On Secure Communications Over a Wiretap Channel With Fixed-Rate ...

IEEE WIRELESS COMMUNICATIONS LETTERS, VOL. 4, NO. 4, AUGUST 2015

453

On Secure Communications Over a Wiretap Channel With Fixed-Rate Transmission: Protocol Design and Queueing Analysis Ahmed El Shafie, Student Member, IEEE, and Naofal Al-Dhahir, Fellow, IEEE

Abstract—In this letter, we consider a wiretap channel when a source node maintains two buffers (queues) to store its data and secret key packets. We propose two medium-access protocols. In the first proposed protocol, we assume that the legitimate source and its destination share random secret key packets when the main channel is better than either the channel between the eavesdropper and the source or the channel between the eavesdropper and the destination. These key packets are stored in a separate key queue at the source and its destination, and they are utilized to secure data packets whenever channel conditions favor eavesdropper channels over the main communication channel. In the second proposed protocol, the source employs a random-access scheme based on the link and queue states. Our numerical results demonstrate the gains of our proposed protocols in terms of the mean service rate of the data queue and the average queueing delay of the data packets. Index Terms—Wiretap channel, secrecy capacity, fading channels, secret keys queue, data queue.

I. I NTRODUCTION

T

HE seminal paper of Wyner [1] stimulated a large number of recent investigations (e.g., [2] and the references therein) on wireless physical-layer security techniques. However, only few studies investigated the interplay between the secrecy requirements and key functions at the higher networking layers such as scheduling and routing [3], [4]. In [5], the authors propose the idea of using a key queue in a single-user system. Different from the data queue at the source, a key queue is kept at both the legitimate source and destination and hidden from the eavesdropper. The main idea is to use a portion of the secrecy rate to send randomly-generated key bits instead of sending data bits. These stored key bits can be used later to achieve secure communication between the source and its destination when the source-destination link is not secured. Thus, even when the instantaneous secrecy rate is zero, which is the case when the source-eavesdropper channel has better gain than that of the legitimate source-destination channel, data bits can still be transmitted to the destination securely from the eavesdropper. Based on this idea, Gungor et al. [6] showed that a long-term constant secrecy rate is achievable. The authors of [6] addressed decoding delays but did not consider the dynamics of the data arrival process at Manuscript received April 13, 2015; accepted May 13, 2015. Date of publication May 19, 2015; date of current version August 20, 2015. This paper was supported by the NPRP under Grant 6-149-2-058 from the Qatar National Research Fund (a member of Qatar Foundation). The statements made herein are solely the responsibility of the authors. The associate editor coordinating the review of this paper and approving it for publication was I. Krikidis. The authors are with the Department of Electrical Engineering, Erik Jonsson School of Engineering and Computer Science, University of Texas at Dallas, Richardson, TX 75080 USA (e-mail: [email protected]). Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org. Digital Object Identifier 10.1109/LWC.2015.2434948

the source. Mao et al. [7] assumed random data arrivals at the source node and illustrated through simulations that the use of a key queue reduces the queueing delay for the data packets. Unlike [5]–[7], we assume that the destination can also share secret keys with the source. We assume fixed-rate transmissions, where the data and keys are generated and communicated as fixed-length packets, which is a practical hardware constraint for transmitters using a fixed modulation scheme. Thus, our work does not assume adaptive modulation. Our contributions in this letter can be summarized as follows. We study the wiretap channel from a network layer point of view. That is, we assume that the source stores the data and key packets into specific buffers. For the secret keys, we assume that a similar buffer (mirror buffer) is located at the legitimate destination. We propose two protocols for secure communication between the source and its destination. For each of the two proposed protocols, we derive closed-form expressions for the mean service rate of the source’s data queue and the transition probabilities of the secret keys queue. Moreover, we derive closed-form expressions for inner and outer bounds on the source’s data packets queueing delay when the secret keys queue is infinite-length. In our simulations, we study the impact of the secret keys queue maximum size on the achievable data queue service rate. II. S YSTEM M ODEL We propose a queueing framework for the wiretap channel in which a source (S) wishes to communicate with a destination (D), privately from an eavesdropper (E). The secret keys are shared between the source and the destination. The time is partitioned into slots of length T seconds and the channel has a bandwidth of W Hz. We assume that the source has a data buffer (queue) where a data packet arrives with probability λd ∈ [0, 1] according to the Bernoulli distribution as proposed in, e.g., [8] and the references therein. The arrivals at a given time slot are independent and identically distributed Bernoulli random variables with mean λd packets per time slot. Note that the state of the keys queue depends on the state of the data queue and vice versa. For instance, if the data queue is empty, no packets are transmitted from the secret keys queue. The keys queue is denoted by Qs whereas the data queue is denoted by Qd . It is assumed that the data queue has unlimited capacity whereas the secret keys queue has a maximum capacity of D packets. The size of a data or key packet is B bits. In a given time slot, the source may either send one packet of keys or one packet of data. Hence, the spectral density per successful transmission is R = B/T/W. We assume that a data packet leaves the system when it is successfully received at the destination. We assume flat-fading channels where a channel coefficient remains constant during a time slot, but changes from one time slot to another identically and independently. All channel

