SHARED SECRET KEY ESTABLISHMENT USING

WIRELESS CHANNEL MEASUREMENTS

by

Jessica Erin Dudley Croft

A dissertation submitted to the faculty ofThe University of Utah

in partial fulfillment of the requirements for the degree of

Doctor of Philosophy

Department of Electrical and Computer Engineering

The University of Utah

July 2011

Copyright c© Jessica Erin Dudley Croft 2011

All Rights Reserved

THE UNIVERSITY OF UTAH GRADUATE SCHOOL

SUPERVISORY COMMITTEE APPROVAL

of a dissertation submitted by

Jessica Erin Dudley Croft

This dissertation has been read by each member of the following supervisory committeeand by majority vote has been found to be satisfactory.

Chair: Neal Patwari

Sneha K. Kasera

Rong-Rong Chen

Cynthia Furse

John Regehr

ACKNOWLEDGEMENTS

Very rarely does a project like this come together based solely upon the work of

the author. Here is where I get to say thank you:

Neal Patwari has put a great deal to time into explanations, editing and encour-

agement. He is unfailingly optimistic and patient and I feel very fortunate to have had

him as an advisor. The SPAN lab he created produces exciting ideas and inventions

and he has fostered a distinctly collegial and collaborative spirit among its members.

I am grateful to have found friends among my colleagues within the SPAN lab: Yang,

Dustin, Piyush, Joey and Merrick.

My parents, Jerry and Diana Croft, gave me a love of learning and a solid place

to rest. They taught me that building or growing or creating something useful can

be a source of great joy and satisfaction. Thank you.

For a hug, or a laugh or a push when I need it, I thank my partner, Todd Bailey.

He listened to me explain the same problem in different ways (some much better

than others) a thousand times in the last few years and never stopped trying to

understand.

ABSTRACT

Secret key establishment (SKE) is a method that allows two users, Alice and

Bob, to obtain shared secret keys using randomness inherent in the wireless channel.

Alice and Bob sample the channel many times, extract bits from those measurements

and then use the bits to encrypt further communications. Even if an eavesdropper,

Eve, were to overhear Alice and Bob measure the channel, she would still have

no knowledge of the secret key because she does not measure the same channel

as Alice and Bob. While the channel is reciprocal and random, measurements of

the channel are temporally correlated and can include non-reciprocities caused by

differing transceiver characteristics and the inability of Alice and Bob to measure the

channel simultaneously. The thesis aims to reduce or remove the non-idealities and

noise of the reciprocal channel measurement process in order to increase secret key

bit rate while maintaining an uncorrelated bit stream.

The first contribution of this thesis addresses correlated received signal strength

(RSS) measurements and differing transceiver characteristics in the context of sensor

nodes. Because typical sensor nodes are constrained both by available energy and

computational power, balancing the decorrelation method with node resources and

changing wireless environments is also addressed. Ranking and fractional delay inter-

polation are used to mitigate non-reciprocities associated with differing transceiver

characteristics and the inability of the two nodes to measure the channel at identical

points in time.

Second, bit extraction is applied to channel impulse response (CIR) measure-

ments. We develop a novel, inexpensive switching system that allows existing single

receiver/single transmitter channel sounding equipment to make bi-directional mea-

surements. With this system it is possible to investigate non-reciprocal interference

and experimentally evaluate bit extraction for CIR that takes advantage of both the

time and spatial diversity of the wireless channel.

Finally, non-uniform sampling caused by non-deterministic packet delay when

sharing a wireless channel with other users is detrimental to bit extraction yet very

common in practical wireless networks, especially for IEEE 802.11-based devices.

Interpolation and regression are used to estimate the reciprocal fading signal given

the non-uniform samples at Alice and Bob and the non-reciprocities caused by non-

simultaneous channel measurements.

iii

CONTENTS

ACKNOWLEDGEMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i

ABSTRACT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ii

LIST OF FIGURES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

LIST OF TABLES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

CHAPTERS

1. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1.1 Three General Extraction Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.2 Channel Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

1.2.0.1 Received Signal Strength . . . . . . . . . . . . . . . . . . . . . . . . . . . 61.2.0.2 Channel Impulse Response . . . . . . . . . . . . . . . . . . . . . . . . . 6

1.3 Adversary Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71.4 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

2. ROBUST UNCORRELATED BIT EXTRACTION METHODOLOGIESFOR WIRELESS SENSORS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

2.1 Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112.2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112.3 Adversary Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142.4 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

2.4.1 Interpolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162.4.2 Ranking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

2.4.2.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172.4.2.2 Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2.4.3 Decorrelation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192.4.4 Quantization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

2.5 Experimental Data Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222.6 Enabling Channel Adaptation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

2.6.1 Previous Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232.6.2 Selection of N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242.6.3 Covariance Matrix and Correlation Coefficient Estimation . . . . . 26

2.7 ARUBE Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292.7.1 Packet Transmissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312.7.2 Computational Complexity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

2.8 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342.9 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

2.10 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

3. BIT EXTRACTION FROM CIR USING A BI-DIRECTIONALRADIO CHANNEL MEASUREMENT SYSTEM . . . . . . . . . . . . . 39

3.1 Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393.2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393.3 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

3.3.1 RF CIR Measurement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433.3.2 Secret Key Establishment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

3.4 Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453.4.1 Power Loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463.4.2 Leakage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463.4.3 System Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473.4.4 Example Realization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

3.5 Bi-Directional CIR Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513.5.1 Software Radio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513.5.2 Measurements Collected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

3.6 Secret Key Extraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553.6.1 Adversary Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563.6.2 Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563.6.3 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603.6.4 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

3.7 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

4. RECIPROCAL FADING SIGNAL ESTIMATIONMETHODS FOR SECRET KEYESTABLISHMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

4.1 Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684.2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684.3 Related Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704.4 Problem Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714.5 Estimation Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

4.5.1 Polynomial Interpolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 734.5.2 Fractional Delay Interpolation . . . . . . . . . . . . . . . . . . . . . . . . . . . 754.5.3 Gaussian Processes Regression . . . . . . . . . . . . . . . . . . . . . . . . . . 76

4.5.3.1 Covariance Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774.5.4 Gaussian Processes Regression with Side Information . . . . . . . . . 78

4.5.4.1 Public Exchange of Side Information . . . . . . . . . . . . . . . . . 794.5.4.2 Setting γ2(i) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

4.6 Experiment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804.6.1 PHY layer and RSS Measurement . . . . . . . . . . . . . . . . . . . . . . . . 804.6.2 Sample Variance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814.6.3 Sampling Non-uniformity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

4.7 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 834.7.1 Performance Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 834.7.2 GPRSI Parameter Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

v

4.7.3 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844.7.4 Filter Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844.7.5 Normalized Root Mean Square Error . . . . . . . . . . . . . . . . . . . . . 854.7.6 Bit Extraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

4.7.6.1 802.15.4 Sensor Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 864.7.6.2 802.11 Smartphones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

4.8 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

5. CONCLUSION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

5.1 Key Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1005.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

vi

LIST OF FIGURES

1.1 Received signal strength measurements taken over time. Alice and Bob’sRSS measurements are correlated. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2.1 ARUBE bit extraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

2.2 Areas of bit agreement and bit disagreement for m(i) = 1. . . . . . . . . . 15

2.3 Spatial correlation vs. Pbd and m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

2.4 t-statistics for max ρzi,zj vs. N for three datasets and the threshold, γ. . 27

2.5 t-statistics for ρz, vs. N for three datasets and the threshold, γ. . . . . . . 27

2.6 Packets sent for channel probing (—¿) and data transfer (- - -¿), com-putation (boxes) at either node, for overhead and bit extraction. . . . . . 30

2.7 Target Pbd vs. secret key bits per sample for ARUBE (black lines) andHRUBE (gray lines), for N ∈ {17, 35}, K ∈ {128, 256}, and D = K

2, for

averages of the best three datasets (-•-), the worst three (-�-), and theremaining 19 (-N-). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

3.1 Redirecting the transmitted and received signals to measure both direc-tions of the radio channel between antennas A1 and A2. . . . . . . . . . . . . 50

3.2 Labeled switch diagram in state 1. The correct path for the signal is{G,I,J,L,F,D,B,A}, however three incorrect paths are possible: directlyfrom transmitter to receiver (-.), {G,H,E,D,B,A}(- -), and {G,I,J,K,C,A}(..). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

3.3 One RF switch. RF common can be connected to either RF 1 of RF 2. 52

3.4 Possible linear ranges of four sets of parameters. Given baseline Ipole =50 dB, Iopen = 45 dB, Lcable = 2 dB, Lswitch = 2 dB and Itr = 111 dB,each plot other than baseline changes one parameter. . . . . . . . . . . . . . . 52

3.5 Known attenuation between junctions F and L plotted against receivedpower. Note that measurements and calculations were made assuminga transmitter frequency of 2.44 GHz. . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

3.6 TX, RX, A1 and A2 locations. The TX and RX are next to oppositewalls of a rectangular room. The two antennas centered between themalong the two remaining walls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

3.7 Bi-directional measurements for two data sets. Plots 3.7(a)and 3.7(c)and show 10 pairs of measurements. Power in dB is relative to transmitpower. The dark plots are measurements from antenna A1 to A2. Thelight plots are measurements from antenna A2 to A1. The time betweeneach measurement was 0.11s. Plots 3.7(b) and 3.7(d) show the meanand the mean plus and minus the standard deviation of 175 pairs ofmeasurements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

3.8 Example bi-directional measurements in the frequency domain for (a)dataset A and (b) dataset B. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

3.9 (a) When interference source is off, subsequent CIR measurements be-tween A2 to A1 (tn = 37.4s) and from A1 to A2 (tn = 37.51s) arenearly identical. (b) When interference source is on, CIR measurementsbetween A2 to A1 (tn = 48.84s) are unchanged while those from A1 toA2 (tn = 48.95s) show interference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

3.10 Secret key bit extraction from CIR measurements involves synchroniza-tion (phase and time delay), interpolation (using fractional delay filtersc), decorrelation (across time delay τ and time t), and quantization(using multi-bit adaptive quantization). . . . . . . . . . . . . . . . . . . . . . . . . . 63

3.11 Two CIR measurements made by Alice and Bob. Aligning the indicesof the dominant multipath does not always align the signals. . . . . . . . . 64

3.12 CIR measurements showing the random rotation which must be removedbefore bits can be extracted. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

3.13 (a) Number of bits extracted per measurement from |H| for various Pbd(b) Number of bits extracted per measurement from ∠H. . . . . . . . . . . . 65

3.14 Number of bits extracted per RSS measurement for various Pbd . . . . . . 66

4.1 Diagram shows placement of Alice’s (�) and Bob’s (©) measurementsat times tc with the placement of interpolated values t∗ (‖). (a) Fractiondelay interpolation interpolates a value half way between Alice’s andBob measurements if the sample period is constant. (b) With non-uniform measurements fractional delay interpolation results in unalignedinterpolated time instants. (c) Polynomial interpolation and Gaussianprocesses regression are able to interpolate measurements at identicaltime instants. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

4.2 Distribution of measured RSSI values for datasets collected (a) by 802.15.4based devices and (b) 802.11 based devices. The sample variance, σ2

w

for (a) is larger than that of the measurements of (b). . . . . . . . . . . . . . . 89

4.3 Distribution of sample periods for (a) two datasets made with 802.15.4based wireless sensors and (b) two datasets from 802.11 based devices. . 90

4.4 NRMSE between ya and yb for GPRSI with different values for Pa andPd. Overall, GPRSI for 802.11 RSS measurements performs best withPa ≈ 0.5 and Pd ≈ 15. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

viii

4.5 (a) Fractional delay interpolation used to estimate the reciprocal fadingchannel from non-uniformly sampled RSS measurements made by two802.11 devices. (b) Polynomial interpolation. (c) Gaussian processesregression. Solid lines are the estimated signal yc(t∗), dotted lines arethe RSS measurements wc. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

4.6 Filter response for (a) fractional delay interpolation, (b) polynomialinterpolation and (c) Gaussian processes regression at interpolated timeinstant t∗(i) = 0.60. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

4.7 (a) Polynomial interpolation used to estimate the reciprocal fading sig-nal for 802.11 RSS measurements (b) Estimation using GPRSI. Rootmean square error (RMSE) for the displayed data is (a)0.627 and (b)0.222. 95

4.8 Normalized root mean square error (NRMSE) for error between theoriginal measurements at Alice, wa, and Bob, wb and error betweenthe estimations of the reciprocal fading signal using polynomial inter-polation (PI), fractional delay interpolation (FDI), Gaussian processesregression (GPR) and Gaussian processes regression with side informa-tion (GPRSI) for (a) 11 802.11 datasets and (b) 20 802.15.4 datasets . . 96

4.9 Plot of NRMSE as the probability of dropping a packet, p, increases forFDI (- -), GPR (..) and GPRSI (–), then plotting the average of the topseven datasets (?), middle six datasets (•) and bottom seven datasets(I) with respect to NRMSE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

4.10 Comparison of PI, FDI and GPR with (a) highest, (b) middle and (c)lowest sample variance σ2

w. GPR is an improvement over FDI only atlower sample variances. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

4.11 Bits extracted per second vs. probability of bit disagreement (Pbd) for 13datasets. Data processed using GPR (..), GPRSI ( - ) or FDI ( - - ) thenplotting the average of the top four datasets (?), middle five datasets (•)and bottom four datasets (I) with respect to bits extracted per second.(a) Compares GPR and GPRSI (b) Compares FDI and GPRSI . . . . . . 99

ix

LIST OF TABLES

2.1 m = 1 bit MAQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

2.2 t-statistics by method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

2.3 Number of Packets Transmitted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

2.4 Computational Complexity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

2.5 Bits per sample–Mathur et al. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

2.6 Average and Minimum Entropy Rates. . . . . . . . . . . . . . . . . . . . . . . . . . 38

2.7 Percentage of bits Eve gets correct. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

3.1 Switching System Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

3.2 NIST p-values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

3.3 Bits per Sample Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

4.1 Datasets of decreasing sample variance . . . . . . . . . . . . . . . . . . . . . . . . . 88

CHAPTER 1

INTRODUCTION

Secret key establishment (SKE) is a method that allows two users, Alice and

Bob, to obtain shared secret keys using randomness inherent in the wireless channel

between them without an eavesdropper being able to obtain the key. Because the

radio channel between Alice and Bob is reciprocal and varies randomly over space

and time, Alice and Bob are able to measure some characteristic of the wireless

channel many times then extract bits from those measurements to create matching

secret keys. Even if a passive eavesdropper, Eve, were listening to Alice and Bob make

measurements of the channel, she would be unable to measure the same channel as

Alice and Bob and unable to create a matching secret key.

Interest in SKE as an alternate method to ensure data privacy is due in part

to perceived weaknesses in traditional public key cryptography which relies on as-

sumptions about the computational strength of an attacker. One of the advantages

of shared secret keys extracted from channel measurements is that such keys offer

the possibility of information theoretic security as long as it is possible to obtain

more bits in the secret key than there is information to send [64]. Such keys are

considered secure even if an adversary is in possession of a computer with unbounded

computing power [12] while keys created using traditional cryptographic methods,

such as Diffie-Hellman key exchange, are considered secure only if the adversary has

bounded computing power. This is the same impetus driving research in quantum

cryptography, but because channel measurement methods are much less expensive,

bit extraction is currently possible with common consumer wireless devices.

Shared secret keys from channel measurements could also have advantages for

resource constrained sensor nodes. Various methods of adapting traditional cryp-

tography to sensor nodes have included predistribution of shared keys [13],[41] to

2

adapt to sensor node’s typical constrained power and exploration of elliptical curve

cryptography [44] to adapt to a small storage area and limited computational power.

Given that secret keys from channel measurements are cryptographically stronger

than traditional methods, they might require less on-node storage space. For instance

112-bit key extracted from channel measurements is equivalent in cryptographic

strength to a 2048-bit Diffie-Hellman key [39]. In addition, some SKE methods are

less computationally complex than traditional cryptographic methods.

Given these reasons for proceeding, SKE faces it’s own challenges and require-

ments. First, the radio channel must be changing. SKE would not work in a static

free-space environment since it depends upon the presence of multipath fading as

the source for randomness in the shared secret keys. This is counterintuitive since for

most wireless communication applications fading is detrimental. Also, in an otherwise

static channel, an attacker would be able to induce motion into the channel and

thereby gain knowledge about the secret key

The second major challenge is that while the wireless channel is reciprocal, mea-

surements of the channel include non-reciprocities from many sources including:

• interference

• thermal noise

• quantization noise

• differing transceiver characteristics

• time-division duplex (TDD) sampling

Many of these non-reciprocities can be seen in Figure 1.1. Because the channel is

TDD, Alice and Bob are unable to sample the channel simultaneously and instead

must take turns. During the time spent waiting to sample the channel can change

resulting in differing measurements at Alice and Bob. Quantization noise is also a

source of non-reciprocities. The devices used to measure RSS in Figure 1.1 quantize

1 dBm to 1 RSSI and while the major features of the fading signal are captured,

3

many smaller features are not. In addition, while an effort is made on the part

of the hardware manufacturer to ensure 1 dBm is always quantized to 1 RSSI, some

quantization bins are larger than others. Even with identical hardware, as was the case

in Figure 1.1, differences in transceiver hardware are common. On average, Alice’s

RSS measurements, always report just slightly less received power than Bob’s mea-

surements. In practical applications, identical hardware cannot be assumed. These

non-reciprocities have been addressed by a number of signal processing techniques

including windowed filters [45, 71], interpolation [53], ranking [20] and Gaussian

processes regression.

Thirdly there are requirements about the characteristics of the secret key itself.

Ideally the extracted bits would have a high entropy rate, no disagreement between

the bits extracted at Alice and the bits extracted at Bob and because sampling the

channel requires a packet to be transmitted, it is advantageous to be able to extract

a large number of bits from each sample especially for energy poor devices. Also,

in the context of information theoretic security every bit of information requires one

secret key bit.

The high entropy rate requirement is a heuristic for randomness. At minimum,

the bits in the secret key need to be independent, but as shown in Figure 1.1, the

measurements are temporally correlated. One way to ensure independence is to

increase the sampling period, but this in many cases increases the time required

to create a secret key. Another method is to decorrelate the measurements before

extracting bits. While a high entropy is required to ensure a random key, it is not

sufficient. The National Institute of Standards (NIST) has published a series of

probabilistic tests [60] which can be used to verify the randomness of shared secret

keys.

It is difficult to have both a low probability of bit disagreement and a high bit

extraction rate. Both of these factors influence the time required to perform SKE and

the number of packets that must be transmitted. In order for encryption/decryption

to work, the bits in the shared secret key at Alice and Bob must match perfectly. In

the event that they do not, information reconciliation is performed where Alice and

4

Bob exchange information publicly to correct disagreements [11]. As the probability

of bit disagreement increases, more information is leaked to an eavesdropper, Eve.

Removing non-reciprocities before bits are extracted from the measurements can

increase the number of bits that can be extracted while lowering the probability

of bit disagreement.

How these requirements and challenges and the resources needed to meet them

are balanced is unique to each bit extraction method. In the remainder of this

introduction I briefly describe three bit extraction approaches and explain how the

wireless channel is measured for bit extraction. I will then list describe the adversary

model before listing my own contributions and the structure of the dissertation.

1.1 Three General Extraction Methods

The simplest and least computationally complex bit extraction methods quantize

the measured channel characteristic into two bins, one bin for values less than the

mean and one bin for values greater than the mean, and then assign a 1 or a 0 to

each measurement based upon the bin it falls in. While this is easy to implement, the

trade-off is very low entropy. Modifications have been made that create high entropy

keys, at the cost of a low bit extraction rate[45]. These methods aim to have no bit

disagreement.

A second general method [53] uses the Karhunen–Loeve transform (KLT) to

remove the correlation between measurements before extracting a secret key. The

number of bits extracted from each measurement is determined by a target percent of

disagreeing bits and the correlation between Alice’s and Bob’s measurements. While

this method is significantly more computationally complex than the first, by allowing

a certain number of bits to disagree many more bits can be extracted. The bit

disagreement is rectified in a later information reconciliation step such as Cascade

[11]. This second general method has the advantage of a tunable probability of

bit disagreement and high entropy secret keys at the cost of higher computational

complexity.

The third general method is composed of three steps: advantage distillation,

5

information reconciliation, and privacy amplification [9],[8]. Advantage distillation is

another way to say that the two nodes sample some characteristic of the channel that

is known to them, but not an adversary. This is identical to what the first two general

methods do, but while the second method removes correlation between bits before

quantization, this general method quantizes and performs information reconciliation

before addressing the correlation between bits. The privacy amplification step is

then used to ensure the key has a high entropy. Reported rates of extraction using

this method are nearly 1 bits per sample for 802.11 based devices [30]. One of the

disadvantages is that since the percentage of bit disagreements is not tunable, the

information reconciliation step can be expensive in terms the amount of information

potentially revealed to an eavesdropper.

1.2 Channel Measurements

The channel can be viewed as a reciprocal filter that varies over time and space.

In general more information collected about the channel means a larger number of

bits can be extracted, but some measurements require more time to take or the

measurement equipment is expensive. Regardless of the equipment or measured

statistic, however, all of these measurements are time-division duplex (TDD). To

measure any characteristic, Alice must transmit to Bob who measures the channel

and then transmits to Alice who also measures the channel. During the time be-

tween measurements, the channel has changed introducing non-reciprocities into the

measurements.

Since Hershey first proposed the idea of bit extraction for shared secret keys in

[28], a large number of channel measurement types have been explored including

angle of arrival [6], phase [28] [61] and received signal strength [45] [30] [53],[74],[56]

which can include signal envelopes [7] [71] and level crossings [45]. In addition to

these one-dimensional measurements, channel impulse response (CIR) has also been

explored as a source for shared secret keys [79], [26], [75], [18].

6

1.2.0.1 Received Signal Strength

Received signal strength (RSS) is by far the most commonly measured channel

characteristic because RSS measurement capability is built in to most consumer

wireless devices such as smartphones and laptops. Academic research has also focused

on RSS bit extraction using 802.15.4 based sensor nodes [2, 56, 53, 20] due to the

ease of access to wireless parameters. Hardware in the transceiver measures received

power which is the squared magnitude of the complex baseband power. RSS, then, is

the average received power over a single packet that is then converted to an integer

number or RSS integer (RSSI). The conversion from the RSS measurement which

is commonly in decibels (dB) varies depending up on the radio hardware. Often an

increase in 1 dBm with respect to the mean received power corresponds to an increase

of 1 RSSI.

