Physical Layer Authentication Based on Channel Polarization Response in Dual-Polarized Antenna Communication Systems

This study presents a novel approach for physical layer authentication based on channel polarization response (CPR). CPR is sensitive to variation in the physical properties of scatterers, and the CPR difference between various channels is higher than the channel frequency response (CFR) under rich scattering scenarios. Additionally, the estimation of CPR is continuous, the authentication interval can be adjusted according to the channel coherence time, then the proposed scheme can be applied to any rich scattering scenarios, including highly dynamic scenarios. Since the received polarization state is fixed during the channel coherence time, we can coherently stack the received polarization state to improve the signal to noise ratio (SNR) and the estimation accuracy of CPR, thereby achieving high authentication accuracy under ultra-low SNR. Moreover, since the transmitted polarization state of various transmitters is different, because of their unique hardware deficiencies, and since the CPR is dependent on the transmitted polarization state, the CPR of other transmitters is different, allowing the resolution of co- located attacks. We theoretically drive the false alarm probability, detection probability, optimal discriminant threshold, computational complexity, optimal stacking numbers, and optimal CPR points for authentication. Furthermore, extensive simulations and experiments are performed to verify the validity and effectiveness of the proposed scheme.

Abstract-This study presents a novel approach for physical layer authentication based on channel polarization response (CPR). CPR is sensitive to variation in the physical properties of scatterers, and the CPR difference between various channels is higher than the channel frequency response (CFR) under rich scattering scenarios. Additionally, the estimation of CPR is continuous, the authentication interval can be adjusted according to the channel coherence time, then the proposed scheme can be applied to any rich scattering scenarios, including highly dynamic scenarios. Since the received polarization state is fixed during the channel coherence time, we can coherently stack the received polarization state to improve the signal to noise ratio (SNR) and the estimation accuracy of CPR, thereby achieving high authentication accuracy under ultra-low SNR. Moreover, since the transmitted polarization state of various transmitters is different, because of their unique hardware deficiencies, and since the CPR is dependent on the transmitted polarization state, the CPR of other transmitters is different, allowing the resolution of co-located attacks. We theoretically drive the false alarm probability, detection probability, optimal discriminant threshold, computational complexity, optimal stacking numbers, and optimal CPR points for authentication. Furthermore, extensive simulations and experiments are performed to verify the validity and effectiveness of the proposed scheme.
Index Terms-Physical layer authentication, channel polarization response, highly dynamic scenarios, ultra-low SNR, co-located attacks.

I. INTRODUCTION
T HE broadcast nature of wireless channels makes them vulnerable to spoofing attacks, as both legitimate and illegitimate transmitters have the ability to access them. Conventional wireless communication systems resort to upper-layer authentication algorithms that relies on a symmetric or asymmetric key shared between the legitimate transmitter and receiver [1]. However, this paradigm suffers from security vulnerabilities in the key generation, distribution, and management processes, and the assumption of limited computational power for the adversary is becoming increasingly invalid with advancements in computational power and cryptanalysis algorithms [2].
According to the authentication parameters used, channel based schemes include schemes based on statistical channel information (SCI), instantaneous channel information (ICI), and multiple physical layer attributes. In terms of schemes based on SCI, [8], [9] proposed using RSS to provide secure pairing between devices. Reference [10] proposed using both the PSD and the generalized likelihood ratio test for authentication.
In terms of schemes based on ICI, there are CIR based schemes, CFR based schemes, and AOA based schemes. Among the CIR based schemes, [11] initially proposed to use the gain of CIR for authentication in the time-invariant channel. Then, [13] extended it to the time varying channel. In order to improve the authentication performance, [14], [15] proposed to use the gain of CIR and multipath delay for authentication, and a two-dimensional quantizer was proposed to simplify the calculation. However, this introduced quantization errors, which negatively impacted the authentication performance. To overcome this limitation, [2]  schemes. Reference [28] proposed using machine learning to further improve authentication performance. Among the CFR based schemes, [18], [20] initially proposed using the amplitude of CFR for authentication in the time-invariant channels. Then, it was extended to time varying channels [19], mobile scenarios [21], and frequency-selective Rayleigh channels [22]. In order to improve the authentication performance, the amplitude and phase of CFR were used to make an authentication in the OFDM [23] and CDMA systems [24]. Moreover, phase differences between the two CFRs were used for authentication in a multi-carrier transmission systems [12]. Among the AOA based schemes, [26] proposed using AOA for authentication, where a deep autoencoder was trained to learn the features from a training dataset.
In terms of schemes based on multiple physical layer attributes, [16], [17] proposed to use channel gain and phase noise for authentication in Multiple Input Multiple Output (MIMO) and massive MIMO systems. Reference [29] proposed to use CIR, CFO, RSS, and IQI for authentication. Moreover, the fuzzy theory was explored for modeling multiple physical layer attributes with imperfection and uncertainty, and a hybrid learning-based adaptive authentication algorithm was proposed to update system parameters. Reference [30] proposed to use CFO, CIR, and RSS for authentication, and a kernel machine was used for combining multiple physical layer attributes.
Here, we analyze and compare the channel based authentication schemes in table I. We can see that the existing schemes have some limitations under highly dynamic scenarios, co-located attack scenarios, and ultra-low signal to noise ratio (SNR) scenarios.

A. Highly Dynamic Scenarios
All the ICI based schemes rely on the pilot to estimate channel parameters and assume the channel is invariant in the pilot interval. When the channel is rapidly fluctuates, the channel parameters vary during the pilot interval, and the correlation between successive pilot intervals with the same transmitter is extremely low. Then, the authentication performance of ICI based schemes will significantly degrade, which is unacceptable for industrial applications. Reducing the pilot interval may seem like a solution, but this is not practical as the pilot, which is primarily designed for channel equalization and demodulation, instead of authentication, can only occupy limited channel resources. Although schemes based on SCI do not require a pilot signal, but they only depict path loss and shadow fading of the wireless channel, making it easier for attackers to duplicate and rendering their authentication performance inferior to that of ICI based schemes, as noted in [31].

