Papers
Topics
Authors
Recent
Search
2000 character limit reached

CovertAuth: Secure mmWave Beam Alignment

Updated 6 July 2026
  • CovertAuth is a secure beam alignment framework for mmWave systems that blends covert signaling with physical-layer authentication using mutual coupling as a device fingerprint.
  • The framework optimizes beam-training budget and transmit power to balance alignment reliability, covert rate, and authentication accuracy while mitigating detection risks by adversaries.
  • It leverages unique hardware-induced beam distortions and robust detection methods to defend against both passive eavesdropping and active impersonation during the beam alignment phase.

Searching arXiv for the cited CovertAuth paper and closely related covert-authentication references. CovertAuth is a secure beam-alignment framework for millimeter-wave systems that jointly addresses two threats during the beam alignment phase: passive eavesdropping or detection, and active identity impersonation. It is formulated around the observation that beam alignment, unlike highly directional mmWave data transmission, has quasi-omnidirectional exposure and broadcast characteristics because pilot or training sequences are transmitted repeatedly across many candidate directions. CovertAuth therefore integrates a covert communication design for beam alignment with a physical-layer authentication mechanism that exploits mutual coupling in antenna arrays as a hardware fingerprint, so that beam training is both harder for an adversary to detect and harder to spoof (Teng et al., 11 Jul 2025).

1. Security objective and system model

CovertAuth models a three-entity mmWave system consisting of a legitimate base station Alice with NtN_t antennas, a legitimate user Bob with NrN_r antennas, and an adversary Eve with NtN_t antennas. Uniform linear arrays with half-wavelength spacing are assumed. Alice and Bob perform exhaustive beam sweeping using predefined codebooks CT\mathcal C_T and CR\mathcal C_R, while Eve acts either as a passive warden or eavesdropper, or as an active impersonator (Teng et al., 11 Jul 2025).

The framework is motivated by the structural exposure of beam alignment. During beam sweeping, training sequences are broadcast across multiple directions, which allows Eve to listen to the training sequence, infer beam directions or frame timing, localize the transmitter, and potentially monitor subsequent communication. The same broadcast setting also makes identity impersonation plausible: an attacker can transmit deceptive alignment signals so that Bob aligns to the wrong source. CovertAuth accordingly targets three simultaneous goals: a high probability of successful beam alignment, a high covert communication rate, and a high authentication accuracy under a false-alarm constraint (Teng et al., 11 Jul 2025).

The beam-alignment signaling model is defined through the channel

H=α[Crar(θ)][Ctat(ϕ)]H,\mathbf{H}= \alpha[\mathbf{C_r}\mathbf{a}_r(\theta)][\mathbf{C_t}\mathbf{a}_t(\phi)]^{H},

with pilot x∈CN\mathbf x\in\mathbb C^N satisfying ∥x∥22=N\|\mathbf x\|_2^2=N. For beam pair ll, Alice transmits through wl\mathbf w_l, Bob receives through NrN_r0, and after matched filtering obtains

NrN_r1

where NrN_r2. Bob then selects

NrN_r3

This places beam alignment, covert signaling, and later authentication on the same received beam-training observations (Teng et al., 11 Jul 2025).

2. Covert beam-alignment design

The covert module optimizes the beam-training budget NrN_r4 and transmit power NrN_r5 to maximize average effective rate while satisfying a covertness requirement. The average effective rate after beam alignment is modeled as

NrN_r6

Using an idealized codebook model, the beamforming gain is quantized as

NrN_r7

with sector gains NrN_r8 and NrN_r9 for the matched beam pair. Assuming the optimal beam pair is NtN_t0, the statistic

NtN_t1

satisfies NtN_t2, where

NtN_t3

and NtN_t4 for NtN_t5. Successful beam alignment occurs when NtN_t6, and the paper gives a closed form for the corresponding success probability NtN_t7 (Teng et al., 11 Jul 2025).

The central covert beam-alignment performance metric is then

NtN_t8

which captures the core tradeoff. Larger NtN_t9 improves alignment reliability by increasing pilot energy, and larger CT\mathcal C_T0 improves both alignment and payload SNR. However, both parameters also increase the signal energy available to Eve, while larger CT\mathcal C_T1 directly reduces payload time through the overhead factor CT\mathcal C_T2 (Teng et al., 11 Jul 2025).

