1. Secret from Muscle: Enabling Secure Paring with Electromyography
Lin Yang, Wei Wang, Qian Zhang
Hong Kong University of Science & Technology
Good morning, everyone.
Today it is my honor to be here to present our work, secret from muscle…. This is a joint work with my colleagues Wei Wang and supervisor Qian Zhang at HKUST.

2. Rise of Wearable Devices
Nowadays, we have witnessed the rise of wearable devices.
They have penetrated into every part of our life and enable many promising apps.
buy stuff via mobile payment, record physical training/daily activity with smart watch, or monitor our health states.
Mobile Payment
Physical Training
Daily Activity
Healthcare

3. Pairing is Everywhere Private, high-sensitive data Mobile Payment
Among these applications, pairing btw devices is an essential part. Since the data involved is private and highly-sensitive, it also poses some import security issues.
E.g., under the scenario of mobile payment, before we transmit our credit card information to the POS machine, we want to make sure the communication link btw them is secure.
Also, similar requirement is imposed when we upload our physical healthcare data from smart wristband to our phone or nearby laptop.
So, how to create a secure pairing btw these devices becomes an import problem.
Mobile Payment
Data Sharing

4. Solutions & Threats Powerful Attacker Wireless Sound Pin code
surveillance camera
To solve this problem, there are many existing works. However, they either don’t fit well in the scenario of wearable devices or are vulnerable to some power attackers.
Pin code: no convenient input method
wireless channel reciprocity: share nature  threated by predictable channel attacks.
Ambient environment-based solutions: can be sensed by nearby eavesdropper, active attacker manipulate the context.
Human movement: gait. Are exposed to the camera-based attack.
Vibration
Motion

5. EMG-KEY for Secure Pairing
EMG-KEY is a system that securely pairs wearable devices by exploiting the electromyogram (EMG) variations as random source to generate cryptographic key.
EMG = electrical activity caused by muscle contraction.
Random variation.
Bio-diversity over subjects and time.
Physical contact in close proximity.
To provide a better security, we propose EMG-KEY, which is a…
EMG is the electric activity…it has several promising characteristics.

6. Towards Better Security
Simple gesture, easy to use
Hard to eavesdrop
Robust to camera-based attack
An example application of EMG-KEY is the mobile payment.
Your smart watch knows your credit card number and security code and you want to transmit these information to the POS machine confidentially. To do this, you only need to put your arm on the POS machine and clenching your fist for 3 seconds.
There are several advantages of our system.
Low-cost EMG sensor and a simple gesture: clenching of fist…
Robust to eavesdropper/copy attacker
Dynamic key over time
Target at high-security scenarios, such mobile payment, transmission of sensitive data.
Dynamic Key over time
Low cost EMG sensor

7. EMG as Random Source
To build such system, there are several challenges. The very first one is that is the randomness of EMG sufficient enough for a secret key?

8. Generation of Muscle Contraction
Surface EMG
skin + -
Neuron 1
Electrodes
Muscle
fibers
Neuron 2
End-plates
Spinal cord
Motor
unit 1
Motor
Unit 2 …
Muscle fiber
action potential
Nerve
Firing
excitation
Muscle
To answer this question, we need some medical background.
Our body consists of many muscles. As shown in this figure, those muscles comprise dozens of muscle fibers. Each muscle fiber is innervated by a motor neuron and their contact region is termed the end-plates. The motor neuron and the set of muscle fiber it innervates forms the basic functional unit of EMG, which is called the motor unit. E.g., in this figure, there are two motor units.
So, how is EMG generated exactly? When we want to perform some movements, like clenching of fist, our neuron will fire an electrical excitation to the muscle fibers. This excitation, through a collection of complex bio-chemical reactions, will cause a local depolarization and initiates a muscle fiber action potential. Such action potentials will interact with each other and propagate along muscle fiber. Eventually, this electrical activity can be captured by the electrodes on the skin and that is so-called surface EMG.
Muscle
fibers
End plates