Not all RSS measurements are created equal in terms of the number of bits it is

possible to extract. A wider channel bandwidth has a detrimental effect on the bit

extraction rate. For instance, in IEEE 802.11 based devices, the RSS is calculated

for a signal over a bandwidth 4 times as wide as IEEE 802.15.4 based devices, so the

channel gain is not as affected by narrowband fading. This reduces the number of

bits it is possible to extract. Similarly, devices operating at higher frequencies are

more susceptible to narrowband fading so the higher the frequency the more bits can

be extracted all other parameters being equal.

Because RSS is an average of magnitude it does not provide any information about

the phase of the signal nor about the individual multipath components. While RSS

measurements are one-dimensional, they have been used them as part of a MIMO-like

bit extraction algorithm using many cooperating nodes [56].

1.2.0.2 Channel Impulse Response

Another channel statistic used for shared secret keys is channel impulse response

(CIR). Unlike RSS, CIR provides information about the magnitude, phase and arrival

time of each multipath component. As such, many more bits can be extracted

from each measurement. Simulated (CIR) measurements have been studied for use

7

with SKE [42, 75, 78, 73, 72]. Given the expense of the measurement equipment,

however, very few truly bi-directional experiments have been conducted. Rather,

many researchers use uni-directional measurements by making a CIR measurement

in one direction and then swapping the position of the transmitter and receiver before

making the second measurement in the reverse direction [79], [26], [75]. While this

captures the spatial features for bit extraction, any time-related diversity in the

channel is treated as noise. This is a very large compromise because in real-world

situations the channel is changing over time and it would be greatly advantageous to

use that randomness in the secret key.

1.3 Adversary Model

The adversary model is very similar across SKE methods. First, we assume that

there is a passive attacker, Eve, who is able to overhear legitimate users, Alice and

Bob, making measurement of the channel between themselves. Eve is able to measure

the channel between herself and Bob and measure the channel between herself and

Alice, but is otherwise unable to interfere. Eve cannot jam the channel nor can

she impersonate a legitimate user. Furthermore, Eve must be at least one half

wavelength away from Alice and Bob. At 2.4 Ghz one wavelength is 12.5 cm. We

assume that Eve has knowledge of the bit extraction method in use, any parameters

used in the bit extraction method and that Eve can obtain any information publicly

exchanged between Alice and Bob. This adversary model is very similar to that used

in Diffie-Hellman key agreement in that neither Diffie-Hellman nor SKE natively offer

authentication.

1.4 Contributions

This research aims to reduce or remove the non-idealities and noise of the re-

ciprocal channel measurement process in order to increase secret key bit rate while

maintaining an uncorrelated bit stream. The following publications have resulted:

8

J. Croft, N. Patwari, and S.K. Kasera. Robust uncorrelated bit extraction

methodologies for wireless sensors. In Proceedings of the 9th ACM/IEEE

International Conference on Information Processing in Sensor Networks,

pages 70–81. ACM, 2010.

J. Croft and N. Patwari. Bit extraction from CIR using a bi-directional

radio channel measurement system. IEEE Transactions on Mobile Com-

puting, 2010. (submitted).

J. Croft and N. Patwari. Estimation methods for bit extraction. IEEE

Transactions on Mobile Computing, 2011. (to be submitted).

J. Croft, N. Patwari, and S.K. Kasera. Demonstration abstract: Bit

extraction from received signal strength, 2010.

N. Patwari, J. Croft, S. Jana, and S.K. Kasera. High rate uncorrelated bit

extraction for shared secret key generation from channel measurements.

IEEE Transactions on Mobile Computing, pages 17–30, 2009.

The structure of this dissertation is as follows: Chapter 2 explores mitigation of

non-reciprocities associated with differing hardware characteristics and how to adapt

bit extraction to changing wireless environments. The cost of bit extraction is found

in terms of computational complexity and the total number of packets exchanged

for a given key length. This method is applied to RSS measurements taken with

802.15.4-based sensor nodes. This method improved the bit extraction rate by 25 to

60% compared to a previous bit extraction method.

Chapter 3 applies bit extraction to channel impulse response (CIR) measurements.

In order to obtain bi-directional CIR measurements an inexpensive novel switching

system was designed to allow existing single transmitter/single receiver hardware

to make bi-directional measurements. A description and analysis of the system is

included so that similar systems can be built. A new algorithm for CIR bit extraction

is described and applied to the bi-directional CIR measurements.

9

Chapter 4 addresses problems found during the demonstration [19] of bit extrac-

tion in a very busy wireless environment using 802.11 devices. Ideal conditions for

bit extraction ie. two users uniformly sampling a quickly varying channel, cannot

be assumed. An estimation method using Gaussian processes regression with public

discussion was found to improve the number of bits extracted by up to 50% in adverse

conditions for 802.11 RSS measurements.

Chapter 5 forms the conclusion and presents avenues for future research into

shared secret keys from wireless channel measurements.

10

10.8 10.9 11.0 11.1 11.2 11.3 11.4 11.5 11.6

time (s)

−15

−10

−5

0

5

10

15

RSSI

Alice

Bob

Eve

Figure 1.1. Received signal strength measurements taken over time. Alice and Bob’sRSS measurements are correlated.

CHAPTER 2

ROBUST UNCORRELATED BIT

EXTRACTION METHODOLOGIES FOR

WIRELESS SENSORS

2.1 Abstract

This paper presents novel methodologies which allow robust secret key extraction

from radio channel measurements which suffer from real-world non-reciprocities and

a priori unknown fading statistics. These methodologies have low computational

complexity, automatically adapt to differences in transmitter and receiver hardware,

fading distribution and temporal correlations of the fading signal to produce secret

keys with uncorrelated bits. Moreover, the introduced method produces secret key

bits at a higher rate than has previously been reported. We validate the method

using extensive measurements between TelosB wireless sensors.

2.2 Introduction

For many applications of wireless sensor networks, data privacy is a key require-

ment. Since sensor nodes may be collecting private data, for example, in patient

health monitoring networks, users must have guarantees of privacy. Without data

privacy, patients will not be willing to participate and hospitals will not be in com-

pliance with confidentiality regulations. However, because of the limited energy and

computational resources of sensor nodes, realistic methods for secure authentication

and privacy face special challenges. 1

1This chapter first appeared as J. Croft, N. Patwari, and S.K. Kasera. ”Robust uncorrelated bitextraction methodologies for wireless sensors” In Proceedings of the 9th ACM/IEEE InternationalConference of Information Processing in Sensor Networks. ACM, 2010.

12

To meet the critical need for secure communications, existing research has devel-

oped methods to address these multiple challenges. Existing work uses predistributed

shared secret keys and public key methods adapted for use on resource constrained

sensor nodes. Various methods of probabilistic predistribution [13] [41] have balanced

security and limited on-device storage space. Public key methods have used elliptic

curve cryptography [44] to create public keys within sensor node resources.

Unlike traditional cryptography methods, we address the problem of secret key

establishment between two wireless sensor nodes for secure communication using the

time and space variations in the time-division duplex channel. The radio channel

offers a unique opportunity to build alternate robust security solutions in a resource

efficient manner. A key generated from radio channel characteristics [6] [30] [61]

reflects the uniqueness of the time and space in which it was created. Two nodes,

Alice and Bob, are able to measure a characteristic of the channel between them,

each generates a key from those measurements, and then uses that key to encrypt

further communications. Even if Eve, an attacker, were able to overhear legitimate

users Alice and Bob during the collection of channel measurements, Eve would be

unable to duplicate the key because she would not have measured the same channel

as that between Alice and Bob.

Using temporal and spatial variation in channel characteristics for secret key

establishment is not a new idea. Key generation from channel characteristics was first

described in [28]. Since then several existing efforts including our own have designed

and evaluated bit extraction schemes using many different channel characteristics.

Some of these characteristics are angle of arrival [6], phase [28] [61], received signal

strength [45] [30] [53], signal envelopes [7] [71] and level crossings [45]. Of these,

received signal strength (RSS), or channel gain, is most commonly available because

of the low device cost and the requirement for inexpensive sensor nodes. To keep the

cost low and to be able to use off-the-shelf hardware, we also use RSS in this paper.

Unfortunately, existing methods have significant problems achieving high bit gen-

eration rates when required to achieve (1) a low probability of bit disagreement and

(2) uncorrelated bits. Existing methods sacrifice bit generation rate to achieve low

13

bit disagreement rates. A low bit generation rate leads to high energy consumption

as nodes repeatedly probe the channel to extract sufficient bits. This severely limits

the lifetime of the node. The high rate uncorrelated bit extraction (HRUBE) method

can achieve a high rate of uncorrelated bits with a reliably low probability of bit

disagreement. However, it requires precise knowledge of the distribution and the

temporal statistics of the radio channel. Sensor nodes are deployed in a wide variety

of environments so such a priori knowledge is unrealistic. Further, if statistical

assumptions are made that are incorrect, the benefits of the method are lost.

Here we present a method which comprehensively addresses these limitations.

Our scheme implements a ranking method to remove the non-reciprocities that are

inevitable as a result of wireless sensors having differing transceiver hardware charac-

teristics. Ranking is more robust because even when the measured values at different

nodes are of a different scale, the order of the measurements will be the same. For

example, the method avoids the disagreements caused by differing transmit powers

and RSSI circuit variations. Even in identical hardware, variations of scale exist,

and with different hardware, differences will be greater. Ranking also makes the bit

extraction process independent of fading distribution. Further, we test and develop

protocols which adaptively determine the covariance structure of the measured data

in order to reliably extract high entropy rate secret keys with a tunable probability

of bit disagreement.

We experimentally test our method using TelosB wireless motes. We evaluate

and compare schemes using data collected in three different environments in 25 data

sets, totaling 450,000 RSS samples. The extensive data collection allows accurate

characterization of important figures of merit, including extracted bits per sample

and entropy rate. While the design of a robust and practical scheme is the main

objective of this work, we also find that our scheme improves the rate at which

secret bits can be extracted. The tested method can extract 40 bits per second at

a probability of bit disagreement of 0.04. Compared to the HRUBE bit extraction

method, this method is more robust to differences in hardware, adapts to the channel

environment, can be implemented on a wireless mote and produces 30% more bits per

14

sample. The tested method produces the highest secret key extraction rate reported

to date.

The rest of this paper is organized as follows. Section 2.3 lays out the adversary

model used in this paper. In Section 2.4 we will describe the Ranking HRUBE

method. Section 2.5 describes our data collection process. In Sections 2.6 and 2.7 we

address issues related to implementation on wireless sensors. Sections 2.8 and 2.9

contain a summary and discussion of our findings. Section 2.10 forms a conclusion.

2.3 Adversary Model

We assume that the adversary, Eve, can listen to all the communication between

Alice and Bob. Eve can also measure both the channels between herself and Alice and

between herself and Bob at the same time when Alice and Bob measure the channel

between them for key extraction. We assume that Eve is more than a few wavelengths

away from Alice or Bob. We also assume that Eve knows the key extraction algorithm

and the values of the parameters used in the algorithm. We assume that Eve cannot

jam the communication channel between Alice and Bob. We also assume that Eve

cannot cause a man-in-the-middle attack, i.e., our methodology does not authenticate

Alice or Bob. In this aspect, the technique of key extraction from RSS is comparable

with classical key establishment techniques such as Diffie-Hellman [22], which also

use message exchanges to establish keys and do not authenticate Alice or Bob.

2.4 Methodology

Key extraction benefits from the reciprocity of the channel gain (or loss) between

two antennas and the fluctuations of the channel gain in a non-static channel. In a

reciprocal channel, the multipath properties including gain, phase shifts and delays

are identical in both directions of a link at any point in time. However, successful key

extraction must account for the sources of non-reciprocities present in measurements

of the channel gain, such as additive noise, and differences in hardware. These non-

reciprocities are the source of bit disagreement, i.e. bits that do not match between

the two generated keys. In addition, a good key has uncorrelated bits, despite the

fact that fading is a temporally-correlated random process. The adaptive ranking-

15

Figure 2.1. ARUBE bit extraction

Figure 2.2. Areas of bit agreement and bit disagreement for m(i) = 1.

0.9990.990.9

10−3

10−2

10−1

Correlation Coefficient ρ

Pro

babili

ty o

f B

it D

isagre

em

ent

m=4

m=3

m=2

m=1

Figure 2.3. Spatial correlation vs. Pbd and m

16

based uncorrelated bit extraction (ARUBE) method uses four tools to address these

challenges:

1. Interpolation removes non-reciprocities caused by the half-duplex nature of the

channel.

2. Ranking reduces non-reciprocities caused by differing hardware characteristics

and outputs data with an a priori known distribution.

3. Decorrelation removes temporal correlation from the RSS fading signal.

4. Quantization extracts bits from interpolated, ranked and decorrelated RSS

measurements.

A block diagram is shown in Figure 2.1. We expand upon these steps in the following

sections.

2.4.1 Interpolation

The half-duplex nature of the PHY layer (e.g., in 802.15.4) means that Alice and

Bob are unable to simultaneously measure the channel gain. To compensate we use

a finite impulse response (FIR) fractional delay filter, which interpolates to obtain

an estimate of the channel gains in both directions of the link at a single point in

time. The fractional delay between the ith measurement by Alice, wa(i), and the ith

measurement made by Bob, wb(i), is,

µ =1

2

[τb(i)− τa(i)

T

](2.1)

where τb(i) and τa(i) are the arrival times of the ith packet at Bob and Alice respec-

tively.

We implement two fractional delay filters, one each at Alice and Bob. W.l.o.g. we

assume that τa(i) < τb(i) so that µ > 0. If we interpolate points in wa so that the ith

sample is delayed by (1 + µ)T and interpolate points in wb so that the ith sample is

17

delayed by (1−µ)T , we would have nearly simultaneous measurements. These delays

can be broken down into fractional, µ, and integer, n, delays. At each node:

µa = µ µb = 1− µ na = 1 nb = 0 (2.2)

We implement the cubic Farrow filter [24]. For c ∈ {a, b}:

hc =[µ3c/6− µc/6,−µ3

c/2 + µ2c/2 + µc,

µ3c/2− µ2

c + 1,−µ3c/6 + µ2

c/2− µc/3]T

The filtered signal, xc, becomes the input to the next step in the bit extraction

process.

2.4.2 Ranking

Ranking is used to remove the differences in the unknown transmitter and receiver

characteristics which differ between the two directions. As its output ranking also

produces values with a uniform distribution.

2.4.2.1 Motivation

As we note above, the channel gain is reciprocal, but each receiver actually

measures RSSI, a voltage in the receiver IC. The RSSI has an affine relationship

with channel gain, denoted CG,

RSSI = c1CG + co (2.3)

and c1, c0 ∈ R depend on the two nodes. The parameter c0 will vary due to differing

transmit powers or differing battery voltages at the two nodes. Both c0 and c1 vary

because the devices use different hardware or because manufacturing differences in

identical hardware [52].

The device parameters c0 and c1 can be considered to be constant over the short

periods time required to generate a secret key from the channel (tens of seconds).

If the channel gain is reciprocal and the RSSI is given by (2.3), ranking will recover

identical signals.

18

The ranking process also homogenizes the output distribution. As will be dis-

cussed in Section 2.4.4, it is required to know the distribution of the data input

into the quantizer. Ranking does not provide a uniform distribution as input to the

quantizer because decorrelation is performed in between ranking and quantization;

however, ranking does eliminate the changes that would occur based on the particular

environment. For example, narrowband fading statistics may be Ricean, Rayleigh,

or Weibull distributed [27], however, the distribution of the output of the ranking

operation will remain uniform.

2.4.2.2 Algorithm

Next, we describe how to perform ranking for the ARUBE method. In short,

we take each segment of K values from the continuous-valued, interpolated channel

measurements and output discrete-valued numbers which indicate their order within

the group of K. We also use a set of known “dummy values” to increase the

randomness of the output of the ranking. However, for introductory purposes, we

first introduce ranking without dummy values, and then define the process of ranking

with dummy values.

The input to the ranking operation are theK-length sub-vectors x(t)c , for c ∈ {a, b}.

By sub-vectors, we mean that channel interpolated channel measurements, {xc(i)}i,

are input to a serial-to-parallel converter that outputs sub-vectors of length K, which

we denote xc(t). Specifically,

x(t)c = [xc((t− 1)K + 1), . . . , xc(tK)]T (2.4)

Ranking is a function R : Zk → KK0 , where K0 is a set of finite size with minimum

1 and maximum K. When there are no “ties” in input data, K0 = {1, . . . , K}, and

xc(t) is ranked such that the jth element of the tth ranked sub-vector is

r(t)c (j) = |{k : x(t)c (j) > x(t)c (k)}|+ 1

+1

2|{k 6= j : x(t)c (j) = x(t)c (k)}|

When there are no ties in the input data, r(t)c (j) is simply the order of x

(t)c (j) in a

sorted list of x(t)c . When there are ties, the value of r

(t)c (j) is the average of the order

19

of the tied values in the sorted list. For example, for K = 5 and this particular xc,

the vector rc would be output from the ranking method,

xc(i)i = [13, 11, 10, 14, 11︸ ︷︷ ︸x

(1)c

, 12, 16, 17, 19, 15︸ ︷︷ ︸x

(2)c

, 18, 17]

rc(i)i = [4, 2.5, 1, 5, 2.5︸ ︷︷ ︸r(1)c

, 1, 3, 4, 5, 2︸ ︷︷ ︸r(2)c

](2.5)

If the number of input values of {xc(i)}i cannot be evenly divided by K, the left over

values are not used.

Next we describe the introduction of “dummy values” to add randomness to the

output of our ranking method. Ranking the measurements directly introduces non-

randomness that could possibly be exploited by an attacker. If the first K − k

measurements are known or guessed, for k � K, it would be less difficult to accurately

determine the ranks of the remaining k measurements. To avoid this problem, we

introduce D dummy values into the input stream. The ranking with dummy values

is a function R : Zk → KKD , where KD is a set of finite size with minimum 1 and

maximum K +D. When there are no ties in input data, KD = {1, . . . , K +D}.

In the ARUBE method, we determine D dummy values from D evenly spaced

quantiles of the distribution of {xc(i)}i. Specifically, we use F−1xc

(n−0.5D

)for n =

1, . . . , D, where Fxc (x) is the cumulative distribution function (CDF) of xc. Note

that values are found independently at each node c ∈ {a, b}.

The jth element of the tth ranked sub-vector, r(t)c , becomes,

r(t)c (j) = |{k : x(t)c (j) > d(t)c (k)}|+ 1

+1

2|{k 6= j : x(t)c (j) = d(t)c (k)}|

where

d(t)c =

[x(t)c

T, F−1xc

(0.5

D

), . . . , F−1xc

(D − 0.5

D

)]T(2.6)

2.4.3 Decorrelation

Adjacent channel measurements in rc are correlated. In this paper we use the

discrete Karhunen-Loeve transform (KLT) to convert the measured, interpolated,

20

ranked channel measurements in ra and rb into uncorrelated components. Given

the covariance matrix of correlated data the KLT looks for an orthogonal basis that

decorrelates the data. If the data is Gaussian, the decorrelated data will also be

independent.

Assume that the input vector at node c ∈ {a, b}, rc, has mean µc, covariance ma-

trix Rr and length N . The singular value decomposition (SVD) of Rr can be written,

Rr = USUT , where U is the matrix of eigenvectors, and S = diag{σ21, ..., σ

2N}, is a

diagonal matrix of the corresponding eigenvalues. We assume that the eigenvectors

have been sorted in order of decreasing eigenvalue, so that σ21 ≥ σ2

2 ≥ ... ≥ σ2N ≥ 0.

Note that UTU = IN , where IN is the N × N identity matrix. The discrete KLT

calculates yc as

yc = UT (rc − µc). (2.7)

It can be shown that Ry, the covariance matrix of yc is equal to S. Because S is

diagonal, yc has uncorrelated elements.

In Section 2.6 we discuss the online determination of Rr and the setting of

parameter N .

2.4.4 Quantization

There is a tradeoff between the probability of bit disagreement, Pbd, and the

number of bits generated. Multi-bit adaptive quantization [53] (MAQ) achieves a

high rate of bits per sample for a desired Pbd.

W.l.o.g. we choose Alice to be the ‘leader’ and Bob to be the ‘follower’. We first

quantize ya(i) into one of J , 2mi+2 = 4× 2mi equally likely quantization levels. We

determine the quantization levels based on the CDF of ya(i), Fi(y) = P [ya(i) ≤ y].

The thresholds, ηj, are calculated as,

ηj = F−1i

(j

4× 2mi

), for j = 1, . . . , J − 1. (2.8)

and η0 = −∞ and ηJ =∞.

21

The quantization bins are then defined by the thresholds. The jth quantization

bin is the interval (ηj−1, ηj) for j = 1, . . . , J , so j(i) is given by

j(i) = maxj

[j : ya(i) > ηj−1] (2.9)

Next, we define the following binary variables:

• Define e(j), for j = 1, . . . , J as

e(j) =

{1, (j mod 4) ≥ 20, otherwise

(2.10)

• Create a Gray codeword with mi bits, that is, an ordered list of 2mi possible

mi-bit codewords.

• Let f1(j) = b j−14c. Define d1(j) ∈ {0, 1}mi to be equal to the f1(j)th Gray

codeword.

• Let f0(j) = b j+1 mod J4

c. Define d0(j) ∈ {0, 1}mi to be equal to the f0(j)th Gray

codeword.

These variables are shown in Table 2.1 for m(i) = 1.

Multi-bit adaptive quantization proceeds as follows. The leader node, Alice in

this case, quantizes ya(i) in the correct quantization k(i) for all components i. Alice

then transmits the bit vector e = [e(j(1)), . . . e(j(N))]T to the follower node, Bob.

Both nodes encode their secret key using codeword d0 when e = 0, and codeword d1

when e = 1. Specifically the secret key for node c is

zc = [de(j(1))(j(1)), . . . , de(j(N))(j(N))] (2.11)

where j(i) is given in Eq. 2.9. Figure 2.2 shows a graphic representation of the

m(i) = 1-bit case.

The Pbd in MAQ is related to the correlation coefficient between components and

the number of bits extracted from each decorrelated component, ya(i). The correlation

22

coefficient of the ith component, denoted ρi, can be determined from the covariance

matrix of the decorrelated components.