Covertness is imposed through Eve’s binary hypothesis test on the beam-alignment signals. With Eve’s received observations CT\mathcal C_T3, the paper uses KL divergence together with Pinsker’s inequality to lower-bound Eve’s minimum total detection error probability and adopts the constraint

CT\mathcal C_T4

where CT\mathcal C_T5 is the required covertness level. Under imperfect knowledge of Eve’s channel, the model assumes

CT\mathcal C_T6

which yields the robustified bound

CT\mathcal C_T7

The resulting robust design problem maximizes CT\mathcal C_T8 over CT\mathcal C_T9 and CR\mathcal C_R0, subject to power, training-budget, and covertness constraints (Teng et al., 11 Jul 2025).

The paper also extends the beam model to a side-lobe leakage case by replacing zero side-lobe gain with nonzero CR\mathcal C_R1 and CR\mathcal C_R2. In that setting, a lower bound on alignment success probability is written as

CR\mathcal C_R3

and the covert rate is approximated as

CR\mathcal C_R4

with the same optimization machinery applied after substituting CR\mathcal C_R5 by CR\mathcal C_R6 (Teng et al., 11 Jul 2025).

3. Mutual-coupling-based physical-layer authentication

The authentication component of CovertAuth uses mutual coupling in the transmit array as a device-specific feature. Without impairments, the transmit beam pattern is

CR\mathcal C_R7

whereas with mutual coupling it becomes

CR\mathcal C_R8

The mutual-coupling matrix is modeled as a symmetric Toeplitz structure,

CR\mathcal C_R9

with coefficient vector

H=α[Crar(θ)][Ctat(ϕ)]H,\mathbf{H}= \alpha[\mathbf{C_r}\mathbf{a}_r(\theta)][\mathbf{C_t}\mathbf{a}_t(\phi)]^{H},0

Because array geometry, material properties, and manufacturing tolerances differ across devices, the paper treats mutual-coupling-induced beam distortion as both unique and stable, making it a hardware fingerprint (Teng et al., 11 Jul 2025).

Authentication is posed as a binary hypothesis test on the beam-alignment observations generated under the optimized covert parameters H=α[Crar(θ)][Ctat(ϕ)]H,\mathbf{H}= \alpha[\mathbf{C_r}\mathbf{a}_r(\theta)][\mathbf{C_t}\mathbf{a}_t(\phi)]^{H},1 and H=α[Crar(θ)][Ctat(ϕ)]H,\mathbf{H}= \alpha[\mathbf{C_r}\mathbf{a}_r(\theta)][\mathbf{C_t}\mathbf{a}_t(\phi)]^{H},2. Under H=α[Crar(θ)][Ctat(ϕ)]H,\mathbf{H}= \alpha[\mathbf{C_r}\mathbf{a}_r(\theta)][\mathbf{C_t}\mathbf{a}_t(\phi)]^{H},3, the source is legitimate Alice; under H=α[Crar(θ)][Ctat(ϕ)]H,\mathbf{H}= \alpha[\mathbf{C_r}\mathbf{a}_r(\theta)][\mathbf{C_t}\mathbf{a}_t(\phi)]^{H},4, the source is impersonating Eve. The detector is a weighted-sum energy detector,

H=α[Crar(θ)][Ctat(ϕ)]H,\mathbf{H}= \alpha[\mathbf{C_r}\mathbf{a}_r(\theta)][\mathbf{C_t}\mathbf{a}_t(\phi)]^{H},5

where H=α[Crar(θ)][Ctat(ϕ)]H,\mathbf{H}= \alpha[\mathbf{C_r}\mathbf{a}_r(\theta)][\mathbf{C_t}\mathbf{a}_t(\phi)]^{H},6 are beam-dependent weights and H=α[Crar(θ)][Ctat(ϕ)]H,\mathbf{H}= \alpha[\mathbf{C_r}\mathbf{a}_r(\theta)][\mathbf{C_t}\mathbf{a}_t(\phi)]^{H},7 is the threshold. The point of the weighting is that different beam-pair observations carry different amounts of discriminative information because the mutual-coupling-distorted beam pattern and the spatial direction affect energies differently across beams (Teng et al., 11 Jul 2025).

