**3. Protocol of keyless Dean and Goldsmith system elaborated for secure message transmission through fading channels with executing MIMO technology**

Cryptosystem proposed by Dean and Goldsmith in [12] belongs also to the class of keyless cryptography because it may provide a security of message transmission without a secret key sharing in advance. The main difference in the knowledge of legitimate users and eavesdroppers is only their different locations in space. But such cryptosystems can be used not in all possible scenarios but only in those ones where messages are transmitted over fading channels and with the use of a *massive multipleinput, multiple-output* (MIMO) technology.

For brevity, we denote such cryptosystem by abbreviation DGC. First, we consider the model with the main steps of its implementation for the particular case where the number of legal user receiving antennas *nr* and eavesdropper antennas *n*<sup>0</sup> *<sup>r</sup>* are equal to each other. (Later we consider more general case *nr* 6¼ *n*<sup>0</sup> *r*).

Legitimate channel between Alice (A) and Bob (B) is described by equation:

$$z = Ay + \mathfrak{e},\tag{12}$$

where *z*∈ *<sup>n</sup>* is vector received by B, *y*∈ *<sup>n</sup>* is vector transmitted by A, *e*∈ *<sup>n</sup>* is additive noise vector at the receiver B, *A* ∈ *<sup>n</sup>*�*<sup>n</sup>* is legitimate channel matrix. It is assumed that *e* are i.i.d. *Gaussian* vectors: *N* 0, *σ*<sup>2</sup> *e* . *<sup>A</sup>* <sup>¼</sup> *aij* ,ð Þ *<sup>i</sup>* <sup>¼</sup> <sup>1</sup> … *<sup>n</sup>*, *<sup>j</sup>* <sup>¼</sup> <sup>1</sup> … *<sup>n</sup>* are also matrices with i.i.d. Gaussian matrix elements: *<sup>N</sup>* 0, *<sup>σ</sup>*<sup>2</sup> ð Þ. For Eavesdropper channel from A to E (Eve) holds the equation:

$$z' = By + e',\tag{13}$$

where *z*<sup>0</sup> ∈ *<sup>n</sup>* is vector received by E, *e*<sup>0</sup> ∈ *<sup>n</sup>* is additive noise vector at the receiver E, *B*∈ *<sup>n</sup>*�*<sup>n</sup>* eavesdropper channel matrix. It is assumed that *e*<sup>0</sup> are also i.i.d. vectors based on Gaussian distribution *N* 0, *σ*~<sup>2</sup> *e* , *<sup>B</sup>* <sup>¼</sup> *bij* , *<sup>i</sup>* <sup>¼</sup> 1, … , *<sup>n</sup>*, *<sup>j</sup>* <sup>¼</sup> 1, … , *<sup>n</sup>* with *bij* which are i.i.d. Gaussian values *N* 0, *σ*<sup>2</sup> *w* . All entries of matrices *A* and *B* are assumed to be mutually independent. Next three conditions are very important for further discussion:


It is worth to note that the model described above is more or less valid in practice for fading channels based on *MIMO technology* if space distance between legitimate users and eavesdropper is at least several wavelengths of communication. Encoding procedure in line with [12] is the following:

$$\mathbf{y} = \mathbf{V}\mathbf{x},\tag{14}$$

where *V* ∈ *<sup>n</sup>*�*<sup>n</sup>* is orthogonal matrix taken from *singular value decomposition* (SVD) of matrix *<sup>A</sup>* <sup>¼</sup> *USV<sup>T</sup>*, *<sup>x</sup>*<sup>∈</sup> *<sup>n</sup>* with binary entries *xi*, *<sup>i</sup>* <sup>¼</sup> 1, … , *<sup>n</sup>*. Predecoding procedure in line with [12] is the following:

$$\mathbf{z}' = \mathbf{U}^T \mathbf{z} = \mathbf{U}^T \mathbf{A} \mathbf{y} + \mathbf{e}' = \mathbf{U}^T \mathbf{U} \mathbf{S} \mathbf{V}^T \mathbf{V} \mathbf{x} + \mathbf{U}^T \mathbf{e} = \mathbf{S} \mathbf{x} + \mathbf{e}',\tag{15}$$

