Dynamic shielding to secure multi-hop communications in vehicular platoons

Vehicular platoons are among the most advanced driving assistance systems that may generate considerable fuel savings and increase traffic efficiency. However, communication between vehicles in a platoon is always vulnerable to eavesdropping due to the broadcast nature of wireless channels. To address this issue, we investigate security issues from the physical layer perspective for multi-hop vehicular platooning. The dynamic shielding secured transmission scheme is proposed to guarantee the confidential transmission of private information. Specifically, the neighboring vehicles can alternately act as friendly shielders, which transmit jamming signals to interfere with the eavesdroppers without knowing the channel state information, and thus the secrecy capacity would increase. The mathematical derivation of secrecy capacity is obtained for performance analysis. Meanwhile, the numerical results verify the properties, efficiency, and adaptability of the proposed scheme.


Introduction
As 5G commercial applications become popular, autonomous driving, a key technology for ensuring road safety and alleviating traffic congestion, has received extensive attention and rapid development. Platooning is an important traffic strategy based on autonomous driving technology that can achieve improved traffic efficiency and reduced fuel consumption [1,2]. Vehicular platoons operate a group of vehicles in a closely linked pattern, where vehicles communicate through a the multi-hop mechanism [3]. Driving status information and private information (e.g., location, speed, acceleration, and identity) are transmitted in real time between vehicles in the same platoon. Since these messages are crucial to driving safety and user privacy, they should be exchanged with confidentiality and be deciphered only by the vehicles within the platoon to ensure information security. However, vehicle-to-vehicle (V2V) communications are particularly vulnerable to eavesdropping due to the broadcast nature of wireless channels [4,5].
Addressing security issues of vehicular platoons involves many challenges. First, in driving scenarios, a complex and changing surrounding environment can have an impact on the communication performance of the platoon. Various obstacles and multipath fading can make the wireless channel unstable, leading to difficulties for channel estimation. Second, data in vehicular platoon communication are timesensitive; hence, vehicles should communicate using algorithms with high processing capability and low complexity. Third, since vehicles join or leave at any time during the driving of the platoon, the transmission scheme should be able to adapt to this dynamic system.
Many researchers focus on detecting and mitigating attacks at the network and application layers to address communication security issues [6][7][8]. Additionally, recent studies on physical layer security, which emerges as a promising means of protecting wireless communications against eavesdropping attacks, have received considerable attention.
Existing studies on physical layer security can be divided into two types: key-based and keyless technologies.
Shannon [9] first introduced the theory of secure communication and the classic model of cryptosystems. It was pointed out that, when the key entropy is not less than the information entropy, the perfect secrecy of the one-time pad can be achieved. In key-based technologies, the characteristics of short-term reciprocity, space-time uniqueness, fast time-varying and unpredictability of wireless channels are used as random sources to generate the shared secret key. It is then used to encrypt the information through dynamic coordinate interleaving or constellation phase rotation.
Physical layer security achieves confidential communications without using keys, which was proposed by Wyner [10]. He introduced a discrete memoryless eavesdropping channel comprising the source, destination, and eavesdropper. He also proved that, provided the capacity of the legitimate link between the source and the target is higher than that of the eavesdropping link between the source and the eavesdropper, absolutely secure communication can be achieved through coding.
The condition of secure transmission in a Gaussian eavesdropping channel was further investigated in [11], and the authors proposed the concept of secrecy capacity, that is, the difference between the capacity of the legitimate link and the capacity of the eavesdropping link. Therefore, improving the secrecy capacity is one goal of designing a physical layer security scheme [12]. In keyless technologies, which mainly include beamforming and artificial noise (AN) technologies, the widely considered idea is to generate information signals that can only be decoded by a legitimate receiver or to generate jamming signals that can cause severe interference to the eavesdropper. However, most typical beamforming and AN technologies rely on accurate knowledge of channel state information (CSI) of the legitimate or the eavesdropping link. In fact, the transmitter has the difficulty in obtaining the perfect CSI of a wireless link, especially in a dynamic environment such as a vehicular platoon. Furthermore, the eavesdropper definitely not feeds back the CSI knowledge of the eavesdropping link to the transmitter.
In this work, we propose a keyless physical layer security scheme, called the dynamic shielding secured transmission (DSST) scheme; here, adjacent vehicles alternately function as legitimate transmitters and friendly shielders to ensure that critical messages can be transmitted confidentially within the platoon with a multi-hop mechanism. In this scheme, the jamming signal is not sent together with the information signal at the transmitter, but is sent by the legitimate receiver or the vehicle outside the communication range of the legitimate receiver. Hence, the jamming signal can be generated without resorting to the CSI of the eavesdropping and legitimate links and will not cause severe interference to the legitimate receiver. Additionally, a detailed derivation is conducted for the ergodic capacity of the legitimate and the eavesdropping links. On this basis, the secrecy capacity is carried out to evaluate the performance of the proposed scheme wherein its effectiveness is verified through numerical analysis.
The remainder of this paper is organized as follows. Section 2 presents the review of existing relevant literature on physical layer security issues is presented. In Sect. 3, we introduce a toy example of the DSST scheme for a multi-hop vehicular platoon and explain its basic principle. In Sect. 4, we provide the mathematical derivation of the ergodic capacity and the secrecy capacity for the confidential communication model of vehicular platoon. We also present the numerical results and conduct a detailed analysis in Sect. 5. Finally, the conclusion is made at the end of this paper.

