20. high rate uncorrelated bit extraction for shared secret key generation from channel measurements
1.
IEEE TRANSACTIONS ON MOBILE COMPUTING 1 High Rate Uncorrelated Bit Extraction for Shared Secret Key Generation from Channel Measurements Neal Patwari, Jessica Croft, Suman Jana, and Sneha K. Kasera University of Utah, Salt Lake City, USA Abstract—Secret keys can be generated and shared between two wireless nodes by measuring and encoding radio channel characteristics without ever revealing the secret key to an eavesdropper at a third location. This paper addresses bit extraction, i.e., the extraction of secret key bits from noisy radio channel measurements at two nodes such that the two secret keys reliably agree. Problems include (1) non-simultaneous directional measurements, (2) correlated bit streams, and (3) low bit rate of secret key generation. This paper introduces high rate uncorrelated bit extraction (HRUBE), a framework for interpolating, transforming for de-correlation, and encoding channel measurements using a multi-bit adaptive quantization scheme which allows multiple bits per component. We present an analysis of the probability of bit disagreement in generated secret keys, and we use experimental data to demonstrate the HRUBE scheme and to quantify its experimental performance. As two examples, the implemented HRUBE system can achieve 22 bits per second at a bit disagreement rate of 2.2%, or 10 bits per second at a bit disagreement rate of 0.54%. Index Terms—wireless networks, multipath fading, physical layer, cryptography, key generation 31 I NTRODUCTION tipath properties of the radio channel (gains, phaseThis paper investigates the generation of shared se- shifts, and delays) at any point in time and oncret keys from the observation and processing of re- any given frequency channel are identical on bothciprocal radio channel properties. Shared secret keys directions of the link. • Temporal variations in the radio channel: Over time,are necessary for private communication over an openchannel. Public key cryptography has been the most the multipath channel changes due to movement ofcommon method for the establishment of such keys, but either end of the link, and any motion of peopleconcerns about its limitations has spawned interest in and objects in the environment near the link. Annew methods for key sharing. For example, quantum application may speciﬁcally request a user to movecryptography [1], [2], [3] does not use public keys, but or shake her wireless device in order to generateis prohibitively expensive for most applications. Shared more temporal variation. • Spatial variations: The properties of the radio chan-secret key generation from radio channel measurements,on the contrary, is very inexpensive and can be done nel are unique to the locations of the two endpointswith any standard radio devices which can receive and of the link. An eavesdropper at a third location moretransmit on the same frequency channel. We envision than a few wavelengths from either endpoint willits application in mobile and portable radio communi- measure a different, uncorrelated radio channel [4].cations systems, such as IEEE 802.11 or 802.15.4, which Essentially, the radio channel is a time and space-varyingcommunicate on time-division duplex (TDD) channels. ﬁlter, that at any point in time has the identical ﬁlter Shared secret key generation from channel measure- response for signals sent from a to b as for signals sentments is an application which beneﬁts from the random- from b to a.ness of the multipath channel. It would not, for example, Although the radio channel is reciprocal, measurementswork in a truly free-space environment (such as deep of the radio channel are not reciprocal. Additive noisespace radio links). Secret sharing beneﬁts from: contributes to each measurement as it does in any re- ceived signal. Also, the transceiver hardware used by the • Reciprocity of the wireless radio channel: The mul- two nodes are not identical and affect the signal in each direction in a different way. Furthermore, measurements• Neal Patwari and Jessica Croft are with the University of Utah Depart- ment of Electrical and Computer Engineering. Neal Patwari is partially in both directions of the link cannot typically be made supported by a NSF Career Award #0748206. simultaneously.• Suman Jana and Sneha K. Kasera are with the University of Utah School of Finally, interference power is asymmetric. The pro- Computing. Sneha K. Kasera is partially supported by ONR/ARL MURI grant #W911NF-07-1-0318. posed system is susceptible to denial-of-service by jam-• All authors are partially supported by NSF CyberTrust Grant #0831490 ming, in the same way that the wireless link is suscep- and a Technology Commercialization Project Grant from the University of tible to jamming. If nodes cannot communicate, then Utah Research Foundation. they also cannot measure signal strength and share a
2.
IEEE TRANSACTIONS ON MOBILE COMPUTING 2secret key. However, if multiple-access interference is data which has a high probability of bit agreement. Weinfrequent, and two nodes can receive many packets refer to the combination of the methods as high ratefrom each other, they will have many measurements uncorrelated bit extraction (HRUBE).of signal strength, marginally impacted by interference, As discussed in Section 2, there are methods, calledwith which to encode a secret key. This assumes that an information reconciliation methods, to resolve bit dis-acknowledgement protocol is applied so that two nodes agreements between two nodes without giving away theagree on which packets are to be used in the proposed entire secret key. These methods do give away somesystem. information to an eavesdropper; if enough information We refer to these sources of non-reciprocity collectively can be obtained, an eavesdropper could perform a brute-as ‘noise’ because they are the ultimate cause of bit dis- force search to ﬁnd the secret key. It is best to minimizeagreements between the secret keys generated at nodes the number of bit disagreements and to know a prioria and b. the probability of bit disagreement so that an informa- Bit extraction, i.e., the extraction of secret key bits tion reconciliation method can be designed efﬁciently.from noisy radio channel measurements at two nodes This paper provides a theoretical framework to designsuch that the two secret keys reliably agree, is a major systems with low probability of bit disagreement.statistical signal processing problem in shared secretkey generation. As opposed to communications signalprocessing, it has no interest in obtaining the transmitteddata from another device. We refer to this problem asa radio channel signal processing problem since measure-ments of the radio channel are the signal of interest. Thispaper contributes a statistical framework and algorithmfor bit extraction which extracts a high bit rate with Fig. 1. Flow chart of high rate uncorrelated bit extraction.given reliability and ensures a bit vector with nearly zerocorrelation. This framework is a signiﬁcant improvement This paper is organized as follows. In Section 2, weon the state-of-the-art in the research area. discuss the work in the area of secret key extraction from Recent results have both suggested and demonstrated radio channel measurements, and position this workbit extraction from a variety of different radio channel in that frame. In Section 3, we provide an adversarymeasurement modalities (e.g., time delay, amplitude, model. In Section 4, we describe the fractional inter-phase, and angle). These results are reviewed in Section polation method used to correct for non-simultaneous2. Several works limit the number of bits per measure- radio channel measurements. Section 5 presents thement to one or zero. Several works have decreased the decorrelation of the measured radio channel signal, andmeasurement rate because correlation between measure- Section 6 presents the multi-bit adaptive quantizationments leads to correlation between bits in the secret key, method. Sections 4 through 6 provide the methodologywhich is detrimental to the security of data encoded and analysis of