Physical channel security

By increasing scrambling key sizes, introducing unique scrambling keys, and applying format-preserving operations, the security of 5G NR physical downlink control channels is enhanced, thwarting unauthorized access and reducing the effective RNTI search space, thus securing downlink control information.

WO2026135507A1 | PCT designated stage | Publication Date: 2026-06-25 | TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)

Patent Information

Authority / Receiving Office: WO · WO
Patent Type: Applications
Current Assignee / Owner: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Filing Date: 2024-12-18
Publication Date: 2026-06-25

AI Technical Summary

Technical Problem

Existing 5G NR physical downlink control channels lack sufficient security measures, particularly in the scrambling key generation process, making them vulnerable to attacks that compromise the integrity of downlink control information (DCI) by reducing the effective RNTI search space and enabling unauthorized access to critical information.

Method used

Enhance physical channel security by increasing the size of the scrambling key components (RNTI and HID), introducing unique scrambling keys independent of RNTI and HID, deriving scrambling keys from existing access stratum keys, and applying format-preserving operations on control information to increase computational burden and complexity for attackers.

Benefits of technology

Significantly increases the computational burden on attackers, reduces the effective RNTI search space, and enhances the security of DCI by ensuring unique scrambling keys and format-preserving operations, thereby protecting the integrity of downlink control information.

✦ Generated by Eureka AI based on patent content.


Abstract

A method (1000) for improving physical channel security performed by a network node (100). The method comprises deriving (1002) a first key from a first access stratum key, a first intermediate key, a first non-access stratum key, a first internet protocol security key, a network identifier, a scrambling identifier, and / or a first random number. The method comprises performing (1004) a first operation on a first input using the first key. The first input is based on control information data. The first key has been derived from the first access stratum key, the first intermediate key, the first non-access stratum key, the first internet protocol security key, and / or the first random number; and / or the first input is derived performing (1006) a second operation using a second key. The second key is derived from a second access stratum key, a second intermediate key, a second non-access stratum key, a second internet protocol security key, the network identifier, the scrambling identifier, and / or a second random number.

Description

[0001] PHYSICAL CHANNEL SECURITY

[0002] TECHNICAL FIELD

[0003] The invention relates to a method for improving physical channel security, performed by a network node. Further, the invention relates to a method for improving physical channel security, performed by a wireless device. The invention further relates to a network node, a wireless device, a system, computer programs, computer-readable media, and carriers.

[0004] BACKGROUND

[0005] The fifth-generation new radio (5G NR) physical downlink control channel (PDCCH) carries critical information in the form of downlink control information (DCI). The DCI payload bits are scrambled by a sequence (scrambling key) initialized with user equipment (UE) unique identifiers: radio network identifier (RNTI) and a physical layer cell identity of a cell or by a UE specific scrambling identity. This scrambling operation provides interference randomization. The scrambling operation offers an additional opportunity to provide DCI protection, assuming secrecy of the corresponding scrambling key.

[0006] The article K. Takeda, H. Xu, T. Kim, K. Schober and X. Lin, "Understanding the Heart of the 5G Air Interface: An Overview of Physical Downlink Control Channel for 5G New Radio," in IEEE Communications Standards Magazine, vol. 4, no. 3, pp. 22-29, September 2020, doi: 10.1109/MCOMSTD.001.1900048, provides an overview of the 5G NR PDCCH by describing its physical layer structure.

[0008] SUMMARY

[0009] It is an object of the invention to further improve the security of physical channels. It is a particular object of the invention to further improve DCI protection.

[0010] A first aspect of the invention relates to a method for improving physical channel security performed by a network node. The method comprises deriving a first key from a first access stratum key, a first intermediate key, a first non-access stratum key, a first internet protocol security key, a network identifier, a scrambling identifier, and / or a first random number. The method further comprises performing a first operation on a first input using the first key, wherein the first input is based on control information data, wherein: the first key has been derived from the first access stratum key, the first intermediate key, the first non-access stratum key, the first internet protocol security key, and / or the first random number; and / or the first input is derived performing a second operation using a second key, wherein the second key is derived from a second access stratum key, a second intermediate key, a second non-access stratum key, a second internet protocol security key, the network identifier, the scrambling identifier, and / or a second random number. A second aspect of the invention relates to a method for improving physical channel security performed by a wireless device. The method comprises deriving a first key from a first access stratum key, a first intermediate key, a first non-access stratum key, a first internet protocol security key, a network identifier, a scrambling identifier, and / or a first random number. 
The method further comprises performing a first operation on a first input based on control information data, the format preserving operation being performed using the first key, wherein: the first key has been derived from the first access stratum key, the first intermediate key, the first non-access stratum key, the first internet protocol security key, and / or a random number; and / or the first input is derived performing a second operation using a second key, wherein the second key is derived from a second access stratum key, a second intermediate key, a second non-access stratum key, a second internet protocol security key, a network identifier, a scrambling identifier, and / or a second random number.

[0011] A third aspect of the invention relates to a network node for improving physical channel security comprising processing circuitry and a memory, the network node configured to perform operations according to the first aspect.

[0012] A fourth aspect of the invention relates to a tangible, non-transient computer-readable medium comprising instructions that, when executed by the network node, cause the network node to perform operations according to the first aspect.

[0013] A fifth aspect of the invention relates to a computer program, comprising instructions that, when executed by processing circuitry, cause the processing circuitry to carry out the method according to the first aspect.

[0014] A sixth aspect of the invention relates to a carrier containing the computer program according to the fifth aspect, wherein the carrier is one of an electronic signal, optical signal, radio signal, computer program product, or computer-readable medium.

[0015] A seventh aspect of the invention relates to a wireless device for improving physical channel security comprising processing circuitry and a memory, the wireless device configured to perform operations according to the second aspect.

[0016] An eighth aspect of the invention relates to a tangible, non-transient computer-readable medium comprising instructions that, when executed by the wireless device, cause the wireless device to perform operations according to the second aspect.

[0017] A ninth aspect of the invention relates to a computer program, comprising instructions that, when executed by processing circuitry, cause the processing circuitry to carry out the method according to the second aspect. A tenth aspect of the invention relates to a carrier containing the computer program according to the ninth aspect, wherein the carrier is one of an electronic signal, optical signal, radio signal, computer program product, or computer-readable medium.

[0018] An eleventh aspect of the invention relates to a communication system comprising a network node according to the third aspect, and a wireless device according to the seventh aspect.

[0019] BRIEF DESCRIPTION OF THE DRAWINGS

[0020] Figure 1 illustrates an example of a physical channel encoding procedure.

[0021] Figure 2 summarizes ways in which the effective RNTI search space can be reduced.

[0022] Figure 3 illustrates examples of improvements of the physical channel security according to some embodiments.

[0023] Figure 4 illustrates embodiments of a method for improving physical channel security performed by a network node.

[0024] Figure 5 illustrates embodiments of a method for improving physical channel security performed by a wireless device.

[0025] Figure 6 illustrates the network node in accordance with some embodiments.

[0026] Figure 7 illustrates the wireless device in accordance with some embodiments.

[0027] Figure 8 illustrates an example of a communication system in accordance with some embodiments.

[0028] Figure 9 illustrates carriers, computer-readable media, and computer programs.

[0029] DETAILED DESCRIPTION

[0030] Figure 1 illustrates an example of a physical channel encoding procedure. In particular, Figure 1 refers to a Third-Generation Partnership Project (3GPP) Fifth Generation (5G) New Radio (NR) Physical Downlink Control Channel (PDCCH) encoding procedure.

[0031] Downlink control information (DCI) 10 carries downlink (DL) and / or uplink (UL) scheduling information and other critical control information such as the UL power control, hybrid automatic repeat request (HARQ) information, etc. Usually, the length of a DCI message, $l_{DCI}$, ranges from 12 to 140 bits. The length in bits of a cyclic redundancy check (CRC), denoted as $l_{CRC}$, is usually 24 bits. The CRC is generated from the DCI information bits and subsequently masked with an RNTI with a length in bits, denoted by $l_{RNTI}$, of usually 16 bits. The masking process aids the UE in determining the relevancy of an intended DCI among the sets of DCIs that have the same payload size. The RNTI type depends on its usage and whether the DCI is intended for a specific User Equipment (UE) or a group of UEs. In UE-specific communication the RNTI used is the cell-RNTI (C-RNTI). The C-RNTI is linked to a Radio Resource Control (RRC) connection and corresponds to communications with that specific UE. A new C-RNTI is assigned every time an RRC connection is set up and is communicated to a UE during the random access procedure. The RRC connection, and consequently the RNTI, is released by the network node after the UE transitions to the RRC idle state over a period configurable by the operator.

[0032] The CRC bits 12 are attached and interleaved with the DCI 10, resulting in a message of length $l_{CRC} + l_{DCI}$.

[0033] The interleaved DCI and CRC message 14 is subject to channel coding. For the DL control channel, the channel coding comprises frozen bit insertion, polar encoding, and sub-block interleaving and rate matching. A polar code $(N, K_c)$ is adopted in the polar encoding step, where N is the code length and is limited to powers of two, and $K_c = l_{CRC} + l_{DCI}$ is the number of information bits transmitted, and can take an arbitrary value. The parameters associated with rate-matching depend on the length of the DCI message and the aggregation level employed.

[0034] The rate-matched bits 16 are scrambled with a 31-bit Gold sequence initialized with the RNTI $n_{RNTI}$ and a scrambling identity $n_{ID}$. In particular, the initializer of the 31-bit Gold sequence is given by $(n_{RNTI} \times 2^{16} + n_{ID}) \bmod 2^{31}$. For a UE-specific communication, $n_{ID}$ is set to either the higher-layer parameter pdcch-DMRS-ScramblingID if configured, or to cell ID, otherwise. If the corresponding identities were secret, the scrambling process offers a weak form of DCI protection.

[0035] The scrambled bits 18 are modulated and are mapped to resource elements based on the Control Channel Element (CCE) indexing and CCE-to-Resource Element Group (REG) mapping.

[0036] For PDCCH decoding, the UE receives the following parameters through higher layer, e.g., RRC, messages:

[0037] • Scrambling Key: The $n_{RNTI}$ and $n_{ID}$ are used to initialize the Gold sequence which is used for generating the scrambling sequence / key.

[0038] • C-RNTI: C-RNTI is a 16-bit unique temporary identifier assigned to a UE during initial access upon completion of the random access (RA) procedure (msg 4). It can range in between 0001 and FFF2 (in hex).

[0039] • $n_{ID}$: a 16-bit value used together with the RNTI for generating the scrambling sequence / key. For a UE-specific communication, $n_{ID}$ is set to either the higher-layer parameter pdcch-DMRS-ScramblingID if configured, or to cell ID, otherwise. The pdcch-DMRS-ScramblingID parameter is part of the control resource set (CORESET) parameters.

• CORESET Configuration: The parameters such as the CORESET ID, duration, frequency resources, and search space parameters such as the maximum number of candidates, etc. are communicated to a UE through an RRC reconfiguration message.

[0040] Figure 2 summarizes ways in which the effective RNTI search space can be reduced.

[0041] An adversary attempting to decode the DCI of all UE assigned to a CORESET, and not just an individual UE, needs to know the starting point of the valid physical channel candidates. Given the CORESET, the adversary can use a demodulation reference signal (DMRS) correlation analysis to obtain the valid physical channel candidates 20.

[0042] Following are some of the ways in which the adversary can perform a DMRS correlation analysis:

[0043] • If the CORESET configuration has the maximum number of candidates for aggregation level L ($M_L$) equal to 1 for any of the aggregation levels, then an adversary can try correlation analysis of DMRS signals starting at the following indices: $l_k = L \cdot \{0, 1, \ldots, \lfloor N_{CCE}/L \rfloor\}$. The number of candidates can further be utilized to reduce the valid candidate search space.

[0044] • For other scenarios, for a chosen L, an adversary needs to scan for the physical channel DMRS sequence by correlating with pre-computed DMRS sequences for all values of $n_{ID}$.

[0045] The DMRS correlation analysis may also enable the adversary to determine the $n_{ID}$ 22. The $n_{ID}$ forms a part of the Gold sequence used for generating a scrambling key. $n_{ID}$ is also used to initialize the pseudo-random sequence for generating the physical channel DMRS sequence.

[0046] As the adversary knows the valid physical channel candidates, the $n_{ID}$ can be determined by generating DMRS sequences corresponding to all scrambling IDs and correlating the generated DMRS sequences with the obtained DMRS signals, e.g. an adversary can stay close to a network node to obtain the DMRS signals. If successful, the correlation analysis yields an $n_{ID}$, usually of 16 bits.

[0047] Correlation analysis does not require completing the entire DCI decoding chain. It may require a brute-force search; however, such analysis is a computationally inexpensive operation relative to completing the entire DCI decoding chain and can be parallelized.

[0048] Upon knowing the valid physical channel candidates, the adversary can reduce the effective RNTI search space 24.

[0049] Following are some of the ways in which the adversary can reduce the effective RNTI search space:

[0050] • Operators often set configurations to certain manufacturer-specific defaults. For instance, the $n_{ID}$ is often set to one of the following values: Cell ID, 1008 + Cell ID, and RNTI + Cell ID.

[0051] These settings compromise the $n_{ID}$ and $n_{RNTI}$ rather easily. Furthermore, certain operators limit the RNTI assignment to a subset of RNTI space, for example, {15000, ..., 25000}. Such side-information reduces the RNTI search space at an adversary significantly.

[0052] • Rate-matching in the encoding process is a length-matching problem where the N polar coded bits undergo either puncturing, shortening (reduces the length of the mother code), or repetition to adjust it to a length of E bits. In a repetition scheme, E - N bits are repeated after channel coding (see Fig. 1), and this repetition introduces redundancy. It is possible to exploit this redundancy to determine the correct scrambling sequence by guessing the scrambling sequence that provides maximum likelihood between repeated bits after de-scrambling. As the $n_{ID}$ is known, the scrambling sequence is then only a function of RNTI.

[0053] • It is possible to generate syndrome tables for all possible DCI message sequences, code word lengths, and payload lengths by performing an error-pattern matching of the frozen bits. A syndrome table consists of all possible RNTI scrambled error patterns for a given code word and payload length. While this approach is computationally complex, once the syndrome tables are generated, they can be used in perpetuity.

[0054] • The PDCCH hash function that determines a valid UE-specific search space (USS) PDCCH candidate starting index depends on multiple CORESET parameters, such as the CORESET ID p, the number of CCEs in the CORESET ($N_{CCE}$), the maximum number of candidates $M_L$, the slot index t, and the RNTI. If an adversary has access to the above-mentioned parameters, apart from the RNTI, and finds a valid PDCCH candidate, then based on its starting location index an adversary can narrow down the possible RNTIs that would have resulted in the mapping of the candidate to that particular starting index. If an adversary has no CORESET configuration, it has to brute-force search all possibilities of RNTI, which is approximately $2^{16}$ combinations. On the other hand, if the above-mentioned parameters are known and the maximum number of candidates $M_L = 1$, then the RNTI search space at an adversary gets reduced to at most approximately $\frac{2^{16}}{3 \cdot \lfloor N_{CCE}/L \rfloor}$. For other values of $M_L$, the effective RNTI search space ranges between $\frac{2^{16}}{\lfloor N_{CCE}/L \rfloor}$ and $\frac{2^{16}}{3 \cdot \lfloor N_{CCE}/L \rfloor}$ combinations. Higher $N_{CCE}$, lower L, and lower $M_L$ lead to a maximum reduction in RNTI search space and vice-versa.

[0059] The above-mentioned ways to reduce the effective RNTI search space are uncorrelated with each other. Hence, an adversary can combine all the above-mentioned ways to reduce the effective RNTI search space furthermore. Combining multiple such ways will reduce the effective RNTI search space significantly.

[0060] Once the RNTI search space has been reduced, the adversary can generate all the possible scrambling keys from the $n_{ID}$ and the possible RNTIs from the reduced RNTI search space. The scrambling keys are used to de-scramble the PDCCH candidates and complete the DCI decoding chain. Knowledge of the DCI decoding would expose the physical resource allocations to one or more UE, thereby allowing an attacker to examine transmission patterns, information exposure, offer concentrated opportunities to jam, or allow spoofing of open information.

[0061] The scrambling key that passes the CRC would reveal the RNTI (that is both used for the CRC scrambling and for the scrambling key derivation) as well as the DCI corresponding to a UE.

[0062] The embodiments described below aim to improve the security of physical channels.

[0063] Figure 3 illustrates examples of improvements of the physical channel security according to some embodiments. The dot-dash lines represent the modifications, or additions, to the physical channel encoding procedure illustrated in Figure 1.

[0064] According to a first embodiment, it is possible to improve the physical channel security by increasing the size of the $n_{RNTI}$ and $n_{ID}$. Such a solution increases the computational burden at an adversary to decode DCI. The increase in $n_{ID}$ size increases the computational burden of finding the valid candidates at an adversary and subsequently finding $n_{ID}$, which forms a part of the initializer of the Gold sequence, together with the RNTI, which in turn is used to generate the scrambling key. Increasing the size of $n_{RNTI}$ increases the effective RNTI search space that an adversary has to try to figure out the possible RNTIs. The increase in size has the tradeoff of increasing the overhead in sharing $n_{RNTI}$ and $n_{ID}$ with the UE. As the RNTI is refreshed when the RRC connection is released and a new one is established, the adversary has limited time to identify the correct RNTI and use it. Thus, an increase in computational burden is a viable solution. As an example, the size of both $n_{RNTI}$ and $n_{ID}$ is increased by 16 bits, i.e., both $n_{RNTI}$ and $n_{ID}$ are 32 bits each. In this case the length of the scrambling key would be 63 bits. By having the size / length of $n_{ID}$ and $n_{RNTI}$ being equal to a power of 2 it is easier to initialize the scrambling key with Gold sequence. However, the size of $n_{RNTI}$ and $n_{ID}$ could be of any length. Further, a subset of the bits of $n_{RNTI}$ and $n_{ID}$ could be used to generate the scrambling key.

[0065] Some challenges are to be addressed in order to integrate this embodiment with the current physical channel encoding procedures. In the current design, a 24-bit CRC is generated based on the DCI information, and the last 16 bits of the CRC are masked by a 16-bit $n_{RNTI}$. Assuming a 24-bit CRC ($n_{CRC}$) is maintained, the following are some of the ways to mask a CRC with an increase in $n_{RNTI}$ size. If the length of the RNTI in bits ($l_{RNTI}$) is less than or equal to the length of the CRC in bits ($l_{CRC}$), e.g., 16 bits, 22 bits, 24 bits, the same principle as the existing design applies, i.e., the last $l_{RNTI}$ bits of the CRC are masked with $n_{RNTI}$. If $l_{RNTI}$ is greater than $l_{CRC}$, the complete CRC, or a subset of the CRC, can be masked by a subset of the $n_{RNTI}$ bits, for example, using the least significant bits of $n_{RNTI}$ to mask the CRC. A concern with such a design is that different UEs assigned with different $n_{RNTI}$ may have the same subset, which may result in a false alarm / collision, i.e., the UE decodes the DCI successfully, but the obtained DCI is not the DCI intended for that specific UE. However, the probability of such an event is very small. As an example, if $l_{RNTI} = 32$ and $l_{CRC} = 24$ and the complete CRC is masked by a subset of $n_{RNTI}$, then the collision can happen, e.g., by having the same subset of $n_{RNTI}$, at most with the probability of 2" . This estimate of the probability of collision assumes that the de-scrambled sequence is the same and that the different UEs having the same subset of $n_{RNTI}$ have the same payload size. The de-scrambling sequence may be the same if $C_{init}$ is the same, i.e., the two UEs have the same $n_{ID}$ = Cell ID (assuming 32 bits for $n_{ID}$), and the last 31 bits of $n_{RNTI}$ used in initializing the Gold sequence are also the same. If the initializer for the Gold sequence is 63 bits long, e.g., 31 bits of $n_{RNTI}$ and 32 bits of $n_{ID}$, then the probability of such an event is 2 .
As another example, if $l_{RNTI} = 32$ and $l_{CRC} = 24$ and a subset of the CRC is masked by a subset of $n_{RNTI}$ bits, the remaining $n_{RNTI}$ bits may be used to mask the DCI bits.

[0066] For example, assume $l_{RNTI} = 32$ and $l_{CRC} = 24$ and the complete CRC is masked by a subset of $n_{RNTI}$; the remaining 8 bits of $n_{RNTI}$ can mask the least significant bits of the DCI message. If $l_{RNTI} = 32$ and the length of the $n_{ID}$ in bits is $l_{ID} = 32$, scrambling can be initialized as $C_{init} = (n_{RNTI} \times 2^{32} + n_{ID}) \bmod 2^{63}$ to construct a 63-bit Gold sequence. A similar approach can be maintained as long as the lengths of $n_{RNTI}$ and $n_{ID}$ are equal to a power of two.

[0067] A major blockade for an adversary in decoding DCI is knowing the scrambling key. As discussed above, the scrambling key may get compromised due to dual use of identifiers, i.e., $n_{RNTI}$ is employed for both scrambling and the CRC, whereas $n_{ID}$ is employed for both scrambling and PDCCH DMRS generation. A second and a third embodiment provide possible solutions to increase the security of the scrambling key.

[0068] According to a second embodiment, it is possible to improve the security of the physical channel by introducing a unique scrambling key.

[0069] The unique scrambling key shall be independent of the $n_{RNTI}$ and the $n_{ID}$ and used only as scrambling key. The base station, e.g., NodeB (NB), gNB, or eNB, would generate the secret key and share it with the UE. Then, both would use the shared secret key as the Gold sequence for generating the scrambling key. An advantage of this solution is that even after exploiting the existing vulnerabilities, an adversary has to exhaustively try all the scrambling keys to successfully de-scramble the DCI, and then find RNTI via the CRC de-scrambling. The solution proposed in the second embodiment increases the computational burden on an adversary to decode DCI.

[0070] As an example, the scrambling key length in bits ($l_{Key}$) is 31 bits, similar to the existing design, but with the unique scrambling key. A unique 31-bit scrambling key would require an adversary to try all the $2^{31}$ combinations to decode the DCI. As another example, to further increase the computational burden on the adversary, $l_{Key}$ can be increased to 128 bits, or even 256 bits. A disadvantage of this approach is that the base station has to share a unique scrambling key with each UE. This involves the overhead of generating and provisioning the keys and the burden of maintaining unique keys. In general, the scrambling key could be of any length, with the caveat that a greater length corresponds to a higher computational burden on the adversary, but also a higher overhead to base stations and UEs. A way to overcome it is to derive a scrambling key based on the existing keys, as discussed next.

[0071] According to a third embodiment, it is possible to improve the security of the physical channel by deriving a scrambling key based on existing keys.

[0072] As an example, the scrambling key is derived from one of the access stratum keys available to the base station, e.g., $K_{gNB}$, $K_{RRCenc}$, $K_{RRCint}$, $K_{UPenc}$, $K_{UPint}$. According to the example, the scrambling key ($S_k$), or the Gold sequence, could be derived by a key derivation function (KDF) by concatenating the RRC encryption key, $K_{RRCenc}$, with the RNTI, and / or the $n_{ID}$ assigned to the UE and hashing the result, e.g., $S_k = H(K_{RRCenc} \| n_{RNTI})$, $S_k = H(K_{RRCenc} \| n_{ID})$, $S_k = H(K_{RRCenc} \| n_{RNTI} \| n_{ID})$. A suitable number of bits, e.g., 31 bits, 63 bits, 255 bits, from the hash is chosen as the Gold sequence, or directly as the scrambling key. This way the scrambling key would be unpredictable by an attacker, while still being bound to the RNTI of the UE. As above, the length of $S_k$ directly defines the protection level: the more bits, the harder it is for the adversary to brute force it.

[0073] As another example, the scrambling key is derived from one of the non-access stratum keys available to the base station, e.g., $K_{NASint}$, $K_{NASenc}$.

[0074] As another example, the scrambling key is derived from one of the intermediate keys available to the base station, e.g., $K_{NG-RAN}^{*}$.

[0075] As another example, the scrambling key is derived from one of the internet protocol (IP) security keys available to the base station, e.g., $K_{N3IWF}$. One consideration when selecting what base station key to use for generating the scrambling key is that the base station key should ideally be present at the base station where the base station needs to derive and use the scrambling key. As an example, if the base station key is stored and used in the central unit (CU) and the scrambling key is needed in the radio unit (RU), there are additional security considerations with regard to the key distribution from CU to RU. Thus, a key which is lower in the key hierarchy has some benefits, as a key which is lower in the key hierarchy is closer to the radio unit. An additional benefit of selecting a key which is lower in the key hierarchy is that key updates will typically happen more frequently for keys which are lower in the key hierarchy, giving the attacker a shorter amount of time to brute force the key and use it. Nonetheless, since the scrambling key may also be bound to the RNTI, the scrambling key itself will anyway be updated at least as frequently as the RNTI is being updated.

[0076] In a similar way, the UE would derive the corresponding $S_k$ based on the used base station key and the RNTI. Both UE and base station could then use the scrambling key to scramble and descramble the DCI messages, while an attacker would have a harder time trying to brute force the scrambling key as it would no longer have any pre-known bits and its length could be longer than what it is today.

[0077] As discussed above the adversary might be able to deduce the scrambling key from the scrambled data, especially if the adversary knows some bits of the data being scrambled.

[0078] According to a fourth embodiment, it is possible to improve the security of the physical channel by replacing today's scrambling key generation process with something more secure, i.e., that gives a more random output of the scrambling key. A first way to improve the security of the scrambling key generation process is to generate multiple parts of a scrambling key with different inputs. As an example, $S_{k,part1} = H(K_{RRCenc} \| n_{RNTI} \| 1)$, $S_{k,part2} = H(K_{RRCenc} \| n_{RNTI} \| 2)$ and so on.

[0079] As another example, $S_{k,part1} = H(K_{RRCenc} \| n_{RNTI})$, $S_{k,part2} = H(K_{RRCint} \| n_{RNTI})$, $S_{k,part3} = H(K_{NG-RAN}^{*} \| n_{RNTI})$ and so on. As another example, the scrambling key can be initialized with an additional time-dependent parameter, such as $S_k = H(K_{RRCenc} \| K_{RRCenc} \| t)$, where t can be the slot number or other time-dependent parameter.
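The key derivation of the third and fourth embodiments, as an added example that is not code from the patent: a 31-bit Gold-sequence initializer is derived from $K_{RRCenc}$, $n_{RNTI}$, $n_{ID}$ and a part counter, and both ends scramble and descramble with the length-31 Gold sequence of 3GPP TS 38.211. SHA-256 as H, the byte encoding of the concatenation, the truncation to the top 31 bits, the function names and all sample values are assumptions.

```python
import hashlib

NC = 1600               # output offset of the length-31 Gold sequence (TS 38.211, clause 5.2.1)
MASK31 = (1 << 31) - 1


def gold_sequence(c_init, length):
    """Return `length` bits of the length-31 Gold sequence for initializer c_init."""
    x1 = 1                  # x1(0) = 1, x1(1..30) = 0
    x2 = c_init & MASK31    # bit i of c_init is x2(i)
    out = []
    for n in range(NC + length):
        if n >= NC:
            out.append((x1 ^ x2) & 1)                       # c(n - NC) = x1(n) xor x2(n)
        fb1 = ((x1 >> 3) ^ x1) & 1                          # x1(n+31) = x1(n+3) + x1(n)
        fb2 = ((x2 >> 3) ^ (x2 >> 2) ^ (x2 >> 1) ^ x2) & 1  # x2(n+31) = x2(n+3)+x2(n+2)+x2(n+1)+x2(n)
        x1 = (x1 >> 1) | (fb1 << 30)
        x2 = (x2 >> 1) | (fb2 << 30)
    return out


def legacy_c_init(n_rnti, n_id):
    """Initializer of the existing design: (n_RNTI * 2^16 + n_ID) mod 2^31."""
    return ((n_rnti << 16) + n_id) % (1 << 31)


def derived_c_init(k_rrc_enc, n_rnti, n_id, part=1):
    """S_k part = H(K_RRCenc || n_RNTI || n_ID || part), truncated to 31 bits.

    Assumptions of this sketch: H is SHA-256, identifiers are 2-byte big-endian,
    the part counter is one byte, and the top 31 bits of the digest are used.
    An all-zero result would leave x2 stuck at zero; it is not special-cased here.
    """
    msg = (k_rrc_enc + n_rnti.to_bytes(2, "big")
           + n_id.to_bytes(2, "big") + part.to_bytes(1, "big"))
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest[:4], "big") >> 1


def scramble(bits, c_init):
    """XOR with the Gold sequence; applying it twice restores the input."""
    return [b ^ c for b, c in zip(bits, gold_sequence(c_init, len(bits)))]


# Constructed sample values, not taken from any real network.
K_RRC_ENC = bytes(range(16))                                # 128-bit key
N_RNTI = 0x4601
N_ID = 0x01F4
RATE_MATCHED = [(i * i + i // 3) % 2 for i in range(108)]   # stand-in for rate-matched bits


def demo():
    """Base station scrambles with the derived key; the UE derives the same key and descrambles."""
    tx_init = derived_c_init(K_RRC_ENC, N_RNTI, N_ID)
    on_air = scramble(RATE_MATCHED, tx_init)
    rx_init = derived_c_init(K_RRC_ENC, N_RNTI, N_ID)
    return on_air, scramble(on_air, rx_init)


if __name__ == "__main__":
    on_air, recovered = demo()
    print("round trip ok:", recovered == RATE_MATCHED)
    # The legacy initializer keeps only 15 bits of a 16-bit RNTI, so two RNTIs
    # that differ in the top bit share one scrambling sequence.
    print("legacy :", hex(legacy_c_init(0x4601, N_ID)), hex(legacy_c_init(0xC601, N_ID)))
    print("derived:", hex(derived_c_init(K_RRC_ENC, 0x4601, N_ID)),
          hex(derived_c_init(K_RRC_ENC, 0xC601, N_ID)))
```
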

[0080] As discussed above, for a UE-specific communication, $n_{ID}$ is set to either the higher-layer parameter pdcch-DMRS-ScramblingID if configured, or to cell ID. pdcch-DMRS-ScramblingID is a CORESET-specific parameter and may be shared by multiple UEs.

[0081] According to a fifth embodiment, $n_{ID}$ is set to a unique key that may be derived similarly to the scrambling key according to the previous embodiment, or uniquely generated by the base station and shared with the UE. An advantage of this solution is that each UE would have a unique $n_{ID}$ even if they share the same CORESET. In this way, even if the adversary knows the $n_{ID}$ of one UE, it does not know the $n_{ID}$ of the other UEs that share the same CORESET.

[0082] According to a sixth embodiment, it is possible to improve the security of the physical channel by increasing the K bits of the control information, e.g., DCI, UCI, by adding an additional padding to the data being scrambled. Padding could be appended to the control information, or the control information data could be expanded. The expansion of the control information data can be based on data unknown to the attacker, e.g. the RNTI, an access stratum key, an intermediate key, etc.

[0083] According to a seventh embodiment, it is possible to improve the security of the physical channel by replacing the scrambling operation with some other format-preserving operations, e.g., permutation, rotation, shift. A format-preserving operation is an operation that preserves the length and the format of the input data. This new operation can be initialized as proposed in the previous embodiments, or as currently done.

[0084] According to an eighth embodiment, it is possible to improve the security of the physical channel by masking the CRC scrambling operation with a unique scrambling key derived, or generated, according to the previous embodiments, instead of using the RNTI for the masking of the CRC scrambling operation.

[0085] According to a ninth embodiment, it is possible to improve the security of the physical channel by performing a format-preserving operation on the control information. This enables an additional layer of protection on the control information by preventing the adversary from decoding the control information even if the adversary manages to perform the CRC de-scrambling correctly. In particular, this solution is not susceptible to any of the vulnerabilities in the physical channel encoding procedure. Further, by selecting a format-preserving operation, compatibility with the current 5G NR architecture is maintained. However, if such compatibility is not a needed feature, this additional operation does not need to be restricted to a format-preserving operation and can be extended to operations that can change the length, and / or the format, of the data, for example by adding redundant bits, by padding zeros, etc.

[0086] As an example, the format-preserving operation is the scrambling operation. In this case the control information bits are scrambled with a scrambling sequence. The scrambling sequence is initialized with an operation key, that may be different from the scrambling key. This operation key may be derived with an existing method, or according to the previously described embodiments. As an example, the operation key is derived from the n_RNTI and / or n_ID. As another example the operation key may be a uniquely generated key according to the second embodiment, or may be derived as described in the third embodiment and / or in the fourth embodiment. The length of the operation key in bits (l_op) can be chosen based on the intended protection. In that case, even if the adversary manages to discover the n_RNTI and n_ID by exploiting the previously described vulnerabilities, the adversary still has to exhaustively search 2^(l_op) keys to figure out the control information. Further, even after exhaustively searching all combinations the adversary does not have a means to verify whether the recovered control information is the correct control information as the CRC check at the receiver happens before this format-preserving operation.

[0087] As another example, the format-preserving operation is to permute the control information bits by multiplying them with a permutation matrix. This permutation matrix generation is initialized with the operation key. The reverse operation takes place at the UE, however, an adversary has to perform an exhaustive search of K! combinations, where K is the number of control information bits.

[0088] As another example, the format-preserving operation is a block permutation operation, a random rotation operation of control information bits, and / or an interleaving operation.

[0089] As another example, the format-preserving operation is a combination of several format-preserving operations, each of the format-preserving operation may share the same operation key, or each have an individual operation key in order to further enhance the protection of the control information.
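The key derivation of paragraph [0079] and the format-preserving operations of paragraphs [0086] to [0089] can be exercised end to end as below; this is an added example, not code from the patent or its applicant. Assumptions: SHA-256 stands in for H, a SHA-256 counter-mode stream replaces the NR scrambling sequence generator, and the key labels, function names and sample values are constructed for this illustration.

```python
import hashlib
import math

# Constructed sample values (not from the patent or any real network).
K_RRC_ENC = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
N_RNTI = 0x4601
DCI_BITS = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1] * 4  # K = 40 control information bits


def derive_key(as_key, n_rnti, slot, label, nbytes=16):
    """Sk = H(K || n_RNTI || t), truncated to l_op = 8 * nbytes bits.

    Assumptions: H is SHA-256; `label` (not on the page) gives every
    operation its own key; fields are fixed-width so the concatenation
    is unambiguous for a fixed-length access stratum key.
    """
    data = as_key + n_rnti.to_bytes(2, "big") + slot.to_bytes(4, "big") + label
    return hashlib.sha256(data).digest()[:nbytes]


def _keystream(key, label):
    """Endless byte stream from SHA-256 in counter mode (stand-in generator)."""
    counter = 0
    while True:
        yield from hashlib.sha256(label + key + counter.to_bytes(4, "big")).digest()
        counter += 1


def scramble(bits, key):
    """XOR each bit with one keystream bit; applying it twice restores the input."""
    ks = _keystream(key, b"scramble")
    return [b ^ (next(ks) & 1) for b in bits]


def keyed_permutation(n, key):
    """Fisher-Yates shuffle driven by the keystream, with rejection sampling
    so that every index is drawn without modulo bias."""
    if not 0 < n <= 65536:
        raise ValueError("n must be between 1 and 65536")
    ks = _keystream(key, b"permute")
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        bound = i + 1
        limit = 65536 - 65536 % bound  # largest multiple of bound below 2^16
        while True:
            r = (next(ks) << 8) | next(ks)
            if r < limit:
                break
        j = r % bound
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def permute(bits, perm):
    return [bits[p] for p in perm]


def unpermute(bits, perm):
    out = [0] * len(bits)
    for dst, src in enumerate(perm):
        out[src] = bits[dst]
    return out


def protect(dci_bits, as_key, n_rnti, slot):
    """Network node side: scramble, then permute, each with its own key ([0089])."""
    k_scr = derive_key(as_key, n_rnti, slot, b"op-scramble")
    k_perm = derive_key(as_key, n_rnti, slot, b"op-permute")
    perm = keyed_permutation(len(dci_bits), k_perm)
    return permute(scramble(dci_bits, k_scr), perm)


def recover(protected, as_key, n_rnti, slot):
    """Wireless device side: the reverse operations in the reverse order."""
    k_scr = derive_key(as_key, n_rnti, slot, b"op-scramble")
    k_perm = derive_key(as_key, n_rnti, slot, b"op-permute")
    perm = keyed_permutation(len(protected), k_perm)
    return scramble(unpermute(protected, perm), k_scr)


def permutation_search_bits(k):
    """log2(K!): size of the permutation space quoted in [0087], in bits."""
    return math.lgamma(k + 1) / math.log(2)


if __name__ == "__main__":
    sent = protect(DCI_BITS, K_RRC_ENC, N_RNTI, slot=7)
    print("same length:", len(sent) == len(DCI_BITS))
    print("round trip :", recover(sent, K_RRC_ENC, N_RNTI, slot=7) == DCI_BITS)
    print("wrong slot :", recover(sent, K_RRC_ENC, N_RNTI, slot=8) == DCI_BITS)
    print("log2(40!)  : %.1f bits" % permutation_search_bits(40))
    # A permutation on its own keeps the number of 1 bits unchanged, so the
    # combined form (scramble + permute) hides more than permutation alone.
    perm = keyed_permutation(40, derive_key(K_RRC_ENC, N_RNTI, 7, b"op-permute"))
    print("weight kept by permutation alone:",
          sum(permute(DCI_BITS, perm)) == sum(DCI_BITS))
```

Because the slot number enters the derivation, the protected bits for the same control information differ from slot to slot, and a receiver using the wrong slot or key recovers a different bit string of the same length.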

[0090] Each of the described embodiments enables an improved security of the physical channel; however, the ninth embodiment provides the highest level of improved security of the physical channel compared to the other embodiments. Nonetheless, it is possible to combine multiple, or all, embodiments to achieve a higher level of improved security of the physical channel. Combining more embodiments increases the level of improved security of the physical channel. In other words, all of the embodiments are compatible with each other. However, by combining multiple embodiments, the complexity burden on the UE and on the base station increases.

[0091] The embodiments explained above are described from the point of view of the network node. The reverse of the operations described above, as example, scrambling operations, CRC addition and interleaving, format preserving operations, shall be performed by the wireless device to obtain the DCI. In this case some operations may be commonly known with other terms. As an example, the reverse of a scrambling operation is known as a descrambling operation. As another example, the reverse of an interleaving operation is known as a deinterleaving operation. As another example, the reverse of a modulation operation is known as a demodulation operation. And so on. Further, the wireless device may receive from the network node the scrambling key, or information on how to derive the scrambling key.

[0092] Figure 4 illustrates embodiments of method 1000 for improving physical channel security performed by a network node.

[0093] The method comprises deriving 1002 a first key from a first access stratum key, a first intermediate key, a first non-access stratum key, a first internet protocol security key, a network identifier, a scrambling identifier, and / or a first random number. The method further comprises performing 1004 a first operation on a first input using the first key. The first input is based on control information data. The first key has been derived from the first access stratum key, the first intermediate key, the first non-access stratum key, the first internet protocol security key, and / or the first random number, and / or the first input is derived performing 1006 a second operation using a second key. The second key being derived from a second access stratum key, a second intermediate key, a second non-access stratum key, a second internet protocol security key, the network identifier, the scrambling identifier, and / or a second random number.

[0094] The first operation, and / or the second operation, may comprise a scrambling operation, a permutation operation, a rotation operation, a redundancy check operation, and / or a shift operation. The method may comprise providing 1008 the first random number, and / or the second random number, to a wireless device. The control information data may be padded and / or expanded, so as to increase the length of the control information data.

[0095] Below are exemplified some forms of the method 1000.

[0096] In a first version, the method 1000 comprises deriving 1002 a first key from a first access stratum key, a first intermediate key, a first non-access stratum key, a first internet protocol security key, a network identifier, a scrambling identifier, and / or a first random number. The method further comprises performing 1004 a first operation on a first input using the first key. The first input is based on control information data. The first key has been derived from the first access stratum key, the first intermediate key, the first non-access stratum key, the first internet protocol security key, and / or the first random number. The first input is derived performing 1006 a second operation using a second key, wherein the second key is derived from a second access stratum key, a second intermediate key, a second non-access stratum key, a second internet protocol security key, the network identifier, the scrambling identifier, and / or a second random number.

[0097] In this way, the method 1000 represents the ninth embodiment, that may be combined with any of the other embodiments. As an example, if the first key is derived from the first random number, then the second embodiment is represented. As another example, if the first key is derived from a first access stratum key, a first intermediate key, a first non-access stratum key, and / or a first internet protocol security key, then the third embodiment, the fourth embodiment, and / or the fifth embodiment is represented. As another example, if the first operation is a format preserving operation other than a scrambling operation, then the seventh embodiment is represented. As another example, if the first operation is a redundancy check, then the eighth embodiment is represented.

[0098] In a second version, the method comprises deriving 1002 a first key from a first access stratum key, a first intermediate key, a first non-access stratum key, a first internet protocol security key, a network identifier, a scrambling identifier, and / or a first random number. The method further comprises performing 1004 a first operation on a first input using the first key. The first input is based on control information data. The first key has been derived from the first access stratum key, the first intermediate key, the first non-access stratum key, the first internet protocol security key, and / or the first random number.

[0099] In this way, the method 1000 represents the second, the third, the fourth, and / or the fifth embodiment, that may be combined with any of the other embodiments. As an example, if the first operation is a format preserving operation other than a scrambling operation, then the seventh embodiment is represented. As another example, if the first operation is a redundancy check, then the eighth embodiment is represented.

[0100] In a third version, the method comprises deriving 1002 a first key from a first access stratum key, a first intermediate key, a first non-access stratum key, a first internet protocol security key, a network identifier, a scrambling identifier, and / or a first random number. The method further comprises performing 1004 a first operation on a first input using the first key. The first input is based on control information data. Further, the first input is derived performing 1006 a second operation using a second key, wherein the second key is derived from a second access stratum key, a second intermediate key, a second non-access stratum key, a second internet protocol security key, the network identifier, the scrambling identifier, and / or a second random number.

[0101] In this form, the method 1000 represents the ninth embodiment.

[0102] Figure 5 illustrates embodiments of method 2000 for improving physical channel security performed by the wireless device. The method comprises deriving 2002 a first key from a first access stratum key, a first intermediate key, a first non-access stratum key, a first internet protocol security key, a network identifier, a scrambling identifier, and / or a first random number. The method further comprises performing 2004 a first operation on a first input based on control information data. The format preserving operation being performed using the first key. The first key has been derived from the first access stratum key, the first intermediate key, the first non-access stratum key, the first internet protocol security key, and / or a random number, and / or the first input is derived performing 2006 a second operation using a second key. The second key being derived from a second access stratum key, a second intermediate key, a second non-access stratum key, a second internet protocol security key, a network identifier, a scrambling identifier, and / or a second random number.

[0103] The first operation, and / or the second operation, may comprise a de-scrambling operation, a permutation operation, a rotation operation, a redundancy check operation, and / or a shift operation. The method may comprise receiving 2008 an indication related to the first random number, and / or an indication related to the second random number, from the network node. The padding and / or an expansion applied to the control information data may be removed. In a first version, the method 2000 comprises deriving 2002 a first key from a first access stratum key, a first intermediate key, a first non-access stratum key, a first internet protocol security key, a network identifier, a scrambling identifier, and / or a first random number. The method further comprises performing 2004 a first operation on a first input based on control information data, the format preserving operation being performed using the first key. The first key has been derived from the first access stratum key, the first intermediate key, the first non-access stratum key, the first internet protocol security key, and / or a random number. The first input is derived performing 2006 a second operation using a second key, wherein the second key is derived from a second access stratum key, a second intermediate key, a second non-access stratum key, a second internet protocol security key, a network identifier, a scrambling identifier, and / or a second random number.

[0104] In this way, the method 2000 represents the ninth embodiment, that may be combined with any of the other embodiments. As an example, if the first key is derived from the first random number, then the second embodiment is represented. As another example, if the first key is derived from a first access stratum key, a first intermediate key, a first non-access stratum key, and / or a first internet protocol security key, then the third embodiment, the fourth embodiment, and / or the fifth embodiment is represented. As another example, if the first operation is a format preserving operation other than a scrambling operation, then the seventh embodiment is represented. As another example, if the first operation is a redundancy check, then the eighth embodiment is represented.

[0105] In a second version, the method 2000 comprises deriving 2002 a first key from a first access stratum key, a first intermediate key, a first non-access stratum key, a first internet protocol security key, a network identifier, a scrambling identifier, and / or a first random number. The method further comprises performing 2004 a first operation on a first input based on control information data, the format preserving operation being performed using the first key. The first key has been derived from the first access stratum key, the first intermediate key, the first non-access stratum key, the first internet protocol security key, and / or a random number.

[0106] In this way, the method 2000 represents the second, the third, the fourth, and / or the fifth embodiment, that may be combined with any of the other embodiments. As an example, if the first operation is a format preserving operation other than a scrambling operation, then the seventh embodiment is represented. As another example, if the first operation is a redundancy check, then the eighth embodiment is represented.

[0107] In a third version, the method 2000 comprises deriving 2002 a first key from a first access stratum key, a first intermediate key, a first non-access stratum key, a first internet protocol security key, a network identifier, a scrambling identifier, and / or a first random number. The method further comprises performing 2004 a first operation on a first input based on control information data, the format preserving operation being performed using the first key. The first input is derived performing 2006 a second operation using a second key, wherein the second key is derived from a second access stratum key, a second intermediate key, a second non-access stratum key, a second internet protocol security key, a network identifier, a scrambling identifier, and / or a second random number.

[0108] In this form, the method 2000 represents the ninth embodiment.

[0109] The following embodiments, described in this paragraph, are applicable to both the method 1000 and the method 2000. The second key and the first key may be the same. The first operation, and / or the second operation, may be a format preserving operation. The first key may be derived from a first access stratum key, a first intermediate key, a first non-access stratum key, a first internet protocol security key, a scrambling identifier, and / or a first random number, and the network identifier, by a KDF; and / or the second key may be derived from a second access stratum key, a second intermediate key, a second non-access stratum key, a second internet protocol security key, a scrambling identifier, and / or a second random number, and the network identifier, by a KDF. The first key, and / or the second key, may have a length equal to or greater than the control information data. The first key, and / or the second key, may be further derived from a time-dependent parameter. The second random number may be equal to the first random number. The first access stratum key, and / or the second access stratum key, may be K_gNB, K_RRCenc, K_RRCint, K_UPenc, or K_UPint. The first intermediate key, and / or the second intermediate key, may be K_NG-RAN*. The first internet protocol security key, and / or the second internet protocol security key, may be K_N3IWF. The first non-access stratum key, and / or the second non-access stratum key, may be K_NASint or K_NASenc. The scrambling identifier may be derived from a third access stratum key, a third intermediate key, a third non-access stratum key, a third internet protocol security key, and / or a third random number. The first key may have been derived from the scrambling identifier.

[0110] Figure 6 illustrates the network node 100 in accordance with some embodiments. As used herein, network node refers to equipment capable, configured, arranged and / or operable to communicate directly or indirectly with a wireless device, e.g., a UE, and / or with other network nodes or equipment, in a telecommunications network. In accordance with respective embodiments, network node 100 may be configured to operate in communication system 300 of Figure 8, like network node 302. Examples of network nodes include, but are not limited to, access points (APs) (e.g., radio access points), base stations (BSs) (e.g., radio base stations, Node Bs, evolved Node Bs (eNBs) and NR NodeBs (gNBs)), O-RAN nodes or components of an O-RAN node (e.g., O-RU, O-DU, O-CU), centralized digital units, distributed units (e.g., in an O-RAN access node), remote radio units (RRUs), multiple transmission point (multi-TRP) access nodes, core network nodes, etc. The network node 100 may be composed of multiple distinct network entities (e.g., a NodeB entity and a RNC entity, or a BTS entity and a BSC entity, etc.), which may each have or utilize their own respective physical components. The network node 100 may also include multiple sets of the various illustrated components for different wireless technologies integrated into network node 100, for example GSM, WCDMA, LTE, NR, 6G, Wi-Fi (e.g., according to an IEEE 802.11 family standard), Zigbee, Z-wave, LoRaWAN, Radio Frequency Identification (RFID) or Bluetooth wireless technologies. These wireless technologies may be integrated into the same or different chip or set of chips and other components within network node 100. A network node 100 may be an Open-RAN (ORAN) network node. An ORAN network node is a network node that supports an ORAN specification (e.g., a specification published by the O-RAN Alliance, or any similar organization). A network node 100 may support 3GPP radio access technologies (RAT), such as LTE or NR, and additionally support non-3GPP RATs, such as Wi-Fi or a proprietary RAT.

[0111] A network node 100 may include a processing circuitry 102, a memory 104, and a communication interface 106.

[0112] The processing circuitry 102 may be operable to provide, either alone or in conjunction with other components, such as the memory 104, network node 100 functionality. The processing circuitry 102 may be configured to process instructions and data and may be configured to execute instructions stored as machine-readable computer programs in the memory 104. The processing circuitry 102 may be configured to communicate with an access network, a core network, or other network via or using the communication interface 106.

[0113] The memory 104 may comprise any form of volatile or non-volatile computer-readable memory that stores information, data, and / or instructions that may be used by the processing circuitry 102. The memory 104 may store any suitable instructions, data, or information, including a computer program, software, an application including one or more of logic, rules, code, tables, and / or other instructions capable of being executed by the processing circuitry 102 and utilized by the network node 100. The memory 104 may be used to store any calculations made by the processing circuitry 102 and / or any data received via the communication interface 106. The memory 104 may allow network node 100 to access instructions, programs and the like, stored on transitory or non-transitory memory media, to off-load data, or to upload data.

[0114] The communication interface 106 is used in wired or wireless communication of signaling and / or data with UEs, other network nodes, and / or any other network equipment.

[0115] Embodiments of the network node 100 may include additional components beyond those shown in Figure 6 for providing certain aspects of the network node’s functionality, including any of the functionality described herein and / or any functionality necessary to support the subject matter described herein.

[0116] Figure 7 illustrates the wireless device 200 in accordance with some embodiments. The wireless device 200 may be configured to operate in communication system 300 of Figure 8. The wireless device 200 may be alternatively referred to as a UE 200, like a UE 304 within the context of communication system 300, in accordance with some embodiments. As used herein, a wireless device refers to a device capable, configured, arranged and / or operable to communicate wirelessly with network nodes and / or other wireless devices. Examples of a wireless device include, but are not limited to, a smart phone, mobile phone, cell phone, tablet, laptop, smart device, wireless customer-premise equipment (CPE), vehicle, vehicle-mounted or vehicle embedded / integrated wireless device, and wireless terminal. Other examples include any type of UE identified by the 3rd Generation Partnership Project (3GPP), including a 4G UE, 5G UE, 6G UE, a narrow band internet of things (NB-IoT) UE, a machine type communication (MTC) UE, and / or an enhanced MTC (eMTC) UE. A wireless device 200 may support device-to-device (D2D) communication, for example by implementing a 3GPP standard for sidelink communication, Dedicated Short-Range Communication (DSRC), vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), or vehicle-to-everything (V2X). The wireless device 200 may be configured for operating in single- or multi-RAT or multi-standard mode. For example, a UE may operate with any one or combination of Wi-Fi, NR (New Radio) and LTE, i.e. being configured for multi-radio dual connectivity (MR-DC), such as E-UTRAN (Evolved-UMTS Terrestrial Radio Access Network) New Radio - Dual Connectivity (EN-DC).

[0117] The wireless device 200 may include processing circuitry 202, a memory 204, and a communication interface 206.

[0118] The processing circuitry 202 may be operable to provide, either alone or in conjunction with other components, such as the memory 204, wireless device 200 functionality. The processing circuitry 202 is configured to process instructions and data and may be configured to execute instructions stored as machine-readable computer programs in the memory 204. The processing circuitry 202 may be configured to communicate with an access network, or other network via or using the communication interface 206.

[0119] The memory 204 may comprise any form of volatile or non-volatile computer-readable memory that stores information, data, and / or instructions that may be used by the processing circuitry 202. The memory 204 may store any suitable instructions, data, or information, including a computer program, software, an application including one or more of logic, rules, code, tables, and / or other instructions capable of being executed by the processing circuitry 202 and utilized by the wireless device 200. The memory 204 may be used to store any calculations made by the processing circuitry 202 and / or any data received via the communication interface 106. The memory 204 may allow wireless device 200 to access instructions, programs and the like, stored on transitory or non-transitory memory media, to off-load data, or to upload data.

[0120] The communication interface 206 is used in wired or wireless communication of signaling and / or data with other UEs, network nodes, and / or any other network equipment. Embodiments of the wireless device 200 may include additional components beyond those shown in Figure 7 for providing certain aspects of the wireless device’s functionality, including any of the functionality described herein and / or any functionality necessary to support the subject matter described herein.

[0121] The memory as described in some embodiments of the network node 100 and the wireless device 200, may comprise any form of volatile or non-volatile computer-readable memory including, without limitation, persistent storage, solid-state memory, remotely mounted memory, magnetic media, optical media, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), mass storage media (for example, a hard disk), removable storage media (for example, a flash drive, a solid-state drive (SSD), or a hard-disk drive (HDD)), and / or any other volatile or non-volatile, non-transitory device-readable and / or computer-executable memory devices that store information, data, and / or instructions that may be used by the processing circuitry.

[0122] Communication functions of the communication interface as described in some embodiments may include cellular communication, Wi-Fi communication (e.g., according to an IEEE 802.11 family standard), LPWAN communication, data communication, voice communication, multimedia communication, short-range communications such as Bluetooth, near-field communication, location-based communication such as the use of the global positioning system (GPS) to determine a location, another like communication function, or any combination thereof. Communications may be implemented according to one or more communication protocols and / or standards, such as IEEE 802.11, Code Division Multiplexing Access (CDMA), Wideband Code Division Multiple Access (WCDMA), GSM, LTE, New Radio (NR), UMTS, WiMax, Ethernet, transmission control protocol / internet protocol (TCP / IP), synchronous optical networking (SONET), Asynchronous Transfer Mode (ATM), QUIC, Hypertext Transfer Protocol (HTTP), and so forth.

[0123] Figure 8 illustrates an example of the communication system 300 in accordance with some embodiments. In the example, the communication system 300 includes one or more network nodes 302 (as example network nodes 100 according to Figure 6), and one or more wireless devices 304 (as example wireless devices 200 according to Figure 7). The network nodes 302 may facilitate direct or indirect connection of wireless devices 304, also referred to as user equipments (UEs), to one or more networks (e.g., 3GPP network, 3GPP 5G network, 3GPP 6G network, Wi-Fi network, Bluetooth network), over one or more wireless connections. Example wireless communications over a wireless connection include transmitting and / or receiving wireless signals using electromagnetic waves, radio waves, infrared waves, and / or other types of signals suitable for conveying information without the use of wires, cables, or other material conductors. Moreover, in different embodiments, the communication system 300 may include any number of wired or wireless networks, network nodes, UEs, and / or any other components or systems that may facilitate or participate in the communication of data and / or signals whether via wired or wireless connections. The communication system 300 may include and / or interface with any type of communication, telecommunication, data, cellular, radio network, and / or other similar type of system.

[0124] The UEs 304 may be any of a wide variety of communication devices, including wireless devices arranged, configured, and / or operable to communicate wirelessly with the network nodes 302 and other communication devices. Similarly, the network nodes 302 are arranged, capable, configured, and / or operable to communicate directly or indirectly with the UEs 304 and / or with other network nodes to enable and / or provide network access, such as wireless network access, and / or to perform other functions.

[0125] Network nodes 302 may be access network nodes, core network nodes, etc. Example core network nodes provide functions of one or more of a Mobile Switching Center (MSC), Mobility Management Entity (MME), Home Subscriber Server (HSS), Access and Mobility Management Function (AMF), Session Management Function (SMF), Authentication Server Function (AUSF), Subscription Identifier De-concealing function (SIDF), Unified Data Management (UDM), Security Edge Protection Proxy (SEPP), Network Exposure Function (NEF), and / or a User Plane Function (UPF).

[0126] The communication system 300 may be configured to operate according to predefined rules or procedures, such as specific standards that include, but are not limited to: Global System for Mobile Communications (GSM); Universal Mobile Telecommunications System (UMTS); Long Term Evolution (LTE), and / or other suitable 2G, 3G, 4G, 5G standards, or any applicable future generation standard (e.g., 6G); wireless local area network (WLAN) standards, such as the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standards (Wi-Fi); and / or any other appropriate wireless communication standard, such as the Worldwide Interoperability for Microwave Access (Wi-Max), Bluetooth, Z-Wave, Near Field Communication (NFC), ZigBee, Li-Fi, and / or any low-power wide-area network (LPWAN) standards such as LoRa and Sigfox. Moreover, the communication system 300 may be configured to support multiple different standards, protocols, or other rule sets, with individual components supporting all of the relevant rule sets or with different components or subsystems within the communication system 300 supporting different standards, protocols, or rule sets.

[0127] The communication system 300 may support multiple generations of related communication standards (e.g., 4G and 5G 3GPP communication standards) and, as a result, may include network nodes 302 that support multiple different standard generations.

[0128] Figure 9 illustrates carriers 402; 404, computer readable-media 406; 408, and computer programs 410; 412.

[0129] According to an embodiment, a first computer program 410 comprises instructions that when executed by processing circuitry and / or by the network node, cause the processing circuitry to carry out the method performed by the network node. According to an embodiment, a first carrier 402 may contain the first computer program 410, wherein the first carrier is one of an electronic signal, optical signal, radio signal, computer program product, or computer-readable medium.

[0130] According to an embodiment, a second computer program 412 comprises instructions that when executed by processing circuitry and / or by the wireless device, cause the processing circuitry to carry out the method performed by the wireless device.

[0131] According to an embodiment, a second carrier 404 may contain the first computer program 410, wherein the first carrier is one of an electronic signal, optical signal, radio signal, computer program product, or computer-readable medium.

[0132] According to an embodiment, a first tangible, non-transient computer-readable medium 406 comprises instructions that, when executed by the network node, cause the network node to perform operations according to the method performed by the network node.

[0133] According to an embodiment, a second tangible, non-transient computer-readable medium 408 comprises instructions that, when executed by the wireless device, cause the wireless device to perform operations according to the method performed by the wireless device.

[0134] The processing circuitry may comprise a combination of one or more of a microprocessor, controller, microcontroller, central processing unit (CPU), digital signal processor, application-specific integrated circuit, field programmable gate array, system on a chip (SOC), or any other suitable computing device, resource, or combination of hardware, software and / or encoded logic.

[0135] Examples of non-transient computer-readable media are a universal serial bus (USB) memory, a plugin card, an embedded drive, or a read-only memory.

[0136] Although the computing devices described herein (e.g., UEs, network nodes, hosts) may include the illustrated combination of hardware components, other embodiments may comprise computing devices with different combinations of components. It is to be understood that these computing devices may comprise any suitable combination of hardware and / or software needed to perform the tasks, features, functions, and methods disclosed herein. Determining, calculating, obtaining or similar operations described herein may be performed by processing circuitry, which may process information by, for example, converting the obtained information into other information, comparing the obtained information or converted information to information stored in the network node, and / or performing one or more operations based on the obtained information or converted information, and as a result of said processing making a determination. Moreover, while components are depicted as single boxes located within a larger box, or nested within multiple boxes, in practice, computing devices may comprise multiple different physical components that make up a single illustrated component, and functionality may be partitioned between separate components. For example, a communication interface may be configured to include any of the components described herein, and / or the functionality of the components may be partitioned between the processing circuitry and the communication interface. In another example, non-computationally intensive functions of any of such components may be implemented in software or firmware and computationally intensive functions may be implemented in hardware.

[0137] In certain embodiments, some or all of the functionality described herein may be provided by processing circuitry executing instructions stored in memory, which in certain embodiments may be a computer program product in the form of a non-transitory computer-readable storage medium. In alternative embodiments, some, or all of the functionalities may be provided by the processing circuitry without executing instructions stored on a separate or discrete device-readable storage medium, such as in a hard-wired manner. In any of those particular embodiments, whether executing instructions stored on a non-transitory computer-readable storage medium or not, the processing circuitry can be configured to perform the described functionality. The benefits provided by such functionality are not limited to the processing circuitry alone or to other components of the computing device, but are enjoyed by the computing device as a whole, and / or by end users and a wireless network generally.

Claims

1. A method (1000) for improving physical channel security performed by a network node (100), the method comprising: deriving (1002) a first key from a first access stratum key, a first intermediate key, a first non-access stratum key, a first internet protocol security key, a network identifier, a scrambling identifier, and / or a first random number; performing (1004) a first operation on a first input using the first key, wherein the first input is based on control information data, wherein: the first key has been derived from the first access stratum key, the first intermediate key, the first non-access stratum key, the first internet protocol security key, and / or the first random number; and / or the first input is derived performing (1006) a second operation using a second key, wherein the second key is derived from a second access stratum key, a second intermediate key, a second non-access stratum key, a second internet protocol security key, the network identifier, the scrambling identifier, and / or a second random number.

2. The method (1000) of claim 1, wherein the second key and the first key are the same.

3. The method (1000) of any one of claims 1 to 2, wherein the first operation, and / or the second operation, is a format preserving operation.

4. The method (1000) of any one of claims 1 to 3, wherein the first operation, and / or the second operation, comprises a scrambling operation, a permutation operation, a rotation operation, a redundancy check operation, and / or a shift operation.

5. The method (1000) of any one of claims 1 to 4, wherein the first key is derived from a first access stratum key, a first intermediate key, a first non-access stratum key, a first internet protocol security key, a scrambling identifier, and / or a first random number, and the network identifier, by a key derivation function (KDF); and / or wherein the second key is derived from a second access stratum key, a second intermediate key, a second non-access stratum key, a second internet protocol security key, a scrambling identifier, and / or a second random number, and the network identifier, by a KDF.

6. The method (1000) of any one of claims 1 to 5, wherein the first key, and / or the second key, has a length equal or bigger than the control information data.

7. The method (1000) of any one of claims 1 to 6, wherein the first key, and / or the second key, is further derived from a time-dependent parameter.

8. The method (1000) of any one of claims 1 to 7, comprising providing (1008) the first random number, and / or the second random number, to a communication device.

9. The method (1000) of any one of claims 1 to 8 wherein the second random number is equal to the first random number.

10. The method (1000) of any one of claims 1 to 9, wherein the first access stratum key, and / or the second access stratum key, is KgNB, KRRCenc, KRRCint, KUPenc, or KUPint.

11. The method (1000) of any one of claims 1 to 10, wherein the first intermediate key, and / or the second intermediate key, is KNG-RAN*.

12. The method (1000) of any one of claims 1 to 11, wherein the first internet protocol security key, and / or the second internet protocol security key, is KN3IWF.

13. The method (1000) of any one of claims 1 to 12, wherein the first non-access stratum key, and / or the second non-access stratum key, is KNASint or KNASenc.

14. The method (1000) of any one of claims 1 to 13, wherein the scrambling identifier is derived from a third access stratum key, a third intermediate key, a third non-access stratum key, a third internet protocol security key, and / or a third random number.

15. The method (1000) of claim 14, wherein the first key has been derived from the scrambling identifier.

16. The method (1000) of any one of claims 1 to 15, wherein the control information data is padded and / or expanded, so as to increase the length of the control information data.

17. A method (2000) for improving physical channel security performed by a wireless device (200), the method comprising: deriving (2002) a first key from a first access stratum key, a first intermediate key, a first non-access stratum key, a first internet protocol security key, a network identifier, a scrambling identifier, and / or a first random number; performing (2004) a first operation on a first input based on control information data, the format preserving operation being performed using the first key, wherein: the first key has been derived from the first access stratum key, the first intermediate key, the first non-access stratum key, the first internet protocol security key, and / or a random number; and / or the first input is derived performing (2006) a second operation using a second key, wherein the second key is derived from a second access stratum key, a second intermediate key, a second non-access stratum key, a second internet protocol security key, a network identifier, a scrambling identifier, and / or a second random number.

18. The method (2000) of claim 17, wherein the second key and the first key are the same.

19. The method (2000) of any one of claims 17 to 18, wherein the first operation, and / or the second operation, is a format preserving operation.

20. The method (2000) of any one of claims 17 to 19, wherein the first operation, and / or the second operation, comprises a scrambling operation, a permutation operation, a rotation operation, a redundancy check operation, and / or a shift operation.

21. The method (2000) of any one of claims 17 to 20, wherein the first key is derived from a first access stratum key, a first intermediate key, a first non-access stratum key, a first internet protocol security key, a scrambling identifier, and / or a first random number, and the network identifier, by a key derivation function (KDF); and / or wherein the second key is derived from a second access stratum key, a second intermediate key, a second non-access stratum key, a second internet protocol security key, a scrambling identifier, and / or a second random number, and the network identifier, by a KDF.

22. The method (2000) of any one of claims 17 to 21, wherein the first key, and / or the second key, has a length equal or bigger than the control information data.

23. The method (2000) of any one of claims 17 to 22, wherein the first key, and / or the second key, is further derived from a time-dependent parameter.

24. The method (2000) of any one of claims 17 to 23, comprising receiving (2008) an indication related to the first random number, and / or an indication related to the second random number, from a network node.

25. The method (2000) of any one of claims 17 to 24 wherein the second random number is equal to the first random number.

26. The method (2000) of any one of claims 17 to 25, wherein the first access stratum key, and / or the second access stratum key, is KgNB, KRRCenc, KRRCint, KUPenc, or KUPint.

27. The method (2000) of any one of claims 17 to 26, wherein the first intermediate key, and / or the second intermediate key, is KNG-RAN*.

28. The method (2000) of any one of claims 17 to 27, wherein the first internet protocol security key, and / or the second internet protocol security key, is KN3IWF.

29. The method (2000) of any one of claims 17 to 28, wherein the first non-access stratum key, and / or the second non-access stratum key, is KNASint or KNASenc.

30. The method (2000) of any one of claims 17 to 29, wherein the scrambling identifier is derived from a third access stratum key, a third intermediate key, a third non-access stratum key, a third internet protocol security key, and / or a third random number.

31. The method (2000) of claim 30, wherein the first key has been derived from the scrambling identifier.

32. The method (2000) of any one of claims 17 to 31, wherein a padding and / or an expansion applied to the control information data is removed.

33. A network node (100) for improving physical channel security comprising processing circuitry and a memory, the network node configured to perform operations according to the method of any one of claims 1 to 16.

34. A tangible, non-transient computer-readable medium comprising instructions that, when executed by a network node, cause the network node to perform operations according to the method of any one of claims 1 to 16.

35. A computer program, comprising instructions that, when executed by processing circuitry, cause the processing circuitry to carry out the method according to any of claims 1 to 16.

36. A carrier containing the computer program of claim 35, wherein the carrier is one of an electronic signal, optical signal, radio signal, computer program product, or computer-readable medium.

37. A wireless device (200) for improving physical channel security comprising processing circuitry and a memory, the wireless device configured to perform operations according to the method of any one of claims 17 to 32.

38. A tangible, non-transient computer-readable medium comprising instructions that, when executed by a wireless device, cause the wireless device to perform operations according to the method of any one of claims 17 to 32.

39. A computer program, comprising instructions that, when executed by processing circuitry, cause the processing circuitry to carry out the method according to any of claims 17 to 32.

40. A carrier containing the computer program of claim 39, wherein the carrier is one of an electronic signal, optical signal, radio signal, computer program product, or computer-readable medium.

41. A communication system (300) comprising: a network node (100) according to claim 33; and a wireless device (200) according to claim 37.
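The flow of claims 1 to 7 and 17 to 23, as an added Python example that is not code from the patent: the network node and the wireless device derive the same keys with a KDF from an access stratum key, the network identifier, a random number and a time-dependent parameter, then apply two length-preserving operations (rotation, then scrambling) and their inverses. The HMAC-SHA256 counter-mode KDF, the `scr`/`rot` labels, the 16-bit `network_id`, the `slot` parameter and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def kdf_bits(secret, network_id, rand, slot, label, nbits):
    """Stretch a secret into nbits key bits (HMAC-SHA256 counter mode, an assumed KDF)."""
    context = label + network_id.to_bytes(2, "big") + rand + slot.to_bytes(4, "big")
    stream, counter = b"", 0
    while len(stream) * 8 < nbits:
        stream += hmac.new(secret, counter.to_bytes(4, "big") + context, hashlib.sha256).digest()
        counter += 1
    return [(stream[i // 8] >> (7 - i % 8)) & 1 for i in range(nbits)]

def rotate(bits, amount):
    """Cyclic left rotation; a negative amount undoes it. Length is preserved."""
    amount %= len(bits)
    return bits[amount:] + bits[:amount]

def scramble(bits, key):
    """Bitwise XOR with a key at least as long as the data (claims 6, 22); self-inverse."""
    if len(key) < len(bits):
        raise ValueError("key shorter than control information data")
    return [b ^ k for b, k in zip(bits, key)]

def derive_keys(as_key, network_id, rand, slot, nbits):
    """First key: nbits scrambling bits. Second key: reduced to a rotation amount."""
    k1 = kdf_bits(as_key, network_id, rand, slot, b"scr", nbits)
    k2 = kdf_bits(as_key, network_id, rand, slot, b"rot", 16)
    return k1, int("".join(map(str, k2)), 2) % nbits

def protect(dci, as_key, network_id, rand, slot):
    """Network node: second operation (rotation) feeds the first (scrambling)."""
    k1, rot = derive_keys(as_key, network_id, rand, slot, len(dci))
    return scramble(rotate(dci, rot), k1)

def recover(rx, as_key, network_id, rand, slot):
    """Wireless device: undo the scrambling, then undo the rotation."""
    k1, rot = derive_keys(as_key, network_id, rand, slot, len(rx))
    return rotate(scramble(rx, k1), -rot)

# Constructed sample values, not taken from the patent or from any network.
AS_KEY = bytes(range(32))
NETWORK_ID = 0x01F4
RAND = bytes.fromhex("a1b2c3d4")
DCI = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 1, 0, 1, 0]
if __name__ == "__main__":
    tx = protect(DCI, AS_KEY, NETWORK_ID, RAND, slot=7)
    print(len(tx) == len(DCI), recover(tx, AS_KEY, NETWORK_ID, RAND, slot=7) == DCI)
```

Because the time-dependent parameter enters the KDF context, a receiver with the right access stratum key but a stale `slot` or a different random number derives unrelated keys and does not recover the control information.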