Tag Generation Using Chaotic Sequences for Physical-Layer Authentication

We consider in this work a physical layer authentication method in which a message authentication code, referred to as a tag, is transmitted along with the data message to provide a robust authentication method. This work diverges from previous work in the area when it comes to the tag generation method. While the previous works use methods based on cryptographic hash functions, our system employs unidimensional chaotic maps to generate these tags. Due to the loss of information about the initial condition of chaotic maps, we show that they are strong candidates for the tag generation process. We employ an information-theoretic approach to show that chaotic tags provide a positive lower bound on the unconditional security of the system even in a noiseless environment. To the best of our knowledge this is the first work where unconditional security is obtained independently of the noise power. Additionally, we calculate the probability of success for two active attacks to the authentication system: impersonation, substitution.


I. INTRODUCTION
Message authentication, which confirms that a received message comes from its stated sender, is relevant for secure communication systems. These operations are usually performed at several layers of the network. In particular, a physical layer authentication (PLA) scheme allows nodes to promptly reject fraudulent messages and reduces the complexity of higher layer authentication protocols.
One approach for PLA is to employ tag signals embedded in the source messages (called active PLA) that are usually generated based on the knowledge of a secret key [1], [2], [3], [4]. The receiver uses a tag detection approach to authenticate the transmitter. The security metric considered is the uncertainty of the secret key given the observations of noisy tags (equivocation). The effects of the authentica-The associate editor coordinating the review of this manuscript and approving it for publication was Engang Tian . tion approach on the outage probability and bit error rate are analyzed. The vulnerability of the PLA system against active attacks is discussed, but an analytical expression for the probability of a successful attack is missing. A generalization of this scheme using multiple keys is proposed in [3]. The analysis of tag-based PLA has been conducted for Internet of Things scenarios [5], [6], [7], non-orthogonal multiple access systems [8], Massive MIMO unmanned aerial vehicle (UAV) systems [9], reconfigurable intelligent surfaces [10], multi-user communication [11]. The optimization problem for the power allocation between the message and tag signals is considered in [12].
Another approach to PLA (called passive PLA) is to explore the uniqueness of the channel impulse response under multipath fading channels between the legitimate users [16], [17], [18]. In this scheme, the security performance is evaluated based on the probability of detecting a fraudulent message. Some practical limitations of passive PLA schemes are discussed in [1]. The proposition of PLA schemes based on machine learning techniques have been considered in [19], [20], and [21].
Regarding the tag generation process in active PLA, the majority of works employ a hash function whose inputs are the message and a secret key [1], [2], [3], [4], [7], [8], [9], [11], [12], [13]. In [5], and [10] the tag is generated in a similar way, using a hash function whose inputs are a secret key and either a reference signal [5] or a channel-based signal [10]. Both [14], [15] do not use a secret key, and the tag is generated by computing a hash with inputs being the message and a parameter based on the channel response. A hash function to generate the parameters of a weighted fractional Fourier transform is employed in [6] for tag generation. This work proposes a new tag generation method based on chaotic sequences.
The previously mentioned tag generation methods have a drawback: in a noiseless scenario, there is no secret key equivocation. However, this security weakness can be remedied by utilizing an iterative tag generation method that naturally loses information about its seed as it evolves. Chaotic maps can be employed to generate the tags, resulting in a more secure solution. Although the equations that generate chaotic dynamics are deterministic in nature, chaotic systems exhibit a stochastic aspect due to their sensitivity to initial conditions. In a finite precision system, predicting the future states of a chaotic system becomes a probabilistic task when there is no exact knowledge of its initial state [22]. There is an equivalent mechanism in the opposite direction, which refers to the unpredictability of a past state from the present state. The loss of information in the information flow can be characterized by the decay of statistical correlations between the entire past and a point σ steps ahead into the future. The evolution of a conditional entropy characterizes this loss for σ = 1, this is the Kolmogorov-Sinai entropy (KS), which is a global way of specifying the stochastic property of a chaotic system and measuring the mean amount of lost information. Information loss about the initial state of a chaotic system occurs due to a local mechanism known as contraction and a global mechanism referred to as folding [23]. In our analysis, we focus on the central role played by the initial state information loss due to folding. By generalizing KS for σ > 1 [24], which characterizes the asymptotical initial state information loss on chaotic systems with increasing σ , it becomes feasible to generate tags with positive equivocation in lossless scenarios.
In this work, we consider a tag-based PLA scheme with a new method to generate the tags and quantify the unconditional security of the proposed system using an informationtheoretic approach. Prior tag-based PLA schemes do not provide information-theoretic security (unconditional security) in the regime of high tag to noise ratio, since the equivocation approaches zero when this ratio increases. The main objective of this work is to fulfil this gap. The contributions of this work are threefold.
• We employ sequences generated by unidimensional chaotic maps as authentication tags for PLA systems.
• We proof that the proposed scheme provides informationtheoretic security even in the noiseless channel. This is due to the imposed structure on the chaotic orbits by suitably skipping the first points. So, the scheme provides some finite positive unconditional security (depending on the skipping factor) in noiseless channels. As a consequence, there is a drastic information loss of the initial values as the chaotic map iterates to higher orbits points and this is used to hide the secret key from the generated tags.
• We calculate a lower bound on the probability of success of two active attacks establishing a trade-off between the robustness against these attacks and the tag to noise ratio.
The rest of this paper is organized as follows. Section II introduces the considered PLA scenario. The chaotic tag generation process is presented in Section III and the unconditional security of the proposed system is analyzed in Section IV. In section V the probability of success of two security attacks, substitution and impersonation, is analyzed. Concluding remarks are provided in Section VI.