high-rate uncorrelated bit extraction.with that key. Both compromises reduce the bit rate In Section 7, the HRUBE method is implemented inof generated secret keys. In addition, solutions are ad wireless nodes and the bit disagreement rate is shownhoc; each measurement modality requires a separate and compared to the analytical results. Finally, futuremethodology for secret key generation. work and conclusions are presented in Section 8. This work provides a framework for bit extractionusing three signal processing methods: 2 R ELATED WORK 1) Fractional interpolation: Introduces different frac- There have been several papers on the topic of secret tional delays at each node to account for the fact key generation from radio channel measurements. In that the two directional measurements are not mea- the earliest work [5], it was suggested to send two sured simultaneously. unmodulated continuous wave (CW) signals in both 2) De-correlation transformation: Produces a mea- directions through a channel and measure and quantize surement vector with uncorrelated components via the phase difference between the two at each end of a Karhunen-Lo` ve transformation of the original e the link to generate a shared secret. Phase differences channel measurement vector. between multiple channels have been further explored 3) Multi-bit adaptive quantization (MAQ): Converts in [6], [7]. real-valued channel measurements into bits adap- Time delay and gain are also features of the radio tively based on the measured value, using commu- channel that are reciprocal and can be used for se- nication so that both nodes agree on the quantiza- cret generation. The impulse response, in particular, the tion scheme. amplitude of multipath at many time delays, can beThe ﬂow chart of the proposed method is shown in used as a shared secret [8], [9], [10]. While [8], [10] useFigure 1. In this paper, we use these procedures in order ultra-wideband (UWB) radios to measure the impulseto transform correlated, real-valued radio channel signal response, [9] estimates channel gains and delays frommeasurements at two nodes into uncorrelated binary relatively narrowband cellular signals.
3.
IEEE TRANSACTIONS ON MOBILE COMPUTING 3 Amplitude or channel gain is the most common recip- suggests that when bit disagreements are seen in a secretrocal channel feature used for secret generation in the key, nodes should simply regenerate a new secret untilliterature [11], [12], [13], [14], [15], [16], [17]. Amplitude the secret key agrees. The work in [7] explores the energycan be more easily measured than time delay or phase tradeoff between secret regeneration and transmit poweron most existing hardware, and thus is more readily (to increase the SINR at the ends of the link to reduceapplicable to common wireless networks. the probability of bit disagreement). Angle-of-arrival (AOA) itself is not reciprocal – the The majority of reported research has addressed sys-AOA at at the two ends of a link is different. However, tem development from simulation and analysis usingsteerable directional antennas can be used as in [14] to standard statistical channel models [8], [7], [11], [9], [10],measure reciprocal channel gains, which are reciprocal, [13], [15], [6]. Statistical channel fading models such asand generate shared secret keys. The antenna used in Rayleigh, Ricean, and Gaussian have been applied. These[14] is a relatively simple directional antenna, but re- models can be used to compute the probabilities of secretquires access points to have additional physical space key bit agreement, the probabilities that retransmissionfor a multi-element antenna. is necessary, and the bit rate which can be generated In Section 7, we use measurements of amplitude for its either in theory or by a particular encoding algorithm.ease of implementation. However, the HRUBE methods Notably, several researchers have reported experimen-are generally applicable across channel measurement tal results and implementations [10], [12], [14], [16]. Inmodalities discussed above. [10], several bi-directional UWB measurements are made A critical part of practical systems will be the ability and used to compute the number of secret key bits whichto generate arbitrarily long secret keys. Research has could be generated. In [12], an implementation using theaddressed the use of multiple measurements to increase universal software radio peripheral (USRP) and GNUthe size of the secret. As mentioned, [14] used multiple software radio generates and receives the required multi-different beam patterns to allow for multiple measure- carrier signal and evaluates the bit rate of the system.ments. Multiple measurements can also be made at Two implementations in [16] use both off-the-shelf andmany different frequencies [12]. Multiple measurements testbed 802.11a devices to implement secret sharing andover time are used in [11], [13], [15], [6], [16], [17] to achieve about a 1 bit per second rate. In [14], researchersincrease the number of bits in the secret. In this work, use a steerable directional antenna in combination withwe provide a method to de-correlate an arbitrary vector Zigbee radio hardware to generate a secret betweenof collected measurements. Previous works have often two nodes and test what an eavesdropper would haveused correlated measurements to generate the secret key, received. This work also demonstrates its techniqueswhich may be less robust to attacks. using a Zigbee radio implementation, but the techniques Signiﬁcant research has addressed the more general reported here are fundamentally unlike those reportedtopic of obtaining a shared secret key from observations in [14]. This paper reports in detail a new method forof correlated random variables [18], [19]. An eavesdrop- reliably estimating a high-rate uncorrelated bit streamper can also observe a correlated random variable, and from radio channel measurements.the secrecy information rate is shown to be a function We have not seen any secret key bit rate reported asof the mutual information between these three observed high as achieved in our experiments, up to 22 bits/sec.random variables. Analysis of the secrecy rate for UWB In [16], an experimental implementation achieves aboutchannels in [8], [10] and for fading channels in [13] have a 1 bit/sec rate, for which the authors target a 10−8 bitapplied this analysis to the case in which the correlated disagreement rate. In this paper, we report experimentalrandom variables correspond to measured radio channel bit rates from 3 bits/sec at the lowest probability ofcharacteristics. Information theoretic results have shown bit disagreement (0.04%) to a rate of 22 bits/sec at thethat two nodes cannot achieve an arbitrarily small bit highest probability of bit disagreement (2.2%). There is adisagreement rate without communicating some infor- tradeoff in secret key generation between high bit rate ofmation over a common channel [18]. the secret key and low probability of bit disagreement, Because of these results, most reported research has and the proposed method can be used to provide aused limited feedback [11], [9], [10], [13], [14], [6], [17] variety of achieveable points, particularly at higher bitto correct small amounts of disagreement between the rates than previously reported.secret generated a the two ends of a link. This com-munication is referred to as ‘information reconciliation’,‘public feedback’, or ‘error correction’. In this paper we 3 A DVERSARY M ODELassume that information reconciliation will be part of In our adversary model we assume that the adversary,the system design, but we do not explore its use. We Eve, can listen to all the communication between Al-explore minimizing the rate of bit disagreement in order ice and Bob. Eve can also measure both the channelsto reduce the quantity of information reconciliation that between herself and Alice and between herself andmust be performed in order to reliably agree on a shared Bob at the same time when Alice and Bob measuresecret key. the channel between them for key extraction. We also As an alternative to information reconciliation, [7] assume that Eve knows the key extraction algorithm
4.
