shared secret key establishment using wireless …
TRANSCRIPT
SHARED SECRET KEY ESTABLISHMENT USING
WIRELESS CHANNEL MEASUREMENTS
by
Jessica Erin Dudley Croft
A dissertation submitted to the faculty ofThe University of Utah
in partial fulfillment of the requirements for the degree of
Doctor of Philosophy
Department of Electrical and Computer Engineering
The University of Utah
July 2011
Copyright c© Jessica Erin Dudley Croft 2011
All Rights Reserved
THE UNIVERSITY OF UTAH GRADUATE SCHOOL
SUPERVISORY COMMITTEE APPROVAL
of a dissertation submitted by
Jessica Erin Dudley Croft
This dissertation has been read by each member of the following supervisory committeeand by majority vote has been found to be satisfactory.
Chair: Neal Patwari
Sneha K. Kasera
Rong-Rong Chen
Cynthia Furse
John Regehr
ACKNOWLEDGEMENTS
Very rarely does a project like this come together based solely upon the work of
the author. Here is where I get to say thank you:
Neal Patwari has put a great deal to time into explanations, editing and encour-
agement. He is unfailingly optimistic and patient and I feel very fortunate to have had
him as an advisor. The SPAN lab he created produces exciting ideas and inventions
and he has fostered a distinctly collegial and collaborative spirit among its members.
I am grateful to have found friends among my colleagues within the SPAN lab: Yang,
Dustin, Piyush, Joey and Merrick.
My parents, Jerry and Diana Croft, gave me a love of learning and a solid place
to rest. They taught me that building or growing or creating something useful can
be a source of great joy and satisfaction. Thank you.
For a hug, or a laugh or a push when I need it, I thank my partner, Todd Bailey.
He listened to me explain the same problem in different ways (some much better
than others) a thousand times in the last few years and never stopped trying to
understand.
ABSTRACT
Secret key establishment (SKE) is a method that allows two users, Alice and
Bob, to obtain shared secret keys using randomness inherent in the wireless channel.
Alice and Bob sample the channel many times, extract bits from those measurements
and then use the bits to encrypt further communications. Even if an eavesdropper,
Eve, were to overhear Alice and Bob measure the channel, she would still have
no knowledge of the secret key because she does not measure the same channel
as Alice and Bob. While the channel is reciprocal and random, measurements of
the channel are temporally correlated and can include non-reciprocities caused by
differing transceiver characteristics and the inability of Alice and Bob to measure the
channel simultaneously. The thesis aims to reduce or remove the non-idealities and
noise of the reciprocal channel measurement process in order to increase secret key
bit rate while maintaining an uncorrelated bit stream.
The first contribution of this thesis addresses correlated received signal strength
(RSS) measurements and differing transceiver characteristics in the context of sensor
nodes. Because typical sensor nodes are constrained both by available energy and
computational power, balancing the decorrelation method with node resources and
changing wireless environments is also addressed. Ranking and fractional delay inter-
polation are used to mitigate non-reciprocities associated with differing transceiver
characteristics and the inability of the two nodes to measure the channel at identical
points in time.
Second, bit extraction is applied to channel impulse response (CIR) measure-
ments. We develop a novel, inexpensive switching system that allows existing single
receiver/single transmitter channel sounding equipment to make bi-directional mea-
surements. With this system it is possible to investigate non-reciprocal interference
and experimentally evaluate bit extraction for CIR that takes advantage of both the
time and spatial diversity of the wireless channel.
Finally, non-uniform sampling caused by non-deterministic packet delay when
sharing a wireless channel with other users is detrimental to bit extraction yet very
common in practical wireless networks, especially for IEEE 802.11-based devices.
Interpolation and regression are used to estimate the reciprocal fading signal given
the non-uniform samples at Alice and Bob and the non-reciprocities caused by non-
simultaneous channel measurements.
iii
CONTENTS
ACKNOWLEDGEMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i
ABSTRACT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ii
LIST OF FIGURES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
LIST OF TABLES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
CHAPTERS
1. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 Three General Extraction Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.2 Channel Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2.0.1 Received Signal Strength . . . . . . . . . . . . . . . . . . . . . . . . . . . 61.2.0.2 Channel Impulse Response . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3 Adversary Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71.4 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2. ROBUST UNCORRELATED BIT EXTRACTION METHODOLOGIESFOR WIRELESS SENSORS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.1 Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112.2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112.3 Adversary Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142.4 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.4.1 Interpolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162.4.2 Ranking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.4.2.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172.4.2.2 Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.4.3 Decorrelation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192.4.4 Quantization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.5 Experimental Data Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222.6 Enabling Channel Adaptation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.6.1 Previous Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232.6.2 Selection of N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242.6.3 Covariance Matrix and Correlation Coefficient Estimation . . . . . 26
2.7 ARUBE Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292.7.1 Packet Transmissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312.7.2 Computational Complexity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2.8 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342.9 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.10 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3. BIT EXTRACTION FROM CIR USING A BI-DIRECTIONALRADIO CHANNEL MEASUREMENT SYSTEM . . . . . . . . . . . . . 39
3.1 Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393.2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393.3 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.3.1 RF CIR Measurement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433.3.2 Secret Key Establishment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.4 Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453.4.1 Power Loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463.4.2 Leakage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463.4.3 System Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473.4.4 Example Realization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.5 Bi-Directional CIR Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513.5.1 Software Radio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513.5.2 Measurements Collected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
3.6 Secret Key Extraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553.6.1 Adversary Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563.6.2 Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563.6.3 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603.6.4 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
3.7 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
4. RECIPROCAL FADING SIGNAL ESTIMATIONMETHODS FOR SECRET KEYESTABLISHMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
4.1 Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684.2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684.3 Related Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704.4 Problem Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714.5 Estimation Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
4.5.1 Polynomial Interpolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 734.5.2 Fractional Delay Interpolation . . . . . . . . . . . . . . . . . . . . . . . . . . . 754.5.3 Gaussian Processes Regression . . . . . . . . . . . . . . . . . . . . . . . . . . 76
4.5.3.1 Covariance Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774.5.4 Gaussian Processes Regression with Side Information . . . . . . . . . 78
4.5.4.1 Public Exchange of Side Information . . . . . . . . . . . . . . . . . 794.5.4.2 Setting γ2(i) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
4.6 Experiment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804.6.1 PHY layer and RSS Measurement . . . . . . . . . . . . . . . . . . . . . . . . 804.6.2 Sample Variance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814.6.3 Sampling Non-uniformity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
4.7 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 834.7.1 Performance Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 834.7.2 GPRSI Parameter Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
v
4.7.3 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844.7.4 Filter Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844.7.5 Normalized Root Mean Square Error . . . . . . . . . . . . . . . . . . . . . 854.7.6 Bit Extraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
4.7.6.1 802.15.4 Sensor Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 864.7.6.2 802.11 Smartphones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
4.8 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
5. CONCLUSION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
5.1 Key Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1005.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
vi
LIST OF FIGURES
1.1 Received signal strength measurements taken over time. Alice and Bob’sRSS measurements are correlated. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.1 ARUBE bit extraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.2 Areas of bit agreement and bit disagreement for m(i) = 1. . . . . . . . . . 15
2.3 Spatial correlation vs. Pbd and m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.4 t-statistics for max ρzi,zj vs. N for three datasets and the threshold, γ. . 27
2.5 t-statistics for ρz, vs. N for three datasets and the threshold, γ. . . . . . . 27
2.6 Packets sent for channel probing (—¿) and data transfer (- - -¿), com-putation (boxes) at either node, for overhead and bit extraction. . . . . . 30
2.7 Target Pbd vs. secret key bits per sample for ARUBE (black lines) andHRUBE (gray lines), for N ∈ {17, 35}, K ∈ {128, 256}, and D = K
2, for
averages of the best three datasets (-•-), the worst three (-�-), and theremaining 19 (-N-). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.1 Redirecting the transmitted and received signals to measure both direc-tions of the radio channel between antennas A1 and A2. . . . . . . . . . . . . 50
3.2 Labeled switch diagram in state 1. The correct path for the signal is{G,I,J,L,F,D,B,A}, however three incorrect paths are possible: directlyfrom transmitter to receiver (-.), {G,H,E,D,B,A}(- -), and {G,I,J,K,C,A}(..). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.3 One RF switch. RF common can be connected to either RF 1 of RF 2. 52
3.4 Possible linear ranges of four sets of parameters. Given baseline Ipole =50 dB, Iopen = 45 dB, Lcable = 2 dB, Lswitch = 2 dB and Itr = 111 dB,each plot other than baseline changes one parameter. . . . . . . . . . . . . . . 52
3.5 Known attenuation between junctions F and L plotted against receivedpower. Note that measurements and calculations were made assuminga transmitter frequency of 2.44 GHz. . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3.6 TX, RX, A1 and A2 locations. The TX and RX are next to oppositewalls of a rectangular room. The two antennas centered between themalong the two remaining walls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
3.7 Bi-directional measurements for two data sets. Plots 3.7(a)and 3.7(c)and show 10 pairs of measurements. Power in dB is relative to transmitpower. The dark plots are measurements from antenna A1 to A2. Thelight plots are measurements from antenna A2 to A1. The time betweeneach measurement was 0.11s. Plots 3.7(b) and 3.7(d) show the meanand the mean plus and minus the standard deviation of 175 pairs ofmeasurements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.8 Example bi-directional measurements in the frequency domain for (a)dataset A and (b) dataset B. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.9 (a) When interference source is off, subsequent CIR measurements be-tween A2 to A1 (tn = 37.4s) and from A1 to A2 (tn = 37.51s) arenearly identical. (b) When interference source is on, CIR measurementsbetween A2 to A1 (tn = 48.84s) are unchanged while those from A1 toA2 (tn = 48.95s) show interference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
3.10 Secret key bit extraction from CIR measurements involves synchroniza-tion (phase and time delay), interpolation (using fractional delay filtersc), decorrelation (across time delay τ and time t), and quantization(using multi-bit adaptive quantization). . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.11 Two CIR measurements made by Alice and Bob. Aligning the indicesof the dominant multipath does not always align the signals. . . . . . . . . 64
3.12 CIR measurements showing the random rotation which must be removedbefore bits can be extracted. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
3.13 (a) Number of bits extracted per measurement from |H| for various Pbd(b) Number of bits extracted per measurement from ∠H. . . . . . . . . . . . 65
3.14 Number of bits extracted per RSS measurement for various Pbd . . . . . . 66
4.1 Diagram shows placement of Alice’s (�) and Bob’s (©) measurementsat times tc with the placement of interpolated values t∗ (‖). (a) Fractiondelay interpolation interpolates a value half way between Alice’s andBob measurements if the sample period is constant. (b) With non-uniform measurements fractional delay interpolation results in unalignedinterpolated time instants. (c) Polynomial interpolation and Gaussianprocesses regression are able to interpolate measurements at identicaltime instants. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
4.2 Distribution of measured RSSI values for datasets collected (a) by 802.15.4based devices and (b) 802.11 based devices. The sample variance, σ2
w
for (a) is larger than that of the measurements of (b). . . . . . . . . . . . . . . 89
4.3 Distribution of sample periods for (a) two datasets made with 802.15.4based wireless sensors and (b) two datasets from 802.11 based devices. . 90
4.4 NRMSE between ya and yb for GPRSI with different values for Pa andPd. Overall, GPRSI for 802.11 RSS measurements performs best withPa ≈ 0.5 and Pd ≈ 15. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
viii
4.5 (a) Fractional delay interpolation used to estimate the reciprocal fadingchannel from non-uniformly sampled RSS measurements made by two802.11 devices. (b) Polynomial interpolation. (c) Gaussian processesregression. Solid lines are the estimated signal yc(t∗), dotted lines arethe RSS measurements wc. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
4.6 Filter response for (a) fractional delay interpolation, (b) polynomialinterpolation and (c) Gaussian processes regression at interpolated timeinstant t∗(i) = 0.60. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
4.7 (a) Polynomial interpolation used to estimate the reciprocal fading sig-nal for 802.11 RSS measurements (b) Estimation using GPRSI. Rootmean square error (RMSE) for the displayed data is (a)0.627 and (b)0.222. 95
4.8 Normalized root mean square error (NRMSE) for error between theoriginal measurements at Alice, wa, and Bob, wb and error betweenthe estimations of the reciprocal fading signal using polynomial inter-polation (PI), fractional delay interpolation (FDI), Gaussian processesregression (GPR) and Gaussian processes regression with side informa-tion (GPRSI) for (a) 11 802.11 datasets and (b) 20 802.15.4 datasets . . 96
4.9 Plot of NRMSE as the probability of dropping a packet, p, increases forFDI (- -), GPR (..) and GPRSI (–), then plotting the average of the topseven datasets (?), middle six datasets (•) and bottom seven datasets(I) with respect to NRMSE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
4.10 Comparison of PI, FDI and GPR with (a) highest, (b) middle and (c)lowest sample variance σ2
w. GPR is an improvement over FDI only atlower sample variances. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
4.11 Bits extracted per second vs. probability of bit disagreement (Pbd) for 13datasets. Data processed using GPR (..), GPRSI ( - ) or FDI ( - - ) thenplotting the average of the top four datasets (?), middle five datasets (•)and bottom four datasets (I) with respect to bits extracted per second.(a) Compares GPR and GPRSI (b) Compares FDI and GPRSI . . . . . . 99
ix
LIST OF TABLES
2.1 m = 1 bit MAQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.2 t-statistics by method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.3 Number of Packets Transmitted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.4 Computational Complexity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.5 Bits per sample–Mathur et al. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.6 Average and Minimum Entropy Rates. . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.7 Percentage of bits Eve gets correct. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.1 Switching System Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.2 NIST p-values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.3 Bits per Sample Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
4.1 Datasets of decreasing sample variance . . . . . . . . . . . . . . . . . . . . . . . . . 88
CHAPTER 1
INTRODUCTION
Secret key establishment (SKE) is a method that allows two users, Alice and
Bob, to obtain shared secret keys using randomness inherent in the wireless channel
between them without an eavesdropper being able to obtain the key. Because the
radio channel between Alice and Bob is reciprocal and varies randomly over space
and time, Alice and Bob are able to measure some characteristic of the wireless
channel many times then extract bits from those measurements to create matching
secret keys. Even if a passive eavesdropper, Eve, were listening to Alice and Bob make
measurements of the channel, she would be unable to measure the same channel as
Alice and Bob and unable to create a matching secret key.
Interest in SKE as an alternate method to ensure data privacy is due in part
to perceived weaknesses in traditional public key cryptography which relies on as-
sumptions about the computational strength of an attacker. One of the advantages
of shared secret keys extracted from channel measurements is that such keys offer
the possibility of information theoretic security as long as it is possible to obtain
more bits in the secret key than there is information to send [64]. Such keys are
considered secure even if an adversary is in possession of a computer with unbounded
computing power [12] while keys created using traditional cryptographic methods,
such as Diffie-Hellman key exchange, are considered secure only if the adversary has
bounded computing power. This is the same impetus driving research in quantum
cryptography, but because channel measurement methods are much less expensive,
bit extraction is currently possible with common consumer wireless devices.
Shared secret keys from channel measurements could also have advantages for
resource constrained sensor nodes. Various methods of adapting traditional cryp-
tography to sensor nodes have included predistribution of shared keys [13],[41] to
2
adapt to sensor node’s typical constrained power and exploration of elliptical curve
cryptography [44] to adapt to a small storage area and limited computational power.
Given that secret keys from channel measurements are cryptographically stronger
than traditional methods, they might require less on-node storage space. For instance
112-bit key extracted from channel measurements is equivalent in cryptographic
strength to a 2048-bit Diffie-Hellman key [39]. In addition, some SKE methods are
less computationally complex than traditional cryptographic methods.
Given these reasons for proceeding, SKE faces it’s own challenges and require-
ments. First, the radio channel must be changing. SKE would not work in a static
free-space environment since it depends upon the presence of multipath fading as
the source for randomness in the shared secret keys. This is counterintuitive since for
most wireless communication applications fading is detrimental. Also, in an otherwise
static channel, an attacker would be able to induce motion into the channel and
thereby gain knowledge about the secret key
The second major challenge is that while the wireless channel is reciprocal, mea-
surements of the channel include non-reciprocities from many sources including:
• interference
• thermal noise
• quantization noise
• differing transceiver characteristics
• time-division duplex (TDD) sampling
Many of these non-reciprocities can be seen in Figure 1.1. Because the channel is
TDD, Alice and Bob are unable to sample the channel simultaneously and instead
must take turns. During the time spent waiting to sample the channel can change
resulting in differing measurements at Alice and Bob. Quantization noise is also a
source of non-reciprocities. The devices used to measure RSS in Figure 1.1 quantize
1 dBm to 1 RSSI and while the major features of the fading signal are captured,
3
many smaller features are not. In addition, while an effort is made on the part
of the hardware manufacturer to ensure 1 dBm is always quantized to 1 RSSI, some
quantization bins are larger than others. Even with identical hardware, as was the case
in Figure 1.1, differences in transceiver hardware are common. On average, Alice’s
RSS measurements, always report just slightly less received power than Bob’s mea-
surements. In practical applications, identical hardware cannot be assumed. These
non-reciprocities have been addressed by a number of signal processing techniques
including windowed filters [45, 71], interpolation [53], ranking [20] and Gaussian
processes regression.
Thirdly there are requirements about the characteristics of the secret key itself.
Ideally the extracted bits would have a high entropy rate, no disagreement between
the bits extracted at Alice and the bits extracted at Bob and because sampling the
channel requires a packet to be transmitted, it is advantageous to be able to extract
a large number of bits from each sample especially for energy poor devices. Also,
in the context of information theoretic security every bit of information requires one
secret key bit.
The high entropy rate requirement is a heuristic for randomness. At minimum,
the bits in the secret key need to be independent, but as shown in Figure 1.1, the
measurements are temporally correlated. One way to ensure independence is to
increase the sampling period, but this in many cases increases the time required
to create a secret key. Another method is to decorrelate the measurements before
extracting bits. While a high entropy is required to ensure a random key, it is not
sufficient. The National Institute of Standards (NIST) has published a series of
probabilistic tests [60] which can be used to verify the randomness of shared secret
keys.
It is difficult to have both a low probability of bit disagreement and a high bit
extraction rate. Both of these factors influence the time required to perform SKE and
the number of packets that must be transmitted. In order for encryption/decryption
to work, the bits in the shared secret key at Alice and Bob must match perfectly. In
the event that they do not, information reconciliation is performed where Alice and
4
Bob exchange information publicly to correct disagreements [11]. As the probability
of bit disagreement increases, more information is leaked to an eavesdropper, Eve.
Removing non-reciprocities before bits are extracted from the measurements can
increase the number of bits that can be extracted while lowering the probability
of bit disagreement.
How these requirements and challenges and the resources needed to meet them
are balanced is unique to each bit extraction method. In the remainder of this
introduction I briefly describe three bit extraction approaches and explain how the
wireless channel is measured for bit extraction. I will then list describe the adversary
model before listing my own contributions and the structure of the dissertation.
1.1 Three General Extraction Methods
The simplest and least computationally complex bit extraction methods quantize
the measured channel characteristic into two bins, one bin for values less than the
mean and one bin for values greater than the mean, and then assign a 1 or a 0 to
each measurement based upon the bin it falls in. While this is easy to implement, the
trade-off is very low entropy. Modifications have been made that create high entropy
keys, at the cost of a low bit extraction rate[45]. These methods aim to have no bit
disagreement.
A second general method [53] uses the Karhunen–Loeve transform (KLT) to
remove the correlation between measurements before extracting a secret key. The
number of bits extracted from each measurement is determined by a target percent of
disagreeing bits and the correlation between Alice’s and Bob’s measurements. While
this method is significantly more computationally complex than the first, by allowing
a certain number of bits to disagree many more bits can be extracted. The bit
disagreement is rectified in a later information reconciliation step such as Cascade
[11]. This second general method has the advantage of a tunable probability of
bit disagreement and high entropy secret keys at the cost of higher computational
complexity.
The third general method is composed of three steps: advantage distillation,
5
information reconciliation, and privacy amplification [9],[8]. Advantage distillation is
another way to say that the two nodes sample some characteristic of the channel that
is known to them, but not an adversary. This is identical to what the first two general
methods do, but while the second method removes correlation between bits before
quantization, this general method quantizes and performs information reconciliation
before addressing the correlation between bits. The privacy amplification step is
then used to ensure the key has a high entropy. Reported rates of extraction using
this method are nearly 1 bits per sample for 802.11 based devices [30]. One of the
disadvantages is that since the percentage of bit disagreements is not tunable, the
information reconciliation step can be expensive in terms the amount of information
potentially revealed to an eavesdropper.
1.2 Channel Measurements
The channel can be viewed as a reciprocal filter that varies over time and space.
In general more information collected about the channel means a larger number of
bits can be extracted, but some measurements require more time to take or the
measurement equipment is expensive. Regardless of the equipment or measured
statistic, however, all of these measurements are time-division duplex (TDD). To
measure any characteristic, Alice must transmit to Bob who measures the channel
and then transmits to Alice who also measures the channel. During the time be-
tween measurements, the channel has changed introducing non-reciprocities into the
measurements.
Since Hershey first proposed the idea of bit extraction for shared secret keys in
[28], a large number of channel measurement types have been explored including
angle of arrival [6], phase [28] [61] and received signal strength [45] [30] [53],[74],[56]
which can include signal envelopes [7] [71] and level crossings [45]. In addition to
these one-dimensional measurements, channel impulse response (CIR) has also been
explored as a source for shared secret keys [79], [26], [75], [18].
6
1.2.0.1 Received Signal Strength
Received signal strength (RSS) is by far the most commonly measured channel
characteristic because RSS measurement capability is built in to most consumer
wireless devices such as smartphones and laptops. Academic research has also focused
on RSS bit extraction using 802.15.4 based sensor nodes [2, 56, 53, 20] due to the
ease of access to wireless parameters. Hardware in the transceiver measures received
power which is the squared magnitude of the complex baseband power. RSS, then, is
the average received power over a single packet that is then converted to an integer
number or RSS integer (RSSI). The conversion from the RSS measurement which
is commonly in decibels (dB) varies depending up on the radio hardware. Often an
increase in 1 dBm with respect to the mean received power corresponds to an increase
of 1 RSSI.