where *<sup>U</sup>* <sup>∈</sup> *<sup>n</sup>*�*<sup>n</sup>* is orthogonal matrix taken from SVD of matrix *<sup>A</sup>*, *<sup>e</sup>*<sup>0</sup> <sup>¼</sup> *<sup>U</sup>Te*. Since *S* is diagonal matrix, we get from (15) the following optimal decoding rule:

$$\mathbf{x}' = \arg\min\_{\mathbf{x}\_i} \left| z'\_i - \boldsymbol{\varkappa}\_i \boldsymbol{\varsigma}\_i \right|, \ i = 1, \ldots, n,\tag{16}$$

where *si* is *i*-th element of diagonal matrix *S*, *xi* are binary entries of vector *x*. We can see from (16) that decoding procedure has linear complexity on the number of antennas *n*. Eavesdropper E following to strategy of legitimate users performs the optimal decoding procedure:

$$\mathbf{z}' = \mathbf{U}'^{T}\mathbf{z}',\tag{17}$$

where

$$\mathbf{z}' = \mathbf{B}\mathbf{V}\mathbf{x} + \mathbf{e}' = \mathbf{U}'\mathbf{S}'\mathbf{V}'^T\mathbf{V}\mathbf{x} + \mathbf{e}',\tag{18}$$

where *U*<sup>0</sup> , *V*<sup>0</sup> , *S*<sup>0</sup> are SVD of matrix *B*. Substituting (18) into (17), we get:

$$z'' = \mathbb{C}x + \tilde{e},\tag{19}$$

where *C* ¼ *S*<sup>0</sup> *<sup>V</sup>*0*TV*, <sup>~</sup>*<sup>e</sup>* <sup>¼</sup> *<sup>U</sup>*0*<sup>T</sup> e*0 . Since matrix C is not a diagonal one in this case, their optimal decoding be the following:

$$
\tilde{\mathfrak{X}} = \arg\min \| \mathbf{z}'' - \mathbf{C} \mathbf{x} \|, \tag{20}
$$

wherek k� is Euclidian norm in *<sup>n</sup>*. Solution of problem (20) is known as *hard CVP problem* and it was proved in [12] that it has exponential complexity with respect to the number of antennas *n* if the following condition holds:

*Advance in Keyless Cryptography DOI: http://dx.doi.org/10.5772/intechopen.104429*

$$
\sigma\_w^2 \bar{\sigma}\_e^2 > n^{1/2}
$$

But let us consider suboptimal decoding method after some transform, assuming that matrix *C* is non-singular:

$$\mathbf{C}^{-1}\mathbf{z}'' = \mathbf{x} + \mathbf{C}^{-1}\tilde{\mathbf{e}}$$

Thus suboptimal decoding method can be implemented as follows:

$$
\tilde{\mathbf{x}}\_i = \arg\min |\tilde{\mathbf{z}}\_i - \mathbf{x}\_i|, \ i = 1, \ldots, n,\tag{21}
$$

where ~*zi* is the *i*-th entry of vector *C*�<sup>1</sup> *z*00.

We can see from (21) that complexity of suboptimal decoding procedure is linear on the number *n* of antennas. The efficiency of DGC can be estimated by comparing the bit error rate (BER) for optimal decoding (16) and suboptimal decoding (21). In fact if for some chosen DGC parameters the first BER is satisfactory while the second one is close to ½, then DGC can be termed as secure. In **Table 1** are presented the results of simulation for BER's by (16) and (21) denoted as *p* and *p*<sup>0</sup> , respectively.

We can see from **Table 1** that for all five set of system parameters, DGC is looking as acceptable one because the case *p*<sup>0</sup> ≥ 0*:*3 does not allow to recover a meaningful text. In fact, let us consider 32-ary symmetric noisy channel (in line with 32-ary alphabet of Russian language). Then it is easy to see that *Shannon capacity* of such channel, if every letter is encoded by five bits with BER equal to *p*<sup>0</sup> , is:

$$C = \ $ + (1 - p')^5 \log\_2 (1 - p')^5 + \$  p'(1 - p')^4 \log\_2 \left( p'(1 - p')^4 \right) + \tag{22}$$

$$+ 10p'^2 (1 - p')^3 \log\_2 \left( p'^2 (1 - p')^3 \right) + 10p'^3 (1 - p')^2 \log\_2 \left( p'^3 (1 - p')^2 \right) +$$

$$+ 5p'^4 (1 - p') \log\_2 \left( p'^4 (1 - p') \right) + p'^5 \log\_2 p'^5$$

In **Table 2** are presented the values of channel capacity calculated by (22) for different values *p*<sup>0</sup> .

