The Passive Eavesdropper Affects my Channel:
Secret-Key Rates under Real-World Conditions
— Extended Version —
Christian Zenger, Hendrik Vogt, Jan Zimmer, Aydin Sezgin, Christof Paar
Ruhr-Universität Bochum, Germany
{christian.zenger, hendrik.vogt, jan.zimmer, aydin.sezgin, christof.paar}@rub.de
arXiv:1701.03904v1 [cs.IT] 14 Jan 2017

Abstract—Channel-reciprocity based key generation (CRKG) has gained significant importance
as it has recently been proposed as a potential lightweight security solution for IoT devices.
However, the impact of the attacker's position in close range has only rarely been evaluated
in practice, posing an open research problem about the security of real-world realizations.
Furthermore, this would further bridge the gap between theoretical channel models and their
practice-oriented realizations. For security metrics, we utilize cross-correlation, mutual
information, and a lower bound on secret-key capacity. We design a practical setup of three
parties such that the channel statistics, although based on joint randomness, are always
reproducible. We run experiments to obtain channel states and evaluate the aforementioned
metrics for the impact of an attacker depending on his position. It turns out the attacker
himself affects the outcome, which has not been adequately regarded yet in standard channel
models.

I. INTRODUCTION

The inherent randomness of the wireless medium can be utilized for extracting a shared secret,
since wireless channels exhibit the feature of reciprocity. This approach is referred to as
channel-reciprocity based key generation (CRKG). The underlying assumption is that an
eavesdropper (Eve) cannot obtain the same channel state, and thus cannot compute the key. The
general feasibility of the approach has been reported by several early works in the literature
[1], [2], which have been extended by subsequent studies related to practical key agreement
[3], [4]. In particular, there have been some works that deal with the removal of temporal
correlation, by methods like principal component analysis (PCA) [5], beamforming [6] or linear
prediction [7].

Throughout the paper, we use cross-correlation, mutual information, and secret-key rates as
performance metrics. The theoretical foundation of secret-key rates has been established by
Maurer [8] and Ahlswede et al. [9]. They coined the information-theoretic source-type model,
where Alice, Bob and Eve have access to a jointly random source, and derived bounds on the
secret-key capacity. Their result is used in a large body of research, especially for Gaussian
channels, e.g., reference [10] for a multi-observation model or [2] for the application to UWB
channels.

However, some of the popular beliefs regarding the capabilities of the eavesdropper have to be
challenged. Many previous works, e.g., [11], [12], have relied on the assumption that the
channel of Alice-to-Bob gets uncorrelated to that of Eve, as long as Eve is positioned more
than half a wavelength away from Alice and Bob, commonly referred to as Jake's model
[13, Chapter 3.2.1]. In the literature, this is usually referred to as spatial decorrelation
[14]. A study [4] has questioned this assumption by practical evaluation. Recently, a
comprehensive study [15] has shown that for many popular correlation models of scattering
environments, the eavesdropper might obtain largely correlated observations, especially if Eve
is located within the line-of-sight beam of Alice and Bob.

In this work, we intend to shed more light on the threats for CRKG from passive eavesdropping.
As a consequence, we extend the work of [15] by providing more elaborated practical
measurements. We quantify the leakage of Alice and Bob in relation to Eve with respect to the
distance, especially for low ranges that introduce near-field effects. The measurement setup
is designed with the objective to generate reproducible results, such that we can justify
stationary random processes. This is a fundamental necessity in order to obtain meaningful
results, which has sometimes been overlooked in previous work. The cross-correlation and
achievable secret-key rate serve as the performance metrics that indicate the common
randomness available to Alice and Bob, and likewise, the information loss to Eve. We evaluate
the metrics for the original data and the processed versions after down-sampling or
decorrelation. The results demonstrate that the close physical presence of Eve in the
communication setting significantly changes the channel statistics. This phenomenon is so far
not covered by conventional channel models for CRKG.

Section II introduces the system model and elaborates on both the processing of the measured
data and the performance metrics on security. The measurement setup is described in section
III. The evaluation and results of the measurement campaign are presented in section IV.
Finally, section V concludes the paper.