The performance metrics are the false-alarm and detection probabilities

H=α[Crar(θ)][Ctat(ϕ)]H,\mathbf{H}= \alpha[\mathbf{C_r}\mathbf{a}_r(\theta)][\mathbf{C_t}\mathbf{a}_t(\phi)]^{H},8

Since H=α[Crar(θ)][Ctat(ϕ)]H,\mathbf{H}= \alpha[\mathbf{C_r}\mathbf{a}_r(\theta)][\mathbf{C_t}\mathbf{a}_t(\phi)]^{H},9 is a weighted sum of noncentral chi-square random variables, the paper uses an approximation summarized in Lemma 1: x∈CN\mathbf x\in\mathbb C^N0 where x∈CN\mathbf x\in\mathbb C^N1, with moments

x∈CN\mathbf x\in\mathbb C^N2

and

x∈CN\mathbf x\in\mathbb C^N3

derived from the cumulants x∈CN\mathbf x\in\mathbb C^N4. This approximation is then used in Theorem 2 to obtain integral expressions for x∈CN\mathbf x\in\mathbb C^N5 and x∈CN\mathbf x\in\mathbb C^N6, and to define a Neyman–Pearson-style weight optimization under a target false-alarm level x∈CN\mathbf x\in\mathbb C^N7 (Teng et al., 11 Jul 2025).

The weight-design problem is

x∈CN\mathbf x\in\mathbb C^N8

The paper describes this operationally as maximizing authentication accuracy, although the actual mathematical objective is maximizing x∈CN\mathbf x\in\mathbb C^N9 under fixed ∥x∥22=N\|\mathbf x\|_2^2=N0. Authentication accuracy is therefore governed by the pair ∥x∥22=N\|\mathbf x\|_2^2=N1, ROC curves, and miss detection probability ∥x∥22=N\|\mathbf x\|_2^2=N2 (Teng et al., 11 Jul 2025).

4. Optimization algorithms and computational structure

The covert design problem is non-convex and mixed over ∥x∥22=N\|\mathbf x\|_2^2=N3 and integer ∥x∥22=N\|\mathbf x\|_2^2=N4. CovertAuth addresses it through alternating optimization combined with successive convex approximation. The Lagrangian is written as

∥x∥22=N\|\mathbf x\|_2^2=N5

where ∥x∥22=N\|\mathbf x\|_2^2=N6, ∥x∥22=N\|\mathbf x\|_2^2=N7, and

∥x∥22=N\|\mathbf x\|_2^2=N8

The dual variable is updated by the subgradient step

∥x∥22=N\|\mathbf x\|_2^2=N9

for fixed ll0 and ll1 (Teng et al., 11 Jul 2025).

For the power update, the non-concave part ll2 is linearized at ll3, producing the surrogate

ll4

which is then maximized by CVX. The beam-training-budget update is handled analogously, with surrogate

ll5

followed by integer rounding

ll6

Algorithm 1 initializes feasible ll7, alternates these updates, and stops when the Lagrangian change falls below tolerance (Teng et al., 11 Jul 2025).

Convergence is argued from bounded iterates, consistency properties of the SCA surrogate, a non-decreasing objective, and the fact that any limit point is a KKT point of the original problem. The covert-design phase has complexity

ll8

where ll9 is the number of iterations and wl\mathbf w_l0 is the interior-point accuracy. The authentication decision contributes wl\mathbf w_l1, so the total complexity is

wl\mathbf w_l2

The weight-optimization problem for authentication is solved separately by sequential quadratic programming, initialized with uniform weights wl\mathbf w_l3 (Teng et al., 11 Jul 2025).

5. Simulation setup and reported performance

The default simulation parameters are wl\mathbf w_l4, wl\mathbf w_l5, wl\mathbf w_l6, wl\mathbf w_l7, hence wl\mathbf w_l8, with wl\mathbf w_l9. The Alice–Bob AoA/AoD pair is NrN_r00, and the Eve–Bob pair is NrN_r01. Channel gains are NrN_r02 and NrN_r03, while mutual-coupling variances are NrN_r04 for Alice and NrN_r05 for Eve. Evaluation uses 3000 Monte Carlo trials. Authentication baselines are a channel phase response-based scheme and a multiple channel responses-based scheme (Teng et al., 11 Jul 2025).

The reported numerical results can be summarized as follows.

