An optimal guard-intervals based mechanism for key ... - CiteSeerX

An optimal guard-intervals based mechanism for key generation from multipath wireless channels Youssef El Hajj Shehadeh and Dieter Hogrefe Institute of Computer Science U niversity of G¨ ottingen, Germany E-mail: {shehadeh, hogrefe}@informatik.uni-goettingen.de Abstract—Recently, multipath in wireless channels has shown an interesting aspect. It has been found that wireless channels may provide a common reciprocal source of randomness for any two communicating nodes. This seems particularly interesting for secret key generation in wireless networks. In this paper, we consider the randomness property of wireless channels and present an intelligent algorithm for key generation. We analyze the multipath channel and derive optimal parameters enabling efficient key extraction leveraging the richness of a wireless environment. Finally, we test our algorithm in a typical outdoor wireless channel. Our simulation results show that more than 70 secret bits can be extracted from a single channel observation. Index Terms—multipath channels, key generation, guard intervals, optimal parameters.

I. I NTRODUCTION Wireless communications have encountered a considerable improvement and have integrated human life through various applications, mainly by the widespread of mobile ad hoc and sensor networks. But due to the broadcast nature of wireless communications, security remains a major concern in many applications. Traditional security schemes rely on cryptography and hashing functions [1] providing integrity, confidentiality and authentication. While, on the other hand, key distribution schemes are based on public key cryptography and certification authorities or on key predistribution protocols [2]. With the widespread of wireless communications, especially in dynamic environments, key establishment in some wireless networks is becoming more challenging. Moreover, traditional key establishment schemes are only computationally secure, i.e. they require very large computational power to be broken. Therefore, it is very interesting to establish unconditionally secure protocols. In optical communications, quantum cryptography [3] has been found as a possible solution based on the uncertainty principle in quantum physics. As for wireless communications, the wireless multipath channel has appeared recently to be a candidate [4, 5, 6, 7]. In fact, many real world measurements have shown that in Time Division Duplex (TDD) wireless communications, the multipath channel forms a reciprocal common source of randomness for any two communicating nodes; such that any other nodes separated by distances greater than the order of a wavelength observe different multipath channels. This is mainly due to the fact that in rich scattering environments, channel gains and phases vary rapidly in space.

In other words, this means that an eavesdropper which is located few wavelengths from both communicating nodes (call them Alice and Bob) will observe uncorrelated channel coefficients. Thus, Alice and Bob can leverage their common secret reciprocal channel gains to generate a suitable key for their communication. One may ask then: how practical is such an approach? and how efficient is it? From an information-theoretic point of view, many authors explored the possibility of generating secret keys from correlated sources of randomness as [8, 9] such that any other user not having (total) access to this source learn nothing about the generated key. Moreover, to improve the key agreement performance, some authors propose an information reconciliation stage [10]. And finally, to strengthen the secrecy, some authors consider removing any correlation with the eavesdropper by a privacy amplification stage [11]. Such approaches have been proved in practical scenarios and using on-the-shelf devices to achieve the establishment of a shared secret key. In [4], authors use a level crossing quantization algorithm to extract bits and practically achieve key establishment rates of 1 bit/sec. In [5, 12], the authors extract bits based on an adaptive quantization approach achieving key rates of 22 bits/sec at a bit disagreement rate of 2.2 percent. In [6, 13], the authors considered leveraging multipath by quantizing different channel taps at the same time and then applied LDPC error correcting codes. They have applied their approach on ITU channels and shown interesting results. In [7, 14], the authors presented an interesting approach by mitigating error instead of correcting it and loosing privacy, through intelligent quantization methods using guard intervals and random pre-encryption. Although all these approaches are interesting and have significantly contributed to this domain, they are still not optimal. Some do not leverage significantly the nature of the multipath channel, while others do not consider optimal parameters (as for guard intervals) and they are still not so close to the theoretic bounds, encouraging the research to better more efficient approaches to establish a practical key generation protocol. In this paper, we extend the available approaches enhancing the reliability and efficiency of key generation based on mutlipath channels. We first emphasize the importance of leveraging multipath by quantizing not the channel response but each channel tap gain and we analyze the main origin of

error in case of direct quantization deriving the probability of error formulation. Then, we present an adaptive quantization algorithm for key extraction based on guard intervals, for which we derive the optimal parameters in terms of guard angles and quantization levels as a function of tap-to-noise ratio. Our approach targets achieving maximum optimal number of extracted bits under a certain error threshold constraint. The rest of this paper is organized as follows. Section II presents the general system model, the channel estimation method and the key agreement protocol. In section III, we present the key generation method and the optimal parameters derivation. Then, section IV presents the simulation results and finally we conclude the paper in Section V.