II. SYSTEM MODEL

As depicted in Figure 1, we consider Alice, Bob and Eve measuring the channel
$h_{ab,k} \in \mathbb{R}$, $h_{ba,k} \in \mathbb{R}$, $h_{ae,k} \in \mathbb{R}$ and
$h_{be,k} \in \mathbb{R}$, which represent the state of Alice-to-Bob, Bob-to-Alice,
Alice-to-Eve and Bob-to-Eve channels, respectively, and $k$ denotes a discrete time instant.
We model these variables
as joint stationary and ergodic random processes. In general, Eve gets two channel states
($h_{ae,k}$, $h_{be,k}$), however, in this study we focus on $h_{ae,k}$ only. In the
following, we use the labels $x_k := h_{ba,k}$ for Alice, $y_k := h_{ab,k}$ for Bob, and
$z_k := h_{ae,k}$ for Eve. Furthermore, we define the vector process
$v_k := (x_k, y_k, z_k)^T$.

[Figure 1: Alice and Bob connected by the channels $h_{ab,k}$ and $h_{ba,k}$; Eve observing
$h_{ae,k}$ and $h_{be,k}$.]
Fig. 1. Overview of the system model.

A. Processing

For different $k$, the random vectors $v_k$ are likely to exhibit correlation in time, since
the wireless channel is varying only slowly in indoor environments. In order to remove the
temporal dependencies, we perform two alternative options of processing, namely either
downsampling or decorrelation. We show both options for $x_k$ only, since we have the same
processing for $y_k$ and $z_k$.

1) Downsampling

If we keep only every $N_m$th variable of the process $x_k$, we effectively downsample by
factor $N_m$ and obtain

$$x_k^{ds} = x_{kN_m}. \tag{1}$$

The generated $x_k^{ds}$ can be assumed independent under the condition that the process does
not exhibit any dependence after an interval of $N_m$ variables. Subsequently, we assume that
the $v_k^{ds} = (x_k^{ds}, y_k^{ds}, z_k^{ds})^T$ are identically and independently
distributed (i.i.d.) for different $k$.

2) Decorrelation

We need to provide an estimator for the autocorrelation function

$$\hat{r}_{xx}[l] = \frac{1}{N-l} \sum_{i=0}^{N-l-1} x_i x_{i+l}. \tag{2}$$

This estimator is unbiased if the process is correlation-ergodic. The linear forward predictor
for $x_k$ of order $N_m$ is given by

$$\hat{x}_k = \sum_{i=1}^{N_m} a_i x_{k-i}, \tag{3}$$

where $a_i \in \mathbb{R}$ are parameter coefficients, which can be computed by
Levinson-Durbin recursion based on Yule-Walker equations [16]. We define

$$x_k^{de} = x_k - \hat{x}_k \tag{4}$$

as innovation sequence, which is orthogonal to past $h_{ab,k-i}$ for $i > 0$. However,
orthogonal (or uncorrelated if zero-mean) variables do not necessarily imply independence,
especially not joint independence of $v_k^{de} = (x_k^{de}, y_k^{de}, z_k^{de})^T$ for
different $k$. Decorrelation is practically more relevant than downsampling (even if no i.i.d.
can be achieved), since the information loss is significantly lower.

B. Performance metrics

Throughout the paper, we use (1) the Pearson correlation and (2) secret-key rates as
performance metrics for security.

1) Pearson correlation

The Pearson correlation provides a measure of linear dependence between two data series. The
values span between −1 and 1, where 1 refers to absolute correlation, 0 to no correlation, and
−1 to perfect inverse correlation. It is a widely used metric for secrecy of practical
secret-key generation [15]. Given a finite collection of $N$ pairs $(x_k, y_k)$ from the
process, we use the estimator

$$\rho_{xy} = \frac{\sum_{i=0}^{N-1} (x_i - \bar{x})(y_i - \bar{y})}
{\sqrt{\sum_{i=0}^{N-1} (x_i - \bar{x})^2}\,\sqrt{\sum_{i=0}^{N-1} (y_i - \bar{y})^2}}, \tag{5}$$

where $\bar{x} = \frac{1}{N} \sum_{j=0}^{N-1} x_j$ and
$\bar{y} = \frac{1}{N} \sum_{j=0}^{N-1} y_j$ are the sample means.