Secret key technology
The authors in [13] proposed a physical layer key generation scheme based on channel estimation using zero-forcing (ZF) or minimum mean square error (MMSE) criteria. The scheme determines the optimal number of antennas for relays and legal nodes through algorithms and then selects the most suitable antenna for key generation to achieve a higher secret key rate than that of previous work. In [14], eavesdropping and message modification issues were considered in platoon-based V2V communications, and a security scheme was proposed where the vehicles generate a shared secret key according to the fading channel randomness. By recursively optimizing the quantization intervals of the channel quality indicator, the scheme can maximize the key agreement probability within a platoon, while the probability that eavesdroppers generate the same key is much lower. The key generation algorithms for multi-carrier systems were investigated in [15], where both the magnitudes of orthogonal frequency division multiplexing subcarriers and the indices/positions of subcarriers that correspond to the highest gains are used to generate secret bits. The proposed algorithms can provide extra dimensions for key generation and thereby enhance the overall key rate. The authors in [16] proposed a key-based algorithm that obscures information from eavesdroppers by mapping it to rotated reference signals. They further designed a key-based physical layer security protocol to connect the algorithm with modern cellular implementations.

Keyless technology
The authors in [17] proposed a secure precoding algorithm based on the concept of constructive interference (CI), which takes advantage of the constructive nature of multiuser interference to improve the signal power at the legitimate receiver and utilizes its destructive effects to degrade the performance of the eavesdropper. The algorithm can strike a better tradeoff between energy overhead and security. However, additional transmit power is required to prevent eavesdropping when the CSI of the eavesdropper is unavailable. A strategy of relay selection and cooperative jammer beamforming was proposed in [18], wherein one node is selected from the intermediate nodes as the relay, while the rest of the nodes as friendly jammers to maximize the secrecy rate. The scheme was proved to have a better performance than the conventional schemes under the same power constraint. For the MIMO-non-orthogonal multiple-access-based cognitive radio network, a transmit-zero-forcing beamforming technique with signal alignment was proposed in [19] for communication security when perfect CSI can be obtained. Additionally, for practical scenarios with partial CSI knowledge, the authors proposed an eigen beamforming technique, which can mitigate the impact of imperfect CSI and ensure that users at the center of the cell maintain a positive secrecy capacity. An AN-based secure transmission scheme for a multi-input single-output eavesdropping system was also proposed, wherein an optimal power allocation and an optimal transmission rate algorithm based on cyclic iteration were used to maximize the system security [20]. The authors in [21] investigated the AN scheme for coordinated multipoint transmission in frequency division duplex multi-cell systems with imperfect CSI. The secrecy performance analysis that is mathematically rigorous was conducted in detail, and an algorithm with low complexity was introduced to optimize the allocation of CSI feedback bits for the channels of the target signal link and inter-cell interference links.

