Towards a Cryptographic Model for Wireless Communication
Frederik Armknecht and Christian M
¨
uller
University of Mannheim, Mannheim, Germany
Keywords:
Wireless Communication, Attacker Model, Physical Properties, Distance Bounding, Friendly Jamming.
Abstract:
The Man-in-the-Middle Model (MitMM) is commonly used in cryptography for modeling an attacker in multi-
party scenarios. It essentially assumes that the attacker fully controls the communication between all parties,
i. e., can stop and modify messages at her discretion. We argue that this model is too strong for realistically
capturing the case of wireless communication. In consequence, schemes that exploit properties of wireless
communication such as friendly jamming or distance bounding, cannot be analyzed in a common frame-
work. Moreover, the lack of an appropriate model hinders the development of new schemes. Given the
ever-increasing importance of wireless communication, e. g., in the context of the Internet of Things, we pro-
pose a new formal model for wireless communication. Starting from the formal MitMM, we identify three key
aspects communication channels, signals, and locality that are not represented, explain how to extend the
model accordingly, and propose a tailored WCM. Based thereon, we explain how these limit the capabilities
of an attacker in the form of a WAM. Moreover, we demonstrate for an existing security mechanism, namely
friendly jamming, which is not covered by the MitMM how the new model allows for analyzing/formalizing
the security.
1 INTRODUCTION
Security models are fundamental for unambiguously
analyzing or proving the security of cryptographic
schemes by formalizing security goals and attacker
models. While the security goals may vary between
different use cases, the attacker model is usually more
universal. For typical scenarios involving two or
more communicating parties, the so-called Man-in-
the-Middle Model (MitMM) introduced by (Dolev
and Yao, 1983) is commonly utilized in which the at-
tacker is assumed to have full control over the com-
munication, e. g., message eavesdropping, delaying,
or modification.
This work at hand is motivated by the observa-
tion that the MitMM can be too strong in the case of
wireless communication. Without doubt, considering
a very strong attacker model is often necessary and
useful, i. e., if certain capabilities of an attacker can-
not be excluded, assume the worst case; if a mech-
anism provides security against a strong attacker, so
does it for weaker (and potentially more realistic) at-
tackers.
We claim, however, that the situation is differ-
ent for wireless communication. First, academic and
industrial research produced various security mecha-
nisms which, regarding the security, cannot be prop-
erly addressed in the MitMM. The probably best
known example are Distance Bounding (DB) proto-
cols (e. g., (Brands and Chaum, 1994; Hancke and
Kuhn, 2005)). But also other existing schemes can-
not be analyzed adequately in the model, e. g., the
shield for Implantable Medical Devices (IMDs) by
(Gollakota et al., 2011), or other friendly jamming
approaches (e. g., (Shen et al., 2013; Berger et al.,
2014)).
Second, the development of new schemes is hin-
dered: mechanisms may be rejected as they are in-
secure in the MitMM, while they may be secure in
practice. More precisely, some assumptions made
in the MitMM about the attacker’s capabilities typi-
cally do not hold in wireless networks due to physi-
cal laws. For instance, a transmitted message spreads
like a wave in every direction from the sender. Nor-
mally, an attacker cannot influence the wave which
is on the opposite side of the sender. Also, modify-
ing messages is not directly possible as all an attacker
can do is to send signals on her own which then in-
terfere with the other parties’ signals. For example,
(P
¨
opper et al., 2011) showed that, in wireless com-
munication networks, reliable and targeted manipula-
tion of messages is difficult in practice. (Avoine et al.,
Armknecht, F. and Müller, C.
Towards a Cryptographic Model for Wireless Communication.
DOI: 10.5220/0012809300003767
Paper published under CC license (CC BY-NC-ND 4.0)
In Proceedings of the 21st International Conference on Security and Cryptography (SECRYPT 2024), pages 249-261
ISBN: 978-989-758-709-2; ISSN: 2184-7711
Proceedings Copyright © 2024 by SCITEPRESS Science and Technology Publications, Lda.
249
2021) likewise criticize that existing formal models
make impractical assumptions.
1
Given these shortcomings, we see the benefits of a
model tailored to wireless communication as an alter-
native to the MitMM. This is particularly true given
the ever increasing relevance of wireless communi-
cation as, e. g., the Internet of Things (IoT), with a
forecast of 27.0 billion IoT devices by the end of
2025 (Mohammad Hasan, 2022), connects a plethora
of devices in wireless networks and over the Inter-
net. There is a strong demand for appropriate secu-
rity measures to protect IoT devices and users against
misuse and malicious behavior.
Our contributions and structure of the paper are:
In Sec. 2, we identify several properties of wire-
less networks that are not (or not correctly) cov-
ered by the MitMM and categorize these as com-
munication channels, signals, or locality.
Starting from the MitMM, we introduce a new
model for wireless communication, dubbed Wire-
less Communication Model (WCM), in Sec. 3.
In Sec. 4, we discuss how the WCM may impact
an attacker’s capabilities, resulting in the Wireless
Attacker Model (WAM).
We demonstrate how WCM and WAM can be
used for formalizing/analyzing several existing
security mechanisms that could not be properly
represented by the MitMM, namely DB protocols
and friendly jamming, in Sec. 5.
Sec. 6 summarizes related work and concludes
this work.
We hope the new model allows for founded and
comparable security research in this important area
and helps to develop novel security mechanisms that
would be unthinkable in the traditional model.
2 MOTIVATION
This section motivates the need for a dedicated se-
curity model for wireless networks. First, we recall
the established MitMM and highlight shortcomings
regarding peculiarities of wireless communication.
We categorize these as: communication channels
(Sec. 2.2), signals (Sec. 2.3), and locality (Sec. 2.4).
For each of these, we describe the situation in wire-
less networks, discuss why it is not represented in the
MitMM and why it needs to be integrated, and sum-
marize these findings as “lessons learned”. The latter
form the basis for our WCM introduced in Sec. 3.
1
More shortcomings of the MitMM in the case of wire-
less communication are discussed in Sec. 2.
2.1 The Man-in-the-Middle Model
In the following, we recall the MitMM introduced
by (Dolev and Yao, 1983), using the formulation as
given by (Katz, 2002). Note that we are only inter-
ested in modeling the capabilities of an attacker to in-
tercept and modify messages that are exchanged be-
tween communicating parties.
The system in the MitMM comprises a finite set
of parties Π that are modeled as Interactive Turing
Machines (ITMs). In a nutshell, an ITM extends the
classic probabilistic Turing machine by including (be-
sides the work tape, random tape, and auxiliary tapes)
an additional read-only communication-in (comm-in)
tape and an additional write-only communication-out
(comm-out) tape that allow for receiving messages
from and sending messages to other ITMs, respec-
tively. We refer to (Katz, 2002, Definition 2.1) for
a full definition. The MitMM assumes that all com-
munication between the parties in Π is under control
of an attacker A. This is captured by the notion of be-
ing linked via A. As a consequence, in the MitMM,
all communication between any of the parties in Π is
“routed” through A and she may decide for any in-
coming message whether it will be forwarded and, if
so, whether it is modified beforehand. We refer to
(Katz, 2002, Definition 2.2) for a full definition.
2.2 Communication Channels
2.2.1 Description
Wireless communication utilizes a shared and open
medium composed of one or several physical chan-
nels, i. e., ultimately, any communication channel is
realized through at least one physical channel.
Examples for systems using a single physical
channel for communication are Wireless Personal
Area Networks, e. g., based on IEEE 802.15.4 (IEEE,
2011), and Wireless Local Area Networks (WLANs),
e. g., WLAN with Direct-Sequence Spread Spec-
trum (IEEE, 1997). In contrast, mobile telephony net-
works, such as those based on GSM or 5G, and the
satellite telephony services based on Inmarsat, utilize
separate channels for sending and receiving data (El-
bert, 2008).