B. Co-Located Attacks Scenarios
Since all the ICI and SCI based schemes assume that transmitters are located at different locations, they cannot handle the co-located attacks. Although schemes based on multiple physical layer attributes can use device features to authenticate transmitters at the same location. However, those devices with the same brand and model can have insufficient feature differences, leading to the possibility of misjudgment and reduced authentication performance.
To overcome the above shortcomings, we propose a scheme based on channel polarization response (CPR) under dual-polarized antenna systems. CPR describes the fading of the channel to signal polarization state, reflects the physical properties of the scatterers in the channel, e.g., material, orientation, attitude, etc. [32], and changes with the physical properties of the scatterers. Compared with CIR and CFR, which describe the fading of the channel to signal amplitude and phase, reflect spatial fading of the channel, and change with the distance between the transmitter and receiver, CPR is more sensitive to the change of the channel, and the difference between various channels is greater.
Since the polarization state of the signal does not carry information [33], the transmitting polarization state can be used as a "continuous pilot" to estimate CPR. The continuity of the transmitting polarization state enables continuous CPR estimation. On the one hand, we can adaptively adjust the authentication interval of the CPR based scheme according to the coherence time, allowing it to be applied to any rich scattering scenarios, including highly dynamic scenarios. So as to solve the authentication problem in highly dynamic scenarios. On the other hand, we can coherently stack the received polarization state according to the SNR and the required authentication performance to improve the accuracy of the CPR estimation. This is feasible as the transmitted polarization state of the signal is fixed. The problem of authentication with ultra-low SNR can thus be solved.
Under the influence of transmitter hardware deficiencies, the transmitting polarization state will deviate from the expected polarization state, making the polarization states transmitted by different transmitters slightly different [34]. The CPR is dependent on the transmitted polarization state [35], [36], resulting in differing CPR values for different transmitters located at the same location. The CPR difference caused by channel polarization fading is larger than the discriminant threshold, enabling the proposed scheme to distinguish between even two transmitters located at the same location.
To the best of our knowledge, we are the first one to utilize the CPR for physical layer authentication. Such an introduction of CPR to the physical security is not a straightforward effort, where the challenge is lack of the fundamental study, including the theoretical analysis on the CPR characteristic and the performance of the corresponding authentication scheme. The main contributions of this paper are summarized as follows: • A physical layer authentication scheme based on CPR is proposed, which can solve the problems of authentication  in highly dynamic scenarios and co-located attacks, while maintaining good authentication performance under ultralow SNR.
• The false alarm probability, detection probability, optimal threshold, optimal stacking numbers, optimal CPR points for authentication, and computational complexity are theoretically derived for the proposed scheme. Additionally, co-located attacks and Doppler effect on authentication performance are evaluated.
• Extensive simulations and experiments are performed to verify the theoretical correctness and feasibility of the proposed scheme. The rest of this paper is organized as follows. Section II introduces the communication network model and channel model. Section III presents the proposed authentication scheme based on CPR. The performance of the proposed scheme is analyzed in section IV. The numerical simulations and experiments are carried out in section V. Finally, section VI concludes this paper.

II. SYSTEM MODEL A. Network Model
Consider the traditional secure communication scenario, shown in Fig. 1. There are three entities in the communication network, in which Alice is the legitimate transmitter and Bob is the intended receiver, whereas Eve is the spoofer, attempting to impersonate Alice and sending false messages to Bob. It is assumed that Eve possesses some publicly known and repetitively used information, such as training sequences, pilot symbols [37], and the type of polarization used by the transmitting antennas.
The goal in this work is to construct authentication between Alice and Bob, in the presence of an adversary, Eve, who seeks to impersonate Alice and send false messages to Bob. To this end, consider the scenario where Bob receives signals at the tth and (t + 1)th intervals, with a time interval T ≤ T c , where T c is the channel coherence time. Through pre-sharing secret, physical measures (e.g., by manually executing the setup phase) [28], or communication on a parallel and secure channel [38], [39], Bob authenticates that the transmitter of the tth interval is Alice. The pre-sharing secret can be a key used one time for initial authentication or the channel information stored by Alice and Bob before the communication is interrupted. Then, Bob stores the CPR at the tth interval. Since CPRs from the same transmitter are highly correlated during the coherence time, CPRs from different transmitters are independent. In (t + 1)th interval, Bob can distinguish the unknown transmitter by comparing the similarity of CPRs at (t + 1)th and tth interval.