II. THE SCENARIO
We consider a classical scenario where three users share a common insecure channel. Alice and Bob are the legitimate users, meaning that they employ the proposed authentication protocol and share a secret key. Alice sends messages with their respective tags to Bob through a noisy channel. One method to send the tag to the receiver consists in allocating different power to the message and to the tag, summing them up and then sending it as a single transmitted packet [2]. Bob decides to accept or reject them based on the identification of legitimate tags. The tag extraction process is based on a binary hypothesis test [2]. Eve is a malicious user that knows the details of the authentication scheme, except the secret key. She is considered an active adversary being able to eavesdrop the messages sent by Alice and to send malicious packets to Bob.
A typical method to check the authenticity of a message consists in adopting a function g(·) with two inputs, the secret key k and the message s, and one output, the tag t = g(s, k). Bob is capable of generating the same tag as Alice (as long as he recovers the transmitted message), since he knows the secret key. We assume that the message is successfully recovered by Bob and Eve. Bob recovers the message and verifies if the locally generated tag matches the received one. Moreover, the information Eve has about the tag, comes from the noisy observation of the tag. We consider that k and s are binary vectors of length K and t is a vector of length L, with L < K .

III. CHAOTIC TAG GENERATION
The tag generation proposed in this work is based on chaotic maps. A unidimensional chaotic map is characterized by a dynamical system obtained by the iteration of a suitable VOLUME 11, 2023 noninvertible and nonlinear function f : A → A such that [22] x where x[0] is an initial condition and A is a finite interval over the real numbers. The time series ). The tags are segments of orbits generated by a chaotic map. Due to the sensitivity to the initial conditions of chaotic maps, arbitrarily close initial conditions generate diverging orbits. We take advantage of this feature by using the message and the secret key to determine the initial condition x[0], and from it generate the tag.
The set of all possible real-valued initial conditions is . This set is known by all users. Analogously, the set of all possible m-th iterations is X m be a one to one mapping between all binary sequences of length K and the elements of X 0 . Thus, the initial condition x[0] is written as where ⊕ is the modulo-2 addition. We consider that the key k is a uniform random variable, so the initial condition As the iteration in (1) evolves, the information about the initial condition that originated the orbit decreases [25]. This is due to two phenomena inherent to chaotic maps, stretching and folding [22], that produce an uncertainty on the region of the initial condition that generates an orbit. These limit the maximum amount of information about the initial condition, and hence about the key, that Eve acquires when she observes the tag. Thus, instead of creating a tag with the first L points of the orbit, the proposed system skips the first σ points, where σ is the skip parameter. Thus, the tag is generated from x[0] as a finite orbit of length L after a skip of σ points, thus ). It will be shown in the next section that the skip parameter σ characterizes the unconditional security of the system.