2.2.2 Discussion
In the MitMM, each party has access to exactly one
comm-out tape and each of these is directly linked to a
comm-in tape of the adversary (cf. (Katz, 2002, Def-
inition 2.2)), thus forming the only available commu-
nication channel to any party.
SECRYPT 2024 - 21st International Conference on Security and Cryptography
250
A wireless communication channel is realized
through the use of at least one physical channel. Thus,
if more than one physical channel is available, sev-
eral communication channels may be established be-
tween two parties. In fact, techniques like Frequency-
Hopping Spread Spectrum (FHSS), as used for exam-
ple in Bluetooth (Bluetooth SIG, 2016) and WLAN
with FHSS (IEEE, 1997), cannot be expressed by us-
ing one communication channel only.
Moreover, these physical channels are open to
anyone. In principle, messages transmitted on these
channels can be received by any party that listens on
the same channel. As we detail further in Sec. 2.3.2,
this limits the possibilities of an attacker.
2.2.3 Lessons Learned
A wireless communication model should allow par-
ties to establish several communication channels
which are open to everyone.
2.3 Signals
2.3.1 Description
In wireless communication, messages are encoded
into sinusoidal waves, using different modulation
schemes. Moreover, these are sent with a certain
amount of power, which a receiver perceives as so-
called signal strength and which is often simply repre-
sented as Received Signal Strength Indicator (RSSI).
2.3.2 Discussion
Whenever two parties send messages at the same time
on the same physical channel, these messages can col-
lide. This can lead to cancellation, amplification, or
other modification of the resulting signal. In fact, this
is the only technical possibility for an attacker to mod-
ify messages.
In the MitMM, a user cannot detect whether mes-
sages sent to him have been blocked. This is no longer
true for wireless communication where jamming de-
tection is possible. A simple form of it relies on the
RSSI, e. g., if packet errors occur during reception but
the corresponding RSSI is high, then the transmission
was probably jammed. This form of jamming detec-
tion has been extensively studied, e. g., by (Xu et al.,
2005) or by (Grover et al., 2014) in the form of a sys-
tematic overview of jamming and detection methods.
Interestingly, jamming may also be employed for
providing message confidentiality (so-called friendly
jamming), e. g., as shown by (Gollakota et al., 2011).
In their paper, they use the proximity between two de-
vices to mitigate eavesdropping and, furthermore, uti-
lize jamming for achieving their goal. That is, delib-
erately sending another signal whenever a transmis-
sion is going on renders the original message unde-
codable for other parties except for the, in this case,
benign jammer, who, using the advantage of know-
ing the jamming signal, reconstructs the original mes-
sage after all. In Sec. 5.1, we use the proposed model
to formalize the security of such a friendly jamming
scheme.
2.3.3 Lessons Learned
The fact that messages are modulated onto physi-
cal signals affects an attacker’s capabilities, possi-
ble countermeasures, and the development of new
schemes. Thus, a wireless communication model
needs to cover physical signals, including signal col-
lisions and jamming.
2.4 Locality
2.4.1 Description
When a party sends a signal at some point in time,
it arrives at another party with a time delay that de-
pends on the distance between sender and receiver.
Moreover, the distance affects the signal strength
of the perceived signal which eventually determines
whether the recipient gets the message or not.
2.4.2 Discussion
In the MitMM, the concepts of time and space are
non-existent. However, for wireless communication,
the situation is different. For instance, while travel-
ing, signals may suffer from path loss and fading, es-
pecially when running through barriers in-between. If
the signal strength falls below the noise level, trans-
mitted data may become irretrievable. This impacts
the connectivity of parties and an attacker’s capabili-
ties to jam messages, e. g., the attacker might not re-
ceive the message she wants to jam, or the attacker’s
signal might be too weak to be received by the tar-
geted party. In fact, the properties of time and space
have been discussed for novel security measures in
wireless systems.
In the time domain, a compelling example is the
area of DB protocols, e. g., (Brands and Chaum, 1994;
Hancke and Kuhn, 2005; Tippenhauer and
ˇ
Capkun,
2009; Rasmussen and Capkun, 2010; Ranganathan
et al., 2012; Boureanu et al., 2015; Drimer and Mur-
doch, 2007). These build on ideas presented by
(Desmedt et al., 1988). DB protocols consider the
round trip delay of (two) communicating parties, thus,
providing an upper bound to their distance.
Towards a Cryptographic Model for Wireless Communication
251
The property of space can also be utilized as
a security measure. For example, ZigBee Light
Link (ZigBee Alliance, 2012) uses signal strength
measurements to determine proximity of two parties.
Besides the available power for sending and receiv-
ing, the RSSI is mainly influenced by physical quan-
tities, i. e., path loss and distance between sender and
receiver. In practice, the distance is easily measur-
able, while the path loss varies over time and is af-
fected by its environment and actual physical condi-
tions, even if the distance remains constant. That is,
when two parties establish a communication channel,
an eavesdropper’s view of that channel de-correlates
rapidly with distance (Zenger et al., 2016; Eberz et al.,
2012). (Hershey et al., 1995) proposed to use the
physical environment to establish common shared in-
formation between two parties, which is unique for
these two at that point in time and space.
2.4.3 Lessons Learned
In the MitMM, the attacker is omnipresent, i. e., she
controls all communication. This is not given in wire-
less networks where an attacker’s position in relation
to the other parties is relevant. Even if an attacker
comprises several parties at different locations, the
communication between these are likewise subject to
the restrictions discussed above. That is, a model
should integrate the concept of relative positions of
parties and the influence on the communication.
3 WIRELESS COMMUNICATION
MODEL
Next, we introduce a formal model for wireless
communication on the Physical Layer (PHY) of the
OSI model, dubbed Wireless Communication Model
(WCM). To this end, we explain how the model ad-
dresses each of the three identified aspects, i. e., chan-
nels (cf. Sec. 2.2), signals (cf. Sec. 2.3), and locality
(cf. Sec. 2.4).
We stress that the aim of the model is to repre-
sent wireless communication only, i. e., parties may
have further means to communicate, e. g., being di-
rectly wired. In some scenarios, it may be reason-
able to add further communication tapes to the model
to also cover non-wireless communication. However,
such communication channels can be modeled “clas-
sically” and are hence out of scope.
3.1 Communication Channels in the
WCM
We assume a set of parties Π and an attacker A.
Like in the MitMM, they are modeled as probabilis-
tic ITMs (see (Katz, 2002, Definition 2.1)). To model
the wireless communication between different parties
(including A), we likewise adopt the concept of com-
munication tapes. However, there are several differ-
ences:
Cells contain physical signals σ (cf. Sec. 3.2).
We assume (for unique referencing of parallel ac-
tivities and to capture the notion of time) a global
discrete timer that divides the flow of time into
time slots t N with t + 1 following t and so on.
We assume a system-wide parameter chs that de-
notes the total number of publicly available phys-
ical channels, and also an ordering on these chan-
nels.
Contrary to (Katz, 2002, Definition 2.2):
We assume that any party P (including any at-
tacker A) has exactly chs comm-in and chs comm-
out tapes, denoted by (CT
in
)
P
1
,...,(CT
in
)
P
chs
and
(CT
out
)
P
1
,...,(CT
out
)
P
chs
, respectively.
(CT
in
)
P
i
and (CT
out
)
P
i
are connected to the i-th
physical channel.
The number of the attacker’s comm-out tapes only
depends on chs.
For any communication tape CT (either in or
out), CT[ j] denotes the j-th cell of this specific tape.