System model
Some assumptions should be given initially before introducing the system model. The power constraint for each vehicle member in a platoon should be seriously considered to avoid severe interference to the surrounding traffic.
Moreover, the communication distance for each vehicle is limited locally within its neighboring vehicles. Under this premise, for a platoon with its length to be N, there will be N − 1 hop links to complete after transmission from the head vehicle to the tail vehicle. The store-and-forward mode is used for the relay transceiver; that is, the messages containing driving status and commands are generated at the head vehicle and forwarded to the following vehicle all the way toward the tail vehicle [22]. Fig. 1 presents the system model of the proposed scheme, where the private messages are exchanged within the platoon according to the multi-hop mechanism, with each vehicle broadcasting the information to its neighboring vehicles. An eavesdropping vehicle, denoted by V e , appears next to the (n − 1) th hop. Here V n−1 , V n and V n+1 refer to the (n − 1) th vehicle, the nth vehicle and the (n + 1) th vehicle, respectively. For the (n − 1) th hop, V n−1 broadcasts the information signal to the surroundings, and V n , serving as both the legitimate receiver and friendly shielder, broadcasts the jamming signal to protect the information from eavesdropping. Under this case, V e will receive the signal from V n−1 and V n Assume that the eavesdropper V e is attempting to eavesdrop on the private messages from the (n − 1) th and the nth hops, where n (n = 1, ⋯ , N − 1) refers to the index of the nth vehicle simultaneously and will be unable to decode the information signal due to the existence of the jamming signal. Then, for the nth hop, V n will become a relay to extend the communication link to V n+1 , with V n−1 serving as a friendly shielder to broadcast the jamming signal. In this hop, V n+1 is out of the communication range of V n−1 , and thus it can avoid interference from the shielding action taken by V n−1 . For convenience, the symbol definitions used in this paper are given in Table 1.

Performance derivation
This section presents the mathematical derivations associated with the ergodic capacity of the legitimate link, ergodic capacity of the eavesdropping link, and secrecy capacity, respectively, to illustrate the proposed scheme in detail. Not all of the N − 1 hop links are taken into our design; instead, we only address the vulnerable links allocated within an eavesdropper's range. For illustration purposes, the communication process of the (n − 1) th hop and the nth hop is considered without loss of generality.

Ergodic capacity of the legitimate link
In the system model presented in Fig. 1, let the transmit power of V n−1 and V n , yielding the information signal and jamming signal, be P n−1 and P ′ n , respectively. Specifically, the signal to interference plus noise ratio (SINR) at the side of V n can be calculated as where the complex gain of the (n − 1) th hop link, between V n−1 and V n , is defined as h n−1 ≜ |h n−1 |e j n−1 (n = 2, ⋯ , N) , where |h n−1 | follows the Rayleigh distribution and n−1 follows the uniform distribution in [− , ] . Each vehicle is equipped with a full-duplex transceiver. Self-interference is defined as I n , and is used to denote the self-interference factor, defined as ≜ I n ∕P � n [23]. The channel gain of the self-to-self loop for a full-duplex transceiver is represented by h .
Consequently, the transmit power involved in each hop, denoted by P n , should be taken comprehensively to utilize the power generated both by V n−1 and by V n . In addition, the transmit power regarding each hop is assumed as a constant; that is, P 1 = ⋯ = P n = ⋯ = P N−1 = P . Take the constraint here; we have where is the power ratio in terms of P n−1 and P ′ n . The ergodic capacity for the (n − 1) th hop can be calculated using The nth vehicle in the platoon n = 1, ⋯ , N V e Eavesdropper Self-interference factor for a full-duplex transceiver ∈ (0, 1)

n
Variation of h n ; that is, 2 n = (h n h * n ) Power of the Gaussian noise P n Constraint of the transmit power in the nth hop P 1 = ⋯ P n = P N−1 = P P � . Further, the exponential integral function is employed in (3) for derivation purposes, which is mathematically defined as For the next hop shown in Fig. 1, V n broadcasts the information signal to surrounding vehicles, and hence both V n+1 and V e are within the communication range. To protect the information from eavesdropping, V n−1 takes its turn to perform the shielding task. The SINR at the side of V n+1 can be obtained as in which P n denotes the transmit power of V n . Hold the power constraint of the nth hop link here; that is, where P � n−1 is defined as the transmit power of V n−1 in the nth hop, and is the power ratio between P n and P � n−1 . The ergodic capacity for the nth hop can be expressed by