have random phases uniformly distributed on [0, 2π] which encourages the idea of quantizing phases to generate secret keys. B. Channel Estimation Orthogonal Frequency Division Multiplexing (OFDM) has appeared recently as a promising modulation technique and is being used in many systems as 802.11n, WiMAX, LTE... The main advantage of OFDM is that it eliminates the effect of multipath enabling a simple estimation and equalization in the frequency domain. In fact, in case of pilot (known) signals transmitted, it has been found that the estimated channel coefficients in the frequency domain can be obtained by a simple division as [15]

II. S YSTEM M ODEL b = H + nG , H

A. General System Model

Node 1: Alice

where nG is the added white Gaussian noise vector which can be different at the two nodes; and H is a vector of N channel coefficients in the frequency domain with N being the FFT size. These channel coefficients can be expressed as

Node 2: Bob

h2 h1

h1E

L−1 −j2πkl 1 X hl exp ( ) Hk = √ N N l=0

h2E

Eavesdropper

Fig. 1. A wireless communication scenario consisting of two legitimate communicating nodes and an adversary.

In this section, we describe the general system model which is formed mainly of two communicating nodes Alice(Node 1) and Bob(Node2) and an eavesdropper (Eve) as shown in Fig. 1. We suppose that Alice and Bob are using the same frequency for communication and that Eve is sufficiently separated so that its channel observations are completely uncorrelated from those of Bob and Alice. Moreover, due to the reciprocity principle, the two channels h2 and h1 are equivalent. As for the channel, we suppose that it is a multipath fading channel which can be modeled as a combination of different channel impulses having different amplitudes and delays. In other words, the channel impulse response at time instant t can be expressed as h(t) =

L−1 X

hl δ(t − τl ),

(2)

(1)

l=0

where δ is the unit impulse function, L is the length of the channel (number of paths), while hl and τl represent the complex gain and delay of the (l + 1)th channel tap. In this case, the channel taps can be considered independent from each other and can be quantized separately thus leveraging multipath to increase the number of generated secret bits. And since the amplitudes of the taps tend to decrease exponentially with delay (first arriving signals have normally highest amplitudes), we do not consider quantizing amplitudes as a secure approach. Yet, channel taps have been shown to

(3)

A direct approach that comes first in mind is quantizing these coefficients directly. But as they are correlated, we tend to transform them to the time domain where we get the uncorrelated channel taps. So, in our approach, we first estimate the Hk ’s and then by Fourier transform we obtain the hl ’s: b = h + z, h (4) with z being here the equivalent Gaussian noise in the time domain. We note here also that the use of N channel coefficients in the frequency domain to find the time domain ones leads to a power gain of Tap-to-Noise Ratio (TNR) = N . C. Agreement Protocol In the last section, we have seen that it is only required that both communicating nodes estimate their common channel to be able to generate a secret key. It is also very important to perform this estimation in a very short period, especially in mobility scenarios where the channel response varies rapidly. Therefore, we suppose a simple agreement protocol where we define, without loss of generality, that Node 1 is the leading node and Node 2 is the follower. In this case, Node 1 first transmits a pilot OFDM symbol enabling the estimation of the channel by Node 2 which then directly transmits another pilot OFDM symbol back. Hence, both can estimate the channel taps (getting some noisy estimates) and proceed in the quantization process. Finally, according to the quantization method as explained later in section III, both nodes start exchanging some parameters, related to the bit extraction method, over the public insecure channel . The purpose of this exchange is to minimize the probability of disagreement without any loss of secrecy.