IEEE TRANSACTIONS ON MOBILE COMPUTING 4and the values of the parameters used in the algorithm. measurement is made at time τa (i) = τa (i − 1) + TR,aHowever, we assume that Eve cannot be very close (less where TR is the time since the previous measurement.than a few multiples of the wavelength of the radio Similarly, node b makes ith measurement wb (i) at timewaves being used [16]) to either Alice or Bob while they τb (i) = τb (i − 1) + TR,b .are extracting their shared key. This will ensure that Eve We assume that channel measurements are made atmeasures a different, uncorrelated radio channel [4]. We greater than the Nyquist rate for the channel. For aassume that Eve cannot jam the communication channel fading channel, the Nyquist rate is twice the maximumbetween Alice and Bob. We also assume that Eve cannot Doppler frequency, fd . Previous works have assumedcause a man-in-the-middle attack, i.e., our methodology that channel probes in the two directions are much moredoes not authenticate Alice or Bob. In other words, frequent than fd [16]. In this work, probing require-the proposed system works against passive adversaries. ments are relaxed somewhat because the signal can beIn this aspect, the technique of key extraction from reconstructed at simultaneous probe times as long as thewireless signal strengths is comparable with classical key 1 probes are taken more often than 2fd , i.e., we alwaysestablishment techniques such as Difﬁe-Hellman, which 1 have TR,c < 2fd for c ∈ {a, b}.also use message exchanges to establish keys and do In general, given that samples are taken at least asnot authenticate Alice or Bob. However, classical key fast as the Nyquist rate, interpolation can be performedexchange techniques make use of unproven assumptions regardless of whether TR,a and TR,b are constant overabout the computational hardness of different problems time, or if TR,a = TR,b . Thus multiple-access delays, orsuch as the discrete logarithm problem. In contrast, the delays due to retransmission, are acceptable within aproposed key extraction technique provides information- limit. As a simple example, one might perform lineartheoretic secrecy and does not assume any bounds on the interpolation between samples to approximate the valuecomputational power of the adversary. of wa at time τ with τa (i − 1) ≤ τ ≤ τa (i) as Even without an authentication mechanism, the Difﬁe-Hellman scheme has found widespread use in network wa (i) − wa (i − 1) wa (i − 1) + [τ − τa (i − 1)] (1)security protocols and standards (e.g., for providing Per- τa (i) − τa (i − 1)fect Forward Secrecy, Strong password protocols, etc.). If nodes agreed to interpolate to half-way between theirWe expect that our scheme will provide a strong alterna- 1 probing times, then both nodes would use τ = 2 [τa (i) +tive to the Difﬁe-Hellman scheme in wireless networks. τb (i)] in (1. Since each node would be able to recordThere is a growing amount of work in authenticating transmission or reception times, τa (i) and τb (i) for all i,wireless devices based on their physical and radiometric on its own clock, no explicit synchronization is requiredproperties (e.g., [17], [20]). These and future authentica- in this procedure. Other approximation algorithms cantion mechanisms can be used in conjunction with our use τa and wa from multiple recent samples to performsecret key establishment scheme. higher-order interpolation. Here, for computational simplicity, we choose to im-4 F RACTIONAL I NTERPOLATION F ILTERING plement a protocol which allows nodes a nearly constantChannel measurements for secret key generation will packet rate. Thus we assume TR = TR,a = TR,b for allalmost certainly be half-duplex, that is, the transmission time. We deﬁne two fractional interpolation ﬁlters, onefrom node a to node b is not made at the same time for each node. We deﬁne the fractional sampling offsetas the transmission from node b to node a. Standard µ astransceivers cannot transmit and receive simultaneously, 1 τb (i) − τa (i) µ= . (2)so non-simultaneous measurements in the two directions 2 TRmust be dealt with regardless of the type of radio Without loss of generality, assume that τa (i) < τb (i),channel measurements made. As described in Section 2, so that µ > 0. If node a delayed its ith sample bymany methods use sequential measurements over time (1 + µ)TR , and simultaneously, node b delayed its sam-in order to generate arbitrarily long secret keys. In this ples by (1 − µ)TR , we would have had simultaneouspaper, we use fractional interpolation ﬁlters to allow measurements. To estimate these delayed samples, wenodes to estimate what the measurements would have specify a fractional delay µc and integer delay mc for ¯been if they had been measured simultaneously. each node: For channel measurement, we assume nodes repeat-edly transmit packets in a TDD protocol1 . Each node µa = µ µb = 1 − µreceives a packet from the other node and uses it to ma = 1 ¯ mb = 0 ¯measure the channel characteristic. Let wa (i) be the ithchannel measurement at node a made at time τa (i). After using a fractional interpolation ﬁlter to delay itsWe assume that the constant packet rate means the ith signal by µa = µ, node a will also add an additional unit sample delay. Node b uses its fractional interpolation 1. Whether or not the transmission is a data packet or any arbitraryﬁnite-duration signal, we use the term ‘packet’ to describe the trans- ﬁlter to delay its signal by µb = 1 − µ, and does notmission. add any additional unit delays.
5.