ρi =

√[Ry]i,iσ2i

(2.12)

From the areas of bit disagreement in Figure 2.2, the analytical approximation of bit

disagreement rate vs. correlation coefficient in Figure 2.3 is derived [53].

The greater the correlation between components the more bits that can be ex-

tracted or the lower the percentage of bit disagreement. The total number of bits ex-

tracted from each group of decorrelated measurements, yc is denoted M =∑N

i=1m(i).

2.5 Experimental Data Collection

For purposes of evaluation, we implement three wireless sensors capable of col-

lecting RSS measurements. The TelosB mote is a low power wireless sensor module

equipped with an IEEE 802.15.4 compliant RF transceiver (the TI CC2420), built-in

antenna and a micro-controller.

TinyOS/NesC software is written for the TelosB motes for measurement and

communication. Nodes Alice (a) and Bob (b) take turns transmitting probing packets.

Each probing packet contains a counter value and a unique node id number. When

node c ∈ {a, b} receives the ith packet, it (1) obtains the RSS of the packet, wc,i; (2)

stores the received counter value i and the RSS value wc,i; (3) increments its local

counter value and (4) builds a new data packet containing the new counter value and

its own node ID and sends it over the radio to node c where c ∈ {a, b} and c 6= c.

The packet transmission rate of the device, and thus the RSS sampling rate, is 50

per second. The third node, Eve, designated the attacker node, overhears all of the

packets being transmitted between the other two nodes, estimates the RSS of each

packet and stores the data. Eve’s TelosB mote does not transmit any packets. Data

is collected on a laptop to enable arbitrary application of the RSS measurements in

secret key establishment.

We collected 25 datasets with a total of 443, 600 samples. Most datasets had

between 10,000 and 20,000 RSS samples while a few datasets had more than 50,000

23

or less than 5,000. At 50 samples per second it takes 5 minutes to collect 15,000

samples. The nodes were arranged in various geometries to evaluate the ability of

Eve to obtain the same key as Alice and Bob and to see how the signal to noise ratio

(SNR) might affect the methods. For all datasets, Alice and Eve were placed on a flat

surface while Bob was rotated and moved randomly by an experimenter to introduce

random fading into the channel. In the 16 datasets where Eve was present, she was

at most 45cm from Alice and in few cases she was less than 6.25cm or λ2

from Alice.

Six datasets were collected where Bob was more than 1.5m from Alice and Eve. All

signal processing was done in Python.

2.6 Enabling Channel Adaptation

In [53] the authors presented HRUBE, a framework for bit extraction from channel

measurements, but did not have a realistic method for implementation. This section

presents methods to select the parameters of the ARUBE method. These parameters

include the number of decorrelated components, N , the decorrelation matrix, U ,

and the number of bits per component, {m(i)}i. The selection of these parameters

depends upon the radio channel between Alice and Bob. For example, in a quickly

varying channel we would expect the covariance matrix to be different than in a slowly

varying channel. Also, the number of bits extracted from the channel would increase

with signal to noise ratio.

2.6.1 Previous Approach

In the HRUBE method, the covariance matrix, Rx, was estimated as

Rxc,xc =1

2C − 1

∑c∈{a,b}

C∑i=1

(x(i)c − µc)(x(i)

c − µc)T

(2.13)

where x(i)c is the ith N -length measured RSS vector at node c, C is the total number

of vectors and

µc =1

C

C∑i=1

x(i)c . (2.14)

The N × N decorrelation matrix U is found by the SVD. The values, m(i), were

determined from the covariance matrix of xa and xb. The secret key, zc, was then

24

extracted from the same measurements as were used to estimate the covariance

matrix.

2.6.2 Selection of N

The computational complexity of estimating the covariance matrix and calculating

the SVD are both dependent upon N as will be discussed in Section 2.7. Increasing

N will decrease temporal correlation between bits in the secret key because more

samples are simultaneously decorrelated. For example, setting N = 50 produced

sufficiently decorrelated bits for the HRUBE method [53]. Because of the tradeoff

between computational complexity and temporal decorrelation, finding a minimum

range or value for N could significantly reduce the number of calculations.

In order to test for uncorrelated bits, we look at two types of correlation coeffi-

cients:

1. Pair-wise bit correlation coefficients. We denote ρzi,zj as the correlation coeffi-

cient between the ith and jth component of vector zc (Eq 2.11), for any particular

combination (i, j) where i 6= j. There are(M2

)different values of ρzi,zj .

2. Global bit correlation coefficient. We denote ρz as the correlation coefficient

between any pair of different components of zc. Here we assume that the

correlation coefficient is identical across all combinations of (i, j) and we use

our data to estimate the single value of ρz.

There are(M2

)different pairwise correlation coefficients, ρzi,zj , but because there are

more of them, each one is estimated with few realizations, which we denote as n.

The global bit correlation coefficient, ρz, is a single number but it has many more

realizations, n. By performing statistical tests on both correlation coefficients, we can

reliably verify that bits are uncorrelated.

To avoid confusion, it should be noted that we now have two types of correlation,

spatial and temporal. The first, spatial, is ‘good’ correlation (Eq 2.12 and Figure 2.3)

between the decorrelated components ya(i) and yb(i). This spatial correlation is what

makes bit extraction effective. The second describes temporal correlation between

25

bits. Both ρzi,zj and ρz quantify temporal correlation that might allow an attacker to

have a better chance of guessing subsequent bits given knowledge of some bits. We

quantify the effect of N on temporal correlation in this section.

Estimated correlation coefficients will never be precisely zero, even if ρ = 0. We

use hypothesis tests to quantify if these non-zero correlation coefficients are likely to

have been generated if the true ρ = 0. Formally, the decision is:

H0 :ρ = 0

H1 :ρ 6= 0(2.15)

The hypothesis test is performed on the t statistic [29],

t = ρ

√1− ρ2n− 2

H1

><H0

γ (2.16)

where ρ is the correlation coefficient estimated from the data either ρzi,zj or ρz, n is the

number of realizations used in the estimate and γ is a threshold. The threshold is set

by choosing a desired false alarm rate, α, and applying knowledge of the distribution

of t (t distribution with n− 2 degrees of freedom). In the limit for high n (n > 100)

the distribution of t approaches the zero-mean unit-variance Gaussian distribution.

We plot the t-statistics vs. N and the appropriate thresholds for three datasets in

Figures 2.4 and 2.5. Each dataset has many pairwise correlation coefficients, so for

simplicity we plot only the maximum pairwise correlation coefficients in Figure 2.4.

For the datasets presented here, the minimum number of realizations is n = 833. We

set the false alarm probability, α = 0.05, therefore we would expect even if ρ = 0

to see 5% of the values crossing the threshold. In all plots the target Pbd = 0.04,

K = 256, and D = 128.

As shown in Figure 2.4, for N ≥ 15 the datasets u, s and t decide H0 more than

1 − α = 95% of the time. The global correlation, ρz, as shown in Figure 2.5, is

dependent upon the dataset. H0 is decided for datasets u, s and t at N = 27, 25, 17

respectively. Based on the tests of ρzi,zj we may believe N > 15 is sufficient, however,

because of the tests on ρz, we may wish to set N > 30.

We also tested the effect of N on the number of bits extracted per sample. We

tested the total number of bits per sample for a range of 5 ≤ N ≤ 50 and over the

26

same three datasets. We found that the choice of N does not have a significant effect

on the number of bits extracted per sample.

In addition, we tested the entropy of the bitstream vs. N . For N larger than 15,

entropy slowly increases with N . These results are presented in Table 2.6.

2.6.3 Covariance Matrix and Correlation Coefficient Estimation

In the previous section we looked at the effect of N on temporal correlation when

the covariance matrix was estimated as in Eq. 2.13. In other words, the covariance

matrix was estimated using all measurements made in both directions. If this were

implemented, it would take many minutes to collect all of the RSS measurements.

Alternatively the covariance matrix would be estimated and the KLT performed for

every vector of samples collected. In either case, it would either computationally

expensive or introduce high latency.

We see three options in addition to the full method for calculating the covariance

matrix:

1. Full: The covariance matrix is estimated on the nodes for all vectors of collected

channel measurements using Eq. 2.13. The SVD of the covariance matrix is

calculated on each node and the decorrelation matrix, U , is found.

2. Offline: The covariance matrix is estimated offline from previously collected

data, the SVD of the covariance matrix is calculated and then the decorrelation

matrix, U , is loaded onto both nodes prior to deployment.

3. Uni-directional: The covariance matrix is estimated by each node using only

the measurements it has collected. In this case the covariance matrices at Alice

and Bob would be,

Rra,ra =1

C − 1

C∑i=1

(r(i)a − µa)(r(i)a − µa)T

Rrb,rb =1

C − 1

C∑i=1

(r(i)b − µb)(r

(i)b − µb)

T

27

Table 2.1. m = 1 bit MAQBin Codeword Interval

j f1 f0 e of y(i)1 0 0 0 (−∞, F−1i (0.125))2 0 0 1 (F−1i (0.125), F−1i (0.25))3 0 1 1 (F−1i (0.25), F−1i (0.375))4 0 1 0 (F−1i (0.375), F−1i (0.5))5 1 1 0 (F−1i (0.5), F−1i (0.625))6 1 1 1 (F−1i (0.625), F−1i (0.75))7 1 0 1 (F−1i (0.75), F−1i (0.875))8 1 0 0 (F−1i (0.875),+∞)

5 10 15 20 25 30 35 40 45 50N-elements in KLT

1

2

3

4

5

6

7

8

9

10

t Sta

tist

ic

dataset udataset sdataset t

Figure 2.4. t-statistics for max ρzi,zj vs. N for three datasets and the threshold, γ.

5 10 15 20 25 30 35 40 45 50N-elements in KLT

-2

-1

0

1

2

3

4

5

t Sta

tist

ic

dataset udataset sdataset t

Figure 2.5. t-statistics for ρz, vs. N for three datasets and the threshold, γ.

28

4. Partial: Alice and Bob collect and share Nc preliminary channel measurements,

wpa and wpb. Both vectors are interpolated and ranked then the covariance

matrix is estimated at both nodes using the preliminary bi-directional data,

Rrc,rc =1

Nc − 1

[Nc∑i=1

(r(i)pa − µpa)(r(i)pa − µpa)T

+Nc∑i=1

(r(i)pb − µpb)(r

(i)pb − µpb)

T

](2.17)

The SVD of the covariance matrix is calculated on each node to obtain U .

The advantages of each method are as follows. The full method will decorrelate

the measurement vectors better than the other three, but is expensive in terms of

time and computation. The offline method is much less computationally intensive

since the KLT is not calculated online, but does not adapt to changes in the radio

channel. The uni-directional method requires no additional data sharing between the

two nodes other than probe packets and MAQ protocol, but is as computationally

expensive as the the full method. The partial method, while more computationally

expensive than the offline method, can adapt to changes in the wireless channel

because it decorrelates the bit stream immediately after calculating U .

To determine the effect of these four methods on temporal correlation we take

one of the datasets, u, which was also used in the previous section and run the same

hypothesis tests. Table 2.2 shows that none of the four methods results in correlation

coefficients ρzi,zj or ρz which are significantly different than zero. For all methods,

Pbd = 0.04, K = 256 and D = 128.

The effect of the covariance estimation method on the bits extracted per sample

is also of concern. On average the partial method extracted 5% fewer bits per sample

than did the offline, full or uni-directional methods. For the offline method we used

dataset r as the dataset to compute the decorrelation matrix U . Dataset r was

collected in similar channel conditions as dataset u.

Rarely, the uni-directional method produced as much as 40% fewer bits per sample.

This method suffers from the fact that the U matrix can be highly sensitive to noise.

This is because the order of the eigenvectors and the sign of the eigenvectors can

29

be different at Alice and Bob. Other methods guarantee U will be identical at both

nodes.

To determine the number of bits to extract from each component, Alice and Bob

must know the correlation coefficients ρ(i) (Eq. 2.12). In the uni-directional method,

Alice and Bob cannot determine the correlation coefficients. In addition, in the

offline method the values of the correlation coefficients are virtually certain to vary

with differing channel conditions. In these two cases, Alice and Bob could do one of

two things:

1. Make a conservative guess based on a metric like signal to noise ratio.

2. Exchange a subset of the decorrelated components, yc, and use them to calculate

the correlation coefficients similar to the partial method.

Although it would be cheaper both in terms of computation and time if the SVD

was calculated offline, it would leave the nodes without any means of calculating a new

U matrix or correlation coefficients if the nodes were deployed in an environment with

significantly different wireless characteristics than the previously gathered samples.

To allow adaptation, we use the partial method in the rest of this paper.

2.7 ARUBE Protocol

In this section we describe the ARUBE protocol and find the number of transmis-

sions necessary to extract a secret key of length Lk. Figure 2.6 shows a diagram of

the protocol.

At a high level, the protocol has two parts separated by the dotted horizontal

line in Figure 2.6. In the first part (steps 1-3 in Figure 2.6) the two nodes estimate

the covariance matrix and calculate the decorrelation matrix, U , and the bit vector,

m. In the second part (steps 4-7) the nodes measure the channel and using U and

m, extract bits for a secret key. The second part can be repeated as many times as

necessary to obtain the desired number of bits in the secret key. The process can be

described as follows:

30

Figure 2.6. Packets sent for channel probing (—¿) and data transfer (- - -¿),computation (boxes) at either node, for overhead and bit extraction.

1. Alice (the leader) and Bob (the follower) exchange Nc packets. The packets

contain the RSS value of the last received packet at the respective node so that

both nodes have a copy of the preliminary RSS measurement vectors.

2. Alice and Bob rank and interpolate both vectors.

3. Both nodes estimate bi-directional covariance matrix, calculate the SVD to find

the decorrelation matrix, U , and the bit vector, m.

4. Alice and Bob exchangeK probing packets which contain no data. After packets

are exchanged, Alice has a vector of RSS as measured from Bob to Alice and

31

Bob has a vector of RSS as measured from Alice to Bob.

5. Alice and Bob interpolate, rank and decorrelate their RSS vectors to obtain ya

and yb respectively.

6. Alice quantizes ya to obtain the secret key, za, and the e-vector. She sends the

e-vector to Bob.

7. Bob, upon receipt of the e-vector from Alice, quantizes yb to obtain the secret

key zb.

The fourth through seventh steps are performed until the secret key is of desired

length. If the channel changes substantially or the percentage of bit disagreement

is higher than expected, the first three steps can be performed again to obtain an

estimate of current channel statistics.

With the ARUBE protocol in mind we determine the number of transmissions

needed to create a shared secret key of length Lk. We define the constants

Nc = Samples required to calculate Rrpa,rpb

N = Length of vector to be decorrelated

K = Number of samples to rank

Be = Bits extracted per sample

We calculate the number of transmissions required to generate a key of length Lk

and the computational complexity of each step with respect to N , K and Nc. The

number of bits extracted per sample, Be, is dependent upon the environment where

the bit extraction is performed.

2.7.1 Packet Transmissions

Table 2.3 shows the number of packets transmitted when Lk = 128, Nc = 1000,

K = 256 and Be = [0.4, 0.75] as the number of keys created increases. The number

of packets transmitted is

Nt = Nc +

(⌈LkBeK

⌉K +G

)(2.18)

32

Where G is the number of packets required for Alice to transmit the e-vector. G is

dependent on the number of bits in a packet, P , and the number of components in

yc from which bits can be extracted Mn = |{i : m(i) 6= 0}|.

G =LkMMn

1

P(2.19)

The number of bits extracted per sample, Be, has the greatest effect on the number of

packets transmitted. The transmissions above the dotted horizontal line in Figure 2.6

are overhead and are independent of the number or length of secret keys to be

generated. The amount of transmission overhead is dependent only upon Nc. While

the leader and follower nodes transmit nearly the same number of packets, the leader

node will transmit more over time because of the e-vector packets.

2.7.2 Computational Complexity

The gray boxes in Figure 2.6 indicate computations that are done on each respec-

tive node. The computational complexity of each step is listed in Table 2.4.

While the calculation of the SVD has the highest order of any operation, it may be

possible to simplify the order. For example only Mn = |{i : m(i) 6= 0}| of eigenvectors

need to be calculated. If Mn ≤ N it can be less computationally complex to calculate

one eigenvector at a time and stop extracting eigenvectors when m(i) = 0. Depending

upon the number and length of keys to be generated, the covariance matrix estimation

and calculation of the SVD might not be the most significant portion of the required

computation although they have the highest order.

Although an exact comparison is difficult, we expect ARUBE to extract secret bits

with fewer computations in comparison to the Diffie-Hellman secret key exchange.

The main computation for the Diffie-Hellman scheme is the modular exponentiation,

(ga mod p)b mod p [48]. Here, p is a large prime number, g is the generator of the

order of p − 1, in the group < Z∗p,× >, and a and b are the secrets of Alice and

Bob, respectively. This modular exponentiation has a time complexity of O(nM(k))

where n is the number of bits in p, k is the number of bits in a or b, and M(k) is

the complexity of a chosen multiplication algorithm. Using the Karatsuba algorithm

for multiplication [32], M(k) = O(k1.585). The time complexity of the ARUBE bit

33

Table 2.2. t-statistics by method

Methodρzi,zj ρz

N=17 N=3 N=17 N=35Full 2.950 3.369 1.864 0.444Offline 2.825 2.194 0.533 1.159Uni-directional 2.950 3.196 1.978 0.589Partial Nc =1000

2.201 2.828 0.228 0.926

Partial Nc =2000

2.952 2.851 0.366 1.440

Table 2.3. Number of Packets TransmittedBe Node Overhead Key 1 Key 4 Key 7

0.4Alice 1000 1263 2052 2841Bob 1000 1256 2024 2792

0.75Alice 1000 1264 1800 2336Bob 1000 1256 1768 2280

Table 2.4. Computational ComplexityOverhead Complexity

Interpolate O(Nc)Rank O(NclogK)

Calculate Rxpa,xpb O(N2Nc)Calculate SVD O(N3)

Bit Extraction Complexity

Interpolate O(K)Rank O(KlogK)

Decorrelate O(NK)Quantize O(K)

34

extraction steps is O(NK). Considering k and K to be constant, and noting that

a smaller symmetric key is equivalent in strength to a much larger Diffie-Hellman

Key (e.g., 112-bit symmetric key is equivalent to 2048-bit Diffie-Hellman key [49]),

ARUBE is computationally more efficient than the Diffie-Hellman key exchange.

2.8 Results

In this section we quantify the performance of the ARUBE method. We look at

three metrics: (1) secret bits per sample; (2) estimated entropy rate of secret key

bits; and (3) resistance to a passive attack.

Secret Bits per Sample: The number of secret key bits generated per sample

directly impacts the latency and energy efficiency of key establishment. Figure 2.7

plots ARUBE (and for comparison, HRUBE) secret bits per sample vs. Pbd for N ∈

{17, 35}, K ∈ {128, 256}, and D = K2

. We assume the best case the HRUBE method,

that it estimates the U and {m(i)}i on the same data set which it then uses to extract

bits. Out of 25 data sets, we plot the average of the top three with respect to bits

extracted per sample, the average of the bottom three and the average remaining 19

datasets.

We show a comparable analysis with the same datasets for a bit extraction method

developed by Mathur et al. [45] in Table 2.5. Unlike ARUBE, this method was

developed solely to produce keys with Pbd = 0, with no expectation of information

reconciliation. This method finds extrusions in a filtered vector of RSS measurements.

An extrusion is where the values of a filtered RSS vector are above some threshold

γ or below −γ. If an extrusion is at least m measurements long and exists on both

directions of the link, it will be assigned as a 1 if it is above γ, or as a 0 if it is below

−γ.

To find the values in Table 2.5 we selected many values of γ between 0.1σ ≤

γ ≤ 1.5σ where σ is the standard deviation of the filtered RSS vector, and found the

maximum bits per sample that could be generated which had a Pbd less than a given

value. Table 2.5 shows the average for the best three, worst three and remaining

19 datasets. While this method requires much less computation than ARUBE and

35

K=128 K=256

N=

17

0.01 0.02 0.03 0.04 0.05 0.06 0.07Target Bit Disagreement Rate

0.0

0.2

0.4

0.6

0.8

1.0

Secr

et

bit

s per

sam

ple

0.01 0.02 0.03 0.04 0.05 0.06 0.07Target Bit Disagreement Rate

0.0

0.2

0.4

0.6

0.8

1.0

Secr

et

bit

s per

sam

ple

N=

35

0.01 0.02 0.03 0.04 0.05 0.06 0.07Target Bit Disagreement Rate

0.0

0.2

0.4

0.6

0.8

1.0

Secr

et

bit

s per

sam

ple

0.01 0.02 0.03 0.04 0.05 0.06 0.07Target Bit Disagreement Rate

0.0

0.2

0.4

0.6

0.8

1.0

Secr

et

bit

s per

sam

ple

Figure 2.7. Target Pbd vs. secret key bits per sample for ARUBE (black lines) andHRUBE (gray lines), for N ∈ {17, 35}, K ∈ {128, 256}, and D = K

2, for averages of

the best three datasets (-•-), the worst three (-�-), and the remaining 19 (-N-).

36

unlike similar extraction methods produces keys with high entropy, the number of

bits extracted per sample is very low. Even at small Pbd, ARUBE produces 4 times

more bits per sample and up to 9 times more with larger Pbd.

Entropy Rate: We estimate the entropy rate of the generated secret key bits,

i.e., a quantification of the uncertainty of the bit sequence. If generated bits are

perfectly independent, they should achieve an entropy rate of 1. Although it is not

sufficient for a secret key to have a high entropy in order to be secure, it is necessary.

We generate bits from datasets using Pbd = 0.04, K = 256, and D = 128, and then

estimate the entropy rate using the approximate entropy test in the NIST’s statistical

test suite for random number generators [60]. The average and minimum values over

23 of the 25 datasets are listed in Table 2.6. The remaining two datasets had < 500

bits, not enough to estimate entropy.

Evaluation of Possible Attacker Success: In this paper we take a straight-

forward, if simplistic, view of the ability of an eavesdropper to obtain Alice and

Bob’s secret key. We provide one way to see how the ARUBE and HRUBE methods

perform when under attack from a passive listener. For both methods, Eve performs

bit extraction in the same manner as Alice and Bob. Eve overhears the Nc preliminary

measurements and the RSS values contained within the packets sent between Alice

and Bob to find U and {m(i)}i. We assume Eve knows the constants N , K and Pbd

that Alice and Bob use for bit extraction. The average percentages of bits Eve gets

correct for the HRUBE and ARUBE methods over the 16 datasets (where Eve was

present) are compared in Table 2.7.