III. C HANNEL Q UANTIZATION In this section, we present the proposed channel quantization and bit extraction approach. But first, we present the direct approach consisting of non-intelligent quantization of all channel taps. We discuss why this approach leads to a high error rate which has lead many to use error correcting codes, information reconciliation and consequently privacy amplification. A. Direct Quantization The direct approach consists of directly quantizing the phases of the obtained channel taps without any further considerations. Distribution of channel values in the complex plane

C. Optimal Parameters

2 Channel without noise Channel with noise

1.5

In this section, we derive the probability of disagreement as a function of the guard angle β, the quantization level M , and the tap-to-noise ratio TNR. We define here TNR as being the ratio between the power of a channel tap and the corresponding noise. In fact, based on this definition, we can later obtain optimal parameters for every channel tap as those are in general of different powers. By considering h1 as the channel estimate at Node 1 and h2 as the channel estimate at Node 2, and by taking only one tap, equation (4), can be written as

1

Imaginary

0.5 0 −0.5 −1 −1.5 −2 −2.5

−2

−1.5

−1

−0.5

0 Real

0.5

1

1.5

sending the corresponding indexes and so does the follower back. Thus they agree on which channel taps to quantize. As for the performance, it is clear that larger boundary regions leads to a lower probability of bit disagreement while causing also a lower number of bits extracted as channel taps are more likely to be discarded. Thus, a performance-efficiency trade-off can be made in this case. We thus consider a certain target probability of key disagreement and try to extract the maximum number of secret bits. In particular, we consider a target disagreement per channel tap less than 10−3 and we try to find the optimal guard angle value and quantization level achieving the maximum number of secret bits.

2

2.5

Fig. 2. A distribution of some channel realizations and their noisy estimates over the complex plane.

In Fig. 2 , we show a plot of a large number of channel realizations over the complex plane and their noisy estimates. Considering particularly the values at the border regions (four regions in this case), we can see clearly that they are the most prone to error. Thus, an intelligent quantization approach should avoid quantizing these values. Thus, from here comes the idea of using guard intervals separating the different quantization regions. B. Quantization with Guard Intervals As we have seen above, it is obvious that the high error rate is mainly due to the channel values close to the border regions. Therefore, we separate the quantization regions by small boundary regions mitigating the channel values that may cause a disagreement between the two communicating nodes. And as we will proceed in quantizing the phase of the obtained channel values, we define the boundary regions by guard phase intervals such that if the channel tap phase lies in one of these intervals, it is simply discarded. From a security point of view, one may think how can each node inform the other that a channel tap should be discarded without any loss of secrecy. In fact, as the quantization regions are equiprobable, so should be the boundary regions. In this case, any node can just publicly announce, for example, that channel tap of index i should be discarded. In our approach, the leader node first announces its accepted channel taps by

h2 = h1 + z2 − z1 = h1 + z 0 ,

(5)

where in this case h1 is considered normalized, and z1 , z2 are then the independent added white Gaussian noises at both nodes which are supposed to be of equal power σ 2 = 1/T N R. Then, z 0 is the equivalent noise of power 2 × σ 2 . Let θ1 , θ2 be the phases of h1 and h2 , respectively and let φ be the phase of z 0 . Then the probability of error can be expressed as the probability that θ1 and θ2 are in two different quantization regions. As θ1 is uniformly distributed, this can be reduced to calculating the probability of error given that θ1 is in the first region. In other words, for a guard phase of β and M quantization levels, it is the probability that θ2 > π/M + β/2 or θ2 < −π/M − β/2 given that θ1 ∈ [(-π/M + β/2) (π/M − β/2)]. This can also be approximated(for large TNR) as the probability of θ2 > π/M + β/2 given that θ1 ∈ [0 (π/M − β/2)]. From Fig. 3, one can write: tan(∆θ) =

|z 0 | sin(φ − θ1 ) x = , |h1 | |h1 |

(6)

where ∆θ is the phase difference due to noise, φ is the phase of the equivalent noise z 0 , and θ1 is the phase of h1 . As z 0 follows CN (0, 2σ 2 ) distribution, and as φ and θ1 are uniformly distributed, then s = |z 0 | sin(φ − θ1 ) follows N (0, σ 2 ) distribution. We also note that |h1 | = 1 as it is normalized in this case. Consequently, we can write the probability of error as a

1200

1.4 1.2

h2

∆Ө

1000

1

Ф Guard angle

x

Number of Quantization levels

z'

0.8 0.6 0.4

h1

0

600

400

200

0.2

Ө1

800

0

10

20

30 40 Tap−to−Noise ratio

50

60

(a) Optimal guard angle

70

0

0

10

20

30 40 Tap−to−Noise ratio

50

60

70

(b) Optimal quantization

Average number of bits

10

Fig. 3.

