Physical Layer Security - from Theory to Practice

A large spectrum of technologies is collectively dubbed physical layer security (PLS), ranging from wiretap coding, secret key generation (SKG), authentication using physical unclonable functions (PUFs) and localization / RF fingerprinting to anomaly detection monitoring the physical layer (PHY) and hardware. Despite the fact that the fundamental limits of PLS have long been characterized, incorporating PLS in future wireless security standards requires further steps in terms of channel engineering and pre-processing. Reflecting upon the growing discussion in our community, in this critical review paper we ask some important questions with respect to the key hurdles in the practical deployment of PLS in 6G, but also present some research directions and possible solutions, in particular our vision for context-aware 6G security that incorporates PLS.


I. INTRODUCTION
In 1949, Shannon introduced the concept of perfect secrecy [1] and demonstrated that XOR-ing a message m with a uniform random key k of the same length to obtain a ciphertext c = m ⊕ k provides perfect secrecy, i.e., for one-time pad schemes it can be shown that H(m|c) = H(m), where H(·) denotes entropy. Although the one-time pad is impractical, it showcases that randomness to induce equivocation is a cornerstone of confidentiality, i.e., given enough confusion at the adversarial end, provably unbreakable crypto systems can be developed.
This idea forms the basis of PLS and in particular of wiretap coding. In Wyner's pioneering work [2], it was demonstrated that excess noise in the link to an eavesdropper can be exploited for keyless transmission of confidential messages, while guaranteeing reliability. For additive white Gaussian noise (AWGN) channels [3] and the general class of symmetric channels [4], the maximum rate at which both reliability and confidentiality can be simultaneously guaranteed, referred to as the secrecy capacity, is equal to the excess capacity of the legitimate link with respect to the eavesdropper's link. A few years later this idea was generalized to the broadcast wiretap channel by Csiszár and Körner [5].
Since then, the idea of exploiting entropy sources at PHY to achieve specific security goals has been extensively researched [4], [6], [7]; apart from confidentiality using wiretap coding, opportunities for key generation and distribution, user and device authentication and resilience to PHY denial of service attacks have been identified.
A mature research direction is that of secret key generation (SKG) from a common random source. Given the observations of this source both by authorized users and by an eavesdropper, the fundamental limits on the key generation rates were derived in [7]. In communications, especially wireless, the propagation channel itself can be such a random source, allowing it to be used to distill secret keys, which can be used for pairing and encryption. The corresponding procedures are well studied and numerous practical demonstrators have been developed [8], along with concrete countermeasures in the case of active attacks [9], [10].
With respect to authentication, key approaches include physical unclonable functions (PUFs), localization-based authentication and RF fingerprinting. PUFs exploit the unclonable variability in hardware manufacturing processes for authentication, while localization and RF fingerprinting are widely used soft authentication factors [11].
Integrating the above-mentioned technologies into communication systems comes with the promise of a new breed of lightweight, quantum resilient, low-latency, low-footprint and scalable security schemes. However, after decades of research, the deployment of practical PLS solutions is still in its infancy and has met significant resistance. In this paper, we first discuss whether a fundamental change in security is actually necessary in order to ensure trustworthy future generations and will try to show the importance of PHY when evaluating trust in future wireless networks. Then, we will discuss some of the key reasons behind the lag between theory and practice in PLS, and propose a roadmap to bridge the gap between theoretical analysis and products. Finally, we will present our more general vision for an intelligent, context-aware 6G security, incorporating the physical layer for the first time.
The rest of the paper is organized as follows. In Section II we discuss the reasons why PLS is pertinent to 6G. Section III presents the current state-of-the-art in PLS, along with open research issues, while Section IV presents future perspectives and concludes the paper.
Until recently, trust for the autonomous agents has primarily focused on the trustworthiness and explainability of the artificial intelligence algorithms that govern them, e.g., using coalitional game theory tools such as Shapley values, evidence theory, etc. [12]. At the same time, reputation-based and crowd-vetting approaches have been widely investigated, e.g., [13], [14].
A game changer in this area is that it has recently been shown that anomalies in the behaviour of cyberphysical agents can actually be inadvertently identified from behavioural aspects; the first to be explored is naturally related to agent positioning. As an example, in [15] the angle of arrival has been used to identify Sybil attacks in robotic systems, while in the same direction range estimation has been used in [11] to provide resilience against more general impersonation attacks. This direction of research hinges on the potential incorporation of PLS-based authentication approaches in trust measures for autonomous agents in 6G. Opportunities to provide not only high data rates, but also high-precision ranging and localization to enhance trust need to be systematized by our community.
With respect to trustworthy computation, a key aspect has to do with decentralization, e.g., blockchain technologies, federated learning, crowd-sourcing, private computation [16], [17], [18] and private information retrieval are among the technologies currently explored [19], in conjunction with isolation and composability of hardware platforms. Up to now, evaluating the trustworthiness of computation is a task perceived to belong entirely to the digital domain. It remains to be seen whether hardware monitoring will in the future make it possible to identify untrustworthy computation and, importantly, help recognise the existence of backdoors in hardware originating from untrusted vendors.
Challenges also arise in securing the sensing layer itself and rendering it resilient to denial of service and man-in-the-middle attacks. Work on distributed anomaly detection in software defined wireless sensor networks [20] has demonstrated that it is possible in large scale IoT networks to monitor hardware behaviour (memory usage, power consumption, Tx/Rx times, etc.) to identify compromised or faulty sensors. Exploring further aspects, including passive and active attacks on sensing, along with related privacy concerns, is paramount for a trustworthy 6G.
Finally, the links between autonomous cyberphysical agents will be vital to determine their behaviour, e.g., in the case of platooning. To this end, unarguably, the security protocols of fifth generation systems are a significant improvement with respect to LTE, resolving many, albeit not all, open issues in older generations of wireless. In particular, securing wireless links under overly aggressive latency constraints, scaling authentication and key distribution to massive numbers to accommodate massive Internet of things (IoT) while providing quantum resistance for constrained devices, persist as open challenges at present, despite recent standardization of four post-quantum cryptographic algorithms from NIST. To address all of these issues, PLS technologies emerge as competitive alternatives or complementary schemes to standard cryptography.
We have showcased that 6G trustworthiness needs to include trust of the physical world and infrastructure across the board. A glimpse towards some of the security features that PLS can bring into the 6G world is given in Fig. 1. The figure illustrates that physical aspects, e.g., hardware, location, link, behavior, sensing, could bring an additional (and important) set of properties that could help in ensuring trustworthiness in 6G. In the following sections, we focus entirely on the trustworthiness of the communication links. In particular, delving deeper into PLS, we provide an overview of the state-of-the-art and explain how current limitations can be overcome to fulfill the need, as well as the promise, for security controls at all layers, including at the physical layer, for the first time in 6G.

III. PLS - STATE-OF-THE-ART AND OPEN ISSUES
In this section, we will review only some of the key contributions in the PLS literature. More importantly, we will identify key open issues that should be addressed before practical deployment.

A. Keyless transmission of confidential messages
The interest in PLS research is motivated by two pioneering works by Shannon and Wyner, who introduced the concepts of perfect secrecy and wiretap channel, respectively [1], [2]. In [1], Shannon considered a noiseless system in which a transmitter (referred to as Alice) sends a coded message to a receiver (referred to as Bob) under the constraint of keeping it confidential from an eavesdropper (referred to as Eve). He proved that this is possible by a transformation that generates codewords in the null space of Eve's observations, a condition referred to as perfect secrecy and which can be fulfilled by a one-time-pad scheme as long as the key entropy is larger than the message entropy.
In reality, however, wireless links are noisy. Thus, Wyner extended the scheme to a more realistic system model by considering a discrete memoryless channel [2]. Based on this model, he derived the secrecy capacity for the case of degraded wiretap channels, which was later generalized to the non-degraded case by Csiszár and Körner [5]. The secrecy capacity region, under the assumption of perfect CSI knowledge at the transmitter, has been characterized for different setups, including multiple input multiple output (MIMO) scenarios [21].
Furthermore, the concept of secrecy degrees of freedom (SDoF) has been introduced as an alternative metric to simplify calculations [22]. Using the SDoF, another important conclusion was made: achieving perfect secrecy when only imperfect CSI is available is possible only when asymmetric statistical properties are present for the channels towards both receivers. In this sense, when the channels have symmetrical properties, positive SDoF can be ensured by paying the cost of additional overhead in terms of side information used to introduce asymmetry at the encoder [21]. Given this result, it is clear that the quality of the CSI can play a vital role in the achievable secrecy.
In this regard, an important result has been published in [23] showing that even outdated CSI at the transmitter can be used towards increasing the SDoF. The general idea is that delayed CSI can be successfully incorporated towards interference alignment between users. While these are encouraging findings, further research is still needed to render such secrecy mechanisms possible in a more general context. We note in passing that the idea of artificial noise injection has attracted a lot of attention. However, it seems unlikely that such approaches will be used in practice, at least in the near future, due to strict regulations for the levels of electromagnetic radiation and the need for lowering energy consumption across the board.
Another critical aspect is the availability of the eavesdropper's CSI at the transmitter, which is highly unlikely in many actual scenarios. To overcome such difficulties, one possible metric is the secrecy outage probability (SOP), which is given by where C_S denotes the secrecy capacity and R denotes a target secrecy rate. Closely related is the probability of nonzero secrecy capacity, defined as In [24] it was shown that even in THz systems, weak directivity results in large insecure areas, while in [25] it is shown that although such areas can be minimized they cannot be fully eliminated. Therefore, at the moment, even with ultra-massive MIMO systems and pencil-sharp beamforming, it remains an open question how to guarantee zero information leakage without any assumptions regarding the adversarial position, the numbers of antennas, cooperation between distributed adversarial actors, etc. Partially controllable channels, e.g., using intelligent reflective surfaces, could be worth investigating in this respect to facilitate channel engineering.
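The following added example (not code from the paper) estimates the two metrics named above when the transmitter knows only the average SNRs of Bob and Eve. It assumes the usual definition SOP = Pr(C_S < R), the AWGN secrecy capacity as the excess capacity of the legitimate link, and independent Rayleigh fading on both links; the function names and the sample SNR values are constructed for illustration.

```python
import math
import random


def secrecy_capacity(snr_bob, snr_eve):
    """Excess capacity of the legitimate link over Eve's link, floored at zero."""
    return max(0.0, math.log2(1 + snr_bob) - math.log2(1 + snr_eve))


def sop_monte_carlo(mean_snr_bob, mean_snr_eve, rate, trials=20000, seed=7):
    """Estimate Pr(C_S < rate) by drawing instantaneous SNRs.

    Under Rayleigh fading (assumption) the instantaneous SNR is exponentially
    distributed around its mean.
    """
    rng = random.Random(seed)
    outages = 0
    for _ in range(trials):
        snr_b = rng.expovariate(1 / mean_snr_bob)
        snr_e = rng.expovariate(1 / mean_snr_eve)
        if secrecy_capacity(snr_b, snr_e) < rate:
            outages += 1
    return outages / trials


def sop_closed_form(mean_snr_bob, mean_snr_eve, rate):
    """Closed form of Pr(C_S < rate) for rate > 0 under the same assumptions."""
    k = 2 ** rate
    return 1 - mean_snr_bob / (mean_snr_bob + k * mean_snr_eve) * math.exp(
        -(k - 1) / mean_snr_bob
    )


def prob_nonzero_secrecy(mean_snr_bob, mean_snr_eve):
    """Pr(C_S > 0): the chance that Bob's instantaneous SNR exceeds Eve's."""
    return mean_snr_bob / (mean_snr_bob + mean_snr_eve)


if __name__ == "__main__":
    # Constructed scenario: Bob at 20 dB average SNR, Eve at 10 dB, R = 1 bit/s/Hz.
    print("SOP (simulated):  ", sop_monte_carlo(100, 10, 1))
    print("SOP (closed form):", sop_closed_form(100, 10, 1))
    print("Pr(C_S > 0):      ", prob_nonzero_secrecy(100, 10))
```

Even with a 10 dB average advantage for Bob, the outage probability stays well above zero, which is the practical reason a deployment cannot promise a fixed secrecy rate without assumptions about Eve's channel.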
Furthermore, efficient CSI estimation is key for wiretap coding; an example using ray-tracing tools is depicted in Fig. 2. This could be propelled in 6G by online learning together with location-based channel estimation. Extensive related works have already appeared for mmWave and THz bands.
A further issue concerns the security guarantees in the finite blocklength [26], as opposed to asymptotic results or very special channel models [27], [28]. In [26] the achievable secrecy rate was shown to be a function of (i) the blocklength, (ii) the error rate and (iii) the information leakage, i.e., at finite blocklengths it is impossible to guarantee zero information leakage. In Fig. 3, a comparison is provided between the lower bound on the achievable secrecy rates of Reed-Muller and polar codes for a semi-deterministic wiretap channel where the main channel is noiseless and the wiretap channel is a binary-erasure channel with erasure probability p = 0.4 and information leakage δ = 0.001, with the second-order approximation secrecy rate [29].
Despite the above negative remarks, wiretap coding could be key among PLS security schemes for 6G. Although strong confidentiality guarantees seem to be unattainable in realistic propagation scenarios due to either radiation leakage in mMIMO arrays, imperfect CSI estimation, or information leakage in finite blocklengths, we can envision its use for privacy purposes, geofencing or for statistical based measures of trust in wireless links. Indeed, adaptive security controls are needed for future, highly heterogeneous systems. By adaptive security we describe a dynamic security engine, always aiming at delivering the best security possible in a given context. A framework for the development of related schemes is offered by quality of security (QoSec), which describes the "degree of security" in a measurable manner [30]. We argue that a more holistic view on QoSec is needed, incorporating wiretap coding for privacy.

B. Secret key generation (SKG)
Typically, the SKG process consists of three phases [7], [31], [32] as depicted in Fig. 4. In the first phase, referred to as shared randomness distillation, Alice and Bob observe a common random source, and their observations, denoted by Y_A, Y_B, respectively, are dependent random variables. An eavesdropper, referred to as Eve, observes Y_E, which may be correlated or not to Y_A and Y_B. In wireless channels, a readily available source of shared randomness is the multipath fading, which is caused by reflections, diffraction and scattering from a random environment. In case the same frequency is used, the equivalent baseband channel between two nodes is reciprocal during the coherence time [33]. These observations are typically done by sampling the channel either in time, frequency or both, followed by a quantization process. Although the channel is reciprocal, transceivers at Alice and Bob will have different RF-chain impairments, different noise and interference realisations, and, in TDD systems, they will sample the channel at different instants. This means that their observations will not be exactly the same, and thus information reconciliation is performed with the exchange of side information V. This step has to necessarily be followed by privacy amplification, in which the key size is adjusted to take into account possible information leakage to the eavesdropper by estimating the conditional min entropy.
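The three phases can be traced end to end in the following added example, which is not code from the paper. It assumes a one-bit median quantizer, Hamming(7,4) syndromes as the public side information V, and SHAKE-256 standing in for a universal hash during privacy amplification; all function names, parameters and the simulated channel are constructed for illustration.

```python
import hashlib
import random
import statistics

BLOCK = 7  # Hamming(7,4): 3 syndrome bits are disclosed for every 7 raw bits


def quantize(samples):
    """One-bit quantizer: 1 if the sample lies above the median observation."""
    threshold = statistics.median(samples)
    return [int(x > threshold) for x in samples]


def syndrome(block):
    """Hamming(7,4) syndrome: XOR of the 1-based positions that hold a 1."""
    s = 0
    for pos, bit in enumerate(block, start=1):
        if bit:
            s ^= pos
    return s


def side_information(bits):
    """Public message V sent by Alice; len(bits) must be a multiple of BLOCK."""
    return [syndrome(bits[i:i + BLOCK]) for i in range(0, len(bits), BLOCK)]


def reconcile(bits, alice_syndromes):
    """Bob repairs at most one disagreement per block; two or more disagreements
    in a block are miscorrected, so a key-confirmation step is still needed."""
    fixed = list(bits)
    for n, s_alice in enumerate(alice_syndromes):
        start = n * BLOCK
        diff = s_alice ^ syndrome(fixed[start:start + BLOCK])
        if diff:  # diff is the 1-based position of a single mismatch
            fixed[start + diff - 1] ^= 1
    return fixed


def privacy_amplify(bits, leaked_bits, eve_bits=0):
    """Shrink the key by what V disclosed plus an estimate of Eve's knowledge.
    SHAKE-256 replaces a universal hash here (assumption)."""
    secret_bits = len(bits) - leaked_bits - eve_bits
    if secret_bits < 8:
        raise ValueError("no secrecy left after accounting for leakage")
    return hashlib.shake_256(bytes(bits)).digest(secret_bits // 8)


def run_skg(alice_obs, bob_obs, eve_bits=0):
    """Quantize, reconcile and amplify; returns (Alice's key, Bob's key)."""
    a_bits, b_bits = quantize(alice_obs), quantize(bob_obs)
    usable = len(a_bits) - len(a_bits) % BLOCK
    a_bits, b_bits = a_bits[:usable], b_bits[:usable]
    v = side_information(a_bits)
    b_fixed = reconcile(b_bits, v)
    leaked = 3 * len(v)
    return (privacy_amplify(a_bits, leaked, eve_bits),
            privacy_amplify(b_fixed, leaked, eve_bits))


def simulate(seed=1, n=448, noise=0.1):
    """Constructed channel: Alice and Bob see the same fading gain plus their own
    receiver noise, Eve sees an independent gain. Returns bit disagreement rates."""
    rng = random.Random(seed)
    gain = [rng.gauss(0, 1) for _ in range(n)]
    a = quantize([g + rng.gauss(0, noise) for g in gain])
    b = quantize([g + rng.gauss(0, noise) for g in gain])
    e = quantize([rng.gauss(0, 1) for _ in range(n)])
    b_fixed = reconcile(b, side_information(a))

    def rate(x, y):
        return sum(p != q for p, q in zip(x, y)) / n

    return {"bob_before": rate(a, b), "bob_after": rate(a, b_fixed), "eve": rate(a, e)}


if __name__ == "__main__":
    print(simulate())
```

The `eve_bits` argument is where an estimate of Eve's conditional min entropy would enter; the example only subtracts it, it does not estimate it.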
At the end of the SKG process, a common key K ∈ K is extracted at Alice and Bob, such that, for any > 0, the following statements hold [34]: where H(K) denotes the entropy of the key K and I(K; V) denotes the mutual information between K and V.
The first inequality demonstrates that the SKG process can be made error free; (4) ensures that the exchange of side information through public discussion does not leak any information to eavesdroppers; while (5) establishes that the generated keys attain maximum entropy (i.e., are uniform). Under the three conditions, an upper bound on the rate for the generation of secret keys is given by [7] min Assuming rich multipath environments, the decorrelation properties of the wireless channel over short distances can be exploited to ensure that Eve's observation Y_E is uncorrelated with Y_A and Y_B [35], [36], [37], [33], [32]; in this case, the SKG capacity is given by [34, Sec. II] However, this condition is rarely met in real life. In particular, correlations and dependencies in four domains (space, time, frequency and antenna) between Alice's, Bob's and Eve's observations have to be taken explicitly into account. While subsampling in the time, frequency and antenna domains can constitute simple approaches to re-create a memoryless channel, so that the observations between Alice and Bob are independent from the observations of Eve along these domains, correlations and dependencies in space need, on the other hand, to be taken explicitly into account. Preprocessing steps to address these issues have recently been reported in [38], [39].
Furthermore, active attacks have been addressed in [9], [10] and hybrid designs of authenticated encryption leveraging SKG along with symmetric block ciphers have appeared in [32]. As a result, SKG emerges as one of the most mature and promising PLS technologies for 6G. Clearly, SKG will be helpful in use cases where key distribution is a major issue, such as massive IoT, addressing scalability in constrained devices that cannot run public key encryption handshakes (or their corresponding post-quantum counterparts).
SKG is a mature technique, but one of its major challenges is that the achievable key generation rate depends on the channel statistics. However, upper layers will require a minimum or at least a known rate. Understanding how the achievable rate depends on the channel parameters was the subject of several papers [40], [41], but is still an open issue. Furthermore, parts of the SKG algorithm itself, like the sampling rate in time and frequency, and the CSI quantizer, should also be optimized according to the channel properties.
Another practical issue is that SKG depends on the availability of reliable CSI information. However, existing wireless chipsets usually do not provide this information, and, even if they did, they would have to be trusted to provide the correct information. An alternative, using a separate encryption box, was proposed in [42].
As a final note, other entropy sources can be exploited for key distillation, e.g., by leveraging the sensing layer and can be further exploited for device pairing.

C. Physical unclonable functions and biometrics
Some of the most prominent authentication techniques that come from the physical layer are physical unclonable functions (PUFs) and biometrics. The idea of PUFs is to authenticate devices using the unique properties of integrated circuits (ICs). Such properties appear due to unpredictable variations during their fabrication process. To build a protocol, such variations are typically used in a challenge-response manner. Depending on the PUF architecture, a challenge could refer to measuring gate delays, power-on state or other variable features.
A popular architecture, illustrated in Fig. 5, is the arbiter PUF. The scheme is based on the transmission of rising edge signals through two "identical" delay paths, each composed of a series of switching elements. Due to variation properties, the delay required for each signal to pass through the trace will be different. A challenge to this scheme, as illustrated in Fig. 5, is a bit sequence that defines the configuration of the switching elements; and a response is a single bit output that defines which signal arrives first at the end. Depending on the number of challenge-response pairs (CRPs) that a PUF can support, architectures are divided into two groups: weak and strong PUFs. The number of CRPs of a weak PUF increases linearly or polynomially with the component blocks (some architectures support only a single CRP) and the number of CRPs of a strong PUF increases exponentially with the component blocks. In this sense, the arbiter PUF is considered to be a strong PUF.
Following from the discussion above, biometrics can be seen as a weak PUF structure that measures unique birthmarks of human users (as opposed to devices). Such features include voice, palm vein, iris, behavioral biometrics and more. Each of these features can produce a single CRP for user authentication. In this sense, building a PUF-based or a biometric-based authentication protocol requires identical steps:
Enrollment - this step is carried out offline on a secure channel. During enrollment, a set of responses R_1, ..., R_i ∈ R (biometric or PUF) are collected by running a set of challenges C_1, ..., C_i ∈ C. Additionally, the measurement noise of the process is characterized in order to generate helper data hd. An authenticator creates a database where CRPs and helper data are associated to a particular user/device.
Authentication - during the online authentication step, the authenticator sends a random challenge C_i from its database to the corresponding user, requesting it to reproduce the response R_i. The user then replies with its PUF or biometric measurement R'_i. Due to the presence of noise, the newly generated response will differ from the one generated during enrollment, i.e., R'_i ≠ R_i; therefore the helper data is used in a reconciliation decoder to regenerate R_i, in which case authentication is successful. To prevent replay attacks a CRP should never be reused, or other measures should be taken, e.g., time stamps. Next, some key issues in the application of such authentication approaches are discussed.
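The enrollment and authentication steps above, including single use of each CRP, are shown in the following added example, which is not code from the paper. It assumes code-offset helper data over a length-5 repetition code, a keyed hash standing in for the physical PUF or biometric sensor, and an authenticator that stores only a digest of each response; all names and sample values are constructed.

```python
import hashlib
import hmac
import secrets

REP = 5            # repetition-code length: tolerates 2 bit flips per block
RESP_BITS = 255    # response length, a multiple of REP


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def rep_encode(bits):
    return [b for b in bits for _ in range(REP)]


def rep_decode(bits):
    # Majority vote inside each REP-bit block.
    return [int(sum(bits[i:i + REP]) > REP // 2) for i in range(0, len(bits), REP)]


def digest(bits):
    return hashlib.sha256(bytes(bits)).digest()


def device_response(silicon, challenge, flips=()):
    """Stand-in for the PUF or biometric sensor (assumption): a keyed hash plays
    the role of the physical variations; `flips` injects measurement noise."""
    raw = hashlib.sha256(silicon + challenge).digest()
    bits = [(byte >> k) & 1 for byte in raw for k in range(8)][:RESP_BITS]
    for pos in flips:
        bits[pos] ^= 1
    return bits


def make_helper(response):
    """Code-offset helper data: hd = R xor C(s) for a fresh random s."""
    s = [secrets.randbits(1) for _ in range(len(response) // REP)]
    return xor(response, rep_encode(s))


def regenerate(noisy, hd):
    """Reconciliation decoder: map a noisy reading back to the enrolled response."""
    codeword = rep_encode(rep_decode(xor(noisy, hd)))
    return xor(codeword, hd)


class Authenticator:
    def __init__(self):
        self.unused = {}    # device id -> list of (challenge, digest(R), hd)
        self.pending = {}   # device id -> the one outstanding CRP

    def enroll(self, device_id, crps):
        # Offline, over a secure channel. Storing digest(R) instead of R is a
        # choice made for this example (assumption).
        self.unused[device_id] = [(c, digest(r), make_helper(r)) for c, r in crps]

    def issue_challenge(self, device_id):
        # pop() retires the CRP the moment it is issued, so it is never reused.
        crp = self.unused[device_id].pop()
        self.pending[device_id] = crp
        return crp[0]

    def verify(self, device_id, reply):
        # A reply is accepted only against the outstanding challenge, once.
        crp = self.pending.pop(device_id, None)
        if crp is None or len(reply) != RESP_BITS:
            return False
        _, expected, hd = crp
        return hmac.compare_digest(digest(regenerate(reply, hd)), expected)


if __name__ == "__main__":
    silicon = b"constructed-device-variations"
    auth = Authenticator()
    auth.enroll("dev", [(c, device_response(silicon, c)) for c in (b"c1", b"c2")])
    challenge = auth.issue_challenge("dev")
    noisy = device_response(silicon, challenge, flips=(0, 1, 7))
    print("noisy reading accepted:", auth.verify("dev", noisy))
    print("same reading replayed: ", auth.verify("dev", noisy))
```

The error tolerance that absorbs measurement noise also widens the set of accepted responses, so the code length and response length have to be chosen together.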
First, a topic that is seeing growing interest is the privacy of biometric data. To perform biometrics-based authentication, the collected measurements are normally passed through third-party authentication servers. This may lead to privacy leakage, i.e., users are clueless about how and where their data is stored or used. Furthermore, as biometrics are permanent features, if adversaries get access to the collected data they could use it to build a human-digital twin. Therefore, it is important that biometric protection techniques are employed. One approach that can be used to avoid storing biometric data is through the use of homomorphic encryption [43]. In such a scheme, performing an operation on the encrypted data is equivalent to performing the same operation on the plaintext. Hence, users can provide only encrypted biometric data to authenticate themselves without revealing sensitive content. However, homomorphic encryption requires complex and slow operations, i.e., it is not suitable for constrained devices and low-latency scenarios. In this sense, further research on lightweight and secure biometric protection is required.
Another important topic that has to be addressed concerns the unclonability and randomness of PUFs. First, due to the low number of CRPs supported by weak PUFs, they are susceptible to exhaustive search attacks. Strong PUFs, on the other hand, have a large CRP space, which makes exhaustive search attacks impractical. However, the interactive fashion of executing the authentication protocol described above can leak numerous CRPs and, in specific cases, helper data streams. It has been shown that an attacker can use the leaked information in machine-learning (ML) algorithms to successfully model a PUF [44]. One direction that can help solve this issue is the introduction of more complex structures, e.g., XOR-ing the outputs of multiple PUFs, as opposed to using their individual outputs, can already prevent multiple ML modelling attacks [45]. This gives a shorter but unpredictable sequence.
Another approach is the combination of different PLS schemes, e.g., PUFs and SKG [11]. During the authentication procedure both parties can generate a shared secret key. The key can then be used to encrypt and hide the transmission of CRPs and/or helper data, avoiding leakage to adversaries. Another issue concerning the uniqueness of PUFs is their initial min-entropy, i.e., the randomness of their outputs. A low min-entropy of a PUF (i.e., there is a tendency to produce more 0s or 1s) opens up the chance for statistical inference attacks. Therefore the design of high-entropy PUF architectures is another important research topic.
Finally, it is important to identify appropriate use cases for both biometrics and PUFs. There are already a variety of commercial products for both PUF [46] and biometric authentication [47]; however, as noted above, when either of the techniques is used as a single authentication factor there might be serious concerns. Therefore, the combination of PUF, biometrics and other authentication factors can be used towards building a secure and reliable multi-factor authentication. Scenarios where such an approach might be beneficial include eHealth (e.g., for accessing medical records), smart factories (e.g., for access control) and commercial applications (e.g., online banking). What is important to mention is that these schemes are not here to replace authentication handshakes but to contribute to their efficient and lightweight implementation.

D. Location-based authentication and RF fingerprinting
Apart from PUF authentication, there are other PHY-based authentication techniques which can be categorized into two types, i.e., RF-based and location-based.
RF-fingerprinting is the process of measuring the unique, stable and long-term imperfections of analog front-ends in wireless transceivers and wireless communication links [48]. Unlike PUFs, however, there is no guarantee of unclonability. Some of the typically considered imperfections include in-phase/quadrature-phase (IQ) imbalances, oscillator drifts, digital-to-analog conversion, power-amplifier non-linear characteristics, carrier frequency offset, etc. The general idea of RF-based authentication is illustrated in Fig. 6 and explained briefly below.
An RF-fingerprint based authentication protocol consists of two phases. First, offline processing is carried out, where an authenticator captures a set of signals, extracts representative features and creates a classification function that maps features to a particular class, e.g., legitimate and not (optimally, the estimated features would perfectly describe all RF-imperfections of the transmitter). Next, during the online authentication phase, features of the received signals are measured and subsequently passed through the classifier (typically implemented as a hypothesis test).
Location-based authentication relies on relating more specifically a node to a particular location. In detail, an authenticator should first obtain reliable information concerning the position of other nodes (e.g., a map that contains coordinates of other users). Next, the authentication process is based on online localization of users and comparing their estimated location to earlier stored coordinates. Authentication is successful if the estimated position passes a hypothesis test.
As an example, the angle of arrival (AoA), time of arrival (ToA) and RSS-based methods [49] have all been used for localization-based authentication. In AoA based systems, receivers are expected to measure the angle of arriving signals, and, hence, must be equipped with an array of antennas. Depending on the number of available reference points, the angle information can be used towards direction or position finding. In ToA systems, to allow receivers to measure the distance to the transmitter, time stamps are appended to the transmitted packets. To obtain accurate measurements, devices must have synchronized clocks. Finally, in RSS-based techniques, location can be determined by RSS measurements (i.e., channel fingerprints).
A major advantage of both RF and location based authentication is that they enhance trust. Naturally, there are still challenges that must be addressed. Some of them are listed below. A major challenge comes from the increasing complexity in wireless systems, i.e., the chain of transmitter, channel and receiver. The two main approaches currently used to describe and optimize the system parameters are: i) a model-based approach (e.g., using communication theory) where end-to-end communication is modelled as a set of blocks and each block can be parameterized and optimized independently, and ii) a model-free approach (e.g., using machine learning techniques) where the whole system can be modelled and optimized as a single block [50]. The former approach is typically static, and, hence, performs well in stable environments. However, it could hardly capture the changes in dynamic environments. The latter approach has shown more success in complex environments but it usually requires a great amount of training data and more computational power; hence, it is not well-suited for lightweight devices.
The observations above indicate that a trade-off must be identified. First, the complexity of the environment (including number of devices, mobility, etc.) must be taken into account, i.e., devices should be able to adaptively switch between static and dynamic approaches. Recent practice leverages an initial approximate model and only uses training data to fine tune the representation.
Secondly, the complexity of the approach should depend on the capabilities of the device. Overall, RF-based authentication would typically require high sensitivity at the receiver (e.g., spectrum analyzer) to identify the unique imperfections of the transmitter. Hence, RF-based authentication might be more suitable for unilateral authentication, i.e., access points identifying users. On the other hand, location-based authentication could be well suited for low-end devices and hence, when available, could easily provide mutual authentication. Similarly, depending on the channel conditions (e.g., SNR, LoS or NLoS) and system parameters (number of subcarriers, antennas, etc.) RF-based authentication might be preferable over location-based, and vice versa.
Another important issue concerns the accuracy of the collected location and RF information. Some of the factors that affect accuracy are: choice of classification and loss functions, channel quality, choice of metrics and mobility of users. As discussed earlier, both of the authentication approaches rely on a pre-filled database (e.g., a channel model, a trained neural network or a downloaded map); however, during the authentication phase devices would observe noisy and time-varying features.
A promising research direction is online learning of the channel and feature selection aided by dimensionality reduction, to enable real-time analysis of multidimensional data [51]. Furthermore, a combination of features could also be considered for particular scenarios.
Another topic that is gaining more attention due to the expected joint communication and sensing capabilities of 6G communication devices is waveform design. Finding suitable waveforms that perform well for both communication and sensing would automatically improve authentication accuracy (e.g., of location-based methods) without causing additional overhead. Overall, continuous monitoring is required to adaptively change the authentication rules based on the variance of the collected features.
Next, one of the most important issues to be solved before adopting RF/location-based authentication approaches is related to the threat model. While all cryptography-based authentication protocols have a unified threat model, i.e., the well-known Dolev-Yao model, PHY-based techniques are typically based on different assumptions for the adversary.
For example, location-based authentication might falsely identify an attacker as a legitimate user if the former is in close vicinity to the latter. Therefore, as noted in the previous subsection, multi-factor authentication must be considered. Instead of relying on a single feature, devices should capture, combine and classify based on multiple features; this will make an attack harder, as the attacker would need to impersonate all of them. For RF fingerprinting methods, it is also important to mention that the underlying security features must be carefully chosen.
Another issue is that studies would typically focus on a single attack, e.g., spoofing (multiple devices, same ID), Sybil attacks (one device, multiple IDs), jamming or injection attacks, but there are only a few that consider all. This is a problem that clearly has to be addressed. It is important that a unified model that captures all threats present in wireless authentication is proposed. As noted earlier, authentication should not be a static process and therefore the model should involve variable parameters, e.g., depending on the carrier frequency and application, different channel and location correlation should be assumed for possible eavesdroppers [51].
Finally, we discuss possible use cases where RF/location-based authentication could be beneficial for the system's security. Access points and base stations are static. As a result, location could be easily introduced as an additional authentication factor to counteract false base station attacks by using inverse localization (user locating the BS) [11].
Furthermore, it could also allow APs and BSs to track devices; hence, an AP could easily predict the time when a device will leave a cell and enter a neighbouring one. Then, information could be transferred between APs to speed up authentication for the device handover [48].
Another possible approach for identifying adversarial users could be through the uniqueness of antenna arrays in massive MIMO communication, e.g., the beam patterns from different devices will differ even if they are co-located. This can be used by authenticators to identify users in close proximity. A specific application is the sector level sweep (SLS) mechanism introduced in standards such as IEEE 802.11ad for 60 GHz mmWave WLAN. SLS is the technique that identifies the beam pattern with optimal channel gains. In fact, it has already been shown that the sweeping patterns could be used as a unique and reliable source to counter spoofing attacks [52].
One of the main advantages of RF/location-based authentication is that both can provide per-packet authentication. In this sense, it is clear that both techniques could, apart from authentication, contribute to methods such as anomaly detection and trust building.
The discussion above gives some initial ideas on how RF and location information could contribute to the system's security. However, there are still open issues that need to be addressed before their full integration into the standards. Depending on the application, different problems may arise. For example, if considering a human-device, the authentication would typically be end-to-end; if considering a fully autonomous system, authentication would be device-to-device [48]. An important research topic, for both cases, is the development of cross-layer security protocols, in particular, how upper layers should access, process and use PHY information. Answering this question could pave the way for new lightweight, cross-layer security solutions.

IV. FUTURE PERSPECTIVES: CONTEXT AWARE 6G SECURITY INCORPORATING THE PHY
We are entering a new era of massive connectivity of autonomous cyber-physical agents, equipped with enhanced sensing, processing, and learning capabilities. In the respective networks, the devices involved will be highly heterogeneous (from RFIDs to autonomous vehicles), will be manufactured by different vendors without homogeneous processes and will operate under unprecedentedly diverse constraints (power, latency, computational and memory resources), all of which are challenging for security. Two further challenges that need to be taken into account include the introduction of AI and ML (6G will be the first native AI generation) and resistance against quantum computers.
Confidentiality, integrity, accountability, access control and privacy must be at the core of today's designs of future generations of intelligent networks. In the past, static security solutions were introduced as add-ons to earlier network design choices. A break from this paradigm is needed for the design of future security controls, primarily because:
• Static security solutions cannot scale efficiently while meeting latency, computation, power constraints, heterogeneity and lack of homogeneous production procedures;
• AI/ML introduces novel vulnerabilities, the full extent of which is yet unknown;
• It seems feasible for quantum computing to become commercially available.
The challenges ahead require a fundamentally different solution. To this end, looking beyond the current research horizon, a radically new, context-aware, AI-empowered roadmap for the design of intelligent and adaptive security controls is needed. This concept offers solutions to pressing needs, such as securing low-end IoT systems in the QoSec framework, or latency-constrained verticals, such as automotive and industrial IoT. In addition, privacy should be addressed by design; both by means of new engineering solutions (e.g., for sensing, localization, private computations, private information exchange) and of course through a new legal and regulatory framework.
In this framework, exploiting the characteristics of physical phenomena to provide security becomes pertinent. PLS can both complement conventional upper-layer security schemes and strengthen the overall trust and resilience of 6G. Different security solutions are attainable by exploiting novel opportunities such as sub-GHz to THz frequency bands, intelligent reflective surfaces, joint communications and sensing, localization and RF fingerprinting. Furthermore, the interplay between PLS and advances in artificial intelligence and machine learning, and the role of semantics and context-awareness in the deployment of PLS-based solutions, need to be considered.
With this in mind, Fig. 7 showcases our vision towards a context-aware PLS. As discussed throughout this paper, we do not believe that there exists a single PLS scheme that can be used in all possible scenarios. Instead, we think that a context-driven approach, which takes different PHY aspects into account, should be utilized.
Depending on the available contextual information, PLS schemes could be used as lightweight security solutions, towards ensuring trust. It is clear that PLS is a set of useful tools which can greatly contribute towards the security of future networks. This article has presented our vision and some concrete examples of what PLS can do for the future generation of wireless networks. However, while there is a vast theory behind all PLS schemes, a generalized practical perspective is still missing. Along with the advantages of PLS, we have also highlighted some of the major gaps in the area and hope that this will stimulate further research.

Fig. 2. Raytracing based received signal strength evaluation in an indoor environment (courtesy of Nokia Bell Labs Nozay).

Fig. 3. Comparison of the lower bound on achievable secrecy rates of Reed-Muller and polar codes for p = 0.4 and δ = 0.001, with the second order approximation secrecy rate.

Fig. 4. Secret key generation between Alice and Bob. Thanks to reciprocity, the quantizer outputs can be expressed as r_A = d ⊕ e_A, r_B = d ⊕ e_B. Using V, Bob corrects the errors to obtain r_A.
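
The reconciliation step in the Fig. 4 caption can be made concrete with a small added example, which is not code from the paper. It assumes that V is the syndrome of r_A under a Hamming(7,4) code applied to 7-bit blocks; the paper does not fix a code, and all function names and bit vectors below are constructed for illustration.

```python
# Added illustration: syndrome-based reconciliation over 7-bit blocks.
# Assumption: V is the Hamming(7,4) syndrome of r_A; the paper fixes no code.

# Parity-check matrix H: column j (1..7) is the binary expansion of j, so a
# single flipped bit at position j produces the syndrome that encodes j.
H = [[(j >> b) & 1 for j in range(1, 8)] for b in range(3)]

def syndrome(bits):
    """Return H * bits over GF(2) as a 3-bit tuple."""
    return tuple(sum(h & x for h, x in zip(row, bits)) % 2 for row in H)

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def alice_helper(r_a):
    """Alice's public helper data V. It reveals up to 3 bits of information
    about r_A, which privacy amplification has to remove afterwards."""
    return syndrome(r_a)

def bob_reconcile(r_b, v):
    """Bob's estimate of r_A from his own r_B and the public V."""
    # syndrome(r_B) xor V = syndrome(e_A xor e_B): the shared part d cancels.
    s = xor(syndrome(r_b), v)
    pos = s[0] + 2 * s[1] + 4 * s[2]   # 0 means the blocks already agree
    est = list(r_b)
    if pos:
        est[pos - 1] ^= 1              # flip the single disagreeing bit
    return est

def run(d, e_a, e_b):
    """Return (r_A, Bob's estimate) for constructed channel observations."""
    r_a, r_b = xor(d, e_a), xor(d, e_b)
    return r_a, bob_reconcile(r_b, alice_helper(r_a))

if __name__ == "__main__":
    d = [1, 0, 1, 1, 0, 0, 1]                      # constructed observation
    one = run(d, [0, 1, 0, 0, 0, 0, 0], [0] * 7)   # blocks differ in 1 bit
    two = run(d, [1, 0, 0, 0, 0, 0, 0], [0, 0, 0, 1, 0, 0, 0])  # 2 bits
    print("1-bit disagreement reconciled:", one[0] == one[1])
    print("2-bit disagreement reconciled:", two[0] == two[1])
```

With more than one disagreement per block the estimate silently differs from r_A, so Alice and Bob still need to compare a hash of the reconciled bits before using them as a key.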