It is well known that entropy *H* of Russian language lies within interval 1*:*5÷2*:*5 bit/ letter. This means that according to Shannon's theorem, if *H* >*C*, then a reading of meaningful text be impossible. In our case we get that if *p*<sup>0</sup> > 0*:*19 such text decoding cannot be done, that is exactly the thing for every set of parameters in **Table 1**. Moreover, we simulated transmission of Russian meaningful text over the channel


**Table 1.**

*The results of simulation for BER p and p*<sup>0</sup> *with different chosen parameters of DGC.*


#### **Table 2.**

*The values of channel capacity C for different p*<sup>0</sup> *.*

with BER equal to 0*:*19 and have got that only very short words could be readable. Thus we may conclude so far, that DGC is secure against eavesdropping at least for the condition *n*<sup>0</sup> *<sup>r</sup>* ¼ *nr* and the more *n*<sup>0</sup> *<sup>r</sup>* <*nr*. But the following question arises—if such conclusion is true for the case *n*<sup>0</sup> *<sup>r</sup>* >*nr*? In **Table 3** are presented the results of simulation BER's *p*<sup>0</sup> for eavesdropper by suboptimal decoding rule (21) in the case of typical parameters *<sup>σ</sup>*<sup>2</sup> <sup>¼</sup> *<sup>σ</sup>*<sup>2</sup> *<sup>w</sup>* <sup>¼</sup> 4, *<sup>σ</sup>*<sup>2</sup> *<sup>e</sup>* <sup>¼</sup> *<sup>σ</sup>*~<sup>2</sup> *<sup>e</sup>* ¼ 7, *nr* ¼ 100 and different *n*<sup>0</sup> *<sup>r</sup>*, where inverse matrix *<sup>C</sup>*�<sup>1</sup> for rectangular *nr* � *<sup>n</sup>*<sup>0</sup> *<sup>r</sup>* matrix *C* was calculated as *Moore-Penrose pseudo-inverse matrix* to *C*½ � 14 .

We can see from **Table 3** that even small increasing of *n*<sup>0</sup> *<sup>r</sup>* (on 9 antennas) compared to *nr*, results in a drastic degradation of DGC because the symbol error probability *p*<sup>0</sup> becomes for eavesdropper very close to the probability *p* for legitimate users. In order to find out that such "paradox" that contradicts to our intuition appears not due to *"ill-posed" inverse matrices* [13], let us consider a theoretical proof of the bounds for the symbol correct probabilities both for legitimate users and eavesdropper. It is easy to see that decision rule (16) for legitimate users when *xi* ∈ ð Þ 0, 1 is equivalent to the following relation:

$$x'\_i = \begin{cases} \mathbf{0} \text{ if } z''\_i \le \mathbf{S}\_i/\mathbf{2}, \\ \mathbf{1} \text{ if } z''\_i > \mathbf{S}\_i/\mathbf{2}. \end{cases}$$

Thus for the symbol correct probability we get the following lower bound:

$$P\{\mathbf{x}\_i' = \mathbf{x}\_i\} \ge P\{|e\_i| < \mathbf{S}\_i/\mathfrak{Z}\},\tag{23}$$

where *ei* is the *i*-th entry of additive noise vector *e* in (12). Because we assumed before that *ei* � *<sup>N</sup>* 0, *<sup>σ</sup>*<sup>2</sup> *e* we get from (23):