8 6 4 2

Geometrical representation of the channel noisy estimates. 0

β π + ) M 2

Pθ = P (θ2 > = P (∆θ >

20

30 40 Tap−to−Noise ratio

50

60

70

Fig. 4. Optimal guard angle (a), number of quantization levels (b), and average number of bits generated per one channel tap as a function of T N R for a probability of error < 0.001.

β π + − θ1 ) M 2

π β + − θ1 )), (7) M 2 where β being always the guard phase, and M the number of quantization levels. By replacing tan(∆θ) by s, we obtain: = P (tan(∆θ) > tan(

π β + − θ1 )), M 2 which can be written in the form of the Error function: 1 π β 1 − θ1 + ))], Pθ = · [1 − erf ( √ tan( 2 M 2 2σ Pθ = P (s > tan(

(8)

(9)

Finally the total probability of error can be found by integrating over the (reduced) range of θ1 : 1 · π/M − β/2

10

(c) Average number of bits generated

function of θ1 as

P =

0

Z

θ=π/M −β/2

Pθ (β, M, σ)dθ,

(10)

θ=0

On the other hand, the average number of generated bits per channel tap depends also directly on β and M and can be found to be upper bounded by β·M ) · log2 (M ), (11) 2π From (10), we proceed in computing the probability of error in function of TNR for different values of β and M . Then, by considering the threshold probability of error of 10−3 per channel tap, we find the optimal parameters giving the maximum number of average bits as shown in Fig. 4. As concerning the key agreement protocol, we consider that Node 1 decides for these values by sending its TNR values to Node 2. It is clear here that this exchange has no drawback on secrecy as the transmitted TNR values show nothing about the Nav ≤ (1 −

phases of the taps which have a random distribution. Finally, after exchange of parameters in addition to the declaration of which channel taps are to be quantized (not in guard region as discussed previously and of sufficient power), both nodes proceed in quantizing the phases (as PSK demodulation) of the agreed-on channel taps and extracting secret bits. IV. S IMULATION R ESULTS AND D ISCUSSIONS In this section, we analyze the performance of the proposed algorithms under the assumptions explained above. In fact, as we have already mentioned, there is an efficiency-performance trade-off. So we target a certain probability of disagreement in the key generation to be less than 10−2 , i.e. the probability that there is no error in any channel tap quantization. And from this defined goal, we obtained by Monte Carlo simulations the target probability of error per one channel tap as below 10−3 . Our system follows the 802.11n standard [16]. In particular, we consider both the 20 MHz and 40 MHz bandwidths divided over 64 subcarriers and we consider TDD communication. As for the channel model, we test our algorithms on one of the defined channel models by IEEE 802.11 Task Group n TGn [17]; particularly, we use the Model F which is defined as a large space indoor or outdoor channel model. We consider in our simulations a SISO (Single Input Single Output) channel and we test our algorithms in terms of number of secret bits generated in a single channel observation. Further, we express the results of our algorithms in terms of probability of disagreement and average number of generated bits as a function of SNR, where SNR stands here for the received signal-to-noise ratio. In Fig. 5, we trace the probability of disagreement as a function of SNR. For the direct quantization approach, we observe a high probability of disagreement which makes it a

0

10

100 Guard intervals, 20MHz Guard intervals, 40MHz

Direct quantization Guard intervals, 20MHz Guard intervals, 40MHz

80 Average Number Of Bits

Probability of disagreement

90

−1

10

−2

10

70 60 50 40 30 20

−3

10

10

Fig. 5.

15

20

25 30 35 SNR per Symbol, dB

40

45

50

Probability of disagreement as a function of SNR.