2.9 Discussion

Assuming the best case for the HRUBE method, that it estimates the U and

{m(i)}i on the same data set which it then uses to extract bits, we see that the

ARUBE still outperforms the HRUBE. Both the ARUBE and HRUBE methods are

resistant to a passive evesdropper, as shown in Table 2.7. The ARUBE method

achieves higher entropy than the HRUBE method, and increasing N from N = 17 to

N = 35 also increases the estimated entropy rate for both methods (Table 2.6).

37

ARUBE generates up to 60% more bits compared to HRUBE method (Figure 2.7)

for low Pbd. For K = 256 and D = 128, the ARUBE achieves up to 25% more bits

for medium and high Pbd. For most datasets, the ARUBE achieves higher bit rate

at a given Pbd. The greatest improvements occur in datasets with high SNR. The

performance improvement is seen for both N = 17 and N = 35. We note that setting

K too low reduces the benefit of the ARUBE method, e.g., for K = 64 the two

methods are approximately equivalent.

Note that K can be set to an arbitrary integer. For instance, if Be = 0.8 and the

desired key length is 128 bits, it would be faster to collect and rank K = 10.8∗128 = 160

samples. After U is determined, at 50 samples per second, it would take a wireless

sensor 3.2 seconds to collect the required 160 samples for the secret key.

2.10 Conclusion

We presented a new method of secret key generation, ARUBE, that adapts to

the radio channel environment and the characteristics of the two wireless sensors in

use. Further, for medium and high SNR channels, the ARUBE produces more bits

per sample, thus reducing the number of transmissions (energy) required to produce

a given length secret key. In comparison with the HRUBE, another uncorrelated

bit extraction method, ARUBE extracts 30%-60% more bits in situations with high

SNR. ARUBE is shown to produce uncorrelated bits, is resistant to a simple passive

eavesdropper, and secret keys have an entropy rate above 0.97. The number of packet

transmissions and computational complexity are presented.

Future work should test simplifications and implementations of ARUBE. Algo-

rithms to reduce the computational complexity of the KLT exist and should be

tested. The offline version of ARUBE is implemented in TinyOS, and current work

is implementing the complete method.

38

Table 2.5. Bits per sample–Mathur et al.Pbd ≤ 0.0 0.0025 0.01 0.04 0.07

Best 0.074 0.077 0.082 0.088 0.089Middle 0.055 0.064 0.072 0.074 0.076Worst 0.0 0.032 0.05 0.057 0.057

Table 2.6. Average and Minimum Entropy Rates.N = 17 N = 35

Method Mean Min Mean MinARUBE 0.9808 0.9653 0.9833 0.9757HRUBE 0.9767 0.9433 0.9825 0.9712

Table 2.7. Percentage of bits Eve gets correct.Method Compared to Alice Compared to BobARUBE 50.19 50.53HRUBE 50.64 50.76

CHAPTER 3

BIT EXTRACTION FROM CIR USING A

BI-DIRECTIONAL RADIO CHANNEL

MEASUREMENT SYSTEM

3.1 Abstract

Experimental research in secret key extraction typically uses received signal strength

(RSS) measurements as a source for secret keys. In this paper we perform experi-

mental research using channel impulse response (CIR) measurements, one of the few

reports of experimental CIR-based secret key generation. Usually, bi-directional CIR

measurements require two channel measurement devices or a vector network analyzer

(VNA). To obtain measurements for this research we developed a novel electronically

controlled switching system that allows a single receiver and a single transmitter

to alternate the direction of measurement between two antennas, which provides

an inexpensive alternative for bi-directional channel measurement. We present a

description and analysis of such switching systems. We also introduce and apply a new

algorithm that extracts bits with high entropy from bi-directional CIR measurements.

We find that the rate of bit extraction from CIR measurements is up to eight times

faster than from RSS measurements.

3.2 Introduction

Concerns about the long-term security of public key cryptography have led to the

development of new approaches for data encryption. 1 One approach is to establish a

shared secret key between two transceivers based upon measurements of their shared

1This chapter is in second revision as J. Croft and N. Patwari. ”Bit extraction from CIR usinga bi-directional radio channel measurement system.” IEEE Transactions on Mobile Computing

40

radio channel [28]. Significant work has addressed the theoretical bounds for the

rate at which a secret key may be generated [72]. Fundamentally, this generation

rate is a function of the correlation between the channel measurements at the two

transceivers [47]. Experimental measurements are thus critical in order to determine

this correlation, as a function of the band, interference level, channel measurement

modality, and other channel parameters. Experimental data also allow development

and testing of algorithms for secret key generation [30].

This paper contributes to two of these critical areas. First we investigate a

novel means to make bi-directional measurements with only a single transmitter

and receiver. Second we describe a new method of extracting bits from channel

impulse response (CIR) measurements and experimentally demonstrate the method’s

performance.

Electromagnetic wave propagation between two antennas is, in fact, reciprocal

[68]; that is, at the same frequency and same time, signals sent in opposite directions

between two antennas experience identical changes in phase and amplitude. However,

measurements of the received signal at the two antennas are not identical. First,

additive thermal noise and interference from other devices on the same band con-

tribute to each receiver differently. Second, typical radios do not transmit and receive

simultaneously, and instead are time-division duplex (TDD). Thus measurements of

the channel at the two transceivers occur separated in time, during which time the

channel may change.

To accurately design secret key establishment schemes to be used with practical

TDD transceivers, which are subject to outside interference, one must have the

capability to perform bi-directional channel measurements. Significant experimental

secret key establishment research has been performed using measurements of received

signal strength (RSS) [30, 71, 53, 79, 26, 45, 20, 6]. In contrast, the experimental

use of channel impulse response (CIR) measurements in secret key establishment

is relatively rare in the literature, even as theoretical results have shown promise

[79, 26, 42, 75, 78].

In part, the relative scarcity of experimental research using CIR measurements

41

is due to the lack of inexpensive transceiver hardware with which to make the mea-

surements. Standard receivers either do not calculate CIR or do not export CIR

information to higher layers, thus specialized receivers must be designed or costly

RF measurement equipment used for the purpose. A single software radio or vector

signal analyzer / vector signal generator (VSA/VSG) can be used, but measuring a

bi-directional link between two transceivers would require two such systems. A vector

network analyzer (VNA) can also be used to measure the bi-directional radio channel.

In either case, such equipment can cost many tens of thousands of US dollars which

has limited their use in practice.

This paper has two main parts. In the first part, we present an inexpensive

electrically-controlled RF switch system that enables a single transmitter and single

receiver to be used to make bi-directional radio channel measurements. Rather than

using two transceivers, the system switches the direction of channel measurement

between two antennas. This direction-alternation uses four voltage-controlled RF

switches and a control system. The novelty of this switching system is that it removes

the distinction between the transmit and receive antennas, allowing existing uni-

directional equipment to make bi-directional measurements. The switching system is

simple and useful for a variety of channel measurement studies, yet we are not aware

of any prior published study of the characteristics or design of such a system. One

implementation described in Section 3.4 allows channel measurement between 0-3

GHz using inexpensive, commercial off-the-shelf (COTS) RF and control hardware.

There are two major limitations of the switching system. The first is that, if not

designed correctly, the leakage power through the switching system can be higher than

the desired power received through the wireless channel. We explore the design of the

system to keep the leakage power low in Section 3.4. The second is that due to cable

connections, the antennas cannot be separated by an arbitrary path length. Because

of the path length limitations, this system will be useful in indoor, or short-range

outdoor, radio channel measurement experiments. Many wireless networks are short

range such as intra-vehicle communication and wireless body sensor networks. In the

past these measurement studies have used a VNA [63], [65], [66], [3] but with the

42

proposed system a VNA is not required. Numerous studies of indoor propagation

use single TX, single RX measurement equipment [31], [5], [16], [34], [76]. Given the

similarity between this system and a vector network analyzer, we present this system

as an economical alternative to a vector network analyzer if a single TX, single RX

channel measurement system is available.

In the second part of this paper, we introduce and test a new algorithm for

secret key establishment from CIR measurements. We apply the developed switching

system to make bi-directional measurements of CIR in a time-varying channel and

use the measurement results to evaluate the performance of secret key generation,

including entropy, and the rate of generation of secret key bits. A key component

of the developed algorithm is to decorrelate measurements across time delay and

measurement time, so that the generated secret key bit stream has very high entropy

rate. We find that secret key bits can be generated from CIR measurements at

eight times the rate compared to RSS measurements. Further, we find that CIR

phase information, compared to CIR magnitude information, is a relatively minor

contributor to secret key establishment.

Section 3.3 summarizes research in the areas of channel impulse response mea-

surement and secret key establishment. In Section 3.4, we describe the power loss,

RF leakage and system limitations common to all four-switch systems and present an

example implementation to show how the components used affect the dynamic range

of the system. Section 3.5 describes three sets of measurements. In section 3.6 we

present the bit extraction method and show how it performs in terms of rate of bit

extraction and entropy rate. Section 3.7 concludes.

3.3 Related Work

This paper merges two typically disparate topics: RF channel impulse response

measurement, and 2) secret key establishment. Research which addresses secret key

establishment from CIR measurements has largely avoided experimental performance

analysis from bi-directional measurements. Research in RF CIR measurement has

presented few tools for bi-directional CIR measurement, except for the vector network

43

analyzer, which is extremely expensive and relatively slow. We describe both related

research areas here.

3.3.1 RF CIR Measurement

While measurement studies have characterized indoor and outdoor wireless chan-

nel characteristics including time of arrival and jitter [51, 54], channel impulse re-

sponse [17, 21, 55], and spatial and temporal fading correlations [1, 23], key extraction

from the wireless channel requires bi-directional measurements. With the exception

of [51], the cited measurement studies employed a single transmitter and a single

receiver. While a vector network analyzer (VNA) like in [51], does make bi-directional

measurements, no prior research has used these measurements to generate secret keys.

In this paper, we provide a new bi-directional channel measurement tool using

a set of RF switches. The use of RF switches to extend the usefulness of wireless

channel measurement equipment is not itself new. In general, transceivers use RF

switches or circulators to enable the use of one antenna with a separate transmit

and receive path. In addition, switched array wideband MIMO channel sounders like

those in [43], [4], [36], [70], [35], use RF switches. In these M×N MIMO systems, one

switch at the TX and one switch at the RX are used to select one antenna element of

the M or N antennas in the array to serially probe the M ×N channels. In contrast,

we use four switches to select which of two antennas the transmitted signal is sent and

to connect the receiver to the opposite antenna. The contribution of this system’s use

of RF switches is to remove the distinction between transmit and receive antennas

completely. Further, we consider the resulting isolation issues and contribute simple

engineering rules for system design.

3.3.2 Secret Key Establishment

Even over very short path lengths, security is of concern. For instance, wireless

body area sensor networks [3], [69] have path lengths of less than a meter and in a

health care setting, government regulations can require the privacy of the data col-

lected. In addition, in confined spaces such as airplanes [66], buses [65] or automobiles

[62] it might be desirable to keep information private from other passengers.

44

Secret key establishment uses the reciprocal nature of the wireless channel to

generate shared secret keys at two nodes, Alice and Bob, without prior agreement.

Because the channel is a time-varying, location specific filter, characteristics of the

channel at Alice and Bob are different than those at an attacker node, Eve. To

generate shared secret keys Alice and Bob measure some characteristic of the channel

over time and then extract bits from those measurements. Because Eve cannot

measure the same channel as Alice and Bob, she is unable to generate the same

secret key.

Secret keys extracted from channel measurements was first suggested by Hershey

[28]. Since then, many channel characteristics have been used including measurements

of phase [28, 61], channel impulse response [72, 79, 26, 42, 75, 78, 73], or amplitude

gain [30, 53, 71, 45, 20, 6, 7, 40].

Challenges for bit extraction include 1) the time correlated nature of channel

measurements, which reduce the cryptographic strength of the key unless accounted

for in algorithm design, and 2) the non-reciprocities which occur due to the half-duplex

nature of the channel measurements (since both transceivers cannot measure the

channel simultaneously). For the latter, in order to guarantee complete agreement

between the two generated secret keys, information reconciliation [11] is often used

to correct a small number of discrepancies without giving away the entire secret key.

For those papers with experimental results, received signal strength (RSS) is the

most common measurement modality because of its ease of collection. Equipment

used to measure the channel for secret key extraction include software radios [40],

wireless sensor nodes [53, 20], or wireless cards in laptops [30]. Nearly all of these

experimental results used one-dimensional data sources for key extraction with the

exception of [79, 26]. While [45] did collect CIR data, only the magnitude of the

dominant multipath component is encoded as bits for a secret key.

Simulated channel impulse response measurements have been used as a source for

secret keys [42, 75, 78, 73, 72]. Models for the simulated channels came from [25] and

ITU cellular channels, among others. Many of these papers establish upper bounds

for the maximum number of bits that can be extracted. For instance, [78] and [73]

45

both found the maximum number of bits extracted per measurement is affected by

the assumptions made about the signal to noise ratio and number of paths in the

channel.

Finally, [79], [26], and [75] (to a lesser extent) use experimental uni-directional

CIR measurements as the source for shared secret keys. In order to approximate

bi-directional measurements, the researchers collected data, switched the position of

transmitter and receiver and then collected more data. Both [79] and [26] make

the problematic assumption that the channel does not change between reciprocal

measurements and instead use movement of the transmitter and receiver in a static

channel as the sole source of randomness. In real-world situations, the channel

is dynamic, changing due to the movement of people, vehicles, tree leaves, etc.

The dynamic nature of the channel is both a benefit, when it is used to increase

the rate of secret key bit generation, and a source of bit disagreement, when it

happens more quickly than Alice and Bob can measure [30]. Bi-directional CIR

measurements are clearly important to the experimental evaluation of CIR-based

secret key establishment.

3.4 Analysis

In this section we present a bi-directional switching system which uses four RF

switches to alternate the direction of measurement between two antennas as shown

in Figure 3.1. The path of the transmitted signal is dictated by the system state. In

short, in state 1 the channel is measured from A2 to A1, while in state 2, the channel

is measured in the opposite direction.

Compared to a single transmitter and receiver that measure the wireless channel in

only one direction, the bi-directional switching system has more sources of power loss

due to the multiple switches and cables. These extra components may also introduce

non-reciprocities into the measurements due to uneven power loss. Further, it is

possible for the transmitted power to take a “wrong” path through the switches to

reach the receiver without traveling across the wireless channel. In this section we

explore the process of choosing system parameters based on design requirements.

46

3.4.1 Power Loss

First we consider the power loss between TX and RX in Figure 3.2. In addition to

path loss between antennas A1 and A2, further signal attenuation can be attributed

to switch insertion loss and loss in the cables. Traveling from TX to RX the signal

is attenuated by four switches and two cables. At this point we assume that switch

insertion loss is identical at each switch, denoted Lswitch in dB, and that the four

cables are identical in length and have loss Lcable in dB. While design equations can

be complicated by dB units, most specifications are reported in dB. Therefore, unless

otherwise noted, we will also use dB. The worst case total attenuation in dB suffered

by the signal arriving at RX, Lsignal, can be written as:

Lsignal = Lpath + 2Lcable + 4Lswitch (3.1)

where Lpath is the dB radio channel path loss between points F and L in Figure 3.2.

3.4.2 Leakage

Two types of leakage are possible. The first is leakage through the wireless channel

directly from the transmitter to the receiver, possibly due to imperfect shielding of

TX and RX components. The other type of leakage is through the switches. Referring

to Figure 3.3, switch leakage can either be across an open switch, either RF 1 or RF

2, to RF Common or through a switch from RF 1 to RF 2. As such, one switch has

two types of isolation. We call the dB isolation between RF 1 and RF 2, the two

poles of the switch, Ipole, and the dB isolation between RF Common and the open

connection, Iopen. At this point we assume that the switches have the same Ipole and

Iopen, but we remove this assumption when discussing the example realization at the

end of this section.

Figure 3.2 shows three different leakage paths. Consider the two leakage paths

through the switches. Both paths include two cables, Lcable, one RF 1-RF 2 isolation

Ipole, and one RF 1-RF Common isolation, Iopen. The isolation along one of the switch

leak paths is:

Ileak = Ipole + Iopen + 2Lcable (3.2)

47

Leakage directly from RX to TX also needs to be considered. We call the isolation

between RX and TX, Itr. The total power arriving at the receiver in dB, Pr, is the

sum of the signal power and the leakage power which add together in linear terms,

Pr = Pt + 10 log10

(10−

Lsignal10 + 2 · 10−

Ileak10 + 10−

Itr10

)(3.3)

where Pt is the transmit power in W.

We plot Pr versus Lpath for various switch and isolation characteristics in Fig-

ure 3.4. Depending on these characteristics there is non-linearity in the received

power equation. In particular, as Lpath →∞, Pr approaches a constant.

3.4.3 System Design

In order to design the system such that the linear range of (3.3) contains the

range of path losses we desire to measure, we must choose appropriate components.

In this section we provide guidelines for the selection of switches and system design

parameters. First we provide a rule of thumb for switch selection, and then we discuss

the requirements for TX/RX isolation.

As path loss, Lpath, increases, at some point the signal power will become domi-

nated by leakage power. Rewriting Equation 3.3 we have:

Pr = Pt − Lsignal + 10 log10 (1 + Esw + Etr) (3.4)

where,

Esw = 2 · 10−Ipole−Iopen+Lpath+4Lswitch

10 (3.5)

Etr = 10−Itr+Lpath+2Lcable+4Lswitch

10 (3.6)

Both Esw and Etr are error terms which cause non-linearity in the system response.

The error term Esw corresponds to the non-linearity that can be controlled by choice

of switch, while the error term Etr corresponds to the non-linearity that is affected

by the TX/RX isolation, Itr.

As we can see from (3.4), if Esw and Etr are zero, then the received power is linearly

related to the transmit power and the path loss. The extra losses, 2Lcable + 4Lswitch,

from (3.3) can be measured and removed in calibration.

48

Ignoring for the moment error contributed by the TX/RX isolation (Etr = 0), the

system response will be less than 3 dB in error due to switch leakage when Esw ≤ 1.

Setting (5) ≤ 1,

2 · 10−Lleak+Lpath+2Lcable+4Lswitch

10 ≤ 1 (3.7)

Simplifying and replacing Lleak with switch parameters,

Ipole + Iopen − 4Lswitch ≥ 3 + Lpath (3.8)

This equation relates switch parameters with measured path loss. When selecting

a switch, we must ensure that the left hand side of (3.8), Ipole + Iopen − 4Lswitch, is

greater than 3 dB plus the maximum path loss we expect to be able to measure.

For some applications, 3 dB error is likely to be acceptable since it is similar to

errors for typical path loss measurements, but for small scale fading, a more accurate

limit might be 1 dB. In that case,

2 · 10−Lleak+Lpath+2Lcable+4Lswitch

10 ≤ 0.25 (3.9)

Simplifying and replacing Lleak with switch parameters,

Ipole + Iopen − 4Lswitch ≥ −3 + Lpath (3.10)

Similarly, to quantify the requirements for TX/RX isolation, Itr, we can evaluate

Etr. If Etr ≤ 1, then the system response will be less than 3 dB in error due to

TX/RX leakage. This requirement along with (6) leads to,

Itr − 2Lcable ≥ Lpath + 4Lswitch (3.11)

The system response will be less than 1 dB in error due to TX/RX leakage when

Itr − 2Lcable ≥ Lpath − 6 + 4Lswitch (3.12)

Itr is a function of the TX and RX equipment used with the four switch system. It

can be measured by disconnecting the RF output of the TX and the RF input of

the RX and measuring received power. If Itr needs to be increased, the TX and RX

should be separated by a greater distance or extra shielding added.

49

The difficulty in increasing the distance between TX and RX is that it will require

longer cables and thus Lcable will also increase, decreasing the linear range of the

system. It will be important to use low loss cable as the length of the cable increases

in order to maintain an acceptable dynamic range.

In summary, a system designer should select a switch using the maximum expected

path loss and (3.8). Then the system designer should select cable and evaluate if Itr

is sufficient based on (3.11).

3.4.4 Example Realization

In this section we experimentally validate the desired dynamic range of the four

switch system. The individual components and nominal values for component pa-

rameters are listed in Table 3.1. To validate the dynamic range, we put increasing

amounts of attenuation between points F and L in Figure 3.2 using cable and a

variable attenuator. Figure 3.5 shows power at the receiver, Pr vs. the known

attenuation Lpath.

This is compared to the analytical Pr using (3.3) and measured values for loss

and isolation. These values ranged between 1.54 and 2.39 dB for Lswitch and between

44.84 and 53.21 dB for Iopen. We used Ipole = 50 dB as cited in the datasheet. As

discussed we found Itr = 111 dB. When taking this measurement, the noise floor of

the receiver was −125 dB. Because the insertion loss and isolation characteristics vary

slightly between the two sides of any switch, the dynamic response in the two states

are slightly different. This is especially evident at the bottom of the dynamic range.

Figure 3.5 shows that the linear range of the bi-directional measurement system

paired with our software radio has a dynamic range of 40 dB to around 85 dB. Within

that dynamic range, received power in state 1 and state 2 are nearly identical. The

non-linearity at the top of this range is caused by saturation of the A/D converter of

the software radio.

The measurements we present in this paper are at path losses much less than 85

dB, typically 70 dB. At 70 dB of path loss, leakage causes 0.11 dB of error in our

measurements. This is much smaller than typical path loss measurement errors.

50

(a) State 1. A2 is Transmitter

(b) State 2. A2 is Receiver

Figure 3.1. Redirecting the transmitted and received signals to measure bothdirections of the radio channel between antennas A1 and A2.

Table 3.1. Switching System ComponentsComponent Type Parameters

Switches Mini-Circuits ZX80-DR230+ Iopen = 48dB, Ipole = 50dB,Lswitch = 1.7dB

Output Controller ADAM-4050 Max. Switching Frequency= 83Hz

Cables 8 m LMR-400 coax 0.2 dB/m loss @ 2.4 Ghz

51

Figure 3.2. Labeled switch diagram in state 1. The correct path for the signalis {G,I,J,L,F,D,B,A}, however three incorrect paths are possible: directly fromtransmitter to receiver (-.), {G,H,E,D,B,A}(- -), and {G,I,J,K,C,A} (..).

3.5 Bi-Directional CIR Measurements

In this section we describe the bi-directional measurements made using our im-

plementation of the measurement system presented in Section 3.4. For completeness,

a description of the channel sounding equipment used is included.