B. Channel Model
Assuming the receiver is equipped with horizontal and vertical dual-polarized antennas, this paper considers the dual-polarized Rayleigh fading channel [40], which is modeled as where H x y (t, f ) represents the channel transmission function when the transmitting component is y-polarized and the receiving antenna is x-polarized. G(t, f ) represents the spatial fading, and varies with the distance of the transceiver, which is the CFR used in previous works. ⃗ S represents the polarization fading, and varies with the physical properties of the scatterers (e.g., attitude adjustment, azimuth change), which is defined as CPR. We can see that CPR is more sensitive to the change of channel than CFR, and the CPR difference between various channels is greater under rich scattering scenarios. L is the number of multipath. A l is the channel gain of the lth path. f is the carrier frequency. f m = V ·cos θ c · f is the Doppler shift, V is the velocity of the scatterer, c is the speed of the light, θ is the angle between the scatterer and the incident wave. ι l is the delay of the lth path. S lx y is the polarization fading of the lth path when the transmitting component is y-polarized and the receiving antenna is x-polarized, which is determined by the transmitted polarization state and communication signal frequency [35], [36].
Suppose the transmitting signal is where x v (t) = |x v (t)| e jφ xv (t) and x h (t) = |x h (t)| e jφ xh (t) are the vertical component and horizontal component of the transmitting signal, respectively; |·| is the modular operator; After the signal in (2) propagating through the channel given by (1), the received signal is where ⃗ h(t, ι) is the inverse Fourier transform of ⃗ H (t, f ) on f , * represents convolution. Hereafter, for convenience of notation, we will omit t, ι, and f in the signal or channel parameters and use uppercase letters for the frequency domain, and lowercase letters for the time domain. The time interval index t will be resumed in Section III-C. Sampling ⃗ r at N points to get ⃗ r = ⃗ r 1 , ⃗ r 2 , · · · , ⃗ r n , · · · , ⃗ r N , where ⃗ r n represents the nth sample of the received signal, N = S a · T s , S a is the sample rate, T s is the sampling period. We performed N point discrete Fourier transform (DFT) on ⃗ r to obtain where where X J = X v / X h e j X P is the polarization state of the transmitted signal, X F = X v / X h is the amplitude ratio, It can be observed that the transmitted signal experiences both spatial and polarization fading, with independence between each other. Existing research has predominantly focused on utilizing the spatial fading, however, this paper takes a different approach by leveraging polarization fading.

III. PHYSICAL LAYER AUTHENTICATION SCHEME
In this section, we present the details of the proposed CPR-based Authentication Scheme, which encompasses three key stages. The first stage aims to enhance the SNR by stacking the received polarization state over the channel coherence time. The second stage estimates the CPR, and the logarithmic amplitude and phase of CPR are used as authentication parameters. The final stage performs the authentication process according to a hypothesis testing model, where the logarithmic likelihood ratio test is used to determine the test statistic.

A. Polarization State Coherent Stacking
Suppose the vertical and horizontal components of the noise powers at the receiver are σ 2 v and σ 2 h , respectively. The received signal is represented aŝ where w v and w h represent orthogonal receiver noise after sampling; w v and w h follow a cyclic complex Gaussian distribution with a mean of 0 and variance of σ 2 v and σ 2 h , respectively. Then, the received polarization state iŝ wherer F = r v / r h is the amplitude ratio of the received orthogonally polarized components.r P = φr v − φr h is the phase difference of the received orthogonally polarized components, φr v is the phase ofr v , φr h is the phase ofr h . Since the transmitted polarization state is fixed, and the channel can be considered approximately time-invariant during the coherence time. The received polarization state within the the coherence time can then be uniformly segmented and stacked in the time domain to reduce the impact of noise.
Assuming that the received polarization state between tth and (t + 1)th interval is divided into C segments, and the sample point of each segment is M, Using coherent stacking to denoise the signal, the stacked polarization state becomeŝ The S N R after stacking is represented as where |r v | 2 + |r h | 2 is the power of the signal after stacking, is the power of the noise after stacking. It can be observed that the stacking process results in a direct transfer of the S N R to C times the original S N R 0 . How to optimally select C and M will be discussed in Section IV-C.

B. CPR Estimation
After stacking the received polarization state, Bob performs M points DFT onr J e to obtainR J e . Based on X J and R J e , which describe the polarization state of the transmitted signal and received signal, the CPR can be estimated as outlined in equation (10).It is worth noting that the form of ⃗ S in equation (10) is distinct from that in equation (1). This difference is due to the use of the polarization ratio here, rather than the Jones vector in (1), to represent the polarization state for the purpose of facilitating subsequent calculations. The Jones vector and polarization ratio are two representations of the polarization state. So both ⃗ S in (1) and (10) uniquely represent the polarization fading of the channel.
where the upper subscript −1 denotes inverse. BringR J e and X J in (5) into (10), we can obtain Here X J is the ideal transmitting polarization state. Actually, the transmitted polarization state is affected by the transmitter hardware deficiency and noise, and deviates from X J [34]. Then, S F and S P are affected by the deficiency and noise of transmitter and receiver hardware.
where S F and S P are true channel polarization fading. F W X and P W X are the estimation error of S F and S P caused by transmitter hardware deficiency and transmitter noise. F W R and P W R are the estimation error of S F and S P caused by receiver hardware deficiency and receiver noise. According to [41], under dual polarization Rayleigh channel, log(S F ) approximately follows normal distribution, that is, where ξ = R ve 2 / R he 2 represents the power ratio of the received signal; ρ = R ve ·R † he |R ve | 2 ·|R he | 2 represents the correlation between the orthogonal components of the received signal, and † represents conjugate. ρ = tan 2 ϑ·cos 2 ϕ−ξ −1 is the slant angle of receiving antenna, ϕ is the slant angle of the transmitting antenna [42].
Based on [43] and [44], the mean value of S P is determined by β vh = arg[σ ve,he ], where σ ve,he = R ve · R † he , arg(·) is phase operator, the variance of S P is determined by ρ. When ρ = 0, the orthogonal signal components are independent of each other, and S P follows uniform distribution, that is, S P ∼ U [0, 2π ). When ρ = 1, the orthogonal signal components are completely correlated, and S P follows delta distribution. When 0 < ρ < 1, S P follows normal distribution, that is, where 2 F 1 (·; ·; ·; ·) is the confluent hypergeometric functions.
To facilitate later derivation, the characteristics of CPR used for authentication is We use S l F to replace log(S F ), then, where F X and P X are the estimation error of S l F and S P caused by transmitter hardware deficiency and transmitter noise, which follow Gaussian distribution with a mean of µ F X and µ P X , and variance of σ 2 F X and σ 2 P X , that is, F X ∼ N (µ F X , σ 2 F X ), P X ∼ N (µ P X , σ 2 P X ). µ F X and µ P X are determined by transmitter hardware structure, is the measurement noise bandwidth per tone, F N X is the transmitter noise figure. F R and P R are the estimation error of S F and S P caused by receiver hardware deficiency and receiver noise, which follow Gaussian distribution with a mean of µ F R and µ P R , and variance of σ 2 F R and σ 2 P R , that is, For wireless communications, the relative movement between transmitters and scatterers results in correlated temporal variations of channels. Similar to [17], we use the first-order Gauss-Markov process to approximate the temporal channel variations. Then represented as (17) where S l F [t + 1] and S P [t + 1] represent S l F and S P at (t + 1)th interval. S l F [t] and S P [t] represent S l F and S P at tth interval. α F represents the correlation between S l F [t + 1] and S l F [t], α P represents the correlation between S P [t + 1] and S P [t]. A larger value of α F and α P results in a higher degree of correlation. Without losing generality, it is assumed that α F = α P = α. Since CPR is continuous, T can be adjusted adaptively according to channel coherence time, and a large α can always be obtained. u[t+1] represents a Gaussian random variable with mean of 0 and variance of 1, that is, As shown in Fig. 2, we demonstrate the estimation of CPR. The CPR estimation only needs to use the original baseband signal and can be completed only by embedding a digital signal processing module in the existing commercial systems. However, the extraction of CFR requires customization of the existing commercial baseband signal processing chips. Therefore, the CPR extraction is more compatible with current commercial systems than CFR.