non-reliable approach. As for the guard intervals quantization method, we observe that the probability of disagreement is below 10−2 as intended. Further, in Fig. 6, we show the average number of secret bits extracted as a function of SNR for the guard intervals method for both 20 MHz and 40 MHz bandwidths. In fact, in case of higher bandwidth, i.e. higher sampling rate, more channel taps are taken into account which leads to a slightly larger number of bits extracted as shown in Fig. 6. We observe here that our optimized method, in the sense of finding optimal parameters, resulted in the extraction of more than 60 bits(respectively 70 bits) per channel realization for an SNR higher than 40 dB for a bandwidth of 20 MHz (respectively 40 MHz). Such high SNR can be practically obtained by a recommended higher power transmission for the purpose of key generation. We note here also that our simulations test finding the average number of bits per single channel realization and in SISO scenarios. In case of MIMO, it is obvious that the average number of bits will be multiplied which makes this approach a reliable and suitable key generation method. V. C ONCLUSION In this paper, we investigated key generation based on the wireless multipath channel. We presented an intelligent method for key extraction based on using guard intervals separating the decision regions. In addition, we derived the optimal parameters in terms of guard angles and number of quantization levels achieving maximum number of secret bits under a certain performance constraint. It has been shown by simulations that our method achieves more than 70 bits per single channel realization in SISO scenarios for a typical outdoor channel model. R EFERENCES [1] R. Oppliger, Contemporary Cryptography, Artech House, Inc., Norwood, MA, 2005.

10 10

Fig. 6.

15

20

25 30 35 SNR per Symbol, dB

40

45

50

Average number of bits generated as a function of SNR.

[2] H. Chan, A. Perrig, D. Song, “Random key predistribution schemes for sensor networks,” Proc. of the 2003 IEEE Symposium on Security and Privacy, May 2003, pp.197. [3] C. Bennett, F. Bessette, G. Brassard, L. Salvail and J. Smolin, “Experimental quantum cryptography,” J. of Cryptol., 1992. [4] S. Mathur, W. Trappe, N. Mandayam, C. ye, and A. Reznik, “RadioTelepathy: extracting a secret key from an unauthenticated wireless channel,” Mobicom ’08, San Francisco, USA, September 2008. [5] N. Patwari, J. Croft, S. Jana, and S. Kasera “High rate uncorrelated bit extraction for shared secret key generation from channel measurements,” IEEE Trans. on Mobile Computing, vol. 9, no. 1, pp. 17-30, January 2010. [6] C. Ye, A. Reznik, G. Sternberg, and Y. Shah, “On the secrecy capabilities of ITU channels,” IEEE VTC’07, Baltimore, MD, October 2007, pp. 2030-2034. [7] J. Wallace, C. Chen and M. Jensen, “Key generation exploiting MIMO channel evolution: algorithms and theoretical limits”, 3rd European Conference on Antennas and Propagation, EuCAP 2009, Berlin, March 2009, pp. 1499-1503. [8] U. Maurer, “Secret key agreement by public discussion from common information,” IEEE Trans. on Inf. Theory, vol. 39, no. 4, pp. 733-742, 1993. [9] R. Ahlswde, and I. Csiszar, “Common randomness in information theory and cryptography- Part I: Secret sharing,” IEEE Trans. on Inf. Theory, vol. 39, no. 4, pp. 1121-1132, 1993. [10] G. Brassard and L. Salvail, “Secret key reconciliation by public discussion,” Advances in Cryptology Proc.- Eurocrypt ’93, vol. 765, pp. 410-423, 1994. [11] C. Bennett, G. Brassard, and J.M. Robert, “Privacy amplification by public discussion,” SIAM K. Comput., vol. 17, no. 2, pp. 210-229, 1988. [12] S. Jana, N. Patwari, and S. Krishnamurthy “On the effectiveness of secret key extraction from wireless signal strength in real environments,” MobiCom ’09, Beijing, China, September 2009. [13] C. Ye, A. Reznik, and Y. Shah, “Extracting secrecy from jointly Gaussian random variables,” Proc. of IEEE Int. Symp on Info. Theory, Seattle, WA, Jul 2006, pp. 2593-2597. [14] J. Wallace, “Secure physical layer key generation schemes: performance and information theoretic limits”, IEEE International Conference on Communications, ICC ’09, Dresden, Germany, June 2009, pp. 1-5 . [15] Y. EL Hajj Shehadeh and S. Sezginer, “An iterative estimator for fastvarying channels using successive OFDM symbols”, Proc. PIMRC’09, Tokyo, September 2009, pp. 2404-2408. [16] IEEE-SA, “IEEE 802.11n 2009 Amendment 5 Enhancements for Higher Throughput”, 29 October 2009. [17] V. Erceg et al., ”TGn Channel Models”, IEEE 802.11-03/940r4, January 2004.