2) Secret-key rate

We introduce the information-theoretic secret-key rate and use the downsampled process (1).
Recall that the $v_k^{ds}$ are i.i.d. We characterize $v_k^{ds}$ by the joint probability
density function $f_{v_k^{ds}}$. We apply a lower bound on secret-key capacity based on the
source-type model, under the following conditions:
1) The joint probability density function $f_{v_k^{ds}}$ is known a priori at all terminals.
2) Alice and Bob exchange messages over an authenticated, public channel with unlimited
   communication capacity.
3) Eve remains passive at all times.
Subsequently, the asymptotic bound is given by [9]

$$C_{sk} \geq I(x_k^{ds}; y_k^{ds}) - \min\left[ I(x_k^{ds}; z_k^{ds}),\, I(y_k^{ds}; z_k^{ds}) \right] =: R_{sk} \tag{6}$$

for each $k$, since the process is stationary. Since the actual probability distributions are
unknown in practice, we evaluate the lower bound (6) by estimations, based on a finite number
of measured samples. We utilize a k-nearest neighbor estimator (NNE) for the mutual
information, which is based on the idea and implementation of [17]. Mutual information is a
function of joint and marginal probability densities. For a measure of the joint density, the
estimator computes the distance between a tuple of samples and its kth-next neighbor. A
similar approach is provided for the marginal densities. To the best of our knowledge, the
reliability of the NNE has not been studied systematically. However, results in [17] indicate
that at least for multivariate Gaussian variables, the estimation error is very low if
$N > 10^4$ samples are used for the estimation.

Note that the bound (6) could have been defined with the original $v_k$ or the decorrelated
processes (4), such that less information is discarded than in case of downsampling.
However, in order to obtain an accurate estimation of (6), we require i.i.d. samples for the
two following reasons:
1) The bound (6) has been derived under the assumption of an unlimited number of i.i.d.
   observations from a random source. Therefore, a value of $R_{sk}$ measured in bits per
   observation, is meaningful only if the time series is i.i.d. as well.
2) The NNE of [17] requires i.i.d. samples, since it relies on Khinchin's theorem [18, p. 277].
   If the time series of samples exhibits some dependence in time, the estimator might induce
   an undesired bias.
Therefore, if we apply the process $v_k$ or its decorrelated modification (4), we have an
approximation of the lower bound $R_{sk}$ (6) only. While approximating the common information
of Alice and Bob is a rather "safe" option, we need to be cautious regarding Eve. In order to
minimize the risk of underestimating Eve, we verify our results obtained from $v_k$ or the
decorrelated version (4) by comparing them with the downsampling approach, since it provides a
more accurate description of the information leakage to Eve. Unfortunately, by removing
samples from the estimation, the NNE gets more biased.

[Figure 2: floor plan of the testbed room (5.87 m x 5.17 m) with the positions of X, Y and Z.]
Fig. 2. The testbed includes several experimental setups for performance evaluation as well as
for security analysis. Alice (X), Bob (Y) and Eve (Z) are mounted on an automated antenna
positioning system.

TABLE I
PARAMETERS OF THE MEASUREMENT SETUP

Parameter                          Variable        Value
Sampling interval                  $T_s$           100 msec
Probing duration                   $T_p$           < 5 msec
Step size                          $\Delta_d$      5 mm
Accuracy of step size              $\hat\Delta_d$  ±0.05 mm
Geometrical distance Bob-Eve       $\Delta_{BE}$   [0, 30] cm
Geometrical distance Alice-Bob     $\Delta_{AB}$   5 m
Samples per step                   $N$             3·10^5

III. MEASUREMENTS

The testbed is applied at the premises of our research group, which is an office area in a
university building. Alice is positioned at a predestined access point position. Bob and Eve
are mounted on an automated antenna positioning setup, which is located at several predestined
"end-device" positions (cf. Figure 2). For this, we choose positions which are representative
for security-related IoT devices, such as doorknobs (keyless entry systems), window frames
(perimeter fence intrusion sensor), and wall (motion detectors) positions. Due to a lack of
space, in this version of the paper we restrict ourselves to a description of one
representative realization of all experiments. We will also provide a full version of the
paper with results of 23 further positionings in the building.

We perform mobile, long-time narrow-band channel measurements on 2.4 GHz (wavelength 12.5 cm).
The data exchange protocol is implemented on three Raspberry Pi 2 platforms (credit-card sized
computer). All devices are equipped with a CC2531 USB enabled IEEE 802.15.4 communication
interface^1. The CC2531 is a true SoC solution for IEEE 802.15.4 applications, that is
compatible to network layer standards for resource-constrained devices: ZigBee, WirelessHART,
and 6LoWPAN. The platform is equipped with proprietary PCB antennas, i.e., Meandered
Inverted-F antenna (MIFA), with the size of 5×12 mm. These antennas provide good performance
with a small form factor. The platform and antenna design are widely used in commercial
products and suited for systems where ultra-low-power consumption is required.