3.5.1 Software Radio

Any existing radio channel measurement equipment could be used in conjunction

with the four switch system described in this paper; we use the Sigtek ST-515 software

radio. Among other characteristics, the ST-515 can measure the time delay, phase

and amplitude of multipath in the radio channel. It has two parts, a TX and an RX.

In normal operation, the TX is in a fixed position while the RX is mobile.

The TX consists of a direct sequence spread spectrum (DSSS) generator, up con-

verter (2.400 to 2.483 GHz) and a power amplifier. The RX contains a down converter,

snapshot digitizer and a computer running Matlab for control and computation, and

can collect nine measurements per second.

The RX measures the channel impulse response (CIR) over time, h(tn, τ),

h(tn, τ) = ejθ∑i

αi(tn)ejφi(tn)η(τ − τi(tn)) (3.13)

where αi(tn), τi(tn) and φi(tn) are the amplitude, delay and phase shift, respectively, of

the ith multipath component measured at time tn and η(τ) is the autocorrelation of the

52

Figure 3.3. One RF switch. RF common can be connected to either RF 1 of RF 2.

0 20 40 60 80 100 120Known Attenuation (dB)

�100

�80

�60

�40

�20

Rece

ived P

ow

er

.

(dB

rela

tive t

o t

ransm

it p

ow

er)

BaselineIpole=60

Itr=100

Lswitch=1

Figure 3.4. Possible linear ranges of four sets of parameters. Given baselineIpole = 50 dB, Iopen = 45 dB, Lcable = 2 dB, Lswitch = 2 dB and Itr = 111 dB,each plot other than baseline changes one parameter.

0 20 40 60 80 100 120 140Known Attenuation (dB)

�110

�100

�90

�80

�70

�60

�50

�40

�30

�20

Rece

ived

Pow

er

.

(dB

rela

tive

to tr

ansm

it po

wer

) measured state 1measured state 2calculated state 1calculated state 2

Figure 3.5. Known attenuation between junctions F and L plotted against receivedpower. Note that measurements and calculations were made assuming a transmitterfrequency of 2.44 GHz.

53

PN code signal. The PN autocorrelation function is a finite-bandwidth approximation

of the Dhirac impulse function. Due to the fact that RX and TX are not phase-

synchronous, θ is a uniform random(0, 2

π

)variable.

3.5.2 Measurements Collected

We present measurements from an indoor office environment with the objective of

characterizing the non-reciprocities that would exist in measurements of the radio

channel that two transceivers would experience during secret key establishment.

While the channel is reciprocal, measurements of the channel are not. Using the

four switch system in experiments allows us to characterize the channel that two

transceivers would utilize.

Figure 3.6. TX, RX, A1 and A2 locations. The TX and RX are next to oppositewalls of a rectangular room. The two antennas centered between them along the tworemaining walls.

In these experiments, the antennas are approximately 3.5 m apart as shown in

Figure 3.6 and are stationary. The type of motion in the wireless channel is changed

between datasets. In dataset A (Figure 3.7(a) and 3.7(b)), nothing is moving in the

room. In dataset B (Figure 3.7(c) and 3.7(d)), an experimenter is walking between

the antennas.

54

(a)

0.0 0.1 0.2 0.3 0.4 0.5 0.6Time Delay, �, (�s)

-130

-120

-110

-100

-90

-80

-70

Pow

er

(dB

)

�(�)

�(�) +�(�)

�(�)��(�)

(b)

(c)

0.0 0.1 0.2 0.3 0.4 0.5 0.6Time Delay, �, (�s)

-130

-120

-110

-100

-90

-80

-70

Pow

er

(dB

)

�(�)

�(�) +�(�)

�(�)��(�)

(d)

Figure 3.7. Bi-directional measurements for two data sets. Plots 3.7(a)and 3.7(c)and show 10 pairs of measurements. Power in dB is relative to transmit power.The dark plots are measurements from antenna A1 to A2. The light plots aremeasurements from antenna A2 to A1. The time between each measurement was0.11s. Plots 3.7(b) and 3.7(d) show the mean and the mean plus and minus thestandard deviation of 175 pairs of measurements.

55

The first two plots of Figure 3.7 show that measurements of channel impulse

response do not change significantly over time when there is no movement. However,

during movement in the wireless channel (Figures 3.7(c)- 3.7(d)) the measured CIR

varies.

The results are similar in the frequency domain. Figure 3.8 plots two subsequent

channel frequency response measurements from dataset A and two from dataset B.

The time between the two measurements is 0.11s.

In the final experiment we introduce time-varying interference into the channel.

We place three wireless sensors close to one of the antennas. The wireless sensor

modules have an IEEE 812.15.4 transmitter which is programmed to transmit at a

center frequency of 2.440 GHz at a transmit power of 0 dBm. The synchronized

wireless sensors alternate between 10 seconds of continuous packet transmission and

10 seconds of radio silence.

Figure 3.9 shows the magnitude of individual channel impulse responses. At tn >

45s the wireless sensor modules next to A2 are transmitting and interference is only

present on one side of link.

3.6 Secret Key Extraction

In this section we present a method of extracting bits from bi-directional measure-

ments to create shared secret keys. Tools for extraction of uncorrelated secret key bits

from RSS measurements are devleoped in [53] and [20]. This paper further develops

a method to generate uncorrelated secret key bits from channel impuse response

measruements. As with RSS measurements, the challenge for bit extraction is to

extract as many uncorrelated bits as possible with low probability of bit disagreement

between the keys generated at two transceivers.

For the sake of notational simplicity and in keeping with other work in this area,

we designate two nodes, Alice or “a”, and Bob or “b”, as the legitimate users. In

this case, Alice is at antenna A1 and Bob is at antenna A2. When we speak of Alice

measuring the channel we mean that she records the channel impulse response when

Bob is transmitting. After N measurements are made at each antenna, Alice and

56

Bob each have matrix Hc where,

Hc = [hc(1), . . . , hc(N)] (3.14)

Each CIR measurement, hc(n, k) = h(tn, kT ) from (3.13) as measured at node c ∈

{a, b}, has K measured time delays and is defined as,

hc(n) = [hc(n, 1), . . . , hc(n,K)]T (3.15)

Signal processing is used to remove correlation between subsequent channel mea-

surements and to mitigate non-reciprocities caused by the half-duplex nature of

channel and the unsynchronized TX and RX. This method has four steps: 1)

synchronize 2) interpolate 3) decorrelate 4) quantize. We describe each step in Section

3.6.2, and a block diagram is given in Figure 3.10.

3.6.1 Adversary Model

We assume that the adversary, Eve, can listen to all communications between

Alice and Bob. Eve can also measure both the channels between herself and Alice and

between herself and Bob at the same time when Alice and Bob measure the channel

between them for key extraction. We assume that Eve is more than a few wavelengths

away from Alice or Bob. We also assume that Eve knows the key extraction algorithm

and the values of the parameters used in the algorithm. We assume that Eve cannot

jam the communication channel between Alice and Bob. We also assume that Eve

cannot cause a man-in-the-middle attack, i.e., our methodology does not authenticate

Alice or Bob.

3.6.2 Method

Synchronize: The lack of time synchronization between transmitter and receiver

introduces non-reciprocities between measurements made by Alice and those made

by Bob in both the magnitude and phase of the signal. One simple method to

synchronize time delay is to shift the measurement so that the dominant (highest

power) multipath is at a known time delay, but if two paths of equal strength are

measured this will occasionally fail to align the signals, as shown in Figure 3.11. In

57

addition, the signals have a random rotation caused by slight differences in the carrier

frequencies (Figure 3.12). In order to maximize the number of bits extracted we need

to align the signals both along τ and in phase.

To correct the shift along τ we use the median of the magnitude of the signal in

linear units. The median of the nth measurement, kn, is the value of the first index

where the cumulative sum of |hc(n)| is greater than 12

∑Kk=1|hc(n, k)|. If this median

is significantly different than the index of the maximum, the signal is shifted.

We encode CIR samples from before and after the peak kn. Let k− and k+ denote

the number of CIR samples before and after the peak to be encoded, respectively.

From our measurements, we find that k− = 10 and k+ = 40 capture the samples that

are typically above the noise floor, and thus K = 51.

We can correct the phase offset by rotating each measurement so that the angle

of the sum of the channel impulse response is equal to zero. We find the offset, θc(n),

as

θc(n) = −∠K∑k=1

hc(n, k) (3.16)

where c ∈ {a, b}. Then for each measurement we shift, truncate and rotate. For

n = 1, . . . , N ,

fa(n) = [ha(n, kn − k−), . . . , ha(n, kn + k+)]T ejθa(n)

fb(n) = [hb(n, kn − k−), . . . , hb(n, kn + k+)]T ejθb(n)

We can extract bits from either the phase or magnitude information in fc. When

we refer to the encoding of magnitude information, we let fc = |fc|, and when we

refer to the encoding of phase information, we let fc = unwrap(fc). The next three

steps, interpolation, decorrelation and quantization are performed once for |fc| and

once more for ∠fc. We use unwrap(x) to denote the phase unwrapping of complex

vector x.

Finally, we denote matrix Fc as,

Fc = [fc(1), . . . , fc(N)] (3.17)

Interpolate: Like most transceivers, the presented bi-directional measurement

system is incapable of making simultaneous measurements in opposite directions. In

58

other words, it is not possible to measure from antenna A1 to A2 and measure the

channel from A2 to A1 at the same time. The time between measurements introduces

non-reciprocities.

We use a fractional delay interpolation filter to obtain an estimate of the channel

in both directions at a single point in time. The fractional delay between the nth

measurement made by Alice and the nth measurement made by Bob

µ =1

2

[tb(n)− ta(n)

T

](3.18)

where tb(n) and ta(n) are the arrival times of the nth signal at Bob and Alice

respectively.

We implement two fractional delay filters, one for each side of the link. W.l.o.g. we

assume that ta(n) < tb(n) so that µ > 0. The filters are applied to rows in Fc, where

Fc = [f1c, . . . , fkc]T and c ∈ {a, b}. If we interpolate points in fka where k = 1 . . . K so

each sample is delayed by (1+µ)T and interpolate points in fkb so that each sample is

delayed by (1−µ)T , we would have nearly simultaneous measurements. These delays

can be broken down into fractional, µ, and integer, i, delays. At each node:

µa = µ µb = 1− µ ia = 1 ib = 0 (3.19)

We implement the cubic Farrow filter [24]. For c ∈ {a, b}:

sc =[µ3c/6− µc/6,−µ3

c/2 + µ2c/2 + µc,

µ3c/2− µ2

c + 1,−µ3c/6 + µ2

c/2− µc/3]T

For each time delay, k = 1, . . . , K, we convolve fkc with the filter to obtain gTkc = fkc∗scand Gc = [g1c, . . . ,gkc]

T . The matrix of filtered signals Gc where c ∈ {a, b}, becomes

the input to the next step in the bit extraction process.

Decorrelate: Bits extracted from correlated measurements are likely to also be

correlated, thereby reducing the strength of the secret key. A valid solution would

be to sub-sample measurements far enough apart in time or space such that the

measurements are no longer correlated. However, this could reduce the rate of bit

extraction. Instead of sub-sampling, we use the Karhunen-Loeve transform to obtain

decorrelated measurements.

59

There are KN elements of Gc. The covariance matrix for all elements of Gc would

have K2N2 elements. To avoid dealing with such a large matrix, we decorrelate along

the columns of Gc = [gc(1), . . . ,gc(N)] and then along the rows.

Given one synchronized, interpolated measurement, gc(n) we decorrelate by

yc = UTg (gc(n)− µg) (3.20)

where µg is the mean of gc(n) and Ug is the decorrelation matrix. The decorrelation

matrix, Ug, is found from the singular value decomposition (SVD) of the covariance

matrix, Rg = cov(gc(n)), such that, Rg = UgSgUTg , where Sg is a diagonal matrix of

eigenvalues. The decorrelated vectors, yc are the columns of Yc = [yc(1), . . . ,yc(N)].

Decorrelation of the components in time is very similar to the above step. However,

because each of the K rows of Yc = [y1c, . . . ,ykc]T are correlated differently over time,

we need to estimate a covariance matrix and calculate the SVD to find a decorrelation

matrix for each row. Given the kth row at node c, ykc, we decorrelate by

zkc = UTk (ykc − µk) (3.21)

where µk is the mean of ykc and Uk is a matrix that transforms ykc into uncorrelated

components. The decorrelation matrix, Uk is found from the SVD of the covariance

matrix, Ry = cov(ykc) such that Ry = UkSkUTk .

The covariance matrices are estimated using measurements made in both direc-

tions. In order for Alice and Bob to each have a copy of all measurements this data

must be exchanged between them over an unsecured channel. Since an evesdropper

would be expected to overhear this exchange, preliminary measurements used to

estimate the covariance matrices are not used for secret key bit extraction. Then

further measurements are collected and decorrelated for bit extraction.

Quantization: The next step is to quantize the decorrelated measurements.

While we want to maximize the number of bits extracted from each decorrelated

value, we also want to limit the probability of bit disagreement, Pbd. We apply

multi-bit adaptive quantization [53] (MAQ), which achieves a high rate of bits per

sample for a desired Pbd. The number of bits extracted from each zkc depends on the

correlation between the reciprocal components and the desired, or target, Pbd.

60

3.6.3 Results

Data: We collected 3200 pairs of bi-directional CIR measurements using the four

switch system described previously. The dataset was split in half, with 1600 pairs of

measurements used to estimate the covariance matrices and 1600 pairs from which

bits were extracted. The antennas were placed 3 meters apart. An experimenter

walked at a slow pace (0.1 meters per second) in a circle between the antennas while

the measurements were conducted.

Bits Extracted: The above bit extraction method was applied separately to the

magnitude and then to the phase of the measurements. The number of bits extracted

per measurement for a range of Pbds are plotted in Figure 3.13.

A wideband estimate of RSS can be found from the CIR measurements by finding

the area under the magnitude of the CIR signal [57]

r(n) = 10 log10

K∑k=1

|h(k, n)|2 (3.22)

for n = 1 . . . N . For comparison we applied a similar bit extraction method to

these calculated RSS values. The bits per measurement vs. the probability of bit

disagreement for the calculated RSS values are plotted in Figure 3.14.

Key Strength: We used NIST’s approximate entropy test from the randomness

test suite [60] to find the entropy rate of keys generated using this bit extraction

method. The average entropy rate was 0.9847 for magnitude and 0.9870 for phase.

For comparison the average entropy rate for keys generated from the RSS data was

0.9846. An ideal bit stream has entropy rate 1.0.

While high entropy is necessary for a strong key, it is not sufficient since the key

must also be random. We used additional tests from NIST’s randomness test suite

to help determine if the keys were random. Each of the 11 tests is a hypothesis test

that evaluates randomness based on a characteristic of the sequence. The p-values

for these tests are in Table 3.2 for two target Pbd = 0.4, 0.75 for CIR magnitude data

and Pbd = 0.04 for estimated RSS data. A p-value of greater than 0.01 is considered

as passing, though values closer to 1 are judged to be more random.

61

2.420 2.425 2.430 2.435 2.440 2.445 2.450 2.455 2.460Frequency (GHz)

-140

-120

-100

-80

-60

Att

enuati

on (

dB

)

State 1State 2

(a)

2.420 2.425 2.430 2.435 2.440 2.445 2.450 2.455 2.460Frequency (GHz)

-160

-140

-120

-100

-80

-60

-40

Att

enuati

on (

dB

)

State 1State 2

(b)

Figure 3.8. Example bi-directional measurements in the frequency domain for (a)dataset A and (b) dataset B.

Table 3.2. NIST p-valuesCIR RSS

NIST Test Pbd = .04 Pbd = .075 Pbd = .04Approx. Entropy 0.752 0.833 0.146

Block Freq. 0.998 1.0 0.911Cum.Sum Forward 1.0 1.0 0.942Cum.Sum Reverse 1.0 1.0 0.737

FFT 0.751 0.974 0.854Freq. 0.989 0.992 0.643

Linear Comp. 0.423 0.313 0.677Template 0.763 0.506 0.394

Rank 0.791 0.626 0.742Runs 0.642 0.483 0.765Serial 0.584 0.569 0.655

62

0.0 0.2 0.4 0.6 0.8 1.0 1.2 1.4 1.6Time Delay, �, (�s)

�150

�140

�130

�120

�110

�100

�90

�80

�70

�60R

ece

ived P

ow

er

.

(dB

rela

tive t

o t

ransm

it p

ow

er) tn =37.4s

tn =37.51

(a)

0.0 0.2 0.4 0.6 0.8 1.0 1.2 1.4 1.6TimeDelay, �, (�s)

�150

�140

�130

�120

�110

�100

�90

�80

�70

�60

Rece

ived P

ow

er

.

(dB

rela

tive t

o t

ransm

it p

ow

er) tn =48.84s

tn =48.95s

(b)

Figure 3.9. (a) When interference source is off, subsequent CIR measurementsbetween A2 to A1 (tn = 37.4s) and from A1 to A2 (tn = 37.51s) are nearlyidentical. (b) When interference source is on, CIR measurements between A2 toA1 (tn = 48.84s) are unchanged while those from A1 to A2 (tn = 48.95s) showinterference.

63

Fig

ure

3.1

0.

Sec

ret

key

bit

extr

acti

onfr

omC

IRm

easu

rem

ents

invo

lves

synch

roniz

atio

n(p

has

ean

dti

me

del

ay),

inte

rpol

atio

n(u

sing

frac

tion

aldel

ayfilt

ers c

),dec

orre

lati

on(a

cros

sti

me

del

ayτ

and

tim

et)

,an

dquan

tiza

tion

(usi

ng

mult

i-bit

adap

tive

quan

tiza

tion

).

64

20 40 60 80 100 120τ index, k

0.00

0.01

0.02

0.03

0.04

0.05

0.06

0.07

0.08

0.09

Norm

alized M

agnit

ude,

|h(n

)| Alice

Bob

Figure 3.11. Two CIR measurements made by Alice and Bob. Aligning the indicesof the dominant multipath does not always align the signals.

−0.06 −0.04 −0.02 0.00 0.02 0.04 0.06Real Part

−0.05

0.00

0.05

0.10

0.15

Imagin

ary

Part

CIR 1

CIR 2

CIR 3

CIR 4

Figure 3.12. CIR measurements showing the random rotation which must beremoved before bits can be extracted.

3.6.4 Discussion

Using the presented bit extraction method, we can extract 3.89 times more bits

for a Pbd = 0.1 from CIR measurements than from RSS measurements and 7.84 times

for a Pbd = 0.04 (Table 3.3). Keys extracted from CIR measurements using the above

method have a high entropy rate and have been tested by the NIST randomness test

suite to have characteristics consistent with random bit sequences.

65

0.00 0.01 0.02 0.03 0.04 0.05 0.06 0.07Probability of Bit Disagreement

0

1

2

3

4

5

6

7

8

9

Bit

s p

er

Measure

ment

(magnit

ude)

(a) Bits from Magnitude

0.00 0.02 0.04 0.06 0.08 0.10Probability of Bit Disagreement

0.0

0.2

0.4

0.6

0.8

1.0

1.2

Bit

s p

er

Measure

ment

(phase)

(b) Bits from Phase

Figure 3.13. (a) Number of bits extracted per measurement from |H| for variousPbd (b) Number of bits extracted per measurement from ∠H.

Table 3.3. Bits per Sample ComparisonBits Extracted Per Sample From: Improvement

Pbd CIR Mag CIR phase RSS0.01 1.0 0.09 0.28 389%0.02 1.9 0.18 0.42 495%0.04 4.8 0.38 0.66 784%

66

0.00 0.02 0.04 0.06 0.08 0.10Probability of Bit Disagreement

0.2

0.4

0.6

0.8

1.0

1.2

1.4

Bit

s p

er

Measure

ment

Figure 3.14. Number of bits extracted per RSS measurement for various Pbd

With this algorithm many more bits are extracted from the magnitude of CIR

measurements than the phase. This is due in part to the aliasing nature of the

(−π, π) phase signal. Although the phase was unwrapped, the unwrapping algorithm

was ignorant of the relationship between hc(n) and hc(n+1). This could have caused

discontinuities between subsequent measurements that may have introduced non-

reciprocities in some measurement pairs.

3.7 Conclusion

This paper presents a four switch system built from off-the-shelf hardware that

economically extends the usefulness of pre-existing radio channel measurement equip-

ment. By alternating the direction of measurement using RF switches, this sys-

tem allows a software radio with a single TX and single RX to make bi-directional

measurements. We presented design equations that take switch, channel and cable

characteristics into account in order to ensure that the leakage power is kept low.

These design equations can be applied to any similar four switch system. Using these

equations we showed the effect of switch characteristics on the expected linear range

of the system.

The switching system allowed the collection of bi-directional channel impulse

response measurements which were used to evaluate a new bit extraction algorithm.

67

This bit extraction method does not rely on the assumption of a static channel with

moving transmitters and receivers. Instead, it can take advantage of the dynamic

nature of the channel itself. We found that the bit extraction method produces

bits with a high entropy rate and characteristics consistent with those of random

bit sequences. The rate of bit extraction from CIR measurements is nearly 8 times

greater than the rate of bit extraction from RSS measurements for a 0.04 probability

of bit disagreement.

CHAPTER 4

RECIPROCAL FADING SIGNAL ESTIMATION

METHODS FOR SECRET KEY

ESTABLISHMENT

4.1 Abstract

Methods for secret key establishment (SKE) from bi-directional radio channel

measurements have largely assumed that measurements are made simultaneously.

Practical time-division duplex (TDD) transceivers measure the two directions of a

radio link at different times. Further, other users of the channel create multiple access

delays which result in random and irregular measurement times. In this paper we

explore estimation methods which allow two TDD transceivers on multiuser channels

to reduce the disagreement between their channel measurements, which improves their

ability to extract shared secret key bits from them. We present a novel estimation

method which uses side information to increase the bit extraction rate up to 50%

compared to without side information.

4.2 Introduction

Secret key establishment (SKE) from bidirectional channel measurements is a

method for two wireless devices to obtain a shared secret key without communicating

any information about the key to an eavesdropper. The two transceivers make

measurements of the multipath fading channel, which serves as a joint source of

randomness between them that is not known by an eavesdropper at a different

location, because the channel reflects the uniqueness of the time and space in which

it was created [6, 30, 61]. SKE is a tool for information theoretic security, which, in

69

contrast to computational security, makes no assumptions about the computational

limitations of an eavesdropper, but may require a secret key rate as high as the

information rate of the secret message being exchanged [64]. Thus increasing the

rate at which secret key bits can be reliably extracted from bidirectional channel

measurements is a critical requirement for practical systems. This paper provides

methods to increase the agreement between the two directional measurements and

thus increase the extraction rate.