Comm-out tapes are write-only and comm-in tapes
are read-only tapes. That is, a party can write to a
cell of any of its comm-out tapes and read from a cell
of any of its comm-in tapes. However, reading from
and writing to any cell but the current one are not pos-
sible, i. e., any party P (including A) can only read or
write to the t-th cell where t denotes the current time
slot.
2
The reason for this design decision is that the tapes
model the physical channels used for communication.
Reading or writing correspond to eavesdropping on
and demodulating signals or sending modulated sig-
nals on these frequencies. Once a signal passed a
party, it cannot be eavesdropped on anymore. Once
a signal is sent, this action cannot be taken back.
Furthermore, any party can only access one cell at
the same time, i. e., it can either read from or write
to a single communication tape. The motivation for
this design decision is as follows. In cryptography,
2
There are no restrictions on storing data read from a
tape in the past or preparing data to be written in the future.
SECRYPT 2024 - 21st International Conference on Security and Cryptography
252
parties are commonly modeled as Turing machines
which in turn model single task algorithms. For tech-
nical reasons, sending and receiving at the same time
or accessing several physical channels require sepa-
rate devices. Thus, a party in our model represents
the smallest processing unit that may operate on its
own. Note that we do not exclude that, in practice,
an attacker may have access to several physical chan-
nels at the same time. However, formally this would
be expressed by several parties that interact with each
other, possibly using some non-wireless communica-
tion channels. Like in the MitMM, this is not particu-
larly expressed within the model but it is straightfor-
ward to include this.
We stress that, in our model, we assume each
physical channel to be loosely synchronized with the
global timer in the sense that a communication tape’s
cell corresponds exactly to the duration of one signal
period of the underlying carrier frequency. In other
words, each communication channel moves forward
with the same speed as the others.
3.2 Signals in the WCM
Communication parties are usually oblivious to the
fact that, on the PHY, signals are used to transport the
messages. However, as discussed in Secs. 2.3 and 2.4,
physical signals may interfere or be delayed which
eventually impacts the messages received by the par-
ties. Given that the main intention of the proposed
model is to express the capabilities of an attacker to
impact wireless communication, we discuss the con-
nection between physical signals on the one hand, and
the messages sent and received by parties on the other
hand in the following.
3.2.1 Physical Signals
Physical signals are commonly represented by sinu-
soidal waves, e. g., formalized as
A(t) · sin(2π f t +ϕ(t)) (1)
with the following parameters: the amplitude A R
0
(correlated to the signal strength), the frequency f
R
>0
(1/ f gives the signal’s period), and the phase
shift ϕ with 0 ϕ < 2π (the phase shift of the signal
compared to a non-shifted sine signal). Consequently,
we model a signal σ by this triple of parameters.
Definition 1 (Signals and Signal Space). A signal σ is
defined as σ = (A, f ,ϕ) Σ where Σ = R
0
× R
>0
×
[0;2π) denotes the signal space.
The term 0 refers to the signal with A = 0.
In our model, σ refers to the information about a
physical signal stored in one slot of a communication
tape. That is, it represents the state of a signal during
a particular time slot. We consider all components
of σ to be constant for the duration of one time slot,
which is why the amplitude A and the phase shift ϕ
are represented as scalars rather than time-dependent
functions. Practically, 0 refers to the case that no sig-
nal is present. In particular, an empty cell contains
this term.
As signals are considered to be periodic, one can
phase-shift any signal by shifting the signal along the
time axis. Formally, we introduce the Shift operation
for for this.
Definition 2. The Shift operation changes the phase
of a given signal by a given parameter. It is defined
as Shift : [0;2π) × Σ Σ. Let ϕ
0
[0;2π) be a phase
shift value and σ = (A, f ,ϕ) Σ a signal, then,
Shift(ϕ
0
,σ) := Shift
ϕ
0
(σ)
:=
A, f ,ϕ + ϕ
0
ϕ + ϕ
0
2π

. (2)
3.2.2 Modulation and Demodulation
When two parties are communicating, they usually
exchange messages composed of message symbols
µ M where M denotes the message alphabet. Tech-
nically, this requires to transform message symbols
into physical signals (modulation) and vice versa (de-
modulation), being defined as follows.
Definition 3 (Modulation and Demodulation). The
modulation function Mod converts a message µ into
a sequence of ρ signals to be sent over the air. It
takes as input a message symbol µ M and the signal
strength parameter s R
>0
and encodes these into ρ
signals σ
1
,...,σ
ρ
. Note that this factor, ρ, is inherent
to and depending on the chosen modulation scheme.
That is, we have
Mod : M × R
>0
Σ
ρ
,(µ,s) 7→
σ
1
,...,σ
ρ
. (3)
Correspondingly, the demodulation function
Demod takes as input ρ signals σ
1
,...,σ
ρ
and
outputs a message symbol µ M (or, in case that
demodulation is not possible, it outputs ):
Demod : Σ
ρ
M
{
}
,
σ
1
,...,σ
ρ
7→ µ. (4)
Demod is the inverse function of Mod if the signal
strength is sufficiently strong. That is, it holds for all
µ M that
Demod(Mod(µ, s)) = µ (5)
if s τ for some threshold τ.
Depending on the specific modulation scheme, not
all signal parameters may influence the demodulation
Towards a Cryptographic Model for Wireless Communication
253
with regard to the extracted message, e. g., when us-
ing phase shift keying, the amplitude and frequency
are only needed to identify the signal, but have no
influence on the actual encoded information as this
only depends on the observed phase shift compared
to the underlying carrier frequency. A low amplitude,
however, may prevent a receiver from successfully
demodulating signals into messages.
3.2.3 Sending and Receiving Message Symbols
Sending a message symbol µ means to modulate it
into a sequence σ
1
,...,σ
ρ
of signals with respect to
some signal strength s, using the Mod function, and to
send these over one of the communication channels,
by writing each signal σ
i
on a comm-out tape. This
procedure is formally captured by the Send operation.
Definition 4 (The Send Operation). The Send oper-
ation takes as input a triple (CT,µ, s) where CT is
a comm-out tape of P , µ M is a message symbol,
and s R
>0
represents a signal strength. It involves
to execute first Mod(µ,s) to get a sequence of ρ sig-
nals σ
1
,...,σ
ρ
. These are written step-by-step onto
the tape CT. Note that Send does not specify the in-
tended recipient of the message symbol µ but the com-
munication channel. Recall that during one time slot,
a party P can only write to the t-th cell. That is, the
writing procedure is formally equivalent to setting ρ
consecutive cells of CT as follows:
CT[t] := σ
1
,...,CT[t + ρ 1] := σ
ρ
. (6)
Therefore, the Send operation influences the current
and the next ρ 1 cells of the comm-out tape CT,
which, in total, takes ρ time slots to perform.
We extend the notation to the case of sending
messages: for a message m = (µ
1
,...,µ
), we de-
fine by Send(CT,m, s) the sequence of operations
Send(CT,µ
i
,s), i = 1, .. ., .
Likewise, parties can receive message symbols
from their comm-in tapes and only from these.
Definition 5 (The Receive Operation). The Receive
operation takes as input a comm-in tape CT. It reads
out the current ρ entries of CT, i. e., CT[t],...,CT[t +
ρ1]. Given this, Demod(CT[t],. .. ,CT[t +ρ1]) is
executed to get a message symbol µ M {⊥}. Then,
µ represents the output of Receive.
Since the Demod function requires ρ signals for
extracting a message, and as there is no possibility to
receive future signals in advance, this definition im-
plies that Receive needs to wait for ρ time slots for
returning a message µ, i. e., until the demodulation
function received enough signals to return a message
symbol µ ̸= .