IV. UNCONDITIONAL SECURITY
The conditional entropy of the key given a noiseless observation of a message and its tag H (k|s, t) is used to quantify the unconditional security of the authentication system [26]. This quantity is called the key equivocation, which measures in a statistical way how near the average pair of message and tag is to a unique solution to the key; that is, how uncertain the adversary is of the employed key after intercepting a pair of message and tag, and so, it is measured in bits. A concept that is revisited in Section V for noisy tags.
Firstly, we consider H (x[0], k|s, t) and using the chain rule for entropies [27], it can be written as It follows from (4) and (5) that Since M (·) in (2) (6) that Analogously, we now consider H (x[0], s|t) As s and k are binary sequences of the same length and the distribution of probability of k is uniform, then H (k) ≥ H (s).
In the light of (2), this implies that for any pair x[0] and s there is one key k ′ , such that, gives no information about s. As s is independent of x[0] and t. Thus, , which associated to (7) allows to derive the following equality Given that x[σ ] is known, the knowledge of any x[i], for i > σ , gives no additional information about the initial condition. Thus, (10) can be rewritten as The tag is generated by a non-invertible function f (x) meaning that f −1 (x) maps one point to multiple points. Therefore, an exponential number of initial conditions is mapped in each possible x[σ ], from which the tag is generated. In order to formalize this idea, we define the set of i-th preimage of a point y under f (·) as S i (y) = {x|f i (x) = y}. Without lost of essential generality, we restrict our analysis to maps with constant binary preimages, that is, |S i (y)| = 2 i , i ≥ 0, for all y belonging to the image of f (·), except for a finite set of points. Several maps satisfy this property, such as the tent map [22], the logistic map [22], the tanh map [28]. As a consequence of this property, there are 2 σ distinct initial conditions that generates the same x[σ ], whose possible values form a set X σ of size 2 K −σ with equiprobable values, since the set of initial conditions has a uniform distribution. 1 Let X i 0 and X j σ be two specific values (indexed by i and j) of X 0 and X σ , respectively. The conditional probability 1 It follows from the analysis that σ < K , since the number of possible initial conditions is 2 K . If σ ≥ K , the same x[σ ] is generated from all initial conditions, and so there is a unique tag.

The conditional entropy H (x[0]|x[σ ]) is determined from (12) as follows
It follows from (13) and (11) that H (k|s, t) = σ . Thus, a positive unconditional security is provided by chaotic generated tags.

V. SECURITY ATTACKS
In this section, following a similar approach to [29], the probability of success of two security attacks to the authentication system is analyzed: substitution and impersonation. The necessary link between hypothesis testing and information theory used to determine lower bounds on substitution and impersonation attacks is found in [29], and [30].

A. SECURITY MECHANISMS AGAINST SUBSTITUTION ATTACKS
In this attack, Eve tries to insert legitimate pairs of message and tag on the channel. Assuming that Eve is able to correctly recover the message, she intercepts a pair (s, t), where t denotes a noisy version of the tag t = g(s, k). Based on the knowledge obtained with (s, t), Eve estimates the secrete key used to generate the tag and can send fraudulent pairs (s ′ , t ′ ), where t ′ is an estimated tag for s ′ . Let P S be probability that a substitution attack is successful, and it is the Eve's probability of guessing the correct key given the pair (s, t).
The security against substitution attacks depends on the difficulty Eve has in estimating the initial condition x[0] that originated the tag, as shown in Section IV. We identify two security mechanisms to decrease the information about x[0]. The first one comes from the noisy observation of the tag, t = t + w, where w is the additive white Gaussian noise. Secondly, as explained in Section III, after the skip of the first σ points of the orbit, Eve observes Using the lower bound on the probability distribution developed in [29, Section VI], we express P S as Substituting the noisy version of (10) into (15) gives Thus, a lower bound on P S depends on how much information Eve has about the initial condition given a noisy observation of the tag. We show in the Appendix A the following relation Therefore If the channel is noiseless, then H (x[σ ]| t) = 0. The tag generation method proposed in this work provides a lower bound on the conditional entropy H (x[0]| t) ≥ σ , with equality for the noiseless channel. It should be observed that in the method proposed in [2] and [4] there is no positive lower bound on H (x[0]| t) and the key is revealed when the tags are observed in a noiseless channel.