IEEE TRANSACTIONS ON MOBILE COMPUTING 5 We use the Farrow ﬁlter, a ﬁnite impulse response where A is an N × N matrix. The mean of yc is zero,implementation which introduces an arbitrary fractional and the covariance matrix of yc , Ry , is given bydelay [21]. Standard implementations of the Farrow ﬁlter Ry = E yc yc = AT Rx A T (4)are four-tap FIR ﬁlters which provide a parabolic orcubic interpolation between samples. Such ﬁlters are Assume the singular value decomposition of Rx is,often used in discrete-time implementations of receivertiming synchronization loops, and are well-suited for Rx = U SU T , (5)DSP implementation [22]. We implemented a cubic Far- where U is the matrix of eigenvectors, and S =row ﬁlter, parameterized by µa or µb . For c ∈ {a, b}, 2 2 diag σ1 , . . . , σN , a diagonal matrix of the correspond- µ3 c µc µ3 µ2 ing eigenvalues. We assume that the eigenvectors have hc = − , − c + c + µc , been sorted in order of decreasing eigenvalue, so that 6 6 2 2 T σ1 ≥ σ2 ≥ · · · ≥ σN ≥ 0. Note that U T U = IN , where IN 2 2 2 µ3 c µc µ3 µ2 µc is the N × N identity matrix. − µ2 − , − c + c − c (3) 2 2 6 2 3 The discrete Karhunen-Lo` ve transform simply as- eNote that hc requires recalculation only when µc signs A = U ,changes. The input of ﬁlter hc are the measurements yc = U T (xc − µc ). (6){wc (i)}i , and we deﬁne the output as {xc (i)}i . These out- The vectors ya and yb for nodes a and b, respectively,puts are estimates of the radio channel at simultaneous become the input for the MAQ scheme described ininstants, halfway between the original non-simultaneous Section 6. When simplifying (4) we have the result that,measurements. These vectors xa and xb , Ry = U T Rx U = U T U SU T U = S, xa = [xa (1)T , . . . , xa (N )T ]T xb = [xb (1)T , . . . , xb (N )T ]T , and the output vector yc in fact has a diagonal covari- ance matrix, indicating uncorrelated elements.where N is the desired length of the vector. These vectors Note that uncorrelated is not the same as independent;become the input for the de-correlation transformation while they are the same for Gaussian random vectors,discussed in the following section. they are not equivalent in general. The KLT guarantees zero covariance between elements, but not higher-order5 D E -C ORRELATION T RANSFORMATION cross-moments. Uncorrelated but not independent bitsIn this paper, we use the discrete Karhunen-Lo` ve trans- e may result in an a per bit entropy of less than 1.0;form (KLT) to convert the measured channel vectors xa we show in Section 7.7 from experiments an entropyand xb into uncorrelated components. The KLT has been estimate of between 0.96 to 0.98. Depending on the trueapplied for many different types of signals for purposes joint distribution, it may be possible for an attackerof noise reduction and data compression. We apply the to use the higher-order cross-moments to predict oneKLT for the purpose of generating nearly uncorrelated value from others. Investigation of this possibility mustelements for our secret, which for robustness to attacks, involve extensive measurements to allow inference onshould not contain signiﬁcant correlation between ele- the joint distribution of the data yc , and we leave this toments. future research. The discrete KLT provides an orthogonal basis whichde-correlates the input vector, assuming a known model 5.1 Bi-Directional Measurement Covariancefor the covariance structure of the original vector. For Although the elements of yc are decorrelated by the KLT,particular classes of signals, we can ﬁnd such statistical there is still covariance between the yc and yc , where ¯models; e.g., for electrocardiogram signals [23], voice c, c ∈ {a, b} and c = c. That is, c and c are the indices for ¯ ¯ ¯signals, internet trafﬁc measurements [24], and ﬁnger- the opposite direction measurements of the link betweenprints [25], models have been developed from large nodes a and b. In fact, a high positive correlation betweensets of measurements. In this paper, we develop such the two different directions of the link is what enablesa covariance model using a large set of measurements, secret sharing. We denote the covariance matrix of theand use it to calculate the appropriate KLT. original measurements to be Rxc ,xc , ¯ In the discrete KLT, a linear transformation of aninput vector is taken, which results in a vector with Rxc ,xc ¯ E (xc − µc )(xc − µc )T = E (xc − µc )(xc − µc )T . ¯ ¯ ¯ ¯uncorrelated elements. Assume that the (length N ) input After the KLT, the vectors yc and yc have covariance ¯vector at node c ∈ {a, b}, xc , has mean µc and covariance matrix denoted as Ryc ,yc ,matrix Rx 2 . A linear transform of the data is ¯ yc = AT (xc − µc ), Ryc ,yc ¯ E yc yc = U T Rxc ,xc U. T ¯ ¯ (7) The ith diagonal element of Ryc ,yc , denoted here as ¯ 2. We assume that the mean at each node can be different due to thedifferent transmit powers, but that the covariance matrix is the same [Ryc ,yc ]i,i , is the covariance of yc (i) and yc (i). The vari- ¯ ¯ 2at both nodes. ance of yc is given by σi and is equal to the variance of
6.