2162-2337 © 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

454


coefficients are assumed to be known at all nodes, i.e., source, destination and eavesdropper. This assumption is reasonable when the eavesdropper is a non-hostile node that operates in the network and communicates with the same destination as the source (or with its own destination) from one time to another over another frequency band. Thus, the destination can estimate the channels (either blindly or using training bits) and feed them back to the source. In addition, we assume fixed-power transmissions and the additive noise at a receiver is modeled as a zero-mean circularly-symmetric Gaussian random variable with unit variance. For a given channel realization, the capacity of the i − j link, denoted by Ci,j , is given by Ci,j = log2 (1 + γ θi,j )

(1)

where γ is the received signal-to-noise ratio at node j when θi,j = 1, and θi,j is the channel gain of the i − j link. If node S wishes to communicate with node D in the presence of an eavesdropper E, the secrecy capacity for fixed channel realizations is given by s CS,D = max log2 (1 + γ θS,D ) − log2 (1 + γ θS,E ), 0 (2) where max{x, 0} denotes the maximum between 0 and x. If D wishes to share a key with S, the secrecy capacity is s CD,S = max log2 (1 + γ θD,S ) − log2 (1 + γ θD,E ), 0 (3) Assuming channel reciprocity, i.e., θi,j = θj,i , the maximum secrecy capacity for keys sharing is then given by C s = max log2 (1 + γ θS,D ) − log2 (1 + γ θm ), 0 (4) where θm = min{θD,E , θS,E }. This is the maximum length of a key that can be shared between the source and its destination in a given time slot. This can be achieved as follows: (1) if s }, then the destination generates {θS,E > θD,E } and {R ≤ CD,S and sends a new key to the source; (2) if {θS,E ≤ θD,E } and s }, the source generates and sends a new key packet {R ≤ CS,D to the destination. A. Non Random-Access (RA) Protocol In this subsection, we propose a simple non random-access (RA) protocol which is summarized as follows. • If {R > C s , R ≤ CS,D } and the keys queue, Qs , is nonempty, the source accesses the channel using a data packet XORED with one of the previously-shared secret key packets.1 • If {R > C s } and either {R > CS,D } or {Qs = 0}, the source and the destination remain silent. • If {R ≤ C s }, the source and the destination share one of the key packets based on the relation between θS,E and θD,E as explained earlier. • If the secret keys queue is full, the source sends a data s packet directly if {CS,D ≥ R} or XORED with a key s packet if {CS,D < R, CS,D ≥ R}. The dynamics of the secret keys queue can be modeled as follows. The transition probability from state m ∈ {0, 1, . . . , D−1} 1 The data is secured using a simple bit-by-bit XOR operation with the keys [6], [7]. Note that the key size must equal to the data size.

to state m + 1, denoted by am , is given by am = a = Pr{R ≤ C s |θS,D > θm } Pr{θS,D > θm }

(5)

The transition probability from state m ∈ {1, 2, . . . , D} to state m − 1 at Qs , denoted by bm , is given by bm = b˜ = bπd , b = Pr{R ≤ CS,D , R > C s }