Not all RSS measurements are created equal in terms of the number of bits it is
possible to extract. A wider channel bandwidth has a detrimental effect on the bit
extraction rate. For instance, in IEEE 802.11 based devices, the RSS is calculated
for a signal over a bandwidth 4 times as wide as IEEE 802.15.4 based devices, so the
channel gain is not as affected by narrowband fading. This reduces the number of
bits it is possible to extract. Similarly, devices operating at higher frequencies are
more susceptible to narrowband fading so the higher the frequency the more bits can
be extracted all other parameters being equal.
Because RSS is an average of magnitude it does not provide any information about
the phase of the signal nor about the individual multipath components. While RSS
measurements are one-dimensional, they have been used them as part of a MIMO-like
bit extraction algorithm using many cooperating nodes [56].
1.2.0.2 Channel Impulse Response
Another channel statistic used for shared secret keys is channel impulse response
(CIR). Unlike RSS, CIR provides information about the magnitude, phase and arrival
time of each multipath component. As such, many more bits can be extracted
from each measurement. Simulated (CIR) measurements have been studied for use
7
with SKE [42, 75, 78, 73, 72]. Given the expense of the measurement equipment,
however, very few truly bi-directional experiments have been conducted. Rather,
many researchers use uni-directional measurements by making a CIR measurement
in one direction and then swapping the position of the transmitter and receiver before
making the second measurement in the reverse direction [79], [26], [75]. While this
captures the spatial features for bit extraction, any time-related diversity in the
channel is treated as noise. This is a very large compromise because in real-world
situations the channel is changing over time and it would be greatly advantageous to
use that randomness in the secret key.
1.3 Adversary Model
The adversary model is very similar across SKE methods. First, we assume that
there is a passive attacker, Eve, who is able to overhear legitimate users, Alice and
Bob, making measurement of the channel between themselves. Eve is able to measure
the channel between herself and Bob and measure the channel between herself and
Alice, but is otherwise unable to interfere. Eve cannot jam the channel nor can
she impersonate a legitimate user. Furthermore, Eve must be at least one half
wavelength away from Alice and Bob. At 2.4 Ghz one wavelength is 12.5 cm. We
assume that Eve has knowledge of the bit extraction method in use, any parameters
used in the bit extraction method and that Eve can obtain any information publicly
exchanged between Alice and Bob. This adversary model is very similar to that used
in Diffie-Hellman key agreement in that neither Diffie-Hellman nor SKE natively offer
authentication.
1.4 Contributions
This research aims to reduce or remove the non-idealities and noise of the re-
ciprocal channel measurement process in order to increase secret key bit rate while
maintaining an uncorrelated bit stream. The following publications have resulted:
8
J. Croft, N. Patwari, and S.K. Kasera. Robust uncorrelated bit extraction
methodologies for wireless sensors. In Proceedings of the 9th ACM/IEEE
International Conference on Information Processing in Sensor Networks,
pages 70–81. ACM, 2010.
J. Croft and N. Patwari. Bit extraction from CIR using a bi-directional
radio channel measurement system. IEEE Transactions on Mobile Com-
puting, 2010. (submitted).
J. Croft and N. Patwari. Estimation methods for bit extraction. IEEE
Transactions on Mobile Computing, 2011. (to be submitted).
J. Croft, N. Patwari, and S.K. Kasera. Demonstration abstract: Bit
extraction from received signal strength, 2010.
N. Patwari, J. Croft, S. Jana, and S.K. Kasera. High rate uncorrelated bit
extraction for shared secret key generation from channel measurements.
IEEE Transactions on Mobile Computing, pages 17–30, 2009.
The structure of this dissertation is as follows: Chapter 2 explores mitigation of
non-reciprocities associated with differing hardware characteristics and how to adapt
bit extraction to changing wireless environments. The cost of bit extraction is found
in terms of computational complexity and the total number of packets exchanged
for a given key length. This method is applied to RSS measurements taken with
802.15.4-based sensor nodes. This method improved the bit extraction rate by 25 to
60% compared to a previous bit extraction method.
Chapter 3 applies bit extraction to channel impulse response (CIR) measurements.
In order to obtain bi-directional CIR measurements an inexpensive novel switching
system was designed to allow existing single transmitter/single receiver hardware
to make bi-directional measurements. A description and analysis of the system is
included so that similar systems can be built. A new algorithm for CIR bit extraction
is described and applied to the bi-directional CIR measurements.
9
Chapter 4 addresses problems found during the demonstration [19] of bit extrac-
tion in a very busy wireless environment using 802.11 devices. Ideal conditions for
bit extraction ie. two users uniformly sampling a quickly varying channel, cannot
be assumed. An estimation method using Gaussian processes regression with public
discussion was found to improve the number of bits extracted by up to 50% in adverse
conditions for 802.11 RSS measurements.
Chapter 5 forms the conclusion and presents avenues for future research into
shared secret keys from wireless channel measurements.
10
10.8 10.9 11.0 11.1 11.2 11.3 11.4 11.5 11.6
time (s)
−15
−10
−5
0
5
10
15
RSSI
Alice
Bob
Eve
Figure 1.1. Received signal strength measurements taken over time. Alice and Bob’sRSS measurements are correlated.
CHAPTER 2
ROBUST UNCORRELATED BIT
EXTRACTION METHODOLOGIES FOR
WIRELESS SENSORS
2.1 Abstract
This paper presents novel methodologies which allow robust secret key extraction
from radio channel measurements which suffer from real-world non-reciprocities and
a priori unknown fading statistics. These methodologies have low computational
complexity, automatically adapt to differences in transmitter and receiver hardware,
fading distribution and temporal correlations of the fading signal to produce secret
keys with uncorrelated bits. Moreover, the introduced method produces secret key
bits at a higher rate than has previously been reported. We validate the method
using extensive measurements between TelosB wireless sensors.
2.2 Introduction
For many applications of wireless sensor networks, data privacy is a key require-
ment. Since sensor nodes may be collecting private data, for example, in patient
health monitoring networks, users must have guarantees of privacy. Without data
privacy, patients will not be willing to participate and hospitals will not be in com-
pliance with confidentiality regulations. However, because of the limited energy and
computational resources of sensor nodes, realistic methods for secure authentication
and privacy face special challenges. 1
1This chapter first appeared as J. Croft, N. Patwari, and S.K. Kasera. ”Robust uncorrelated bitextraction methodologies for wireless sensors” In Proceedings of the 9th ACM/IEEE InternationalConference of Information Processing in Sensor Networks. ACM, 2010.
12
To meet the critical need for secure communications, existing research has devel-
oped methods to address these multiple challenges. Existing work uses predistributed
shared secret keys and public key methods adapted for use on resource constrained
sensor nodes. Various methods of probabilistic predistribution [13] [41] have balanced
security and limited on-device storage space. Public key methods have used elliptic
curve cryptography [44] to create public keys within sensor node resources.
Unlike traditional cryptography methods, we address the problem of secret key
establishment between two wireless sensor nodes for secure communication using the
time and space variations in the time-division duplex channel. The radio channel
offers a unique opportunity to build alternate robust security solutions in a resource
efficient manner. A key generated from radio channel characteristics [6] [30] [61]
reflects the uniqueness of the time and space in which it was created. Two nodes,
Alice and Bob, are able to measure a characteristic of the channel between them,
each generates a key from those measurements, and then uses that key to encrypt
further communications. Even if Eve, an attacker, were able to overhear legitimate
users Alice and Bob during the collection of channel measurements, Eve would be
unable to duplicate the key because she would not have measured the same channel
as that between Alice and Bob.
Using temporal and spatial variation in channel characteristics for secret key
establishment is not a new idea. Key generation from channel characteristics was first
described in [28]. Since then several existing efforts including our own have designed
and evaluated bit extraction schemes using many different channel characteristics.
Some of these characteristics are angle of arrival [6], phase [28] [61], received signal
strength [45] [30] [53], signal envelopes [7] [71] and level crossings [45]. Of these,
received signal strength (RSS), or channel gain, is most commonly available because
of the low device cost and the requirement for inexpensive sensor nodes. To keep the
cost low and to be able to use off-the-shelf hardware, we also use RSS in this paper.
Unfortunately, existing methods have significant problems achieving high bit gen-
eration rates when required to achieve (1) a low probability of bit disagreement and
(2) uncorrelated bits. Existing methods sacrifice bit generation rate to achieve low
13
bit disagreement rates. A low bit generation rate leads to high energy consumption
as nodes repeatedly probe the channel to extract sufficient bits. This severely limits
the lifetime of the node. The high rate uncorrelated bit extraction (HRUBE) method
can achieve a high rate of uncorrelated bits with a reliably low probability of bit
disagreement. However, it requires precise knowledge of the distribution and the
temporal statistics of the radio channel. Sensor nodes are deployed in a wide variety
of environments so such a priori knowledge is unrealistic. Further, if statistical
assumptions are made that are incorrect, the benefits of the method are lost.
Here we present a method which comprehensively addresses these limitations.
Our scheme implements a ranking method to remove the non-reciprocities that are
inevitable as a result of wireless sensors having differing transceiver hardware charac-
teristics. Ranking is more robust because even when the measured values at different
nodes are of a different scale, the order of the measurements will be the same. For
example, the method avoids the disagreements caused by differing transmit powers
and RSSI circuit variations. Even in identical hardware, variations of scale exist,
and with different hardware, differences will be greater. Ranking also makes the bit
extraction process independent of fading distribution. Further, we test and develop
protocols which adaptively determine the covariance structure of the measured data
in order to reliably extract high entropy rate secret keys with a tunable probability
of bit disagreement.
We experimentally test our method using TelosB wireless motes. We evaluate
and compare schemes using data collected in three different environments in 25 data
sets, totaling 450,000 RSS samples. The extensive data collection allows accurate
characterization of important figures of merit, including extracted bits per sample
and entropy rate. While the design of a robust and practical scheme is the main
objective of this work, we also find that our scheme improves the rate at which
secret bits can be extracted. The tested method can extract 40 bits per second at
a probability of bit disagreement of 0.04. Compared to the HRUBE bit extraction
method, this method is more robust to differences in hardware, adapts to the channel
environment, can be implemented on a wireless mote and produces 30% more bits per
14
sample. The tested method produces the highest secret key extraction rate reported
to date.
The rest of this paper is organized as follows. Section 2.3 lays out the adversary
model used in this paper. In Section 2.4 we will describe the Ranking HRUBE
method. Section 2.5 describes our data collection process. In Sections 2.6 and 2.7 we
address issues related to implementation on wireless sensors. Sections 2.8 and 2.9
contain a summary and discussion of our findings. Section 2.10 forms a conclusion.
2.3 Adversary Model
We assume that the adversary, Eve, can listen to all the communication between
Alice and Bob. Eve can also measure both the channels between herself and Alice and
between herself and Bob at the same time when Alice and Bob measure the channel
between them for key extraction. We assume that Eve is more than a few wavelengths
away from Alice or Bob. We also assume that Eve knows the key extraction algorithm
and the values of the parameters used in the algorithm. We assume that Eve cannot
jam the communication channel between Alice and Bob. We also assume that Eve
cannot cause a man-in-the-middle attack, i.e., our methodology does not authenticate
Alice or Bob. In this aspect, the technique of key extraction from RSS is comparable
with classical key establishment techniques such as Diffie-Hellman [22], which also
use message exchanges to establish keys and do not authenticate Alice or Bob.
2.4 Methodology
Key extraction benefits from the reciprocity of the channel gain (or loss) between
two antennas and the fluctuations of the channel gain in a non-static channel. In a
reciprocal channel, the multipath properties including gain, phase shifts and delays
are identical in both directions of a link at any point in time. However, successful key
extraction must account for the sources of non-reciprocities present in measurements
of the channel gain, such as additive noise, and differences in hardware. These non-
reciprocities are the source of bit disagreement, i.e. bits that do not match between
the two generated keys. In addition, a good key has uncorrelated bits, despite the
fact that fading is a temporally-correlated random process. The adaptive ranking-
15
Figure 2.1. ARUBE bit extraction
Figure 2.2. Areas of bit agreement and bit disagreement for m(i) = 1.
0.9990.990.9
10−3
10−2
10−1
Correlation Coefficient ρ
Pro
babili
ty o
f B
it D
isagre
em
ent
m=4
m=3
m=2
m=1
Figure 2.3. Spatial correlation vs. Pbd and m
16
based uncorrelated bit extraction (ARUBE) method uses four tools to address these
challenges:
1. Interpolation removes non-reciprocities caused by the half-duplex nature of the
channel.
2. Ranking reduces non-reciprocities caused by differing hardware characteristics
and outputs data with an a priori known distribution.
3. Decorrelation removes temporal correlation from the RSS fading signal.
4. Quantization extracts bits from interpolated, ranked and decorrelated RSS
measurements.
A block diagram is shown in Figure 2.1. We expand upon these steps in the following
sections.
2.4.1 Interpolation
The half-duplex nature of the PHY layer (e.g., in 802.15.4) means that Alice and
Bob are unable to simultaneously measure the channel gain. To compensate we use
a finite impulse response (FIR) fractional delay filter, which interpolates to obtain
an estimate of the channel gains in both directions of the link at a single point in
time. The fractional delay between the ith measurement by Alice, wa(i), and the ith
measurement made by Bob, wb(i), is,
µ =1
2
[τb(i)− τa(i)
T
](2.1)
where τb(i) and τa(i) are the arrival times of the ith packet at Bob and Alice respec-
tively.
We implement two fractional delay filters, one each at Alice and Bob. W.l.o.g. we
assume that τa(i) < τb(i) so that µ > 0. If we interpolate points in wa so that the ith
sample is delayed by (1 + µ)T and interpolate points in wb so that the ith sample is
17
delayed by (1−µ)T , we would have nearly simultaneous measurements. These delays
can be broken down into fractional, µ, and integer, n, delays. At each node:
µa = µ µb = 1− µ na = 1 nb = 0 (2.2)
We implement the cubic Farrow filter [24]. For c ∈ {a, b}:
hc =[µ3c/6− µc/6,−µ3
c/2 + µ2c/2 + µc,
µ3c/2− µ2
c + 1,−µ3c/6 + µ2
c/2− µc/3]T
The filtered signal, xc, becomes the input to the next step in the bit extraction
process.
2.4.2 Ranking
Ranking is used to remove the differences in the unknown transmitter and receiver
characteristics which differ between the two directions. As its output ranking also
produces values with a uniform distribution.
2.4.2.1 Motivation
As we note above, the channel gain is reciprocal, but each receiver actually
measures RSSI, a voltage in the receiver IC. The RSSI has an affine relationship
with channel gain, denoted CG,
RSSI = c1CG + co (2.3)
and c1, c0 ∈ R depend on the two nodes. The parameter c0 will vary due to differing
transmit powers or differing battery voltages at the two nodes. Both c0 and c1 vary
because the devices use different hardware or because manufacturing differences in
identical hardware [52].
The device parameters c0 and c1 can be considered to be constant over the short
periods time required to generate a secret key from the channel (tens of seconds).
If the channel gain is reciprocal and the RSSI is given by (2.3), ranking will recover
identical signals.
18
The ranking process also homogenizes the output distribution. As will be dis-
cussed in Section 2.4.4, it is required to know the distribution of the data input
into the quantizer. Ranking does not provide a uniform distribution as input to the
quantizer because decorrelation is performed in between ranking and quantization;
however, ranking does eliminate the changes that would occur based on the particular
environment. For example, narrowband fading statistics may be Ricean, Rayleigh,
or Weibull distributed [27], however, the distribution of the output of the ranking
operation will remain uniform.
2.4.2.2 Algorithm
Next, we describe how to perform ranking for the ARUBE method. In short,
we take each segment of K values from the continuous-valued, interpolated channel
measurements and output discrete-valued numbers which indicate their order within
the group of K. We also use a set of known “dummy values” to increase the
randomness of the output of the ranking. However, for introductory purposes, we
first introduce ranking without dummy values, and then define the process of ranking
with dummy values.
The input to the ranking operation are theK-length sub-vectors x(t)c , for c ∈ {a, b}.
By sub-vectors, we mean that channel interpolated channel measurements, {xc(i)}i,
are input to a serial-to-parallel converter that outputs sub-vectors of length K, which
we denote xc(t). Specifically,
x(t)c = [xc((t− 1)K + 1), . . . , xc(tK)]T (2.4)
Ranking is a function R : Zk → KK0 , where K0 is a set of finite size with minimum
1 and maximum K. When there are no “ties” in input data, K0 = {1, . . . , K}, and
xc(t) is ranked such that the jth element of the tth ranked sub-vector is
r(t)c (j) = |{k : x(t)c (j) > x(t)c (k)}|+ 1
+1
2|{k 6= j : x(t)c (j) = x(t)c (k)}|
When there are no ties in the input data, r(t)c (j) is simply the order of x
(t)c (j) in a
sorted list of x(t)c . When there are ties, the value of r
(t)c (j) is the average of the order
19
of the tied values in the sorted list. For example, for K = 5 and this particular xc,
the vector rc would be output from the ranking method,
xc(i)i = [13, 11, 10, 14, 11︸ ︷︷ ︸x
(1)c
, 12, 16, 17, 19, 15︸ ︷︷ ︸x
(2)c
, 18, 17]
rc(i)i = [4, 2.5, 1, 5, 2.5︸ ︷︷ ︸r(1)c
, 1, 3, 4, 5, 2︸ ︷︷ ︸r(2)c
](2.5)
If the number of input values of {xc(i)}i cannot be evenly divided by K, the left over
values are not used.
Next we describe the introduction of “dummy values” to add randomness to the
output of our ranking method. Ranking the measurements directly introduces non-
randomness that could possibly be exploited by an attacker. If the first K − k
measurements are known or guessed, for k � K, it would be less difficult to accurately
determine the ranks of the remaining k measurements. To avoid this problem, we
introduce D dummy values into the input stream. The ranking with dummy values
is a function R : Zk → KKD , where KD is a set of finite size with minimum 1 and
maximum K +D. When there are no ties in input data, KD = {1, . . . , K +D}.
In the ARUBE method, we determine D dummy values from D evenly spaced
quantiles of the distribution of {xc(i)}i. Specifically, we use F−1xc
(n−0.5D
)for n =
1, . . . , D, where Fxc (x) is the cumulative distribution function (CDF) of xc. Note
that values are found independently at each node c ∈ {a, b}.
The jth element of the tth ranked sub-vector, r(t)c , becomes,
r(t)c (j) = |{k : x(t)c (j) > d(t)c (k)}|+ 1
+1
2|{k 6= j : x(t)c (j) = d(t)c (k)}|
where
d(t)c =
[x(t)c
T, F−1xc
(0.5
D
), . . . , F−1xc
(D − 0.5
D
)]T(2.6)
2.4.3 Decorrelation
Adjacent channel measurements in rc are correlated. In this paper we use the
discrete Karhunen-Loeve transform (KLT) to convert the measured, interpolated,
20
ranked channel measurements in ra and rb into uncorrelated components. Given
the covariance matrix of correlated data the KLT looks for an orthogonal basis that
decorrelates the data. If the data is Gaussian, the decorrelated data will also be
independent.
Assume that the input vector at node c ∈ {a, b}, rc, has mean µc, covariance ma-
trix Rr and length N . The singular value decomposition (SVD) of Rr can be written,
Rr = USUT , where U is the matrix of eigenvectors, and S = diag{σ21, ..., σ
2N}, is a
diagonal matrix of the corresponding eigenvalues. We assume that the eigenvectors
have been sorted in order of decreasing eigenvalue, so that σ21 ≥ σ2
2 ≥ ... ≥ σ2N ≥ 0.
Note that UTU = IN , where IN is the N × N identity matrix. The discrete KLT
calculates yc as
yc = UT (rc − µc). (2.7)
It can be shown that Ry, the covariance matrix of yc is equal to S. Because S is
diagonal, yc has uncorrelated elements.
In Section 2.6 we discuss the online determination of Rr and the setting of
parameter N .
2.4.4 Quantization
There is a tradeoff between the probability of bit disagreement, Pbd, and the
number of bits generated. Multi-bit adaptive quantization [53] (MAQ) achieves a
high rate of bits per sample for a desired Pbd.
W.l.o.g. we choose Alice to be the ‘leader’ and Bob to be the ‘follower’. We first
quantize ya(i) into one of J , 2mi+2 = 4× 2mi equally likely quantization levels. We
determine the quantization levels based on the CDF of ya(i), Fi(y) = P [ya(i) ≤ y].
The thresholds, ηj, are calculated as,
ηj = F−1i
(j
4× 2mi
), for j = 1, . . . , J − 1. (2.8)
and η0 = −∞ and ηJ =∞.
21
The quantization bins are then defined by the thresholds. The jth quantization
bin is the interval (ηj−1, ηj) for j = 1, . . . , J , so j(i) is given by
j(i) = maxj
[j : ya(i) > ηj−1] (2.9)
Next, we define the following binary variables:
• Define e(j), for j = 1, . . . , J as
e(j) =
{1, (j mod 4) ≥ 20, otherwise
(2.10)
• Create a Gray codeword with mi bits, that is, an ordered list of 2mi possible
mi-bit codewords.
• Let f1(j) = b j−14c. Define d1(j) ∈ {0, 1}mi to be equal to the f1(j)th Gray
codeword.
• Let f0(j) = b j+1 mod J4
c. Define d0(j) ∈ {0, 1}mi to be equal to the f0(j)th Gray
codeword.
These variables are shown in Table 2.1 for m(i) = 1.
Multi-bit adaptive quantization proceeds as follows. The leader node, Alice in
this case, quantizes ya(i) in the correct quantization k(i) for all components i. Alice
then transmits the bit vector e = [e(j(1)), . . . e(j(N))]T to the follower node, Bob.
Both nodes encode their secret key using codeword d0 when e = 0, and codeword d1
when e = 1. Specifically the secret key for node c is
zc = [de(j(1))(j(1)), . . . , de(j(N))(j(N))] (2.11)
where j(i) is given in Eq. 2.9. Figure 2.2 shows a graphic representation of the
m(i) = 1-bit case.
The Pbd in MAQ is related to the correlation coefficient between components and
the number of bits extracted from each decorrelated component, ya(i). The correlation
22
coefficient of the ith component, denoted ρi, can be determined from the covariance
matrix of the decorrelated components.
ρi =
√[Ry]i,iσ2i
(2.12)
From the areas of bit disagreement in Figure 2.2, the analytical approximation of bit
disagreement rate vs. correlation coefficient in Figure 2.3 is derived [53].
The greater the correlation between components the more bits that can be ex-
tracted or the lower the percentage of bit disagreement. The total number of bits ex-
tracted from each group of decorrelated measurements, yc is denoted M =∑N
i=1m(i).