IEEE TRANSACTIONS ON MOBILE COMPUTING 6yc since c, c ∈ {a, b}. So the correlation coefﬁcient of the ¯ ¯ ¯ ¯ of T , where NT = |T |. Then the secret key bit vectorith component, denoted ρi , is of node c ∈ {a, b} is given by zc = [zc (1), . . . , zc (NT )]T , where [Ryc ,yc ]i,i ¯ 1, xc (tj ) > γ ρi = 2 . (8) zc (j) = (9) σi 0, xc (tj ) < −γ The correlation coefﬁcient ρi is effectively a measure We note that the work in [16] does not directly encodeof the SNR of the measurement of the bi-directional ith xc (i). Instead, only one sample from each ‘excursion’ ofcomponent of y. When the ‘noise’ contributing to both {xc (i)}i is encoded. An excursion is any sequence ofya (i) and yb (i) is high, the value of [Ryc ,yc ]i,i is low 2 ¯ {xc (i)}i which are either all above the high thresholdcompared to σi , and ρi is closer to zero. When there is or below the low threshold. This method allows highvery little noise, ρi is close to 1. In Section 6.4, we show reliability in bit encoding while reducing correlationthat the value of ρi is the critical component to determine between subsequent bits.both how many bits to which the ith component canbe quantized, and the performance of the quantization The beneﬁt of the one bit and censor scheme in generalmethod, i.e., the probability that the bits generated agree is that data that falls near zero, which would be likely toat the two nodes. have opposite sign at the opposite end of the link, is not used in the secret. The value of ya (i) would be known to an eavesdropper to be either within or outside of the6 M ULTI - BIT A DAPTIVE Q UANTIZATION threshold region, but this provides no information aboutThe objective of this section is to describe the quantiza- whether the value is above γ or below −γ. If i ∈ T , thetion of the transformed vector yc , for c ∈ {a, b}, into a measurement is not used in the secret, and if i ∈ T , the /secret key bit vector. Quantization in this application has eavesdropper has no information about whether ya (tj )two conﬂicting goals: is greater than γ or less than −γ. So, the communicated 1) Secret length maximization: Obtain as long of a secret data does not reveal anything about the generated secret (in bits) as possible. key bits. 2) Error minimization: Keep the probability that the Compared to the method proposed in this paper, the secret key will not match at nodes a and b as low censoring scheme has two main drawbacks. First, the use as possible. of censoring causes loss of bits. The number of bits lostWe also must maintain zero covariance between ele- to censoring depends on the measured data. In order toments of secret key, and thus do not use vector quantiza- ensure a secret with a consistent number of bits, extration. Instead, we use scalar quantization on each element measurements must be gathered prior to bit extraction.of yc . Consider this tradeoff on a single component, In numerical results related in Section 7.6, between 5% tocomponent i. The quantizer for component i is a function 27% of measurements are lost to censoring. The secondQi : R → {1, . . . , 2mi }, where mi is the number of bits to drawback is that it is not possible to generate more thanwhich we quantize the ith component. one bit from each real-valued measurement, that is, mi = 1 for all i.6.1 Related Work: Censoring SchemeSeveral past works in bit extraction from channel mea- 6.2 Formulationsurements have quantized each measurement to one oftwo bins and a ‘censor’ region [16], [17], [14], [15]. In We propose a multi-bit adaptive quantization (MAQ)these methods, when a measurement has a value near scheme for secret sharing. The MAQ scheme adaptivelyzero, the measurement is not used in the secret, and quantizes each measurement to an arbitrary number ofotherwise, the measurement is quantized by its sign to a bits without censoring. No ﬁxed quantization scheme is‘0’ or ‘1’. This one bit and censor method, as a standard able to achieve a low error rate because when ya (i) ismethod used in related work, provides a good point very near to a threshold, there is a high probability thatof comparison for the MAQ method presented in this yb (i) crosses to the other side of that threshold. As apaper. solution, we propose to change the quantization scheme In the standard censoring method, a low threshold at both a and b based on the measurement at one of theand a high threshold are speciﬁed, for example, [−γ, γ]. nodes. For this discussion, without loss of generality, weThe indices of the values that fall within the threshold assume that node a is the ‘leader’ node in the multi-region are not encoded. Speciﬁcally, node a forms the set bit adaptive quantization scheme, and that node b is theTa = {i : −γ ≤ xa (i) ≤ γ} and transmits the list of the ‘follower’.elements in Ta to node b. Node b then similarly forms Tb In the MAQ scheme, we ﬁrst quantize ya (i) to Kand transmits Tb Ta to node a. The union of both sets, 2mi +2 = 4 × 2mi equally-likely quantization levels. ToT = Ta ∪ Tb are the indices not used in the shared secret. achieve equally-likely quantization levels, we require the ¯Let T = {1, . . . , N } T be the indices that will be used distribution for ya (i). In general, let Fi (y) = P [ya (i) ≤ y]in the secret, and let tj ∈ {1, . . . , NT } be the jth element be the cumulative distribution function (CDF) of ya (i).
7.
IEEE TRANSACTIONS ON MOBILE COMPUTING 7 Bin Codeword e Interval Bin Codeword e Interval k d1 d0 of y(i) k d1 d0 of y(i) 1 0 0 0 (−∞, Fi−1 (0.125)] 1 01 00 0 (−∞, Fi−1 (0.0625)] 2 0 0 1 (Fi−1 (0.125), Fi−1 (0.25)] 2 01 00 1 (Fi−1 (0.0625), Fi−1 (0.125)] 3 0 1 1 (Fi−1 (0.25), Fi−1 (0.375)] 3 01 01 1 (Fi−1 (0.125), Fi−1 (0.1875)] 4 0 1 0 (Fi−1 (0.375), Fi−1 (0.5)] 4 01 01 0 (Fi−1 (0.1875), Fi−1 (0.25)] 5 1 1 0 (Fi−1 (0.5), Fi−1 (0.625)] 5 11 01 0 (Fi−1 (0.25), Fi−1 (0.3125)] 6 1 1 1 (Fi−1 (0.625), Fi−1 (0.75)] 6 11 01 1 (Fi−1 (0.3125), Fi−1 (0.375)] 7 1 0 1 (Fi−1 (0.75), Fi−1 (0.875)] 7 11 11 1 (Fi−1 (0.375), Fi−1 (0.4375)] 8 1 0 0 (Fi−1 (0.875), +∞) 8 11 11 0 (Fi−1 (0.4375), Fi−1 (0.5)] 9 10 11 0 (Fi−1 (0.5), Fi−1 (0.5625)] TABLE 1 10 10 11 1 (Fi−1 (0.5625), Fi−1 (0.625)] Example mi = 1-bit adaptive quantization scheme. 11 10 10 1 (Fi−1 (0.625), Fi−1 (0.6875)] 12 10 10 0 (Fi−1 (0.6875), Fi−1 (0.75)] 13 00 10 0 (Fi−1 (0.75), Fi−1 (0.8125)] 14 00 10 1 (Fi−1 (0.8125), Fi−1 (0.875)] 15 00 00 1 (Fi−1 (0.875), Fi−1 (0.9325)Thresholds for equally likely quantization bins are gen- 16 00 00 0 (Fi−1 (0.9325), +∞)erated by using the inverse of the CDF, TABLE 2 k Example mi = 2-bit adaptive quantization scheme. ηk = Fi−1 , for k = 1, . . . , K − 1. (10) 4 × 2 miIn the following for ease of notation, let η0 = −∞and ηK = ∞. The kth quantization bin is the interval 6.3 Discussion(ηk−1 , ηk ] for k = 1, . . . , K, so k(i) is given by The above MAQ scheme provides a new method for a k(i) = max{k s.t. ya (i) > ηk−1 }. (11) multi-bit adaptive quantization for each component of k vector y. No components are ‘censored’, and instead, a Next, we use a particular type of Gray code to adap- leader node decides upon the quantization scheme fromtively assign a binary codeword to each quantization bin. two options which is least likely to cause disagreementWe do this by deﬁning the following binary variables: between the two nodes. When disagreements occur, due • Deﬁne e(k), for k = 1, . . . , K as to the use of Gray coding, it is very likely that only one bit of the multi-bit codeword will be in error. 