(6)

where πq = Pr{0 < Qq < Fq } for q ∈ {s, d} and Fq is the maximum buffer size of Qq . Closed-form expressions for the probabilities used in computing a, b and the other quantities presented in this letter under Rayleigh fading channels are derived in the Appendix. Based on the above protocol description, the mean service rate of Qd is given by s μd = πs b + Pr{Qs = D} Pr R ≤ CS,D s (7) + Pr R ≤ CS,D , R > CS,D Next, we derive inner and outer bounds for the case of infinite-buffer-size secret keys queue. Since the queues are interacting with each other [8] (i.e., the state of one queue depends on the state of the other queue), we cannot compute the steady-state probabilities analytically. To make the problem analytically tractable, we derive inner and outer bounds on the system performance. Henceforth, whenever necessary, we append a superscript i or o for a quantity in the inner or outer bound, respectively. 1) Inner Bound on System Performance: Assume that the data queue is always nonempty while computing the transition probabilities of the secret keys queue Markov chain (MC). In this case, the probability that Qs is empty increases since most of the keys are used without actual contribution to the service rate of the data queue except for time slots where the secret keys queue is physically nonempty. Hence, this assumption underestimates the performance of the system. Since the queues are now decoupled, we can analyze their MCs. The MC model of the keys queue is shown in Fig. 1. Let νm denote the probability of having m packets at Qs . The local balance equations of the MC are given by νm am = νm+1 bm+1 , 0 ≤ m ≤ D − 1

(8)

Using the balance equations successively, the stationary distribution of νm for Qs occupancy is given by −1 m−1 D m−1 an an νm = ν0 , where ν0 = 1 + (9) bn+1 bn+1 n=0

m=1 n=0

Note that ν0 is obtained using the normalization condition

D m=0 νm = 1. For infinite-length secret keys queue, πs = min{a/b, 1} and hence a (10) μid = πs b = b min , 1 = min{a, b} b The queueing delay of the source packets is then given by Di =

1 − λd 1 − λd = i min{a, b} − λd μd − λd

(11)

with the data queue stability condition μid = min{a, b} > λd , which is obtained by analyzing the data queue MC assuming D → ∞.

EL SHAFIE AND AL-DHAHIR: ON COMMUNICATIONS OVER WIRETAP CHANNEL WITH FIXED-RATE TRANSMISSION

455

probability β = 1 − β or sends/receives a secret key packet with probability β. For the same conditions but with Qs = D (i.e., secret keys queue is full), the source sends a data packet with probability 1. Fig. 1. MC model for the secret keys queue.

2) Outer Bound on System Performance: Assume that Qs is always nonempty while computing the MC steady-state distribution of the data queue. This decreases the probability of the data queue being nonempty which, in turn, increases the probability of Qs being nonempty obtained from analyzing its MC. In this case, the probability that a packet leaves the data queue is μod = b. The probability of the data queue being empty is upper bounded and is given by λd (12) Pr{Qd = 0} = 1 − o , λd < μod μd The transition probabilities of the MC of Qs are then given by am = a, and bm = b˜ = b Pr{Qd > 0} = b λbd = λd with b > λd . Remark: The inner and the outer bounds coincide if D → ∞, a ≥ b, and λd < b. The proof is omitted here due to its simplicity and lack of space. B. RA Protocol In this protocol, we assume that the legitimate nodes dedicate the time slot for data packets or secret key packets based on the queue state information and the channel state information . If the secret keys queue is full, the source and the destination will not share any new keys. Hence, if the S − D link is secured and supports R bits/sec/Hz, the source transmits a data packet directly with probability 1. If the S − D link is unsecured and the secret keys queue is nonempty, the source uses one of the key packets to send a data packet securely when the direct channel supports R bits/sec/Hz, i.e., {CS,D ≥ R}. If the S − D link is secured and Qs is not full, the source randomly selects either to transmit a packet from the data queue with probability 1 − β or to send a new secret key packet to the destination with probability β. If the S − D link is unsecured but D − S is secured and Qs is not empty, the source either transmits a data packet XORED with the key packet at the head of Qs or leaves the time slot for the destination to send a new key using the secured D − S channel. If S − D is unsecured, D − S is secured, and Qs is empty, the source cannot send a data packet; hence, it leaves the time slot with probability 1 for the destination to share a new key packet if the D − S link securely supports R bits/sec/Hz. In all of the above-mentioned cases, if the capacity is lower than the transmission rate, the transmitting node (i.e., source or destination) will remain silent because the packet will not be decodable at the respective receiver. The operation of the nodes is summarized as follows: • If {R ≤ CS,D , R > C s } and {Qd = 0, Qs = 0}, the source sends a data packet XORED with one of the previouslyshared secret key packets. • If {R > C s } and either {Qd = 0}, {Qs = 0} or {R > CS,D }, the source and the destination remain silent. • If {Qd = 0} and {R ≤ C s }, the source transmits/receives a key packet. s } or {R > C s , R ≤ • If {Qd = 0} and {R ≤ CS,D S,D s CD,S , R ≤ CS,D }, the source sends a data packet with