C. Authentication Based on CPR
Assuming that the transmitted signal frequency range is f min , f max ,Ŝ l F andŜ P that Bob stored areŜ l F = [Ŝ l F1 ,Ŝ l F2 , · · · ,Ŝ l Fm , · · · ,Ŝ l F M ] andŜ P = [Ŝ P1 ,Ŝ P2 , · · · , S Pm , · · · ,Ŝ P M ], whereŜ l Fm =Ŝ l F ( f m ),Ŝ Pm =Ŝ P ( f m ), Bob uses the logarithmic likelihood ratio test to determine the test statistic T that evaluates the difference of CPRs between adjacent time intervals [21]. Specifically, the logarithm likelihood ratio rule is: where P (·) denotes a probability density function; the null hypothesis, H 0 , denotes that the transmitter is Alice; the alternative hypothesis, H 1 , denotes that the transmitter is not Alice and we assume that the transmitter is Eve. According to (16) and (17),⃗ S l [t + 1] follows complex Gaussian distribution with mean of α A⃗ S l [t] and variance of where α A is the correlation coefficient of S l F (S P ) between Alice and Bob, σ 2 S F A (σ 2 S P A ) represents the variance of S l F (S P ) between Alice and Bob, σ 2 F X A and σ 2 P X A represent the estimation error of S l F and S P caused by the Alice transmitter noise. According to (16),⃗ S l [t + 1] follows complex Gaussian distribution with mean of µ S E = µ S F E + jµ S P E and variance of σ 2 represents the variance of S l F (S P ) between Eve and Bob, and σ 2 F X E and σ 2 P X E represent the estimation errors of S l F and S P caused by the Eve transmitter noise. Then, The location uncertainty of Eve makes σ 2 S F E ≫ σ 2 S F A and σ 2 S P E ≫ σ 2 S P A [14], then (19) can be simplified as Bring (15) into (20), we can obtain According to the typical statistical decision method, Bob uses a hypothesis test model to determine whether the transmitter at the (t + 1)th interval continues to be Alice. When T is less than or equal to the threshold δ, Bob accepts the hypothesis H 0 . Otherwise, Bob accepts the hypothesis H 1 .
We show the authentication process of the proposed scheme in Fig. 3. Combining Fig. 2 and Fig. 3, we can see that the proposed authentication scheme only needs to add a CPR estimation module and an authentication module to the existing dual-polarized antenna communication systems, which is easy to implement.

IV. PERFORMANCE ANALYSIS
In this section, we first derive the false alarm probability, detection probability, and optimal threshold. Subsequently, the computational complexity of the proposed authentication scheme is analyzed, and the optimal stacking numbers and the optimal CPR points for authentication are also given in a closed-form manner. Finally, the impact of co-located attacks and Doppler effect on the authentication performance is emphatically discussed.  (21) and (22), the false alarm probability (P F A ) of the proposed scheme is Proof: P F A refers to that under H 0 , T is greater than δ, Bob misjudges Alice as Eve, where F F A (δ) = P(T ≤ δ|H 0 ) is the cumulative distribution function of T under H 0 , which will be derived below. For the sake of analysis, T is represented as Under H 0 , the transmitter is still Alice at (t + 1)th interval. The CPR estimated at the (t+1)th interval can be characterized by the first-order Gauss-Markov model. Then, T F becomes: where , T Fm follows Gaussian distribution with mean of 0 and variance of 1. Then, T F follows the central chi-square distribution with M degrees of freedom, that is, T F ∼ F 1 χ 2 M . Under H 0 , T P becomes: where Since P X Am ∼ N (µ P X Am , σ 2 P X A ), P Rm ∼ N (µ P Rm , σ 2 P R ), T P follows the central chi-square distribution with M degrees of freedom, that is, T P ∼ P 1 χ 2 M . When a variable is the linear weighted sum of two chi-square variable, its cumulative distribution function can be approximated by Laguerre polynomials [45]. Therefore, according to (26) and (27), the cumulative distribution function of T is where β = 2·α 1 ·α 2 α 1 +α 2 , α 1 = F 1 , α 2 = P 1 . (·) is the gamma function. The proof is complete.
2) Detection Probability: Based on (21) and (22), the detection probability (P D ) of the proposed scheme is Proof: P D refers to that under the hypothesis of H 1 , T is greater than δ, and Bob correctly detects the existence of Eve, where F D (δ) = P(T ≤ δ|H 1 ) is the cumulative distribution function of T under H 1 , which will be derived below. Under H 1 , the transmitter is Eve. In this case, the CPRs estimated by Bob at the tth and (t + 1)th interval are independent of each other. Then, T F becomes Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply. where where . Since S P Em ∼ N (µ S P Em , σ 2 S P E ), P X Em ∼ N (µ P X Em , σ 2 P X E ), T P follows the non-central chi-square distribution with M degrees of freedom, that is According to (25), (32), and (33), the cumulative distribution function of T is , and δ ′ 2 into (29-a)-(29-c), we can obtain m ′ k . The proof is complete.