1, k mod 4 ≥ 2 Further, the passing of the vector e does not provide e(k) = 0, o.w. an eavesdropper with any information about the secret key bits. Knowing e(k(i)) eliminates half of the possible In other words, e(k) is the twos bit in the binary quantization levels. But codewords are equally likely representation of integer k. given the knowledge of e(k(i)). For example, for the • Create a Gray codeword with mi bits, that is, an mi = 1 case, if e = 1, then the eavesdropper knows that ordered list of 2mi possible mi -bit codewords. A ya (i) is neither very high in magnitude nor very low Gray codeword list changes only one bit between in magnitude. However, there are four possible equally- neighboring codewords in the list. likely bins with e = 1, two which would be encoded • Let f1 (k) = k−1 . Deﬁne d1 (k) ∈ {0, 1}mi to be 4 with d1 = 1 and two with d1 = 0. The eavesdropper equal to the f1 (k)th Gray codeword. That is, it is has no information to which bit the component will be the same Gray codeword list but with each element encoded. repeated four times. • Let f0 (k) = k+1 mod K . Deﬁne d0 (k) ∈ {0, 1}mi to 4 be equal to the f0 (k)th Gray code. That is, it is the 6.4 Analysis of Probability of Bit Disagreement same list as d1 (k) but circularly shifted by two. The performance of a particular MAQ scheme is mea-Two examples are presented in Table 1 and Table 2, for sured by its probability of bit disagreement (PBD ), thatthe case of mi = 1 and mi = 2, respectively. is, the probability that nodes a and b encode a bit Multi-bit adaptive quantization proceeds as follows. differently. We use the term ‘disagreement’ rather thanFirst, from the values of ya (i), leader node a determines ‘error’ because there is no notion of the ‘correct’ bit tothe quantization bin k(i) for all components i. Node a which a and b should have encoded when they disagree.transmits the bit vector e = [e(k(1)), . . . , e(k(N ))]T to In this section, we analyze bit disagreement prob-the follower node b. Both nodes then encode their secret abilities as a function of the number of quantizationkey using codeword d1 whenever e = 1, and codeword bits mi and the joint distribution of ya (i) and yb (i).d0 whenever e = 0. Speciﬁcally, the secret key is Let the joint probability distribution function (pdf) be z = de(k(1)) (k(1)), . . . , de(k(N )) (k(N )) fYa (i),Yb (i) (ya , yb ). As discussed, the two marginal distri- butions are identical, so we refer to the marginal pdf aswhere k(i) is given in (11). fi (y) and the cumulative distribution function (CDF) as
8.
IEEE TRANSACTIONS ON MOBILE COMPUTING 8 the marginal variances of ya (i) and yb (i) are identical, 2 which we denote as σi . Let the correlation coefﬁcient of ya (i) and yb (i) be ρi . Then the conditional pdf of Yb (i)|Ya (i) has mean ρi Ya (i) and variance σi (1 − ρ2 ). 2 i Thus, P [CA|ya ] for the 1-bit adaptive quantization case can be written as: F −1 (αya ) − ρi ya P [CA|ya ] ≥ Φ σi 1 − ρ2 i F −1 (βya ) − ρi ya −Φ (13) σi 1 − ρ2 i where Φ(x) is the unit variance Gaussian CDF, and αyaFig. 2. Diagram showing area of Fi−1 (ya ), Fi−1 (yb ) where and βya are the high and low limits for a given ya of thegenerated bits at a and b will agree (gray area) and segment of yb which results in codeword agreement. Fordisagree (white area) for the 1-bit adaptive quantization the 1-bit adaptive quantization case, it can be seen fromscheme. Figure 2 that 0.25, Fi (ya ) ≤ 0.125 0.5, 0.125 < Fi (ya ) ≤ 0.375 Fi (y). The conditional CDF of yb (i) given ya (i) is written αya =as FYb (i)|Ya (i) (yb |ya ). 0.75, 0.375 < Fi (ya ) ≤ 0.625 1, 0.625 < Fi (ya ) We ﬁrst discuss the probability of codeword disagree- ment, and then provide an approximation for the prob- 0, Fi (ya ) < 0.375ability of bit disagreement. The two are the same in the 0.25, 0.375 ≤ Fi (ya ) < 0.625 βy a =mi = 1 case, but different in general. 0.5, 0.625 ≤ Fi (ya ) < 0.875 For certain combinations of (ya (i), yb (i)), the codeword 0.75, 0.875 ≤ Fi (ya ) at node a will be encoded differently than at node b, and In general, for an mi -bit quantization scheme,these combinations can be viewed graphically on a 2-Dplot. Recall that node a is the leader node, and so ya αya = min 1, Fi (ya ) + 2−(mi +2) 2−(mi +1)decides the quantization scheme. Given ya (i), the valueof yb (i) thus decides whether or not a bit disagreement βy a = max 0, Fi (ya ) − 2−(mi +2) (14) 2−(mi +1)occurs. For example, for the 1-bit adaptive quantiza- where we deﬁne the u-multiple ﬂoor and ceiling func-tion scheme displayed in Table 1, the combinations of tions which return the highest multiple of u lower than(ya (i), yb (i)) which result in bit agreement are shown its argument, and the lowest multiple of u higher thanin Figure 2 as the gray shaded area. There is a wide its argument, respectively:diagonal area, where ya (i) is close to or equal to yb (i),which would result in codeword agreement. x x ⌊x⌋u = u , ⌈x⌉u = u (15) If we refer to the shaded area of the diagram (the bit u uagreement area) as A, then the probability of codeword Equation (13) is less than or equal to the exactagreement, denoted PCA , is P [agreement] because we only consider the main diago- nal area of agreement. For example, we do not consider PCA = fYa (i),Yb (i) (ya , yb )dya dyb . the top-left area and bottom-right area in Figure 2. These A non-diagonal elements will typically have a very smallAnother way to write this equation is probability, because they correspond to observing nearly opposite values on the two directional measurements. PCA = P [CA|ya ] fi (ya )dya (12) Since the two measurements have high positive corre- ya lation, it is highly unlikely to observe nearly oppositewhere P [CA|ya ] is the probability of code agreement values.given ya , Using (12) and (13) we can solve for a lower bound on the probability of agreement. We note that for the P [CA|ya ] = fYb (i)|Ya (i) (yb |ya )dyb , Gassian case, Fi−1 (x) = σi Φ−1 (x) where Φ−1 (x) is the yb ∈A(ya ) inverse of the zero-mean unit variance CDF. A substitu-and A(ya ) = {yb : (ya , yb ) ∈ A}. tion of v = ya /σi results in the expression, ∞ Φ−1 [ασi v ] − ρi w6.5 MAQ Performance in Gaussian Case PCA ≥ Φ − v=−∞ 1 − ρ2 iFor the case that ya (i) and yb (i) are jointly Gaussian and 2zero mean, we can ﬁnd a more direct expression for the Φ−1 [βσi v ] − ρi v e−v /2 Φ √ dv (16)probability of code agreement. Note that we know that 1 − ρ2 i 2π
9.