Ergodic capacity of the eavesdropping link and secrecy capacity
The (n − 1) th hop and the nth hop, which are both exposed to the eavesdropper, broadcast the same information through two separate time slots, respectively. Thus the eavesdropper can obtain the time diversity gain when decoding the data.
Here we investigate the capacity obtained by the eavesdropper according to the selective combination. At the eavesdropper side, the SINR can be expressed as in which e,n−1 and e,n are defined as where ℏ n−1 and ℏ n denote the channel gains of the eavesdropping links with respect to the (n − 1) th hop and the nth hop. Subsequently, the capacity at the eavesdropper side for the (n − 1) th hop can be obtained as in which ′ 2 n and � 2 n−1 stand for the variations of ℏ n and ℏ n−1 , respectively. Similarly, the capacity of the eavesdropping link in the nth hop can be derived as Therefore, according to the definition of secrecy capacity [11], secrecy capacities of the (n − 1) th hop and the nth hop can be achieved as where [x] + ≜ max{0, x} . These two equations can be specifically written into Eqs. (12) and (13), respectively. As the eavesdropper employs the selective combination scheme, it obtains the capacity C e ≜ max{C � n−1 , C � n } , while the overall capacity in this study of the two hops is defined as C ≜ min{C n−1 , C n } . Thus, the overall secrecy capacity of this two-hop local system can be calculated using

Numerical results and analysis
In this section, the numerical results based on Eqs. (11) and (14) are presented to verify the proposed scheme.
In Fig. 2, the influence of the self-interference factor, defined as , on the secrecy capacity of the (n − 1) th hop is investigated. It can be observed in Fig. 2 that the secrecy capacity increases with an increase in the signal-to-noise ratio (SNR), and a larger self-interference factor leads to a smaller secrecy capacity, which can be also known from Eqs.
(3) and (12). This is because full-duplex transceivers suffer from the self-loop interference caused by signal leakage Secrecy Capacity (bps) 10 8 between the transmitter and receiver, which is a drawback of the full-duplex relay system. Larger self-interference factor indicates larger self-interference on the legitimate receiver V n , resulting in a smaller ergodic capacity of the legitimate link and secrecy capacity of the (n − 1) th hop. In the following numerical analyses, the self-interference factor is set to 0.01, which is practically reasonable [24]. In Fig. 3, the performance of the overall secrecy capacity of the two-hop local system concerning the power ratio and is investigated. Here it is assumed that the qualities of all the communication links are the same. As shown in Fig. 2(a), the peak area of the surface can be reached under the condition that both and are approximately equal to one. The fundamental reasons can be summarized as follows. For the (n − 1) th hop, a low secrecy capacity under the case of small ratio is obtained due to the small transmit power of V n−1 . However, as becomes larger than one, the jamming signal power transmitted from V n to V e decreases with the continuous increase of , leading to a high capacity at the eavesdropper side, as described in (9). For the nth hop, a similar principle can be delivered, which has been discussed in (10). Additionally, since V n+1 does not require to transmit jamming signals in the nth hop, and hence there is no self-interference stepping in. It indicates that a higher channel capacity can be obtained under the same power ratio between information and jamming signals if compared with the (n − 1) th hop. Therefore, clearly to obtain the maximum overall secrecy capacity, can be set slightly larger than . The results also indicate that, with the identical link qualities, the powers of the information and the jamming signals should be averaged out to achieve an excellent secrecy performance.
In Fig. 4, the secrecy capacity for the (n − 1) th hop is compared under different ratios among � n−1 , ′ n , and , which denote the standard deviations of the eavesdropping, the jamming and the legitimate links, respectively. Evidently, larger SNRs always provide higher secrecy capacities. When the qualities of both the jamming and legitimate links are better than that of the eavesdropping link (i.e., , the capacity obtained by V e is much smaller than that at the V n side. Therefore, it exhibits the highest secrecy capacity among the six cases. As the eavesdropping link is relatively weak, the received information signal power by V e is small, whereas that of the jamming link is relatively strong. Thus, V n−1 poses significant interference to V e . Conversely, the case that the eavesdropping link is more robust than the legitimate link and the jamming link exhibits the lowest secrecy capacity. It can also be found that, for the cases with the ratios 2 , the curves completely overlap. For the former, the friendly shielder plays a crucial role in protecting the information from eavesdropping attacks, as the legitimate and eavesdropping links are relatively weak. Conversely, for the latter, the eavesdropping link is relatively powerful. Thus, V e can efficiently take eavesdropping although the legitimate link is not quite poor.
