Robustness of physical layer security primitives against attacks on pseudorandom generators


1070 IEEE TRANSACTIONS ON COMMUNICATIONS, VOL. 62, NO. 3, MARCH 2014

Robustness of Physical Layer Security Primitives Against Attacks on Pseudorandom Generators

Rajaraman Vaidyanathaswami and Andrew Thangaraj

Abstract—Physical layer security protocols exploit inviolable physical laws at the signal level for providing guarantees on secrecy of communications. These protocols invariably involve randomized encoding at the transmitter, for which an ideal random number generator is typically assumed in the literature. In this work, we study the impact of using weak Pseudo Random Number Generators (PRNGs) in physical layer security protocols for coding and forward key distribution over Binary Symmetric and Gaussian wiretap channels. In the case of wiretap channel coding, we study fast correlation attacks that aim to retrieve the initial seed used in the PRNGs. Our results show that randomized coset encoding, which forms an important part of wiretap channel coding, provides useful robustness against fast correlation attacks. In the case of single-round or forward key distribution over a Gaussian wiretap channel, the bits from a PRNG are nonlinearly transformed to generate Gaussian-distributed pseudo random numbers at the transmitter. In such cases, we design modified versions of the fast correlation attacks accounting for the effects of the nonlinear transformation and soft input. We observe that, even for moderately high memory, the success probability of the modified fast correlation attacks becomes the same as that of a random guess in many cases.

Index Terms—Fast correlation, wiretap channel, key distribution protocols, physical layer security.

I. INTRODUCTION

The idea of using the physical layer communication model for security was introduced by Wyner in [1]. The basic scenario is this: two legitimate parties communicate a secret message, while an adversary listens on a noisy channel. Following [1], the wiretap channel model was studied in [2], [3], [4], [5], where coding and key agreement received attention. Recent research has led to the area of physical layer security summarized in [6]. A cryptographic flavor has been provided to security of wiretap encoding in [7].

Channel randomness plays a major role in physical layer security. Equally importantly, physical layer security protocols involve random choices of symbols from a finite symbol set. The wiretap encoding process critically depends on choosing from a coset in a uniformly random manner. Very often, literature on physical layer security assumes that an infinite source of perfect random numbers is available to the sender. However, in practice, any computational algorithm for generating a random stream is bound to be a Pseudo Random Number Generator (PRNG). There are very few random generators that are

Manuscript received April 15, 2013; revised October 16, 2013 and January 9, 2014. The editor coordinating the review of this paper and approving it for publication was A. Khisti.

The authors are with the Department of Electrical Engineering, Indian Institute of Technology, Madras, Chennai, India (e-mail: [email protected], [email protected]).

Digital Object Identifier 10.1109/TCOMM.2014.012514.130280

cryptographically robust, offering strong resistance to pattern analysis attacks. RFC 1750 (Randomness Recommendations for Security) of the Network Working Group suggests in its opening remarks that 'the use of pseudo-random processes to generate secret quantities can result in pseudo-security' [8].

Sometimes hardware-based random number generators are used in cryptography. These generators use physical phenomena to generate statistically random numbers. In general, they entail higher cost and need constant monitoring. Also, any hardware still remains susceptible to side channel attacks [9]. So, a possible approach for low-complexity environments is the use of a PRNG. In this paper, we assume this setting.

In this work, we study the effects of using PRNGs with a secret initial key in two physical layer security protocols: (1) coset coding with low-density parity-check (LDPC) codes over binary symmetric wiretap channels [10], and (2) key reconciliation over a Gaussian wiretap channel using LDPC codes [11]. Both protocols are backed by asymptotic information-theoretic guarantees of security under ideal assumptions. We choose simple PRNGs based on Linear Feedback Shift Registers (LFSRs) in our study, since they are well-studied and various attack models exist for them in the literature. The goal of these attacks is the recovery of the initial seed of the LFSRs in the PRNG. Once the seeds are known, the random part of the wiretap encoding is fully revealed, and this knowledge is exploited to attack the encoded message in wiretap encoding. For forward or single-round key distribution, the knowledge of the initial seeds by itself reveals the entire key.

For LFSR-based PRNGs, the main tool employed is the Fast Correlation Attack [12]. These attacks exploit linear recursions of the LFSR to find the initial random seed. Since physical layer protocols use coding schemes, the LFSR output is not observed directly. The attacker observes a noisy and coded version of the LFSR output. In such scenarios, we follow the approach of [13], [14] and employ soft estimation and decoding methods for noise removal. While we use LFSR-based PRNGs, the same approach and method can be used to exploit weaknesses in any PRNG.

To the best of our knowledge, ours is the first reported study on the effect of PRNGs in physical layer security in the context of wiretap encoding and key distribution. In this paper, we expand upon our earlier work of studying the effect of LFSR-based PRNGs on wiretap coset encoding [15]¹. A significant extension is the attack on key distribution protocols using soft-input versions of the fast correlation attacks.

The rest of the paper is organized as follows. In Section II, we consider attacks on wiretap coset encoding over binary symmetric wiretap channels. Section III describes a combined attack involving multistage decoding and fast correlation on a key exchange protocol over Gaussian wiretap channels. We conclude in Section IV with a brief mention of future directions of study.

¹ Part of this paper appeared in the Physical Layer Security Workshop in GLOBECOM 2011 [15].

0090-6778/14$31.00 © 2014 IEEE

Fig. 1. Wiretap channel model: Alice encodes the k-bit message m into the n-bit word x; Bob receives y through the main channel and outputs the estimate m̂; Eve receives z through the wiretapper channel.

II. CORRELATION ATTACKS ON WIRETAP ENCODING

The wiretap channel model, proposed in [1] and generalized in [3], is shown in Fig. 1 for the case when the input is binary. A legitimate transmitter named Alice intends to send a k-bit message m through a binary-input main channel to the legitimate receiver named Bob, while an eavesdropper Eve is listening in on a binary-input wiretapper channel. The goal of encoding from m to x is to achieve Pr(m̂ ≠ m) → 0 for Bob, while having z reveal no information about m to Eve. For more details on the information-theoretic characterization of secrecy and encoding methods, see [3], [6].

A. Coset Coding for Binary-input Wiretap Channels

Typically, wiretap channel encoders employ a randomized coset encoding scheme that works as follows. Let C′ be an (n, k′) linear binary code with k′ ≥ k. Let C be an (n, k′ − k) subcode of C′. Now, let G′ be a k′ × n generator matrix for C′ such that the first k′ − k rows of G′ form a generator matrix for the subcode C, which is denoted G. Thus, we have

$$ G' = \begin{bmatrix} G \\ G'' \end{bmatrix}, \qquad (1) $$

where G′′ is a k × n matrix that generates the vector-space complement of C in C′. The transmitted word x is formed as

$$ x = \begin{bmatrix} v & m \end{bmatrix} \begin{bmatrix} G \\ G'' \end{bmatrix} = vG + mG'', \qquad (2) $$

where m is the k-bit message and v is a (k′ − k)-bit uniformly random vector. The message m chooses a specific coset of C (as determined by G′′) inside C′, while the random vector v selects a uniformly random word from the chosen coset.

The design of the code C′ and the subcode C is such that the secrecy and reliability objectives can be met. In this work, we are not concerned about the design of C′ and C, but about the generation of the random vector v. So, we will suppose that a suitable G′ and G have been designed and are being used in the encoder. It is to be noted that the wiretap encoding-decoding process assumes that Eve has full a priori knowledge of the coding scheme and its parameters.

Fig. 2. LFSR equivalent model for pseudo-random generators: the outputs of LFSR 1, ..., LFSR m pass through a nonlinear combiner to produce v; for the attack, LFSR 1 is modelled as connected to v through a BSC with crossover probability δ (each bit is passed unchanged with probability 1 − δ and flipped with probability δ).

B. Model for random vector and fast correlation attacks

We will suppose that v is the output of a pseudo-random generator of bits. Specifically, for the purposes of attacks, we will suppose that the pseudo-random generator is based on Linear Feedback Shift Registers (LFSRs). Pseudo-random generators based on LFSRs have the important advantage of being easily implementable in hardware. In addition, they have been studied in detail for several years now, and new designs resistant to known attacks are continuing to be made [16], [17].

1) LFSR-based pseudo-random generators: A Linear Feedback Shift Register (LFSR) is described by its memory or length L and the tap locations. For generating a sequence, a length-L LFSR is initially (time 0) loaded with an L-bit initial state s = [s_0 s_1 ··· s_{L−1}], which is also called the initial seed or key. The set of length-n sequences generated by the LFSR forms an (n, L) linear code. For an initial seed s, the generated sequence can be written as sG_LFSR, where G_LFSR is an L × n binary generator matrix for the LFSR. The generator matrix G_LFSR is determined by the taps of the LFSR connections, and will play an important role in our study. For more details on the theory and applications of LFSR sequences, see [18].

In typical pseudo-random generators used in applications, multiple LFSR sequences will be combined as depicted in Fig. 2 using a non-linear Boolean function. In such pseudo-random generators, there still remains some correlation between an individual LFSR sequence and the final output sequence [19], [20]. This correlation is effectively modelled by a Binary Symmetric Channel (BSC) connecting the individual LFSR sequence and the output sequence, as shown in Fig. 2 [12], [21]. For well-designed pseudo-random generators, the transition probability of the BSC modelling the correlation could be 0.4 or higher [22]. Correlation attacks exploit this correlation to find the initial seed of an individual LFSR in the LFSR-based generator. Using a divide-and-conquer approach, the other LFSR seeds can be found in ensuing attacks [12].

In summary, a model for the random vector v takes the following form:

v = sG_LFSR + b, (3)

where each bit in the vector b = [b_1 b_2 ··· b_n] is i.i.d. with Pr{b_i = 1} = δ. We refer to this δ as the obfuscation probability for easy reference in the remainder of this paper.

2) Fast correlation attacks: Given the LFSR-based pseudo-random sequence v, as in (3), the goal of attacks is to find the unknown initial seed s. Correlation attacks were first proposed by Siegenthaler [23], and fast variants have since been developed by several authors. We will briefly describe the improved fast correlation attack suggested by Johansson and Jönsson [12].

The vector v is a noisy version of a codeword sG_LFSR of the code C = ⟨G_LFSR⟩ with generator matrix G_LFSR. The generator G_LFSR is an L × n matrix and can be reduced by elimination to a modified systematic form

$$ G_{\mathrm{LFSR}} = \begin{bmatrix} I_{B+1} & P_{B+1,\,n-B-1} \\ 0_{L-B-1,\,B+1} & Q_{L-B-1,\,n-B-1} \end{bmatrix}, \qquad (4) $$

where the matrices I_l and 0_{l,r} are the l × l identity matrix and the l × r all-zero matrix, respectively. The value B is a suitably chosen design parameter for controlling the complexity of the attack. Let g_{i,j} denote the (i, j)-th entry of G_LFSR. We seek in G_LFSR column pairs i and j such that the bits falling within Q are identical, but the bits in the (B + 1)-th position are different, i.e. g_{l,i} = g_{l,j} for B + 2 ≤ l ≤ L, and g_{B+1,i} ≠ g_{B+1,j}. Each such column pair i and j implies that the vector

$$ \mathbf{v} = [\,g_1\ \ g_2\ \cdots\ g_B\ \ 1\ \ 0\ \cdots\ 0\ \ 1_i\ \ 0\ \cdots\ 0\ \ 1_j\ \ 0\ \cdots\,], $$

where g_l = g_{l,i} ⊕ g_{l,j}, 1 ≤ l ≤ B, and 1_l denotes a 1 in position l, is such that G_LFSR 𝐯^T = 0. Therefore, we obtain a parity check equation satisfied by every codeword c = [c_1 c_2 ··· c_n] ∈ C:

$$ c\,\mathbf{v}^T = g_1 c_1 + g_2 c_2 + \cdots + g_B c_B + c_{B+1} + c_i + c_j = 0. \qquad (5) $$

Since C is a code composed of LFSR sequences, (5) holds for all shifts of the code word [c_1 c_2 ··· c_n].

If the attacker can find μ parity equations such as (5) with corresponding matching column pairs (i_1, j_1), (i_2, j_2), ..., (i_μ, j_μ), she can construct a convolutional code with memory length B and rate 1/(μ + 1). This convolutional code is denoted C′. A codeword [c_1 c_2 ··· c_n] ∈ C can be converted into μ + 1 output streams {c^{(l)} : 0 ≤ l ≤ μ} of C′ by the following re-encoding. The re-encoding, at time t, works as follows:

$$ c^{(0)}_t = c_t, \qquad (6) $$

$$ c^{(l)}_t = c_{t+i_l-B-1} \oplus c_{t+j_l-B-1}, \quad 1 \le l \le \mu. \qquad (7) $$

The above equations define the trellis of C′, and will be denoted {c^{(l)} : 0 ≤ l ≤ μ} = reencode_{C′}(c).

The fast correlation attack (FCA) to recover the initial seed from a noisy LFSR sequence runs as follows:

Algorithm: FCA(G_LFSR, v = noised-version(sG_LFSR)), s ∈ {0, 1}^L.

1) Preprocessing: Find the rate-1/(μ + 1) convolutional code C′ with re-encoding equations reencode_{C′}(·).

2) Compute {r^{(l)} : 0 ≤ l ≤ μ} = reencode_{C′}(v). This is the received vector corresponding to v.

3) Viterbi decoding: Decode {r^{(l)} : 0 ≤ l ≤ μ} on the trellis of C′. The decoded message vector provides an estimate ŝ of the initial seed s.

3) Illustrative simulation results: For simulation, an LFSR of length 8 with connection polynomial X^8 + X^7 + X^5 + X^3 + 1 is chosen for the key stream generator. We choose n = 32, and the matrix G_LFSR is the 8 × 32 matrix given in Fig. 3.

Fig. 3. Generator matrix for LFSR.

We set B = 4 for the preprocessing step, which returned μ = 14 matching sets of columns (1,13), (2,6), (4,7), (5,19), (7,18), (8,15), (9,12), (10,12), (11,12), (12,22), (13,16), (15,21), (22,24), and (23,24) in Q, with the columns of Q being indexed from 1 to n − B − 1 = 27. Note that column i of Q corresponds to column 5 + i in the generator matrix of Fig. 3. So, we get a rate-1/15 embedded convolutional code C′.

The initial seed s is randomly chosen, and a corresponding LFSR sequence v = sG_LFSR + b of length 32 is generated with a suitable obfuscation probability for generating b. The sequence v is further transmitted across the wiretapper's channel BSC(p) to obtain the received vector z. The eavesdropper runs the fast correlation attack FCA(G_LFSR, z) to obtain an estimate ŝ. The FCA succeeds if ŝ = s. Plots of success probability of the FCA versus p are shown in Fig. 4 for different values of obfuscation probability, denoted OP in the legend.

Fig. 4. Fast correlation attacks over a BSC wiretapper's channel with no wiretap coset encoding (attack success probability, 10^−4 to 1, versus channel error probability, 0 to 0.5, for OP = 0.0, 0.1, 0.2, 0.3).

The attack success probability declines with channel error probability and floors at 1/256 ≈ 4 × 10^−3, which is the probability of success of a random guess. Also, as expected, the probability of success deteriorates with increase in obfuscation probability, and the sensitivity of success probability to channel error rate decreases for higher OP. No wiretap coset encoding was involved while generating Fig. 4.
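The generator model of Section II-B1, the parity-check construction and Viterbi step of Section II-B2, and the Fig. 4 simulation of Section II-B3, as an added runnable example written for this page (it is not the authors' code). It assumes a Fibonacci-form LFSR that reads X^8 + X^7 + X^5 + X^3 + 1 as the recurrence s_{t+8} = s_{t+7} + s_{t+5} + s_{t+3} + s_t, so its generator matrix, and hence the number μ of parity checks it finds, need not match the matrix of Fig. 3 or the 14 pairs reported above; the Viterbi metric is Hamming distance, indices are 0-based, and the Monte Carlo trial counts are small.

```python
"""Fast correlation attack (after Johansson and Jonsson) on a length-8 LFSR
whose output is seen through obfuscation noise b ~ Bernoulli(delta) and a
BSC(p) wiretapper's channel, i.e. z = s*G_LFSR + b + e (no coset coding)."""
import itertools
import random

L, N, B = 8, 32, 4   # LFSR length, observed length n, memory of the embedded code


def lfsr_sequence(seed, n):
    """Fibonacci LFSR for the connection polynomial X^8+X^7+X^5+X^3+1, read as
    the recurrence s_{t+8} = s_{t+7} + s_{t+5} + s_{t+3} + s_t over GF(2)
    (tap convention assumed here).  The first L outputs are the seed itself,
    so the generator matrix has the form [I_L | A]."""
    s = list(seed)
    while len(s) < n:
        s.append(s[-1] ^ s[-3] ^ s[-5] ^ s[-8])
    return s[:n]


# G_LFSR (L x N): row l is the sequence generated from the unit seed e_l.
G_LFSR = [lfsr_sequence([int(i == l) for i in range(L)], N) for l in range(L)]


def find_parity_checks(G, B):
    """Preprocessing step of the FCA.  Because G = [I_L | A] already has the
    shape of eq. (4), a pair of columns i < j (both beyond position B) whose
    entries agree in rows B+1..L-1 and differ in row B sums, together with the
    first B+1 unit columns, to zero.  That yields the check of eq. (5):
    g_0 c_0 + ... + g_{B-1} c_{B-1} + c_B + c_i + c_j = 0 (0-based indices)."""
    cols = [[G[r][c] for r in range(L)] for c in range(N)]
    checks = []
    for i in range(B + 1, N):
        for j in range(i + 1, N):
            if cols[i][B + 1:] == cols[j][B + 1:] and cols[i][B] != cols[j][B]:
                g = [cols[i][r] ^ cols[j][r] for r in range(B)]
                checks.append((g, i, j))
    return checks


CHECKS = find_parity_checks(G_LFSR, B)


def check_holds(c, checks):
    """Eq. (5) is shift invariant for LFSR sequences: verify it at every time t
    for which all referenced positions lie inside the length-N window."""
    for g, i, j in checks:
        for t in range(B, N - (j - B)):
            acc = c[t] ^ c[t + i - B] ^ c[t + j - B]
            acc ^= sum(gr & c[t - B + r] for r, gr in enumerate(g)) & 1
            if acc:
                return False
    return True


def fca(z, checks):
    """Steps 2-3 of the FCA: re-encode the observation on the rate-1/(mu+1)
    convolutional code C' and run Viterbi (Hamming metric).  A trellis state is
    the tuple of the B most recent sequence bits; the input is c_t; the outputs
    are c_t (eq. (6)) and, per check, c_t + <g, state>, which must match the
    re-encoded received bit z_{t+i-B} + z_{t+j-B} (eq. (7)).  Returns the seed
    estimate, i.e. the first L bits of the decoded sequence."""
    states = list(itertools.product((0, 1), repeat=B))
    parity = {st: [sum(gr & st[r] for r, gr in enumerate(g)) & 1 for g, _, _ in checks]
              for st in states}
    # Survivors at time t=B: the state itself is c_0..c_{B-1}, scored against z.
    survivors = {st: (sum(a != b for a, b in zip(st, z[:B])), list(st)) for st in states}
    for t in range(B, N):
        nxt = {}
        for st, (metric, path) in survivors.items():
            for c_t in (0, 1):
                d = metric + (c_t != z[t])
                for (g, i, j), pb in zip(checks, parity[st]):
                    if t + j - B < N:
                        d += (c_t ^ pb) != (z[t + i - B] ^ z[t + j - B])
                nst = st[1:] + (c_t,)
                if nst not in nxt or d < nxt[nst][0]:
                    nxt[nst] = (d, path + [c_t])
        survivors = nxt
    best_path = min(survivors.values(), key=lambda mp: mp[0])[1]
    return best_path[:L]


def success_rate(p, delta, trials=100, seed=2014):
    """Monte Carlo estimate of Pr{FCA(G_LFSR, z) = s} for the setting of Fig. 4:
    v = s G_LFSR + b with b ~ Bernoulli(delta), then z = v + e over BSC(p)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        s = [rng.randrange(2) for _ in range(L)]
        v = [c ^ int(rng.random() < delta) for c in lfsr_sequence(s, N)]
        z = [c ^ int(rng.random() < p) for c in v]
        hits += fca(z, CHECKS) == s
    return hits / trials


if __name__ == "__main__":
    print(f"mu = {len(CHECKS)} parity checks -> rate-1/{len(CHECKS) + 1} embedded code")
    for delta in (0.0, 0.2):
        rates = [success_rate(p, delta) for p in (0.0, 0.1, 0.2, 0.3)]
        print(f"OP={delta}: success vs p in (0, .1, .2, .3):", [round(r, 2) for r in rates])
```

With no noise the Viterbi search has a unique zero-cost path, so the seed is recovered exactly; as p or δ grows the estimate degrades towards the 1/2^L guessing floor that Fig. 4 shows. Exhaustive search over the 256 seeds would of course also work at L = 8; the point of the convolutional re-encoding is that its cost grows with 2^B rather than 2^L.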

C. Binary Symmetric Wiretap Channel and Known Plaintext Scenario

We now return to the setting of coset coding for wiretap channels as in Section II-A. A general question that is asked in this work is whether the use of a pseudo-random generator for v results in weaknesses in the security of wiretap encoding. Another important related question is how to exploit the weaknesses (if present) and attack the encoding process. An important class of attacks in cryptography are the known plaintext attacks [18], where the attacker is assumed to have knowledge of the message that is being encoded. While this is justified by the presence of preambles and header information in packets, it is also widely accepted that a cryptographic system needs to be secure even in a known plaintext situation.

Page 4: Robustness of physical layer security primitives against attacks on pseudorandom generators

VAIDYANATHASWAMI and THANGARAJ: ROBUSTNESS OF PHYSICAL LAYER SECURITY PRIMITIVES AGAINST ATTACKS ON PSEUDORANDOM . . . 1073

We consider the case when the wiretapper's channel in Fig. 1 is a Binary Symmetric Channel BSC(p). In this case, Eve's received vector z can be written as

z = vG + mG′′ + e, (8)

where bits in e = [e_1 e_2 ··· e_n] are i.i.d. with Pr{e_i = 1} = p. Under the known plaintext scenario, m is known to the eavesdropper. So, Eve subtracts mG′′ from z to obtain

z′ = vG + e. (9)

Given the model for v in (3), (9) reduces to

z′ = (sG_LFSR + b)G + e, (10)

where s is the initial seed of the LFSR known only to Alice.

Recover LFSR sequence by Learning Parity with Noise (LPN): To find the seed s, we first consider the problem of finding v from z′ = vG + e, where G is the generator matrix for the code C used in encoding for the wiretap channel. In coding theory, this is the decoding problem over a BSC, which for general G is NP-hard [24]. In particular, if the decoding is performed over the wiretapper's channel whose capacity is known to be lower than the rate of the code C, standard decoding algorithms fail. However, in cryptographic systems, even a low probability of success for an attack is typically considered significant enough for analysis and study [18].

In cryptographic systems, decoding over a BSC is sometimes called Learning Parity with Noise (LPN). Algorithms for LPN have been studied in the context of attacking the Hopper-Blum (HB) protocol [25]. The BKW algorithm [26] considers a larger, lower-rate generator matrix consisting of linear combinations of pairs of columns of G with a correspondingly longer codeword. This results in a higher overall probability of success because of the rate reduction, even though the noise probability is increased by the combinations. The BKW algorithm was further improved to the LF2 algorithm in [27]. A short description of the LF2 algorithm, denoted LPN-LF2, is given in the Appendix. In scenarios where the LF2 algorithm is computationally infeasible, there are alternatives such as the Carrijo algorithm [28].

D. Two-stage attack and results

In summary, the overall goal of the eavesdropper in the known-plaintext attack is to find the initial seed s from the observed vector z′ = (sG_LFSR + b)G + e, where G is a generator matrix of the code C used in coset encoding and e, the error vector over the wiretapper's channel, is i.i.d. Bernoulli(p). In addition, v = sG_LFSR + b is the pseudo-random vector from the LFSR-based generator, where G_LFSR is a generator matrix for the LFSR and b is i.i.d. Bernoulli(δ) with δ referred to as the obfuscation probability.

The two-stage attack proceeds as follows:

Algorithm: Two-stage(z′, G, G_LFSR), s ∈ {0, 1}^L.

1) LPN solution: v̂ = LPN-LF2(G, z′).
2) Fast correlation: ŝ = FCA(G_LFSR, v̂).
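Eq. (2), Bob's coset decoding over the noise-free main channel, the known-plaintext reduction (8) to (10), and a brute-force stand-in for stage 1 of the two-stage attack, as an added example written for this page (not the authors' code). Its assumptions: the (12, 8) code C′ is drawn at random with a fixed seed rather than built from an LDPC matrix, the random vector v is drawn uniformly rather than produced by an LFSR, and `ml_decode` is exhaustive maximum-likelihood decoding, which can replace LPN-LF2 only because 2^{k′−k} = 16 candidates is tiny; at the paper's sizes this is the infeasible step. Its output v̂ is what stage 2, FCA(G_LFSR, v̂), would consume.

```python
"""Coset encoding of Section II-A, Bob's decoding over a noise-free main
channel, and Eve's known-plaintext reduction of Section II-C, on a toy
(n, k') = (12, 8) code with k = 4 message bits and k' - k = 4 random bits."""
import itertools
import random

N, KP, K = 12, 8, 4


def vec_mat(vec, mat):
    """Row vector times matrix over GF(2); vectors and rows are lists of 0/1."""
    out = [0] * len(mat[0])
    for bit, row in zip(vec, mat):
        if bit:
            out = [a ^ b for a, b in zip(out, row)]
    return out


def dual_basis(mat):
    """Rows spanning {h : r.h = 0 for every row r of mat}, by Gauss-Jordan
    elimination over GF(2); len(result) == n - rank(mat)."""
    n = len(mat[0])
    rows, pivots = [r[:] for r in mat], []
    for c in range(n):
        rank = len(pivots)
        piv = next((i for i in range(rank, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        for i, r in enumerate(rows):
            if i != rank and r[c]:
                rows[i] = [a ^ b for a, b in zip(r, rows[rank])]
        pivots.append(c)
    basis = []
    for f in (c for c in range(n) if c not in pivots):
        h = [0] * n
        h[f] = 1
        for row, pc in zip(rows, pivots):
            h[pc] = row[f]
        basis.append(h)
    return basis


# Constructed example code: a random full-rank 8 x 12 generator G' for C',
# split as in eq. (1) into G (rows spanning C) and G'' (complement of C in C').
_rng = random.Random(7)
while True:
    G_PRIME = [[_rng.randrange(2) for _ in range(N)] for _ in range(KP)]
    if len(dual_basis(G_PRIME)) == N - KP:   # rank 8, so all cosets are distinct
        break
G, G2 = G_PRIME[:KP - K], G_PRIME[KP - K:]
H_C = dual_basis(G)                           # parity checks of the subcode C


def coset_encode(m, v):
    """Eq. (2): x = vG + mG''.  m picks the coset of C in C', v the word in it."""
    return [a ^ b for a, b in zip(vec_mat(v, G), vec_mat(m, G2))]


def syndrome(x):
    """x H_C^T: zero exactly on C, so it identifies the coset of C containing x."""
    return tuple(sum(a & b for a, b in zip(x, h)) & 1 for h in H_C)


COSET_OF = {syndrome(vec_mat(m, G2)): list(m)
            for m in itertools.product((0, 1), repeat=K)}


def bob_decode(x):
    """Noise-free main channel: the coset index alone recovers m; v is discarded."""
    return COSET_OF[syndrome(x)]


def bsc(x, p, rng):
    return [b ^ int(rng.random() < p) for b in x]


def known_plaintext_strip(z, m):
    """Eq. (9): with m known, Eve subtracts mG'' and is left with z' = vG + e."""
    return [a ^ b for a, b in zip(z, vec_mat(m, G2))]


def ml_decode(z_prime):
    """Stage 1 of the two-stage attack by brute force: the v whose codeword vG
    is closest to z' in Hamming distance (maximum likelihood over a BSC).
    Returns (v_hat, distance).  Only feasible for toy sizes."""
    best = None
    for v in itertools.product((0, 1), repeat=KP - K):
        d = sum(a != b for a, b in zip(vec_mat(v, G), z_prime))
        if best is None or d < best[1]:
            best = (list(v), d)
    return best


def eve_recovery_rate(p, trials=500, seed=1):
    """Fraction of known-plaintext trials in which Eve recovers v over BSC(p)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        m = [rng.randrange(2) for _ in range(K)]
        v = [rng.randrange(2) for _ in range(KP - K)]
        z = bsc(coset_encode(m, v), p, rng)
        hits += ml_decode(known_plaintext_strip(z, m))[0] == v
    return hits / trials


if __name__ == "__main__":
    m, v1, v2 = [1, 0, 1, 1], [0, 1, 1, 0], [1, 1, 0, 1]
    print("same m, two v:", coset_encode(m, v1), coset_encode(m, v2))
    print("Bob decodes both to", bob_decode(coset_encode(m, v1)), bob_decode(coset_encode(m, v2)))
    for p in (0.0, 0.05, 0.1, 0.2, 0.3):
        print(f"p={p}: Eve recovers v in {eve_recovery_rate(p):.2f} of trials")
```

Two things the toy makes visible: Bob never needs v (the syndrome with respect to C discards it), and what the known plaintext buys Eve is not m but a clean decoding instance z′ = vG + e whose difficulty is set entirely by the rate of C against the crossover probability p of her channel.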

For simulations, we use a (3,6) regular low-density parity-check (LDPC) matrix of size 32 × 64 generated using the PEG algorithm [29], and we set the generator matrix G to be equal to this matrix. Note that we set the code C used in wiretap encoding to be the dual of the LDPC code, which is one of the methods for wiretap code construction available in the literature. The main channel is assumed to be noise-free, and the matrix G′′ was chosen so that its row space is the complementary space of C. The LFSR and the embedded convolutional code are the same as in Section II-B3.

An initial seed s was generated at random, followed by the generation of z′ as per (10). The two-stage attack with LPN-LF2 is then run with z′ as input. If the estimate ŝ = s, we declare success. Plots of success probability versus the wiretapper's channel error probability p are shown for different obfuscation probabilities ('OP') in Fig. 5.

Fig. 5. Two-stage attack with wiretap coset encoding (attack success probability, 10^−3 to 1, versus channel error probability, 0 to 0.30, for OP = 0.0, 0.1, 0.2, 0.3, with the no-coding curve of Fig. 4 for comparison).

When wiretap encoding is used, success probability quickly drops to the level of a random guess. Beyond a channel error probability of about 0.04, the probability of success of the two-stage attack is the same as that of a random guess. In fact, beyond p ≈ 0.04 the value of the OP makes no difference. For comparison, the success probabilities without coset encoding have been shown. From the figure, it is clear that wiretap coset coding provides useful robustness against correlation attacks.

Remark 1: In this work, we have focussed on attacks that recover the initial seed of a pseudo-random generator used in wiretap encoding. After a successful attack, a wiretapper knows the vector v in future encodings vG + mG′′. So, in future encodings, the wiretapper can subtract the known vG from her received vector, leaving mG′′ + e, and the message m can be recovered after decoding the code generated by G′′. This decoding might still be computationally hard, depending on the properties of G′′ and the channel error probability of the wiretapper.

Remark 2: If a hardware random number generator with strong randomness properties is used in the coset encoding, correlation attacks do become infeasible. In fact, as shown in this work, use of sufficiently strong pseudo-random generators should be good enough because of the protection provided by wiretap coset coding. However, in the design of a cryptographic system, one needs to look at all possible trap-doors and vulnerabilities. For instance, side-channel attacks are feasible even for hardware random number generators. Therefore, exploring wiretap coset coding with a weak or compromised random number generator is useful in practical implementations of physical layer security protocols.

Fig. 6. Gaussian wiretap channel with a parallel side channel: Alice to Bob over AWGN(σ²), Alice to Eve over AWGN(σ_w²), and a public channel between Alice and Bob.

III. PHYSICAL LAYER KEY EXCHANGE PROTOCOLS

In cryptographic systems, the goal of key exchange pro-tocols is for two legitimate parties to agree on a commonbit string called the key, which is unknown to anyone elselistening to the protocol. In the area of physical layer security,a popular key distribution method is based on the early workof Maurer et al [4],[5]. This protocol between two legitimateparties Alice and Bob involves three main steps: CorrelatedRandomness Generation, Key Reconciliation and Privacy Am-plification. We will assume that Alice and Bob use a Gaussianwiretap channel for achieving correlated randomness, andmultilevel low-density parity-check (LDPC) codes for keyreconciliation. These choices are well-motivated and explainedin more detail, for instance, in [6]. In this study, as a startingpoint, we restrict ourselves to a single-round protocol withone-way public communication for key exchange. Interactiveprotocols over multiple rounds are known to be better [30][31].However, attacks on them are likely to be more complicated,and they are reserved for future study.

Our focus is on the possibility of attacks because of the use of a pseudorandom generator in the generation of common randomness. For completeness, we begin by briefly describing the main steps in creating correlated randomness and key reconciliation. For details, please see [6].

A. Correlated Randomness over a Gaussian Wiretap Channel

For generating correlated randomness, we assume that a Gaussian wiretap channel is available to Alice and Bob, as shown in Fig. 6. Alice and Bob are connected by a Gaussian channel with noise variance $\sigma^2$. The channel between Alice and Eve is Gaussian with noise variance $\sigma_w^2$ and $\sigma_w > \sigma$.

To create correlated randomness, Alice transmits a Gaussian-distributed random variable $X \sim \mathcal{N}(0, \Sigma^2)$ with zero mean and variance $\Sigma^2$ to Bob, whose received value is $Y = X + W$, where $W \sim \mathcal{N}(0, \sigma^2)$ is the additive noise in the channel. Alice quantizes $X$ into an $r$-bit vector $U = [U_1\ U_2 \ldots U_r]$. For an $r$-bit vector $b$, the quantization interval corresponding to $b$ is denoted $Q(b)$. For illustration and future use with $\Sigma = 1$ and $r = 2$, we set $Q(00) = (-\infty, -0.93)$, $Q(01) = (-0.93, 0)$, $Q(10) = (0, 0.93)$ and $Q(11) = (0.93, \infty)$.

This process is repeated $n$ times, independently, with the $j$-th instance $Y_j = X_j + W_j$ resulting in the quantized vector $U_j = [U_{1,j}\ U_{2,j} \ldots U_{r,j}]$ for Alice. These bit strings are split into $r$ levels with level $i$ consisting of the $n$-bit vector $U_i = [U_{i,1}\ U_{i,2} \ldots U_{i,n}]$.

To emphasize a point made in the introduction, we consider attacks on single-round or forward key distribution in the wiretap channel setting of Fig. 6 with a parallel channel. The general secret key capacity of key distribution (with possibly multiple rounds or some other coding method) over the Gaussian wiretap channel, which we will denote $C_{sk}$, is known to be

$$C_{sk} = \frac{1}{2}\log\left(1 + \frac{\Sigma^2}{\sigma^2} + \frac{\Sigma^2}{\sigma_w^2}\right) - \frac{1}{2}\log\left(1 + \frac{\Sigma^2}{\sigma_w^2}\right). \qquad (11)$$

This is obtained by evaluating $I(X;Y|Z)$ with $X \sim \mathcal{N}(0, \Sigma^2)$ and $Z$ denoting Eve's received value. See [6] for a more detailed discussion. In comparison, the secrecy capacity of the Gaussian wiretap channel, which we denote $C_s$, is given by

$$C_s = \max\left\{0,\ \frac{1}{2}\log\left(1 + \frac{\Sigma^2}{\sigma^2}\right) - \frac{1}{2}\log\left(1 + \frac{\Sigma^2}{\sigma_w^2}\right)\right\}. \qquad (12)$$

Clearly, wiretap coding requires that $\sigma < \sigma_w$, while secret key agreement over the Gaussian wiretap channel works for all pairs of values of $\sigma$ and $\sigma_w$, in general.

B. Key Reconciliation Using Multilevel LDPC Codes

During key reconciliation, Alice sends parities to Bob and enables decoding for the vectors $U_i$ using his received vector $Y = [Y_1\ Y_2 \cdots Y_n]$. We suppose that Alice and Bob use multilevel coding (MLC) and multi-stage decoding (MSD) for key reconciliation. In our experiments, we use a set of $r$ LDPC codes (one for each of the $r$ levels) with parity check matrices $H_1, H_2, \ldots, H_r$ for computing parities. Alice computes $r$ syndromes $s_i = H_i U_i^T$, $1 \le i \le r$, and these syndromes are transmitted to Bob over the error-free public channel. Bob uses $r$ decoders, one for each level. The level-$i$ decoder is for the coset of the LDPC code defined by $\{c : H_i c = s_i\}$, and suitable modifications are necessary in the check node update to account for the non-zero syndrome. For every level, a suitable rate and degree distribution is determined and an LDPC matrix is generated using standard methods such as PEG [29]. Note that the matrices $H_i$ are public.

The LDPC decoder in level $i$ uses, as input, the Log Likelihood Ratio (LLR) for bit $U_{i,j}$, computed as

$$l_{i,j} = \log\frac{\Pr(U_{i,j} = 0 \mid Y_j = y_j)}{\Pr(U_{i,j} = 1 \mid Y_j = y_j)} = \log\frac{\sum_{b_{1:i-1},\ b_i = 0,\ b_{i+1:r}} f_Y(y_j \mid U_j = b)\,\Pr(U_j = b)}{\sum_{b_{1:i-1},\ b_i = 1,\ b_{i+1:r}} f_Y(y_j \mid U_j = b)\,\Pr(U_j = b)},$$

where $b \in \{0,1\}^r$, $b_{s:t} = [b_s\ b_{s+1} \cdots b_t]$ and

$$\Pr(U_j = b) = \left(\prod_{s=1}^{i-1} \Pr(U_{s,j} = b_s)\right)\frac{1}{2^{r-i+1}},$$

where $\Pr(U_{s,j} = b_s)$, for $s \in \{1, 2, \ldots, i-1\}$, is computed using the extrinsic soft outputs of the decoders in the previous levels. Up to this point, the calculations are the same as that of a standard MSD for MLC in $2^r$-PAM.


[Fig. 7 (block diagram): Gaussian PRNG → X_i → 2-bit quantizer → U_{i,1}, U_{i,2} → H_1, H_2 → syndromes s_1, s_2 (public channel); X_i → AWGN(σ²) → receiver Y_i → level-1 decoder → L_{i,1} → level-2 decoder → L_{i,2}.]

Fig. 7. Common randomness and reconciliation in a two-level system.

In key reconciliation, a major departure is in the computation of the conditional PDF $f_Y(y_j \mid U_j = b)$. Since $Y_j = X_j + W_j$ and $W_j$ is independent of $X_j$, we have $f_Y(y_j \mid U_j = b) = f_X(x_j \mid U_j = b) \otimes f_W(w)$, where

$$f_W(w) = \frac{1}{\sqrt{2\pi}\,\sigma}\, e^{-w^2/2\sigma^2}$$

is the PDF of the noise and $\otimes$ denotes convolution. Given $U_j = b$, $X_j \in Q(b)$. So, we have

$$f_X(x_j \mid U_j = b) = \begin{cases} \dfrac{\exp(-x_j^2/2\Sigma^2)}{\int_{u \in Q(b)} \exp(-u^2/2\Sigma^2)\,du}, & x_j \in Q(b), \\[1em] 0, & \text{otherwise.} \end{cases}$$

The output LLR of the level-$i$ decoder for the $j$-th bit, denoted $L_{i,j}$, is used to decide the estimate of $U_{i,j}$ at the receiver. The extrinsic LLR $L_{i,j} - l_{i,j}$ is passed on to all the remaining higher levels ($i+1, i+2, \ldots, r$) for use as a priori information in the computation of the input LLR.

A complete schematic of the transmitter and receiver for a two-level system is shown in Fig. 7. Note that the 2-bit quantization of $X_i$ is done at the transmitter, and the syndromes $s_i$ are sent over the public channel.
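As an added worked example (our code, not the paper's), the following Python computes the level-1 and level-2 input LLRs of this subsection for the r = 2 quantizer of Section III-A with Σ = 1. The convolution f_X(· | U = b) ⊗ f_W is evaluated in closed form instead of numerically: the product of the two Gaussian densities is itself Gaussian in x, so the integral over Q(b) reduces to a difference of two normal CDFs. The level-1 LDPC decoder is not implemented; the extrinsic LLR handed to level 2 is a constructed stand-in (by default l_1 itself), and the received values y and noise variance σ² = 0.1 are constructed as well.

```python
import math

SIGMA_SQ_X = 1.0                     # Sigma^2 of Section III-A
THRESHOLDS = (-0.93, 0.0, 0.93)      # r = 2 quantizer of Section III-A
TINY = 1e-300                        # floor keeping log() finite when a sum underflows


def intervals(thresholds=THRESHOLDS):
    """Cells Q(b) in label order: Q(00) = (-inf, -0.93), Q(01) = (-0.93, 0), ..."""
    edges = (-math.inf,) + tuple(thresholds) + (math.inf,)
    return [(edges[i], edges[i + 1]) for i in range(len(edges) - 1)]


def phi_cdf(z):
    """Standard normal CDF."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def f_y_given_u(y, cell, sigma_sq, sigma_sq_x=SIGMA_SQ_X):
    """f_Y(y | U = b): truncated N(0, Sx) on Q(b) convolved with N(0, S).

    Closed form: N(x; 0, Sx) N(y - x; 0, S) = N(y; 0, Sx + S) N(x; mu, tau^2) with
    mu = y Sx / (Sx + S) and tau^2 = Sx S / (Sx + S); the integral over Q(b) is a
    difference of two normal CDFs, divided by the mass of Q(b) under N(0, Sx).
    """
    lo, hi = cell
    sx, s = sigma_sq_x, sigma_sq
    mass = phi_cdf(hi / math.sqrt(sx)) - phi_cdf(lo / math.sqrt(sx))
    tot = sx + s
    mu, tau = y * sx / tot, math.sqrt(sx * s / tot)
    marg = math.exp(-y * y / (2.0 * tot)) / math.sqrt(2.0 * math.pi * tot)
    return marg * (phi_cdf((hi - mu) / tau) - phi_cdf((lo - mu) / tau)) / mass


def level_bits(index, r):
    """[b_1 ... b_r] of a cell index, b_1 most significant."""
    return [(index >> (r - 1 - i)) & 1 for i in range(r)]


def prob_zero(llr):
    """Pr(bit = 0) from an LLR log(P0/P1), stable for large |llr|."""
    if llr >= 0:
        return 1.0 / (1.0 + math.exp(-llr))
    e = math.exp(llr)
    return e / (1.0 + e)


def input_llr(level, y, sigma_sq, extrinsic, thresholds=THRESHOLDS):
    """l_{i,j} for level i = `level` (1-based) given the received sample y.

    `extrinsic` holds L_{s,j} - l_{s,j} for s = 1..i-1 (empty for level 1), giving
    Pr(U_j = b) = prod_{s<i} Pr(U_{s,j} = b_s) / 2^{r-i+1} as in the paper.
    """
    cells = intervals(thresholds)
    r = len(cells).bit_length() - 1
    assert 1 << r == len(cells) and len(extrinsic) == level - 1
    num = den = 0.0
    for idx, cell in enumerate(cells):
        bits = level_bits(idx, r)
        prior = 1.0 / 2 ** (r - level + 1)
        for s in range(level - 1):
            p0 = prob_zero(extrinsic[s])
            prior *= p0 if bits[s] == 0 else 1.0 - p0
        term = f_y_given_u(y, cell, sigma_sq) * prior
        if bits[level - 1] == 0:
            num += term
        else:
            den += term
    return math.log(max(num, TINY)) - math.log(max(den, TINY))


def two_level_llrs(y, sigma_sq, extrinsic_1=None):
    """Input LLRs of both levels for one sample. The level-1 LDPC decoder is not
    implemented here: by default its extrinsic output is stood in for by l_1
    itself (constructed), i.e. the decoder is assumed to have doubled its confidence."""
    l1 = input_llr(1, y, sigma_sq, [])
    if extrinsic_1 is None:
        extrinsic_1 = l1
    l2 = input_llr(2, y, sigma_sq, [extrinsic_1])
    return l1, l2


if __name__ == "__main__":
    for y in (-1.5, 0.3, 2.0):           # constructed received values, sigma^2 = 0.1
        print(y, two_level_llrs(y, 0.1))
```

With the labelling of Section III-A, U_1 is the sign of X and U_2 tells whether |X| exceeds 0.93, so for y = 2.0 both LLRs are strongly negative (U_1 = U_2 = 1), while for y = 0.3 the level-1 LLR is negative and the level-2 LLR positive. The `TINY` floor matters for large |y|, where the CDF differences of the far cells underflow to exactly zero.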

C. Gaussian Pseudorandom Generators

In this work, we assume that Alice uses a pseudo-random generator for generating $X_j$, $1 \le j \le n$, with an initial seed that is known only to her. We next describe two different LFSR-based Gaussian pseudorandom generators and briefly study their characteristics.

1) Box-Muller generator: In the first type of generator, we will suppose that Alice uses an LFSR-based pseudo random generator and generates a binary stream. The bit stream is split into fragments of length $d$ bits each. Then each $d$-bit fragment $[b_1\ b_2 \cdots b_d]$ is converted to a fraction $w \in (0, 1)$ as

$$w = \sum_{i=1}^{d} b_i\, 2^{-i}. \qquad (13)$$

Two such successive pseudo-random fractions $w_1$ and $w_2$ are combined using the Box-Muller transform [32] to produce two pseudo-random, approximately Gaussian-distributed values $g_1$ and $g_2$ as follows:

$$g_1 = \sqrt{-2 \ln w_1}\,\cos 2\pi w_2, \qquad g_2 = \sqrt{-2 \ln w_1}\,\sin 2\pi w_2. \qquad (14)$$

Note that an all-zero fragment gives $w = 0$, for which $\ln w_1$ in (14) is undefined; an implementation has to exclude or clamp this case. Longer LFSRs and larger fragment lengths will produce a closer approximation to the ideal Gaussian shape.

[Fig. 8 (block diagram): LFSR-based PRBS → bits b_1 b_2 ··· b_M → Boolean functions f_i(b), 1 ≤ i ≤ r → U_j = f(b).]

Fig. 8. Pseudo-random model for quantized bits.

2) CLT-based generator: In this method, we exploit the Central Limit Theorem (CLT), and add $t$ independent random numbers to obtain an approximately Gaussian sequence. The $t$ independent random numbers were taken to be the $t$ fractions generated as per (13) from an LFSR-based generator. As $t$ increases, the pseudo-random sequence is expected to become close to iid Gaussian.

D. Pseudo-random model for quantized bits

At the end of key reconciliation, Alice and Bob share $r$ common bit strings $U_i$, $1 \le i \le r$. These bits are obtained by $r$-bit quantization $U_j$, $1 \le j \le n$, of $n$ Gaussian pseudo-random numbers and, hence, the quantized bits are pseudo-random as well. In both the Box-Muller and CLT-based generator, $d$ consecutive bits from an LFSR-based pseudo-random bit sequence (PRBS) are converted into fractions. These fractions are converted into approximately Gaussian-distributed values $X_j$ and quantized to obtain $U_j = [U_{1,j}\ U_{2,j} \cdots U_{r,j}]$. A model for the $r$ quantized bits in $U_j$ is shown in Fig. 8. In the figure, $M$ bits $b = [b_1\ b_2 \cdots b_M]$ from the LFSR-based PRBS are used as input to a set of $r$ Boolean functions to produce the quantized bits $U_{i,j} = f_i(b)$, $1 \le i \le r$. The vector $U_j$ is given by $U_j = f(b) \triangleq [f_1(b)\ f_2(b) \cdots f_r(b)]$. We will have $M = 2d$ for the Box-Muller method, and $M = td$ for the CLT-based method.

The model in Fig. 8 is close to the generic model for LFSR-based generators shown in Fig. 2. Therefore, there is a correlation between the output sequence of an individual LFSR in the LFSR-based PRBS generator and the quantized bits in $U_j$. This correlation is exploited in fast correlation attacks to find the initial seed of the LFSR.

E. Fast Correlation Attack

In the wiretap key distribution protocol, the legitimate transmissions and the wiretapper's observations are different when compared to the wiretap encoding case considered in Section II. So, the fast correlation attack needs to be suitably modified. For simplicity and clarity, we describe the attack for the case of $r = 2$ below. The extension to general $r$ is straightforward from the description.

Algorithm: KeyFCA($Z = [Z_1\ Z_2 \cdots Z_n]$, $s_1$, $s_2$)
Input: $G_{\mathrm{LFSR}}$, LDPC matrices $H_1$, $H_2$, quantization intervals $Q(\cdot)$.

1) Use $Z$, $s_1$, $s_2$ in a two-stage decoder with LDPC matrices $H_1$ and $H_2$ as shown in Fig. 7. The output of the decoder is the final LLR $L_{i,j}$ for the bit $U_{i,j}$, $i = 1, 2$, $1 \le j \le n$.

2) Run a soft-input fast correlation attack for $i = 1, 2$:
Algorithm: SoftFCA($G_{\mathrm{LFSR}}$, $L_i = [L_{i,1} \cdots L_{i,n}]$)

a) Preprocessing: Find a rate-$1/(\mu+1)$ convolutional code $C'$ with re-encoding equations $\mathrm{reencode}_{C'}(\cdot)$.

b) Compute LLRs for $\{r(l) : 0 \le l \le \mu\} = \mathrm{reencode}_{C'}(U_i)$ using $L_i$, the LLRs for $U_i$.

c) BCJR decoding: Decode $\{r(l) : 0 \le l \le \mu\}$ on the trellis of $C'$ using the soft-in, soft-out BCJR decoder. The decoded message vector provides an estimate of the initial seed $s$.

[Fig. 9 (plot): attack success probability (0 to 0.016) versus connection polynomial as an integer (0 to 255); the horizontal baseline is the random-guess level.]

Fig. 9. Fast correlation attacks on 8 bit LFSR.

After Step 1, the output of the multi-stage decoder is the LLR of the quantized bits $U_{i,j}$. To exploit the soft information, we employ a soft-input fast correlation attack. The preprocessing step is the same as for FCA. However, in the reencoding step (Step 2b), the input is the LLR of the bits. Therefore, the LLRs of the reencoded bits need to be computed. This is a standard computation using the tanh rule assuming that the incoming LLRs are from independent processes (for two bits with LLRs $L_1$ and $L_2$, the LLR of their XOR is $2\tanh^{-1}(\tanh(L_1/2)\tanh(L_2/2))$, applied repeatedly over the bits entering each re-encoding equation). Finally, in Step 2c, BCJR decoding is performed to exploit the soft input.

The soft FCA is run twice, for $i = 1$ and $i = 2$. If the output seed matches the actual seed used in the pseudorandom generator for any one of the levels, we declare success.

F. Simulation results

We now present simulation results for the KeyFCA algorithm. In all simulations, we use $r = 2$ with two-bit quantization levels (unless mentioned otherwise) as in Section III-A. The rates of the LDPC codes used in level 1 and level 2 were chosen to be 0.625 and 0.4, respectively. The degree distributions were chosen to be $0.5X^3 + 0.5X^8$ (for rate 0.625) and $0.5X^3 + 0.5X^5$ (for rate 0.4) with a block length of 3000. The channel noise variance was set as $\sigma_w^2 = 0.1$. The probability of success was numerically obtained over 10,000 trial runs.

1) Box-Muller generator: We first consider the Box-Muller generator used with an LFSR of length $L = 8$ and a fragment length of $d = 4$. The probability of success is plotted against each of the 256 possible connection polynomials $P(D)$ in Fig. 9. The probability of randomly guessing the initial state, which is $2^{-8}$, is shown as the horizontal baseline. We see that, for several connection polynomials, the fast correlation attack results in a probability of success only at the level of a random guess. However, for some other choices of $P(D)$, the correlation attack succeeds with significantly higher probabilities. For instance, a reducible connection polynomial such as $P(D) = 1 + X^2 + X^4$ resulted in a much higher probability of success, while the primitive connection polynomial $P(D) = 1 + X^3 + X^7$ resulted in a probability of success close to $2^{-8}$.

[Fig. 10 (plot): success probability (0 to 0.0006) versus fragment length $d$ (2 to 20).]

Fig. 10. Success probability versus fragment length.

[Fig. 11 (plot): normalized attack success probability (0 to 5) versus SNR (0 to 6 dB) for L=8, d=4; L=10, d=8; L=12, d=8.]

Fig. 11. Success probability versus SNR = $1/\sigma_e^2$ (in dB).

For the $L = 8$, $d = 4$ case, the average success probability was 0.00836214 (to be compared with $2^{-8} = 0.003906$) with a standard deviation of 0.00488129. For $L = 12$ and $d = 8$, the results were similar with an average success probability of 0.000317384 (compared to $2^{-12} = 0.000244141$) with a standard deviation of 0.000338196.

Effect of fragment length: Fig. 10 illustrates how the success of attacks varies with different fragment lengths used for converting bits from the LFSR into fractions. A length-12 LFSR with $P(D) = 1 + X^3 + X^4 + X^7 + X^{12}$ was used in the Box-Muller generator. As expected, success probability diminishes with fragment length.

Effect of channel noise: The success probabilities normalized by the random guess level ($2^{-L}$) are plotted versus increasing channel noise variance ($\sigma_w^2$) in Fig. 11. The connection polynomials used were $P(D) = 1 + X + X^5 + X^6 + X^8$ ($L = 8$), $P(D) = 1 + X^3 + X^{10}$ ($L = 10$) and $P(D) = 1 + X^3 + X^4 + X^7 + X^{12}$ ($L = 12$). A normalized success probability of 1 is considered low. From the figure, we observe that the chances of success in fast correlation decrease (as expected) with increasing noise levels. Notice that longer LFSRs exhibit wider variations from the mean.

[Fig. 12 (plot): normalized bent index (0 to 1) versus quantization threshold (0.1 to 0.9) for L=8, d=4; L=14, d=7; L=14, d=7 (random).]

Fig. 12. Bent index of Boolean function.

Nonlinearity measure and quantization threshold: For a Boolean function $f : \mathbb{F}_2^n \to \mathbb{F}_2$, the nonlinearity index [33], denoted $\mathrm{nl}(f)$, can be computed as

$$\mathrm{nl}(f) = 2^{n-1} - \frac{1}{2} S(f), \qquad (15)$$

where $S(f)$, the spectral amplitude of $f$, is defined as

$$S(f) = \max_{y \in \mathbb{F}_2^n} \left| \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) + x \cdot y} \right| \qquad (16)$$

with $x \cdot y$ denoting the dot product over $\mathbb{F}_2^n$. The maximum attainable nonlinearity is given by $B_{\max} = 2^{n-1} - 2^{n/2 - 1}$, and the ratio $\mathrm{nl}(f)/B_{\max}$ is called the bent index of $f$.

The nonlinearity index of the Boolean function in the model for the quantized bits in Fig. 8 is a useful indicator of the resistance to correlation attacks. Fig. 12 shows the bent indices of the Boolean function (for level 1) in a Box-Muller generator plotted versus the magnitude of the non-zero quantization threshold for $r = 2$. For reference, the non-zero quantization threshold is 0.93 for the two-bit quantization given in Section III-A. The bent index of the function peaks at around 0.62 for a quantization threshold of 0.55. The best nonlinearity index we get in the operational region seems to be around 0.5, irrespective of the LFSR length. For comparison, the bent index of a randomly generated Boolean function is also shown, and this is seen to be close to 1. So, the Box-Muller combiner is not a strongly nonlinear combiner and is susceptible to attacks. However, the noise added in the wiretapper's channel and the coding done for reconciliation provide robustness against the correlation attack, as seen before.
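As an added example (our code, not the authors'), the Python below builds the whole chain of Sections III-C and III-D, LFSR → d-bit fragments → eq. (13) → Box-Muller (14) or CLT sum → quantizer of Section III-A → the Boolean model f_i(b) of Fig. 8, and then evaluates eqs. (15) and (16) on the resulting truth table with a fast Walsh-Hadamard transform, giving the kind of threshold sweep shown in Fig. 12 for a d = 4 fragment (n = 8 input bits). Choices that are ours and not the paper's: the LFSR is a Fibonacci register with the tap convention stated in the docstring; the first Box-Muller output g_1 is the sample; an all-zero fragment (w = 0) is clamped to 2^{-(d+1)} before the logarithm; the CLT sum is shifted and scaled to unit variance; and, since with the labelling of Section III-A U_1 is the sign bit of the sample and U_2 the magnitude bit, the sweep reports the bent index of both bits so the reader can see which one the threshold actually affects. The 8-bit connection polynomial and seed in the demo are taken from the paper's experiments and constructed, respectively.

```python
import functools
import math
import operator


def lfsr_bits(taps, seed_bits, nbits):
    """Fibonacci LFSR for P(D) = 1 + sum_{c in taps} D^c with L = max(taps).
    seed_bits = [s_0, ..., s_{L-1}] (the secret state); output s_0, s_1, ...
    with s_t = XOR_{c in taps} s_{t-c}."""
    L = max(taps)
    s = list(seed_bits)
    assert len(s) == L and any(s), "seed must be L bits and not all zero"
    while len(s) < nbits:
        s.append(functools.reduce(operator.xor, (s[-c] for c in taps)))
    return s[:nbits]


def fraction(bits):
    """Eq. (13): w = sum_i b_i 2^{-i}, b_1 being the most significant bit."""
    return sum(b / 2.0 ** (i + 1) for i, b in enumerate(bits))


def box_muller(w1, w2, w_min):
    """Eq. (14). An all-zero fragment gives w1 = 0 and ln(0) = -inf; w1 is clamped
    to w_min, an implementation choice of ours that the paper does not specify."""
    w1 = max(w1, w_min)
    rad = math.sqrt(-2.0 * math.log(w1))
    return rad * math.cos(2.0 * math.pi * w2), rad * math.sin(2.0 * math.pi * w2)


def clt_gaussian(ws):
    """CLT generator: sum of t fractions, shifted and scaled to zero mean and unit
    variance (our normalisation, so that Sigma = 1 as in Section III-A)."""
    t = len(ws)
    return (sum(ws) - t / 2.0) / math.sqrt(t / 12.0)


def quantize(x, thresholds=(-0.93, 0.0, 0.93)):
    """Label [U_1 ... U_r] of the cell Q(b) containing x; with the defaults
    Q(00) = (-inf,-0.93), Q(01) = (-0.93,0), Q(10) = (0,0.93), Q(11) = (0.93,inf)."""
    idx = sum(1 for th in thresholds if x > th)
    r = (len(thresholds) + 1).bit_length() - 1
    return [(idx >> (r - 1 - i)) & 1 for i in range(r)]


def quantized_samples(stream, d, method="box-muller", t=2, thresholds=(-0.93, 0.0, 0.93)):
    """Section III-C/III-D pipeline: one label U_j per block of M PRBS bits,
    M = 2d (Box-Muller, g_1 used) or M = t*d (CLT)."""
    M = 2 * d if method == "box-muller" else t * d
    w_min = 2.0 ** -(d + 1)
    out = []
    for start in range(0, len(stream) - M + 1, M):
        frags = [fraction(stream[start + k * d:start + (k + 1) * d]) for k in range(M // d)]
        g = box_muller(frags[0], frags[1], w_min)[0] if method == "box-muller" else clt_gaussian(frags)
        out.append(quantize(g, thresholds))
    return out


def truth_table(level, d, thresholds=(-0.93, 0.0, 0.93), method="box-muller", t=2):
    """Truth table of f_level(b) of Fig. 8 over all M-bit inputs b; table index x
    carries b_1 in its most significant bit."""
    M = 2 * d if method == "box-muller" else t * d
    return [quantized_samples([(x >> (M - 1 - i)) & 1 for i in range(M)], d, method, t,
                              thresholds)[0][level - 1] for x in range(1 << M)]


def walsh_spectrum(table):
    """W(y) = sum_x (-1)^{f(x) + x.y} for every y (fast Walsh-Hadamard transform)."""
    f = [1 - 2 * bit for bit in table]
    h = 1
    while h < len(f):
        for i in range(0, len(f), 2 * h):
            for j in range(i, i + h):
                a, b = f[j], f[j + h]
                f[j], f[j + h] = a + b, a - b
        h *= 2
    return f


def nonlinearity(table):
    """Eqs. (15)-(16): nl(f) = 2^{n-1} - S(f)/2 with S(f) = max_y |W(y)|.
    Returns (nl, bent index nl/Bmax), Bmax = 2^{n-1} - 2^{n/2-1}."""
    n = len(table).bit_length() - 1
    assert 1 << n == len(table)
    S = max(abs(w) for w in walsh_spectrum(table))
    nl = 2 ** (n - 1) - S // 2
    return nl, nl / (2 ** (n - 1) - 2 ** (n / 2 - 1))


def bent_index_sweep(d=4, thresholds_mag=(0.3, 0.55, 0.93)):
    """Bent index of (U_1, U_2) of the Box-Muller model versus the non-zero
    quantization threshold, the sweep of Fig. 12 for d = 4 (n = 8 inputs)."""
    return {thr: tuple(nonlinearity(truth_table(lvl, d, (-thr, 0.0, thr)))[1]
                       for lvl in (1, 2)) for thr in thresholds_mag}


if __name__ == "__main__":
    # P(D) = 1 + X + X^5 + X^6 + X^8 from the paper's experiments; seed constructed
    stream = lfsr_bits([1, 5, 6, 8], [1, 0, 0, 1, 0, 1, 1, 0], 64)
    print(quantized_samples(stream, 4))
    print(bent_index_sweep())
    print(nonlinearity(truth_table(2, 4, method="clt", t=3)))
```

The truth table for d = 4 has 2^8 entries, so the Walsh transform is instantaneous; for the paper's L = 14, d = 7 case it has 2^14 entries, which the transform also handles in a fraction of a second, whereas the direct double sum of (16) would not.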

2) CLT-based generator: Next, the probability of success of the fast correlation attack against a CLT generator with $L = 8$, $d = 4$ and number of summands $t = 12$ is plotted against the choice of the connection polynomial $P(D)$ in Fig. 13. For the CLT-based method, the results are seen to be similar to that of the Box-Muller method. The average success probability (average over the choice of $P(D)$) was 0.008305882 with a standard deviation of 0.005668722.

[Fig. 13 (plot): attack success probability (0 to 0.04) versus connection polynomial as an integer (0 to 255).]

Fig. 13. Fast correlation attacks on CLT based random generator.

In Fig. 14, the attack success probability is plotted versus the number of summands. The connection polynomial was fixed to be $P(D) = 1 + X + X^5 + X^6 + X^8$ and the fragment length was taken to be $d = 8$. From the figure, we see that about 20 summands are enough to reduce the success probability of fast correlation to the level of a random guess.

[Fig. 14 (plot): success probability (0 to 0.025) versus number of summands (10 to 50).]

Fig. 14. Success probability versus number of summands in a CLT-based generator.

To sum up, fast correlation attacks on the key distribution protocol failed to show success significantly higher than random guess even for moderate length LFSRs with good connection polynomials. So, the correlation in the pseudo-random sequence used at the transmitter is masked by the noise and coding used in the physical layer security protocols.

IV. CONCLUSION

We studied attacks on weak Pseudo-Random Number Generators (PRNGs) in two physical layer security algorithms, namely coset encoding in binary symmetric wiretap channels and key agreement in Gaussian wiretap channels. While both schemes are information-theoretically secure asymptotically under the use of ideal random generators, their vulnerability to attacks on weak PRNGs had not received attention in the literature, so far. In this work, we constructed attacks on LFSR-based PRNGs using fast correlation and soft detection.

It is not surprising that any PRNG used in security needs to be strong, and weak PRNGs are attackable. However, physical layer security uses noise and additional coding in transmission schemes. The role of noise and coset coding in the success of attacks was studied by simulations. Interestingly, in several attacks that we considered in our work, the difficulty of decoding in the presence of noise provides additional protection and robustness to weak PRNGs. We observed that simple LFSR-based PRNGs at moderate memory lengths (12 or so) cannot be broken by message-passing decoders with probability of success significantly better than random guessing, if the connection polynomials are chosen suitably. It is not clear if ideal decoders will fare better. An interesting avenue for future work is the study of computational complexity of decoding and noise removal in wiretap channels, in conjunction with attacks on PRNGs.

V. ACKNOWLEDGEMENT

We thank the editor and anonymous reviewers for their comments that helped to significantly improve the content and presentation of this paper.

APPENDIX

In this appendix, we will briefly describe the LF2 algorithm for the LPN (Learning Parity in Noise) problem. The goal of the LPN problem is to find a $k$-bit vector $v$ given the observed vector $y = vG + e$, where $G$ is an arbitrary $k \times n$ matrix, and the error vector $e = [e_1\ e_2 \cdots e_n]$ is such that each $e_i$ is an i.i.d. random bit with $\Pr\{e_i = 1\} = p$.

The algorithm uses a parameter $b$, which is a small positive integer that divides $k$. The value $b$ must be small enough such that $2^b \ll n$, and all-zero rows can be padded to $G$, if needed for the divisibility constraint. However, $a \triangleq k/b$ typically cannot be more than 3 or 4 for good performance. The two-dimensional array notation $G(i_1 : i_2, j_1 : j_2)$ denotes the $(i_2 - i_1 + 1) \times (j_2 - j_1 + 1)$ submatrix of $G$ whose $(i, j)$-th entry is the $(i_1 + i, j_1 + j)$-th entry of $G$. All array indices start from 0.

We provide below an algorithm that estimates the first $b$ bits of $v$.

Algorithm: LPN-LF2-part($G$, $y$)

1) Let $k$ and $n$ denote the number of rows and columns of $G$.

2) Classify: For $0 \le x \le 2^b - 1$, let $I_x = \{j : G(k-b : k-1, j) = (x)_2\}$ be the set of columns of $G$ with last $b$ bits equal to $(x)_2$, the binary representation of $x$. Let $n_x = |I_x|$. Since $2^b \ll n$, we expect $n_x$ to be a reasonably high value for many $x$.

3) Reencode: For $0 \le x \le 2^b - 1$, form a $(k-b) \times \binom{n_x}{2}$ matrix $G_x$ with columns $[G(0 : k-b-1, i) \oplus G(0 : k-b-1, j) : i, j \in I_x,\ i \ne j]$, where $\oplus$ denotes bitwise binary XOR. Also, form the corresponding reencoded vector $y_x = [y_i \oplus y_j : i, j \in I_x,\ i \ne j]$. Note that the last $b$ bits of every column of $G$ are ignored in forming $G_x$, since they are equal for a given $x$ and result in zeros after XORing.

4) Form the new matrix $G = [G_x : 0 \le x \le 2^b - 1]$ and vector $y = [y_x : 0 \le x \le 2^b - 1]$ by concatenating the matrices $G_x$ and the vectors $y_x$, respectively. If the new $G$ has more than $b$ rows, repeat Steps 1-3.

5) The first $b$ bits of $v$ are estimated by exhaustive search as $m = \arg\min_{m \in \{0,1\}^b} d_H(y, mG)$, where $d_H$ denotes the Hamming distance.

Once the first $b$ bits are estimated as $m$ and assumed to be correct, their effect can be undone to obtain the received vector $y' = y \oplus mG(0 : b-1, 0 : n-1)$. The vector $y'$ satisfies $y' = v'G' + e$, where $G' = G(b : k-1, 0 : n-1)$ and $v'$ holds the remaining $k - b$ bits of $v$. Now, finding the remaining bits is another LPN problem and can be solved iteratively by calling LPN-LF2-part($G'$, $y'$).
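As an added illustration (our code, not the paper's), the Python below implements LPN-LF2-part and the peel-off recursion described above on a constructed instance. Columns of $G$ are stored as $k$-bit integers with bit $r$ holding row $r$, so "the last $b$ bits" of a column are its high-order bits and "the first $b$ bits" its low-order bits. The parameters $k = 8$, $b = 4$ (so $a = 2$ and a single reencoding round), $n = 600$, $p = 0.1$ and the seed are our choices. One consequence of Step 3 worth seeing in code: the column count after a round is $\sum_x \binom{n_x}{2} \approx n^2/2^{b+1}$, so it stays constant only for $n \approx 2^{b+1}$ and grows otherwise; with $a = 3$ or 4 a practical implementation has to keep $n$ and $b$ balanced or sample pairs, which the "$2^b \ll n$" condition alone does not guarantee.

```python
import itertools
import random


def parity(x):
    """XOR of the bits of a non-negative integer."""
    return bin(x).count("1") & 1


def lpn_instance(k, n, p, rng):
    """Constructed LPN instance: secret v (k bits), G as n column integers with
    bit r = row r, and y = vG + e with Pr{e_i = 1} = p."""
    v = rng.getrandbits(k)
    cols = [rng.getrandbits(k) for _ in range(n)]
    y = [parity(v & c) ^ (1 if rng.random() < p else 0) for c in cols]
    return v, cols, y


def lf2_part(cols, y, k, b):
    """LPN-LF2-part: estimate of the first b bits of v (bit t of the result = row t)."""
    assert k % b == 0, "pad G with all-zero rows so that b divides k"
    rows = k
    while rows > b:
        # Step 2, classify: bucket columns by their last b bits (rows rows-b .. rows-1).
        buckets = {}
        for c, yi in zip(cols, y):
            buckets.setdefault(c >> (rows - b), []).append((c, yi))
        # Step 3, reencode: XOR every pair inside a bucket; the shared last b bits
        # cancel, so only the first rows-b rows are kept. Steps 1-4 repeat until
        # only b rows remain; the column count becomes sum_x C(n_x, 2).
        low_mask = (1 << (rows - b)) - 1
        new_cols, new_y = [], []
        for items in buckets.values():
            for (ci, yi), (cj, yj) in itertools.combinations(items, 2):
                new_cols.append((ci ^ cj) & low_mask)
                new_y.append(yi ^ yj)
        cols, y, rows = new_cols, new_y, rows - b
    # Step 5: exhaustive search over the 2^b candidates for the remaining b rows.
    return min(range(1 << rows),
               key=lambda m: sum(yi ^ parity(m & c) for c, yi in zip(cols, y)))


def lf2_solve(cols, y, k, b):
    """Recover all k bits of v: estimate b bits, undo their contribution
    (y' = y + m G(0:b-1, :)), drop those rows and continue with the rest."""
    v, shift, low_mask = 0, 0, (1 << b) - 1
    while k > 0:
        m = lf2_part(cols, y, k, b)
        v |= m << shift
        y = [yi ^ parity(m & (c & low_mask)) for c, yi in zip(cols, y)]
        cols = [c >> b for c in cols]
        k, shift = k - b, shift + b
    return v


def run_demo(k=8, n=600, b=4, p=0.1, seed=2014):
    """Constructed instance with a fixed seed; returns (true v, recovered v)."""
    rng = random.Random(seed)
    v, cols, y = lpn_instance(k, n, p, rng)
    return v, lf2_solve(cols, y, k, b)


if __name__ == "__main__":
    print(run_demo())
```

After the single reencoding round the effective error rate of the 4-row instance is $2p(1-p) \approx 0.18$, and the roughly $16 \cdot \binom{37}{2} \approx 11{,}000$ reencoded samples make the distance of the correct 4-bit prefix (about 18% of them) clearly separable from that of any wrong prefix (about 50%); the second call sees the original 600 samples with error rate $p$ and no reencoding.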

A. Glossary

BCJR: Bahl, Cocke, Jelinek and Raviv, BKW: Blum, Kalai, Wasserman, DMC: Discrete Memoryless Channel, LF2: Levieil and Fouque Algorithm-2, LPN: Learning Parity in Noise, MLC: Multi Level Coding, MSD: Multi Stage Decoding, PEG: Progressive Edge Growth, PRNG: Pseudo Random Number Generator.

REFERENCES

[1] A. D. Wyner, "The wiretap channel," Bell System Technical J., vol. 54, no. 8, pp. 1355–1387, 1975.

[2] L. H. Ozarow and A. D. Wyner, "Wiretap channel—II," Bell System Technical J., vol. 63, no. 10, pp. 2135–2157, Dec. 1984.

[3] I. Csiszar and J. Korner, "Broadcast channels with confidential messages," IEEE Trans. Inf. Theory, vol. 24, no. 3, pp. 339–348, May 1978.

[4] U. Maurer and S. Wolf, "Information-theoretic key agreement: from weak to strong secrecy for free," Lect. Notes Computer Science, vol. 1807, pp. 351–368, 2000.

[5] U. Maurer, "Secret key agreement by public discussion from common information," IEEE Trans. Inf. Theory, vol. 39, pp. 733–742, May 1993.

[6] M. Bloch and J. Barros, Physical Layer Security: From Information Theory to Security Engineering. Cambridge University Press, 2011.

[7] M. Bellare, S. Tessaro, and A. Vardy, "Semantic security for the wiretap channel," in Advances in Cryptology - CRYPTO 2012, ser. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2012, vol. 7417, pp. 294–311.

[8] Standards, "RFC 1750," http://www.ietf.org/rfc/rfc1750.txt, [Accessed on 03 Dec. 2012].

[9] Y. Zhou and D. Feng, "Side-channel attacks: ten years after its publication and the impacts on cryptographic module security testing," IACR Cryptology ePrint Archive, vol. 2005, p. 388, 2005.

[10] A. Thangaraj, S. Dihidar, A. R. Calderbank, S. W. McLaughlin, and J. Merolla, "Applications of LDPC codes to the wiretap channel," IEEE Trans. Inf. Theory, vol. 53, no. 8, pp. 2933–2945, 2007.

[11] M. Bloch, "Physical layer security," Ph.D. dissertation, Georgia Institute of Technology, 2008.

[12] T. Johansson and F. Jonsson, "Improved fast correlation attacks on stream ciphers via convolutional codes," in Proc. 1999 EUROCRYPT, pp. 347–362.

[13] T. K. Moon, "Maximum-likelihood binary shift-register synthesis from noisy observations," IEEE Trans. Inf. Theory, vol. 48, no. 7, pp. 2096–2104, 2002.

[14] J. Dingel and J. Hagenauer, "Parameter estimation of a convolutional encoder from noisy observations," in Proc. 2007 IEEE International Symposium on Information Theory, pp. 1776–1780.

[15] V. Rajaraman and A. Thangaraj, "Known plaintext attack on the binary symmetric wiretap channel," in Proc. 2011 Global Communications Conference Workshops.

[16] W. Meier, "Fast correlation attacks: Methods and countermeasures," in Fast Software Encryption, ser. Lecture Notes in Computer Science. Springer, 2011, vol. 6733, pp. 55–67.

[17] M. Robshaw and O. Billet, Eds., New Stream Cipher Designs - The eSTREAM Finalists, ser. Lecture Notes in Computer Science. Springer, 2008, vol. 4986.

[18] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, ser. Discrete Mathematics and Its Applications. Taylor & Francis, 2010.

[19] T. Siegenthaler, "Correlation-immunity of nonlinear combining functions for cryptographic applications," IEEE Trans. Inf. Theory, vol. 30, no. 5, pp. 776–780, Sept. 1984.

[20] W. Meier and O. Staffelbach, "Fast correlation attacks on certain stream ciphers," J. of Cryptology, vol. 1, no. 3, pp. 159–176, Oct. 1989.

[21] T. Johansson and F. Jonsson, "Theoretical analysis of a correlation attack based on convolutional codes," IEEE Trans. Inf. Theory, vol. 48, no. 8, pp. 2173–2181, 2002.

[22] A. Canteaut, "Fast correlation attacks against stream ciphers and related open problems," in Proc. 2005 IEEE Workshop on Information Theory and Practice in Information-Theoretic Security, pp. 49–54.

[23] T. Siegenthaler, "Decrypting a class of stream ciphers using ciphertext only," IEEE Trans. Computers, vol. C-34, no. 1, pp. 81–85, Jan. 1985.

[24] E. R. Berlekamp, Algebraic Coding Theory. McGraw-Hill, 1968.

[25] N. J. Hopper and M. Blum, "A secure human-computer authentication scheme," Carnegie Mellon University, Tech. Rep., vol. CMU-CS-00-139, 2000.

[26] A. Blum, A. Kalai, and H. Wasserman, "Noise-tolerant learning, the parity problem and the statistical query model," J. ACM, vol. 50-4, pp. 506–519, July 2003.

[27] E. Levieil and P.-A. Fouque, "An improved LPN algorithm," Proceedings of SCN, ser. LNCS, vol. 4116, pp. 348–359, 2006.

[28] J. Carrijo, R. Tonicelli, H. Imai, and A. C. A. Nascimento, "A novel probabilistic passive attack on the protocols HB and HB+," IEICE Trans., vol. 92-A, pp. 658–662, 2009.

[29] X.-Y. Hu and E. Eleftheriou, "Regular and irregular progressive edge-growth Tanner graphs," IEEE Trans. Inf. Theory, vol. 51, no. 1, pp. 386–398, Jan. 2005.

[30] U. Maurer, "Secret key agreement by public discussion from common information," IEEE Trans. Inf. Theory, vol. 39, no. 3, pp. 733–742, 1993.

[31] S. Watanabe and Y. Oohama, "Secret key agreement from correlated gaussian sources by rate limited public communication," IEICE Trans. Fundamentals of Electronics, Commun. and Computer Sciences, vol. 93, no. 11, pp. 1976–1983, 2010.

[32] G. E. P. Box and M. E. Muller, "A note on the generation of random normal deviates," Annals of Mathematical Statistics, vol. 29, no. 2, pp. 610–611, 1958.

[33] O. S. Rothaus, "On "bent" functions," J. of Combinatorial Theory, Series A, vol. 20, no. 3, pp. 300–305, 1976.

Rajaraman Vaidyanathaswami received his B.Sc. degree in Mathematics from the University of Madras, Chennai, India in 1980, M.Sc. degree in Mathematics from Annamalai University, Chidambaram, India in 1990, M.E. degree in electronics and communication engineering from the Indian Institute of Science, Bangalore, India in 1994. He obtained an Associate Membership of the Institute of Electronics and Telecommunication Engineers (India) in electronics and communication engineering in 1986. He was a Junior Telecom Officer with the Department of Telecommunications, India from 1982 to 1989, a Deputy Director with All India Radio and Doordarshan, Delhi from 1989 to 2000. Since 2002, he has been with Verizon, Chennai, where he is currently a Senior Principal Architect. Since 2005, he has been a doctoral student in the electrical engineering department at the Indian Institute of Technology, Madras.

Andrew Thangaraj (S'00–M'03–SM'11) received the B.Tech. degree in electrical engineering from Indian Institute of Technology (IIT), Madras, India, in 1998, and the Ph.D. degree in electrical engineering from Georgia Institute of Technology, Atlanta, in 2003. He was a Post doctoral Researcher at the GTL-CNRS Telecommunications Laboratory at Georgia Tech Lorraine, Metz, France, from August 2003 to May 2004. From June 2004, he has been with the Department of Electrical Engineering, IIT Madras, where he is currently an Associate Professor. His research interests are in coding theory, information theory and physical layer security.