2.5 Experimental Data Collection
For purposes of evaluation, we implement three wireless sensors capable of col-
lecting RSS measurements. The TelosB mote is a low power wireless sensor module
equipped with an IEEE 802.15.4 compliant RF transceiver (the TI CC2420), built-in
antenna and a micro-controller.
TinyOS/NesC software is written for the TelosB motes for measurement and
communication. Nodes Alice (a) and Bob (b) take turns transmitting probing packets.
Each probing packet contains a counter value and a unique node id number. When
node c ∈ {a, b} receives the ith packet, it (1) obtains the RSS of the packet, wc,i; (2)
stores the received counter value i and the RSS value wc,i; (3) increments its local
counter value and (4) builds a new data packet containing the new counter value and
its own node ID and sends it over the radio to node c where c ∈ {a, b} and c 6= c.
The packet transmission rate of the device, and thus the RSS sampling rate, is 50
per second. The third node, Eve, designated the attacker node, overhears all of the
packets being transmitted between the other two nodes, estimates the RSS of each
packet and stores the data. Eve’s TelosB mote does not transmit any packets. Data
is collected on a laptop to enable arbitrary application of the RSS measurements in
secret key establishment.
We collected 25 datasets with a total of 443, 600 samples. Most datasets had
between 10,000 and 20,000 RSS samples while a few datasets had more than 50,000
23
or less than 5,000. At 50 samples per second it takes 5 minutes to collect 15,000
samples. The nodes were arranged in various geometries to evaluate the ability of
Eve to obtain the same key as Alice and Bob and to see how the signal to noise ratio
(SNR) might affect the methods. For all datasets, Alice and Eve were placed on a flat
surface while Bob was rotated and moved randomly by an experimenter to introduce
random fading into the channel. In the 16 datasets where Eve was present, she was
at most 45cm from Alice and in few cases she was less than 6.25cm or λ2
from Alice.
Six datasets were collected where Bob was more than 1.5m from Alice and Eve. All
signal processing was done in Python.
2.6 Enabling Channel Adaptation
In [53] the authors presented HRUBE, a framework for bit extraction from channel
measurements, but did not have a realistic method for implementation. This section
presents methods to select the parameters of the ARUBE method. These parameters
include the number of decorrelated components, N , the decorrelation matrix, U ,
and the number of bits per component, {m(i)}i. The selection of these parameters
depends upon the radio channel between Alice and Bob. For example, in a quickly
varying channel we would expect the covariance matrix to be different than in a slowly
varying channel. Also, the number of bits extracted from the channel would increase
with signal to noise ratio.
2.6.1 Previous Approach
In the HRUBE method, the covariance matrix, Rx, was estimated as
Rxc,xc =1
2C − 1
∑c∈{a,b}
C∑i=1
(x(i)c − µc)(x(i)
c − µc)T
(2.13)
where x(i)c is the ith N -length measured RSS vector at node c, C is the total number
of vectors and
µc =1
C
C∑i=1
x(i)c . (2.14)
The N × N decorrelation matrix U is found by the SVD. The values, m(i), were
determined from the covariance matrix of xa and xb. The secret key, zc, was then
24
extracted from the same measurements as were used to estimate the covariance
matrix.
2.6.2 Selection of N
The computational complexity of estimating the covariance matrix and calculating
the SVD are both dependent upon N as will be discussed in Section 2.7. Increasing
N will decrease temporal correlation between bits in the secret key because more
samples are simultaneously decorrelated. For example, setting N = 50 produced
sufficiently decorrelated bits for the HRUBE method [53]. Because of the tradeoff
between computational complexity and temporal decorrelation, finding a minimum
range or value for N could significantly reduce the number of calculations.
In order to test for uncorrelated bits, we look at two types of correlation coeffi-
cients:
1. Pair-wise bit correlation coefficients. We denote ρzi,zj as the correlation coeffi-
cient between the ith and jth component of vector zc (Eq 2.11), for any particular
combination (i, j) where i 6= j. There are(M2
)different values of ρzi,zj .
2. Global bit correlation coefficient. We denote ρz as the correlation coefficient
between any pair of different components of zc. Here we assume that the
correlation coefficient is identical across all combinations of (i, j) and we use
our data to estimate the single value of ρz.
There are(M2
)different pairwise correlation coefficients, ρzi,zj , but because there are
more of them, each one is estimated with few realizations, which we denote as n.
The global bit correlation coefficient, ρz, is a single number but it has many more
realizations, n. By performing statistical tests on both correlation coefficients, we can
reliably verify that bits are uncorrelated.
To avoid confusion, it should be noted that we now have two types of correlation,
spatial and temporal. The first, spatial, is ‘good’ correlation (Eq 2.12 and Figure 2.3)
between the decorrelated components ya(i) and yb(i). This spatial correlation is what
makes bit extraction effective. The second describes temporal correlation between
25
bits. Both ρzi,zj and ρz quantify temporal correlation that might allow an attacker to
have a better chance of guessing subsequent bits given knowledge of some bits. We
quantify the effect of N on temporal correlation in this section.
Estimated correlation coefficients will never be precisely zero, even if ρ = 0. We
use hypothesis tests to quantify if these non-zero correlation coefficients are likely to
have been generated if the true ρ = 0. Formally, the decision is:
H0 :ρ = 0
H1 :ρ 6= 0(2.15)
The hypothesis test is performed on the t statistic [29],
t = ρ
√1− ρ2n− 2
H1
><H0
γ (2.16)
where ρ is the correlation coefficient estimated from the data either ρzi,zj or ρz, n is the
number of realizations used in the estimate and γ is a threshold. The threshold is set
by choosing a desired false alarm rate, α, and applying knowledge of the distribution
of t (t distribution with n− 2 degrees of freedom). In the limit for high n (n > 100)
the distribution of t approaches the zero-mean unit-variance Gaussian distribution.
We plot the t-statistics vs. N and the appropriate thresholds for three datasets in
Figures 2.4 and 2.5. Each dataset has many pairwise correlation coefficients, so for
simplicity we plot only the maximum pairwise correlation coefficients in Figure 2.4.
For the datasets presented here, the minimum number of realizations is n = 833. We
set the false alarm probability, α = 0.05, therefore we would expect even if ρ = 0
to see 5% of the values crossing the threshold. In all plots the target Pbd = 0.04,
K = 256, and D = 128.
As shown in Figure 2.4, for N ≥ 15 the datasets u, s and t decide H0 more than
1 − α = 95% of the time. The global correlation, ρz, as shown in Figure 2.5, is
dependent upon the dataset. H0 is decided for datasets u, s and t at N = 27, 25, 17
respectively. Based on the tests of ρzi,zj we may believe N > 15 is sufficient, however,
because of the tests on ρz, we may wish to set N > 30.
We also tested the effect of N on the number of bits extracted per sample. We
tested the total number of bits per sample for a range of 5 ≤ N ≤ 50 and over the
26
same three datasets. We found that the choice of N does not have a significant effect
on the number of bits extracted per sample.
In addition, we tested the entropy of the bitstream vs. N . For N larger than 15,
entropy slowly increases with N . These results are presented in Table 2.6.
2.6.3 Covariance Matrix and Correlation Coefficient Estimation
In the previous section we looked at the effect of N on temporal correlation when
the covariance matrix was estimated as in Eq. 2.13. In other words, the covariance
matrix was estimated using all measurements made in both directions. If this were
implemented, it would take many minutes to collect all of the RSS measurements.
Alternatively the covariance matrix would be estimated and the KLT performed for
every vector of samples collected. In either case, it would either computationally
expensive or introduce high latency.
We see three options in addition to the full method for calculating the covariance
matrix:
1. Full: The covariance matrix is estimated on the nodes for all vectors of collected
channel measurements using Eq. 2.13. The SVD of the covariance matrix is
calculated on each node and the decorrelation matrix, U , is found.
2. Offline: The covariance matrix is estimated offline from previously collected
data, the SVD of the covariance matrix is calculated and then the decorrelation
matrix, U , is loaded onto both nodes prior to deployment.
3. Uni-directional: The covariance matrix is estimated by each node using only
the measurements it has collected. In this case the covariance matrices at Alice
and Bob would be,
Rra,ra =1
C − 1
C∑i=1
(r(i)a − µa)(r(i)a − µa)T
Rrb,rb =1
C − 1
C∑i=1
(r(i)b − µb)(r
(i)b − µb)
T
27
Table 2.1. m = 1 bit MAQBin Codeword Interval
j f1 f0 e of y(i)1 0 0 0 (−∞, F−1i (0.125))2 0 0 1 (F−1i (0.125), F−1i (0.25))3 0 1 1 (F−1i (0.25), F−1i (0.375))4 0 1 0 (F−1i (0.375), F−1i (0.5))5 1 1 0 (F−1i (0.5), F−1i (0.625))6 1 1 1 (F−1i (0.625), F−1i (0.75))7 1 0 1 (F−1i (0.75), F−1i (0.875))8 1 0 0 (F−1i (0.875),+∞)
5 10 15 20 25 30 35 40 45 50N-elements in KLT
1
2
3
4
5
6
7
8
9
10
t Sta
tist
ic
dataset udataset sdataset t
Figure 2.4. t-statistics for max ρzi,zj vs. N for three datasets and the threshold, γ.
5 10 15 20 25 30 35 40 45 50N-elements in KLT
-2
-1
0
1
2
3
4
5
t Sta
tist
ic
dataset udataset sdataset t
Figure 2.5. t-statistics for ρz, vs. N for three datasets and the threshold, γ.
28
4. Partial: Alice and Bob collect and share Nc preliminary channel measurements,
wpa and wpb. Both vectors are interpolated and ranked then the covariance
matrix is estimated at both nodes using the preliminary bi-directional data,
Rrc,rc =1
Nc − 1
[Nc∑i=1
(r(i)pa − µpa)(r(i)pa − µpa)T
+Nc∑i=1
(r(i)pb − µpb)(r
(i)pb − µpb)
T
](2.17)
The SVD of the covariance matrix is calculated on each node to obtain U .
The advantages of each method are as follows. The full method will decorrelate
the measurement vectors better than the other three, but is expensive in terms of
time and computation. The offline method is much less computationally intensive
since the KLT is not calculated online, but does not adapt to changes in the radio
channel. The uni-directional method requires no additional data sharing between the
two nodes other than probe packets and MAQ protocol, but is as computationally
expensive as the the full method. The partial method, while more computationally
expensive than the offline method, can adapt to changes in the wireless channel
because it decorrelates the bit stream immediately after calculating U .
To determine the effect of these four methods on temporal correlation we take
one of the datasets, u, which was also used in the previous section and run the same
hypothesis tests. Table 2.2 shows that none of the four methods results in correlation
coefficients ρzi,zj or ρz which are significantly different than zero. For all methods,
Pbd = 0.04, K = 256 and D = 128.
The effect of the covariance estimation method on the bits extracted per sample
is also of concern. On average the partial method extracted 5% fewer bits per sample
than did the offline, full or uni-directional methods. For the offline method we used
dataset r as the dataset to compute the decorrelation matrix U . Dataset r was
collected in similar channel conditions as dataset u.
Rarely, the uni-directional method produced as much as 40% fewer bits per sample.
This method suffers from the fact that the U matrix can be highly sensitive to noise.
This is because the order of the eigenvectors and the sign of the eigenvectors can
29
be different at Alice and Bob. Other methods guarantee U will be identical at both
nodes.
To determine the number of bits to extract from each component, Alice and Bob
must know the correlation coefficients ρ(i) (Eq. 2.12). In the uni-directional method,
Alice and Bob cannot determine the correlation coefficients. In addition, in the
offline method the values of the correlation coefficients are virtually certain to vary
with differing channel conditions. In these two cases, Alice and Bob could do one of
two things:
1. Make a conservative guess based on a metric like signal to noise ratio.
2. Exchange a subset of the decorrelated components, yc, and use them to calculate
the correlation coefficients similar to the partial method.
Although it would be cheaper both in terms of computation and time if the SVD
was calculated offline, it would leave the nodes without any means of calculating a new
U matrix or correlation coefficients if the nodes were deployed in an environment with
significantly different wireless characteristics than the previously gathered samples.
To allow adaptation, we use the partial method in the rest of this paper.
2.7 ARUBE Protocol
In this section we describe the ARUBE protocol and find the number of transmis-
sions necessary to extract a secret key of length Lk. Figure 2.6 shows a diagram of
the protocol.
At a high level, the protocol has two parts separated by the dotted horizontal
line in Figure 2.6. In the first part (steps 1-3 in Figure 2.6) the two nodes estimate
the covariance matrix and calculate the decorrelation matrix, U , and the bit vector,
m. In the second part (steps 4-7) the nodes measure the channel and using U and
m, extract bits for a secret key. The second part can be repeated as many times as
necessary to obtain the desired number of bits in the secret key. The process can be
described as follows:
30
Figure 2.6. Packets sent for channel probing (—¿) and data transfer (- - -¿),computation (boxes) at either node, for overhead and bit extraction.
1. Alice (the leader) and Bob (the follower) exchange Nc packets. The packets
contain the RSS value of the last received packet at the respective node so that
both nodes have a copy of the preliminary RSS measurement vectors.
2. Alice and Bob rank and interpolate both vectors.
3. Both nodes estimate bi-directional covariance matrix, calculate the SVD to find
the decorrelation matrix, U , and the bit vector, m.
4. Alice and Bob exchangeK probing packets which contain no data. After packets
are exchanged, Alice has a vector of RSS as measured from Bob to Alice and
31
Bob has a vector of RSS as measured from Alice to Bob.
5. Alice and Bob interpolate, rank and decorrelate their RSS vectors to obtain ya
and yb respectively.
6. Alice quantizes ya to obtain the secret key, za, and the e-vector. She sends the
e-vector to Bob.
7. Bob, upon receipt of the e-vector from Alice, quantizes yb to obtain the secret
key zb.
The fourth through seventh steps are performed until the secret key is of desired
length. If the channel changes substantially or the percentage of bit disagreement
is higher than expected, the first three steps can be performed again to obtain an
estimate of current channel statistics.
With the ARUBE protocol in mind we determine the number of transmissions
needed to create a shared secret key of length Lk. We define the constants
Nc = Samples required to calculate Rrpa,rpb
N = Length of vector to be decorrelated
K = Number of samples to rank
Be = Bits extracted per sample
We calculate the number of transmissions required to generate a key of length Lk
and the computational complexity of each step with respect to N , K and Nc. The
number of bits extracted per sample, Be, is dependent upon the environment where
the bit extraction is performed.
2.7.1 Packet Transmissions
Table 2.3 shows the number of packets transmitted when Lk = 128, Nc = 1000,
K = 256 and Be = [0.4, 0.75] as the number of keys created increases. The number
of packets transmitted is
Nt = Nc +
(⌈LkBeK
⌉K +G
)(2.18)
32
Where G is the number of packets required for Alice to transmit the e-vector. G is
dependent on the number of bits in a packet, P , and the number of components in
yc from which bits can be extracted Mn = |{i : m(i) 6= 0}|.
G =LkMMn
1
P(2.19)
The number of bits extracted per sample, Be, has the greatest effect on the number of
packets transmitted. The transmissions above the dotted horizontal line in Figure 2.6
are overhead and are independent of the number or length of secret keys to be
generated. The amount of transmission overhead is dependent only upon Nc. While
the leader and follower nodes transmit nearly the same number of packets, the leader
node will transmit more over time because of the e-vector packets.
2.7.2 Computational Complexity
The gray boxes in Figure 2.6 indicate computations that are done on each respec-
tive node. The computational complexity of each step is listed in Table 2.4.
While the calculation of the SVD has the highest order of any operation, it may be
possible to simplify the order. For example only Mn = |{i : m(i) 6= 0}| of eigenvectors
need to be calculated. If Mn ≤ N it can be less computationally complex to calculate
one eigenvector at a time and stop extracting eigenvectors when m(i) = 0. Depending
upon the number and length of keys to be generated, the covariance matrix estimation
and calculation of the SVD might not be the most significant portion of the required
computation although they have the highest order.
Although an exact comparison is difficult, we expect ARUBE to extract secret bits
with fewer computations in comparison to the Diffie-Hellman secret key exchange.
The main computation for the Diffie-Hellman scheme is the modular exponentiation,
(ga mod p)b mod p [48]. Here, p is a large prime number, g is the generator of the
order of p − 1, in the group < Z∗p,× >, and a and b are the secrets of Alice and
Bob, respectively. This modular exponentiation has a time complexity of O(nM(k))
where n is the number of bits in p, k is the number of bits in a or b, and M(k) is
the complexity of a chosen multiplication algorithm. Using the Karatsuba algorithm
for multiplication [32], M(k) = O(k1.585). The time complexity of the ARUBE bit
33
Table 2.2. t-statistics by method
Methodρzi,zj ρz
N=17 N=3 N=17 N=35Full 2.950 3.369 1.864 0.444Offline 2.825 2.194 0.533 1.159Uni-directional 2.950 3.196 1.978 0.589Partial Nc =1000
2.201 2.828 0.228 0.926
Partial Nc =2000
2.952 2.851 0.366 1.440
Table 2.3. Number of Packets TransmittedBe Node Overhead Key 1 Key 4 Key 7
0.4Alice 1000 1263 2052 2841Bob 1000 1256 2024 2792
0.75Alice 1000 1264 1800 2336Bob 1000 1256 1768 2280
Table 2.4. Computational ComplexityOverhead Complexity
Interpolate O(Nc)Rank O(NclogK)
Calculate Rxpa,xpb O(N2Nc)Calculate SVD O(N3)
Bit Extraction Complexity
Interpolate O(K)Rank O(KlogK)
Decorrelate O(NK)Quantize O(K)
34
extraction steps is O(NK). Considering k and K to be constant, and noting that
a smaller symmetric key is equivalent in strength to a much larger Diffie-Hellman
Key (e.g., 112-bit symmetric key is equivalent to 2048-bit Diffie-Hellman key [49]),
ARUBE is computationally more efficient than the Diffie-Hellman key exchange.
2.8 Results
In this section we quantify the performance of the ARUBE method. We look at
three metrics: (1) secret bits per sample; (2) estimated entropy rate of secret key
bits; and (3) resistance to a passive attack.
Secret Bits per Sample: The number of secret key bits generated per sample
directly impacts the latency and energy efficiency of key establishment. Figure 2.7
plots ARUBE (and for comparison, HRUBE) secret bits per sample vs. Pbd for N ∈
{17, 35}, K ∈ {128, 256}, and D = K2
. We assume the best case the HRUBE method,
that it estimates the U and {m(i)}i on the same data set which it then uses to extract
bits. Out of 25 data sets, we plot the average of the top three with respect to bits
extracted per sample, the average of the bottom three and the average remaining 19
datasets.
We show a comparable analysis with the same datasets for a bit extraction method
developed by Mathur et al. [45] in Table 2.5. Unlike ARUBE, this method was
developed solely to produce keys with Pbd = 0, with no expectation of information
reconciliation. This method finds extrusions in a filtered vector of RSS measurements.
An extrusion is where the values of a filtered RSS vector are above some threshold
γ or below −γ. If an extrusion is at least m measurements long and exists on both
directions of the link, it will be assigned as a 1 if it is above γ, or as a 0 if it is below
−γ.
To find the values in Table 2.5 we selected many values of γ between 0.1σ ≤
γ ≤ 1.5σ where σ is the standard deviation of the filtered RSS vector, and found the
maximum bits per sample that could be generated which had a Pbd less than a given
value. Table 2.5 shows the average for the best three, worst three and remaining
19 datasets. While this method requires much less computation than ARUBE and
35
K=128 K=256
N=
17
0.01 0.02 0.03 0.04 0.05 0.06 0.07Target Bit Disagreement Rate
0.0
0.2
0.4
0.6
0.8
1.0
Secr
et
bit
s per
sam
ple
0.01 0.02 0.03 0.04 0.05 0.06 0.07Target Bit Disagreement Rate
0.0
0.2
0.4
0.6
0.8
1.0
Secr
et
bit
s per
sam
ple
N=
35
0.01 0.02 0.03 0.04 0.05 0.06 0.07Target Bit Disagreement Rate
0.0
0.2
0.4
0.6
0.8
1.0
Secr
et
bit
s per
sam
ple
0.01 0.02 0.03 0.04 0.05 0.06 0.07Target Bit Disagreement Rate
0.0
0.2
0.4
0.6
0.8
1.0
Secr
et
bit
s per
sam
ple
Figure 2.7. Target Pbd vs. secret key bits per sample for ARUBE (black lines) andHRUBE (gray lines), for N ∈ {17, 35}, K ∈ {128, 256}, and D = K
2, for averages of
the best three datasets (-•-), the worst three (-�-), and the remaining 19 (-N-).
36
unlike similar extraction methods produces keys with high entropy, the number of
bits extracted per sample is very low. Even at small Pbd, ARUBE produces 4 times
more bits per sample and up to 9 times more with larger Pbd.
Entropy Rate: We estimate the entropy rate of the generated secret key bits,
i.e., a quantification of the uncertainty of the bit sequence. If generated bits are
perfectly independent, they should achieve an entropy rate of 1. Although it is not
sufficient for a secret key to have a high entropy in order to be secure, it is necessary.
We generate bits from datasets using Pbd = 0.04, K = 256, and D = 128, and then
estimate the entropy rate using the approximate entropy test in the NIST’s statistical
test suite for random number generators [60]. The average and minimum values over
23 of the 25 datasets are listed in Table 2.6. The remaining two datasets had < 500
bits, not enough to estimate entropy.
Evaluation of Possible Attacker Success: In this paper we take a straight-
forward, if simplistic, view of the ability of an eavesdropper to obtain Alice and
Bob’s secret key. We provide one way to see how the ARUBE and HRUBE methods
perform when under attack from a passive listener. For both methods, Eve performs
bit extraction in the same manner as Alice and Bob. Eve overhears the Nc preliminary
measurements and the RSS values contained within the packets sent between Alice
and Bob to find U and {m(i)}i. We assume Eve knows the constants N , K and Pbd
that Alice and Bob use for bit extraction. The average percentages of bits Eve gets
correct for the HRUBE and ARUBE methods over the 16 datasets (where Eve was
present) are compared in Table 2.7.