9. EMG Modeling 𝑬𝑴𝑮 𝒕 = 𝒒=𝟏 𝑸 𝑹 𝒒 𝒕 ∗ 𝒎=𝟏 𝑴 𝒒 𝜹 𝒕− 𝝉 𝒎 ∗𝒑 𝒕 ∗𝒆(𝒕) Neuron
[1] R. Merletti and P. A. Parker. Electromyography: physiology, engineering, and non-invasive applications, John Wiley&Sons, 2004
[2] S. R. Devasahayam. Signal processing and physiological systems modeling. Springer Science & Business Media, 2012.
EMG Modeling
Firing pattern of neuron is quasi-random [1].
motor unit is independent [2].
𝑅 𝑡 = 𝑞=1 𝑄 𝑅 𝑞 (𝑡)
Propagation velocity depends on muscle states
𝑝 𝑡 =𝐴𝑢𝑡 2−𝑢𝑡 𝑒 −𝑢𝑡
𝑬𝑴𝑮 𝒕 = 𝒒=𝟏 𝑸 𝑹 𝒒 𝒕 ∗ 𝒎=𝟏 𝑴 𝒒 𝜹 𝒕− 𝝉 𝒎 ∗𝒑 𝒕 ∗𝒆(𝒕)
Neuron
Firing
End-plates
Muscle fiber
action potential
Electrodes
EMG
In general, there are 4 parts involved in this process.
The first one the firing pattern of neurons. According to medical research, it is quasi-random process. i.e., the average firing rate increases with force requirement, but the occurrence of excitation is random in nature. Besides, each motor unit is independent and its firing pattern shows no correlation with the others.
When the excitation arrives at the end-plates, it will initiate the muscle fiber action potential. However, since geospatial locations of end-plates are different, there will be a time delay in their propagation. This can be formulated by the convolution of a delta function.
In addition, the propagation velocity of muscle action potential is determined by the muscle state, which can be modeled by p(t)
Last, the hardware will introduce some signal distortion and its transfer function is e(t).
Combine all these factors together, we can have the modeling of EMG signal. It is the convolution of all factors over all motor units involved in this process, which leads us to this equation.
End-plate distribution introduce delays in the propagation of action potentials.
𝐷 𝑡 = 𝑚=1 𝑀 𝛿(𝑡− 𝜏 𝑚 )
Hardware imperfection function introduces distortions
𝑒(𝑡)

10. EMG as Random Source
𝑬𝑴𝑮 𝒕 = 𝒒=𝟏 𝑸 𝑹 𝒒 𝒕 ∗ 𝒎=𝟏 𝑴 𝒒 𝜹 𝒕− 𝝉 𝒎 ∗𝒑 𝒕 ∗𝒆(𝒕)
The number of recruited motor unit is determined by force, which varies under same gesture.
The stochastic nature of firing pattern guarantees the randomness.
The user diversity in the end-plate distribution, conduction velocity, and muscle fatigue level, introduces additional discrepancies.
EMG is subtle and can only be sensed with physical contact in proximity.
Based on this model, we can make several observations:

11. Experimental Feasibility
Arduino UNO + Olimex EMG sensor
Clench fist 3 times for both user & attacker.
To further validate these observations, we build a prototype with Arduino…
We recruited 10 volunteers, 9 of them act as legitimate users, while the reset one is attacker. For both user and attacker, we ask them to perform a clenching of fist for 3 times. This is an example signal.
First, we notice
1. Different EMG among 3 clenching
2. High correlation btw legitimate devices, but also some discrepancies.
3. Amplitude is different btw legitimate & attacker.
4. The small-scale variation is different  random nature of firing pattern.
All of these suggest EMG can be used as an random source to generate secret key.

12. System Design
Now, we are ready to talk our system design.

13. System Overview How to generate secret bits?
How to alleviate discrepancies?
Secret
key … …
EMG Sensor
raw EMG
rectified signal
secret bits 𝛿
Our system consists of 4 parts: data collecting, pre-processing…
There are two challenges. The first one is how to generate the secret bits. The next is how to alleviate discrepancies caused by practical issues, like hardware imperfection. … …
EMG Sensor
Legitimate device
Pre-processing
Shape Coding
Reconciliation

14. Preprocessing Rectification High-pass filter ≥15𝐻𝑧 notch filter @50𝐻𝑧
Motion/friction noise ≤15𝐻𝑧.
Arm muscle frequency ≥20𝐻𝑧.
Root-mean square to magnify the firing pattern.
Rectification
𝑆 𝑡 = 1 𝑇 𝑡−𝑇 𝑇 𝑥 2 𝜏 𝑑𝜏
High-pass filter
≥15𝐻𝑧
notch filter
@50𝐻𝑧
Raw EMG
Rectified EMG
Before the
Power line 𝑜𝑟 60𝐻𝑧.

