Attacks on Fully Random 64QAM Sounding Signal in IEEE 802.11-20/0964r0

Attacks to Fully Random 64QAM Sounding Signal
doc.: IEEE 802.11-20/0964r0
Date: 2020-05-29
Authors: Feng Jiang, Qinghua Li, Xiaogang Chen, Robert Stacey (Intel, 3600 Juliette Ln, Santa Clara, CA 95054)
Contact: qinghua.li@intel.com, xiaogang.c.chen@intel.com, robert.stacey@intel.com
Slide 1
May 2020
Jiang and Li, Intel
11az LB249 CID 3911
CID: 3911
Page/Line: 153.00
Clause: 11.22.6.4.6
Comment: The Secure LTF mechanism for TB and NTB ranging needs to be improved. A submission will be provided.
Proposed resolution: As in comment.
Slide 2
Background
In a previous presentation we demonstrated that the fully random QPSK LTF is vulnerable to a Viterbi equalizer attacker [1].
The contribution [6] proposed a fully random 64QAM LTF for secure ranging. The main reason given is the prohibitive attack complexity.
In this submission, we present an attack method with an implementable complexity, which employs sphere decoding (SD) and successive interference cancellation (SIC) to efficiently decode the fully random 64QAM LTF.
Slide 3
Observation Window
The attacker observes the beginning portion of the sounding signal and detects the phases of the sinusoids for generating shifted attack signals.
[Figure: the symbol duration split into an observation window followed by an attack window]
Slide 4
Windowed FFT (1/2)
A time-domain window is applied to weight the input signal, and then an FFT is performed on the weighted signal.
Slide 5
Windowed FFT (2/2)
The longer the window in time, the fewer the significant taps in frequency.
Slide 6
Windowing in Time, ICI in Frequency
The time-domain windowing introduces inter-carrier interference (ICI) in the frequency domain.
Slide 7
Signal Model
The windowed observation is an ISI channel in the frequency domain.
Conventional equalization methods such as the Viterbi equalizer can be applied.
A decision-feedback equalizer will be evaluated in this work.
[Figure: taps of the equivalent ISI channel along the frequency axis]
Slide 8
Principle
― Sequential Vector Detection and SIC
Starting from the band edge, detect QAM symbols jointly within a sliding window.
Remove the detected signal and move the sliding window toward the band center recursively.
[Figure: a sliding window over the tones along the frequency axis, modeled as a MIMO channel with 4 streams]
Slide 9
Sphere Decoding
Sphere decoding is a well-developed algorithm for vector detection.
It is popularly implemented in cellular and WiFi devices for the MIMO receiver.
Sphere decoding solves the following integer least-squares problem with polynomial complexity [2, 3]:
$\min_{\mathbf{x}} \|\mathbf{y} - \mathbf{H}\mathbf{x}\|^2$
where the signal model is $\mathbf{y} = \mathbf{H}\mathbf{x} + \mathbf{n}$, with observed signal $\mathbf{y}$, unknown vector $\mathbf{x}$, observation noise $\mathbf{n}$ and generation matrix $\mathbf{H}$.
Slide 10
Sphere Decoding (Cont'd)
With the generation matrix brought to upper-triangular form $\mathbf{R}$ ($r_{i,j} = 0$ for $i > j$), the cost $\|\mathbf{y} - \mathbf{R}\mathbf{x}\|^2$ is accumulated layer by layer: the term that depends on $x_4$ alone (through $r_{4,4}$) comes first, then the term in $x_3$ and $x_4$, and so on down to $x_1$.
Calculate the distance from the received signal point to each constellation point within a chosen radius.
Declare the constellation point with the shortest distance as the solution.
[Figure: received point y with a search radius r over the candidate constellation points 00, 01, 10, 11 for the layer x_4]
Slide 11
Recursive Detection and Cancellation
The attacker observes part of the time-domain random LTF symbol and transforms it to the frequency domain.
The frequency-domain signal is the circular convolution of the frequency-domain window function and the constellation symbol on each tone.
Assuming the attacker decodes the constellation symbols starting from the edge tone, an equivalent MIMO channel can be built.
The attacker can then sequentially apply sphere decoding and successive interference cancellation (SIC) in the frequency domain to decode the symbol on each tone.
Slide 12
An Attacker Example
20 MHz bandwidth, 64QAM random LTF
30 dB SNR and 2x oversampling
The attacker observes the symbol and weights the time-domain samples with a Hamming window
The windowed signal is transformed into the frequency domain, giving the signal yF used on the next slide
Slide 13
Sphere Decoding with Sliding Window
Assuming the attacker uses a 4x4 sphere decoder, the equivalent MIMO channel is built from the spectrum Hm(.) of the Hamming window as
H = [Hm(255)  0        0        0
     Hm(256)  Hm(255)  0        0
     Hm(1)    Hm(256)  Hm(255)  0
     Hm(2)    Hm(1)    Hm(256)  Hm(255)]
The corresponding observation signal is
y = [yF(194) yF(195) yF(196) yF(197)]^T
The unknown vector is
x = [LTF(68) LTF(69) LTF(70) LTF(71)]^T
Slide 14
Successive Interference Cancellation and Decoding
After the attacker decodes the symbol LTF(68), its interference on the adjacent tones is cancelled and a second 4x4 sphere decoder is built.
The observation signal is
y = [yF,IC(195) yF,IC(196) yF,IC(197) yF,IC(198)]^T
with
yF,IC(195) = yF(195) - Hm(256)*LTF(68)
yF,IC(196) = yF(196) - Hm(1)*LTF(68)
yF,IC(197) = yF(197) - Hm(2)*LTF(68)
yF,IC(198) = yF(198) - Hm(3)*LTF(68)
The unknown vector is
x = [LTF(69) LTF(70) LTF(71) LTF(72)]^T
After solving the second sphere decoding problem, the symbol LTF(69) is decoded.
This sequential interference cancellation and decoding procedure is applied iteratively until all the symbols are decoded.
Slide 15
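The signal model behind slides 5 to 7 and 12 (a truncated, windowed observation of the symbol is the circular convolution of the tone values with the window spectrum) and the cancellation step on slide 15, as an added example that is not part of the Intel submission. It assumes a scaled-down 64-tone symbol without oversampling and a constructed random 64QAM sequence; the names dft, observe, circular_model, significant_taps and cancel_tone are this example's own. It shows why hiding the tail of the symbol does not hide the tone values: each observed tone is a short, known mixture of its neighbours, and the mixture shrinks as more of the symbol is observed.

```python
import cmath
import math
import random

N = 64  # assumption: a 64-tone symbol without oversampling (the deck uses 256 with 2x)

def dft(seq, sign=-1):
    """Direct N-point DFT (O(N^2), fine for N=64); sign=+1 is the inverse without 1/N."""
    n = len(seq)
    return [sum(v * cmath.exp(sign * 2j * math.pi * k * i / n) for i, v in enumerate(seq))
            for k in range(n)]

def hamming_truncated(L, n=N):
    """Periodic Hamming window over the first L samples, zero elsewhere (L/N of the symbol seen)."""
    return [0.54 - 0.46 * math.cos(2 * math.pi * i / L) if i < L else 0.0 for i in range(n)]

def random_64qam(seed, n=N):
    """Constructed 64QAM tone values, one per tone (I and Q levels -7..7 in steps of 2)."""
    rng = random.Random(seed)
    levels = [-7, -5, -3, -1, 1, 3, 5, 7]
    return [complex(rng.choice(levels), rng.choice(levels)) for _ in range(n)]

def observe(X, L):
    """Frequency-domain view of the windowed partial observation: Y = FFT(w * x)."""
    x = [v / N for v in dft(X, sign=+1)]  # time-domain OFDM symbol carrying the tones X
    w = hamming_truncated(L)
    return dft([w[i] * x[i] for i in range(N)])

def circular_model(X, L):
    """Slide 12's model: Y[k] = (1/N) * sum_m X[m] * W[(k - m) mod N], W = DFT of the window."""
    W = dft(hamming_truncated(L))
    return [sum(X[m] * W[(k - m) % N] for m in range(N)) / N for k in range(N)]

def model_error(X, L):
    """Largest |difference| between the direct FFT and the convolution model (should be ~0)."""
    return max(abs(a - b) for a, b in zip(observe(X, L), circular_model(X, L)))

def significant_taps(L, rel=0.05):
    """Window-spectrum taps above rel * peak: how many neighbouring tones leak into each tone."""
    W = dft(hamming_truncated(L))
    peak = max(abs(v) for v in W)
    return sum(1 for v in W if abs(v) > rel * peak)

def cancel_tone(Y, L, m, Xm):
    """Slide 15's cancellation step: subtract tone m's known value Xm from every observation."""
    W = dft(hamming_truncated(L))
    return [Y[k] - Xm * W[(k - m) % N] / N for k in range(N)]

def residual_after_full_cancellation(X, L):
    """Cancel every tone with its true value; the observation should collapse to ~0."""
    Y = observe(X, L)
    for m, Xm in enumerate(X):
        Y = cancel_tone(Y, L, m, Xm)
    return max(abs(v) for v in Y)

if __name__ == "__main__":
    X = random_64qam(seed=1)
    for L in (16, 32, 48, 64):
        print(f"L={L}/{N}: {significant_taps(L)} ICI taps, model error {model_error(X, L):.1e}")
```

With the full symbol observed (L = N) only three taps remain, the Hamming window's own DC and first harmonic; with three quarters observed each tone is a mixture of five neighbours, which is the banded channel a 4x4 sliding-window detector exploits.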
Complexity Analysis
Sphere decoding is a tree search algorithm, which can be parallelized.
As shown in [4], the number of FLOPS required for solving a single 4x4 sphere decoder with 64QAM modulation can be as low as the order of 10^3.
For the 20 MHz bandwidth, the LTF sequence includes 122 data symbols, and the complexity of sequentially solving the 4x4 sphere decoder 122 times is of the order of 10^5, which is 100 times less than the 10^7 in [7].
In a recent paper [5], with the assistance of a 3-layer deep learning network the complexity of the sphere decoder can be significantly reduced compared with the legacy
Slide 16
Simulation Settings
20 MHz bandwidth, 2x LTF
Single-antenna Tx and Rx
AWGN channel between attacker and sounding transmitter with 30 or 45 dB SNR
3/4 or 11/16 of the LTF symbol is observed by the attacker
The attacker oversamples the time-domain LTF by 2 and applies the window
Hamming, Hann and Blackman windows are evaluated
The CDF of the cross-correlation between the full-length LTF and the decoded LTF is plotted
For comparison, the CDF of the cross-correlation between the LTF in the attack window and the decoded signal in the attack window is also plotted
Slide 17
Simulation Results (1)
3/4 LTF observation and Hamming window
50% success rate
Slide 18
Simulation Results (2)
3/4 LTF observation and Hamming window
25% success rate
Slide 19
Simulation Results (3)
11/16 LTF observation and Hann window
25% success rate
Slide 20
Simulation Results (4)
11/16 LTF observation and Hann window
20% success rate
Slide 21
Simulation Results (5)
3/4 LTF observation and Hamming window
Slide 22
Simulation Results (6)
3/4 LTF observation and Hamming window
Slide 23
Simulation Results (7)
3/4 LTF observation and Blackman window
34% success rate
Slide 24
Simulation Results (8)
3/4 LTF observation and Blackman window
31% success rate
Slide 25
Conclusions
Our results show that the fully random 64QAM signal is not secure enough against attacks.
Using a larger sphere decoder, e.g. 6x6 or 8x8, the attacker can improve the attack performance, e.g. succeed with smaller observation windows and at lower SNR.
Window functions other than the evaluated ones may also improve attack performance.
Slide 26
On Attack Window Size
Discussions in [6] assume a constraint that the fake path is within a certain level, e.g. 10 dB, below the main true path.
This is impractical:
The true paths may not even be received by the intended receiver.
The attacker can pick up the weak sounding signal with directional antennas and then send the attack signal to the intended receiver.
Slide 27
Example of Self-Interference
SNR -6 dB, BW 160 MHz, attack window 1/5
AWGN-like sounding signal
A matched filter is used as the channel estimator
[Figure: channel estimates with and without the attack, annotated as showing a similar SINR level]
Slide 28
Remarks
The detection of the SINR degradation due to a small attack window may not be reliable.
It is hard to standardize attack detection, which usually depends on the receiver implementation.
The overall ranging security relies on both of the ranging parties instead of one, where one party does not have full control of the other.
It is desirable to have a secure ranging scheme that minimizes the requirement for attack detection.
Slide 29
Reference
[1] Q. Li, F. Jiang, X. Chen, and R. Stacey, "Attacks to Fully Random QPSK Sounding Signal," doc: IEEE 802.11-20-0710r1.
[2] U. Fincke and M. Pohst, "Improved methods for calculating vectors of short length in a lattice, including a complexity analysis," Mathematics of Computation, vol. 44, no. 170, pp. 463-471, April 1985.
[3] T. Kailath, H. Vikalo, and B. Hassibi, "MIMO receive algorithms," in Space-Time Wireless Systems: From Array Processing to MIMO Communications, pp. 302-321. Cambridge: Cambridge University Press, 2006.
[4] A. M. Chan and I. Lee, "A New Reduced-Complexity Sphere Decoder For Multiple Antenna Systems," IEEE International Conference on Communications, pp. 460-464, May 2002.
[5] M. Mohammadkarimi, M. Mehrabi, M. Ardakani, and Y. Jing, "Deep Learning-Based Sphere Decoding," IEEE Transactions on Wireless Communications, vol. 18, no. 9, pp. 4368-4378, Sept. 2019.
[6] B. Tian et al., "11az Secure LTE Design," doc: IEEE 802.11-20-0836r0.
[7] J. Dogan et al., "Computational Attacks on 11az PHY Secure Ranging," doc: IEEE 802.11-19-0374r0.
Slide 30
Backup
Slide 31