2.9 Discussion
Assuming the best case for the HRUBE method, that it estimates the U and
{m(i)}i on the same data set which it then uses to extract bits, we see that the
ARUBE still outperforms the HRUBE. Both the ARUBE and HRUBE methods are
resistant to a passive evesdropper, as shown in Table 2.7. The ARUBE method
achieves higher entropy than the HRUBE method, and increasing N from N = 17 to
N = 35 also increases the estimated entropy rate for both methods (Table 2.6).
37
ARUBE generates up to 60% more bits compared to HRUBE method (Figure 2.7)
for low Pbd. For K = 256 and D = 128, the ARUBE achieves up to 25% more bits
for medium and high Pbd. For most datasets, the ARUBE achieves higher bit rate
at a given Pbd. The greatest improvements occur in datasets with high SNR. The
performance improvement is seen for both N = 17 and N = 35. We note that setting
K too low reduces the benefit of the ARUBE method, e.g., for K = 64 the two
methods are approximately equivalent.
Note that K can be set to an arbitrary integer. For instance, if Be = 0.8 and the
desired key length is 128 bits, it would be faster to collect and rank K = 10.8∗128 = 160
samples. After U is determined, at 50 samples per second, it would take a wireless
sensor 3.2 seconds to collect the required 160 samples for the secret key.
2.10 Conclusion
We presented a new method of secret key generation, ARUBE, that adapts to
the radio channel environment and the characteristics of the two wireless sensors in
use. Further, for medium and high SNR channels, the ARUBE produces more bits
per sample, thus reducing the number of transmissions (energy) required to produce
a given length secret key. In comparison with the HRUBE, another uncorrelated
bit extraction method, ARUBE extracts 30%-60% more bits in situations with high
SNR. ARUBE is shown to produce uncorrelated bits, is resistant to a simple passive
eavesdropper, and secret keys have an entropy rate above 0.97. The number of packet
transmissions and computational complexity are presented.
Future work should test simplifications and implementations of ARUBE. Algo-
rithms to reduce the computational complexity of the KLT exist and should be
tested. The offline version of ARUBE is implemented in TinyOS, and current work
is implementing the complete method.
38
Table 2.5. Bits per sample–Mathur et al.Pbd ≤ 0.0 0.0025 0.01 0.04 0.07
Best 0.074 0.077 0.082 0.088 0.089Middle 0.055 0.064 0.072 0.074 0.076Worst 0.0 0.032 0.05 0.057 0.057
Table 2.6. Average and Minimum Entropy Rates.N = 17 N = 35
Method Mean Min Mean MinARUBE 0.9808 0.9653 0.9833 0.9757HRUBE 0.9767 0.9433 0.9825 0.9712
Table 2.7. Percentage of bits Eve gets correct.Method Compared to Alice Compared to BobARUBE 50.19 50.53HRUBE 50.64 50.76
CHAPTER 3
BIT EXTRACTION FROM CIR USING A
BI-DIRECTIONAL RADIO CHANNEL
MEASUREMENT SYSTEM
3.1 Abstract
Experimental research in secret key extraction typically uses received signal strength
(RSS) measurements as a source for secret keys. In this paper we perform experi-
mental research using channel impulse response (CIR) measurements, one of the few
reports of experimental CIR-based secret key generation. Usually, bi-directional CIR
measurements require two channel measurement devices or a vector network analyzer
(VNA). To obtain measurements for this research we developed a novel electronically
controlled switching system that allows a single receiver and a single transmitter
to alternate the direction of measurement between two antennas, which provides
an inexpensive alternative for bi-directional channel measurement. We present a
description and analysis of such switching systems. We also introduce and apply a new
algorithm that extracts bits with high entropy from bi-directional CIR measurements.
We find that the rate of bit extraction from CIR measurements is up to eight times
faster than from RSS measurements.
3.2 Introduction
Concerns about the long-term security of public key cryptography have led to the
development of new approaches for data encryption. 1 One approach is to establish a
shared secret key between two transceivers based upon measurements of their shared
1This chapter is in second revision as J. Croft and N. Patwari. ”Bit extraction from CIR usinga bi-directional radio channel measurement system.” IEEE Transactions on Mobile Computing
40
radio channel [28]. Significant work has addressed the theoretical bounds for the
rate at which a secret key may be generated [72]. Fundamentally, this generation
rate is a function of the correlation between the channel measurements at the two
transceivers [47]. Experimental measurements are thus critical in order to determine
this correlation, as a function of the band, interference level, channel measurement
modality, and other channel parameters. Experimental data also allow development
and testing of algorithms for secret key generation [30].
This paper contributes to two of these critical areas. First we investigate a
novel means to make bi-directional measurements with only a single transmitter
and receiver. Second we describe a new method of extracting bits from channel
impulse response (CIR) measurements and experimentally demonstrate the method’s
performance.
Electromagnetic wave propagation between two antennas is, in fact, reciprocal
[68]; that is, at the same frequency and same time, signals sent in opposite directions
between two antennas experience identical changes in phase and amplitude. However,
measurements of the received signal at the two antennas are not identical. First,
additive thermal noise and interference from other devices on the same band con-
tribute to each receiver differently. Second, typical radios do not transmit and receive
simultaneously, and instead are time-division duplex (TDD). Thus measurements of
the channel at the two transceivers occur separated in time, during which time the
channel may change.
To accurately design secret key establishment schemes to be used with practical
TDD transceivers, which are subject to outside interference, one must have the
capability to perform bi-directional channel measurements. Significant experimental
secret key establishment research has been performed using measurements of received
signal strength (RSS) [30, 71, 53, 79, 26, 45, 20, 6]. In contrast, the experimental
use of channel impulse response (CIR) measurements in secret key establishment
is relatively rare in the literature, even as theoretical results have shown promise
[79, 26, 42, 75, 78].
In part, the relative scarcity of experimental research using CIR measurements
41
is due to the lack of inexpensive transceiver hardware with which to make the mea-
surements. Standard receivers either do not calculate CIR or do not export CIR
information to higher layers, thus specialized receivers must be designed or costly
RF measurement equipment used for the purpose. A single software radio or vector
signal analyzer / vector signal generator (VSA/VSG) can be used, but measuring a
bi-directional link between two transceivers would require two such systems. A vector
network analyzer (VNA) can also be used to measure the bi-directional radio channel.
In either case, such equipment can cost many tens of thousands of US dollars which
has limited their use in practice.
This paper has two main parts. In the first part, we present an inexpensive
electrically-controlled RF switch system that enables a single transmitter and single
receiver to be used to make bi-directional radio channel measurements. Rather than
using two transceivers, the system switches the direction of channel measurement
between two antennas. This direction-alternation uses four voltage-controlled RF
switches and a control system. The novelty of this switching system is that it removes
the distinction between the transmit and receive antennas, allowing existing uni-
directional equipment to make bi-directional measurements. The switching system is
simple and useful for a variety of channel measurement studies, yet we are not aware
of any prior published study of the characteristics or design of such a system. One
implementation described in Section 3.4 allows channel measurement between 0-3
GHz using inexpensive, commercial off-the-shelf (COTS) RF and control hardware.
There are two major limitations of the switching system. The first is that, if not
designed correctly, the leakage power through the switching system can be higher than
the desired power received through the wireless channel. We explore the design of the
system to keep the leakage power low in Section 3.4. The second is that due to cable
connections, the antennas cannot be separated by an arbitrary path length. Because
of the path length limitations, this system will be useful in indoor, or short-range
outdoor, radio channel measurement experiments. Many wireless networks are short
range such as intra-vehicle communication and wireless body sensor networks. In the
past these measurement studies have used a VNA [63], [65], [66], [3] but with the
42
proposed system a VNA is not required. Numerous studies of indoor propagation
use single TX, single RX measurement equipment [31], [5], [16], [34], [76]. Given the
similarity between this system and a vector network analyzer, we present this system
as an economical alternative to a vector network analyzer if a single TX, single RX
channel measurement system is available.
In the second part of this paper, we introduce and test a new algorithm for
secret key establishment from CIR measurements. We apply the developed switching
system to make bi-directional measurements of CIR in a time-varying channel and
use the measurement results to evaluate the performance of secret key generation,
including entropy, and the rate of generation of secret key bits. A key component
of the developed algorithm is to decorrelate measurements across time delay and
measurement time, so that the generated secret key bit stream has very high entropy
rate. We find that secret key bits can be generated from CIR measurements at
eight times the rate compared to RSS measurements. Further, we find that CIR
phase information, compared to CIR magnitude information, is a relatively minor
contributor to secret key establishment.
Section 3.3 summarizes research in the areas of channel impulse response mea-
surement and secret key establishment. In Section 3.4, we describe the power loss,
RF leakage and system limitations common to all four-switch systems and present an
example implementation to show how the components used affect the dynamic range
of the system. Section 3.5 describes three sets of measurements. In section 3.6 we
present the bit extraction method and show how it performs in terms of rate of bit
extraction and entropy rate. Section 3.7 concludes.
3.3 Related Work
This paper merges two typically disparate topics: RF channel impulse response
measurement, and 2) secret key establishment. Research which addresses secret key
establishment from CIR measurements has largely avoided experimental performance
analysis from bi-directional measurements. Research in RF CIR measurement has
presented few tools for bi-directional CIR measurement, except for the vector network
43
analyzer, which is extremely expensive and relatively slow. We describe both related
research areas here.
3.3.1 RF CIR Measurement
While measurement studies have characterized indoor and outdoor wireless chan-
nel characteristics including time of arrival and jitter [51, 54], channel impulse re-
sponse [17, 21, 55], and spatial and temporal fading correlations [1, 23], key extraction
from the wireless channel requires bi-directional measurements. With the exception
of [51], the cited measurement studies employed a single transmitter and a single
receiver. While a vector network analyzer (VNA) like in [51], does make bi-directional
measurements, no prior research has used these measurements to generate secret keys.
In this paper, we provide a new bi-directional channel measurement tool using
a set of RF switches. The use of RF switches to extend the usefulness of wireless
channel measurement equipment is not itself new. In general, transceivers use RF
switches or circulators to enable the use of one antenna with a separate transmit
and receive path. In addition, switched array wideband MIMO channel sounders like
those in [43], [4], [36], [70], [35], use RF switches. In these M×N MIMO systems, one
switch at the TX and one switch at the RX are used to select one antenna element of
the M or N antennas in the array to serially probe the M ×N channels. In contrast,
we use four switches to select which of two antennas the transmitted signal is sent and
to connect the receiver to the opposite antenna. The contribution of this system’s use
of RF switches is to remove the distinction between transmit and receive antennas
completely. Further, we consider the resulting isolation issues and contribute simple
engineering rules for system design.
3.3.2 Secret Key Establishment
Even over very short path lengths, security is of concern. For instance, wireless
body area sensor networks [3], [69] have path lengths of less than a meter and in a
health care setting, government regulations can require the privacy of the data col-
lected. In addition, in confined spaces such as airplanes [66], buses [65] or automobiles
[62] it might be desirable to keep information private from other passengers.
44
Secret key establishment uses the reciprocal nature of the wireless channel to
generate shared secret keys at two nodes, Alice and Bob, without prior agreement.
Because the channel is a time-varying, location specific filter, characteristics of the
channel at Alice and Bob are different than those at an attacker node, Eve. To
generate shared secret keys Alice and Bob measure some characteristic of the channel
over time and then extract bits from those measurements. Because Eve cannot
measure the same channel as Alice and Bob, she is unable to generate the same
secret key.
Secret keys extracted from channel measurements was first suggested by Hershey
[28]. Since then, many channel characteristics have been used including measurements
of phase [28, 61], channel impulse response [72, 79, 26, 42, 75, 78, 73], or amplitude
gain [30, 53, 71, 45, 20, 6, 7, 40].
Challenges for bit extraction include 1) the time correlated nature of channel
measurements, which reduce the cryptographic strength of the key unless accounted
for in algorithm design, and 2) the non-reciprocities which occur due to the half-duplex
nature of the channel measurements (since both transceivers cannot measure the
channel simultaneously). For the latter, in order to guarantee complete agreement
between the two generated secret keys, information reconciliation [11] is often used
to correct a small number of discrepancies without giving away the entire secret key.
For those papers with experimental results, received signal strength (RSS) is the
most common measurement modality because of its ease of collection. Equipment
used to measure the channel for secret key extraction include software radios [40],
wireless sensor nodes [53, 20], or wireless cards in laptops [30]. Nearly all of these
experimental results used one-dimensional data sources for key extraction with the
exception of [79, 26]. While [45] did collect CIR data, only the magnitude of the
dominant multipath component is encoded as bits for a secret key.
Simulated channel impulse response measurements have been used as a source for
secret keys [42, 75, 78, 73, 72]. Models for the simulated channels came from [25] and
ITU cellular channels, among others. Many of these papers establish upper bounds
for the maximum number of bits that can be extracted. For instance, [78] and [73]
45
both found the maximum number of bits extracted per measurement is affected by
the assumptions made about the signal to noise ratio and number of paths in the
channel.
Finally, [79], [26], and [75] (to a lesser extent) use experimental uni-directional
CIR measurements as the source for shared secret keys. In order to approximate
bi-directional measurements, the researchers collected data, switched the position of
transmitter and receiver and then collected more data. Both [79] and [26] make
the problematic assumption that the channel does not change between reciprocal
measurements and instead use movement of the transmitter and receiver in a static
channel as the sole source of randomness. In real-world situations, the channel
is dynamic, changing due to the movement of people, vehicles, tree leaves, etc.
The dynamic nature of the channel is both a benefit, when it is used to increase
the rate of secret key bit generation, and a source of bit disagreement, when it
happens more quickly than Alice and Bob can measure [30]. Bi-directional CIR
measurements are clearly important to the experimental evaluation of CIR-based
secret key establishment.
3.4 Analysis
In this section we present a bi-directional switching system which uses four RF
switches to alternate the direction of measurement between two antennas as shown
in Figure 3.1. The path of the transmitted signal is dictated by the system state. In
short, in state 1 the channel is measured from A2 to A1, while in state 2, the channel
is measured in the opposite direction.
Compared to a single transmitter and receiver that measure the wireless channel in
only one direction, the bi-directional switching system has more sources of power loss
due to the multiple switches and cables. These extra components may also introduce
non-reciprocities into the measurements due to uneven power loss. Further, it is
possible for the transmitted power to take a “wrong” path through the switches to
reach the receiver without traveling across the wireless channel. In this section we
explore the process of choosing system parameters based on design requirements.
46
3.4.1 Power Loss
First we consider the power loss between TX and RX in Figure 3.2. In addition to
path loss between antennas A1 and A2, further signal attenuation can be attributed
to switch insertion loss and loss in the cables. Traveling from TX to RX the signal
is attenuated by four switches and two cables. At this point we assume that switch
insertion loss is identical at each switch, denoted Lswitch in dB, and that the four
cables are identical in length and have loss Lcable in dB. While design equations can
be complicated by dB units, most specifications are reported in dB. Therefore, unless
otherwise noted, we will also use dB. The worst case total attenuation in dB suffered
by the signal arriving at RX, Lsignal, can be written as:
Lsignal = Lpath + 2Lcable + 4Lswitch (3.1)
where Lpath is the dB radio channel path loss between points F and L in Figure 3.2.
3.4.2 Leakage
Two types of leakage are possible. The first is leakage through the wireless channel
directly from the transmitter to the receiver, possibly due to imperfect shielding of
TX and RX components. The other type of leakage is through the switches. Referring
to Figure 3.3, switch leakage can either be across an open switch, either RF 1 or RF
2, to RF Common or through a switch from RF 1 to RF 2. As such, one switch has
two types of isolation. We call the dB isolation between RF 1 and RF 2, the two
poles of the switch, Ipole, and the dB isolation between RF Common and the open
connection, Iopen. At this point we assume that the switches have the same Ipole and
Iopen, but we remove this assumption when discussing the example realization at the
end of this section.
Figure 3.2 shows three different leakage paths. Consider the two leakage paths
through the switches. Both paths include two cables, Lcable, one RF 1-RF 2 isolation
Ipole, and one RF 1-RF Common isolation, Iopen. The isolation along one of the switch
leak paths is:
Ileak = Ipole + Iopen + 2Lcable (3.2)
47
Leakage directly from RX to TX also needs to be considered. We call the isolation
between RX and TX, Itr. The total power arriving at the receiver in dB, Pr, is the
sum of the signal power and the leakage power which add together in linear terms,
Pr = Pt + 10 log10
(10−
Lsignal10 + 2 · 10−
Ileak10 + 10−
Itr10
)(3.3)
where Pt is the transmit power in W.
We plot Pr versus Lpath for various switch and isolation characteristics in Fig-
ure 3.4. Depending on these characteristics there is non-linearity in the received
power equation. In particular, as Lpath →∞, Pr approaches a constant.
3.4.3 System Design
In order to design the system such that the linear range of (3.3) contains the
range of path losses we desire to measure, we must choose appropriate components.
In this section we provide guidelines for the selection of switches and system design
parameters. First we provide a rule of thumb for switch selection, and then we discuss
the requirements for TX/RX isolation.
As path loss, Lpath, increases, at some point the signal power will become domi-
nated by leakage power. Rewriting Equation 3.3 we have:
Pr = Pt − Lsignal + 10 log10 (1 + Esw + Etr) (3.4)
where,
Esw = 2 · 10−Ipole−Iopen+Lpath+4Lswitch
10 (3.5)
Etr = 10−Itr+Lpath+2Lcable+4Lswitch
10 (3.6)
Both Esw and Etr are error terms which cause non-linearity in the system response.
The error term Esw corresponds to the non-linearity that can be controlled by choice
of switch, while the error term Etr corresponds to the non-linearity that is affected
by the TX/RX isolation, Itr.
As we can see from (3.4), if Esw and Etr are zero, then the received power is linearly
related to the transmit power and the path loss. The extra losses, 2Lcable + 4Lswitch,
from (3.3) can be measured and removed in calibration.
48
Ignoring for the moment error contributed by the TX/RX isolation (Etr = 0), the
system response will be less than 3 dB in error due to switch leakage when Esw ≤ 1.
Setting (5) ≤ 1,
2 · 10−Lleak+Lpath+2Lcable+4Lswitch
10 ≤ 1 (3.7)
Simplifying and replacing Lleak with switch parameters,
Ipole + Iopen − 4Lswitch ≥ 3 + Lpath (3.8)
This equation relates switch parameters with measured path loss. When selecting
a switch, we must ensure that the left hand side of (3.8), Ipole + Iopen − 4Lswitch, is
greater than 3 dB plus the maximum path loss we expect to be able to measure.
For some applications, 3 dB error is likely to be acceptable since it is similar to
errors for typical path loss measurements, but for small scale fading, a more accurate
limit might be 1 dB. In that case,
2 · 10−Lleak+Lpath+2Lcable+4Lswitch
10 ≤ 0.25 (3.9)
Simplifying and replacing Lleak with switch parameters,
Ipole + Iopen − 4Lswitch ≥ −3 + Lpath (3.10)
Similarly, to quantify the requirements for TX/RX isolation, Itr, we can evaluate
Etr. If Etr ≤ 1, then the system response will be less than 3 dB in error due to
TX/RX leakage. This requirement along with (6) leads to,
Itr − 2Lcable ≥ Lpath + 4Lswitch (3.11)
The system response will be less than 1 dB in error due to TX/RX leakage when
Itr − 2Lcable ≥ Lpath − 6 + 4Lswitch (3.12)
Itr is a function of the TX and RX equipment used with the four switch system. It
can be measured by disconnecting the RF output of the TX and the RF input of
the RX and measuring received power. If Itr needs to be increased, the TX and RX
should be separated by a greater distance or extra shielding added.
49
The difficulty in increasing the distance between TX and RX is that it will require
longer cables and thus Lcable will also increase, decreasing the linear range of the
system. It will be important to use low loss cable as the length of the cable increases
in order to maintain an acceptable dynamic range.
In summary, a system designer should select a switch using the maximum expected
path loss and (3.8). Then the system designer should select cable and evaluate if Itr
is sufficient based on (3.11).
3.4.4 Example Realization
In this section we experimentally validate the desired dynamic range of the four
switch system. The individual components and nominal values for component pa-
rameters are listed in Table 3.1. To validate the dynamic range, we put increasing
amounts of attenuation between points F and L in Figure 3.2 using cable and a
variable attenuator. Figure 3.5 shows power at the receiver, Pr vs. the known
attenuation Lpath.
This is compared to the analytical Pr using (3.3) and measured values for loss
and isolation. These values ranged between 1.54 and 2.39 dB for Lswitch and between
44.84 and 53.21 dB for Iopen. We used Ipole = 50 dB as cited in the datasheet. As
discussed we found Itr = 111 dB. When taking this measurement, the noise floor of
the receiver was −125 dB. Because the insertion loss and isolation characteristics vary
slightly between the two sides of any switch, the dynamic response in the two states
are slightly different. This is especially evident at the bottom of the dynamic range.
Figure 3.5 shows that the linear range of the bi-directional measurement system
paired with our software radio has a dynamic range of 40 dB to around 85 dB. Within
that dynamic range, received power in state 1 and state 2 are nearly identical. The
non-linearity at the top of this range is caused by saturation of the A/D converter of
the software radio.
The measurements we present in this paper are at path losses much less than 85
dB, typically 70 dB. At 70 dB of path loss, leakage causes 0.11 dB of error in our
measurements. This is much smaller than typical path loss measurement errors.
50
(a) State 1. A2 is Transmitter
(b) State 2. A2 is Receiver
Figure 3.1. Redirecting the transmitted and received signals to measure bothdirections of the radio channel between antennas A1 and A2.
Table 3.1. Switching System ComponentsComponent Type Parameters
Switches Mini-Circuits ZX80-DR230+ Iopen = 48dB, Ipole = 50dB,Lswitch = 1.7dB
Output Controller ADAM-4050 Max. Switching Frequency= 83Hz
Cables 8 m LMR-400 coax 0.2 dB/m loss @ 2.4 Ghz
51
Figure 3.2. Labeled switch diagram in state 1. The correct path for the signalis {G,I,J,L,F,D,B,A}, however three incorrect paths are possible: directly fromtransmitter to receiver (-.), {G,H,E,D,B,A}(- -), and {G,I,J,K,C,A} (..).
3.5 Bi-Directional CIR Measurements
In this section we describe the bi-directional measurements made using our im-
plementation of the measurement system presented in Section 3.4. For completeness,
a description of the channel sounding equipment used is included.