According to the above description, queue Qs transits from state m to state m + 1 with probability s s s (πd β + πd ) + Pr R > CS,D , R ≤ CD,S a0 = Pr R ≤ CS,D s s s am = Pr R ≤ CS,D (πd β + πd ) + Pr R > CS,D , R ≤ CD,S × (πd β + πd ), ∀ m > 0

(13)

The transition probability from state m to state m − 1 is s s , R ≤ CD,S , R ≤ CS,D bm = πd β Pr R > CS,D + πd Pr{R > C s , R ≤ CS,D }, ∀ m < D s , R ≤ CS,D bD = πd Pr R > CS,D (14) Note that, under the Rayleigh fading channel model, the different terms in am , bm and μd in Equations (13)–(15) are derived directly from (20) in the Appendix. The mean service rate of the data queue is then given by s s + Pr R ≤ CS,D , R > CS,D μd = Pr{Qs = D} Pr R ≤ CS,D s +πs Pr R > C s , R ≤ CS,D +β Pr Qs = D} Pr{R ≤ CS,D s s + Pr R > CS,D (15) , R ≤ CD,S , R ≤ CS,D βπs For the case of infinite-length secret keys queue, we derive inner and outer bounds as in the previous subsection. We emphasize that in the RA protocol, we optimize β to either maximize μd or minimize the average queueing delay at Qd . Next, we investigate both cases by simulations. III. S IMULATIONS AND C ONCLUSION In this section, we evaluate the performance of the two proposed protocols. We assume the Rayleigh fading channel model. The mean of channel θi,j is σi,j . The parameters used to generate Fig. 2 are: σS,D = 0.5, σS,E = 1, σD,E = 1, γ = 10, D = ∞, and λd = 0.3 packets/slot. We plot the mean service rates of the proposed protocols versus R. The case of no keys, where the source transmits its data when the channel is secure and there are no shared keys, is also plotted for comparison. As shown in Fig. 2, our proposed protocols achieve higher mean service rates than the case with no keys. The inner and outer bounds are plotted to demonstrate their tightness as R changes. For the proposed protocols, with the assumed system parameters, the inner bounds are tight and coincide with the exact values at intermediate and high R levels. However, the outer bounds are tight at low R levels. The inner bounds of our proposed protocols are always better than the no-keys scenario. The impact of the secret keys queue maximum size is shown in Fig. 3. The parameters used to generate the figure are: σS,D = σS,E = σD,E = 1, R = 1 bits/sec/Hz, γ = 20, and λd = 0.3 packets/slot. As shown in the figure, the maximum mean service rate of the data queue is a nondecreasing function of D because as the keys queue size increases, the possibility of sharing more keys increases as well. Hence, more keys can be shared and used later when the S − D link is not secured. We note that the performance becomes constant with increasing D which means that we can adjust the buffer maximum capacity to

456


Fig. 2. Mean service rate of the source’s data queue versus R under the proposed protocols. In the figure’s legend, we denote non-RA and RA protocols by P1 and P2 , respectively.

1/σS,E . To simplify the notation, we let X, Y, and Z be three exponentially-distributed random variables with means 1/ x = σx , 1/ y = σy , and 1/ z = σz , respectively. We first compute Pr{X > min{Z, Y}}. Letting Y = min{Z, Y},

Y f (Y)dY Pr{X > Y} = exp − σx Y

σ˜ Y 1 Y σx dY = = exp − = σY Y σ˜ Y σY σY + σx (16) where σ˜1Y = σ1x + σ1Y . Next, we consider the computation of 1+γ X Pr R ≤ 1+γ |X > Y . Y 1 + γ X Pr{κ + 2R Y ≤ X} Pr 2R ≤ |X > Y = (17) 1 + γY Pr{X > Y} 2R −1 γ .