^1 http://www.ti.com/tool/cc2531emk

In order to establish common channel probing, Alice periodically sends data frames to Bob and
waits for acknowledgments. Eve also receives these request-response pairs. When receiving a
probe, all three devices extract Received Signal Strength Indicators (RSSI) values and, thus,
can measure a channel-dependent sequence over time. For evaluation of the channel
measurements, we store and process the realizations of $v_k := (x_k, y_k, z_k)^T$, locally on
a monitoring laptop.

Table I lists the relevant parameters of our measurement setup. We obtain a complete
realization of $v_k$ on every sampling interval $T_s = 100$ msec. The protocol ensures that
Alice, Bob, and Eve can probe the channel within a probing duration $T_p < 5$ msec. We want to
analyze the joint statistical properties of the samples with respect to the position of Eve in
the scene. As a consequence, we apply an automated antenna positioning system, which is
constructed from a low-reflective material, cf. Figure 2. It moves the antenna of Eve on a
linear guide towards the fixed antenna of Bob in step size $\Delta_d = 5$ mm with accuracy
$\hat\Delta_d = \pm 0.05$ mm. The variable distance $\Delta_{BE}$ ranges from 0 to 30 cm in
order to provide 60 different locations. Alice's antenna is placed orthogonal to the linear
guiding at a fixed distance $\Delta_{AB} = 5$ m. For each position of Eve's antenna, we record
at least $N$ samples.

Alice and Bob extract the common randomness $x_k$ and $y_k$ from a time-varying channel. Since
we aim for meaningful and
reproducible results, we have to create an environment which provides the joint stationarity
to the random process. Therefore, with a distance of 10 cm to Alice's antenna, we deploy a
curtain of 30 × 30 cm aluminum strips that continuously rotates at ≈ 0.1 rotations per second,
cf. Figure 2. However, the rotation itself inserts a deterministic component into the channel.
The evolution of the self-dependence of channel gains (we show exemplary $x_k^{ds}$) is
illustrated in Figure 3. It shows that the mutual information decays rapidly and vanishes
after four samples, corresponding to approximately 400 ms. However, due to the continuously
rotating curtain of aluminum strips, we discover strong stochastical dependencies after 96
samples, corresponding to approximately 9.6 s. Therefore, we adapt a random source (Unix file
/dev/urandom) to the motor controller and program the instrument to rotate with random speed
between 0.240 rad/s and 1 rad/s in random direction and with random interval lengths
0°, 1°, ... 60° (uniformly distributed). Figure 3 shows that no strong stochastical
dependencies are given anymore.

[Figure 3: $I(x;x)$ [bits/observation] versus time delay $l$ (0 to 120 samples) for
"Continuous rotation" and "Random rotation".]
Fig. 3. Self-dependence of channel gains with respect to time delay. Setup is equipped with
aluminum strips of either continuous or random rotation.

IV. EVALUATION AND RESULTS

We now use the experimental measurements to evaluate and compare the results of the Pearson
correlation (5), mutual information, as well as the achievable bound of the secret-key
capacity (6), as a function of attacker's distance $\Delta_{BE}$ to Bob. We interpret the
original measurements as realizations of $v_k$. In addition, we have the decorrelated and
downsampled outcomes, denoted by the processes $v_k^{de}$ and $v_k^{ds}$, respectively. The
decorrelated samples are obtained by a linear prediction of order $N_m = 30$. To generate the
i.i.d. random vectors $v_k^{ds}$ we downsample $v_k$ by the factor $N_m = 30$. In
subsubsection II-B2, we have already outlined the necessity of i.i.d. random vectors to obtain
accurate estimations. This is not given for $v_k$ and $v_k^{de}$, however, they provide valid
approximations, as the results indicate later on. We present three Figures 4, 5, 6 with three
Subfigures a)-c) each, which are arranged in a 3x3 matrix on the next page. The rows denote
the Figures as follows.
1) Fig. 4 illustrates the results for the original process $v_k$.
2) Fig. 5 shows the results for the downsampled process $v_k^{ds}$ of (1).
3) Fig. 6 depicts the results for the decorrelated process $v_k^{de}$ of (4).
The columns denote the Subfigures as follows. For convenience, we introduce generic labels
$X \in \{x_k, x_k^{de}, x_k^{ds}\}$ for Alice, $Y \in \{y_k, y_k^{de}, y_k^{ds}\}$ for Bob and
$Z \in \{z_k, z_k^{de}, z_k^{ds}\}$ for Eve.
1) Subfigures a) show the Pearson correlation (5) vs. geometrical distance $\Delta_{BE}$
   between the three pairs (Alice↔Bob $\rho_{XY}$, Alice↔Eve $\rho_{XZ}$, Bob↔Eve
   $\rho_{YZ}$).
2) Subfigures b) zoom into the correlation $\rho_{XY}$ of Alice↔Bob.
3) Subfigures c) depict the three mutual information results ($I(X;Y)$, $I(X;Z)$, $I(Y;Z)$)
   and the secret-key rate $R_{sk}$ of (6) vs. geometrical distance $\Delta_{BE}$.