Aspect Setting Reported result
Covert rate NrN_r06 dB, NrN_r07 NrN_r08 rises from NrN_r09 to NrN_r10 bps/Hz
BA success NrN_r11 dB NrN_r12
Convergence Reported example stabilizes after about 25 iterations
Weight optimization NrN_r13 dB NrN_r14 improvement over average weighting
Baseline comparison NrN_r15 dB NrN_r16 over channel phase response-based, NrN_r17 over multiple-channel-responses
Worst-case miss probability NrN_r18 NrN_r19: NrN_r20, NrN_r21, NrN_r22 for NrN_r23

On the covert side, the paper states that as the covertness requirement is relaxed, the optimal transmit power NrN_r24 increases, the optimal beam-training budget NrN_r25 decreases, and the covert rate NrN_r26 increases. This directly exposes the budget tradeoff between covertness and throughput. On the authentication side, the theoretical models for NrN_r27 and NrN_r28 match simulation well, with approximation error decreasing at higher SNR. The optimized-weight detector produces substantial ROC improvement over uniform weighting, especially in low-SNR conditions relevant to beam alignment (Teng et al., 11 Jul 2025).

The strongest coupling result is that authentication also improves when NrN_r29 is relaxed, because the covert module is permitted to choose stronger beam-alignment signals. In the worst-case geometry where Eve lies on the Alice–Bob path and shares the same AoA/AoD pair and channel gain, CovertAuth still reports practical performance if covertness is not too stringent: with NrN_r30, the miss probability NrN_r31 drops from NrN_r32 at NrN_r33 to NrN_r34 at NrN_r35 and NrN_r36 at NrN_r37, while the covert rates remain NrN_r38 bps/Hz for optimized NrN_r39 (Teng et al., 11 Jul 2025).

6. Relation to adjacent research and open limitations

CovertAuth belongs to a broader line of work combining covertness with communication security, but its emphasis is distinct. In contrast to covert communication papers that establish secrecy or secret-key expansion from undetectable signaling, such as the result that an NrN_r40-secure covert protocol implies NrN_r41-secure message secrecy and can support covert key expansion under explicit noise conditions, CovertAuth does not propose a key-expansion protocol; instead, it secures the beam-alignment stage itself through joint beam-budget design and physical-layer authentication (Arrazola et al., 2017, Tahmasbi et al., 2018).

It is also distinct from covert-channel-based authentication on legacy networks. TACAN authenticates CAN transmitters by hiding authentication information in inter-arrival times, least significant bits, or hybrid covert channels, using a centralized trusted Monitor Node and no CAN protocol modification or traffic overheads. CovertAuth uses the beam-alignment signal itself as both the covert object and the authentication carrier, with mutual coupling rather than hidden HMAC-bearing side channels as the main device feature (Ying et al., 2019, Ying et al., 2019).

At the protocol level, CovertAuth differs from event-driven covert communication systems for the Internet of Agents. The latter formalize covert signaling across storage, timing, and behavioral dimensions of observable agent events and use certified-key ECDH to obtain what is described as implicit mutual authentication. CovertAuth is narrower and more physical: it does not target agent dialogues or metadata privacy in software ecosystems, but beam training in mmWave links (Huang et al., 4 Aug 2025). Likewise, it is unrelated in objective to task-scoped authorization models such as PAuth, which derive exact server-side permissions from natural-language tasks through NL slices and provenance envelopes, or to AuthREST, which is a black-box automated tool for testing broken authentication in web APIs rather than an authentication mechanism (Sharma et al., 17 Mar 2026, Corradini et al., 12 Sep 2025).

The limitations of CovertAuth are correspondingly specific. Its deployment assumptions include phased-array hardware with sufficiently stable mutual coupling effects, a predefined beam codebook, bounded-error knowledge of Eve’s channel, and predominantly single-path line-of-sight propagation. The main analytical beam model uses zero side-lobes and is only later extended to side-lobe leakage. The authentication detector is intentionally simple and suboptimal compared to a full likelihood-ratio test when complete signal statistics are known. The paper itself suggests future extensions toward richer multipath channels, stronger adversaries, more advanced detectors, and greater robustness to model mismatch (Teng et al., 11 Jul 2025).

Within those assumptions, CovertAuth’s central contribution is to reframe beam alignment from a vulnerable initialization step into a joint security control surface. Mutual coupling, usually treated as an impairment, becomes a hardware fingerprint; beam-training budget NrN_r42 and transmit power NrN_r43, usually treated as link-establishment parameters, become security knobs that jointly regulate detectability, alignment reliability, and authentication performance (Teng et al., 11 Jul 2025).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to CovertAuth.