IEEE TRANSACTIONS ON MOBILE COMPUTING 9 Probability of Bit Disagreement −1 10 −2 10 m=4 m=3 −3 m=2 10 m=1 0.9 0.99 0.999 Correlation Coefficient ρ Fig. 4. Diagram showing area of (ya , yb ) where generatedFig. 3. Analytical approximation for the probability of bit bits at a and b will agree (gray area), disagree (whitedisagreement from (17) as a function of number of bits area), and will be censored (crosshatched area) for theper codeword, m, and correlation coefﬁcient, ρ. censoring scheme. 0.3 Probability of Censoring MeasurementNote that (16) is not a function of σi , the variance of the γ = σ/5 γ = σ/10ith component of y. Instead, it is solely a function of φi 0.25 γ = σ/20and mi . Note that the probability of code disagreementPCD = 1−PCA , from the lower bound in (16), we have an 0.2upper bound on PCD . Borrowing from digital commu-nications analysis of Gray coded symbol constellations, 0.15for low PCD , we can approximate the probability of bitdisagreement, PBD , as 0.1 PBD ≈ PCD /mi . (17) 0.05 0.9 0.99 0.999This expression (16) is solved numerically, and results Correlation Coefficient ρfor the PBD are plotted in Figure 3. Fig. 5. Analytical probability of a bit being censored in the censoring scheme vs. ρ and γ.6.6 Censoring Scheme Performance in GaussianCaseThe multi-bit adaptive quantization scheme offers the This expression is only a function of γ/σi and ρ, andpossibility of encoding a component with more than is plotted in Figure 5. Similarly, the probability of bitone bit, which is not possible in the existing censoring disagreement for the censoring scheme (given that it isscheme. However, for the mi = 1 case, we can compare not censored) is given by,the two bit extraction schemes and evaluate their relative 2 1 e−v /2beneﬁts. PBD = P [BD |v] √ dv We begin by formulating the probability of bit dis- 1 − P [Cens] v 2π agreement in the censoring scheme. The bit is censored 1 − Φ γ/σi −ρi v , v < −γ √ 2 1−ρi σiwhenever either a or b measures a value between −γ and γ. Agreement occurs whenever both ya (i) < −γ and P [BD |v] = −γ/σi −ρi v √ 2 γ (19) Φ , v> σiyb (i) < −γ, or whenever both ya (i) > γ and yb (i) > γ. 1−ρi 0, o.w. These cases are shown in Figure 4, which is analogousto Figure 2 for the 1-bit MAQ scheme. The performance of the censoring scheme should be Assuming a joint Gaussian distribution for (ya , yb ), as judged on the probability of bit disagreement given thatassumed in Section 6.5, we can calculate the probability the bit is used in the secret (is not censored). This is whyof censoring, P [Cens], and the probability of bit dis- the conditional probability of bit disagreement is dividedagreement. by the factor of (1 − P [Cens]). The result is plotted in 2 Figure 6. e−v /2 P [Cens] = P [Cens |v] √ dv (18) v 2π γ 1, if − σi ≤ v < σi γ 6.7 Performance Discussion and ComparisonP [Cens |v] = γ/σi −ρi v −γ/σi −ρi v We can compare the results in Figure 6 to the m = 1 line Φ √ 2 −Φ √ 2 , o.w. 1−ρi 1−ρi in Figure 3. For low thresholds γ, the censoring scheme
10.
IEEE TRANSACTIONS ON MOBILE COMPUTING 10 γ = σ/20 memory capabilities, and the TelosB can send 250 kbps. γ = σ/10 Probability of Bit Disagreement We choose the hardware to show the ability of simple −1 γ = σ/5 10 hardware devices to collect channel data useful for secret key exchange. We program the TelosB 802.15.4 radios to transmit and −2 10 receive packets which are used as channel probes. In general, any data could be sent in the probe packets, including application data. In our implementation, the −3 10 packets include only minimal data: the packet header, a node id, and a sequence number. When one radio 0.9 0.99 0.999 receives a packet, it measures and records the RSS and Correlation Coefficient ρ stores it with the packet sequence number. Then, it in-Fig. 6. Analytical probability of bit disagreement from (19) crements the sequence number and replies with a packetvs. ρ and censoring threshold γ, given that the bit is not with the incremented sequence number. This processcensored. repeats until the two nodes have collected enough probe data. Each packet contains a total of 10 bytes and thus has a duration of 40 µs. Processing time dominates theresults in a higher probability of bit disagreement than packet duration, and the channel is measured at a ratethe 1-bit MAQ scheme. At high γ (e.g., the γ/σ = 0.2 of approximately 100 probe packets per second, or 50case) censoring can provide a lower bit disagreement probes per node.probability than 1-bit MAQ. However, at high γ, many In any implementation, the RSS value measured bybits are censored. For example, for γ/σ = 0.2 and a receiver is device-speciﬁc. On the TelosB, the RSS isρ = 0.96, the censoring scheme achieves conditional a signed 8-bit integer value, a value proportional toprobability of bit disagreement of 0.01 compared to 0.03 the measured average received power over the durationfor the 1-bit MAQ scheme, but the censoring scheme of the packet, in decibel milliwatts (dBm). While thismust censor 24.7% of components. integer value could be converted to a dBm value, it is For a moment, ignoring the loss of bits caused by unnecessary for our purposes, since all testbed radiosthe censoring scheme, we consider when to use the are TelosB devices and thus have the same RSSI charac-censoring scheme instead of the MAQ scheme. When teristic.the correlation coefﬁcient ρ is low, the threshold can beset high, and the conditional probability of bit disagree- Our experimental tests involve two nodes, a and b,ment can be made lower in the censoring scheme. For about 0.5 meters apart, measuring link (a, b). The originalexample, if one wishes to design for highest possible bit channel measurement vectors wa and wb are the listsrate with PBD ≤ 0.04, one would choose m = 1 for of measured RSS values at nodes a and b, respectively.0.95 < ρ < 0.98, m = 2 for 0.98 < ρ < 0.993, and m = 3 Figure 7 shows an example of wa and