3.5.1 Software Radio
Any existing radio channel measurement equipment could be used in conjunction
with the four switch system described in this paper; we use the Sigtek ST-515 software
radio. Among other characteristics, the ST-515 can measure the time delay, phase
and amplitude of multipath in the radio channel. It has two parts, a TX and an RX.
In normal operation, the TX is in a fixed position while the RX is mobile.
The TX consists of a direct sequence spread spectrum (DSSS) generator, up con-
verter (2.400 to 2.483 GHz) and a power amplifier. The RX contains a down converter,
snapshot digitizer and a computer running Matlab for control and computation, and
can collect nine measurements per second.
The RX measures the channel impulse response (CIR) over time, h(tn, τ),
h(tn, τ) = ejθ∑i
αi(tn)ejφi(tn)η(τ − τi(tn)) (3.13)
where αi(tn), τi(tn) and φi(tn) are the amplitude, delay and phase shift, respectively, of
the ith multipath component measured at time tn and η(τ) is the autocorrelation of the
52
Figure 3.3. One RF switch. RF common can be connected to either RF 1 of RF 2.
0 20 40 60 80 100 120Known Attenuation (dB)
�100
�80
�60
�40
�20
Rece
ived P
ow
er
.
(dB
rela
tive t
o t
ransm
it p
ow
er)
BaselineIpole=60
Itr=100
Lswitch=1
Figure 3.4. Possible linear ranges of four sets of parameters. Given baselineIpole = 50 dB, Iopen = 45 dB, Lcable = 2 dB, Lswitch = 2 dB and Itr = 111 dB,each plot other than baseline changes one parameter.
0 20 40 60 80 100 120 140Known Attenuation (dB)
�110
�100
�90
�80
�70
�60
�50
�40
�30
�20
Rece
ived
Pow
er
.
(dB
rela
tive
to tr
ansm
it po
wer
) measured state 1measured state 2calculated state 1calculated state 2
Figure 3.5. Known attenuation between junctions F and L plotted against receivedpower. Note that measurements and calculations were made assuming a transmitterfrequency of 2.44 GHz.
53
PN code signal. The PN autocorrelation function is a finite-bandwidth approximation
of the Dhirac impulse function. Due to the fact that RX and TX are not phase-
synchronous, θ is a uniform random(0, 2
π
)variable.
3.5.2 Measurements Collected
We present measurements from an indoor office environment with the objective of
characterizing the non-reciprocities that would exist in measurements of the radio
channel that two transceivers would experience during secret key establishment.
While the channel is reciprocal, measurements of the channel are not. Using the
four switch system in experiments allows us to characterize the channel that two
transceivers would utilize.
Figure 3.6. TX, RX, A1 and A2 locations. The TX and RX are next to oppositewalls of a rectangular room. The two antennas centered between them along the tworemaining walls.
In these experiments, the antennas are approximately 3.5 m apart as shown in
Figure 3.6 and are stationary. The type of motion in the wireless channel is changed
between datasets. In dataset A (Figure 3.7(a) and 3.7(b)), nothing is moving in the
room. In dataset B (Figure 3.7(c) and 3.7(d)), an experimenter is walking between
the antennas.
54
(a)
0.0 0.1 0.2 0.3 0.4 0.5 0.6Time Delay, �, (�s)
-130
-120
-110
-100
-90
-80
-70
Pow
er
(dB
)
�(�)
�(�) +�(�)
�(�)��(�)
(b)
(c)
0.0 0.1 0.2 0.3 0.4 0.5 0.6Time Delay, �, (�s)
-130
-120
-110
-100
-90
-80
-70
Pow
er
(dB
)
�(�)
�(�) +�(�)
�(�)��(�)
(d)
Figure 3.7. Bi-directional measurements for two data sets. Plots 3.7(a)and 3.7(c)and show 10 pairs of measurements. Power in dB is relative to transmit power.The dark plots are measurements from antenna A1 to A2. The light plots aremeasurements from antenna A2 to A1. The time between each measurement was0.11s. Plots 3.7(b) and 3.7(d) show the mean and the mean plus and minus thestandard deviation of 175 pairs of measurements.
55
The first two plots of Figure 3.7 show that measurements of channel impulse
response do not change significantly over time when there is no movement. However,
during movement in the wireless channel (Figures 3.7(c)- 3.7(d)) the measured CIR
varies.
The results are similar in the frequency domain. Figure 3.8 plots two subsequent
channel frequency response measurements from dataset A and two from dataset B.
The time between the two measurements is 0.11s.
In the final experiment we introduce time-varying interference into the channel.
We place three wireless sensors close to one of the antennas. The wireless sensor
modules have an IEEE 812.15.4 transmitter which is programmed to transmit at a
center frequency of 2.440 GHz at a transmit power of 0 dBm. The synchronized
wireless sensors alternate between 10 seconds of continuous packet transmission and
10 seconds of radio silence.
Figure 3.9 shows the magnitude of individual channel impulse responses. At tn >
45s the wireless sensor modules next to A2 are transmitting and interference is only
present on one side of link.
3.6 Secret Key Extraction
In this section we present a method of extracting bits from bi-directional measure-
ments to create shared secret keys. Tools for extraction of uncorrelated secret key bits
from RSS measurements are devleoped in [53] and [20]. This paper further develops
a method to generate uncorrelated secret key bits from channel impuse response
measruements. As with RSS measurements, the challenge for bit extraction is to
extract as many uncorrelated bits as possible with low probability of bit disagreement
between the keys generated at two transceivers.
For the sake of notational simplicity and in keeping with other work in this area,
we designate two nodes, Alice or “a”, and Bob or “b”, as the legitimate users. In
this case, Alice is at antenna A1 and Bob is at antenna A2. When we speak of Alice
measuring the channel we mean that she records the channel impulse response when
Bob is transmitting. After N measurements are made at each antenna, Alice and
56
Bob each have matrix Hc where,
Hc = [hc(1), . . . , hc(N)] (3.14)
Each CIR measurement, hc(n, k) = h(tn, kT ) from (3.13) as measured at node c ∈
{a, b}, has K measured time delays and is defined as,
hc(n) = [hc(n, 1), . . . , hc(n,K)]T (3.15)
Signal processing is used to remove correlation between subsequent channel mea-
surements and to mitigate non-reciprocities caused by the half-duplex nature of
channel and the unsynchronized TX and RX. This method has four steps: 1)
synchronize 2) interpolate 3) decorrelate 4) quantize. We describe each step in Section
3.6.2, and a block diagram is given in Figure 3.10.
3.6.1 Adversary Model
We assume that the adversary, Eve, can listen to all communications between
Alice and Bob. Eve can also measure both the channels between herself and Alice and
between herself and Bob at the same time when Alice and Bob measure the channel
between them for key extraction. We assume that Eve is more than a few wavelengths
away from Alice or Bob. We also assume that Eve knows the key extraction algorithm
and the values of the parameters used in the algorithm. We assume that Eve cannot
jam the communication channel between Alice and Bob. We also assume that Eve
cannot cause a man-in-the-middle attack, i.e., our methodology does not authenticate
Alice or Bob.
3.6.2 Method
Synchronize: The lack of time synchronization between transmitter and receiver
introduces non-reciprocities between measurements made by Alice and those made
by Bob in both the magnitude and phase of the signal. One simple method to
synchronize time delay is to shift the measurement so that the dominant (highest
power) multipath is at a known time delay, but if two paths of equal strength are
measured this will occasionally fail to align the signals, as shown in Figure 3.11. In
57
addition, the signals have a random rotation caused by slight differences in the carrier
frequencies (Figure 3.12). In order to maximize the number of bits extracted we need
to align the signals both along τ and in phase.
To correct the shift along τ we use the median of the magnitude of the signal in
linear units. The median of the nth measurement, kn, is the value of the first index
where the cumulative sum of |hc(n)| is greater than 12
∑Kk=1|hc(n, k)|. If this median
is significantly different than the index of the maximum, the signal is shifted.
We encode CIR samples from before and after the peak kn. Let k− and k+ denote
the number of CIR samples before and after the peak to be encoded, respectively.
From our measurements, we find that k− = 10 and k+ = 40 capture the samples that
are typically above the noise floor, and thus K = 51.
We can correct the phase offset by rotating each measurement so that the angle
of the sum of the channel impulse response is equal to zero. We find the offset, θc(n),
as
θc(n) = −∠K∑k=1
hc(n, k) (3.16)
where c ∈ {a, b}. Then for each measurement we shift, truncate and rotate. For
n = 1, . . . , N ,
fa(n) = [ha(n, kn − k−), . . . , ha(n, kn + k+)]T ejθa(n)
fb(n) = [hb(n, kn − k−), . . . , hb(n, kn + k+)]T ejθb(n)
We can extract bits from either the phase or magnitude information in fc. When
we refer to the encoding of magnitude information, we let fc = |fc|, and when we
refer to the encoding of phase information, we let fc = unwrap(fc). The next three
steps, interpolation, decorrelation and quantization are performed once for |fc| and
once more for ∠fc. We use unwrap(x) to denote the phase unwrapping of complex
vector x.
Finally, we denote matrix Fc as,
Fc = [fc(1), . . . , fc(N)] (3.17)
Interpolate: Like most transceivers, the presented bi-directional measurement
system is incapable of making simultaneous measurements in opposite directions. In
58
other words, it is not possible to measure from antenna A1 to A2 and measure the
channel from A2 to A1 at the same time. The time between measurements introduces
non-reciprocities.
We use a fractional delay interpolation filter to obtain an estimate of the channel
in both directions at a single point in time. The fractional delay between the nth
measurement made by Alice and the nth measurement made by Bob
µ =1
2
[tb(n)− ta(n)
T
](3.18)
where tb(n) and ta(n) are the arrival times of the nth signal at Bob and Alice
respectively.
We implement two fractional delay filters, one for each side of the link. W.l.o.g. we
assume that ta(n) < tb(n) so that µ > 0. The filters are applied to rows in Fc, where
Fc = [f1c, . . . , fkc]T and c ∈ {a, b}. If we interpolate points in fka where k = 1 . . . K so
each sample is delayed by (1+µ)T and interpolate points in fkb so that each sample is
delayed by (1−µ)T , we would have nearly simultaneous measurements. These delays
can be broken down into fractional, µ, and integer, i, delays. At each node:
µa = µ µb = 1− µ ia = 1 ib = 0 (3.19)
We implement the cubic Farrow filter [24]. For c ∈ {a, b}:
sc =[µ3c/6− µc/6,−µ3
c/2 + µ2c/2 + µc,
µ3c/2− µ2
c + 1,−µ3c/6 + µ2
c/2− µc/3]T
For each time delay, k = 1, . . . , K, we convolve fkc with the filter to obtain gTkc = fkc∗scand Gc = [g1c, . . . ,gkc]
T . The matrix of filtered signals Gc where c ∈ {a, b}, becomes
the input to the next step in the bit extraction process.
Decorrelate: Bits extracted from correlated measurements are likely to also be
correlated, thereby reducing the strength of the secret key. A valid solution would
be to sub-sample measurements far enough apart in time or space such that the
measurements are no longer correlated. However, this could reduce the rate of bit
extraction. Instead of sub-sampling, we use the Karhunen-Loeve transform to obtain
decorrelated measurements.
59
There are KN elements of Gc. The covariance matrix for all elements of Gc would
have K2N2 elements. To avoid dealing with such a large matrix, we decorrelate along
the columns of Gc = [gc(1), . . . ,gc(N)] and then along the rows.
Given one synchronized, interpolated measurement, gc(n) we decorrelate by
yc = UTg (gc(n)− µg) (3.20)
where µg is the mean of gc(n) and Ug is the decorrelation matrix. The decorrelation
matrix, Ug, is found from the singular value decomposition (SVD) of the covariance
matrix, Rg = cov(gc(n)), such that, Rg = UgSgUTg , where Sg is a diagonal matrix of
eigenvalues. The decorrelated vectors, yc are the columns of Yc = [yc(1), . . . ,yc(N)].
Decorrelation of the components in time is very similar to the above step. However,
because each of the K rows of Yc = [y1c, . . . ,ykc]T are correlated differently over time,
we need to estimate a covariance matrix and calculate the SVD to find a decorrelation
matrix for each row. Given the kth row at node c, ykc, we decorrelate by
zkc = UTk (ykc − µk) (3.21)
where µk is the mean of ykc and Uk is a matrix that transforms ykc into uncorrelated
components. The decorrelation matrix, Uk is found from the SVD of the covariance
matrix, Ry = cov(ykc) such that Ry = UkSkUTk .
The covariance matrices are estimated using measurements made in both direc-
tions. In order for Alice and Bob to each have a copy of all measurements this data
must be exchanged between them over an unsecured channel. Since an evesdropper
would be expected to overhear this exchange, preliminary measurements used to
estimate the covariance matrices are not used for secret key bit extraction. Then
further measurements are collected and decorrelated for bit extraction.
Quantization: The next step is to quantize the decorrelated measurements.
While we want to maximize the number of bits extracted from each decorrelated
value, we also want to limit the probability of bit disagreement, Pbd. We apply
multi-bit adaptive quantization [53] (MAQ), which achieves a high rate of bits per
sample for a desired Pbd. The number of bits extracted from each zkc depends on the
correlation between the reciprocal components and the desired, or target, Pbd.
60
3.6.3 Results
Data: We collected 3200 pairs of bi-directional CIR measurements using the four
switch system described previously. The dataset was split in half, with 1600 pairs of
measurements used to estimate the covariance matrices and 1600 pairs from which
bits were extracted. The antennas were placed 3 meters apart. An experimenter
walked at a slow pace (0.1 meters per second) in a circle between the antennas while
the measurements were conducted.
Bits Extracted: The above bit extraction method was applied separately to the
magnitude and then to the phase of the measurements. The number of bits extracted
per measurement for a range of Pbds are plotted in Figure 3.13.
A wideband estimate of RSS can be found from the CIR measurements by finding
the area under the magnitude of the CIR signal [57]
r(n) = 10 log10
K∑k=1
|h(k, n)|2 (3.22)
for n = 1 . . . N . For comparison we applied a similar bit extraction method to
these calculated RSS values. The bits per measurement vs. the probability of bit
disagreement for the calculated RSS values are plotted in Figure 3.14.
Key Strength: We used NIST’s approximate entropy test from the randomness
test suite [60] to find the entropy rate of keys generated using this bit extraction
method. The average entropy rate was 0.9847 for magnitude and 0.9870 for phase.
For comparison the average entropy rate for keys generated from the RSS data was
0.9846. An ideal bit stream has entropy rate 1.0.
While high entropy is necessary for a strong key, it is not sufficient since the key
must also be random. We used additional tests from NIST’s randomness test suite
to help determine if the keys were random. Each of the 11 tests is a hypothesis test
that evaluates randomness based on a characteristic of the sequence. The p-values
for these tests are in Table 3.2 for two target Pbd = 0.4, 0.75 for CIR magnitude data
and Pbd = 0.04 for estimated RSS data. A p-value of greater than 0.01 is considered
as passing, though values closer to 1 are judged to be more random.
61
2.420 2.425 2.430 2.435 2.440 2.445 2.450 2.455 2.460Frequency (GHz)
-140
-120
-100
-80
-60
Att
enuati
on (
dB
)
State 1State 2
(a)
2.420 2.425 2.430 2.435 2.440 2.445 2.450 2.455 2.460Frequency (GHz)
-160
-140
-120
-100
-80
-60
-40
Att
enuati
on (
dB
)
State 1State 2
(b)
Figure 3.8. Example bi-directional measurements in the frequency domain for (a)dataset A and (b) dataset B.
Table 3.2. NIST p-valuesCIR RSS
NIST Test Pbd = .04 Pbd = .075 Pbd = .04Approx. Entropy 0.752 0.833 0.146
Block Freq. 0.998 1.0 0.911Cum.Sum Forward 1.0 1.0 0.942Cum.Sum Reverse 1.0 1.0 0.737
FFT 0.751 0.974 0.854Freq. 0.989 0.992 0.643
Linear Comp. 0.423 0.313 0.677Template 0.763 0.506 0.394
Rank 0.791 0.626 0.742Runs 0.642 0.483 0.765Serial 0.584 0.569 0.655
62
0.0 0.2 0.4 0.6 0.8 1.0 1.2 1.4 1.6Time Delay, �, (�s)
�150
�140
�130
�120
�110
�100
�90
�80
�70
�60R
ece
ived P
ow
er
.
(dB
rela
tive t
o t
ransm
it p
ow
er) tn =37.4s
tn =37.51
(a)
0.0 0.2 0.4 0.6 0.8 1.0 1.2 1.4 1.6TimeDelay, �, (�s)
�150
�140
�130
�120
�110
�100
�90
�80
�70
�60
Rece
ived P
ow
er
.
(dB
rela
tive t
o t
ransm
it p
ow
er) tn =48.84s
tn =48.95s
(b)
Figure 3.9. (a) When interference source is off, subsequent CIR measurementsbetween A2 to A1 (tn = 37.4s) and from A1 to A2 (tn = 37.51s) are nearlyidentical. (b) When interference source is on, CIR measurements between A2 toA1 (tn = 48.84s) are unchanged while those from A1 to A2 (tn = 48.95s) showinterference.
63
Fig
ure
3.1
0.
Sec
ret
key
bit
extr
acti
onfr
omC
IRm
easu
rem
ents
invo
lves
synch
roniz
atio
n(p
has
ean
dti
me
del
ay),
inte
rpol
atio
n(u
sing
frac
tion
aldel
ayfilt
ers c
),dec
orre
lati
on(a
cros
sti
me
del
ayτ
and
tim
et)
,an
dquan
tiza
tion
(usi
ng
mult
i-bit
adap
tive
quan
tiza
tion
).
64
20 40 60 80 100 120τ index, k
0.00
0.01
0.02
0.03
0.04
0.05
0.06
0.07
0.08
0.09
Norm
alized M
agnit
ude,
|h(n
)| Alice
Bob
Figure 3.11. Two CIR measurements made by Alice and Bob. Aligning the indicesof the dominant multipath does not always align the signals.
−0.06 −0.04 −0.02 0.00 0.02 0.04 0.06Real Part
−0.05
0.00
0.05
0.10
0.15
Imagin
ary
Part
CIR 1
CIR 2
CIR 3
CIR 4
Figure 3.12. CIR measurements showing the random rotation which must beremoved before bits can be extracted.
3.6.4 Discussion
Using the presented bit extraction method, we can extract 3.89 times more bits
for a Pbd = 0.1 from CIR measurements than from RSS measurements and 7.84 times
for a Pbd = 0.04 (Table 3.3). Keys extracted from CIR measurements using the above
method have a high entropy rate and have been tested by the NIST randomness test
suite to have characteristics consistent with random bit sequences.
65
0.00 0.01 0.02 0.03 0.04 0.05 0.06 0.07Probability of Bit Disagreement
0
1
2
3
4
5
6
7
8
9
Bit
s p
er
Measure
ment
(magnit
ude)
(a) Bits from Magnitude
0.00 0.02 0.04 0.06 0.08 0.10Probability of Bit Disagreement
0.0
0.2
0.4
0.6
0.8
1.0
1.2
Bit
s p
er
Measure
ment
(phase)
(b) Bits from Phase
Figure 3.13. (a) Number of bits extracted per measurement from |H| for variousPbd (b) Number of bits extracted per measurement from ∠H.
Table 3.3. Bits per Sample ComparisonBits Extracted Per Sample From: Improvement
Pbd CIR Mag CIR phase RSS0.01 1.0 0.09 0.28 389%0.02 1.9 0.18 0.42 495%0.04 4.8 0.38 0.66 784%
66
0.00 0.02 0.04 0.06 0.08 0.10Probability of Bit Disagreement
0.2
0.4
0.6
0.8
1.0
1.2
1.4
Bit
s p
er
Measure
ment
Figure 3.14. Number of bits extracted per RSS measurement for various Pbd
With this algorithm many more bits are extracted from the magnitude of CIR
measurements than the phase. This is due in part to the aliasing nature of the
(−π, π) phase signal. Although the phase was unwrapped, the unwrapping algorithm
was ignorant of the relationship between hc(n) and hc(n+1). This could have caused
discontinuities between subsequent measurements that may have introduced non-
reciprocities in some measurement pairs.
3.7 Conclusion
This paper presents a four switch system built from off-the-shelf hardware that
economically extends the usefulness of pre-existing radio channel measurement equip-
ment. By alternating the direction of measurement using RF switches, this sys-
tem allows a software radio with a single TX and single RX to make bi-directional
measurements. We presented design equations that take switch, channel and cable
characteristics into account in order to ensure that the leakage power is kept low.
These design equations can be applied to any similar four switch system. Using these
equations we showed the effect of switch characteristics on the expected linear range
of the system.
The switching system allowed the collection of bi-directional channel impulse
response measurements which were used to evaluate a new bit extraction algorithm.
67
This bit extraction method does not rely on the assumption of a static channel with
moving transmitters and receivers. Instead, it can take advantage of the dynamic
nature of the channel itself. We found that the bit extraction method produces
bits with a high entropy rate and characteristics consistent with those of random
bit sequences. The rate of bit extraction from CIR measurements is nearly 8 times
greater than the rate of bit extraction from RSS measurements for a 0.04 probability
of bit disagreement.
CHAPTER 4
RECIPROCAL FADING SIGNAL ESTIMATION
METHODS FOR SECRET KEY
ESTABLISHMENT
4.1 Abstract
Methods for secret key establishment (SKE) from bi-directional radio channel
measurements have largely assumed that measurements are made simultaneously.
Practical time-division duplex (TDD) transceivers measure the two directions of a
radio link at different times. Further, other users of the channel create multiple access
delays which result in random and irregular measurement times. In this paper we
explore estimation methods which allow two TDD transceivers on multiuser channels
to reduce the disagreement between their channel measurements, which improves their
ability to extract shared secret key bits from them. We present a novel estimation
method which uses side information to increase the bit extraction rate up to 50%
compared to without side information.
4.2 Introduction
Secret key establishment (SKE) from bidirectional channel measurements is a
method for two wireless devices to obtain a shared secret key without communicating
any information about the key to an eavesdropper. The two transceivers make
measurements of the multipath fading channel, which serves as a joint source of
randomness between them that is not known by an eavesdropper at a different
location, because the channel reflects the uniqueness of the time and space in which
it was created [6, 30, 61]. SKE is a tool for information theoretic security, which, in
69
contrast to computational security, makes no assumptions about the computational
limitations of an eavesdropper, but may require a secret key rate as high as the
information rate of the secret message being exchanged [64]. Thus increasing the
rate at which secret key bits can be reliably extracted from bidirectional channel
measurements is a critical requirement for practical systems. This paper provides
methods to increase the agreement between the two directional measurements and
thus increase the extraction rate.