B. SECURITY MECHANISMS AGAINST IMPERSONATION ATTACKS
In this attack, Eve observes a pair (s, t), t = g(s, k), and creates a different pair (s ′ , t) that is accepted as legitimate.
In other words, Eve is successful if she is capable of finding an illegitimate message s ′ different from s that generates the same tag, that is, t = g(s ′ , k). The probability that an impersonation attack is successful is denoted by P I . Hypothesis testing is the adequate tool to deal with this scenario.  (20) where p t,k|s=S ( T, K) ≜ p t,k|S ( T, K) is the joint probability density function of the noisy tag and the key given the message, p t|S ( T) follow similarly, and P(K|S) is a conditional probability. The relative entropy is defined in [27] as where I ( t; k|s) is the conditional mutual information between the noisy version of the tag and the secret key given the message. It is expressed in terms of the system parameters as (22) where H (k|s) = H (k) = K follows from the random choice of the key, and H (k|s, t) = σ + H (x[σ ]| t) follows from the analysis in the previous subsection. It should be observed that β corresponds to the Eve's cheating probability for an impersonation attack, then The worst scenery to Eve is a noiseless transmission, as opposed to the substitution attack. In this scenario, H (x[σ ]| t) = 0, and thus P I ≥ 2 σ −K , which corresponds to the inverse of the number of tags. This means that for equally likely x[σ ], the best Eve can do is a random choice of a tag. We now analyze the asymptotic behavior of P I on a very noisy channel. The Shannon capacity of a Gaussian channel with power constraint P and noise variance is given by [27] where I ( t; t) is the mutual information between t and t and E[x 2 [n]] is the second moment of x[n] (the n-th tag sample).
Since t and s are independent random variables when k is unknown, see (2), then the mutual information of the noisy tag and key given the message is Thus, if P/ → 0 in (24) then I ( t; k|s) → 0, and from (20) it follows that β = 1.

C. SECURITY TRADE-OFF BETWEEN IMPERSONATION AND SUBSTITUTION ATTACKS
In order to illustrate the lower bounds on P S and P I given by (18) and (23), respectively, for a chaotic tag generation process and the uncertainty due to the Gaussian noise. The tent map [22] with domain A = [−1, 1] is used to generate the tag. This map is shown in Figure 1, and is defined as To illustrate the uncertainty relative to initial conditions of a chaotic map, as described in Section IV, we used the tent map to generate orbits, from two different initial conditions, that merge after eight iterations. These orbits are shown in Figure 2. It is possible to visualize that if a tag, defined in (3), is generated starting from the 8th iteration (σ = 8), then both initial conditions are possible, showing the existence of an uncertainty. The tag to noise ratio (TNR) is defined as where E[x 2 [n]] is obtained from the uniform invariant distribution of the tent map and is equal to 1/3. The simulations employing the chaotic tags use the parameters K = 24, σ = 8, and L = 16. The derivation of an expression for H (x[σ ]| t) used in (18) and (23) is presented in Appendix B. A Monte Carlo integration is used to calculate the integral in the expression of H (x[σ ]| t) in (33). For that, a random sample of size 2 L over the tent map domain is performed to generate the X σ set. After that, each X σ ∈ X σ is applied in (3) to generate a different tag of length L. Then, the Gaussian mixture distribution p GM ( T) is obtained from a weighted sum of 2 L multivariate Gaussians of dimension L, where each It should be noticed that dependence of H (x[σ ]| t) in (33) with is explicit, however, the numerator of TNR in (26) is fixed for a given chaotic map. So, we can evaluate (33) as a function of TNR. Figure 3 shows the lower bounds on P S and P I versus the TNR. For low TNR (say less than -10 dB) P I tends to 1 while for high TNR (say greater than 20 dB) it tends to 2 σ −K . The P S curve tends to 2 −K for low TNR and converges to 2 −σ for high TNR. These limits are in agreement with the analysis conducted in Subsections V-A and V-B. From the exponents of (18) and (23), we conclude that the crossover point occurs when H (x[σ ]| t) = (K − 2σ )/2. This is satisfied for TNR ≃ 6.12 dB. An extra security against substitution (resp. impersonation) attacks is observed for low (resp. high) TNR.
If the adversary can choose between a substitution and an impersonation attack, the probability of a successful attack P Success is defined as follows [29] P Success = max(P S , P I ) ≥ max(2 −H (k|s, t) , 2 −K +H (k|s, t) ).
A comparison is made, over the same Gaussian channel, between the lower bounds of P Success for our chaotic tag system (with the tent map) and the classical tag generation methods that use tags and secret keys [1], [2], [3], [4], [7], [8], [9], [11], [12], [13]. In the classical case, binary tags are obtained from k and s (where k is available only to the legitimate users and s is a signal that can be recovered without errors by any user, including an adversary) using a hash function. Thus, Eve can determine the conditional probability distribution over the tag space by using the bit-error probability of each tag bit. Thereafter, this probability distribution is used to calculate the key equivocation of the system (for more details about this calculation refer to Subsection 3.1 of [1]). Since this system has the restriction K ≤ L,  we conducted a Monte Carlo simulation with the parameters K = L = 24. The comparison on the lower bounds of P Success is shown in Figure 4. For low TNR, both systems have similar behavior (P Success is equal to P I , which tends to 1). In this scenario, the legitimate users are unable to distinguish between legitimate and fraudulent tags. The proposed system behaves a little worse in the approximate TNR range of −5 dB to 3 dB, but with a better tradeoff for all TNR values greater than 3 dB. For high TNR, the key equivocation of systems based on hash functions tends to zero (since the classical tag generation system does not have a positive lower bound for key equivocation), H (k|s, t) ≃ 0, and we conclude from (27) that P Success tends to 1, while for a chaotic tag, P Success tends to P S = 2 −σ .