B. Optimal Threshold
According to the Neyman-Pearson (NP) theorem, P D increases as P F A increases. Then, the optimal threshold can be obtained by solving P F A = ϵ, where ϵ is the maximum P F A that Bob can tolerate. However, when we take a closer look at (23), we find that the threshold δ exists multiple places of the closed-form expression of the P F A . Then, it is challenging to obtain the optimal threshold directly from (23). Thus, we first derive the approximated expression of P F A to replace (23) for calculating the optimal threshold.
Here, we adopt the Log-Normal distribution to approximate the chi-square distribution in (26) and (27). This approximation is based on the observation that the probability density function of the chi-square distribution is nearly identical to that of the Log-Normal distribution when the degree of freedom of the chi-square distribution is large [2], [47]. Thus, we obtain T ∼ F 1 Log N (µ F , σ 2 F ) + P 1 Log N (µ P , σ 2 P ), where µ F = µ P = log(M) − σ 2 F 2 and σ 2 F = σ 2 P = log 1 + 2 M . The log-shifted Gamma approximation is also employed to model the sum of two lognormally distributed random variables according to [48] and [49]. Then, the cumulative distribution function of T can be approximated as ϖ, ϱ, ς can be obtained by the following expressions where µ = µ P − µ F +log(P 1 ) −log(F 1 ), σ 2 = σ 2 F + σ 2 P . G 1 , G 2 , and G 3 can be represented as in (37-a)-(37-c), shown at the bottom of the next page, where Bring (23) and (35) into P F A = ϵ, we can obtain the optimal threshold where F −1 (ϖ,ς ) (1 − ϵ) is the inverse of the cumulative distribution function of (ϖ, ς ), which can be calculated by gaminv (1 − ϵ, ϖ, ς )) in Matlab.
Substituting (38) into (30), we can see that P D is determined by S N R 0 , ξ A , ξ E , α F A , α P A , C, M under specific P F A , where S N R 0 , C, M can be adjusted according to specific performance requirement and channel parameters of (ξ A , ξ E , α F A , α P A ). In the simulations, we analyze the impact of those factors on authentication performance.
Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.
C. Computational Complexity and Optimal (C, M) 1) Computational Complexity: We use C C M and C AD D to represent the number of multiplications and additions of various schemes, and C O M = C C M + C AD D represents the total computation. The computation of the proposed scheme comes from three parts: authentication, CPR estimation, and coherent stacking.
According to (21), C C M required for authentication is (4M + 6) × τ , where τ = S t /T c represents the time varying speed of the channel, S t is the duration of a pilot, and T c = c/(V f c ). The reason for multiplying τ is that as the time varying speed of the channel increases, the number of authentications will also linearly increase. C AD D required for authentication is (4M +3) × τ . The total computation required for authentication is C O M au = (8M + 9) × τ .
According to (11), C C M required for CPR estimation is (7) and (8), C C M required for coherent stacking is (2C M + 1) × τ . C AD D required for coherent stacking is (C M + C) × τ . The total computation required for coherent stacking is Then, the total computation required for CPR based scheme is C O M C P R = (2M 2 + 9M + 3C M + C + 12) × τ . According to (7) in [2], the computation required for the CFR based scheme is C O M C F R = 4M. We can observe that for the same M, the proposed scheme requires more computation. For wireless communication systems such as IoT and 5G, these extra computations are acceptable.
2) Optimal C and M: In order to optimize C O M under the specific performance requirements (P F As ,P Ds ) and channel parameters (τ s , S N R 0 ). We need to select the appropriate C and M. The mathematical model is min C,M C O M C P R s.t. P D = P Ds , P F A = P F As , τ = τ s , S N R = S N R 0 , Since C O M C P R increases monotonically with the increases of C and M under certain τ . The above optimization problem can be simplified to solve C and M with P D (δ = e F −1 (ϖ,ς ) (1−P F As )+ϱ , S N R = S N R 0 ) = P Ds . Through exhaustive search method we can find the optimal C * and M * .
D. Impact of Co-Located Attacks and Doppler Effect 1) Impact of Co-Located Attacks: Assuming that Alice and Eve are located at the same position, and that Eve has perfect knowledge of the ideal transmitting polarization state that Alice wants to transmit. Alice and Eve complete the information transmission at tth and (t + 1)th interval, respectively. Since the receiver of both Alice and Eve is the same, µ P R and µ F R can be eliminated according to (21). Therefore, we only need to analyze the impact of transmitter hardware deficiencies and channel polarization fading on CPR. We denote that ζ ( f ) represents the polarization deflection difference between Alice and Eve owing to their different hardware deficiency, as shown in Fig. 4. We can then obtain the CPR of Eve using [50] ⃗ where ⃗ S A is the CPR between Alice and Bob. Substituting (10) and (11) into (40), we can get the CPR difference between Alice and Eve is Here ⃗ S represents the CPR difference caused by channel polarization fading under the specific polarization deflection difference ζ ( f ) between transmitters. To simplify the analysis, we assume that the transmitted polarization state of Alice is an ideal vertical polarization. Then (41) can be simplified as ⃗ S = S Fe A · e j S Pe A · (cosζ −sinζ −1) + (sinζ + cosζ − 1). (42) In Fig. 5, we show the impact of ζ and ξ on | ⃗ S| 2 at a frequency, such result is also valid at other frequency, which is the three-dimensional surface, the red line on the surface is δ of (38). We can see that | ⃗ S| 2 increases with the increase of ζ and ξ . We can also see that, the CPR difference is larger than the threshold when ζ ≥ 0.3 and ξ ≥ 3.25. According to [34], [42], [51], [52], ζ ≥ 0.3 and ξ ≥ 6 can always be obtained. Then, our proposed scheme can distinguish different transmitters at the same location.
Actually, the transmitter hardware deficiency can also cause CFO, which also affects the CFR under the frequency selective fading channels. However, the CFO is much smaller than the (−1) k (F(σ, µ, k) + F(σ, −µ, k + 1)) (37-c) Fig. 4. Polarization deflection of transmitter at a specific frequency, which is various at different frequency. channel coherence bandwidth [53], [54], and the CFR can be approximately regarded as constant. Then, the schemes based on CFR cannot distinguish the transmitters at the same location.
2) Impact of Doppler Effect: In time-varying scenarios, the presence of the Doppler shift can impact the authentication performance. While the CPR estimation shown in Fig. 2 does not involve the estimation of frequency offset, thus the effect of the Doppler effect on authentication performance is required to be carefully considered. Specifically, in the time domain, the Doppler effect causes time-varying channels, which leads to variation in α and τ . In the frequency domain, the Doppler effect causes spectrum extension, which results in the overlap of signals at different frequencies.
In our proposed scheme, T is adjusted according to T c to ensure that large α F and α P are always satisfied. This adjustment helps to eliminate the influence of the Doppler effect on the authentication performance in the time domain. In the following, we will analyze the impact of the Doppler effect on authentication performance in the frequency domain.
We consider two cases, where the relative velocity of scatterers in the channel is either constant or increases linearly.
1) Uniform motion. Under this case, the overlap of signal at tth interval and (t + 1)th interval are the same, that is, the CPRs are highly correlated in the coherence time, and the authentication performance is not affected by the Doppler effect.
2) Uniformly accelerated motion. Considering an acceleration of a and a velocity of scatterers in tth interval as V , the velocity of scatterers in (t + 1)th interval is V + a T . The maximum Doppler shift at tth interval is f m [t] = V ·cos θ c · f c , and the maximum Doppler shift at (t + 1)th interval is f m [t + 1] = (V +a T )·cos θ c · f c , then the Doppler shift difference between tth interval and (t + 1)th interval is f = a· T ·cos θ c · f c . In our paper T = T c , then f = a·T c ·cos θ c · f c . Under the worst case scenario (high-speed rail scenarios) with θ = 0, a = 7.78m/s 2 , T c = 500/ f c [55], we can obtain f = 1.297 × 10 −5 H z. According to polarization mode dispersion, the polarization state on the Poincare sphere spirally deflects with frequency, and the polarization states of adjacent frequencies are highly correlated. Since f is much smaller than coherence bandwidth [53], [54], the CPRs at the tth interval and (t +1)th interval are highly correlated, and the authentication performance is not affected by Doppler effect.