wb measuredfor 0.993 < ρ < 0.998. For the m = 1 case, the censoring over the course of 100 channel probes. It shows somescheme could be used in order to lower the probability differences between the two directional measurements,of bit disagreement at the expense of higher probability but the large-scale changes of the two signals over timeof censoring. In this example, if we have components i are remarkably similar. The tests also include the mea-with ρi > 0.98, the MAQ scheme offers more bits per surement at an eavesdropper node e which receives butmeasurement component. never transmits. Node e is located about 1.5 m from node b and can measure the RSS on the channels (a, e) and (b, e). Figure 7 also shows the measurement of RSS on7 E XPERIMENTAL I MPLEMENTATION link (a, e). The signal at the eavesdropper is qualitativelyIn this section, we present the collection of a set of very different from the true link measurements.testbed RSS measurements on a bi-directional link and Motion of one of the nodes is used to generate fadinguse the data to provide an example of the implementa- changes in the RSS measurements, which is critical to ob-tion and performance of the HRUBE method. serving fading during short-term experiments in indoor environments. During the experiment, the experimenter7.1 Setup continuously moves one of the nodes in a ‘random’We use Crossbow TelosB wireless sensors which are manner, above, below, and around its starting position.connected via a USB connection to a laptop in order Three experiments are conducted, each for a duration ofto record the collected data for post-processing and about 1000 seconds. In this paper, we chose to measureanalysis. The TelosB mote is a low power wireless sen- vectors with length N = 50. Since measurements aresor module equipped with an IEEE 812.15.4-compliant taken approximately 50 per second, each vector takesRF transceiver (the TI CC2420), built-in antenna and 1 second to record. The long duration of the experimenta micro-controller. In general, wireless sensors are de- ensures that we have enough data to characterize meansigned for low data rate and low computation and and covariance statistics.
11.
IEEE TRANSACTIONS ON MOBILE COMPUTING 11 5 1200 2 Variance σi 900 0 600 300 RSS Integer −5 0 5 10 15 20 −10 0.999 Corr. Coef. ρ −15 0.99 −20 0.9 200 220 240 260 280 300 5 10 15 20 Counter Value ComponentFig. 7. Raw measured RSS values from a to b (+), from b 2 Fig. 8. Variances σi and correlation coefﬁcients ρi of ﬁrstto a (o) and from b to e (*). 20 components of y.7.2 Interpolation Next, we also calculate the covariance between aOur measurement protocol lacks explicit time- measurement and the same measurement on the reversesynchronization, but the protocol approximately link:achieves a fractional time offset of 1/2 at all times. The C ˆ 1 (i)protocol is synchronized in the sense that each node Rxc ,xc ¯ = (x(i) − µa )(xb − µb )T a 2C − 1 i=1transmits a packet as soon as it ﬁnishes receiving a Cprobe packet from the other node. The delay between (i)reception and transmission is nearly the same at each + (xb − µb )(xa − µa )T . (i) (21) i=1node, because they have the same hardware and runthe same software. Packets can be delayed or droppeddue to interference (nodes operate in the same band 7.4 De-Correlation Transformas WiFi), but we ignore these effects. We assume that ˆ From Rx , we calculate the SVD as given in (5). Weτb (1)−τa (1) plot the eigenvalues of each eigenvector (the variance TR is approximately equal to 1/2. That is, nodeb’s probes are sent halfway in between the previous and of each component) in the top subplot of Figure 8.subsequent node a probes. This leads to a µ = 0.25 in Then, using the KLT matrix U , we calculate the cross-(2). Our measured values wa and wb are run through directional covariance matrix from (7) and use it tothe interpolation procedure described in Section 4 and calculate the correlation coefﬁcients ρi as given in (8).the synchronized data xa and xb are then formed using These correlation coefﬁcients are plotted in the bottom(4). subplot of Figure 8. The highest correlation coefﬁcient is s 0.9965; there are seven components with ρ > 0.98 and fourteen components with ρ > 0.95. ˆ Figure 9 shows the ﬁrst nine eigenvectors of Rx , the7.3 Data Model columns of U , both in the time domain and in theWe use the measured data from the ﬁrst experiment frequency domain. The results show that the eigen-(of three) to estimate the mean vectors µxa and µxb , vectors are nearly pure sinusoids. For short periodsand covariance matrix Rx of the data vectors, which is of time (our measurement vectors are recorded withinestimated as: one second), we can consider the fading signal to be a wide-sense stationary (WSS) random process, and as C C 1 1 (i) such, its eigenvectors should be complex exponentials. µxa = x(i) , a µxb = xb For longer periods of time, motion may not be WSS C i=1 C i=1 because of changes in the nature of the motion in the C ˆ 1 channel or of the nodes themselves. Future work should Rx = (x(i) − µa )(x(i) − µa )T a a 2C − 1 address the stationarity of the fading process during i=1 C secret generation. Future implementations may also wish + (i) (i) (xb − µb )(xb − µb )T (20) to use an FFT of the measured RSS values rather than i=1 the KLT in order to reduce computational and memory complexity. (i)where xc is the ith 50-length measured RSS vector at Next, we apply the data model to experimental datanode c, and W = 49951 is the total number of RSS vectors sets two and three. We transform the measured datawhich can be formed from the measured data at each vectors xc from these latter two data sets using the KLTnode. to compute the values of yc = U T (x − µc ), for c ∈ {a, b}.
Clipping is a handy way to collect and organize the most important slides from a presentation. You can keep your great finds in clipboards organized around topics.
Be the first to comment