The radio channel at the same frequency and same time is reciprocal, however,

bidirectional measurements of the channel are not. First, additive noise, interference,

and hardware differences cause errors in the channel measurements. Second, time-

division duplex transceivers are unable to transmit and receive simultaneously, thus

one cannot sample the two directions of the channel at the same time. In packet-

switched networks, measurements are made only when the devices are able to access

the channel to send a packet. In a multiuser channel, packets are delayed non-

deterministically by other users’ traffic, and thus measurements are made at random

and irregular intervals[58].

The non-identical, irregular measurement times in multiuser channels can cause

severe degradation in the performance of bit extraction methods. We first experienced

these problems during a demonstration of SKE on two 802.11 devices at the ACM

MOBICOM conference in 2010 [19]. While our SKE implementation worked well in

the lab, among a high density of active 802.11 devices in the demo session, our devices

experienced many very long multiple access delays, and as a result the bit extraction

rate was very low.

Our work addresses the practical, real-world problems caused in SKE from the use

of noisy channel measurements taken at non-identical, irregular sample times. These

problems are common to TDD devices which operate in multiple access channels.

We study, in particular, the estimation of what we term the reciprocal fading signal,

that is, the channel state between two transceivers which is measured in noise and

at different, potentially irregular, sample times at the two different devices. We

compare different interpolation and regression methods, including fractional delay

70

interpolation (FDI), polynomial interpolation (PI), and Gaussian processes regression

(GPR), which estimate the value of the reciprocal fading signal at common times. FDI

is used in related research [53], and we show it is insufficient in the case when channel

measurements are noisy and irregular. We also investigate the use of side information

(obtained from public discussion) at the two transceivers to increase performance,

in a method we call GPR with side information (GPRSI). We evaluate performance

using experimental measurements made with Nexus One phones (802.11) and TelosB

wireless sensors (802.15.4). We show, for example, that GPRSI can achieve a bit

extraction rate up to 50% higher than GPR.

We provide a short summary of related research in Section 4.3. In Section 4.4

we set up the problem. In Section 4.5 we examine four methods of estimating the

reciprocal fading signal using interpolation and regression. Section 4.6 describes the

differences in the two testbeds we use to experimentally evaluate the four estimation

methods. In Section 4.7 we show how these methods affect the bit extraction and the

error between Alice’s and Bob’s estimation. Section 4.8 forms the conclusion.

4.3 Related Research

Shared secret key extraction from channel characteristics was first described in [28].

Since then several efforts have designed and evaluated bit extraction schemes using

many different channel characteristics. Some of these characteristics are angle of

arrival [6], phase [28, 61] and received signal strength [45, 30, 53] ,[7, 71], [45]. Of these,

received signal strength (RSS) is most commonly studied because RSS measurement

capability is ubiquitous in standard commercial devices.

While signal processing has been used to increase the bit extraction rate in SKE

methods reported in the literature. Most of the signal processing techniques have

been computationally inexpensive such as a low pass filter [45, 71] fractional delay

interpolation [53] or ranking [20]. In all cases, these techniques have been performed

independently at the two nodes.

Public discussion between two parties is an important means to reliably establish

secret keys from shared random variables [46]. Usually this has included sharing

71

information about the collected measurements. Information has been shared to

facilitate various quantization methods [45, 53, 15] and for information reconciliation

[11] which corrects a small number of discrepancies between the shared secret keys.

How much of this information is exchanged and in what manner is carefully addressed

to keep the secret key safe from eavesdroppers. In this paper, we study the use of a

particular example of public discussion, that is, the exchange of one bit of information

about the measurement, in order to improve reciprocal fading channel estimation.

While public discussion for other tasks within bit extraction is common, few

estimation methods have taken advantage of information publicly shared between

Alice and Bob. In this paper we present a way for Alice and Bob to estimate

the reciprocal fading signal using Gaussian processes regression. Gaussian processes

regression (GPR) is a useful tool for wireless sensor networks that has been used

mainly to estimate a spatial field using data collected by sensors nodes. Examples

include GPR for environmental sensor networks [50], adaptive sampling [33] and

sensor network deployment [37]. GPR estimates the value of a signal at unobserved

points in time based upon observed measurements and a covariance function and,

unlike some interpolation techniques such as fractional delay interpolation, GPR can

take noisy measurements into account. Since it is possible for the two nodes to

share the covariance function as well as some information about the noise of each

measurement with respect to the actual fading signal, GPR can be used to improve

reciprocal fading channel estimation.

4.4 Problem Statement

We assume that Alice and Bob make measurements of a reciprocal channel. These

measurements are not identical due to noise and the inability of Alice and Bob measure

the channel at identical times. The object is to estimate the underlying reciprocal

fading signal, y(t), from these noisy, offset measurements.

Many channel characteristics can be used for secret key establishment (SKE), but

received signal strength (RSS) is most common. To measure the RSS, Alice and

Bob exchange n packets as fast as possible. Upon receipt of Alice’s ith packet, Bob

72

measures the RSS and sends a packet to Alice, who also measures RSS. After data

collection ends, Alice and Bob each have a vector of RSS values,

wc = [wc(1), . . . , wc(n)] (4.1)

where c ∈ {a, b}. We use subscripts a or b to refer to Alice and Bob respectively.

These measurements were made at times

tc = [tc(1), . . . , tc(n)] (4.2)

We assume that Alice and Bob are time synchronized and that error in measuring

the times tc or error due to clock-skew is much less than the smallest sample period,

T = tc(i+ 1)− tc(i). Alice and Bob also collect Nc calibration measurements that are

shared between the two nodes. Since the RSS values are exchanged over an unsecured

channel, we assume that an eavesdropper has knowledge of these measurements and

so they are not used as part of the secret key.

While the channel is reciprocal, Alice and Bob’s measurements, wc, are noisy, so

that,

wc(tc(i)) = y(tc(i)) + ε(tc(i)) (4.3)

where y(t) is the reciprocal fading signal sampled at times tc(i) and ε(t) is noise at

time tc(i). We assume that y(t) is a wide-sense stationary (WSS) process.

Equation 4.3 makes it clear that non-reciprocities, the reasons that wa(i) 6= wb(i),

come from two sources:

1. Alice and Bob are unable to measure the channel at identical points in time.

2. The measurements themselves are noisy.

The problem studied in this paper is to have Alice and Bob separately or with some

shared knowledge estimate the reciprocal RSS signal y(t) at common points in time.

We denote these common times as t∗,

t∗ = [t∗(1), . . . , t∗(n)] (4.4)

73

where t∗(1) < · · · < t∗(n), and generally the ith common time is between the ith

sample times of Alice and Bob, ta(i) ≤ t∗(i) ≤ tb(i). The problem then is for Alice

and Bob to estimate yc, where

yc = [yc(t∗(1)), . . . , yc(t∗(n)) (4.5)

for c ∈ {a, b}. Throughout this paper values of t∗ are calculated as,

t∗ =1

2(tb + ta) (4.6)

This paper explores polynomial interpolation, fractional delay interpolation and

Gaussian processes regression as ways of increasing the number of bits that can be

extracted by mitigating non-reciprocities in Alice’s and Bob’s measurements.

4.5 Estimation Methods

Interpolation and noise reduction with non-uniform samples is a general problem

with wide applicability. These problems are experienced regardless of measurement

type and regardless of the bit extraction methodology as long as the measurements are

TDD. While some systems can be designed to prioritize transmission and reception

for secret key extraction, practical systems will need to be robust to non-uniformity

in order to operate on general-purpose devices, in multiple-user interference and at

very low received power. In this section we describe four methods for mitigating noise

in bi-directional TDD channel measurements that can be categorized as interpolation

or regression.

In broad terms, interpolation is used to align sample instances or to find the value

of a signal at unobserved points in time when the signal is bandlimited, sampled

above it’s Nyquist rate with no noise, εc(i) = 0. Regression, on the other hand, is

used to estimate the real signal in the presence of noise. Since the measurements of the

reciprocal fading signal are both unaligned in time and noisy, it is possible that both

interpolation and regression are needed depending upon the wireless environment.

4.5.1 Polynomial Interpolation

In order to estimate the value of a signal at unobserved points in time t∗, poly-

nomial interpolation (PI) fits a polynomial of order q to measured values. For

74

band-limited signals, a cubic polynomial (q = 3) is often used since it is a reasonable

approximation of a sinc function [24]. The polynomial used to estimate the reciprocal

fading signal can be written as,

y(t∗(i)) = a3t∗(i)3 + a2t∗(i)

2 + a1t∗(i) + a0 (4.7)

The polynomial coefficients, a = [a1, a2, a3, a4], are found by solving a system of

equations:

Πa = wc (4.8)

where Π is tc(1)3 tc(1)2 tc(1) 1tc(2)3 tc(2)2 tc(2) 1tc(3)3 tc(3)2 tc(3) 1tc(4)3 tc(4)2 tc(4) 1

(4.9)

and wc = [wc(1), wc(2), wc(3), wc(4)]T

Solving for a,

a = Π−1wc (4.10)

the estimated reciprocal fading signal becomes,

y(t∗(i)) =[t∗(i)

3, t∗(i)2, t∗(i), 1

]Π−1wc (4.11)

where the coefficients of the polynomial filter are hPIc = t∗Π−1 and assuming Π is

invertible. The filter coefficients hPIc are only dependent upon the time at which the

reciprocal fading signal is estimated t∗(i) and the times at which the fading signal

was measured, tc.

If all adjacent sample instants, tc(i) and tc(i + 1), are the same distance apart

and the time value to be interpolated is delayed by the same amount with respect

to tc, the system of equations only has to be solved once. This is referred to as

fractional delay interpolation [24]. However, if tc(i+ 1)− tc(i) is not a function of i,

the system of equations must be solved for each set of four adjacent samples and new

filter coefficients found for each new interpolated time, t∗(i). The advantage of PI is

that it is able to interpolate any t∗(i) even with non-uniform samples.

75

4.5.2 Fractional Delay Interpolation

If the sampling period is constant, ie., T = tc(i+1)−tc(i) for all i and for c ∈ {a, b},

then a fractional delay interpolation (FDI) filter can be used to mitigate half-duplex

noise. FDI filters have been used to synchronize sampling in digital modems and

in sound recording [38]. Similarly to PI, we want to to estimate the value of the

reciprocal fading signal, y(t), at unobserved points in time, t∗. The estimated signal

is,

y(t∗(i)) = hFDIc (4)wc(i− 2) + hFDIc (3)wc(i− 1) + (4.12)

hFDIc (2)wc(i+ 1) + hFDIc (1)wc(i+ 2)

The polynomial interpolator is a general case for FDI.

If Alice and Bob are sampling at the same rate, the fractional delay between the

ith measurement by Alice, wa(i), and the ith measurement made by Bob, wb(i), is,

µ =1

2

[tb(i)− ta(i)

T

](4.13)

where tb(i) and ta(i) are the arrival times of the ith packet at Bob and Alice respec-

tively and T is the (constant) sample period.

We implement two fractional delay filters, one each at Alice and Bob. W.l.o.g. we

assume that ta(i) < tb(i) so that µ > 0. If we interpolate points in wa so that the ith

sample is delayed by (1 + µ)T and interpolate points in wb so that the ith sample is

delayed by (1−µ)T , we would have nearly simultaneous measurements. These delays

can be broken down into fractional, µ, and integer, d, delays. At each node:

µa = µ µb = 1− µ da = 1 db = 0 (4.14)

We implement the cubic Farrow filter [24]. For c ∈ {a, b}:

hFDIc =[µ3c/6− µc/6,−µ3

c/2 + µ2c/2 + µc,

µ3c/2− µ2

c + 1,−µ3c/6 + µ2

c/2− µc/3]T

(4.15)

Assuming a uniform sample period t∗ = ta + µ = tb + T − µ. Figure 4.1(a) shows

a diagram of the sampled and interpolated time instances for uniform measurements.

76

For non-uniform samples, Figure 4.1(b), the interpolated times are no longer aligned

at Alice and Bob and ta + µ 6= tb + T − µ. Polynomial interpolation and Gaussian

processes regression, which we discuss in the following sections, are able to interpolate

values that even with non-uniform samples are aligned in time as shown in Figure

4.1(c). To make a fair comparison between those and fractional delay interpolation

we will assume that t∗ is still half way between Alice’s and Bob measurements as in

(4.6)

4.5.3 Gaussian Processes Regression

Gaussian process regression (GPR), known as kriging in the field of geostatistics,

can be used for interpolation or regression. A Gaussian process is completely specified

by its mean function and covariance function [59]. While wc is not exactly Gaussian,

previous analysis using the assumption of a Gaussian distribution for similar data has

been demonstrated to be experimentally accurate [53]. The mean function m(t) and

the covariance function k(t, t′) of a real process y(t) are defined as,

m(t) = E[y(t)] (4.16)

k(t, t′) = E[(y(t)−m(t))(y(t)−m(t)′)] (4.17)

If we could measure the real y(t), and given m(t) = 0, the joint distribution of

the n observations, yc at times tc, and the n∗ targets or unobserved points y∗ =

[y∗(i), . . . , y∗(n∗)], at times t∗ = [t∗(1), . . . , t∗(n∗)] is,[yy∗

]∼ N

(0,

[K(t, t) K(t, t∗)K(t∗, t) K(t∗, t∗)

])(4.18)

where [K(t, t∗)]ij = k(t(i), t∗(j)) and [K(t, t)]ij = k(t(i), t(j)). Essentially, K(t1, t2)

is the covariance matrix of y(t1) and y(t2)), for some vectors of sample times t1, t2.

If noise is present, the function y(t) cannot be accurately determined and instead

a noisy version is obtained: wc(i) = y(tc(i)) + ε. If the additive noise, ε, is i.i.d

Gaussian noise with variance σ2ε , the prior on the noisy observations becomes,

cov(wc) = K(tc, tc) +Kε (4.19)

77

where Kε = σ2ε I and assuming ε and y(t) are uncorrelated. The joint distribution of

the observed values, wc = [wc(1), . . . , wc(n)], and the target values under the prior

are [wc

y∗

]∼ N

(0,

[K(tc, tc) +Kε K(tc, t∗)K(t∗, tc) K(t∗, t∗)

])(4.20)

From this distribution, predictive equations for the target values can be derived as

y∗|wc ∼ N (y∗, cov(y∗)) (4.21)

y∗ = K(t∗, tc)[K(tc, tc) +Kε]−1wc, (4.22)

cov(y∗) = K(t∗, t∗)−K(t∗, tc)[K(tc, tc) +Kε]−1K(tc, t∗) (4.23)

where y∗ in (4.22) is the predicted mean value of y(t) at times t∗. We use y∗, which is

the minimum mean square error (MMSE) estimator [77], as our estimate of the real

fading signal, y(t∗).

While it would be possible, if computationally expensive, to perform Gaussian

processes regression over an entire dataset, similar results can be obtained if the

dataset is split into subvectors and GPR performed over each subvector. The length

of a subvector is determined in part by the estimated covariance function. We chose

a subvector length of J = 200 for the 802.11 RSS data and J = 100 for the 802.15.4

RSS data.

4.5.3.1 Covariance Function

For time-series data, the covariance function relates how much two variables

change together verses separation in time. If the covariance function is not known it

is to common to use a general covariance function such as the Matern or Euclidean

functions [67]. However, for RSS data, we are able to find a covariance function for

each dataset using the Nc calibration measurements that Alice and Bob have shared

between themselves.

For uniformly sampled wide sense stationary data, estimating the covariance

function k(t) is straight forward. First finding the covariance matrix as

Kwa,wb= 1

2j−1

[∑ji=1(w

(i)a − µa)(w(i)

a − µa)T+ (4.24)

(w(i)b − µb)(w

(i)b − µb)T

]

78

where µc is the mean value of wc and w(i)c is the jth sub vector of length j = 200 at

node c. The covariance function k(t) is the j2

row of Kwa,wb.

For non-uniformly sampled data, we can use the Wiener-Khintchine theorem to

estimate the covariance function. The Wiener-Khintchine theorem relates the power

spectral density (PSD) of a signal, w(t), to its autocorrelation function. The cross

spectral density of wa(ta) and wb(tb) is,

Sa,b(f) = 1NK

∑Kk=1

[∑Nn1=1wa(n1 + k)e−j2πfta(n1+k) (4.25)∑N

n2=1wb(n2 + k)e−j2πf [tb(n2+k)]

where f is the frequency of interest and wc is wide sense stationary. The auto

covariance function Ra,b(τ), is then calculated as the inverse Fourier transform of

Sa,b(f), by the Wiener-Khintchine theorem [77]

4.5.4 Gaussian Processes Regression with Side Information

Many forms of exchange of information between Alice and Bob are used in SKE

research to improve the reliability and secrecy of extracted keys, including methods

called information reconciliation [11] and public discussion [46]. We suggest that such

methods can be used to improve the estimate of the reciprocal fading channel. In

order to investigate this, we propose one method based on Alice and Bob exchanging

one bit of information, which we call an ”e-value”, about their measurements

In order to improve reciprocal fading channel estimation, Alice and Bob publicly

exchange one bit of information about each wc(i) measurement and incorporate this

measurement in GPR. This one bit of information will allow Alice and Bob to decide

if their measurements are likely to agree when quantized. Then, based on this side

information they alter theirKε matrix in (4.20 - 4.23) toKε = diag([γ2(1), . . . , γ2(n)]).

How γ2(i) is set is explained below.

Although this method is based on GPR, due to the incorporation of side informa-

tion it is not rigorously GPR for two reasons. First, knowing one bit of information

changes the distribution of the measurements so the measurements can no longer

be assumed to resemble a Gaussian distribution. Second, knowledge of the side

79

information received by Alice and Bob alters the conditional covariance of wc and y∗

in a very complicated way. Although the actual covariance matrix of wc and y∗ given

the side information has every element altered compared to (4.20), for simplicity,

we alter only the variance of the elements of wc, that is, the diagonal elements of

Cov(wc). We show in the results that the incorporation of this side information,

although a heuristic in some sense, allows us to better estimate y(t) at both Alice

and Bob in order to extract more bits.

4.5.4.1 Public Exchange of Side Information

Alice and Bob each quantize their measurements, wa and wb, into K number of

bins and assign each measurement an e-value based on the bin. The measurements

that fall into odd numbered bins are 0’s and the measurements that fall into the

even numbered bins are assigned 1’s. Alice and Bob then exchange their vectors of

e-values. The bins must be determined so that Eve does not learn anything about

the expected value of wc(i) given e(i). There are many possible ways to achieve this,

but here we place values in bins based upon the distribution of wc.

The bin thresholds are found so that the probability of a single measurement

being assigned an e-value of 0 or 1 is equally likely. We look at the cumulative

distribution function (CDF) of the measurements to determine the thresholds. Lef

Fi(w) = P [wa(i) ≤ w] be the CDF of wa. For K is odd, the bin thresholds, ηk, are

determined as

ηk = F−1(

2k − 1

2(K − 1)

), for k = 1, . . . , K − 1 (4.26)

and η0 = −∞ and ηK = ∞. If K = 3 then η = [−∞, F−1(14), F−1(3

4),∞]. The n

measurements, wc, are then quantized so that

k(i) = maxk{k s.t. wa(i) > ηk} (4.27)

and we define e(i) as

e(i) = k(i) mod 2 (4.28)

for each measurement, i = 1, . . . , n.

80

If K odd it is possible to assign bins without the e-values giving away information

about the expected value of wc(i), although it can be said that measurements with

e = 1 have a higher sample variance than measurements with e = 0. We do not

consider the case of K even because it is not possible to assign e-values without

giving information about the expected value of wc(i).

4.5.4.2 Setting γ2(i)

The values of γ2(i) where ea(i) 6= eb(i) should be larger than γ2(i) the values

where ea(i) = eb(i). To that end we use two parameters Pa and Pd and define γ2(i)

as

γ2(i) =σ2ε

1Pa

for ea(i) = eb(i),

σ2εPd for ea(i) 6= eb(i)

(4.29)

where σ2ε can be estimated as

σ2ε =

1

n

n∑i=1

(wa(i)− wb(i))2 (4.30)

We discuss these parameters further in Section 4.7.

4.6 Experiment

In this section, we describe the RSS data sets which we have collected using two

different transceiver hardware testbeds. We collect 31 total data sets from the two

testbeds, a total of 213,000 samples of the RSS over 75 minutes of data collection.

This extensive experimental data allows us to provide, in Section 4.7, a quantitative

analysis analysis of the performance of methods propose in Section 4.5.

4.6.1 PHY layer and RSS Measurement

To ensure broad applicability of the results to RSS-based SKE, we use hardware

from two common TDD wireless standards in our experimental evaluation. The first

testbed uses commodity IEEE 802.15.4 radio hardware (MEMSIC TelosB devices),

similar to that previously used in experimental SKE papers [53, 20, 56, 2]. The

second testbed uses two smartphones (Google / HTC NexusOne phones) which are

programmed to communicate via IEEE 802.11b/g.

81

To collect the 20 802.15.4 radio hardware datasets, one node was placed on a

desk while the second node was moved randomly to induce narrow band fading.

The distance between the two nodes was slightly over 1 meter. Half of the 20

datasets collected using the 802.15.4 radio hardware were made in the presence of

802.15.4 interference. To create interference, three additional TelosB sensor nodes

were programmed to take turns transmitting on the same channel as Alice and Bob.

Also, the transmit power was also varied. Fifteen datasets had a transmit power

greater than -5 dBm and five had a transmit power lower than -10 dBm.

Using the IEEE 802.11-based smartphones we collected 11 data sets each with

6000 measurements. One smartphone, Alice, was placed on a desk, while the second

phone Bob was moved randomly to induce narrowband fading in the channel. The

distance between Alice and Bob was approximately 0.75 meters. All 11 data sets were

collected in the same manner with no changes to the default transmit power.

4.6.2 Sample Variance

In free-space with a static channel, bit extraction would be ineffective. The source

of the bits in the secret key is the randomness in the channel due to narrowband

fading. The more the channel varies over time, the more bits it is possible to extract.