For a given Y, we have Y κ exp − −R (18) Pr{κ + 2R Y ≤ X|Y} = exp − σx 2 σx

where κ =

Fig. 3. Mean service rate of the source’s data queue versus D.

Fig. 4. Average queueing delay of the source’s data queue versus R.

any of these levels without sacrificing system performance. The performance of the no-keys case is independent of D since there are no keys to use or share. Moreover, our proposed protocols always outperform the no-keys case. The performances of our proposed protocols are almost equal for D = 1. For D > 1, the RA protocol outperforms the non-RA protocol. The queueing delays under each of the proposed protocols are shown in Fig. 4. The parameters used to generate the figure are: σS,D = 0.5, σS,E = 1, σD,E = 1, γ = 10, D = 15 packets, and λd = 0.1 packets/slot. We select β that minimizes the queueing delay under the RA protocol. We conclude by noting that, with the assumed system parameters, the RA protocol achieves slightly lower queueing delay than the non-RA protocol. In addition, the two protocols achieve significantly lower queueing delay than the no-keys scenario. A PPENDIX Here, we derive closed-form expressions for the various probabilities used in this letter. Assuming Rayleigh-fading channels, θi,j is exponentially-distributed with parameter i,j = 1/σi,j . Since both θD,E and θS,E are exponentially-distributed random variables, their minimum is also an exponentiallydistributed random variable with parameter 1/σY = 1/σD,E +

1 Using the results in (16) with 1/σ˜ Y = 2−R + σ1Y , we get σx σx κ (19) Pr{κ + 2R Y ≤ X} = exp − R σx 2 σY + σx Following the above proofs (steps are omitted here due to lack of space), we can show that κ Pr R ≤ log2 (1 + γ X)|X ≤ Y = exp − σ˜ Y y z exp −( x + y )κ 1+γ Y R Pr X ≥ Y, Z < Y, ≥2 = 1+γ Z x + y ( x + y )2R + z y exp −( x + y )κ Pr{X > Y, Z < Y, Y > κ} = x + y x + y × 1− exp(− z κ) x + y + z (20)

R EFERENCES [1] A. D. Wyner, “The wire-tap channel,” Bell Syst. Tech. J., vol. 54, no. 8, pp. 1355–1387, Oct. 1975. [2] L. Wang, N. Yang, M. Elkashlan, P. L. Yeoh, and J. Yuan, “Physical layer security of maximal ratio combining in two-wave with diffuse power fading channels,” IEEE Trans. Inf. Forensics Security, vol. 9, no. 2, pp. 247–258, Feb. 2014. [3] X. Zhu, B. Yang, and X. Guan, “Cross-layer scheduling with secrecy demands in delay-aware OFDMA network,” in Proc. IEEE WCNC, 2013, pp. 1339–1344. [4] X. Zhu, B. Yang, C. Chen, L. Xue, and X. Guan, “Cross-layer scheduling for OFDMA-based cognitive radio systems with delay and security constraints,” IEEE Trans. Veh. Technol., to be published. [Online]. Available: http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=7012108 [5] K. Khalil, M. Youssef, O. O. Koyluoglu, and H. El Gamal, “On the delay limited secrecy capacity of fading channels,” in Proc. IEEE ISIT, 2009, pp. 2617–2621. [6] O. Gungor, J. Tan, C. E. Koksal, H. El-Gamal, and N. B. Shroff, “Secrecy outage capacity of fading channels,” IEEE Trans. Inf. Theory, vol. 59, no. 9, pp. 5379–5397, Sep. 2013. [7] Z. Mao, C. E. Koksal, and N. B. Shroff, “Achieving full secrecy rate with low packet delays: An optimal control approach,” IEEE J. Sel. Areas Commun., vol. 31, no. 9, pp. 1944–1956, Sep. 2013. [8] A. Sadek, K. Liu, and A. Ephremides, “Cognitive multiple access via cooperation: Protocol design and performance analysis,” IEEE Trans. Inf. Theory, vol. 53, no. 10, pp. 3677–3696, Oct. 2007.