**Table 3.**

*Results of BER p*<sup>0</sup> *simulation for decision rule (21), nr* ¼ 100 *and different n*<sup>0</sup> *<sup>r</sup>* ≥*nr.* *Advance in Keyless Cryptography DOI: http://dx.doi.org/10.5772/intechopen.104429*

$$P\left\{\mathbf{x}\_{i}^{\prime} = \mathbf{x}\_{i}\right\} \ge 2\Phi\left(\frac{\mathbf{S}\_{i}}{2\sigma\_{\epsilon}}\right) \tag{24}$$

where <sup>Φ</sup>ð Þ¼ *<sup>a</sup>* <sup>1</sup>ffiffiffiffi <sup>2</sup>*<sup>π</sup>* <sup>p</sup> <sup>Ð</sup> *<sup>a</sup>* <sup>0</sup> exp � *<sup>t</sup>* 2 2 � �*dt*. The decision rule (21) for eavesdropper will be equivalent to the following one:

$$
\tilde{\boldsymbol{x}}\_i = \begin{cases} \mathbf{0} \text{ if } \tilde{\boldsymbol{z}}\_i \le \mathbf{1}/2, \\\mathbf{1} \text{ if } \tilde{\boldsymbol{z}}\_i > \mathbf{1}/2. \end{cases} \tag{25}
$$

From relation (25) we get the lower bound for correct symbol probability:

$$P\{\bar{\mathbf{x}}\_i = \mathbf{x}\_i\} \ge P\left\{ \left| e\_i'' \right| \le \frac{1}{2} \right\} = 2\Phi\left( \frac{1}{2\sqrt{Var\left\{e\_i''\right\}}} \right),\tag{26}$$

where *e*<sup>00</sup> *<sup>i</sup>* is the *<sup>i</sup>*-th entry of additive noise vector *<sup>e</sup>*<sup>00</sup> <sup>¼</sup> *<sup>C</sup>*�<sup>1</sup> ~*e*. In order to find *Var e*00 *i* � � let us accomplish some matrix transforms:

$$\mathbf{C} = B\mathbf{V} = \mathbf{U}'\mathbf{S}'\mathbf{V}'\mathbf{V},$$

$$\mathbf{C}^{-1} = \mathbf{V}^T\mathbf{V}'(\mathbf{S}')^{-1}\mathbf{U}'^T,$$

$$\mathbf{e}'' = \mathbf{C}^{-1}\tilde{\mathbf{e}} = \mathbf{V}^T\mathbf{V}'(\mathbf{S}')^{-1}\mathbf{U}'^T. \tag{27}$$

Taking into account that *U*<sup>0</sup> is orthogonal matrix and *S*<sup>0</sup> is diagonal one, we get from (27):

$$\operatorname{Var}\{e\_i^{\prime\prime}\} = \bar{\sigma}\_{\epsilon}^2 \sum\_{k=1}^{n\_r} \frac{V\_{ik}^2}{\mathbf{S}\_k^{\prime 2}} \tag{28}$$

where *Vik* are elements of matrix *VTV*<sup>0</sup> and *S*<sup>0</sup> *<sup>k</sup>* elements of matrix *S*<sup>0</sup> . Substituting (28) into (27) we obtain

$$P\{\ddot{\mathbf{x}}\_i = \mathbf{x}\_i\} \ge 2\Phi\left(\frac{1}{2\ddot{\sigma}\_\varepsilon \sqrt{\sum\_{k=1}^{n\_r} \frac{V\_{ik}^2}{S\_k^{r^2}}}}\right) \tag{29}$$

In order to compute theoretically the average value of symbol correct probabilities, it would be necessary to average relations (24) and (29) on the probability distribution of singular values *Sk*, and also on elements of channel matrices *VTV*<sup>0</sup> . Solution to this problem requires a very crude approximations. Therefore we used simulations by (24) and (29). In **Table 4** are presented such results for both legitimate users (*q*) and for eavesdropper (*q*<sup>0</sup> ) with channel parameters: *<sup>σ</sup>*<sup>2</sup> <sup>¼</sup> *<sup>σ</sup>*<sup>2</sup> *<sup>w</sup>* <sup>¼</sup> 7, *<sup>σ</sup>*<sup>2</sup> *<sup>e</sup>* <sup>¼</sup> *<sup>σ</sup>*~<sup>2</sup> *<sup>e</sup>* ¼ 4, *nt* ¼ *nr* ¼ 100 against different numbers *n*<sup>0</sup> *<sup>r</sup>* for eavesdropper antennas.

