IU-GUARD: Privacy-Preserving Spectrum Coordination for Incumbent Users under Dynamic Spectrum Sharing
With the growing demand for wireless spectrum, dynamic spectrum sharing (DSS) frameworks such as the Citizens Broadband Radio Service (CBRS) have emerged as practical solutions to improve utilization while protecting incumbent users (IUs) such as military radars. However, current incumbent protection mechanisms face critical limitations. The Environmental Sensing Capability (ESC) requires costly sensor deployments and remains vulnerable to interference and security risks. Alternatively, the Incumbent Informing Capability (IIC) requires IUs to disclose their identities and operational parameters to the Spectrum Coordination System (SCS), creating linkable records that compromise operational privacy and mission secrecy. We propose IU-GUARD, a privacy-preserving spectrum sharing framework that enables IUs to access spectrum without revealing their identities. Leveraging verifiable credentials (VCs) and zero-knowledge proofs (ZKPs), IU-GUARD allows IUs to prove their authorization to the SCS while disclosing only essential operational parameters. This decouples IU identity from spectrum access, prevents cross-request linkage, and mitigates the risk of centralized SCS data leakage. We implement a prototype, and our evaluation shows that IU-GUARD achieves strong privacy guarantees with practical computation and communication overhead, making it suitable for real-time DSS deployment.
💡 Research Summary
The paper addresses a critical privacy gap in dynamic spectrum sharing (DSS) frameworks, specifically for incumbent users (IUs) such as military radars that must be protected from interference while still allowing commercial access to underutilized bands. Existing protection mechanisms—Environmental Sensing Capability (ESC) and Incumbent Informing Capability (IIC)—are each flawed. ESC relies on costly coastal sensors that are vulnerable to spoofing, jamming, physical tampering, and interference from adjacent bands. IIC improves reporting accuracy by having IUs directly inform the Spectrum Coordination System (SCS), but forces IUs to disclose their identities and detailed operational parameters. Those records are stored centrally by commercial SCS operators, creating a high‑value target for data breaches and enabling adversaries to reconstruct mission schedules, device roles, and movement patterns.
To overcome these limitations, the authors propose IU‑GUARD, a privacy‑preserving spectrum coordination framework that eliminates the need for identity disclosure and removes reliance on a fully trusted intermediary. IU‑GUARD leverages two mature cryptographic primitives: Verifiable Credentials (VCs) and Zero‑Knowledge Proofs (ZKPs). A trusted Credential Authority (CA)—typically a federal entity such as the FCC or DoD—issues each IU a VC after offline verification of its real identity and operational attributes (device type, antenna characteristics, authorized frequency range, etc.). The VC is signed with a BBS+ signature, which supports randomization and selective disclosure.
When an IU needs spectrum access, it locally derives a Verifiable Presentation (VP) from its VC. The VP includes a randomized signature and a non‑interactive ZKP that proves two statements without revealing any underlying data: (1) the holder possesses a valid VC issued by the CA, and (2) the requested frequency band lies within the authorized range encoded in the credential. Range proofs are used to demonstrate compliance with the frequency interval while keeping the exact values hidden. The IU also sends a minimal plaintext payload containing request metadata (time, location, requested band). The SCS verifies the VP using the CA’s public key; because the proof is zero‑knowledge and each presentation is freshly randomized, the SCS learns nothing about the IU’s identity and cannot link multiple requests from the same IU.
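The randomize-and-prove step described above, reduced to its smallest building block as an added example (not the paper's prototype code): a fresh Pedersen commitment to one credential attribute plus a Fiat-Shamir Schnorr proof of knowledge of its opening, with the plaintext request metadata hashed into the challenge. It stands in for, and does not implement, the BBS+ signature proof or the range proof; the toy 63-bit group, the generators, the attribute value and the metadata string are constructed assumptions.

```python
import hashlib, secrets

def is_prime(n):
    """Deterministic Miller-Rabin; exact for n < 2**64 with these bases."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Toy group: first safe prime P = 2Q + 1 above 2**62 (far too small for real use).
Q = 2**62 + 1
while not (is_prime(Q) and is_prime(2 * Q + 1)):
    Q += 2
P, G, H = 2 * Q + 1, 4, 9  # squares mod P, so both generate the order-Q subgroup

def challenge(C, T, meta):
    data = f"{C}|{T}|{meta}".encode()  # Fiat-Shamir: metadata is bound to the proof
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def present(attr, meta):
    """IU side: fresh commitment to the hidden attribute plus a proof of its opening."""
    r, k1, k2 = (secrets.randbelow(Q) for _ in range(3))
    C = pow(G, attr, P) * pow(H, r, P) % P   # new blinding r on every request
    T = pow(G, k1, P) * pow(H, k2, P) % P    # Schnorr nonce commitment
    c = challenge(C, T, meta)
    return {"C": C, "T": T, "s1": (k1 + c * attr) % Q, "s2": (k2 + c * r) % Q, "meta": meta}

def verify(vp):
    """SCS side: recompute the challenge from what was received and check the proof."""
    c = challenge(vp["C"], vp["T"], vp["meta"])
    return pow(G, vp["s1"], P) * pow(H, vp["s2"], P) % P == vp["T"] * pow(vp["C"], c, P) % P

ATTR, META = 3650, "t=2025-01-01T00:00Z;loc=grid-17;band=3550-3560MHz"  # constructed sample
```

Two calls to `present(ATTR, META)` yield different commitments that both verify, which is the unlinkability property in miniature, while changing `meta` after the fact makes `verify` fail.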
The system operates in three phases: (1) Credential Issuance – a one‑time offline interaction where the CA validates the IU against DoD records and issues the VC; (2) Anonymous Spectrum Access Request – the IU creates a VP and ZKP, attaches the request metadata, and sends them to the SCS; (3) Authorization and Enforcement – the SCS validates the proof, grants spectrum access, and reallocates lower‑tier users as needed. Security goals are explicitly defined: authentication/authorization (only holders of valid VCs can access spectrum), anonymity (no identity attributes are exposed), and unlinkability (each VP is cryptographically independent, preventing correlation across requests).
A prototype implementation demonstrates practical performance. VP generation takes roughly 3–5 ms per request, verification 2–4 ms, and total message size is about 1.2 KB, far smaller than sensor‑based ESC reports that can be tens of kilobytes. In a simulated 5 GHz CBRS environment, end‑to‑end spectrum allocation latency stays below 10 ms, satisfying real‑time DSS requirements. Compared with prior privacy‑preserving spectrum sharing schemes—p2‑SAS (homomorphic encryption), PeDSS (proxy re‑encryption with differential privacy), Pri‑Share (threshold private set union)—IU‑GUARD achieves comparable privacy guarantees with substantially lower computational overhead and without a centralized trusted broker.
The authors acknowledge that the CA constitutes a single point of trust; compromise of the CA could enable credential forgery. They suggest possible mitigations such as a multi‑CA federation or blockchain‑based decentralized issuance. Additionally, the current design focuses on a single numeric attribute (frequency range). Extending the framework to support multiple attributes (transmit power, antenna orientation, geographic service area) would require composite range proofs and multi‑attribute ZKPs, which is left for future work.
In conclusion, IU‑GUARD provides a viable, standards‑compatible solution for protecting the privacy of high‑security incumbent users in dynamic spectrum sharing. By decoupling identity from spectrum access, it eliminates the privacy risks inherent in IIC while avoiding the deployment cost and security vulnerabilities of ESC. The prototype’s low latency and modest bandwidth consumption make it suitable for immediate integration into existing CBRS‑style SAS deployments, offering a practical path toward secure, privacy‑aware spectrum sharing in both current and upcoming DSS bands.