relies on a perfectly random key sequence. Assuming that a user is capable of generating this sequence of elements, the problem of communicating with absolute secrecy can be solved, but at the expense of requiring distribution of a secret key which is the same length as the original message [9].

Due to the issue of key distribution inherent in the one-time pad encoding mechanism, other methods are used to attempt to emulate the secrecy aspects of the one-time pad while providing a more practical key length. One such system is given in [7], [10], [11], and [12]. The encoder for this system is comprised of a keystream generator that produces a pseudorandom key sequence (z_n) by combining M LFSR output sequences using a function f. The notation (z_n) = (z_0, z_1, ...) denotes a sequence or vector whose nth element is z_n. Assuming all data sequences to be binary, a ciphertext bit sequence (s_n) is produced using a bit-wise exclusive or (XOR) operation between the message sequence (m_n) and the keystream sequence (z_n), as portrayed in Fig. 1. The sequence (a_n) is the output sequence of a single LFSR, say the ith one. The effective key of the system consists of the initial conditions of the M shift registers, and hence is fixed in length regardless of the length of (m_n). Decoding is accomplished using the XOR operation with the same keystream sequence (z_n), which friendly parties can duplicate once they know the key. If it is assumed that the bits of (z_n) are random, independent and identically distributed (i.i.d.), and therefore that bits in the sequence cannot be predicted by an eavesdropper, then the system achieves the secrecy of the one-time pad.

This assumption is untrue, however, in many instances. For example, Siegenthaler showed using only ciphertext that the secret key (initial state) of a contributing LFSR can be obtained by calculating a correlation metric for all possible initial conditions of the LFSR, and then comparing to a Neyman-Pearson threshold determined by the statistics of the data [10]. While this particular attack requires 2^k − 1 correlation calculations, fast-correlation techniques exist where it is shown that a low-weight connection polynomial of an LFSR, i.e. one with a small number of feedback loops, produces a system more susceptible to correlation methods [7], [11]. Despite the shortcomings of LFSR-based generators, they continue to be used in modern cryptographic systems, including E0, the system employed by Bluetooth [13]. This is the case due to the relative ease in computations that an LFSR-based system provides. Many wireless and handheld technologies benefit from LFSR-based cryptography.

The attack of the LFSR-based cryptographic primitive assumes that the keystream sequence (z_n) is correlated to the output sequence of the ith LFSR (a_n) with correlation value 1 − p_1, and thus can be modeled as a BSC with Pr(a_j ≠ z_j) = p_1 for j = 0, 1, ..., N − 1, where N is taken to be the length of an observed sequence. Fig. 1 shows this modeling of the keystream generator. A known-plaintext attack is portrayed in the figure, where an eavesdropper has some means of obtaining N bits of the original message; therefore, if the sequence (s_n) is observed without error, then the first N bits of the keystream sequence (z_n) can be reconstructed exactly. It is assumed that p_w > p_m, implying more errors in the wiretap channel than in the main channel; therefore, an encoding technique is chosen to guarantee reliable communications between friendly parties while maintaining some percentage of bit errors in the wiretap channel. The effective error rate after applying error control coding (ECC) in the wiretap channel is given as p_2, and the model considered for the eavesdropper is simplified to that shown in Fig. 2. This figure indicates a pair of BSCs, where the first models the correlation of the sequences (a_n) and (z_n), and the second models bit errors in the wiretap channel after channel decoding. The output sequence of the final BSC (y_n) is obtained in practice by applying the N known bits of (m_n) to the decoded sequence as shown in Fig. 1. This sequence can be thought of as a noisy version of (a_n), with a single BSC separating the two sequences. The probability of a bit flip in this BSC is denoted p and is calculated to be

$$p = p_1(1 - p_2) + (1 - p_1)p_2 = p_1 + p_2 - 2p_1p_2. \qquad (1)$$

Fig. 1. Portrayal of a known-plaintext attack on the wiretap channel model where two friendly parties share information over a main channel c_m and an eavesdropper observes communications through a wiretap channel c_w. In practice the keystream generator is comprised of M LFSR output sequences combined according to a function f. It is simplified from its true condition and modeled as a single LFSR with a BSC.

Fig. 2. Wiretap channel model flow diagram relating sequences (a_n), (z_n), and (y_n) using a pair of binary symmetric channels.

The cryptographic system is said to be compromised if an eavesdropper can obtain the initial contents of the ith LFSR using (y_n), assuming knowledge of the LFSR connection polynomial is public.

III. CRYPTOGRAPHIC ALGORITHMS

Both attacks presented in [7] reconstruct the key of the ith LFSR using checks which are derived from the feedback polynomial g(x). This polynomial governs the structure of the LFSR, and guarantees a maximal-length output sequence before repeating if and only if g(x) = g_0 + g_1 x + g_2 x^2 + ··· + g_k x^k is primitive in GF(2), where g_j ∈ {0, 1} for j = 0, 1, ..., k [14]. Define t to be the number of feedback loops in the LFSR. For primitive g(x) of order k, g_0 = g_k = 1 and the total number of nonzero coefficients of g(x) is odd [7], thus providing an even value of t (g_k does not feed back). Let the indices of the nonzero coefficients in g(x) be denoted j_0, j_1, ..., j_t; then j_0 = 0 and j_t = k. Now consider the jth bit of the sequence (a_n). Due to the structure of g(x), a_{j+j_0} + a_{j+j_1} + ··· + a_{j+j_t} = 0. This expression is calculated in GF(2), and thus simplifies to

$$a_j = a_{j+j_1} + a_{j+j_2} + \cdots + a_{j+j_t}. \qquad (2)$$

Except for those within t bits of the end of the sequence, every bit can be expected to contribute to t + 1 checks of this kind. Additional checks are generated using a rule sometimes referred to as freshman exponentiation, which states that for elements x and y in GF(2), (x + y)^2 = x^2 + y^2 [14]. Check expressions given by (2) can then be repeatedly squared until limited by the length of the sequence N, providing additional check expressions with each squaring. Both attacks rely on computing these checks using the bits of (y_n), and counting checks which hold with equality. Of course a check can still hold if an even number of bits in a check expression have been flipped, hence bits are assigned conditional probabilities of being correct given the number of satisfied checks. These probabilities are stored in the vector (p*_n). Let the number of satisfied checks containing y_j be denoted as c_js, while the number of total checks for which y_j plays a role is expressed as c_jto. If c_js = h and c_jto = m, then

$$p^*_j = \Pr(y_j = a_j \mid c_{js} = h,\; c_{jto} = m) = \frac{(1-p)\, s^h (1-s)^{m-h}}{(1-p)\, s^h (1-s)^{m-h} + p\,(1-s)^h s^{m-h}}, \qquad (3)$$

where s is defined as the probability that an even number of errors occur in the bits of the check expression discounting y_j [7]. This value can be calculated recursively as s(j) = (1 − p)s(j − 1) + p(1 − s(j − 1)), where s(1) = 1 − p and s = s(t).

A. Attack A

The first attack in [7] is founded on the principle that bits which satisfy the most checks are the most reliable. Using the k bits which have the greatest values in (p*_n), a system of equations is determined and solved where the solution is the key or initial contents of the LFSR. This system of equations is constructed using the fact that every output of an LFSR is merely a linear combination of the bits in the initial state. The key is obtained by solving the system using a method such as LU decomposition tailored to operations in GF(2) [15]. Measures must be taken to ensure that the group of k bits chosen have linearly independent key bit combinations.

In order to determine whether the obtained solution is the key, a threshold for a correlation metric between (y_n) and a sequence generated by the solution to the system of equations must be formed [10]. If the solution is determined to be incorrect by the threshold comparison, the algorithm must then perform an exhaustive search on possible error combinations in the k chosen bits. The calculations necessary to perform this task dominate the performance of the algorithm, and hence define the computational complexity of attack A. Variations of the k bits with Hamming distance 1, 2, ..., k are tried until a key is found which satisfies the correlation condition. In order to calculate a worst-case scenario, it is assumed that the eavesdropper is always able to detect a correct key.

B. Attack B

The second attack presented in [7] also makes use of the conditional probabilities (p*_n); however, the iterative nature of this attack alters these calculations slightly. Attack B is extremely comparable to Gallager's LDPC decoding algorithm [16]. In the attack all conditional probabilities in the sequence (p*_n) are calculated using (3). A threshold p_thr is derived by calculating the best possible increase in correct bits assuming that all bits with probability less than the threshold are flipped. This correction threshold is set to the value where any bit y_j with p*_j < p_thr has a maximum likelihood of being incorrect. If a certain predetermined number of bits N_thr have values in (p*_n) less than p_thr, then those bits are flipped. Otherwise the conditional probabilities p*_j for j = 0, 1, ..., N − 1 are recalculated by exchanging the a priori probability p with the previous value of p*_j in (3). After a few iterations of probabilities, or once at least N_thr untrustworthy bits are found, the bits are flipped and the algorithm continues in this way until a solution is obtained.

IV. PROOF OF CONCEPT WITH SIMULATION RESULTS

If a channel encoding technique can guarantee bit errors for a passive eavesdropper regardless of ECC, then these errors can clearly contribute to the overall security of the system. The questions then remain of how to quantify the amount of security gained, and what value of p_2 will prevent an eavesdropper from gaining advantage in a correlation-based attack. To provide answers to these two questions, metrics used in [7] are analyzed. First, in the case of attack A, suppose there

are exactly r errors in the k chosen bits. Then the maximum number of iterations in an exhaustive search is

$$A(k, r) = \sum_{i=0}^{r} \binom{k}{i} \le 2^{H(r/k)\,k}. \qquad (4)$$

The inequality makes use of the binary entropy function H(x), and is well known. Of course r is not readily available in practice, but it can be estimated making use of (3) in the expression r̄ = k(1 − Pr(y_j = a_j | c_js = h̄, c_jto = m̄)), where m̄ is the average number of checks relevant to any one bit, and h̄ is the maximum integer such that k bits exist which are expected to satisfy at least h̄ checks. Therefore, given that the best k bits are chosen, r̄ of them are still expected to be in error. An estimate on an upper bound of the number of trials required is then given as 2^{H(r̄/k)k}.

Fig. 3 shows this bound for varying p_2 values in an example featuring a length-32 LFSR while assuming that N = 32 × 10^6 bits of (m_n) are known by the eavesdropper. The greater the length of the observed data sequence, the easier the system will yield to a correlation-based attack. Simulations of the attack are compared with this bound and can be seen in Fig. 4, although for a shorter LFSR. Both the theoretical bounds and the simulations show channel conditions where attacks are expected to require a significant amount of additional computations due to nonzero p_2. As shown in Fig. 4, the expected bound is much tighter for smaller p values. Clearly as p approaches 0.5, attack A reverts to a brute-force attack which is expected to require 2^{k−1} iterations, while the bound approaches 2^k. For smaller p the difference between the bound and the simulation results is not as pronounced. Regardless of this difference, when k is large and p is close to 0.5 the task of finding the secret key becomes overwhelmingly expensive, and not feasible in many cases. Physical-layer considerations can be addressed in the choice of channel codes, which can then drive p to 0.5 by increasing p_2, and thus obtain this extra level of security.

[Fig. 3 plot: "Attack A: Bound on Expected Complexity"; Number of Trials (log scale, 10^0 to 10^10) versus p1 from 0 to 0.5, one curve each for p2 = 0, 0.05, 0.1, 0.15.]
Fig. 3. Expected bound on the number of trials required to find the secret key using attack A for k = 32, N = k × 10^6, and t = 6.

[Fig. 4 plot: "Attack A: Theory vs. Simulation"; Number of Trials (×10^4, 0 to 3.5) versus p1 from 0 to 0.5, theory and simulation curves for p2 = 0, 0.15, 0.25.]
Fig. 4. Results from simulations of attack A showing necessary computations to crack the LFSR-based cryptographic system. Here k = 15, N = k × 100, and t = 4.

A similar analysis can be conducted for attack B; however, the attack has an underlying bipartite graph which connects check nodes to probabilities in (p*_n). Since the graph contains many cycles, after a few iterations probabilities become difficult to track; thus numbers of computations are likewise difficult to estimate. The strength of this attack is instead calculated by determining the effect of the first iteration of the algorithm. Recall that a threshold p_thr was determined to maximize the probability that y_j ≠ a_j given that p*_j < p_thr. Let N_w be the expected number of bits such that both a_j ≠ y_j and p*_j < p_thr, and let N_v be the expected number of bits such that a_j = y_j and p*_j < p_thr, for j = 0, 1, ..., N − 1. Also let N_i = N_w − N_v. If N_c0 represents the total number of bits such that a_j = y_j prior to iteration, then the toggling of all bits with p*_j < p_thr will result in an expected N_c0 + N_i correct bits. Obviously if N_i is negative, then the expected outcome of the first iteration will leave more bits in error than were originally so.

The only way to ensure that the algorithm does not eventually converge on the correct sequence is to insist that attack B have no correction capability. While this would be impossible to guarantee under every scenario, we say that attack B has correction capability zero if N_i < 0, i.e. N_v > N_w. The ratio

$$C = \frac{N_i}{N_w + N_v} \qquad (5)$$

is used to scale the value of N_i to a real number in the range [−1, 1] while maintaining its sign. Fig. 5 shows the value of the correction ratio C for several BSC parameters p_2, over a range of p_1 values. It should be noted that while a negative value of C implies a correction capability of zero, conditions yielding positive C values still may not converge on the correct sequence. Simulations of attack B have been consistent in a lack of convergence for cases where C ≤ 0.
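The quantities of Sections III and IV, worked through as an added example (not code from the paper): it builds the LFSR for the paper's g(x) = x^31 + x^21 + x^12 + x^3 + x^2 + x + 1, counts the checks of the form (2) and their squarings that contain a given bit, and evaluates (1), the recursion for s, (3) and the bound (4). The initial state and the seeded noise are constructed for illustration and are not values from the paper.

```python
# Added example (not the paper's code): the parity checks of Section III and equations
# (1), (3), (4), worked for the paper's g(x) = x^31 + x^21 + x^12 + x^3 + x^2 + x + 1
# (k = 31, t = 6). The initial state and the noise below are constructed for illustration.
import random
from math import comb, log2

# Exponents j0 < j1 < ... < jt of the nonzero coefficients of g(x); j0 = 0, jt = k.
G_EXPONENTS = (0, 1, 2, 3, 12, 21, 31)

def lfsr_sequence(exponents, init_state, length):
    """Output (a_n) of the LFSR with feedback polynomial g(x): every window obeys
    a_{b+j0} + a_{b+j1} + ... + a_{b+jt} = 0 in GF(2). init_state is the k-bit key."""
    k = exponents[-1]
    seq = list(init_state)
    feedback = [e for e in exponents if e < k]          # x^k itself does not feed back
    for b in range(length - k):
        seq.append(sum(seq[b + e] for e in feedback) % 2)  # a_{b+k} from the window at b
    return seq

def checks_on_bit(seq, exponents, j):
    """(c_js, c_jto) for bit j: every shifted window check containing bit j, for g(x),
    g(x)^2, g(x)^4, ... (freshman exponentiation doubles the spacing) while it fits in N."""
    n, k = len(seq), exponents[-1]
    satisfied = total = 0
    scale = 1
    while scale * k < n:
        for e in exponents:
            base = j - scale * e                        # window placing bit j at offset e
            if base < 0 or base + scale * k >= n:
                continue
            total += 1
            if sum(seq[base + scale * x] for x in exponents) % 2 == 0:
                satisfied += 1
        scale *= 2
    return satisfied, total

def p_effective(p1, p2):
    """Equation (1): flip probability of the single BSC between (a_n) and (y_n)."""
    return p1 + p2 - 2 * p1 * p2

def s_even(p, t):
    """Probability that an even number of the t other bits of a check are flipped:
    s(1) = 1 - p, s(j) = (1 - p) s(j-1) + p (1 - s(j-1)), s = s(t)."""
    s = 1 - p
    for _ in range(t - 1):
        s = (1 - p) * s + p * (1 - s)
    return s

def p_star(p, t, h, m):
    """Equation (3): Pr(y_j = a_j | c_js = h, c_jto = m), prior Pr(y_j = a_j) = 1 - p."""
    s = s_even(p, t)
    correct = (1 - p) * s ** h * (1 - s) ** (m - h)
    wrong = p * (1 - s) ** h * s ** (m - h)
    return correct / (correct + wrong)

def binary_entropy(x):
    return 0.0 if x in (0.0, 1.0) else -x * log2(x) - (1 - x) * log2(1 - x)

def attack_a_trials(k, r):
    """Equation (4): A(k, r) = sum_{i<=r} C(k, i), the worst-case search size."""
    return sum(comb(k, i) for i in range(r + 1))

def attack_a_bound(k, r):
    """Entropy bound 2^{H(r/k) k} on A(k, r) from equation (4); valid for r <= k/2."""
    assert 2 * r <= k, "the entropy bound on the binomial sum needs r <= k/2"
    return 2 ** (binary_entropy(r / k) * k)

if __name__ == "__main__":
    k, t = G_EXPONENTS[-1], len(G_EXPONENTS) - 1
    a = lfsr_sequence(G_EXPONENTS, [1] + [0] * (k - 1), k * 100)   # N = k x 100 as in Table I
    print("noise-free bit 1000 (c_js, c_jto):", checks_on_bit(a, G_EXPONENTS, 1000))
    for p2 in (0.0, 0.1):                                          # the paper's two cases
        p = p_effective(0.2, p2)
        rng = random.Random(1)                                     # constructed, seeded noise
        y = [bit ^ int(rng.random() < p) for bit in a]             # (y_n): (a_n) through the BSC
        h, m = checks_on_bit(y, G_EXPONENTS, 1000)
        print(f"p2={p2}: p={p:.2f} s={s_even(p, t):.4f} h/m={h}/{m} p*={p_star(p, t, h, m):.3f}")
    print("A(32, 8) =", attack_a_trials(32, 8), "<=", round(attack_a_bound(32, 8)))
```

With noise-free (a_n) every check on a bit is satisfied (c_js = c_jto), and raising p through p_2 pushes s toward 0.5, so the satisfied counts and p* carry less information about each bit: that loss is the margin the physical layer adds.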

[Fig. 5 plot: "Attack B: Correction Capability"; (Nw−Nv)/(Nw+Nv) from −0.4 to 1 versus p1 from 0 to 0.5, one curve each for p2 = 0, 0.05, 0.1, 0.15.]
Fig. 5. Correction capability of attack B for k = 32, N = k × 10^6, and t = 6. Negative values give a correction capability of zero indicating an inability to converge on the correct sequence.

TABLE I
SIMULATION RESULTS OF ATTACK B COMPARING SCENARIOS WITH AND WITHOUT ADDED SECURITY DUE TO THE PHYSICAL LAYER. FOR THESE SIMULATIONS, k = 31, N = k × 100, t = 6, AND p1 = 0.2.

Round | Case 1 (p2 = 0): number of bits flipped | Case 1: total correct bits | Case 2 (p2 = 0.1): number of bits flipped | Case 2: total correct bits
1     | 30  | 2487 | 1   | 2276
2     | 91  | 2526 | 3   | 2277
3     | 122 | 2586 | 6   | 2277
4     | 42  | 2628 | 8   | 2275
5     | 50  | 2676 | 11  | 2268
...   | ... | ...  | ... | ...
14    | 43  | 3075 | 2   | 2204
15    | 23  | 3098 | 100 | 2164
16    | 2   | 3100 | 4   | 2164
...   | -   | -    | ... | ...
34    | -   | -    | 1   | 2079
35    | -   | -    | 0   | 2079
...   | -   | -    | 0   | 2079
An example is in order. Let the primitive connection polynomial for the ith LFSR be written as g(x) = x^31 + x^21 + x^12 + x^3 + x^2 + x + 1 [17], and the correlation between (a_n) and (z_n) be 0.8, implying p_1 = 0.2. In the first of two cases p_2 = 0, meaning the eavesdropper is able to decode all channel errors in the wiretap channel using ECC, thus p = p_1 = 0.2 and the correction ratio C is calculated using (5) to be 0.826. Case two assumes that p_2 = 0.1, indicating an error rate of 10 percent in (y_n), which yields p = 0.26 by (1), and C = −0.034 by (5). Due to these values of C, it is expected that attack B will succeed in case one and fail in case two. Comparisons of the attacks are shown in Tab. I, where it is seen that case one converges on the correct output sequence in 16 rounds. Case two, however, requires 34 rounds before the algorithm stagnates and fails, a majority of rounds resulting in more bits in error than the previous round. Clearly an eavesdropper has been made to fail in an otherwise successful scenario due to the increased security inherent in the system, which can be produced by wise implementation of channel coding.

V. CONCLUSION

In conclusion, the wiretap channel model has been used to show security enhancements for wireless applications by considering the channel coding problem and the cryptography problem in tandem. These enhancements occur due to effects in the physical layer of a communications system. For a variety of applications where an eavesdropper experiences worse channel conditions than those between friendly parties, proper implementation of channel coding can ensure an increased difficulty in cracking cryptographic systems by preserving bit errors in the wiretap channel due to the physical layer. This principle was shown using an LFSR-based cryptographic system which is susceptible to correlation attacks in some cases. It has been shown using theory and simulations for two different attacks that channel coding can be used to either increase the difficulty of the attack or make it altogether impossible, thus providing a physical layer of security to the system.

REFERENCES

[1] A. D. Wyner, "The wire-tap channel," Bell System Technical Journal, vol. 54, pp. 1355–1387, Oct. 1975.
[2] J. Barros and M. R. D. Rodrigues, "Secrecy capacity of wireless channels," in Proc. IEEE International Symposium on Information Theory, pp. 356–360, July 2006.
[3] I. Csiszar and J. Korner, "Broadcast channels with confidential messages," IEEE Transactions on Information Theory, vol. 24, no. 3, pp. 339–348, May 1978.
[4] V. K. Wei, "Generalized Hamming weights for linear codes," IEEE Transactions on Information Theory, vol. 37, no. 5, pp. 1412–1418, Sep. 1991.
[5] A. Thangaraj, S. Dihidar, A. R. Calderbank, S. W. McLaughlin, and J.-M. Merolla, "Applications of LDPC codes to the wiretap channel," IEEE Transactions on Information Theory, vol. 53, no. 8, pp. 2933–2945, Aug. 2007.
[6] M. Bloch, J. Barros, M. R. D. Rodrigues, and S. W. McLaughlin, "Wireless information-theoretic security," IEEE Transactions on Information Theory, vol. 54, no. 6, pp. 2515–2534, June 2008.
[7] W. Meier and O. Staffelbach, "Fast correlation attacks on certain stream ciphers," Journal of Cryptology, vol. 1, pp. 159–176, 1989.
[8] C. E. Shannon, "Communication theory of secrecy systems," Bell System Technical Journal, vol. 28, no. 4, pp. 656–715, 1949.
[9] D. Welsh, Codes and Cryptography. Oxford University Press, Walton Street, Oxford OX26DP, 1988.
[10] T. Siegenthaler, "Decrypting a class of stream ciphers using ciphertext only," IEEE Transactions on Computers, vol. C-34, no. 1, pp. 81–85, Jan. 1985.
[11] V. V. Chepyzhov and B. J. M. Smeets, "On a fast correlation attack on certain stream ciphers," in EUROCRYPT, pp. 176–185, 1991.
[12] T. Johansson and F. Jonsson, "Theoretical analysis of a correlation attack based on convolutional codes," IEEE Transactions on Information Theory, vol. 48, no. 8, pp. 2173–2181, Aug. 2002.
[13] Promoter Members of Bluetooth SIG, Specification of the Bluetooth System - Core Version 2.1 + EDR. Bluetooth SIG, Inc., July 2007.
[14] T. K. Moon, Error Correction Coding: Mathematical Methods and Algorithms. John Wiley & Sons, Inc., Hoboken, NJ, 2005.
[15] T. K. Moon and W. C. Stirling, Mathematical Methods and Algorithms for Signal Processing. Prentice-Hall, Inc., Upper Saddle River, NJ 07458, 2000.
[16] R. G. Gallager, Low-Density Parity-Check Codes. MIT Press, Cambridge, MA, 1963.
[17] Frank Ruskey, The combinatorial object server (COS), http://www.theory.cs.uvic.ca/ cos/gen/poly.html, Sep. 2008.