The radio channel at the same frequency and same time is reciprocal, however,
bidirectional measurements of the channel are not. First, additive noise, interference,
and hardware differences cause errors in the channel measurements. Second, time-
division duplex transceivers are unable to transmit and receive simultaneously, thus
one cannot sample the two directions of the channel at the same time. In packet-
switched networks, measurements are made only when the devices are able to access
the channel to send a packet. In a multiuser channel, packets are delayed non-
deterministically by other users’ traffic, and thus measurements are made at random
and irregular intervals[58].
The non-identical, irregular measurement times in multiuser channels can cause
severe degradation in the performance of bit extraction methods. We first experienced
these problems during a demonstration of SKE on two 802.11 devices at the ACM
MOBICOM conference in 2010 [19]. While our SKE implementation worked well in
the lab, among a high density of active 802.11 devices in the demo session, our devices
experienced many very long multiple access delays, and as a result the bit extraction
rate was very low.
Our work addresses the practical, real-world problems caused in SKE from the use
of noisy channel measurements taken at non-identical, irregular sample times. These
problems are common to TDD devices which operate in multiple access channels.
We study, in particular, the estimation of what we term the reciprocal fading signal,
that is, the channel state between two transceivers which is measured in noise and
at different, potentially irregular, sample times at the two different devices. We
compare different interpolation and regression methods, including fractional delay
70
interpolation (FDI), polynomial interpolation (PI), and Gaussian processes regression
(GPR), which estimate the value of the reciprocal fading signal at common times. FDI
is used in related research [53], and we show it is insufficient in the case when channel
measurements are noisy and irregular. We also investigate the use of side information
(obtained from public discussion) at the two transceivers to increase performance,
in a method we call GPR with side information (GPRSI). We evaluate performance
using experimental measurements made with Nexus One phones (802.11) and TelosB
wireless sensors (802.15.4). We show, for example, that GPRSI can achieve a bit
extraction rate up to 50% higher than GPR.
We provide a short summary of related research in Section 4.3. In Section 4.4
we set up the problem. In Section 4.5 we examine four methods of estimating the
reciprocal fading signal using interpolation and regression. Section 4.6 describes the
differences in the two testbeds we use to experimentally evaluate the four estimation
methods. In Section 4.7 we show how these methods affect the bit extraction and the
error between Alice’s and Bob’s estimation. Section 4.8 forms the conclusion.
4.3 Related Research
Shared secret key extraction from channel characteristics was first described in [28].
Since then several efforts have designed and evaluated bit extraction schemes using
many different channel characteristics. Some of these characteristics are angle of
arrival [6], phase [28, 61] and received signal strength [45, 30, 53] ,[7, 71], [45]. Of these,
received signal strength (RSS) is most commonly studied because RSS measurement
capability is ubiquitous in standard commercial devices.
While signal processing has been used to increase the bit extraction rate in SKE
methods reported in the literature. Most of the signal processing techniques have
been computationally inexpensive such as a low pass filter [45, 71] fractional delay
interpolation [53] or ranking [20]. In all cases, these techniques have been performed
independently at the two nodes.
Public discussion between two parties is an important means to reliably establish
secret keys from shared random variables [46]. Usually this has included sharing
71
information about the collected measurements. Information has been shared to
facilitate various quantization methods [45, 53, 15] and for information reconciliation
[11] which corrects a small number of discrepancies between the shared secret keys.
How much of this information is exchanged and in what manner is carefully addressed
to keep the secret key safe from eavesdroppers. In this paper, we study the use of a
particular example of public discussion, that is, the exchange of one bit of information
about the measurement, in order to improve reciprocal fading channel estimation.
While public discussion for other tasks within bit extraction is common, few
estimation methods have taken advantage of information publicly shared between
Alice and Bob. In this paper we present a way for Alice and Bob to estimate
the reciprocal fading signal using Gaussian processes regression. Gaussian processes
regression (GPR) is a useful tool for wireless sensor networks that has been used
mainly to estimate a spatial field using data collected by sensors nodes. Examples
include GPR for environmental sensor networks [50], adaptive sampling [33] and
sensor network deployment [37]. GPR estimates the value of a signal at unobserved
points in time based upon observed measurements and a covariance function and,
unlike some interpolation techniques such as fractional delay interpolation, GPR can
take noisy measurements into account. Since it is possible for the two nodes to
share the covariance function as well as some information about the noise of each
measurement with respect to the actual fading signal, GPR can be used to improve
reciprocal fading channel estimation.
4.4 Problem Statement
We assume that Alice and Bob make measurements of a reciprocal channel. These
measurements are not identical due to noise and the inability of Alice and Bob measure
the channel at identical times. The object is to estimate the underlying reciprocal
fading signal, y(t), from these noisy, offset measurements.
Many channel characteristics can be used for secret key establishment (SKE), but
received signal strength (RSS) is most common. To measure the RSS, Alice and
Bob exchange n packets as fast as possible. Upon receipt of Alice’s ith packet, Bob
72
measures the RSS and sends a packet to Alice, who also measures RSS. After data
collection ends, Alice and Bob each have a vector of RSS values,
wc = [wc(1), . . . , wc(n)] (4.1)
where c ∈ {a, b}. We use subscripts a or b to refer to Alice and Bob respectively.
These measurements were made at times
tc = [tc(1), . . . , tc(n)] (4.2)
We assume that Alice and Bob are time synchronized and that error in measuring
the times tc or error due to clock-skew is much less than the smallest sample period,
T = tc(i+ 1)− tc(i). Alice and Bob also collect Nc calibration measurements that are
shared between the two nodes. Since the RSS values are exchanged over an unsecured
channel, we assume that an eavesdropper has knowledge of these measurements and
so they are not used as part of the secret key.
While the channel is reciprocal, Alice and Bob’s measurements, wc, are noisy, so
that,
wc(tc(i)) = y(tc(i)) + ε(tc(i)) (4.3)
where y(t) is the reciprocal fading signal sampled at times tc(i) and ε(t) is noise at
time tc(i). We assume that y(t) is a wide-sense stationary (WSS) process.
Equation 4.3 makes it clear that non-reciprocities, the reasons that wa(i) 6= wb(i),
come from two sources:
1. Alice and Bob are unable to measure the channel at identical points in time.
2. The measurements themselves are noisy.
The problem studied in this paper is to have Alice and Bob separately or with some
shared knowledge estimate the reciprocal RSS signal y(t) at common points in time.
We denote these common times as t∗,
t∗ = [t∗(1), . . . , t∗(n)] (4.4)
73
where t∗(1) < · · · < t∗(n), and generally the ith common time is between the ith
sample times of Alice and Bob, ta(i) ≤ t∗(i) ≤ tb(i). The problem then is for Alice
and Bob to estimate yc, where
yc = [yc(t∗(1)), . . . , yc(t∗(n)) (4.5)
for c ∈ {a, b}. Throughout this paper values of t∗ are calculated as,
t∗ =1
2(tb + ta) (4.6)
This paper explores polynomial interpolation, fractional delay interpolation and
Gaussian processes regression as ways of increasing the number of bits that can be
extracted by mitigating non-reciprocities in Alice’s and Bob’s measurements.
4.5 Estimation Methods
Interpolation and noise reduction with non-uniform samples is a general problem
with wide applicability. These problems are experienced regardless of measurement
type and regardless of the bit extraction methodology as long as the measurements are
TDD. While some systems can be designed to prioritize transmission and reception
for secret key extraction, practical systems will need to be robust to non-uniformity
in order to operate on general-purpose devices, in multiple-user interference and at
very low received power. In this section we describe four methods for mitigating noise
in bi-directional TDD channel measurements that can be categorized as interpolation
or regression.
In broad terms, interpolation is used to align sample instances or to find the value
of a signal at unobserved points in time when the signal is bandlimited, sampled
above it’s Nyquist rate with no noise, εc(i) = 0. Regression, on the other hand, is
used to estimate the real signal in the presence of noise. Since the measurements of the
reciprocal fading signal are both unaligned in time and noisy, it is possible that both
interpolation and regression are needed depending upon the wireless environment.
4.5.1 Polynomial Interpolation
In order to estimate the value of a signal at unobserved points in time t∗, poly-
nomial interpolation (PI) fits a polynomial of order q to measured values. For
74
band-limited signals, a cubic polynomial (q = 3) is often used since it is a reasonable
approximation of a sinc function [24]. The polynomial used to estimate the reciprocal
fading signal can be written as,
y(t∗(i)) = a3t∗(i)3 + a2t∗(i)
2 + a1t∗(i) + a0 (4.7)
The polynomial coefficients, a = [a1, a2, a3, a4], are found by solving a system of
equations:
Πa = wc (4.8)
where Π is tc(1)3 tc(1)2 tc(1) 1tc(2)3 tc(2)2 tc(2) 1tc(3)3 tc(3)2 tc(3) 1tc(4)3 tc(4)2 tc(4) 1
(4.9)
and wc = [wc(1), wc(2), wc(3), wc(4)]T
Solving for a,
a = Π−1wc (4.10)
the estimated reciprocal fading signal becomes,
y(t∗(i)) =[t∗(i)
3, t∗(i)2, t∗(i), 1
]Π−1wc (4.11)
where the coefficients of the polynomial filter are hPIc = t∗Π−1 and assuming Π is
invertible. The filter coefficients hPIc are only dependent upon the time at which the
reciprocal fading signal is estimated t∗(i) and the times at which the fading signal
was measured, tc.
If all adjacent sample instants, tc(i) and tc(i + 1), are the same distance apart
and the time value to be interpolated is delayed by the same amount with respect
to tc, the system of equations only has to be solved once. This is referred to as
fractional delay interpolation [24]. However, if tc(i+ 1)− tc(i) is not a function of i,
the system of equations must be solved for each set of four adjacent samples and new
filter coefficients found for each new interpolated time, t∗(i). The advantage of PI is
that it is able to interpolate any t∗(i) even with non-uniform samples.
75
4.5.2 Fractional Delay Interpolation
If the sampling period is constant, ie., T = tc(i+1)−tc(i) for all i and for c ∈ {a, b},
then a fractional delay interpolation (FDI) filter can be used to mitigate half-duplex
noise. FDI filters have been used to synchronize sampling in digital modems and
in sound recording [38]. Similarly to PI, we want to to estimate the value of the
reciprocal fading signal, y(t), at unobserved points in time, t∗. The estimated signal
is,
y(t∗(i)) = hFDIc (4)wc(i− 2) + hFDIc (3)wc(i− 1) + (4.12)
hFDIc (2)wc(i+ 1) + hFDIc (1)wc(i+ 2)
The polynomial interpolator is a general case for FDI.
If Alice and Bob are sampling at the same rate, the fractional delay between the
ith measurement by Alice, wa(i), and the ith measurement made by Bob, wb(i), is,
µ =1
2
[tb(i)− ta(i)
T
](4.13)
where tb(i) and ta(i) are the arrival times of the ith packet at Bob and Alice respec-
tively and T is the (constant) sample period.
We implement two fractional delay filters, one each at Alice and Bob. W.l.o.g. we
assume that ta(i) < tb(i) so that µ > 0. If we interpolate points in wa so that the ith
sample is delayed by (1 + µ)T and interpolate points in wb so that the ith sample is
delayed by (1−µ)T , we would have nearly simultaneous measurements. These delays
can be broken down into fractional, µ, and integer, d, delays. At each node:
µa = µ µb = 1− µ da = 1 db = 0 (4.14)
We implement the cubic Farrow filter [24]. For c ∈ {a, b}:
hFDIc =[µ3c/6− µc/6,−µ3
c/2 + µ2c/2 + µc,
µ3c/2− µ2
c + 1,−µ3c/6 + µ2
c/2− µc/3]T
(4.15)
Assuming a uniform sample period t∗ = ta + µ = tb + T − µ. Figure 4.1(a) shows
a diagram of the sampled and interpolated time instances for uniform measurements.
76
For non-uniform samples, Figure 4.1(b), the interpolated times are no longer aligned
at Alice and Bob and ta + µ 6= tb + T − µ. Polynomial interpolation and Gaussian
processes regression, which we discuss in the following sections, are able to interpolate
values that even with non-uniform samples are aligned in time as shown in Figure
4.1(c). To make a fair comparison between those and fractional delay interpolation
we will assume that t∗ is still half way between Alice’s and Bob measurements as in
(4.6)
4.5.3 Gaussian Processes Regression
Gaussian process regression (GPR), known as kriging in the field of geostatistics,
can be used for interpolation or regression. A Gaussian process is completely specified
by its mean function and covariance function [59]. While wc is not exactly Gaussian,
previous analysis using the assumption of a Gaussian distribution for similar data has
been demonstrated to be experimentally accurate [53]. The mean function m(t) and
the covariance function k(t, t′) of a real process y(t) are defined as,
m(t) = E[y(t)] (4.16)
k(t, t′) = E[(y(t)−m(t))(y(t)−m(t)′)] (4.17)
If we could measure the real y(t), and given m(t) = 0, the joint distribution of
the n observations, yc at times tc, and the n∗ targets or unobserved points y∗ =
[y∗(i), . . . , y∗(n∗)], at times t∗ = [t∗(1), . . . , t∗(n∗)] is,[yy∗
]∼ N
(0,
[K(t, t) K(t, t∗)K(t∗, t) K(t∗, t∗)
])(4.18)
where [K(t, t∗)]ij = k(t(i), t∗(j)) and [K(t, t)]ij = k(t(i), t(j)). Essentially, K(t1, t2)
is the covariance matrix of y(t1) and y(t2)), for some vectors of sample times t1, t2.
If noise is present, the function y(t) cannot be accurately determined and instead
a noisy version is obtained: wc(i) = y(tc(i)) + ε. If the additive noise, ε, is i.i.d
Gaussian noise with variance σ2ε , the prior on the noisy observations becomes,
cov(wc) = K(tc, tc) +Kε (4.19)
77
where Kε = σ2ε I and assuming ε and y(t) are uncorrelated. The joint distribution of
the observed values, wc = [wc(1), . . . , wc(n)], and the target values under the prior
are [wc
y∗
]∼ N
(0,
[K(tc, tc) +Kε K(tc, t∗)K(t∗, tc) K(t∗, t∗)
])(4.20)
From this distribution, predictive equations for the target values can be derived as
y∗|wc ∼ N (y∗, cov(y∗)) (4.21)
y∗ = K(t∗, tc)[K(tc, tc) +Kε]−1wc, (4.22)
cov(y∗) = K(t∗, t∗)−K(t∗, tc)[K(tc, tc) +Kε]−1K(tc, t∗) (4.23)
where y∗ in (4.22) is the predicted mean value of y(t) at times t∗. We use y∗, which is
the minimum mean square error (MMSE) estimator [77], as our estimate of the real
fading signal, y(t∗).
While it would be possible, if computationally expensive, to perform Gaussian
processes regression over an entire dataset, similar results can be obtained if the
dataset is split into subvectors and GPR performed over each subvector. The length
of a subvector is determined in part by the estimated covariance function. We chose
a subvector length of J = 200 for the 802.11 RSS data and J = 100 for the 802.15.4
RSS data.
4.5.3.1 Covariance Function
For time-series data, the covariance function relates how much two variables
change together verses separation in time. If the covariance function is not known it
is to common to use a general covariance function such as the Matern or Euclidean
functions [67]. However, for RSS data, we are able to find a covariance function for
each dataset using the Nc calibration measurements that Alice and Bob have shared
between themselves.
For uniformly sampled wide sense stationary data, estimating the covariance
function k(t) is straight forward. First finding the covariance matrix as
Kwa,wb= 1
2j−1
[∑ji=1(w
(i)a − µa)(w(i)
a − µa)T+ (4.24)
(w(i)b − µb)(w
(i)b − µb)T
]
78
where µc is the mean value of wc and w(i)c is the jth sub vector of length j = 200 at
node c. The covariance function k(t) is the j2
row of Kwa,wb.
For non-uniformly sampled data, we can use the Wiener-Khintchine theorem to
estimate the covariance function. The Wiener-Khintchine theorem relates the power
spectral density (PSD) of a signal, w(t), to its autocorrelation function. The cross
spectral density of wa(ta) and wb(tb) is,
Sa,b(f) = 1NK
∑Kk=1
[∑Nn1=1wa(n1 + k)e−j2πfta(n1+k) (4.25)∑N
n2=1wb(n2 + k)e−j2πf [tb(n2+k)]
where f is the frequency of interest and wc is wide sense stationary. The auto
covariance function Ra,b(τ), is then calculated as the inverse Fourier transform of
Sa,b(f), by the Wiener-Khintchine theorem [77]
4.5.4 Gaussian Processes Regression with Side Information
Many forms of exchange of information between Alice and Bob are used in SKE
research to improve the reliability and secrecy of extracted keys, including methods
called information reconciliation [11] and public discussion [46]. We suggest that such
methods can be used to improve the estimate of the reciprocal fading channel. In
order to investigate this, we propose one method based on Alice and Bob exchanging
one bit of information, which we call an ”e-value”, about their measurements
In order to improve reciprocal fading channel estimation, Alice and Bob publicly
exchange one bit of information about each wc(i) measurement and incorporate this
measurement in GPR. This one bit of information will allow Alice and Bob to decide
if their measurements are likely to agree when quantized. Then, based on this side
information they alter theirKε matrix in (4.20 - 4.23) toKε = diag([γ2(1), . . . , γ2(n)]).
How γ2(i) is set is explained below.
Although this method is based on GPR, due to the incorporation of side informa-
tion it is not rigorously GPR for two reasons. First, knowing one bit of information
changes the distribution of the measurements so the measurements can no longer
be assumed to resemble a Gaussian distribution. Second, knowledge of the side
79
information received by Alice and Bob alters the conditional covariance of wc and y∗
in a very complicated way. Although the actual covariance matrix of wc and y∗ given
the side information has every element altered compared to (4.20), for simplicity,
we alter only the variance of the elements of wc, that is, the diagonal elements of
Cov(wc). We show in the results that the incorporation of this side information,
although a heuristic in some sense, allows us to better estimate y(t) at both Alice
and Bob in order to extract more bits.
4.5.4.1 Public Exchange of Side Information
Alice and Bob each quantize their measurements, wa and wb, into K number of
bins and assign each measurement an e-value based on the bin. The measurements
that fall into odd numbered bins are 0’s and the measurements that fall into the
even numbered bins are assigned 1’s. Alice and Bob then exchange their vectors of
e-values. The bins must be determined so that Eve does not learn anything about
the expected value of wc(i) given e(i). There are many possible ways to achieve this,
but here we place values in bins based upon the distribution of wc.
The bin thresholds are found so that the probability of a single measurement
being assigned an e-value of 0 or 1 is equally likely. We look at the cumulative
distribution function (CDF) of the measurements to determine the thresholds. Lef
Fi(w) = P [wa(i) ≤ w] be the CDF of wa. For K is odd, the bin thresholds, ηk, are
determined as
ηk = F−1(
2k − 1
2(K − 1)
), for k = 1, . . . , K − 1 (4.26)
and η0 = −∞ and ηK = ∞. If K = 3 then η = [−∞, F−1(14), F−1(3
4),∞]. The n
measurements, wc, are then quantized so that
k(i) = maxk{k s.t. wa(i) > ηk} (4.27)
and we define e(i) as
e(i) = k(i) mod 2 (4.28)
for each measurement, i = 1, . . . , n.
80
If K odd it is possible to assign bins without the e-values giving away information
about the expected value of wc(i), although it can be said that measurements with
e = 1 have a higher sample variance than measurements with e = 0. We do not
consider the case of K even because it is not possible to assign e-values without
giving information about the expected value of wc(i).
4.5.4.2 Setting γ2(i)
The values of γ2(i) where ea(i) 6= eb(i) should be larger than γ2(i) the values
where ea(i) = eb(i). To that end we use two parameters Pa and Pd and define γ2(i)
as
γ2(i) =σ2ε
1Pa
for ea(i) = eb(i),
σ2εPd for ea(i) 6= eb(i)
(4.29)
where σ2ε can be estimated as
σ2ε =
1
n
n∑i=1
(wa(i)− wb(i))2 (4.30)
We discuss these parameters further in Section 4.7.
4.6 Experiment
In this section, we describe the RSS data sets which we have collected using two
different transceiver hardware testbeds. We collect 31 total data sets from the two
testbeds, a total of 213,000 samples of the RSS over 75 minutes of data collection.
This extensive experimental data allows us to provide, in Section 4.7, a quantitative
analysis analysis of the performance of methods propose in Section 4.5.
4.6.1 PHY layer and RSS Measurement
To ensure broad applicability of the results to RSS-based SKE, we use hardware
from two common TDD wireless standards in our experimental evaluation. The first
testbed uses commodity IEEE 802.15.4 radio hardware (MEMSIC TelosB devices),
similar to that previously used in experimental SKE papers [53, 20, 56, 2]. The
second testbed uses two smartphones (Google / HTC NexusOne phones) which are
programmed to communicate via IEEE 802.11b/g.
81
To collect the 20 802.15.4 radio hardware datasets, one node was placed on a
desk while the second node was moved randomly to induce narrow band fading.
The distance between the two nodes was slightly over 1 meter. Half of the 20
datasets collected using the 802.15.4 radio hardware were made in the presence of
802.15.4 interference. To create interference, three additional TelosB sensor nodes
were programmed to take turns transmitting on the same channel as Alice and Bob.
Also, the transmit power was also varied. Fifteen datasets had a transmit power
greater than -5 dBm and five had a transmit power lower than -10 dBm.
Using the IEEE 802.11-based smartphones we collected 11 data sets each with
6000 measurements. One smartphone, Alice, was placed on a desk, while the second
phone Bob was moved randomly to induce narrowband fading in the channel. The
distance between Alice and Bob was approximately 0.75 meters. All 11 data sets were
collected in the same manner with no changes to the default transmit power.
4.6.2 Sample Variance
In free-space with a static channel, bit extraction would be ineffective. The source
of the bits in the secret key is the randomness in the channel due to narrowband
fading. The more the channel varies over time, the more bits it is possible to extract.