A. Simulation Setting
According to (30) and (38), Table II lists the primary system parameters that affect authentication performance. Here, ξ = |ξ E − ξ A | reflects the polarization power imbalance difference between various channels. Assume that Alice is equipped with a vertically polarized antenna and Bob is equipped with ±45 • dual polarized antennas. Considering a Rayleigh fading channel. We compare the authentication performance of the proposed scheme with that of CFR based scheme. The authentication model of the CFR scheme is based on the EMCP scheme proposed in [2], which is the same as this paper. So as to demonstrate the advantages of CPR over CFR in authentication.
We use Matlab for Monte Carlo simulations. Assume that the distance between Alice and Bob is d A , and the distance between Eve and Bob is d E . The channel gain is calculated by σ 2 Y = P 0 d −n Y , Y ∈ A, E, n is the path loss exponent, which is the same as the measured value of the experiments in section V-B. Based on (5), (13), and (14), we calculate the mean and variance of S l F and S P , where ξ is the same as the measured value of the experiments in section V-B. Additionally, we also need to consider the transmitter and receiver hardware deficiencies and noise, which are the same as the measured value of the experiments in section V-B. Then, based on (3) in [2] and (17), the CFR and CPR between Alice and Bob are generated by the "randn" function in Matlab. If the signal at (t + 1)th interval is still from Alice, the CPR is generated based on (17), and the CFR is generated based on (2) in [2], where α F and α P are the same as experiments. If the signal at (t + 1)th interval comes from Eve, the CFR and CPR are generated by independent "randn" function. If the signal at (t + 1)th interval comes from Eve and Eve modifies its transmitting signal to attack the authentication systems, the CFR and CPR are generated based on (19) in [56], where the channel correlation coefficient is obtained based on (55) in [57]. Based on the authentication process shown in Fig. 3, we conduct 10000 independent Monte Carlo simulations, and the average P F A and P D are counted.
Based on (23), (30), and (38), we use numerical simulation to obtain the theoretical P F A and P D of the proposed scheme.