D. KEY EQUIVOCATION
We now conduct a comparison of the key equivocation (17) over the same Gaussian channel between the chaotic tag system (with the tent map) and the classical tag generation method [1], [2], [3], [4], [7], [8], [9], [11], [12], [13] to show the advantage of the proposed approach. The key equivocation versus TNR for the two systems is shown in Figure 5. The  equivocation in both cases starts at K = 24 for low TNR, and decreases as the TNR increases. Since the classical tag generation system does not have a positive lower bound for key equivocation, it approaches zero quickly with increasing TNR. As expected, the key equivocation of the proposed system agrees with the bounds presented in (19), ensuring that it never reaches zero because of the lower bound σ = 8. Take note of the more sharper fall in key equivocation when utilizing hash tags, ranging approximately from K to zero. In contrast, chaotic tags exhibit a range from around K to 2 −σ over a similar TNR interval. This distinction can be explained by the expressions for P S and P I in (18) and (23), respectively. The crossing of the P S and P I curves takes place at a lower TNR value in the case of the hash tag, compared to the chaotic tag method. Subsequent to the crossing, P S becomes the dominant factor in determining the success threshold of an attack, reaching a value of one in the hash tag method and 2 −σ in the chaotic tag method. This process is visually depicted in Figure 4. VOLUME 11, 2023

VI. CONCLUSION
A novel method to generate PLA tags based on chaotic maps is proposed in this work. The method has a lower bound on the information leaked about the secret key even in a noiseless channel and admits considerable control of the security levels for different attacks by choosing the appropriate parameters σ (skip) and K (length of the secret key). The availability of circuits that implement the dynamics of chaotic maps [31] contributes to the relevance of the proposed method. The results in Figures 3-5 are illustrated for the tent map. We considered other maps as well and noticed that the overall behavior of the curves is unchangeable. An interesting future research is to analyze the impact of different hardware implementations of chaotic maps on the PLA performance.

APPENDIX B DERIVATION OF H (x [σ ]| t)
The conditional entropy of mixed random variables is Applying the Bayes' law for the conditional probability in (29) for x[σ ] uniformly distributed, P(X σ ) = 2 −(K −σ ) , ∀ X σ ∈ X σ , then and (29) becomes then the right-hand side of (31) is split into two parts As described in Section V-A, the tag is transmitted over an additive white Gaussian noise channel, thus for a fixed value of x[σ ], p t|X σ ( T) is a multivariate Gaussian distribution of dimension L, with mean given by (3) and diagonal covariance matrix with all entries equal to , where is the variance of the noise. The determinant of the diagonal covariance matrix is L , Thus, the closed form of the differential entropy for a Gaussian distribution [27] replaces the first term on the right-hand side of (32), and let p GM ( T) = 1 2 K −σ X σ p t|X σ ( T) be a Gaussian mixture distribution generated by the composition of normal distributions with the same covariance matrix and distinct means. Then