3.2.4 Signal Collision
As the parties may share the same physical channel,
different signals might collide. Formally, this means
that parallel writing on communication tapes is possi-
ble, in contrast to the MitMM. This and the fact that
accessing communication cells “from the past” is not
possible, imply that the WCM is not message-driven.
For two signals σ,σ
Σ, we denote by
σ + σ
(7)
the resulting signal. That is, if two different signals
σ and σ
are simultaneously received on the same
tape CT, then σ + σ
appears on the tape instead (see
Sec. 3.3 for more details).
The concrete working of the collision depends on
the underlying physical channel and the selected mod-
ulation/demodulation procedures.
Nonetheless, some properties hold in all cases.
For instance, it holds that
σ + 0 = 0 + σ = σ (8)
for all signals σ. Furthermore, collision is commuta-
tive and associative:
σ + σ
= σ
+ σ and σ + (σ
+ σ
′′
) = (σ + σ
) + σ
′′
.
(9)
Collision is also commutative with respect to Shift,
i. e.,
Shift
ϕ
(σ + σ
) = Shift
ϕ
(σ) + Shift
ϕ
(σ
) .
In some special cases, the signals amplify or an-
nihilate each other, depending on their relative phase
shift. More precisely, it holds
(A, f ,ϕ) + (A
, f ,ϕ) = (A + A
, f ,ϕ) (10)
(A, f ,ϕ) + (A
, f ,ϕ + π)
=
(
(A A
, f ,ϕ), if A A
(A
A, f , ϕ + π), else.
(11)
In particular, (A, f , ϕ) + (A, f , ϕ + π) = 0. Conse-
quently, we define for a given signal σ = (A, f ,ϕ) its
inverse as
σ := (A, f ,ϕ + π) . (12)
Channels are characterized by signals that share
the same frequency f within a certain bandwidth.
These are usually chosen such that the interference
between different channels is as small as possible.
3
For these reasons, we focus on collisions of signals
that occur on the same channel. Moreover, for a given
frequency f , we use the term Σ
f
to refer to the set
3
For instance, in IEEE 802.15.4 the channels in the
2.4GHz band are non-overlapping as they are 5 MHz apart
with a bandwidth of 2MHz (IEEE, 2011).
SECRYPT 2024 - 21st International Conference on Security and Cryptography
254
of signals that have f as frequency (approximately).
That is, signals belong to the same channel if and only
if they are elements of the same space Σ
f
for a se-
lected frequency f . It holds for any frequency f that
σ,σ
Σ
f
σ + σ
Σ
f
. (13)
Formally, this means that Σ
f
is closed under +. To-
gether with the properties mentioned above, it follows
that (Σ
f
,+) forms a commutative group. This view
is for example helpful when describing the effects of
jamming, e. g., see Sec. 5.1.
3.3 Locality in the WCM
In wireless communication, signals are physical ob-
jects. This has a number of consequences that are
not covered by the MitMM, e. g., multiple signals
can collide, yielding different resulting signals (cf.
Sec. 3.2.4). Further relevant aspects are:
1. Once a party sends a signal, it takes time until it
reaches another party.
2. During transmission, the signal strength may de-
crease.
To represent these aspects, we adopt and extend the
notion of being linked (cf. (Katz, 2002, Definition
2.2)). Due to the fact that all parties rely on public
physical channels, any two parties are linked in the
sense that, potentially, messages can be exchanged.
Here, we also have to take into account their relative
locations. To this end, we propose the following for-
mal definition of linkage:
Definition 6 (Linkage between two parties). Con-
sider two parties P , P
Π {A} with P ̸= P
. The
linkage from P to P
, denoted by Link(P ,P
), is de-
fined by a tuple
Link(P ,P
) = (δ; λ
1
,...,λ
chs
) (14)
where
δ N
0
is a non-negative integer, representing the
time delay, and
λ
i
: Σ Σ is a probabilistic procedure, dubbed
linkage procedure, that expresses how a signal
sent by P (using the i-th comm-out tape) arrives
at P
on the i-th comm-in tape.
The linkage between two parties expresses when
and what kind of signal arrives at P
if P sends some
signal. As an example, the expected path loss due
to the distance between sender and recipient could be
expressed by λ
i
(A, f ,ϕ) = (A
, f ,ϕ) with A
< A.
Another example is a channel-induced phase shift
on transmitted signals. Assume that P and P
have
a physical distance d to each other which has the
form d = δ ·
c
f
i
+ r = δ ·
c
f
i
+ ϕ
i
·
c
2π f
i
, with an inte-
ger δ 0, the speed of light constant c, the i-th com-
munication channel’s carrier frequency f
i
, and the re-
mainder r with 0 r <
c
f
i
. That is, d is not a mul-
tiple of the carrier frequency’s wavelength. Then,
λ
i
(A, f ,ϕ) = (A
, f
,ϕ + 2π ϕ
i
) = (A
, f
,ϕ
).
Recall that we have one linkage procedure λ
i
per
channel with a total of chs available channels and a
fixed order (cf. Sec. 3.1). Now, assume that some
party P writes a signal σ on one of its comm-out tapes
(CT
out
)
P
i
, i. e., (CT
out
)
P
i
[t] := σ. Writing on CT auto-
matically affects all comm-in tapes of parties that are
linked to P . That is, let P
̸= P be some other party
and let Link(P , P
) = (δ;λ
1
,...,λ
chs
) be the linkage
between P and P
. The procedure of P writing σ into
the cell (CT
out
)
P
i
[t] impacts the content of the corre-
sponding comm-in tape (CT
in
)
P
i
for party P
̸= P as
follows:
(CT
in
)
P
i
[t +δ] := λ
i
(σ) + (CT
in
)
P
i
[t +δ] . (15)
That is, the signal which is already existing on
(CT
in
)
P
i
, expressed by (CT
in
)
P
i
[t + δ], is updated to
λ
i
(σ) + (CT
in
)
P
i
[t + δ]. This definition allows to
cover the aspects mentioned above:
1. When party P sends a signal σ at some point in
time t, σ reaches P
only with some time delay
δ. That is, P writes on cell (CT
out
)
P
i
[t], i. e., with
index t, but this affects (CT
in
)
P
i
[t +δ], i. e., δ time
slots later.
2. σ physically traverses the space between P and P
and arrives as λ
i
(σ) at P
.
3. If there is already a signal present on the tape’s
targeted cell (CT
in
)
P
i
[t + δ], then it collides with
λ
i
(σ) (cf. Eq. (15)).
A schematic overview is depicted in Fig. 1.
Finally, we introduce two notions with respect to
the time delay:
Definition 7 (Time Delay Symmetry and Triangle In-
equality). Consider a set of parties Π and their link-
ages Link(P , P
) for any P ̸= P
Π. We denote by
δ
P ,P
the time delay in Link(P ,P
).
We say that the time delay parameter is symmetric
with respect to these linkages if it holds for any P ̸=
P
Π that
δ
P ,P
= δ
P
,P
. (16)
Moreover, we say that the time delay parameter ful-
fills the triangle inequality if it holds for any pairwise
distinct P ,P
,P
′′
Π that
δ
P ,P
′′
δ
P ,P
+ δ
P
,P
′′
. (17)
Towards a Cryptographic Model for Wireless Communication
255
t
σ
(CT
out
)
P
i
t +δ
λ
i
(σ)
(CT
in
)
P
i
+δ
Figure 1: Linkage from (CT
out
)
P
i
to (CT
in
)
P
i
with delay δ.
If not stated otherwise, in the following, we as-
sume that the delays of the different linkages are sym-
metric and fulfill the triangle inequality.