B. Experiment Setting
In order to further verify the effectiveness of the proposed scheme, we performed experiments in real communication scenarios. Due to the limited space of the paper, we only show four typical experiments, including experiments on slow time varying channel, ultra-low SNR, co-located attacks, and fast time varying channel. The first three experiments were performed in the office with a maximum speed of 1m/s, as shown in Fig. 6(a). The last experiment was performed on a highway at a average vehicle speed of 50km/h, as shown in Fig. 6(b). The scatterers shown in Fig. 6(a) are composed of metal, paper boxes, etc., and there are people movement. The scatterers shown in Fig. 6(b) consist of trees, vehicles, etc.
We use ±45 • dual polarized antennas as the receiving antenna and a vertically polarized antenna as the transmitting antenna, both of which are placed at a height of 1.5m. USRP X310 and GNU radio are used to send wireless signals with 1.9GHz and 32MHz bandwidth, in which a frame consists of 140 OFDM symbols and the frame duration is 10ms. Moreover, the OFDM symbol comprises 64 subcarriers, and the pilot is located at the [-21,-7,7,21] subcarrier of the first OFDM symbol. The sample rate S a is 30.72MHz, which is the sample rate of Long Term Evolution (LTE) systems. According to [54], Fig. 6(a) is a low dynamic scenario with τ ≪ 1, and Fig. 6(b) is a highly dynamic scenario with τ > 1.
Based on the received signal, we can calculate ξ by |R v | 2 |R h | 2 , and calculate α I by is the variance of S I [t + 1]. By placing the transmitter next to the receiver, the hardware deficiency can be obtained by comparing the receiving polarization state with the ideal transmitting polarization state. Besides, the path loss exponent is calculated by n = log( P r P t ·K )/log( d 0 d ), where d 0 = 1m is the distance between transmitter and reference point, d is the distance between transmitter and receiver, P r , P t , and K are the received signal power, transmitted signal power, and signal power at distance of d 0 , which are measured by spectrum analyzer (ROHDE SCHWARZ FSH8), and the signal is transmitted by signal generator (ROHDE SCHWARZ SMW 200A). Bring F N X and F N R of the used transmitters and , we can obtain σ 2 F O and σ 2 P O . The above parameters are also used for simulations.
Based on Fig. 3, we collect the signal data and conduct authentication, where T s = T = T c , N and C are determined by (39). In order to eliminate the randomness introduced by the noise, we conduct 10000 repeated experiments for each test point, then take the average value as the result.

C. Impact of S N R 0
In Fig. 7, we show the simulation and experiment results of the proposed scheme under different S N R 0 . We can observe the following conclusions. First, the closed-form expressions of the theoretical results of various schemes perfectly match the corresponding simulation results as we expected. Second, the experiment results are slightly different from the simulation and theoretical results, which is caused by the fluctuation of S N R 0 during the measurement, with a maximum fluctuation of 0.2d B. However, the maximum performance difference is less than 4%, which is consistent with the simulation result. Third, the P D s of various schemes improve as the value of S N R 0 increases. This is because the effect of estimation error significantly decreases as the value of S N R 0 increases. Fourth, the authentication performance of the proposed scheme is better than that of the EMCP scheme. This is evident at low S N R 0 . For example, in the simulation, when S N R 0 = −4d B and C = 1, P D = 99.8% of the CPR based scheme, and P D = 61.5% of the EMCP scheme. This is because the CPR is more sensitive to the change of channel, and CPR difference between various channels is greater, then Eve can be easily detected. Fifth, the proposed scheme can still achieve good authentication performance when S N R 0 is very low. For example, when S N R 0 = −10d B and C = 20, P D = 99.7% of our proposed scheme, while P D = 9.8% of the EMCP scheme. This is because coherent stacking improves the estimation accuracy of CPR.

