1
Foundations of Physical-Layer Security for 6G*

Matthieu Bloch

School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, GA, USA

Wireless connectivity has become a cornerstone of our modern societies, driving innovation and supporting an ever-growing range of services. With the increasingly sensitive nature of information transmitted over wireless networks, privacy and secrecy mechanisms have naturally become an integral part of new protocols and standards. While identified weaknesses of previous generation wireless protocols are typically addressed with the rollout of the next generation, challenges constantly emerge that must be proactively addressed. For instance, while 5G systems have addressed some of the security weaknesses identified in 4G systems, the attack surface of 5G networks has increased because of the heterogeneity of devices and the larger number of use cases [48], as exemplified by the growth of machine-to-machine communications [19]. Consequently, security has yet again already been identified as one of the main challenges that 6G networks must address [72].

Several security solutions have been considered to provide full-stack security, including lightweight cryptography for Internet of Things (IoT) devices [61], the use of post-quantum cryptography [3, 72], and physical-layer security (PLS) [11, 45], which has again re-emerged as a possible technology [32, 38, 49, 66, 74]. The key concept behind PLS is to exploit the random imperfections inherent to wireless channels and devices (noise, interference) to provide, e.g., secrecy or authentication, using physical-layer signal processing and coding algorithms [11, 56, 68]. While PLS may certainly not solve all 6G security challenges in isolation, its main benefits are (i) to provide a concrete framework in which security can be quantified, e.g., through the notion of secrecy capacity [68]; (ii) to treat security on par with other system-level metrics, such as power consumption, throughput, and latency, at the design stage; (iii) to reduce the attack surface at the physical layer by making eavesdropping extremely costly, if not ineffective; and (iv) to seamlessly integrate with security mechanisms in the upper layers of the protocol stack. In particular, ensuring confidentiality for ultralow-latency communications is a known challenge [1, 54] that PLS could help tackle [15, 58].

PLS was already discussed in the context of 5G networks [35, 66], and one should recognize that, with the exception of niche applications and use cases [73], PLS has not had much impact on deployed systems. This state of affairs can be attributed to a multitude of factors, both technological and conceptual, ranging from scientific challenges related to the foundation of PLS itself (e.g., how do we characterize and learn a passive eavesdropper’s channel?) to technological hurdles (e.g., how do we justify integrating new codes at the physical layer of a standard?). Nevertheless, 6G promises new unique features that may finally offer the opportunity to push PLS into widely deployed systems [16, 45]. In particular, the integration of sensing and communication, especially as it relates to enhancing the localization of devices, and the push toward higher frequencies in the mmWave region are offering new avenues to strengthen the case of PLS.

The objective of this chapter is twofold. First, we will review the seminal coding ideas behind PLS, which have been refined over the last two decades to provide a strong basis for discussing secrecy in a principled manner. Second, we will discuss how these principles may be used in the more specific context of 6G systems, with an eye toward engineering channels, developing dedicated hardware, and exploiting channel knowledge for security. Given the breadth of literature on the topic, this chapter does not do justice to many creative ideas, in particular those involving PLS in the context of networks of many devices for which the reader is referred to tutorial articles [46, 51, 66, 71]. The focus of the chapter is on point-to-point links, for they still capture the essence of the challenges that remain to address and the opportunities that have emerged and might represent the realistic use cases for which PLS could be deployed at scale.

1.1 Coding Mechanisms

The appeal of (PLS) can be largely attributed to the early work of Wyner [68], Csiszár and Körner [21], Ahlswede and Csiszár [2], and Maurer [43], that first established and analyzed the notion of secrecy capacity and secret-key capacity. We defer to Section 1.2 for exact definitions, suffice to say for now that these definitions are the counterparts of the traditional notion of channel capacity and that they quantify the maximum rate of information that can be transmitted or extracted reliably and confidentially over a channel that includes an eavesdropping adversary. While secrecy capacity and secret-key capacity therefore provide system-level metrics that can be optimized as a function of channel parameters to understand how much secrecy can be achieved in a network, the ability to operationalize them is fundamentally tied to the ability to design specific coding schemes to extract or encode information in signal. Said differently, in the same way that the notion of channel capacity is useful because good error-control codes exist, secrecy and secret-key capacity are useful because good secrecy codes exist. The objective of this section is to introduce four coding operations that shall enable PLS by providing operational meaning to what it means to enforce secrecy in Section 1.2.

1.1.1 Channel Coding

The problem of channel coding is illustrated in Figure 1.1. The objective consists in transmitting a uniformly distributed messages over uses of a discrete memoryless channel with known transition probability by encoding the message into a coded sequence . The set of coded sequences is called the codebook while is called the blocklength of the code. Upon receiving the corrupted signal , the receiver attempts construct a correct estimate of using its knowledge of the channel and the code. The performance of channel coding may be measured in terms of the rate of transmission and the probability of decoding error .

The seminal result established by Shannon [55] is that, asymptotically, reliable communication is possible as long as the rate does not exceed a channel-dependent quantity called the channel capacity. We state this result more formally as follows.

Theorem 1.1 Given a discrete memoryless channel with known transition probability , a distribution and any , there exists a blocklength and an encoder/decoder pair such that and where is the mutual information between the random variables and with joint distribution . The quantity is called the channel capacity since no higher such constant can be found.

Specific instances of such codes can be designed using low-density parity-check codes [24, 33, 34] or polar codes [4].

Figure 1.1 Channel coding over a discrete memoryless channel.

1.1.2 Soft Covering

The operation of channel coding can be interpreted as introducing structure in coded sequences that is resilient to the corruption of the noisy channel. A lesser known coding operation over channels consists in introducing structure in coded sequences that disappear when corrupted by noise. Formally, this coding operation called soft covering is illustrated in Figure 1.2. Consider a random variable with distribution transmitted over a discrete memoryless channel with known transition probability . The output of the channel is a new random variable with distribution obtained by taking the marginal of . Instead of transmitting the random variable , one can instead ask whether one can approximately simulate transmissions of the random variable using instead a uniformly distributed message encoded into sequences of length . The intuition is that -coded sequences might be sufficient to approximately cover all possible realizations of i.i.d. realizations of the random variable . The performance of soft covering may be measured in terms of the rate of transmission and the relative entropy , where is the distribution induced by the random choice of coded sequences while is the -fold product distribution of .

The fundamental result of soft covering, first identified by Wyner [67] but studied and refined later on by others [22, 26, 29, 30, 65], is that and are virtually indistinguishable as long as the rate does not fall below a quantity called the channel resolvability. We state this result more formally below.

Theorem 1.2 Given a discrete memoryless channel with known transition probability , a distribution , and any , there exists a blocklength and an encoder such that and , where is the mutual information between the random variables and with joint distribution . The quantity is called the channel...