We can estimate the variance of the sampled reciprocal fading signal, σ2w, as

σ2w =

1

n

n∑i=1

(wc(i)− µw)2 (4.31)

where the mean, µw, is estimated from

µw =1

n

n∑i=1

wc(i) (4.32)

The sample variances for 802.15.4 RSS measurements in Figure 4.2(a) was around 40,

while the sample variances for 802.11 RSS measurements in Figure 4.2(b) was about

14 on average.

The reason for the difference in σ2w for 802.15.4 and 802.11 is the channel band-

width – 20 Mhz for 802.11 and 5 Mhz for 802.15.4. With 802.11, the RSS is calculated

for a signal over a bandwidth 4 times as wide so the channel gain is not as affected by

82

narrowband fading. Since the fading signal is the signal of interest, the signal power

is reduce when wideband RSS measurements “average out” the fading. Counterintu-

itively this reduces the number of bits can be extracted. The RSS quantization levels

for the two devices are identical – an increase of 1 dB received power with respect to

the mean produces an increase of 1 RSSI.

4.6.3 Sampling Non-uniformity

Sampling non-uniformity in 801.11 devices can be related to a large body of

research that looks at packet delay caused by the distributed coordination function

(DCF) [10, 14]. The DCF uses channel sense multiple access with collision avoidance

to maximize channel throughput and ensure every user has equal access. While most

packets are transmitted with relatively short delays, other packets suffer a much

higher delay than average due to the exponential increase in backoff period when

transmission fails. For the purposes of bit extraction, one sample period, ie. the time

between two adjacent measurements by Alice, is composed of:

1. Time delay, δa, for Alice to send a packet to Bob

2. Time, δo, for Bob to receive and process packet. This is assumed constant.

3. Time delay, δb, for Bob to send a packet to Alice

The distribution of time delays, δa and δb, are essentially the same as the distribution

of packet delay in [10, 14] which is affected by the number of users wishing to transmit

and the maximum backoff period, Wi.

Figure 4.3 shows the difference between the distribution of sample periods for

802.15.4 and 802.11 devices. In our experiments, the 802.15.4 devices are operated

on a channel (26) that does not interfere with 802.11 b/g traffic – thus these devices

operate largely without outside interference and the majority of sample periods are

reliably between 15-17 ms, as shown in Figure 4.3(a). In contrast, the 802.11 devices

experience significant multi-user interference, particularly in buildings with many

deployed WiFi access points, as is the case in our experiments. Due to the 802.11

MAC layer, the delay for a device transmitting a packet can be very significant. As

83

shown in Figure 4.3(b), while the 802.11 devices can sample up to two times faster

than the 802.15.4 devices the maximum time between sample points is as much as

six times greater than the average. The distribution for δa + δb + δo in Figure 4.3(b)

is very close to the distribution found in [58]. It is very heavy tailed and has a large

variation in sample period.

4.7 Results

In this section we look at the these four estimation methods, fractional delay inter-

polation (FDI), polynomial interpolation (PI), Gaussian processes regression (GPR)

and Gaussian processes regression with side information (GPRSI), qualitatively and

quantitatively. First we determine how to set parameters Pa and Pd for GPRSI using

the normalized root mean square error between ya(t∗) and ya(t∗), as a metric. Then

we plot the estimated reciprocal fading signal, yc(t∗), and compare the results over

a very small set of points to qualitatively show under what conditions each of these

methods performs best. Since all four methods can be viewed as a filter, we the

compare the frequency response and show that while FDI and GPRSI filters have

frequency responses that tend to match, PI does not. Then we look at the error

between ya(t∗) and ya(t∗) for FDI, PI, GPR and GPRSI. Finally we compare the four

methods with respect to a bit extraction method.

4.7.1 Performance Metrics

While it is not possible to calculate the root mean square error (RMSE) between

the noisy measurements, wc, and the reciprocal fading signal y(t), we can evaluate

the error between Alice’s estimate of y(t), ya(t∗), and Bob’s estimate of y(t), yb(t∗).

Because GPR and GPRSI tend to reduce the range of values and therefore the

apparent RMSE, we use normalized RMSE. NRMSE is RMSE scaled by the standard

deviation of ya.

NRMSE(ya, yb) =

√∑Ni=1(ya(i)− yb(i))2∑Ni=1(ya(i)− µa)2

While increasing the number of bits extracted is the final goal of these estimation

methods, the bit extraction algorithm adds another layer of complexity. We use

84

NRMSE to make analysis of these results applicable to other bit extraction methods,

not just the one used in a following subsection.

4.7.2 GPRSI Parameter Selection

Figure 4.4 shows the NRMSE between Alice’s and Bob’s estimate of y(t) for

values of parameters Pa and Pd using the 802.11 based devices. Given this plot we

choose Pa ≈ 0.5 and Pd ≈ 15. These values are approximate since there is very little

difference in the NRMSE for Pa = 0.5 and Pa = 1 or between difference values of Pd

when Pd > 10.

4.7.3 Example

Figure 4.5 shows data collected by the 802.11 devices and the interpolated data

using (a) FDI, (b) PI, and (c) GPRSI. Because the interpolating polynomial for

PI yc(t∗(i) (4.11), is constrained to go through the sampled points, noise in those

measurements over larger gaps in the data can cause the sampling polynomial at

Alice to be very different from Bob’s. However, using FDI or GPR, Alice’s and Bob’s

estimated signals match quite well. The results for GPR and GPRSI are very similar,

so GPR is not shown.

Unlike, PI and FDI, GPR and GPRSI can be used for regression. Figure 4.7 shows

data that has been estimated using (a) PI and (b) GPR. Because the interpolating

polynomial is constrained to go through the sampled points, it cannot be used to

mitigate quantization noise. On the other hand, because noisy measurements can be

accounted for in GPR, some of the quantization noise can be removed.

4.7.4 Filter Response

Each of these four methods can be viewed as a filter and characterized in terms

of frequency response. The frequency response is found using a non-uniform discrete

Fourier transform (NDFT) which is defined as:

H(f(k)) =N−1∑n=0

hc(n)e−jtc(n)2πf(k) (4.33)

85

where hc are the filter coefficients, tc are the times over which the filter is applied and

f(k) is the kth frequency at which the Fourier transform is evaluated. For PI and

FDI, N = 4. The filter coefficients for FDI are printed in (4.15). Filter coefficients

for GPR are found from the K(t∗, tc)[K(tc, tc) +Kε]−1 term of (4.22). Because GPR

and GPRSI is applied over subvectors of length 200, N = 200.

The frequency response for the FDI filter is shown in Figure 4.6(a) for t∗(i) = 0.60.

The filter response at Alice is very similar to Bob’s filter. The frequency response for

the PI filter is shown in Figure 4.6(b). It becomes a high pass filter over long gaps

between samples, but the larger problem is that the two filters at Alice and Bob do

not match. The frequency response for GPR is shown in Figure 4.6(c). Although not

identifiable as a particular type of filter, the responses at Alice and Bob match quite

well.

4.7.5 Normalized Root Mean Square Error

Figure 4.8 (a) shows the cumulative distribution function (CDF) of the NRMSE

over the 802.11 datasets of the original RSS measurements, wc, and the reciprocal fad-

ing signal estimated using PI, FDI, GPR and GPRSI. Of these methods, PI increases

the NRMSE between Alice and Bob’s measurements compared to the unprocessed

measurements. FDI, GPR and GPRSI all reduce the NRMSE compared to the

original measurements for all datasets, except for one dataset in the case of GPR. In

all cases, GPRSI performs better than the other methods.

The same type of analysis is shown in Figure 4.8 (b) for the 802.15.4 datasets.

Again, PI increases the NRMSE compared to the original measurements. The differ-

ence in FDI vs. the Gaussian processes methods is not as apparent in the 802.15.4

datasets, although GPR and GPRSI are an improvement. The difference between

GPR and GPRSI is negligible. One conclusion we can draw from the differences

between Figure 4.8 (a) and Figure 4.8 (b) is that given the smaller amount of

improvement in GPRSI vs. FDI, the non-reciprocities in reciprocal 802.15.4 RSS

measurements are due in greater proportion to the inability of Alice and Bob to

measure the channel simultaneously than those in 802.11 RSS measurements.

86

In the second experiment we simulated dropped packets in 802.15.4 measurements

by removing the ith sample from wa and wb with probability p. The removal

probability for samples i and j, where i 6= j, are independent. Increasing variability in

the range of sample periods results as the probability of dropping a packet increases.

We plot the bits per sample extracted using GPR, GPRSI, FDI and PI as p increases

from 0 to 0.6 vs. NRMSE disagreement in Figure 4.9. As p increases, the performance

of FDI degrades more rapidly than GPR and GPRSI.

4.7.6 Bit Extraction

Adaptive ranking based uncorrelated bit extraction ARUBE [20] has been used

with RSS measurements made by 802.15.4 based wireless sensors. It has four steps:

interpolation, ranking, decorrelation and quantization. The effectiveness of this

method can be evaluated by looking at the number of bits extracted per sample or the

number of bits extracted per second against the probability of bit disagreement, Pbd.

Fewer samples must be collected to create a shared secret key if the bits extracted

per sample is high, saving both the energy required to transmit a packet and the time

required to so do. Because information must be publicly exchanged to correct bit

disagreement, a lower Pbd will keep more information secret from Eve. It is difficult

to obtain a high rate of bit extraction and a low Pbd.

While judging the performance of estimation methods is made more complex by

using the number of bits extracted as a metric, inclusion of this section is important.

A simple low pass filter would also reduce the NRMSE, but at the expense of removing

information in the signal that could be used as bits in the secret key.

4.7.6.1 802.15.4 Sensor Nodes

In the first experiment with 802.15.4 sensor nodes we decremented the transmitted

power over 17 datasets. At very low received power, RSS data collected by 802.15.4

based sensor nodes has some of the same properties as the 802.11 RSS data: low

sample variance, σ2w, and non-uniform sampling. As the sample variance decreases,

Gaussian processes regression becomes more useful.

Figures 4.10(a,b,c) show the averge of (7, 4, 6) datasets respectively of decreasing

87

sample variance for PI, FDI and GPR. Table 4.1 shows the average sample variance

σ2w for each figure. We used these groupings to keep datasets with similar sample

variance together. As the received power decreases, the number of dropped packets

increases, the noise due to quantization increases and there is a greater non-uniformity

in sampling instants. The decrease in bits per second as the sample variance decreases

is due not only to fewer bits being extracted but to the decrease in the number

of samples per second collected by the nodes because of the dropped packets. By

comparing the ’Bits per Second’ and ’Bits per Sample’ axes of the three plots we can

see that, 0.6 bits per sample results in 24, 14 and 11 Bits per Second as the sample

variance decreases.

4.7.6.2 802.11 Smartphones

We found that for this bit extraction method, polynomial interpolation produces

worse results than using the original measurements, so we only compare GPR, GPRSI

and FDI.

Figure 4.11 (a) shows the bits extracted per second for yc(t∗) using GPR and

GPRSI. Unlike the 802.15.4 datasets the inclusion of side information increases the

number of bits extracted for most datasets. The greatest improvement in bits ex-

tracted per second is seen in datasets that produce the least number of bits. These are

the datasets that also have the smallest sample variance and the largest quantization

noise. Comparing GPR to FDI in Figure 4.11(b), GPRSI can improve the number of

bits extracted per second by up to 50% for some datasets.

4.8 Conclusion

In real-world wireless networks, SKE must extract bits from noisy measurements

taken at irregular intervals. In these situations, we show that standard SKE methods

perform poorly. In this paper we investigate four methods that allow legitimate

users Alice and Bob to obtain improved estimates of the reciprocal fading channel.

We found that in cases with high SNR, even those with moderate non-uniform

sampling characteristics, fractional delay interpolation performs very well, reducing

the NRMSE between Alices and Bobs estimates and increasing the bit extraction

88

(a)

(b)

(c)

-Alice samples -Bob samples - new times, t *

...

...

...

...

...

...

...

...

...

...

...

...

time

time

time

Figure 4.1. Diagram shows placement of Alice’s (�) and Bob’s (©) measurementsat times tc with the placement of interpolated values t∗ (‖). (a) Fraction delayinterpolation interpolates a value half way between Alice’s and Bob measurementsif the sample period is constant. (b) With non-uniform measurements fractionaldelay interpolation results in unaligned interpolated time instants. (c) Polynomialinterpolation and Gaussian processes regression are able to interpolate measurementsat identical time instants.

Table 4.1. Datasets of decreasing sample variance# of Datasets Average σ2

w

Figure 4.10 (a) 7 36.2Figure 4.10 (b) 4 17.9Figure 4.10 (c) 6 7.4

89

−20 −15 −10 −5 0 5 10 15 20RSSI, mean removed

0.00

0.02

0.04

0.06

0.08

0.10

0.12

Pro

babilit

y

dataset f

dataset n

(a)

−20 −15 −10 −5 0 5 10 15 20RSSI, mean removed

0.00

0.02

0.04

0.06

0.08

0.10

0.12

0.14

0.16

Pro

babilit

y

dataset A

dataset B

(b)

Figure 4.2. Distribution of measured RSSI values for datasets collected (a) by802.15.4 based devices and (b) 802.11 based devices. The sample variance, σ2

w for (a)is larger than that of the measurements of (b).

90

0.005 0.010 0.015 0.020 0.025 0.030 0.035 0.040Sample Period (s)

0.00

0.05

0.10

0.15

0.20

0.25

0.30

0.35

0.40

Pro

babilit

y

dataset f

dataset n

(a)

0.005 0.010 0.015 0.020 0.025 0.030 0.035 0.040Sample Period (s)

0.00

0.05

0.10

0.15

0.20

0.25

0.30

0.35

0.40

Pro

babilit

y

dataset A

dataset B

(b)

Figure 4.3. Distribution of sample periods for (a) two datasets made with 802.15.4based wireless sensors and (b) two datasets from 802.11 based devices.

91

rate. For signals with low signal power, or with highly variable sample periods, GPR

performs better in terms of NRMSE and the number of bits extracted at the expense of

much more computation. We present a reciprocal fading channel estimation method

which uses side information obtained from public discussion, which we call GPRSI,

and show that it is able to extract secret key bits at a rate up to 50% higher than

with GPR.

The computation required by GPRSI is more significant than with FDI, but

GPRSI can extract secret key bits more quickly. Future work may address the tradeoff

between communication energy and time saved by the increased bit rate of GPRSI,

versus the lower energy used in computation in FDI. In addition, adaptive methods

may be developed which allow devices to change estimation method based on the

multi-user access delays or packet error rate they experience.

92

0 20 40 60 80 100

Pd

0.150

0.155

0.160

0.165

0.170

0.175

NRMSE(y

a,y

b)

Pa =0.1

Pa =0.5

Pa =1

Pa =3

Figure 4.4. NRMSE between ya and yb for GPRSI with different values for Pa andPd. Overall, GPRSI for 802.11 RSS measurements performs best with Pa ≈ 0.5 andPd ≈ 15.

93

0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0

time (s)

−6

−4

−2

0

2

4

6

RSS

FDI ya (t ∗)

FDI yb (t ∗)

(a)

0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0

time (s)

−6

−4

−2

0

2

4

6

RSS

PI ya (t ∗)

PI yb (t ∗)

(b)

0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0

time (s)

−6

−4

−2

0

2

4

6

RSS

GPRSI ya (t ∗)

GPRSI yb (t ∗)

(c)

Figure 4.5. (a) Fractional delay interpolation used to estimate the reciprocal fadingchannel from non-uniformly sampled RSS measurements made by two 802.11 devices.(b) Polynomial interpolation. (c) Gaussian processes regression. Solid lines are theestimated signal yc(t∗), dotted lines are the RSS measurements wc.

94

0 10 20 30 40 50Frequency, Hz

0.0

0.5

1.0

1.5

2.0

Magnit

ude,

|H(f

)|

HFDIa

HFDIb

(a)

0 10 20 30 40 50Frequency, Hz

0.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

4.0

Magnit

ude,

|H(f

)|

HPIa

HPIc

(b)

0 10 20 30 40 50Frequency, Hz

0.0

0.5

1.0

1.5

2.0

Magnit

ude,

|H(f

)|

HGPRSIa

HGPRSIb

(c)

Figure 4.6. Filter response for (a) fractional delay interpolation, (b) polynomialinterpolation and (c) Gaussian processes regression at interpolated time instantt∗(i) = 0.60.

95

31.04 31.06 31.08 31.10 31.12 31.14

time (s)

−5

−4

−3

−2

−1

0

1

2

3

4

RSS

wa

wb

PI ya (t ∗)

PI yb (t ∗)

(a)

31.04 31.06 31.08 31.10 31.12 31.14

time (s)

−5

−4

−3

−2

−1

0

1

2

3

4

RSS

wa

wb

GPRSI ya (t ∗)

GPRSI yb (t ∗)

(b)

Figure 4.7. (a) Polynomial interpolation used to estimate the reciprocal fadingsignal for 802.11 RSS measurements (b) Estimation using GPRSI. Root mean squareerror (RMSE) for the displayed data is (a)0.627 and (b)0.222.

96

0.12 0.14 0.16 0.18 0.20 0.22 0.24 0.26 0.28 0.30

Normalized RMSE(ya ,yb )

0.0

0.2

0.4

0.6

0.8

1.0

Cum

ula

tiv

e D

istrib

utio

n F

unctio

n

wc

PI y(t∗)

FDI y(t∗)

GPR y(t∗)

GPRSI y(t∗)

(a)

0.2 0.4 0.6 0.8 1.0

Normalized RMSE(ya ,yb )

0.0

0.2

0.4

0.6

0.8

1.0

Cum

ula

tiv

e D

istrib

utio

n F

unctio

n

wc

PI y(t∗)

FDI y(t∗)

GPR y(t∗)

GPRSI y(t∗)

(b)

Figure 4.8. Normalized root mean square error (NRMSE) for error between theoriginal measurements at Alice, wa, and Bob, wb and error between the estimationsof the reciprocal fading signal using polynomial interpolation (PI), fractional delayinterpolation (FDI), Gaussian processes regression (GPR) and Gaussian processesregression with side information (GPRSI) for (a) 11 802.11 datasets and (b) 20802.15.4 datasets

97

0.0 0.1 0.2 0.3 0.4 0.5 0.6 0.7Probability of Packet Drop, p

0.15

0.20

0.25

0.30

0.35

0.40

0.45

0.50

0.55

NR

MSE(y

a,y

b)

Figure 4.9. Plot of NRMSE as the probability of dropping a packet, p, increasesfor FDI (- -), GPR (..) and GPRSI (–), then plotting the average of the top sevendatasets (?), middle six datasets (•) and bottom seven datasets (I) with respect toNRMSE

98

0.00 0.01 0.02 0.03 0.04 0.05 0.06 0.07Probability of Bit Disagreement, P

bd

0

5

10

15

20

25

30

35

40

45

Bit

s p

er

Second

PI

GPR

FDI

0.0

0.2

0.4

0.6

0.8

1.0

Bit

s p

er

Sam

ple

(a)

0.00 0.01 0.02 0.03 0.04 0.05 0.06 0.07Probability of Bit Disagreement, P

bd

0

5

10

15

20

Bit

s p

er

Second

PI

GPR

FDI

0.0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

Bit

s p

er

Sam

ple

(b)

0.00 0.01 0.02 0.03 0.04 0.05 0.06 0.07Probability of Bit Disagreement, P

bd

0

2

4

6

8

10

12

14

16

Bit

s p

er

Second

PI

GPR

FDI

0.0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

Bit

s p

er

Sam

ple

(c)

Figure 4.10. Comparison of PI, FDI and GPR with (a) highest, (b) middle and (c)lowest sample variance σ2

w. GPR is an improvement over FDI only at lower samplevariances.

99

0.00 0.02 0.04 0.06 0.08 0.10Probability of Bit Disagreement, P

bd

0

5

10

15

20

25

30

35

40

Bit

s p

er

Second

(a)

0.00 0.02 0.04 0.06 0.08 0.10Probability of Bit Disagreement, P

bd

0

5

10

15

20

25

30

35

40

Bit

s p

er

Second

(b)

Figure 4.11. Bits extracted per second vs. probability of bit disagreement (Pbd)for 13 datasets. Data processed using GPR (..), GPRSI ( - ) or FDI ( - - ) thenplotting the average of the top four datasets (?), middle five datasets (•) and bottomfour datasets (I) with respect to bits extracted per second. (a) Compares GPR andGPRSI (b) Compares FDI and GPRSI

CHAPTER 5

CONCLUSION

This chapter will summarize key findings before suggesting areas for future work.

5.1 Key Findings

While the wireless channel has the requisite conditions as a source for shared secret

keys, namely randomness and reciprocity, practical considerations such as the time-

division duplex nature of channel sampling, differing hardware characteristics between

users, temporal correlation between measurements and the necessity of sharing the

channel with other users are continuing challenges. This research aims to reduce or

remove the non-idealities and noise of the reciprocal channel measurement process in

order to increase secret key bit rate while maintaining an uncorrelated bit stream.

Wireless sensor networks have a intrinsic need for a way of securing communica-

tions that does not involve a central server or an excessive use of on node storage

space. By using randomness inherent in the wireless channel, it is possible to avoid

the predistribution of shared keys, which for large networks becomes a strain on

limited storage space, and the need for a central server which depending upon network

conditions may not be connected to the network. One of the challenges of bit

extraction is that in order to measure the channel the two nodes must communicate

which for sensor nodes communication is energy intensive. To extend the life of the

network it is advantageous to extract as many bits as possible from each measurement.

To that end, various methods of mitigating non-reciprocities in the measurement were

explored including fractional delay interpolation and ranking.

Ranking addresses the differences in hardware that will be inevitable in heteroge-

neous networks and are present even in supposedly identical transceivers. As long as

the relationship between received power and RSS is monotonically increasing, ranking

101

will remove non-reciprocities between radios that result from differing transmit powers

and RSSI circuit variations. The introduction of ranking increased the number of bits

extracted from 802.15.4 TelosB RSS measurements by up to 30%.

Temporal correlation between measurements is another limiting factor that was

addressed which is useful both for sensor nodes and devices which are less resource

constrained. Correlated bits which can result from correlated measurements weaken

the strength of the shared secret keys. In order to prevent this, measurements can

be decorrelated before bit extraction. Decorrelation is a relatively computationally

complex operation in comparison to other bit extraction steps, so it is necessary to

find the minimum number of measurements that can be decorrelated while ensuring

an independent bit stream. For 802.15.4 RSS measurements it is possible maintain

an uncorrelated bit stream if more than about 35 samples or 0.7 seconds of data are

decorrelated at a time.