4
4 WIRELESS ATTACKER MODEL
Recall that in the MitMM, an attacker is mainly char-
acterized by her ability to stop, forward, and mod-
ify messages at her wish. In the following, we dis-
cuss if and to what extent this is still given in the
WCM. To this end, we introduce the Wireless At-
tacker Model (WAM). In Sec. 4.1, we explain an at-
tacker’s alleged capabilities. Based on this, we inves-
tigate the possibilities for jamming (tampering with)
signals in Sec. 4.2.
4.1 Capabilities
Analogous to the MitMM, for the WAM, we con-
sider an attacker who is completely characterized by
her abilities to access her communication tapes. This
means she can send signals by writing to her comm-
out tapes and receive signals by reading from her
comm-in tapes. Furthermore, the attacker is non-
invasive in the sense that she does not tamper with the
parties or the environment, but only sends or receives
signals. However, an attacker is not restricted in her
choice of signals. That is, the signals do not need
to be related to the modulation of a message symbol.
Of course, she may still choose to use Mod and Send
functions for communicating.
Moreover, we assume that the attacker has full
knowledge about the communication channels be-
tween her and other parties. Formally, thus, the at-
tacker A knows Link(A ,P ) and Link(P , A) for all
P Π. On the other hand, linkages between any two
parties P , P
Π not involving the attacker are only
4
In fact, we cannot think of any contradictory practical
scenario.
partially known to her. As motivated in Sec. 2.4.2,
A only knows the respective delay parameter δ of
Link(P ,P
), while the λ
i
remain secret.
4.2 Jamming (Modification) of Signals
In the field of wireless communication, jamming
refers to any intentional interference with signals and
possible modifications thereof. Hence, we use jam-
ming to express any change of the signal incurred by
an attacker. One important difference between tam-
pering in the MitMM and jamming in the WCM is
that, in the latter, messages are composed of message
symbols which are modulated into a sequence of ρ
signals. Thus, whether the alteration of signals results
in any changes in the message received by P
depends
at least on the demodulation procedure Demod and
how the semantic message is derived from the mes-
sage symbols. For example, a flip of a single bit might
render a message unreadable if this change violates
some checksum or have no effect if some error cor-
rection codes are used. So, we focus only on if and
how an attacker may change signals and leave the dis-
cussion on the impact on messages to the individual
scenarios.
For the discussion on jamming signals, consider
two parties P , P
. At time t, P sends a signal σ to P
,
i. e., writes σ on one of its comm-out tapes (CT
out
)
P
i
.
Let the linkage between P and P
be denoted by
Link(P ,P
) =
δ
P ,P
;λ
1
,...,λ
chs
. If no other signals
are present on the same channel, then,
(CT
in
)
P
i
[t +δ
P ,P
] = λ
i
(CT
out
)
P
i
[t]
(18)
represents the signal received by P
.
For A, the only option to influence σ is to send
her own signal such that it collides with the signal re-
ceived by P
. Let Link(A,P
) =
δ
A,P
;λ
1
,...,λ
chs
be the linkage between A and P
. Then, jam-
ming means to achieve a collision (CT
in
)
P
i
[t +
δ
P ,P
] = σ + σ
with σ = λ
i
(CT
out
)
P
i
[t]
and σ
=
λ
i
(CT
out
)
A
i
[t +δ
P ,P
δ
A,P
]
. Hence, A has to
write a signal on her comm-out tape no later than
t + δ
P ,P
δ
A,P
. Obviously, if δ
P ,P
< δ
A,P
, i. e.,
the distance between P and P
is smaller than the dis-
tance between P
and A, an attacker would have to
send her signal even before P sent σ. In certain cases,
this may be possible for instance, if σ is part of a
longer message and A can anticipate that σ (or some
signal) will be sent. Still, in such cases, A cannot re-
act to signals from P. The same holds if δ
P ,P
< δ
P ,A
.
Here, σ from P , i. e., the signal that A aims to jam,
would reach P before it reaches A.
SECRYPT 2024 - 21st International Conference on Security and Cryptography
256
Besides sending the jamming signal in time, an-
other challenge is to pick and send a signal that ef-
fectively jams. Recall that, in some special cases,
two signals can amplify or annihilate each other (cf.
Sec. 3.2.4). An amplified signal, however, does not
necessarily affect a modulated message. That is, the
effectiveness of a jamming signal strongly depends on
the chosen modulation.
Summing up, to manipulate signals received by
other parties, a wireless attacker has to decide when
and what signals she sends. Depending on her jam-
ming strategy, e. g., constant or reactive jamming, this
can be less or more challenging.
5
5 APPLICATIONS
To demonstrate the applicability of the proposed
model, in this section, we revisit friendly jamming
which cannot be represented in the MitMM, and
we explain how the WCM and WAM can be used
for analysis. We also shortly discuss how Distance
Bounding protocols and Frequency-Hopping Spread
Spectrum can be modelled, but omit the details here
to conserve space. Note that each of the different
components listed in Sec. 2 are required at least once,
showing that at least these three are required for a
comprehensive wireless communication model.
5.1 Friendly Jamming for
Confidentiality
Complementing the usually destructive jamming (cf.
Sec. 4.2), so-called friendly jamming (e. g., (Jin et al.,
2022; Jin et al., 2021; Jeon et al., 2022; Shen et al.,
2013; Berger et al., 2016; Berger et al., 2014; Li et al.,
2022; Li et al., 2020)) approaches turn the tables and
use deliberate jamming as a defensive measure. This
way, jamming is used to block unauthorized messages
(authorization) or to hide the content of communica-
tion from illegitimate parties (confidentiality).
An example is the protection of communication
to and from an Implantable Medical Device (IMD)
which is only capable of plain (unencrypted) com-
munication as presented by (Gollakota et al., 2011).
They propose an external device, the shield, which is
worn on the body near an IMD acting as a gateway.
Using a two-radio design, the shield utilizes friendly
jamming to enforce authorization and confidentiality
concerning the communication with the IMD. Due to
its design, the shield is capable of reconstructing the
5
For details on different jamming strategies, we refer to
(Xu et al., 2005; Grover et al., 2014).
original data signals, while any other party only re-
ceives jammed signals. However, (Gollakota et al.,
2011) do not provide any formal representation of the
security goals and analysis in their work.
5.1.1 Formalization of Friendly Jamming
The typical scenario of friendly jamming considers
two collaborating parties, the jamming party J and
the receiving party R. These two have an additional
private communication channel (cf. Sec. 3.1). The
overall goal of friendly jamming is to protect a sig-
nal σ. For example, in the use case of (Gollakota
et al., 2011), σ could either be a signal coming from
the IMD to hide its content or be a non-genuine sig-
nal going to the IMD to render it illegible. To this
end, J generates a jamming signal γ and sends it such
that it collides with σ. As a consequence, a potential
attacker only sees σ + γ. To reverse the jamming, J
shares with R all information necessary such that R
can create an appropriate antidote signal α. Colliding
α with σ + γ yields σ again.
Note that this approach requires J to send γ
in time, which can be challenging in practice (cf.
Sec. 4.2). As this depends on various aspects such as
the relative positions of parties, the reaction time of J,
etc., we consider this as a separate question and focus
on the generation of the jamming signal and its anti-
dote. Consequently, one can formalize such a scheme
as follows:
Definition 8 (Friendly Jamming Scheme).
6
A
friendly jamming scheme (Gen,Jam, Antijam,Σ
f
) is
composed of three algorithms and a signal space re-
stricted to some frequency f . Gen(χ) takes as input a
security parameter χ and outputs a seed κ. Jam(κ)
takes as input some seed κ and creates a jamming
signal γ Σ
f
. Antijam(κ) takes as input some seed
κ and creates an antidote signal α Σ
f
.