We can see from this Table that an increasing of the eavesdropper's antennas even till *n*<sup>0</sup> *<sup>r</sup>* ¼ 105 results in equality of values *q* and *q*<sup>0</sup> that is in line with our previous claiming. Thus we can conclude that a compromising of DGC after a small increment of the eavesdropper antenna numbers against legitimate user antenna numbers is the


#### **Table 4.**

*The symbol correct probabilities obtained by simulation of averaged bounds for q (24) and for q*<sup>0</sup> *(29).*

proved fact but not a consequence of an ill-conditioned matrix property. On the other hand, legitimate users executing DGC do not take for granted that the condition *n*0 *<sup>r</sup>* ≤*nr* holds. In the paper [14] it was proposed to change matrix *V* in "precoding" procedure to another matrix. In particular, authors of the current paper have proved that a choice of matrix *A*�<sup>1</sup> as precoding one has some advantages, namely a growth of some parameter "advantage" (introduced in [14]) for legitimate users proportional to *<sup>n</sup>*<sup>2</sup> if *<sup>n</sup>* <sup>¼</sup> *nt* <sup>¼</sup> *nr* <sup>¼</sup> *<sup>n</sup>*<sup>0</sup> *<sup>r</sup>*. Such approach means that a precoding procedure is simply "canceling of channel fading".

However in the case of such precoding we face with a growing of the transmitter power. In **Table 5** are presented the results of the average transmitter power calculated for the case of precoding with matrix *A*�<sup>1</sup> , and obtained by simulation for *n* ¼ *nt* ¼ *nr* ¼ *n*<sup>0</sup> *<sup>r</sup>* ¼ 100 on different sessions with 10,000 realizations for each session.

We can see from **Table 5** that the use of *inverse precoding* results in a drastic growing of the required transmission power and to a large fluctuations on each of sessions that makes such approach impracticable (we note that such power was equal to be *<sup>n</sup>*<sup>2</sup> <sup>¼</sup> <sup>10</sup><sup>4</sup> only for ordinary encoding by matrix *<sup>V</sup>*). It seems to be acceptable to use for a precoding *<sup>V</sup>* <sup>¼</sup> *<sup>A</sup>*�<sup>1</sup> only in the case with the required transmitter power *P*<sup>0</sup> ≤*Ptr* where *Ptr* is some reasonable threshold and ordinary matrix *V* otherwise. But such approach requires further investigations.

There is one more problem with practical implementation of DGC. It is a correct estimation of the channel matrix *A* by legitimate users. Of course, they may do it by a sending of special test signal from user A to user B and back from B to A during a coherent time of legitimate channel, when matrix *A* holds practically constant. But any way it will result in some matrix *A* corruption. In **Table 6** are given our simulation results for symbol error probabilities that obtain legitimate users if they estimate elements of the channel matrix *A* with Gaussian noise error having variance *σ*<sup>2</sup> *<sup>ε</sup>* . We can see from **Table 6** that a correctness of matrix element estimation affects very strong on the symbol error probabilities. It is possible to neglect such incorrectness


#### **Table 5.**

*Average transmitter power P*<sup>0</sup> *with precoding matrix A*�<sup>1</sup> *for different sessions.*


**Table 6.**

*Results of symbol error probabilities for legitimate users under the incorrect estimation of channel elements with variance σ*<sup>2</sup> *ε .*

only if signal-to-noise ratio for legitimate users is about 30-40 dB that is sufficiently high requirement.

Concluding the Section 3 we may say that theoretically would be interesting to develop further DGC in the direction of improving precoding algorithm. But according to our opinion, practical implementation of such approach is very sensitive to channel and system parameters (SNR for eavesdropper and their antenna numbers). It is worth to note also that it is not so dangerous to face with unfavorable parameters for DGC implementation as the fact that these parameters cannot be controlled by legitimate users and hence they are unable to match with parameters of DGC. In the Section 5 we consider protocol that is completely invariant to channel parameters.