Experimental research into bit extraction from channel impulse response (CIR)

measurements is scarce compared to research into RSS measurements. Much of the

difference can be attributed to the expense of channel sounding equipment. It is pos-

sible however, to build a inexpensive electronically controlled switching system that

allows existing single transmitter/single receiver equipment to make bi-directional

measurements. The components of this system are easy to obtain and with the

design equations a similar system is straight forward to build. The hope is that this

design will allow further work into bit extraction for CIR measurements.

CIR measurements include both magnitude and phase information. The number

of bits extracted from the magnitude information was 8 times greater than the number

of bits extracted from the phase information. A large part of the discrepancy is that

phase wraps from 2π to 0. While the CIR measurements are two-dimensional (time

and time delay), the unwrapping algorithm for phase only operated along the time

delay axis and did not take the second dimension into account.

A demo using 802.11-based smartphones brought to light differences in 802.11

and 802.15.4-based wireless devices. Devices using 802.11 must share the channel

with other users which can result in a non-deterministic packet delay. In a very

102

busy wireless environment, the distribution of packet delay is heavy-tailed which

means that measurements of the reciprocal fading signal become very non-uniform.

In addition, Alice and Bob are unable to measure the channel simultaneously due to

the half-duplex nature of the wireless channel. Previous research used fractional delay

interpolation to correct this offset, however fractional delay interpolation degrades

quickly in the presence of highly variable sample periods. Unlike fractional delay,

Gaussian processes regression can be used to estimate the true fading signal in the

presence of non-uniform sampling. In addition, it is possible to incorporate public

discussion between Alice and Bob to obtain a more accurate estimation of the true

reciprocal fading signal. Using this method Alice and Bob to extract 50% more bits

from 802.11 RSS measurements.

5.2 Future Work

The field of secret key establishment has many possible avenues for future research.

Continuing to increase the bit extraction rate either by using signal processing tech-

niques, quantization and coding methods or hardware improvements, is one of the

obvious avenues. It is important because in order to maintain information theoretic

security the secret key bit rate must match or exceed the information bit rate. The

keys must be random, so another avenue is determining if and when the wireless

channel can be considered random. Finally, even with advances in nailing down what

does work, a usable, widely available implementation of SKE does not yet exist, but

smartphones offer a great platform for future implementation.

The research that forms this thesis and the majority of papers on SKE have focused

extensively on the problem of extracting more bits from a given set of measurements

in a shorter amount of time, with a lower probability of bit disagreement and with

a higher entropy. The way this thesis accomplished the first two of these goals was

to remove non-reciprocities associated with the measurements. However this is just

one way to approach the problem. Another possibility for increasing the number of

bits extracted for a given time period is to make the channel measurements more

accurate. For RSS this could be accomplished by using a higher transmit power for

103

SKE than for normal communications. Alternately, increasing the accuracy of RSS

measurement by increasing the number the quantization levels would be a hardware

based solution. For instance an increase of 1 dBm would correspond to 2 RSSI rather

than just in increase of 1 RSSI.

Even with a more efficient or faster bit extraction method, a compromise between

information theoretic security and traditional cryptographic methods may have to

be reached before an implementation of SKE comes into wider use. For RSS data

collected by 802.15.4-based sensor nodes the mutual information in each pair of

samples made at Alice and Bob was around 5 bits. At 50 samples per second this is

only 250 bits per second or about 31 ascii characters. A device wishing to use SKE for

reasons associated with information theoretic security would probably have to decide

what information is most sensitive, encrypt that using SKE and leave the remaining

data to a traditional cryptographic key.

SKE depends upon randomness in the channel created by a user moving one of the

radios, by movement in the channel or both. It has been shown that it is possible for

an active eavesdropper to create deterministic non-random movement in an otherwise

static channel and so have some knowledge of the measurements. One avenue for

investigation is to determine how much randomness exists in user movements of the

radio. When asked to move something randomly, many, if not most, people will

eventually settle into some pattern of movement that feels random, but really isn’t.

One question that needs to be asked is, is this semi-random movement, plus some

minimal movement in the channel, enough to guarantee random secret bits over a

long period of time.

Smartphones offer a very rich testbed for SKE. They can serve as a platform on

which to implement SKE and a way to augment SKE with additional sensors. One

application for an SKE implementation would be to exchange sensitive information

between two smartphones without involving cellular carriers. The two phones would

perform SKE in WiFi ad-hoc mode then encrypt and transmit the data. While

the building blocks are there, a downloadable software application to perform SKE

does not yet exist. Other researchers have suggested using accelerometer data to

104

authenticate two users. This type of authentication could be used with SKE on

smartphones.

A usable implementation of SKE on a smartphone, laptop or similar device would

have to adapt to changing channel conditions. This means being able to determine

when the channel is changing by analyzing the channel measurements or by sens-

ing when movement of the device is sufficient to ensure random bits by analyzing

accelerometer data. Changing channel conditions also includes the number of users

sharing the same channel since this will affect how quickly and uniformly Alice and

Bob can measure the channel.

Finally, smartphones could also be a showcase for SKE as well as a way to collect

information about users’ ideas of random movement. An interesting, easily used

software application could record both accelerometer readings and RSS measurements

in many different wireless environments for many different users. With this large

amount of information it might be possible to determine how to give instructions or

feedback to a user that will maximize the randomness of the users’ movements as well

as providing a large dataset for experimental evaluation of bit extraction methods.

Secret key establishment offers a unique opportunity for consumer devices to create

and use shared secret keys that provide information theoretic security. Unlike quan-

tum cryptography, SKE does not require specialized hardware and is currently within

reach of devices that many people carry in their pockets. As data privacy becomes

more of a concern to people and businesses, SKE could provide a decentralized, secure

method of protecting sensitive information.

REFERENCES

[1] L. Ahumada, R. Feick, R. Valenzuela, and C. Morales. Measurement andcharacterization of the temporal behavior of fixed wireless links. IEEE Trans.Vehicular Technology, 54(6):1913–1922, November 2005.

[2] S.T. Ali, V. Sivaraman, and D. Ostry. Secret key generation rate vs. reconcilia-tion cost using wireless channel characteristics in body area networks. In 2010IEEE/IFIP International Conference on Embedded and Ubiquitous Computing,pages 644–650. IEEE, 2010.

[3] A. Alomainy, Y. Hao, X. Hu, CG Parini, and PS Hall. UWB on-body radiopropagation and system modelling for wireless body-centric networks. In Com-munications, IEE Proceedings-, volume 153, pages 107–114. IET, 2006.

[4] JB Andersen, JO Nielsen, GF Pedersen, K. Olesen, P. Eggers, EH Sorensen, andS. Denno. A 16 by 32 wideband multichannel sounder at 5 GHz for MIMO.In IEEE Antennas and Propagation Society International Symposium, 2004,volume 2, 2004.

[5] C.R. Anderson and T.S. Rappaport. In-building wideband partition loss mea-surements at 2.5 and 60 GHz. IEEE Transactions on Wireless Communications,3(3):922–928, 2004.

[6] T. Aono, K. Higuchi, T. Ohira, B. Komiyama, and H. Sasaoka. Wireless secretkey generation exploiting reactance-domain scalar response of multipath fadingchannels. IEEE Transactions on Antennas and Propagation, 53(11):3776–3784,Nov. 2005.

[7] B. Azimi-Sadjadi, A. Kiayias, A. Mercado, and B. Yener. Robust key generationfrom signal envelopes in wireless networks. In CCS ’07: Proceedings of the 14thACM Conference on Computer and Communications Security, pages 401–410,Nov. 2007.

[8] Bennett, Brassard, Crepeau, and Maurer. Generalized privacy amplification.In ISIT: Proceedings IEEE International Symposium on Information Theory,sponsored by The Information Theory Society of The Institute of Electrical andElectronic Engineers, 1994.

[9] Charles H. Bennett, Gilles Brassard, Claude Crepeau, and Ueli Maurer. General-ized privacy amplification. IEE Transaction on Information Theory, 41(6):1915–1923, November 1995.

106

[10] G. Bianchi. Performance analysis of the ieee 802.11 distributed coordinationfunction. Selected Areas in Communications, IEEE Journal on, 18(3):535–547,2000.

[11] G. Brassard and L. Salvail. Secret-key reconciliation by public discussion. InAdvances in CryptologyEUROCRYPT93, pages 410–423. Springer, 1994.

[12] D. Catalano. Contemporary cryptology. Birkhauser, 2005.

[13] H. Chan, A. Perrig, and D. Song. Random Key Predistribution Schemes forSensor Networks. In In IEEE Symposium on Security and Privacy, 2003.

[14] P. Chatzimisios, V. Vitsas, and AC Boucouvalas. Throughput and delay analysisof ieee 802.11 protocol. In Networked Appliances, 2002. Liverpool. Proceedings.2002 IEEE 5th International Workshop on, pages 168–174. IEEE, 2002.

[15] C. Chen and M.A. Jensen. Improved channel quantization for secret key estab-lishment in wireless systems. In Wireless Information Technology and Systems(ICWITS), 2010 IEEE International Conference on, pages 1–4. IEEE, 2010.

[16] J.M. Conrat, P. Pajusco, and J.Y. Thiriet. A Multibands Wideband PropagationChannel Sounder from 2 to 60 GHz. In Instrumentation and Measurement Tech-nology Conference, 2006. IMTC 2006. Proceedings of the IEEE, pages 590–595,2006.

[17] D. Cox. Delay Doppler characteristics of multipath propagation at 910 MHzin a suburban mobile radio environment. IEEE Trans. on Ant. & Prop., AP-20(5):625–635, Sept. 1972.

[18] J. Croft and N. Patwari. Bit extraction from CIR using a bi-directional radiochannel measurement system. IEEE Transactions on Mobile Computing, 2010.(submitted).

[19] J. Croft, N. Patwari, and S.K. Kasera. Demonstration abstract: Bit extractionfrom received signal strength. In Proceedings of the 16th annual ACM interna-tional conference on Mobile computing and networking. ACM New York, NY,USA, 2010.

[20] J. Croft, N. Patwari, and S.K. Kasera. Robust uncorrelated bit extractionmethodologies for wireless sensors. In Proceedings of the 9th ACM/IEEE In-ternational Conference on Information Processing in Sensor Networks, pages70–81. ACM, 2010.

[21] D. Devasirvatham. Time delay spread and signal level measurements of 850MHz radio waves in building environments. IEEE Trans. on Ant. & Prop.,AP-34(11):1300–1305, Nov. 1986.

[22] W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactionson information Theory, 22(6):644–654, 1976.

107

[23] G. Durgin, V. Kukshya, and T. Rappaport. Wideband measurements of angleand delay dispersion for outdoor and indoor peer-to-peer radio channels at 1920MHz. IEEE Trans. Antennas and Propagation, 51(5):936–944, May 2003.

[24] C Farrow. A continuously variable digital delay element. In IEEE InternationalSymposium on Circuits and Systems, 1988., pages 2641–2645, 1988.

[25] J. Foerster et al. Channel modeling sub-committee final report. IEEE P, pages15–02, 2003.

[26] S.T.B. Hamida, J.B. Pierrot, and C. Castelluccia. An adaptive quantizationalgorithm for secret key generation using radio channel measurements. InProceedings of the 3rd international conference on New technologies, mobilityand security, pages 59–63. IEEE Press, 2009.

[27] H. Hashemi. The indoor radio propagation channel. Proceedings of the IEEE,81(7):943–968, 1993.

[28] J. Hershey, A. Hassan, and R. Yarlagadda. Unconventional cryptographic keyingvariable management. IEEE Trans. Commun., 43(1):3–6, Jan. 1995.

[29] W. W. Hines, D. C. Montgomery, D. M. Goldsman, and C. M. Borror. Probabilityand Statistics in Engineering 4th ed. John Wiley & Sons, 2003.

[30] S. Jana, S.N. Premnath, M. Clark, S.K. Kasera, N. Patwari, and S.V. Krishna-murthy. On the effectiveness of secret key extraction from wireless signal strengthin real environments. In Proceedings of the 15th annual international conferenceon Mobile computing and networking, pages 321–332. ACM, 2009.

[31] J. Jemai and T. Kurner. Broadband WLAN channel sounder for IEEE 802.11b. IEEE Transactions on Vehicular Technology, 57(6):3381–3392, 2008.

[32] A. Karatsuba. The complexity of computations. In Proceedings of the SteklovInstitute of Mathematics, volume 211, pages 169–183, 1995.

[33] J. Kho, A. Rogers, and N.R. Jennings. Decentralized control of adaptivesampling in wireless sensor networks. ACM Transactions on Sensor Networks(TOSN), 5(3):19, 2009.

[34] J. Kivinen, TO Korhonen, P. Aikio, R. Gruber, P. Vainikainen, and S.G.Haggman. Wideband radio channel measurement system at 2 GHz. IEEETransactions on Instrumentation and Measurement, 48(1):39–44, 1999.

[35] M. Kmec, J. Sachs, P. Peyerl, P. Rauschenbach, R. Thom, and R. Zetik. Anovel ultra-wideband real-time MIMO channel sounder architecture. XXVIIIthGeneral Assembly of URSI, 2005.

[36] V.M. Kolmonen, J. Kivinen, L. Vuokko, and P. Vainikainen. 5.3-GHz MIMO ra-dio channel sounder. IEEE Transactions on Instrumentation and Measurement,55(4):1263–1269, 2006.

108

[37] Andreas Krause, Carlos Guestrin, Anupam Gupta, and Jon Kleinberg. Near-optimal sensor placements: Maximizing information while minimizing commu-nication cost, 2006.

[38] TI Laakso, V. Valimaki, M. Karjalainen, and UK Laine. Splitting the unit delay[fir/all pass filters design]. Signal Processing Magazine, IEEE, 13(1):30–60, 1996.

[39] A.K. Lenstra and E.R. Verheul. Selecting cryptographic key sizes. Journal ofCryptology, 14(4):255–293, 2001.

[40] Z. Li, W. Xu, R. Miller, and W. Trappe. Securing wireless systems via lower layerenforcements. In Proc. 5th ACM Workshop on Wireless Security (WiSe’06),pages 33–42, Sept. 2006.

[41] D. Liu, P. Ning, and W. Du. Group-based key predistribution for wireless sensornetworks. ACM Transactions on Sensor Networks (TOSN), 4(2):11, 2008.

[42] M.G. Madiseh, M.L. McGuire, S.W. Neville, and A.A.B. Shirazi. Secret keyextraction in ultra wideband channels for unsynchronized radios. In Commu-nication Networks and Services Research Conference, 2008. CNSR 2008. 6thAnnual, pages 88–95. IEEE, 2008.

[43] B. Maharaj, J. Wallace, M. Jensen, and L. Linde. A Low-cost open-hardwarewideband multiple-input–multiple-output (MIMO) wireless channel sounder.IEEE Transactions on Instrumentation and Measurement, 57(10):2283–2289,2008.

[44] DJ Malan, M. Welsh, and MD Smith. A public-key infrastructure for keydistribution in TinyOS based on elliptic curve cryptography. In Sensor andAd Hoc Communications and Networks, 2004, pages 71–80, 2004.

[45] S. Mathur, W. Trappe, N. Mandayam, C. Ye, and A. Reznik. Radio-telepathy:extracting a secret key from an unauthenticated wireless channel. In Proceedingsof the 14th ACM international conference on Mobile computing and networking,pages 128–139. ACM, 2008.

[46] Ueli M. Maurer. Secret key agreement by public discussion from commoninformation. IEEE Trans. Info. Theory, 39(3):733–742, May 1993.

[47] Ueli M. Maurer and Stefan Wolf. Unconditionally secure key agreement andthe intrinsic conditional information. IEEE Trans. Info. Theory, 45(2):499–514,1999.

[48] A.J. Menezes, P.C. Van Oorschot, and S.A. Vanstone. Handbook of AppliedCryptography. CRC, 1996.

[49] National Institute of Standards and Technology. Special Publication 800-57:Recommendation for Key Management. 2007.

109

[50] M.A. Osborne, SJ Roberts, A. Rogers, SD Ramchurn, and N.R. Jennings.Towards real-time information processing of sensor network data using com-putationally efficient multi-output gaussian processes. In Proceedings of the 7thinternational conference on Information processing in sensor networks, pages109–120. IEEE Computer Society, 2008.

[51] K. Pahlavan, P. Krishnamurthy, and J. Beneat. Wideband radio propagationmodeling for indoor geolocation applications. IEEE Comm. Magazine, 36:60–65,April 1998.

[52] N. Patwari and P. Agrawal. Localization Algorithms and Strategies for WirelessSensor Networks, chapter Calibration and Measurement of Signal Strength ofSensor Localization. IGI Global, 2009.

[53] N. Patwari, J. Croft, S. Jana, and S.K. Kasera. High rate uncorrelated bitextraction for shared secret key generation from channel measurements. IEEETransactions on Mobile Computing, pages 17–30, 2009.

[54] N. Patwari, A. Hero III, M. Perkins, N. Correal, and R. O’Dea. Relative locationestimation in wireless sensor networks. IEEE Trans. Signal Process., 51(8):2137–2148, Aug. 2003.

[55] R. Pirkl and G. Durgin. Optimal sliding correlator channel sounder design. IEEETrans. Wireless Communications, 7(9):3488–3497, September 2008.

[56] S.N. Premnath, S.K. Kasera, and N. Patwari. Secret key extraction in mimo-like sensor networks using wireless signal strength. ACM SIGMOBILE MobileComputing and Communications Review, 14(1):7–9, 2010.

[57] T.S. Rappaport. Wireless communications: principles and practice. PrenticeHall, 1996.

[58] P. Raptis, V. Vitsas, K. Paparrizos, P. Chatzimisios, and AC Boucouvalas.Packet delay distribution of the ieee 802.11 distributed coordination function.In Proceedings of the Sixth IEEE International Symposium on World of WirelessMobile and Multimedia Networks, pages 299–304. IEEE Computer Society, 2005.

[59] C.E. Rasmussen and C.K.I. Williams. Gaussian Processes for Machine Learning.The MIT Press, 2006.

[60] A. Rukhin, J. Soto, J. Nechvatal, M. Smid, E. Barker, S. Leigh, M. Levenson,M. Vangel, D. Banks, A. Heckert, et al. A Statistical Test Suite for the Validationof Random Number Generators and Pseudo Random Number Generators forCryptographic Applications. NIST Special Publication, pages 800–822, 2001.

[61] A. Sayeed and A. Perrig. Secure wireless communications: Secret keys throughmultipath. In Acoustics, Speech and Signal Processing, 2008. ICASSP 2008.IEEE International Conference on, pages 3013–3016. IEEE, 2008.

110

[62] M. Schack, R. Geise, I. Schmidt, R. Piesiewiczk, and T. Kurner. UWB chan-nel measurements inside different car types. In 3rd European Conference onAntennas and Propagation, pages 640–644. IEEE, 2009.

[63] M. Schack, J. Jemai, R. Piesiewicz, R. Geise, I. Schmidt, and T. Kurner.Measurements and analysis of an in-car UWB channel. In IEEE VehicularTechnology Conference, pages 459–463, 2008.

[64] C.E. Shannon. Communication Theory of Secrecy Systems. Journal, vol,28(4):656–715, 1949.

[65] D. Singh, Z. Hu, and R. Qiu. UWB channel sounding and channel characteristicsin rectangular metal cavity. In Southeastcon, 2008. IEEE, pages 323–328. IEEE,2008.

[66] C.G. Spiliotopoulos and A.G. Kanatas. Path-Loss and Time-Dispersion Parame-ters of UWB Signals in a Military Airplane. Antennas and Wireless PropagationLetters, IEEE, 8:790–793, 2009.

[67] M.L. Stein. Interpolation of Spatial Data: some theory for kriging. SpringerVerlag, 1999.

[68] W. Stutzman and G. Theile. Antenna Theory and Design. John Wiley & Sons,1981.

[69] K. Takizawa, T. Aoyagi, H.B. Li, J. Takada, T. Kobayashi, and R. Kohno.Path loss and power delay profile channel models for wireless body area net-works. In Antennas and Propagation Society International Symposium, 2009.APSURSI’09. IEEE, pages 1–4. IEEE, 2009.

[70] RS Thom, D. Hampicke, A. Richter, G. Sommerkorn, and U. Trautwein. MIMOvector channel sounder measurement for smart antenna system evaluation. Eu-ropean Transactions on Telecommunications, 12(5), 2001.

[71] Michael A. Tope and John C. McEachen. Unconditionally secure communica-tions over fading channels. In Military Communications Conference (MILCOM2001), volume 1, pages 54–58, Oct. 2001.

[72] J. Wallace. Secure physical layer key generation schemes: Performance and infor-mation theoretic limits. In Communications, 2009. ICC’09. IEEE InternationalConference on, pages 1–5. IEEE.

[73] J.W. Wallace, C. Chen, and M.A. Jensen. Key generation exploiting mimo chan-nel evolution: Algorithms and theoretical limits. In Antennas and Propagation,2009. EuCAP 2009. 3rd European Conference on, pages 1499–1503. IEEE.

[74] M. Wilhelm, I. Martinovic, and J.B. Schmitt. Secret keys from entangled sensormotes: implementation and analysis. In Proceedings of the third ACM conferenceon Wireless network security, pages 139–144. ACM, 2010.

111

[75] R. Wilson, D. Tse, and R. Scholtz. Channel identification: Secret sharing usingreciprocity in UWB channels. IEEE Transactions on Information Forensics andSecurity, 2(3):364–375, Sept. 2007.

[76] H. Yang, P.F.M. Smulders, and M.H.A.J. Herben. Indoor channel measurementsand analysis in the frequency bands 2 GHz and 60 GHz. In IEEE 16th Inter-national Symposium on Personal, Indoor and Mobile Radio Communications,2005. PIMRC 2005, volume 1, 2005.

[77] R.D. Yates and D.J. Goodman. Probability and stochastic processes. Wiley,1999.

[78] C. Ye, A. Reznik, G. Sternberg, and Y. Shah. On the secrecy capabilities ofitu channels. In Vehicular Technology Conference, 2007. VTC-2007 Fall. 2007IEEE 66th, pages 2030–2034. IEEE, 2007.

[79] J. Zhang, S.K. Kasera, and N. Patwari. Mobility assisted secret key generationusing wireless link signatures. In INFOCOM, 2010 Proceedings IEEE, pages 1–5.IEEE, 2010.