The scheme is correct if for all security parame-
ters χ and for all seeds κ Gen(χ), it holds that
Jam(κ) + Antijam(κ) = 0 . (19)
Correctness essentially means that Antijam(κ) =
Jam(κ) for all seeds (cf. Sec. 3.2.4). Besides cor-
rectness, a friendly jamming scheme should also be
sound. Depending on the application, different se-
curity goals may be considered, e. g., authenticity, or
confidentiality. In the following, we focus on confi-
dentiality.
Intuitively, confidentiality means that one cannot
reconstruct the original message from the jammed
6
For the sake of simplicity, here, we consider one sig-
nal only. The formalization can be extended easily to a se-
quence of signals.
Towards a Cryptographic Model for Wireless Communication
257
signals. To formalize this security goal, we adopt the
established security definition of IND-CPA (Indistin-
guishability under Chosen Plaintext Attack) and in-
troduce IND-CSA-n (Indistinguishability under Cho-
sen Signal Attack). The parameter n indicates the
main difference to IND-CPA: an attacker could be us-
ing n antennas, formally represented by n parties un-
der the attacker’s control.
Definition 9 (IND-CSA-n Game). The IND-CSA-n
game with respect to some friendly jamming scheme
(Gen,Jam,Antijam,Σ
f
) considers an oracle O =
{O
1
,O
2
} and an attacker A = {A
1
,...,A
n
}. Each
oracle has access to one comm-out tape and each at-
tacker to one comm-in tape. The tapes controlled by O
are linked to all tapes controlled by A. For i {1,2}
and j {1, .. ., n}, we denote by λ
i, j
the linkage pro-
cedure of the linkage between the comm-out tape of
O
i
and the comm-in tape of A
j
.
A chooses two signals σ
0
̸= σ
1
Σ
f
and sends
these to O. Then, O generates a (secret) seed κ
Gen(χ) and jamming signal γ Jam(κ). It samples
uniformly b
$
{0, 1} and, at time t, instructs O
1
to
write σ
b
on (CT
out
)
O
1
and O
2
to write γ on (CT
out
)
O
2
(simultaneously). Consequently, A
j
receives the col-
lided signal
σ
col
j
= λ
1, j
(σ
b
) + λ
2, j
(γ) . (20)
A outputs b
{0,1} and wins if b
=
b. A friendly jamming scheme is called IND-
CSA-n-secure with respect to the linkage proce-
dures {λ
i, j
}
i=1,2; j=1,...,n
if the attacker’s advantage
Adv(A) =
Pr[A wins]
1
2
is negligible in χ.
5.1.2 IND-CSA-2 Attacker
Given the formalization, the logical next step is to ask
if IND-CSA-n security can be achieved for any realis-
tic choice of {λ
i, j
}. While this might be possible for
the IND-CSA-1 case, (Tippenhauer et al., 2013) de-
scribe an IND-CSA-2 attacker. In the following, we
use the notation from Def. 9 with n = 2 to describe
this attack. The attack assumes a set of linkage pro-
cedures {λ
1,1
,λ
1,2
,λ
2,1
,λ
2,2
} such that
λ
1,1
= λ
2,2
= id and λ
1,2
= λ
2,1
= Shift
π
2
. (21)
(Tippenhauer et al., 2013) demonstrates that this can
be possible in practice if the locations for A
1
and A
2
are chosen such that the four parties O
1
,O
2
,A
1
,A
2
form an isosceles trapezoid, while the following prop-
erties must be satisfied:
1. The distance d between O
1
and O
2
is smaller than
half of the carrier frequency’s wavelength, while
the distance between A
1
and A
2
is greater than
half this wavelength (and d).
2. The delays between O
1
and A
1
, and between O
2
and A
2
, respectively, are equal. Likewise, the de-
lays between O
2
and A
1
, and between O
1
and A
2
,
respectively, are also equal.
3. A
2
(or A
1
) perceives signals from O
1
(or O
2
) with
a channel-induced phase shift of
π
2
relative to A
1
(or A
2
).
Due to the differing phase offsets (cf. Eq. (21)),
the signals received by A
1
and A
2
, respectively, are
σ
col
1
= λ
1,1
(σ) + λ
2,1
(γ) = σ + Shift
π
2
(γ)
σ
col
2
= λ
1,2
(σ) + λ
2,2
(γ) = Shift
π
2
(σ) + γ .
The attacker shifts and collides these two signals as
follows:
Shift
3π
2
(σ
col
1
) + Shift
π
(σ
col
2
)
= Shift
3π
2
(σ) + Shift
2π
(γ) + Shift
3π
2
(σ) + Shift
π
(γ)
= Shift
3π
2
(σ) + Shift
3π
2
(σ) .
That is, the attacker reconstructed an amplified variant
of σ, which immediately allows to reconstruct σ.
5.2 Distance Bounding Protocols
Distance Bounding (DB) protocols were introduced
by Brands and Chaum (Brands and Chaum, 1994).
Their purpose is for a prover P to authenticate him-
self to a verifier V and to demonstrate his proxim-
ity to V . To this end, the verifier measures the round
trip time and, based on the propagation speed of elec-
tromagnetic waves, calculates an upper bound to the
distance, such that the verifier is convinced that the
prover cannot be further away than this calculated
bound.
In our model, the timing aspect can be captured
by the delay parameter δ in the linkage between two
parties (cf. Def. 6). More concretely, consider the two
parties P , P
where P wants to determine the distance
to P
. Moreover, assume the linkages Link(P,P
) and
Link(P
,P ) with a symmetric delay δ (cf. Def. 7).
Then, the round trip time between P and P
is at least
2 · δ. Thus, measuring the round trip time gives a
lower bound on δ which in turn gives an upper bound
on the geographical distance between them.
5.3 Frequency-Hopping Spread
Spectrum
The basic idea of the Frequency-Hopping Spread
Spectrum (FHSS) technique is to not stick to one
physical channel during communication but to hop
across available channels (pseudo-)randomly. This
SECRYPT 2024 - 21st International Conference on Security and Cryptography
258
provides more robustness against interference on a
specific frequency and, at the same time, makes it
harder for an attacker to target the correct channel if
the hop sequence is secret. Our model naturally of-
fers to incorporate FHSS by switching between dif-
ferent communication tapes when sending messages,
whereas tapes essentially represent different channels
with different carrier frequencies.
We illustrate this for a variant of FHSS where the
messages sent by P are indexed, i. e., m
1
,m
2
,..., and
where, for each message, the communication chan-
nel is separately chosen. To this end, sender P and
receiver P
agree on a secret key k to initialize a pseu-
dorandom function f
k
: N {1,. .. ,chs}. For each
message m
i
, f
k
determines which communication tape
is to be chosen. More precisely, sending the i-th mes-
sage means that P executes
Send((CT
out
)
P
f
k
(i)
,m
i
,s) . (22)
Likewise, P
uses f
k
to determine the channel to listen
to next.
6 RELATED WORK AND
CONCLUSION
While several works discuss possible extensions of
the Dolev-Yao model, e. g., see (Mao, 2004; Herzog,
2005), we focus on these that address the connection
of the MitMM and wireless attackers.
(P
¨
opper et al., 2011) question the applicability of
the MitMM in the context of wireless communication.
They show the difficulties of symbol flipping and sig-
nal annihilation and that these succeed with a certain
probability only. In contrast to our work, the proposal
of an appropriate model is out of scope.