D. Impact of C and M
In Fig. 8, we analyze the impact of C and M on the authentication performance.
In Fig. 8(a), we analyze the impact of C on the authentication performance of the proposed scheme. We can see that the P D of the proposed scheme increases with the increase of C. This is because the improvement of S N R is proportional to C. Besides, P D reaches saturation at C = 21 when S N R 0 = −10d B. This is because S N R reaches the value that is sufficiently accurate to estimate CPR. Since the computation of the proposed scheme is proportional to C, it is sufficient to select the value of C that makes the P D reach saturation. We can also see that, with the increase of S N R 0 , the required C is less to make P D reach saturation. This is because with the increase of S N R 0 , the required improvement of S N R is small under certain authentication performance.
In Fig. 8(b), we analyze the impact of M on the authentication performance. We can see that under the same P D , the CPR based scheme requires less M than the EMCP scheme. Specifically, when P D ≥ 98% and S N R 0 = 0d B, the CPR based scheme needs M ≥ 13, and the EMCP scheme needs M ≥ 24. This is because the CPR is more sensitive to the change of channel, and the difference between various channels is greater. In practice, we can select appropriate M according to the authentication performance requirements to reduce the computational complexity. We can also see that under the same P D , the increase of S N R 0 will reduce the required M. For example, under the condition of P D = 98%, our proposed scheme needs M = 43 when S N R 0 = −5d B, M = 13 when S N R 0 = 0d B, and M = 6 when S N R 0 = 5d B. This is because the effect of estimation error significantly decreases as the value of S N R 0 increases. From Fig. 8(a) and (b), we can learn that when S N R 0 = 0d B and C = 1, the P D reaches saturation. This means when S N R 0 ≥ 0d B, increase C cannot improve P D . This is because S N R 0 ≥ 0d B is sufficient for accurate CPR estimation. However, when S N R 0 ≥ 0d B, P D can still increase with the increase of M. This is because the available CPR frequency attribute increases with the increase of M. Since compared with the increase of C, the increase of M will bring more C O M increase. In practical applications, when the S N R 0 is small, we should first increase C to make the S N R 0 reach the S N R that can estimate CPR accurately. Generally, CPR can be estimated accurately when S N R = 0d B. Then, on the basis of this S N R, increase M to further improve authentication performance.
Under the sample rate of 30.72MHz, and the worst case (high-speed rail scenarios) with V = 603km/ h, the maximum available N is 325. When S N R 0 = −15d B, we only need N = 130 to make P D = 98% and P F A = 2%. Therefore, it is reasonable to analyze the impact of C and M separately, and we can always obtain the optimal C and M.
E. Impact of ξ In Fig. 9, we analyze the impact of ξ on the authentication performance of the proposed scheme. Since ξ is effected by ξ , the distance between Alice and Eve, which is represented by d AE , and the impersonation attack that Eve performed, i.e. Eve may modify its transmitting signal to make ξ as small as possible [56]. Next, we will analyze the impact of ξ from those three aspects.
In Fig. 9(a), we analyze the impact of polarization fading degree ξ on authentication performance with fixed position of transmitter and receiver. We can see that the performance of the proposed scheme improves with the increases of ξ . This is because ξ increases with the increase of ξ . The larger ξ is, the greater CPR difference between Alice and Eve, and Bob can easily detect Eve. Therefore, when Alice, Eve, and Bob fixed, the proposed scheme can achieve better performance in channel with obvious polarization fading. Such as, non-lineof-sight (NLOS) Macrocell and NLOS Microcell.
In Fig. 9(b), we analyze the impact of d AE and impersonation attack on authentication performance. We can see that the experimental results are basically consistent with the simulation and theoretical results, which verifies the effectiveness of the proposed scheme. We can also see that d AE has little effect on the authentication performance of the proposed scheme when Eve do not modify its transmitting signal. Even when d AE = 0, we can still achieve P D = 98.7%, which proves that the proposed scheme can well solve the problem of co-located attacks. The reason for this is that the polarization state transmitted by Alice and Eve are different due to their different hardware deficiencies, and CPR is depended on the transmitted polarization state. Then, the CPRs of Alice and Eve are different, and Bob can distinguish Alice and Eve. While the authentication performance of the EMCP scheme declines with the decrease of d AE . When d AE = 0, P D is less than 30%, which cannot be accepted by industry. In Fig. 9(b), we can also see that the authentication performance of the CPR based scheme and the EMCP scheme decrease under impersonation attack. This is because Eve can modify its transmitting signal to make the CPR or CFR between Eve and Bob is similar to that of Alice and Bob, then Bob may identify Eve as Alice [56]. However, under the same d AE , the performance degradation of CPR based scheme is smaller than that of EMCP scheme, and the CPR based scheme can better counter the impersonation attack. Even when d AE = 0, i.e. there is a co-located attack, our propose scheme can still achieve P D = 88.7%. The reason is that the probability of Eve's successful attack is proportional to the correlation between the channel of Eve-Bob and that of Alice-Bob. The polarization dependence of CPR makes the correlation of CPR between different channels being less than CFR. Even if Eve and Alice are co-located, there are still large differences between the CPR of Eve-Bob and Alice-Bob. In addition, we can see that the performance difference between impersonation attack and without attack decreases with the increase of d AE . This is because the correlation between the channel of Eve-Bob and that of Alice-Bob decreases with the increase of d AE [57].
F. Impact of α In Fig. 10, we demonstrate the impact of α on the authentication performance of various schemes. We can see that the performance of various schemes improves as α increases under a fixed T . This is because the correlation of the same channel at adjacent intervals increases as α increases, then δ becomes small, and Eve can be easily detected. Therefore, in order to achieve high authentication performance, T needs to be adjusted according to the channel coherence time to ensure that large α can always be obtained, which will be discussed in the next subsection. In addition, under the same α, the proposed scheme can achieve higher authentication accuracy. This is because CPR is more sensitive to change of channel, and the difference between various channels is more significant.

G. Impact of τ
In Fig. 11, we demonstrate the impact of τ on the authentication performance of various schemes.
In Fig. 11(a), we can see that the P D of our proposed based scheme remains unchanged with the increase of τ . This is because CPR can be estimated continuously, and the authentication interval can be adaptively adjusted according to the channel coherence time. The P D of the EMCP scheme rapidly declines as τ increases. The reason is that the estimation interval of CFR is equal to the pilot period, when T c < T , where T = S t , that is, τ ≥ 1, CFRs at adjacent interval are weakly correlated or even independent of each other. Although the computational complexity of our proposed scheme also increases with the increase of τ , the increased computation can be accepted by engineering practices.
In Fig. 11(b), we can see that the experimental results are basically consistent with the simulation and theoretical results, which verifies the effectiveness of the proposed scheme. We can also see that, the authentication performance of our proposed scheme can still achieve the same performance as Fig. 7 with C = 1, while the EMCP scheme has a significant performance degradation compared with Fig. 7 with C = 1. This is because our proposed scheme can adjust T according to T c , whereas T of the EMCP scheme is fixed as S t . Then, α F A = α P A = 0.924 can also be obtain, whereas α E MC P is only 0.415 under experiment.

VI. CONCLUSION
We propose a novel physical authentication scheme based on CPR. It can be applied to any rich scattering scenarios, including high dynamic scenarios, and can still achieve high authentication accuracy under ultra-low SNR. Besides, we skillfully solve the co-located attacks problem. We theoretically derive the false alarm probability, detection probability, optimal threshold, computation complexity, optimal stacking numbers, and optimal authentication points of the proposed scheme. In addition, through extensive simulations and experiments, we get that the authentication performance of CPR based scheme is better than that of CFR based scheme, also our proposed scheme can still achieve good authentication performance in high dynamic scenarios and ultra-low SNR, and can distinguish Alice and Eve even they are located at the same position. In the future, we will further study the authentication scheme in massive MIMO systems. How to counter Eve's various attacks is also the focus of our future research.