We can estimate the variance of the sampled reciprocal fading signal, σ2w, as
σ2w =
1
n
n∑i=1
(wc(i)− µw)2 (4.31)
where the mean, µw, is estimated from
µw =1
n
n∑i=1
wc(i) (4.32)
The sample variances for 802.15.4 RSS measurements in Figure 4.2(a) was around 40,
while the sample variances for 802.11 RSS measurements in Figure 4.2(b) was about
14 on average.
The reason for the difference in σ2w for 802.15.4 and 802.11 is the channel band-
width – 20 Mhz for 802.11 and 5 Mhz for 802.15.4. With 802.11, the RSS is calculated
for a signal over a bandwidth 4 times as wide so the channel gain is not as affected by
82
narrowband fading. Since the fading signal is the signal of interest, the signal power
is reduce when wideband RSS measurements “average out” the fading. Counterintu-
itively this reduces the number of bits can be extracted. The RSS quantization levels
for the two devices are identical – an increase of 1 dB received power with respect to
the mean produces an increase of 1 RSSI.
4.6.3 Sampling Non-uniformity
Sampling non-uniformity in 801.11 devices can be related to a large body of
research that looks at packet delay caused by the distributed coordination function
(DCF) [10, 14]. The DCF uses channel sense multiple access with collision avoidance
to maximize channel throughput and ensure every user has equal access. While most
packets are transmitted with relatively short delays, other packets suffer a much
higher delay than average due to the exponential increase in backoff period when
transmission fails. For the purposes of bit extraction, one sample period, ie. the time
between two adjacent measurements by Alice, is composed of:
1. Time delay, δa, for Alice to send a packet to Bob
2. Time, δo, for Bob to receive and process packet. This is assumed constant.
3. Time delay, δb, for Bob to send a packet to Alice
The distribution of time delays, δa and δb, are essentially the same as the distribution
of packet delay in [10, 14] which is affected by the number of users wishing to transmit
and the maximum backoff period, Wi.
Figure 4.3 shows the difference between the distribution of sample periods for
802.15.4 and 802.11 devices. In our experiments, the 802.15.4 devices are operated
on a channel (26) that does not interfere with 802.11 b/g traffic – thus these devices
operate largely without outside interference and the majority of sample periods are
reliably between 15-17 ms, as shown in Figure 4.3(a). In contrast, the 802.11 devices
experience significant multi-user interference, particularly in buildings with many
deployed WiFi access points, as is the case in our experiments. Due to the 802.11
MAC layer, the delay for a device transmitting a packet can be very significant. As
83
shown in Figure 4.3(b), while the 802.11 devices can sample up to two times faster
than the 802.15.4 devices the maximum time between sample points is as much as
six times greater than the average. The distribution for δa + δb + δo in Figure 4.3(b)
is very close to the distribution found in [58]. It is very heavy tailed and has a large
variation in sample period.
4.7 Results
In this section we look at the these four estimation methods, fractional delay inter-
polation (FDI), polynomial interpolation (PI), Gaussian processes regression (GPR)
and Gaussian processes regression with side information (GPRSI), qualitatively and
quantitatively. First we determine how to set parameters Pa and Pd for GPRSI using
the normalized root mean square error between ya(t∗) and ya(t∗), as a metric. Then
we plot the estimated reciprocal fading signal, yc(t∗), and compare the results over
a very small set of points to qualitatively show under what conditions each of these
methods performs best. Since all four methods can be viewed as a filter, we the
compare the frequency response and show that while FDI and GPRSI filters have
frequency responses that tend to match, PI does not. Then we look at the error
between ya(t∗) and ya(t∗) for FDI, PI, GPR and GPRSI. Finally we compare the four
methods with respect to a bit extraction method.
4.7.1 Performance Metrics
While it is not possible to calculate the root mean square error (RMSE) between
the noisy measurements, wc, and the reciprocal fading signal y(t), we can evaluate
the error between Alice’s estimate of y(t), ya(t∗), and Bob’s estimate of y(t), yb(t∗).
Because GPR and GPRSI tend to reduce the range of values and therefore the
apparent RMSE, we use normalized RMSE. NRMSE is RMSE scaled by the standard
deviation of ya.
NRMSE(ya, yb) =
√∑Ni=1(ya(i)− yb(i))2∑Ni=1(ya(i)− µa)2
While increasing the number of bits extracted is the final goal of these estimation
methods, the bit extraction algorithm adds another layer of complexity. We use
84
NRMSE to make analysis of these results applicable to other bit extraction methods,
not just the one used in a following subsection.
4.7.2 GPRSI Parameter Selection
Figure 4.4 shows the NRMSE between Alice’s and Bob’s estimate of y(t) for
values of parameters Pa and Pd using the 802.11 based devices. Given this plot we
choose Pa ≈ 0.5 and Pd ≈ 15. These values are approximate since there is very little
difference in the NRMSE for Pa = 0.5 and Pa = 1 or between difference values of Pd
when Pd > 10.
4.7.3 Example
Figure 4.5 shows data collected by the 802.11 devices and the interpolated data
using (a) FDI, (b) PI, and (c) GPRSI. Because the interpolating polynomial for
PI yc(t∗(i) (4.11), is constrained to go through the sampled points, noise in those
measurements over larger gaps in the data can cause the sampling polynomial at
Alice to be very different from Bob’s. However, using FDI or GPR, Alice’s and Bob’s
estimated signals match quite well. The results for GPR and GPRSI are very similar,
so GPR is not shown.
Unlike, PI and FDI, GPR and GPRSI can be used for regression. Figure 4.7 shows
data that has been estimated using (a) PI and (b) GPR. Because the interpolating
polynomial is constrained to go through the sampled points, it cannot be used to
mitigate quantization noise. On the other hand, because noisy measurements can be
accounted for in GPR, some of the quantization noise can be removed.
4.7.4 Filter Response
Each of these four methods can be viewed as a filter and characterized in terms
of frequency response. The frequency response is found using a non-uniform discrete
Fourier transform (NDFT) which is defined as:
H(f(k)) =N−1∑n=0
hc(n)e−jtc(n)2πf(k) (4.33)
85
where hc are the filter coefficients, tc are the times over which the filter is applied and
f(k) is the kth frequency at which the Fourier transform is evaluated. For PI and
FDI, N = 4. The filter coefficients for FDI are printed in (4.15). Filter coefficients
for GPR are found from the K(t∗, tc)[K(tc, tc) +Kε]−1 term of (4.22). Because GPR
and GPRSI is applied over subvectors of length 200, N = 200.
The frequency response for the FDI filter is shown in Figure 4.6(a) for t∗(i) = 0.60.
The filter response at Alice is very similar to Bob’s filter. The frequency response for
the PI filter is shown in Figure 4.6(b). It becomes a high pass filter over long gaps
between samples, but the larger problem is that the two filters at Alice and Bob do
not match. The frequency response for GPR is shown in Figure 4.6(c). Although not
identifiable as a particular type of filter, the responses at Alice and Bob match quite
well.
4.7.5 Normalized Root Mean Square Error
Figure 4.8 (a) shows the cumulative distribution function (CDF) of the NRMSE
over the 802.11 datasets of the original RSS measurements, wc, and the reciprocal fad-
ing signal estimated using PI, FDI, GPR and GPRSI. Of these methods, PI increases
the NRMSE between Alice and Bob’s measurements compared to the unprocessed
measurements. FDI, GPR and GPRSI all reduce the NRMSE compared to the
original measurements for all datasets, except for one dataset in the case of GPR. In
all cases, GPRSI performs better than the other methods.
The same type of analysis is shown in Figure 4.8 (b) for the 802.15.4 datasets.
Again, PI increases the NRMSE compared to the original measurements. The differ-
ence in FDI vs. the Gaussian processes methods is not as apparent in the 802.15.4
datasets, although GPR and GPRSI are an improvement. The difference between
GPR and GPRSI is negligible. One conclusion we can draw from the differences
between Figure 4.8 (a) and Figure 4.8 (b) is that given the smaller amount of
improvement in GPRSI vs. FDI, the non-reciprocities in reciprocal 802.15.4 RSS
measurements are due in greater proportion to the inability of Alice and Bob to
measure the channel simultaneously than those in 802.11 RSS measurements.
86
In the second experiment we simulated dropped packets in 802.15.4 measurements
by removing the ith sample from wa and wb with probability p. The removal
probability for samples i and j, where i 6= j, are independent. Increasing variability in
the range of sample periods results as the probability of dropping a packet increases.
We plot the bits per sample extracted using GPR, GPRSI, FDI and PI as p increases
from 0 to 0.6 vs. NRMSE disagreement in Figure 4.9. As p increases, the performance
of FDI degrades more rapidly than GPR and GPRSI.
4.7.6 Bit Extraction
Adaptive ranking based uncorrelated bit extraction ARUBE [20] has been used
with RSS measurements made by 802.15.4 based wireless sensors. It has four steps:
interpolation, ranking, decorrelation and quantization. The effectiveness of this
method can be evaluated by looking at the number of bits extracted per sample or the
number of bits extracted per second against the probability of bit disagreement, Pbd.
Fewer samples must be collected to create a shared secret key if the bits extracted
per sample is high, saving both the energy required to transmit a packet and the time
required to so do. Because information must be publicly exchanged to correct bit
disagreement, a lower Pbd will keep more information secret from Eve. It is difficult
to obtain a high rate of bit extraction and a low Pbd.
While judging the performance of estimation methods is made more complex by
using the number of bits extracted as a metric, inclusion of this section is important.
A simple low pass filter would also reduce the NRMSE, but at the expense of removing
information in the signal that could be used as bits in the secret key.
4.7.6.1 802.15.4 Sensor Nodes
In the first experiment with 802.15.4 sensor nodes we decremented the transmitted
power over 17 datasets. At very low received power, RSS data collected by 802.15.4
based sensor nodes has some of the same properties as the 802.11 RSS data: low
sample variance, σ2w, and non-uniform sampling. As the sample variance decreases,
Gaussian processes regression becomes more useful.
Figures 4.10(a,b,c) show the averge of (7, 4, 6) datasets respectively of decreasing
87
sample variance for PI, FDI and GPR. Table 4.1 shows the average sample variance
σ2w for each figure. We used these groupings to keep datasets with similar sample
variance together. As the received power decreases, the number of dropped packets
increases, the noise due to quantization increases and there is a greater non-uniformity
in sampling instants. The decrease in bits per second as the sample variance decreases
is due not only to fewer bits being extracted but to the decrease in the number
of samples per second collected by the nodes because of the dropped packets. By
comparing the ’Bits per Second’ and ’Bits per Sample’ axes of the three plots we can
see that, 0.6 bits per sample results in 24, 14 and 11 Bits per Second as the sample
variance decreases.
4.7.6.2 802.11 Smartphones
We found that for this bit extraction method, polynomial interpolation produces
worse results than using the original measurements, so we only compare GPR, GPRSI
and FDI.
Figure 4.11 (a) shows the bits extracted per second for yc(t∗) using GPR and
GPRSI. Unlike the 802.15.4 datasets the inclusion of side information increases the
number of bits extracted for most datasets. The greatest improvement in bits ex-
tracted per second is seen in datasets that produce the least number of bits. These are
the datasets that also have the smallest sample variance and the largest quantization
noise. Comparing GPR to FDI in Figure 4.11(b), GPRSI can improve the number of
bits extracted per second by up to 50% for some datasets.
4.8 Conclusion
In real-world wireless networks, SKE must extract bits from noisy measurements
taken at irregular intervals. In these situations, we show that standard SKE methods
perform poorly. In this paper we investigate four methods that allow legitimate
users Alice and Bob to obtain improved estimates of the reciprocal fading channel.
We found that in cases with high SNR, even those with moderate non-uniform
sampling characteristics, fractional delay interpolation performs very well, reducing
the NRMSE between Alices and Bobs estimates and increasing the bit extraction
88
(a)
(b)
(c)
-Alice samples -Bob samples - new times, t *
...
...
...
...
...
...
...
...
...
...
...
...
time
time
time
Figure 4.1. Diagram shows placement of Alice’s (�) and Bob’s (©) measurementsat times tc with the placement of interpolated values t∗ (‖). (a) Fraction delayinterpolation interpolates a value half way between Alice’s and Bob measurementsif the sample period is constant. (b) With non-uniform measurements fractionaldelay interpolation results in unaligned interpolated time instants. (c) Polynomialinterpolation and Gaussian processes regression are able to interpolate measurementsat identical time instants.
Table 4.1. Datasets of decreasing sample variance# of Datasets Average σ2
w
Figure 4.10 (a) 7 36.2Figure 4.10 (b) 4 17.9Figure 4.10 (c) 6 7.4
89
−20 −15 −10 −5 0 5 10 15 20RSSI, mean removed
0.00
0.02
0.04
0.06
0.08
0.10
0.12
Pro
babilit
y
dataset f
dataset n
(a)
−20 −15 −10 −5 0 5 10 15 20RSSI, mean removed
0.00
0.02
0.04
0.06
0.08
0.10
0.12
0.14
0.16
Pro
babilit
y
dataset A
dataset B
(b)
Figure 4.2. Distribution of measured RSSI values for datasets collected (a) by802.15.4 based devices and (b) 802.11 based devices. The sample variance, σ2
w for (a)is larger than that of the measurements of (b).
90
0.005 0.010 0.015 0.020 0.025 0.030 0.035 0.040Sample Period (s)
0.00
0.05
0.10
0.15
0.20
0.25
0.30
0.35
0.40
Pro
babilit
y
dataset f
dataset n
(a)
0.005 0.010 0.015 0.020 0.025 0.030 0.035 0.040Sample Period (s)
0.00
0.05
0.10
0.15
0.20
0.25
0.30
0.35
0.40
Pro
babilit
y
dataset A
dataset B
(b)
Figure 4.3. Distribution of sample periods for (a) two datasets made with 802.15.4based wireless sensors and (b) two datasets from 802.11 based devices.
91
rate. For signals with low signal power, or with highly variable sample periods, GPR
performs better in terms of NRMSE and the number of bits extracted at the expense of
much more computation. We present a reciprocal fading channel estimation method
which uses side information obtained from public discussion, which we call GPRSI,
and show that it is able to extract secret key bits at a rate up to 50% higher than
with GPR.
The computation required by GPRSI is more significant than with FDI, but
GPRSI can extract secret key bits more quickly. Future work may address the tradeoff
between communication energy and time saved by the increased bit rate of GPRSI,
versus the lower energy used in computation in FDI. In addition, adaptive methods
may be developed which allow devices to change estimation method based on the
multi-user access delays or packet error rate they experience.
92
0 20 40 60 80 100
Pd
0.150
0.155
0.160
0.165
0.170
0.175
NRMSE(y
a,y
b)
Pa =0.1
Pa =0.5
Pa =1
Pa =3
Figure 4.4. NRMSE between ya and yb for GPRSI with different values for Pa andPd. Overall, GPRSI for 802.11 RSS measurements performs best with Pa ≈ 0.5 andPd ≈ 15.
93
0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0
time (s)
−6
−4
−2
0
2
4
6
RSS
FDI ya (t ∗)
FDI yb (t ∗)
(a)
0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0
time (s)
−6
−4
−2
0
2
4
6
RSS
PI ya (t ∗)
PI yb (t ∗)
(b)
0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0
time (s)
−6
−4
−2
0
2
4
6
RSS
GPRSI ya (t ∗)
GPRSI yb (t ∗)
(c)
Figure 4.5. (a) Fractional delay interpolation used to estimate the reciprocal fadingchannel from non-uniformly sampled RSS measurements made by two 802.11 devices.(b) Polynomial interpolation. (c) Gaussian processes regression. Solid lines are theestimated signal yc(t∗), dotted lines are the RSS measurements wc.
94
0 10 20 30 40 50Frequency, Hz
0.0
0.5
1.0
1.5
2.0
Magnit
ude,
|H(f
)|
HFDIa
HFDIb
(a)
0 10 20 30 40 50Frequency, Hz
0.0
0.5
1.0
1.5
2.0
2.5
3.0
3.5
4.0
Magnit
ude,
|H(f
)|
HPIa
HPIc
(b)
0 10 20 30 40 50Frequency, Hz
0.0
0.5
1.0
1.5
2.0
Magnit
ude,
|H(f
)|
HGPRSIa
HGPRSIb
(c)
Figure 4.6. Filter response for (a) fractional delay interpolation, (b) polynomialinterpolation and (c) Gaussian processes regression at interpolated time instantt∗(i) = 0.60.
95
31.04 31.06 31.08 31.10 31.12 31.14
time (s)
−5
−4
−3
−2
−1
0
1
2
3
4
RSS
wa
wb
PI ya (t ∗)
PI yb (t ∗)
(a)
31.04 31.06 31.08 31.10 31.12 31.14
time (s)
−5
−4
−3
−2
−1
0
1
2
3
4
RSS
wa
wb
GPRSI ya (t ∗)
GPRSI yb (t ∗)
(b)
Figure 4.7. (a) Polynomial interpolation used to estimate the reciprocal fadingsignal for 802.11 RSS measurements (b) Estimation using GPRSI. Root mean squareerror (RMSE) for the displayed data is (a)0.627 and (b)0.222.
96
0.12 0.14 0.16 0.18 0.20 0.22 0.24 0.26 0.28 0.30
Normalized RMSE(ya ,yb )
0.0
0.2
0.4
0.6
0.8
1.0
Cum
ula
tiv
e D
istrib
utio
n F
unctio
n
wc
PI y(t∗)
FDI y(t∗)
GPR y(t∗)
GPRSI y(t∗)
(a)
0.2 0.4 0.6 0.8 1.0
Normalized RMSE(ya ,yb )
0.0
0.2
0.4
0.6
0.8
1.0
Cum
ula
tiv
e D
istrib
utio
n F
unctio
n
wc
PI y(t∗)
FDI y(t∗)
GPR y(t∗)
GPRSI y(t∗)
(b)
Figure 4.8. Normalized root mean square error (NRMSE) for error between theoriginal measurements at Alice, wa, and Bob, wb and error between the estimationsof the reciprocal fading signal using polynomial interpolation (PI), fractional delayinterpolation (FDI), Gaussian processes regression (GPR) and Gaussian processesregression with side information (GPRSI) for (a) 11 802.11 datasets and (b) 20802.15.4 datasets
97
0.0 0.1 0.2 0.3 0.4 0.5 0.6 0.7Probability of Packet Drop, p
0.15
0.20
0.25
0.30
0.35
0.40
0.45
0.50
0.55
NR
MSE(y
a,y
b)
Figure 4.9. Plot of NRMSE as the probability of dropping a packet, p, increasesfor FDI (- -), GPR (..) and GPRSI (–), then plotting the average of the top sevendatasets (?), middle six datasets (•) and bottom seven datasets (I) with respect toNRMSE
98
0.00 0.01 0.02 0.03 0.04 0.05 0.06 0.07Probability of Bit Disagreement, P
bd
0
5
10
15
20
25
30
35
40
45
Bit
s p
er
Second
PI
GPR
FDI
0.0
0.2
0.4
0.6
0.8
1.0
Bit
s p
er
Sam
ple
(a)
0.00 0.01 0.02 0.03 0.04 0.05 0.06 0.07Probability of Bit Disagreement, P
bd
0
5
10
15
20
Bit
s p
er
Second
PI
GPR
FDI
0.0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
Bit
s p
er
Sam
ple
(b)
0.00 0.01 0.02 0.03 0.04 0.05 0.06 0.07Probability of Bit Disagreement, P
bd
0
2
4
6
8
10
12
14
16
Bit
s p
er
Second
PI
GPR
FDI
0.0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
Bit
s p
er
Sam
ple
(c)
Figure 4.10. Comparison of PI, FDI and GPR with (a) highest, (b) middle and (c)lowest sample variance σ2
w. GPR is an improvement over FDI only at lower samplevariances.
99
0.00 0.02 0.04 0.06 0.08 0.10Probability of Bit Disagreement, P
bd
0
5
10
15
20
25
30
35
40
Bit
s p
er
Second
(a)
0.00 0.02 0.04 0.06 0.08 0.10Probability of Bit Disagreement, P
bd
0
5
10
15
20
25
30
35
40
Bit
s p
er
Second
(b)
Figure 4.11. Bits extracted per second vs. probability of bit disagreement (Pbd)for 13 datasets. Data processed using GPR (..), GPRSI ( - ) or FDI ( - - ) thenplotting the average of the top four datasets (?), middle five datasets (•) and bottomfour datasets (I) with respect to bits extracted per second. (a) Compares GPR andGPRSI (b) Compares FDI and GPRSI
CHAPTER 5
CONCLUSION
This chapter will summarize key findings before suggesting areas for future work.
5.1 Key Findings
While the wireless channel has the requisite conditions as a source for shared secret
keys, namely randomness and reciprocity, practical considerations such as the time-
division duplex nature of channel sampling, differing hardware characteristics between
users, temporal correlation between measurements and the necessity of sharing the
channel with other users are continuing challenges. This research aims to reduce or
remove the non-idealities and noise of the reciprocal channel measurement process in
order to increase secret key bit rate while maintaining an uncorrelated bit stream.
Wireless sensor networks have a intrinsic need for a way of securing communica-
tions that does not involve a central server or an excessive use of on node storage
space. By using randomness inherent in the wireless channel, it is possible to avoid
the predistribution of shared keys, which for large networks becomes a strain on
limited storage space, and the need for a central server which depending upon network
conditions may not be connected to the network. One of the challenges of bit
extraction is that in order to measure the channel the two nodes must communicate
which for sensor nodes communication is energy intensive. To extend the life of the
network it is advantageous to extract as many bits as possible from each measurement.
To that end, various methods of mitigating non-reciprocities in the measurement were
explored including fractional delay interpolation and ranking.
Ranking addresses the differences in hardware that will be inevitable in heteroge-
neous networks and are present even in supposedly identical transceivers. As long as
the relationship between received power and RSS is monotonically increasing, ranking
101
will remove non-reciprocities between radios that result from differing transmit powers
and RSSI circuit variations. The introduction of ranking increased the number of bits
extracted from 802.15.4 TelosB RSS measurements by up to 30%.
Temporal correlation between measurements is another limiting factor that was
addressed which is useful both for sensor nodes and devices which are less resource
constrained. Correlated bits which can result from correlated measurements weaken
the strength of the shared secret keys. In order to prevent this, measurements can
be decorrelated before bit extraction. Decorrelation is a relatively computationally
complex operation in comparison to other bit extraction steps, so it is necessary to
find the minimum number of measurements that can be decorrelated while ensuring
an independent bit stream. For 802.15.4 RSS measurements it is possible maintain
an uncorrelated bit stream if more than about 35 samples or 0.7 seconds of data are
decorrelated at a time.