(Schaller et al., 2009) (see also (Basin et al.,
2009; Basin et al., 2011)) developed a formal model
for wireless networks concerning physical properties
in the form of inductive, trace-based, symbolic ap-
proaches for use with a theorem prover. In fact, some
of the aspects identified for the WCM are also re-
flected there, e. g., the properties of communication
(transmission delays based on distance and propaga-
tion speed), location (of network nodes), and time (for
temporal dependencies). However, there are also nu-
merous differences. For example, messages are sent
in the form of events, transmission time is indepen-
dent of the message length. Modulation schemes,
the resulting signals, and different available commu-
nication channels are not considered. This means
that schemes like FHSS and (Gollakota et al., 2011)
(Sec. 5.1) cannot be fully represented by their model.
(Rocchetto and Tippenhauer, 2016) proposed
CPDY, an extended Dolev-Yao model for cyber-
physical systems, to allow for covering physical in-
teractions between components and the notion of dis-
tance. However, they propose and implement new
rules in a formal security specification language while
focusing on physical interactions in the literal sense,
e. g., an attacker physically manipulates a device,
while our focus lies on the communication between
parties.
(Avoine et al., 2021) review relay attacks and the
threat model of DB protocols in general. They also
consider effects existing in practice, e. g., provers’
processing delays, and relate these with theoretical
approaches to proving security for DB protocols.
They conclude that formal models for DB protocols
are inaccurate as these make impractical assumptions,
e. g., processing delays during the fast phase are as-
sumed to be non-existent, or colluding attackers are
disallowed to communicate during the fast phase.
However, they do this without proposing any formal
model.
We share the view of (Avoine et al., 2021) that
more realistic models are necessary. Our model im-
poses no further restrictions on the communication
between colluding attackers or other parties, neither
during the fast phase nor any other. The only require-
ment is that any (wireless) communication has to fol-
low the physical rules laid out by our model, e. g., sig-
nal properties and delays are still in effect. As our
model is focused on the communication between par-
ties, processing delays are not present in our model
either.
(D
¨
urholz et al., 2011) provide a formal (simulator-
assisted) analysis of DB Radio-Frequency Identifica-
tion (RFID) protocols. They propose formal models
for Mafia, terrorist, and distance fraud, which they ap-
ply on the RFID DB scheme by (Kim and Avoine,
2009) as an example. While D
¨
urholz et al. also con-
sider a global clock, their concept of time is message-
driven, i. e., a unit of time represents a complete pro-
tocol message and is thus independent of the mes-
sage’s length. On the one hand, they consider noisy
communication based on the constraints for RFID and
wireless communication, on the other hand, modula-
tion schemes, signals, and channels seem irrelevant
for the RFID scenario.
(Boureanu et al., 2021) developed a parameter-
ized cryptographic model for DB. Finally, they point
out possible attacks on existing DB schemes and im-
plement their (parameterized) model in an interactive
cryptographic prover which they apply on a contact-
less payment scheme to prove Man-in-the-Middle se-
curity. In their model, Boureanu et al. define notions
Towards a Cryptographic Model for Wireless Communication
259
of time, location, and distances, additionally, they de-
fine oracles to capture an attacker’s capabilities. Also,
the provided oracles bear some similarity to our de-
fined operations. However, modulation schemes, sig-
nal properties, and available channels remain uncon-
sidered. Furthermore, the provided replace oracle
allows for targeted replacing of select message bits
for an arbitrary subset of parties independent of their
relative positions, thereby ignoring the fact that differ-
ent parties may receive message bits at different times
based on their positions. Note that, in our model, an
attacker needs to actively send signals that overlap
with the original signals (as this is the only possibil-
ity to influence a received signal) and that she cannot
influence the time at which the original signals reach
the receivers.
Our proposed cryptographic model allows to rep-
resent existing mechanisms that build on the peculiar-
ities of wireless communication. We presented exist-
ing schemes that can only be represented using the
three aspects identified in Sec. 2, i. e., communica-
tion channels, signals, and locality. We hope that our
model will be useful for further analysis and design
of cryptographic schemes in the wireless area.
ACKNOWLEDGEMENTS
This research was supported by the project Physical
Guards funded by the Federal Ministry for Education
and Research of Germany (BMBF).
REFERENCES
Avoine, G., Boureanu, I., G
´
erault, D., Hancke, G. P.,
Lafourcade, P., and Onete, C. (2021). From relay at-
tacks to distance-bounding protocols. In Avoine, G.
and Hernandez-Castro, J., editors, Security of Ubiqui-
tous Computing Systems: Selected Topics, pages 113–
130. Springer International Publishing, Cham.
Basin, D., Capkun, S., Schaller, P., and Schmidt, B. (2009).
Let’s get physical: Models and methods for real-world
security protocols. In Berghofer, S., Nipkow, T., Ur-
ban, C., and Wenzel, M., editors, Theorem Proving in
Higher Order Logics, pages 1–22, Berlin, Heidelberg.
Springer Berlin Heidelberg.
Basin, D., Capkun, S., Schaller, P., and Schmidt, B. (2011).
Formal reasoning about physical properties of security
protocols. ACM Trans. Inf. Syst. Secur., 14(2).
Berger, D. S., Gringoli, F., Facchi, N., Martinovic, I., and
Schmitt, J. (2014). Gaining Insight on Friendly Jam-
ming in a Real-World IEEE 802.11 Network. In Pro-
ceedings of the 2014 ACM Conference on Security and
Privacy in Wireless & Mobile Networks, WiSec ’14,
pages 105–116, New York, NY, USA. Association for
Computing Machinery.
Berger, D. S., Gringoli, F., Facchi, N., Martinovic, I.,
and Schmitt, J. B. (2016). Friendly jamming on
access points: Analysis and real-world measure-
ments. IEEE Transactions on Wireless Communica-
tions, 15(9):6189–6202.
Bluetooth SIG (2016). Bluetooth core specification. Ver-
sion 5.0.
Boureanu, I., Dr
˘
agan, C. C., Dupressoir, F., G
´
erault, D.,
and Lafourcade, P. (2021). Mechanised Models and
Proofs for Distance-Bounding. In 2021 IEEE 34th
Computer Security Foundations Symposium (CSF),
pages 1–16.
Boureanu, I., Mitrokotsa, A., and Vaudenay, S. (2015).
Practical and Provably Secure Distance-Bounding. In
Desmedt, Y., editor, Information Security, pages 248–
258, Cham. Springer International Publishing.
Brands, S. and Chaum, D. (1994). Distance-bounding pro-
tocols. In Helleseth, T., editor, Advances in Cryptol-
ogy EUROCRYPT ’93: Workshop on the Theory
and Application of Cryptographic Techniques Lofthus,
Norway, May 23–27, 1993 Proceedings, pages 344–
359. Springer Berlin Heidelberg, Berlin, Heidelberg.
Desmedt, Y., Goutier, C., and Bengio, S. (1988). Special
uses and abuses of the Fiat-Shamir passport protocol
(extended abstract). In Pomerance, C., editor, Ad-
vances in Cryptology CRYPTO ’87: Proceedings,
pages 21–39. Springer Berlin Heidelberg, Berlin, Hei-
delberg.
Dolev, D. and Yao, A. C. (1983). On the security of pub-
lic key protocols. IEEE Trans. Information Theory,
29(2):198–207.
Drimer, S. and Murdoch, S. J. (2007). Keep your enemies
close: Distance bounding against smartcard relay at-
tacks. In 16th USENIX Security Symposium (USENIX
Security 07), Boston, MA. USENIX Association.
D
¨
urholz, U., Fischlin, M., Kasper, M., and Onete, C.
(2011). A Formal Approach to Distance-Bounding
RFID Protocols. In Lai, X., Zhou, J., and Li, H., ed-
itors, Information Security, pages 47–62, Berlin, Hei-
delberg. Springer Berlin Heidelberg.