15. How to generate secret bits?
𝐵𝑖𝑡 𝑟𝑎𝑡𝑒= 1 w log 2 3
Rectified EMG
Segmentation
Shape templates
Shape matching
Codes
window size = 𝑤
3 basic shapes: rise/stay/drop
2-bit encoding for each segment
Raw EMG
Rectified EMG
Shapes of segment

16. Imperfection in Secret Bits
Imperfection of hardware
Legitimate
device a
𝑘 𝑎 = …
𝑘 𝑎 𝛿
Matched!
raw EMG
rectified signal
secret bits
Legitimate
device b
𝑘 𝑏 = …
𝑘 𝑏 ′
Propagation distortion btw devices

17. Reconciliation Error correction code 𝐶(𝑛, 𝑘, 𝑟):
𝑛→𝑘, 𝑟−𝑏𝑖𝑡 𝑒𝑟𝑟𝑜𝑟𝑠
Encryption =𝑓 ⋅ , decryption=𝑔(⋅)
𝑤 = Code word of 𝑘 𝑎 =𝑓(𝑔( 𝑘 𝑎 ))
If 𝑑≤𝑟, then 𝑘 𝑏 ⊕𝛿 is in the correction range of 𝑓 𝑔 𝑘 𝑎 .
𝑤=𝑓 𝑔 𝑘 𝑎
𝑘 𝑎 𝑟 𝛿 𝑑
𝑘 𝑏 ⊕𝛿
𝑘 𝑏

18. Imperfection in Secret Bits
Error Correction Code 𝐶 𝑛, 𝑘, 𝑟
𝑓(⋅) = encoding, 𝑔(⋅)= decoding
Imperfection of hardware
Legitimate
device a
𝑘 𝑎 = …
𝑘 𝑎
𝛿= 𝑘 𝑎 ⊕𝑓(𝑔( 𝑘 𝑎 ))
Matched!
raw EMG
rectified signal
secret bits
Legitimate
device b
𝑘 𝑏 = …
𝑘 𝑏 ′ =𝛿⊕𝑓(𝑔 𝑘 𝑏 ⊕𝛿 )
Propagation distortion btw devices
Information leakage = n-k,
Available bit rate = bit rate * k/n

19. Evaluation

20. Experiment Setup
Prototype wristband = Arduino UNO board + Olimex EMG sensors
10 Volunteers (7 males, 3 females)
9 users + 1 attacker(eavesdropper, copy attacker)
Key Generation
Security Level
Bit generation rate
Entropy
Bit mismatching rate
P-value of randomness
Mutual information

21. Bit Generation Rate 𝐵𝑖𝑡 𝑟𝑎𝑡𝑒=10.57∗ 12 23 ≈5.51𝑏𝑝𝑠
𝐵𝑖𝑡 𝑟𝑎𝑡 𝑒 ∗ = ∗ log 2 3≈10.57𝑏𝑝𝑠

22. Randomness of Secret key
Standard randomness test from NIST
P-value ≥0.01
Test
P-value
Frequency
Block frequency
Approximate Entropy
Runs
Longest Runs
Cumulative Sun
Serial

23. Simple gesture is sufficient
Confounding Factors
Secure Distance
Gesture Complexity
Secure distance ≤4 cm
Simple gesture is sufficient

24. Threat Model No prior knowledge btw A & B.
Attacker
No prior knowledge btw A & B.
Simple & easy to copy gesture
Attacker can
observe & copy user’s gesture
Get the packets over unencrypted link (𝛿)
Every details of our pairing system.
Copy attack
Record user’s gesture with camera.
Capture all the packets over wireless channel.
Posterior analysis via imitating the gesture
User
Device B
Device A
Device E

25. Information Leakage
Mutual info.
1.158 bits
0.290 bits
0.274 bits

26. Overall performance of Copy Attacker
𝐵𝑖𝑡 𝑚𝑖𝑠𝑚𝑎𝑡𝑐ℎ𝑖𝑛𝑔 𝑟𝑎𝑡 𝑒 𝑢𝑠𝑒𝑟 =8.92∗ 10 −3
𝐵𝑖𝑡 𝑚𝑖𝑠𝑚𝑎𝑡𝑐ℎ𝑖𝑛𝑔 𝑟𝑎𝑡 𝑒 𝑎𝑡𝑡𝑎𝑐𝑘𝑒𝑟 =0.298
For a 6-digit PIN code:
𝑃𝑟𝑜𝑏 𝑢𝑠𝑒𝑟 = 1− ∗log ≈83.64%
𝑃𝑟𝑜𝑏 𝑎𝑡𝑡𝑎𝑐𝑘𝑒𝑟 = 1− ∗log ≈0.09%

27. Conclusion Contribution
EMG-KEY is a system that securely pairs wearable devices by exploiting the electromyogram variations as random source to generate cryptographic key.
Contribution
First to explore the EMG to enable secure pairing.
Random & dynamic secret key.
Robust to strong attacks

28. Thank You! Lin Yang, Wei Wang, Qian Zhang
Hong Kong University of Science & Technology

30. Extensibility of Reconciliation

31. Placement of Electrodes