Experimental research into bit extraction from channel impulse response (CIR)
measurements is scarce compared to research into RSS measurements. Much of the
difference can be attributed to the expense of channel sounding equipment. It is pos-
sible however, to build a inexpensive electronically controlled switching system that
allows existing single transmitter/single receiver equipment to make bi-directional
measurements. The components of this system are easy to obtain and with the
design equations a similar system is straight forward to build. The hope is that this
design will allow further work into bit extraction for CIR measurements.
CIR measurements include both magnitude and phase information. The number
of bits extracted from the magnitude information was 8 times greater than the number
of bits extracted from the phase information. A large part of the discrepancy is that
phase wraps from 2π to 0. While the CIR measurements are two-dimensional (time
and time delay), the unwrapping algorithm for phase only operated along the time
delay axis and did not take the second dimension into account.
A demo using 802.11-based smartphones brought to light differences in 802.11
and 802.15.4-based wireless devices. Devices using 802.11 must share the channel
with other users which can result in a non-deterministic packet delay. In a very
102
busy wireless environment, the distribution of packet delay is heavy-tailed which
means that measurements of the reciprocal fading signal become very non-uniform.
In addition, Alice and Bob are unable to measure the channel simultaneously due to
the half-duplex nature of the wireless channel. Previous research used fractional delay
interpolation to correct this offset, however fractional delay interpolation degrades
quickly in the presence of highly variable sample periods. Unlike fractional delay,
Gaussian processes regression can be used to estimate the true fading signal in the
presence of non-uniform sampling. In addition, it is possible to incorporate public
discussion between Alice and Bob to obtain a more accurate estimation of the true
reciprocal fading signal. Using this method Alice and Bob to extract 50% more bits
from 802.11 RSS measurements.
5.2 Future Work
The field of secret key establishment has many possible avenues for future research.
Continuing to increase the bit extraction rate either by using signal processing tech-
niques, quantization and coding methods or hardware improvements, is one of the
obvious avenues. It is important because in order to maintain information theoretic
security the secret key bit rate must match or exceed the information bit rate. The
keys must be random, so another avenue is determining if and when the wireless
channel can be considered random. Finally, even with advances in nailing down what
does work, a usable, widely available implementation of SKE does not yet exist, but
smartphones offer a great platform for future implementation.
The research that forms this thesis and the majority of papers on SKE have focused
extensively on the problem of extracting more bits from a given set of measurements
in a shorter amount of time, with a lower probability of bit disagreement and with
a higher entropy. The way this thesis accomplished the first two of these goals was
to remove non-reciprocities associated with the measurements. However this is just
one way to approach the problem. Another possibility for increasing the number of
bits extracted for a given time period is to make the channel measurements more
accurate. For RSS this could be accomplished by using a higher transmit power for
103
SKE than for normal communications. Alternately, increasing the accuracy of RSS
measurement by increasing the number the quantization levels would be a hardware
based solution. For instance an increase of 1 dBm would correspond to 2 RSSI rather
than just in increase of 1 RSSI.
Even with a more efficient or faster bit extraction method, a compromise between
information theoretic security and traditional cryptographic methods may have to
be reached before an implementation of SKE comes into wider use. For RSS data
collected by 802.15.4-based sensor nodes the mutual information in each pair of
samples made at Alice and Bob was around 5 bits. At 50 samples per second this is
only 250 bits per second or about 31 ascii characters. A device wishing to use SKE for
reasons associated with information theoretic security would probably have to decide
what information is most sensitive, encrypt that using SKE and leave the remaining
data to a traditional cryptographic key.
SKE depends upon randomness in the channel created by a user moving one of the
radios, by movement in the channel or both. It has been shown that it is possible for
an active eavesdropper to create deterministic non-random movement in an otherwise
static channel and so have some knowledge of the measurements. One avenue for
investigation is to determine how much randomness exists in user movements of the
radio. When asked to move something randomly, many, if not most, people will
eventually settle into some pattern of movement that feels random, but really isn’t.
One question that needs to be asked is, is this semi-random movement, plus some
minimal movement in the channel, enough to guarantee random secret bits over a
long period of time.
Smartphones offer a very rich testbed for SKE. They can serve as a platform on
which to implement SKE and a way to augment SKE with additional sensors. One
application for an SKE implementation would be to exchange sensitive information
between two smartphones without involving cellular carriers. The two phones would
perform SKE in WiFi ad-hoc mode then encrypt and transmit the data. While
the building blocks are there, a downloadable software application to perform SKE
does not yet exist. Other researchers have suggested using accelerometer data to
104
authenticate two users. This type of authentication could be used with SKE on
smartphones.
A usable implementation of SKE on a smartphone, laptop or similar device would
have to adapt to changing channel conditions. This means being able to determine
when the channel is changing by analyzing the channel measurements or by sens-
ing when movement of the device is sufficient to ensure random bits by analyzing
accelerometer data. Changing channel conditions also includes the number of users
sharing the same channel since this will affect how quickly and uniformly Alice and
Bob can measure the channel.
Finally, smartphones could also be a showcase for SKE as well as a way to collect
information about users’ ideas of random movement. An interesting, easily used
software application could record both accelerometer readings and RSS measurements
in many different wireless environments for many different users. With this large
amount of information it might be possible to determine how to give instructions or
feedback to a user that will maximize the randomness of the users’ movements as well
as providing a large dataset for experimental evaluation of bit extraction methods.
Secret key establishment offers a unique opportunity for consumer devices to create
and use shared secret keys that provide information theoretic security. Unlike quan-
tum cryptography, SKE does not require specialized hardware and is currently within
reach of devices that many people carry in their pockets. As data privacy becomes
more of a concern to people and businesses, SKE could provide a decentralized, secure
method of protecting sensitive information.
REFERENCES
[1] L. Ahumada, R. Feick, R. Valenzuela, and C. Morales. Measurement andcharacterization of the temporal behavior of fixed wireless links. IEEE Trans.Vehicular Technology, 54(6):1913–1922, November 2005.
[2] S.T. Ali, V. Sivaraman, and D. Ostry. Secret key generation rate vs. reconcilia-tion cost using wireless channel characteristics in body area networks. In 2010IEEE/IFIP International Conference on Embedded and Ubiquitous Computing,pages 644–650. IEEE, 2010.
[3] A. Alomainy, Y. Hao, X. Hu, CG Parini, and PS Hall. UWB on-body radiopropagation and system modelling for wireless body-centric networks. In Com-munications, IEE Proceedings-, volume 153, pages 107–114. IET, 2006.
[4] JB Andersen, JO Nielsen, GF Pedersen, K. Olesen, P. Eggers, EH Sorensen, andS. Denno. A 16 by 32 wideband multichannel sounder at 5 GHz for MIMO.In IEEE Antennas and Propagation Society International Symposium, 2004,volume 2, 2004.
[5] C.R. Anderson and T.S. Rappaport. In-building wideband partition loss mea-surements at 2.5 and 60 GHz. IEEE Transactions on Wireless Communications,3(3):922–928, 2004.
[6] T. Aono, K. Higuchi, T. Ohira, B. Komiyama, and H. Sasaoka. Wireless secretkey generation exploiting reactance-domain scalar response of multipath fadingchannels. IEEE Transactions on Antennas and Propagation, 53(11):3776–3784,Nov. 2005.
[7] B. Azimi-Sadjadi, A. Kiayias, A. Mercado, and B. Yener. Robust key generationfrom signal envelopes in wireless networks. In CCS ’07: Proceedings of the 14thACM Conference on Computer and Communications Security, pages 401–410,Nov. 2007.
[8] Bennett, Brassard, Crepeau, and Maurer. Generalized privacy amplification.In ISIT: Proceedings IEEE International Symposium on Information Theory,sponsored by The Information Theory Society of The Institute of Electrical andElectronic Engineers, 1994.
[9] Charles H. Bennett, Gilles Brassard, Claude Crepeau, and Ueli Maurer. General-ized privacy amplification. IEE Transaction on Information Theory, 41(6):1915–1923, November 1995.
106
[10] G. Bianchi. Performance analysis of the ieee 802.11 distributed coordinationfunction. Selected Areas in Communications, IEEE Journal on, 18(3):535–547,2000.
[11] G. Brassard and L. Salvail. Secret-key reconciliation by public discussion. InAdvances in CryptologyEUROCRYPT93, pages 410–423. Springer, 1994.
[12] D. Catalano. Contemporary cryptology. Birkhauser, 2005.
[13] H. Chan, A. Perrig, and D. Song. Random Key Predistribution Schemes forSensor Networks. In In IEEE Symposium on Security and Privacy, 2003.
[14] P. Chatzimisios, V. Vitsas, and AC Boucouvalas. Throughput and delay analysisof ieee 802.11 protocol. In Networked Appliances, 2002. Liverpool. Proceedings.2002 IEEE 5th International Workshop on, pages 168–174. IEEE, 2002.
[15] C. Chen and M.A. Jensen. Improved channel quantization for secret key estab-lishment in wireless systems. In Wireless Information Technology and Systems(ICWITS), 2010 IEEE International Conference on, pages 1–4. IEEE, 2010.
[16] J.M. Conrat, P. Pajusco, and J.Y. Thiriet. A Multibands Wideband PropagationChannel Sounder from 2 to 60 GHz. In Instrumentation and Measurement Tech-nology Conference, 2006. IMTC 2006. Proceedings of the IEEE, pages 590–595,2006.
[17] D. Cox. Delay Doppler characteristics of multipath propagation at 910 MHzin a suburban mobile radio environment. IEEE Trans. on Ant. & Prop., AP-20(5):625–635, Sept. 1972.
[18] J. Croft and N. Patwari. Bit extraction from CIR using a bi-directional radiochannel measurement system. IEEE Transactions on Mobile Computing, 2010.(submitted).
[19] J. Croft, N. Patwari, and S.K. Kasera. Demonstration abstract: Bit extractionfrom received signal strength. In Proceedings of the 16th annual ACM interna-tional conference on Mobile computing and networking. ACM New York, NY,USA, 2010.
[20] J. Croft, N. Patwari, and S.K. Kasera. Robust uncorrelated bit extractionmethodologies for wireless sensors. In Proceedings of the 9th ACM/IEEE In-ternational Conference on Information Processing in Sensor Networks, pages70–81. ACM, 2010.
[21] D. Devasirvatham. Time delay spread and signal level measurements of 850MHz radio waves in building environments. IEEE Trans. on Ant. & Prop.,AP-34(11):1300–1305, Nov. 1986.
[22] W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactionson information Theory, 22(6):644–654, 1976.
107
[23] G. Durgin, V. Kukshya, and T. Rappaport. Wideband measurements of angleand delay dispersion for outdoor and indoor peer-to-peer radio channels at 1920MHz. IEEE Trans. Antennas and Propagation, 51(5):936–944, May 2003.
[24] C Farrow. A continuously variable digital delay element. In IEEE InternationalSymposium on Circuits and Systems, 1988., pages 2641–2645, 1988.
[25] J. Foerster et al. Channel modeling sub-committee final report. IEEE P, pages15–02, 2003.
[26] S.T.B. Hamida, J.B. Pierrot, and C. Castelluccia. An adaptive quantizationalgorithm for secret key generation using radio channel measurements. InProceedings of the 3rd international conference on New technologies, mobilityand security, pages 59–63. IEEE Press, 2009.
[27] H. Hashemi. The indoor radio propagation channel. Proceedings of the IEEE,81(7):943–968, 1993.
[28] J. Hershey, A. Hassan, and R. Yarlagadda. Unconventional cryptographic keyingvariable management. IEEE Trans. Commun., 43(1):3–6, Jan. 1995.
[29] W. W. Hines, D. C. Montgomery, D. M. Goldsman, and C. M. Borror. Probabilityand Statistics in Engineering 4th ed. John Wiley & Sons, 2003.
[30] S. Jana, S.N. Premnath, M. Clark, S.K. Kasera, N. Patwari, and S.V. Krishna-murthy. On the effectiveness of secret key extraction from wireless signal strengthin real environments. In Proceedings of the 15th annual international conferenceon Mobile computing and networking, pages 321–332. ACM, 2009.
[31] J. Jemai and T. Kurner. Broadband WLAN channel sounder for IEEE 802.11b. IEEE Transactions on Vehicular Technology, 57(6):3381–3392, 2008.
[32] A. Karatsuba. The complexity of computations. In Proceedings of the SteklovInstitute of Mathematics, volume 211, pages 169–183, 1995.
[33] J. Kho, A. Rogers, and N.R. Jennings. Decentralized control of adaptivesampling in wireless sensor networks. ACM Transactions on Sensor Networks(TOSN), 5(3):19, 2009.
[34] J. Kivinen, TO Korhonen, P. Aikio, R. Gruber, P. Vainikainen, and S.G.Haggman. Wideband radio channel measurement system at 2 GHz. IEEETransactions on Instrumentation and Measurement, 48(1):39–44, 1999.
[35] M. Kmec, J. Sachs, P. Peyerl, P. Rauschenbach, R. Thom, and R. Zetik. Anovel ultra-wideband real-time MIMO channel sounder architecture. XXVIIIthGeneral Assembly of URSI, 2005.
[36] V.M. Kolmonen, J. Kivinen, L. Vuokko, and P. Vainikainen. 5.3-GHz MIMO ra-dio channel sounder. IEEE Transactions on Instrumentation and Measurement,55(4):1263–1269, 2006.
108
[37] Andreas Krause, Carlos Guestrin, Anupam Gupta, and Jon Kleinberg. Near-optimal sensor placements: Maximizing information while minimizing commu-nication cost, 2006.
[38] TI Laakso, V. Valimaki, M. Karjalainen, and UK Laine. Splitting the unit delay[fir/all pass filters design]. Signal Processing Magazine, IEEE, 13(1):30–60, 1996.
[39] A.K. Lenstra and E.R. Verheul. Selecting cryptographic key sizes. Journal ofCryptology, 14(4):255–293, 2001.
[40] Z. Li, W. Xu, R. Miller, and W. Trappe. Securing wireless systems via lower layerenforcements. In Proc. 5th ACM Workshop on Wireless Security (WiSe’06),pages 33–42, Sept. 2006.
[41] D. Liu, P. Ning, and W. Du. Group-based key predistribution for wireless sensornetworks. ACM Transactions on Sensor Networks (TOSN), 4(2):11, 2008.
[42] M.G. Madiseh, M.L. McGuire, S.W. Neville, and A.A.B. Shirazi. Secret keyextraction in ultra wideband channels for unsynchronized radios. In Commu-nication Networks and Services Research Conference, 2008. CNSR 2008. 6thAnnual, pages 88–95. IEEE, 2008.
[43] B. Maharaj, J. Wallace, M. Jensen, and L. Linde. A Low-cost open-hardwarewideband multiple-input–multiple-output (MIMO) wireless channel sounder.IEEE Transactions on Instrumentation and Measurement, 57(10):2283–2289,2008.
[44] DJ Malan, M. Welsh, and MD Smith. A public-key infrastructure for keydistribution in TinyOS based on elliptic curve cryptography. In Sensor andAd Hoc Communications and Networks, 2004, pages 71–80, 2004.
[45] S. Mathur, W. Trappe, N. Mandayam, C. Ye, and A. Reznik. Radio-telepathy:extracting a secret key from an unauthenticated wireless channel. In Proceedingsof the 14th ACM international conference on Mobile computing and networking,pages 128–139. ACM, 2008.
[46] Ueli M. Maurer. Secret key agreement by public discussion from commoninformation. IEEE Trans. Info. Theory, 39(3):733–742, May 1993.
[47] Ueli M. Maurer and Stefan Wolf. Unconditionally secure key agreement andthe intrinsic conditional information. IEEE Trans. Info. Theory, 45(2):499–514,1999.
[48] A.J. Menezes, P.C. Van Oorschot, and S.A. Vanstone. Handbook of AppliedCryptography. CRC, 1996.
[49] National Institute of Standards and Technology. Special Publication 800-57:Recommendation for Key Management. 2007.
109
[50] M.A. Osborne, SJ Roberts, A. Rogers, SD Ramchurn, and N.R. Jennings.Towards real-time information processing of sensor network data using com-putationally efficient multi-output gaussian processes. In Proceedings of the 7thinternational conference on Information processing in sensor networks, pages109–120. IEEE Computer Society, 2008.
[51] K. Pahlavan, P. Krishnamurthy, and J. Beneat. Wideband radio propagationmodeling for indoor geolocation applications. IEEE Comm. Magazine, 36:60–65,April 1998.
[52] N. Patwari and P. Agrawal. Localization Algorithms and Strategies for WirelessSensor Networks, chapter Calibration and Measurement of Signal Strength ofSensor Localization. IGI Global, 2009.
[53] N. Patwari, J. Croft, S. Jana, and S.K. Kasera. High rate uncorrelated bitextraction for shared secret key generation from channel measurements. IEEETransactions on Mobile Computing, pages 17–30, 2009.
[54] N. Patwari, A. Hero III, M. Perkins, N. Correal, and R. O’Dea. Relative locationestimation in wireless sensor networks. IEEE Trans. Signal Process., 51(8):2137–2148, Aug. 2003.
[55] R. Pirkl and G. Durgin. Optimal sliding correlator channel sounder design. IEEETrans. Wireless Communications, 7(9):3488–3497, September 2008.
[56] S.N. Premnath, S.K. Kasera, and N. Patwari. Secret key extraction in mimo-like sensor networks using wireless signal strength. ACM SIGMOBILE MobileComputing and Communications Review, 14(1):7–9, 2010.
[57] T.S. Rappaport. Wireless communications: principles and practice. PrenticeHall, 1996.
[58] P. Raptis, V. Vitsas, K. Paparrizos, P. Chatzimisios, and AC Boucouvalas.Packet delay distribution of the ieee 802.11 distributed coordination function.In Proceedings of the Sixth IEEE International Symposium on World of WirelessMobile and Multimedia Networks, pages 299–304. IEEE Computer Society, 2005.
[59] C.E. Rasmussen and C.K.I. Williams. Gaussian Processes for Machine Learning.The MIT Press, 2006.
[60] A. Rukhin, J. Soto, J. Nechvatal, M. Smid, E. Barker, S. Leigh, M. Levenson,M. Vangel, D. Banks, A. Heckert, et al. A Statistical Test Suite for the Validationof Random Number Generators and Pseudo Random Number Generators forCryptographic Applications. NIST Special Publication, pages 800–822, 2001.
[61] A. Sayeed and A. Perrig. Secure wireless communications: Secret keys throughmultipath. In Acoustics, Speech and Signal Processing, 2008. ICASSP 2008.IEEE International Conference on, pages 3013–3016. IEEE, 2008.
110
[62] M. Schack, R. Geise, I. Schmidt, R. Piesiewiczk, and T. Kurner. UWB chan-nel measurements inside different car types. In 3rd European Conference onAntennas and Propagation, pages 640–644. IEEE, 2009.
[63] M. Schack, J. Jemai, R. Piesiewicz, R. Geise, I. Schmidt, and T. Kurner.Measurements and analysis of an in-car UWB channel. In IEEE VehicularTechnology Conference, pages 459–463, 2008.
[64] C.E. Shannon. Communication Theory of Secrecy Systems. Journal, vol,28(4):656–715, 1949.
[65] D. Singh, Z. Hu, and R. Qiu. UWB channel sounding and channel characteristicsin rectangular metal cavity. In Southeastcon, 2008. IEEE, pages 323–328. IEEE,2008.
[66] C.G. Spiliotopoulos and A.G. Kanatas. Path-Loss and Time-Dispersion Parame-ters of UWB Signals in a Military Airplane. Antennas and Wireless PropagationLetters, IEEE, 8:790–793, 2009.
[67] M.L. Stein. Interpolation of Spatial Data: some theory for kriging. SpringerVerlag, 1999.
[68] W. Stutzman and G. Theile. Antenna Theory and Design. John Wiley & Sons,1981.
[69] K. Takizawa, T. Aoyagi, H.B. Li, J. Takada, T. Kobayashi, and R. Kohno.Path loss and power delay profile channel models for wireless body area net-works. In Antennas and Propagation Society International Symposium, 2009.APSURSI’09. IEEE, pages 1–4. IEEE, 2009.
[70] RS Thom, D. Hampicke, A. Richter, G. Sommerkorn, and U. Trautwein. MIMOvector channel sounder measurement for smart antenna system evaluation. Eu-ropean Transactions on Telecommunications, 12(5), 2001.
[71] Michael A. Tope and John C. McEachen. Unconditionally secure communica-tions over fading channels. In Military Communications Conference (MILCOM2001), volume 1, pages 54–58, Oct. 2001.
[72] J. Wallace. Secure physical layer key generation schemes: Performance and infor-mation theoretic limits. In Communications, 2009. ICC’09. IEEE InternationalConference on, pages 1–5. IEEE.
[73] J.W. Wallace, C. Chen, and M.A. Jensen. Key generation exploiting mimo chan-nel evolution: Algorithms and theoretical limits. In Antennas and Propagation,2009. EuCAP 2009. 3rd European Conference on, pages 1499–1503. IEEE.
[74] M. Wilhelm, I. Martinovic, and J.B. Schmitt. Secret keys from entangled sensormotes: implementation and analysis. In Proceedings of the third ACM conferenceon Wireless network security, pages 139–144. ACM, 2010.
111
[75] R. Wilson, D. Tse, and R. Scholtz. Channel identification: Secret sharing usingreciprocity in UWB channels. IEEE Transactions on Information Forensics andSecurity, 2(3):364–375, Sept. 2007.
[76] H. Yang, P.F.M. Smulders, and M.H.A.J. Herben. Indoor channel measurementsand analysis in the frequency bands 2 GHz and 60 GHz. In IEEE 16th Inter-national Symposium on Personal, Indoor and Mobile Radio Communications,2005. PIMRC 2005, volume 1, 2005.
[77] R.D. Yates and D.J. Goodman. Probability and stochastic processes. Wiley,1999.
[78] C. Ye, A. Reznik, G. Sternberg, and Y. Shah. On the secrecy capabilities ofitu channels. In Vehicular Technology Conference, 2007. VTC-2007 Fall. 2007IEEE 66th, pages 2030–2034. IEEE, 2007.
[79] J. Zhang, S.K. Kasera, and N. Patwari. Mobility assisted secret key generationusing wireless link signatures. In INFOCOM, 2010 Proceedings IEEE, pages 1–5.IEEE, 2010.