The AN scheme based on the MIMO system [25] is adopted here for comparison purposes, wherein the case with restricted transmit antennas is considered. The scheme requires the accurate CSI of the legitimate channel to generate AN that the receiver can eliminate while the eavesdropper cannot. Here, we compare its secrecy capacity under three cases. The first case is based on an ideal assumption that the CSI is estimated accurately, and the number of antennas equipped on the transmitter is larger than that of the eavesdropper and legitimate receiver; that is, N t = 4 > N r = N e = 3 . Second, the secrecy capacity under the condition that 10% error occurs in the CSI estimation is studied. In the third case, the number of antennas equipped on the eavesdropper is equal to the number of transmit antennas; that is, N t = N e = 4 > N r = 3 . As shown in Fig. 5, as the SNR increases, the secrecy capacities achieved by the DSST and the MIMO-based AN schemes for the first case are both increasing as well. When the transmitter employs more antennas than the eavesdropper and the receiver on the premise that the perfect CSI is available, the MIMO-based AN scheme outperforms the DSST scheme. For the second case, it is observed that the MIMO-based AN scheme exhibits better performance than the proposed scheme in the low SNR region. The reason is that the selfinterference is considered in the proposed scheme, which decreases the secrecy capacity. As the CSI estimation error occurs, the AN signal is generated to interfere with the eavesdropper but inevitably affects the receiver. This effect is particularly significant when the transmit power is high and thus severely degrades the performance. Therefore, with an increase of the SNR, the DSST scheme gradually provides a higher secrecy capacity. Furthermore, once the eavesdropper owns as many antennas as the vehicles in the platoon, the eavesdropper is able to eliminate the AN signal with the help of the eavesdropping channel matrix [25]. In such a case, the MIMO scheme completely fails to secure communication.
In addition, the DSST and MIMO-based AN schemes are compared in the case where the desired SINR is imposed at the legitimate receiver to ensure the quality of service (QoS). Secrecy Capacity (bps) The noise power is assumed to be one (i.e., N 0 = 1 ), and the transmit power P can be expressed in decibels relative to the noise power. A power constraint P = 30 dB is considered in both schemes. In Fig. 6, the SINR at the eavesdropper with an increasing desired SINR at the legitimate receiver is exhibited. Evidently, with the SINR at the legitimate receiver increasing, an increased SINR can be also obtained by the eavesdropper. This is because, when more power is used on the information signal, less power will be available for the jamming signal with a transmit power constraint. The results show that, in the MIMO-based AN scheme, when the number of receive antennas is not less than the number of transmit antennas or the CSI is inaccurately estimated, the AN signal cannot be completely eliminated at the legitimate receiver and severely reduces its SINR. Conversely, the proposed DSST scheme achieves a better performance without CSI knowledge. This finding reveals that the DSST scheme has good adaptability and is not limited by various realization conditions. Further, under the same QoS requirement, the DSST scheme is more energy-efficient. This is because the DSST scheme fully uses the multi-hop mechanism in the vehicle platoon to minimize the negative impact of jamming signals on the legitimate receiver. It is also noticed that the performance of the (n − 1) th hop is slightly worse than that of the nth hop due to the existence of self-interference when the legitimate receiver transmits the jamming signal itself. When the jamming signal does not affect the legitimate receiver (i.e., the nth hop of the DSST and MIMO-based AN schemes with accurate CSI as well as N t > N r = N e ), the comparison scheme performs better than the proposed scheme. An advantage of the MIMO-based AN scheme is its ability to improve the SINR of the legitimate receiver through precoding. Fortunately, the proposed scheme does not contradict the MIMObased scheme, as the MIMO technique can be equipped in vehicles to achieve improved performance. From the analysis, we believe that the proposed DSST scheme can exhibit superiority in adaptability, especially due to the dynamics of the platoon and uncertainty of eavesdroppers.

Conclusion
In this work, we proposed a secure transmission scheme, called DSST, to protect the vehicular platoon communication against eavesdropping attacks. Considering a multihop communication mechanism in the vehicular platoon, the scheme used a similar concept to cooperative jamming and consequently makes the neighboring vehicles function as relays and shielders; hence, the impact of jamming signals on the legitimate receiver can be effectively minimized. Unlike typical technologies of physical layer security, the proposed DSST scheme does not require the transmitter to know the CSI of the eavesdropping or the legitimate link. We used the vulnerable link to derive the security performance of the local system under the DSST scheme. The performance of various scenarios was evaluated based on the numerical results, and comparisons with the MIMO-based AN scheme were presented. Specifically, numerical results verified the feasibility and effectiveness of the proposed scheme. When CSI cannot be accurately acquired, the proposed scheme can achieve higher secrecy capacity than the compared scheme. In our future research, we will focus on considering the specific design of jamming signals and attempt to enhance the DSST scheme by incorporating the MIMO technique to further improve the system performance.