Eberz, S., Strohmeier, M., Wilhelm, M., and Martinovic,
I. (2012). A Practical Man-In-The-Middle Attack on
Signal-Based Key Generation Protocols. In Foresti,
S., Yung, M., and Martinelli, F., editors, Computer
Security ESORICS 2012: 17th European Sympo-
sium on Research in Computer Security, Pisa, Italy,
September 10-12, 2012. Proceedings, pages 235–252.
Springer Berlin Heidelberg, Berlin, Heidelberg.
Elbert, B. R. (2008). Introduction to Satellite Communica-
tion. The Artech House Telecommunications Library.
Artech House, Inc, Boston, 3rd edition.
Gollakota, S., Hassanieh, H., Ransford, B., Katabi, D., and
Fu, K. (2011). They can hear your heartbeats: Non-
invasive security for implantable medical devices. In
Proceedings of the ACM SIGCOMM 2011 Confer-
ence, SIGCOMM ’11, pages 2–13. ACM.
Grover, K., Lim, A., and Yang, Q. (2014). Jamming and
anti-jamming techniques in wireless networks: A sur-
SECRYPT 2024 - 21st International Conference on Security and Cryptography
260
vey. Int. J. Ad Hoc Ubiquitous Comput., 17(4):197–
215.
Hancke, G. P. and Kuhn, M. G. (2005). An RFID dis-
tance bounding protocol. In First International Con-
ference on Security and Privacy for Emerging Areas
in Communications Networks (SECURECOMM’05),
pages 67–73. IEEE.
Hershey, J., Hassan, A., and Yarlagadda, R. (1995). Uncon-
ventional cryptographic keying variable management.
IEEE Transactions on Communications, 43(1):3–6.
Herzog, J. (2005). A computational interpretation of
Dolev-Yao adversaries. Theoretical Computer Sci-
ence, 340(1):57–81. Theoretical Foundations of Se-
curity Analysis and Design II.
IEEE (1997). 802.11-1997 - IEEE Standard for Wireless
LAN Medium Access Control (MAC) and Physical
Layer (PHY) Specifications. IEEE Std 802.11-1997,
pages 1–445.
IEEE (2011). IEEE Standard for Local and metropoli-
tan area networks—Part 15.4: Low-Rate Wireless
Personal Area Networks (LR-WPANs). IEEE Std
802.15.4-2011 (Revision of IEEE Std 802.15.4-2006),
pages 1–314.
Jeon, G.-H., Lee, J.-H., Sung, Y.-S., Park, H.-J., Lee, Y.-
J., Yun, S.-W., and Lee, I.-G. (2022). Cooperative
friendly jamming techniques for drone-based mobile
secure zone. Sensors, 22(3).
Jin, R., Zeng, K., and Jiang, C. (2022). Friendly spectrum
jamming against mimo eavesdropping. Wireless Net-
works, 28(6):2437–2453.
Jin, R., Zeng, K., and Zhang, K. (2021). A reassessment on
friendly jamming efficiency. IEEE Transactions on
Mobile Computing, 20(1):32–47.
Katz, J. (2002). Efficient Cryptographic Protocols Pre-
venting “Man-in-the-Middle” Attacks. PhD thesis,
Columbia University.
Kim, C. H. and Avoine, G. (2009). Rfid distance bound-
ing protocol with mixed challenges to prevent relay
attacks. In Garay, J. A., Miyaji, A., and Otsuka, A.,
editors, Cryptology and Network Security, pages 119–
133, Berlin, Heidelberg. Springer Berlin Heidelberg.
Li, J., Lei, X., Diamantoulakis, P. D., Fan, L., and
Karagiannidis, G. K. (2022). Security optimiza-
tion of cooperative noma networks with friendly jam-
ming. IEEE Transactions on Vehicular Technology,
71(12):13422–13428.
Li, X., Dai, H.-N., Wang, Q., Imran, M., Li, D., and Im-
ran, M. A. (2020). Securing internet of medical things
with friendly-jamming schemes. Computer Commu-
nications, 160:431–442.
Mao, W. (2004). A structured operational modelling of the
Dolev-Yao threat model. In Christianson, B., Crispo,
B., Malcolm, J. A., and Roe, M., editors, Security
Protocols, pages 34–46, Berlin, Heidelberg. Springer
Berlin Heidelberg.
Mohammad Hasan (2022). State of IoT 2022: Number of
connected IoT devices growing 18% to 14.4 billion
globally.
P
¨
opper, C., Tippenhauer, N. O., Danev, B., and Capkun,
S. (2011). Investigation of Signal and Message Ma-
nipulations on the Wireless Channel. In Atluri, V.
and Diaz, C., editors, Computer Security ESORICS
2011, volume 6879 of Lecture Notes in Computer
Science, pages 40–59. Springer-Verlag Berlin Heidel-
berg, Berlin, Heidelberg.
Ranganathan, A., Tippenhauer, N. O.,
ˇ
Skori
´
c, B., Singel
´
ee,
D., and
ˇ
Capkun, S. (2012). Design and implemen-
tation of a terrorist fraud resilient distance bounding
system. In Foresti, S., Yung, M., and Martinelli, F.,
editors, Computer Security ESORICS 2012: 17th
European Symposium on Research in Computer Secu-
rity, Pisa, Italy, September 10-12, 2012. Proceedings,
pages 415–432. Springer Berlin Heidelberg, Berlin,
Heidelberg.
Rasmussen, K. B. and Capkun, S. (2010). Realization
of RF distance bounding. In 19th USENIX Security
Symposium (USENIX Security 10), Washington, DC.
USENIX Association.
Rocchetto, M. and Tippenhauer, N. O. (2016). CPDY: Ex-
tending the Dolev-Yao attacker with physical-layer in-
teractions. In Ogata, K., Lawford, M., and Liu, S.,
editors, Formal Methods and Software Engineering,
pages 175–192, Cham. Springer International Pub-
lishing.
Schaller, P., Schmidt, B., Basin, D., and Capkun, S. (2009).
Modeling and verifying physical properties of security
protocols for wireless networks. In 2009 22nd IEEE
Computer Security Foundations Symposium, pages
109–123.
Shen, W., Ning, P., He, X., and Dai, H. (2013). Ally friendly
jamming: How to jam your enemy and maintain your
own wireless connectivity at the same time. In 2013
IEEE Symposium on Security and Privacy, pages 174–
188.
Tippenhauer, N. O. and
ˇ
Capkun, S. (2009). ID-based se-
cure distance bounding and localization. In Backes,
M. and Ning, P., editors, Computer Security ES-
ORICS 2009: 14th European Symposium on Research
in Computer Security, Saint-Malo, France, September
21-23, 2009. Proceedings, pages 621–636. Springer
Berlin Heidelberg, Berlin, Heidelberg.
Tippenhauer, N. O., Malisa, L., Ranganathan, A., and Cap-
kun, S. (2013). On limitations of friendly jamming for
confidentiality. In 2013 IEEE Symposium on Security
and Privacy, pages 160–173. IEEE Computer Society
Press.
Xu, W., Trappe, W., Zhang, Y., and Wood, T. (2005).
The feasibility of launching and detecting jamming
attacks in wireless networks. In Proceedings of the
6th ACM International Symposium on Mobile Ad Hoc
Networking and Computing, MobiHoc ’05, pages 46–
57. ACM, New York, NY, USA.
Zenger, C. T., Pietersz, M., and Paar, C. (2016). Preventing
relay attacks and providing perfect forward secrecy
using PHYSEC on 8-bit µC. In 2016 IEEE Inter-
national Conference on Communications Workshops
(ICC), pages 110–115.
ZigBee Alliance (2012). ZigBee Light Link Standard Ver-
sion 1.0 – Document 11-0037-10.
Towards a Cryptographic Model for Wireless Communication
261