Most of the practical key generation schemes use downsampling or decorrelation on the original
observations $v_k$. We introduce the Figs. 4, 5 and 6 in order to analyze whether downsampling
and decorrelation obscure certain features of the channel that are important for the security
evaluation of the system. We start with a comparison of the cross-correlation behavior between
Alice and Bob, as well as to a potential attacker. By comparing Figure 4 (a-b) and Figure 5
(a-b) we see that no significant differences in $\rho_{XY}$ and $\rho_{XZ}$ occur after
downsampling. (Further, $\rho_{XZ}$ and $\rho_{YZ}$ are almost identical due to channel
reciprocity between Alice and Bob.) The high similarity is due to the fact that even the
process $v_k$ does not exhibit much dependency in time, as already hinted in Figure 3. As a
consequence, the results obtained for $v_k$ expose a valid approximation of the
cross-correlation. As it can be seen from Figure 5, in case of downsampling the results are
more noisy, since much fewer samples are available for the estimations.

After decorrelation, the results (see Figure 6) show that (unlike in case of downsampling) the
correlation decreases on average by ≈ 0.05, which can have a significant negative impact on
the performance of a potential quantization scheme, cf. [19, Figure 3]. Furthermore, the
difference between the minimum and maximum value significantly decreases. Whereas in the
original (and downsampled) signal the difference is 0.995 − 0.98 = 0.015, the difference is
0.97 − 0.89 = 0.08 for the decorrelated signal. This probably stems from errors of the
autocorrelation estimate (2), which is necessary for the linear forward prediction. Another
reason might be the Pearson correlation where single outliers (e.g., strong peaks)
significantly influence the result. Analyzing the impact of decorrelation techniques on the
reciprocity and security in detail is left for future work.

By analyzing the attacker's opportunity, we observe a wavelength dependent behavior of the
correlation between $z_k$ and $x_k$ (or $y_k$), as illustrated in Subfigures a). The following
findings hold for all three processes: $v_k$, $v_k^{ds}$, $v_k^{de}$. The correlation vs.
distance function $\rho_{XZ}$ (and $\rho_{YZ}$) looks similar to the channel diversity
function known from Jake's model [13],
which is a zero-order Bessel function^2 (cf. Figure 7). However, the highest correlation is
not at distance $\Delta_{BE} = 0$, where the correlation is only 0.2. The highest
cross-correlation is given at a distance of $\Delta_{BE} \approx 12.5$ cm, which is the
wavelength of the 2.4 GHz carrier. The first correlation of zero is given at a distance of
4 cm.

^2 A zero-order Bessel function is expected for the cross-correlation behavior of two
receivers if uniformly distributed scatterers are given. According to Jake's model the first
zero correlation is given after ≈ 0.4λ, where λ is the wavelength of the carrier [13], [20].

[Figures 4 to 6: three panels each, plotted over the distance between Bob and Eve
$\Delta_{BE}$ [cm] from 30 to 0: (a) correlation coefficients $\rho_{XY}$, $\rho_{XZ}$,
$\rho_{YZ}$; (b) correlation coefficient $\rho_{XY}$; (c) magnitude of $R_{sk}$, $I(X;Y)$,
$I(X;Z)$, $I(Y;Z)$.]
Fig. 4. Evaluation results of $v_k$. In (a) and (b) the cross-correlations are given; in (c)
the mutual information as well as $R_{sk}$ is given.
Fig. 5. Evaluation results of $v_k^{ds}$. In (a) and (b) the cross-correlations are given; in
(c) the mutual information as well as $R_{sk}$ is given.
Fig. 6. Evaluation results of $v_k^{de}$. In (a) and (b) the cross-correlations are given; in
(c) the mutual information as well as $R_{sk}$ is given.

[Figure 7: correlation coefficient versus distance between Bob and Eve $\Delta_{BE}$ [cm].]
Fig. 7. Bessel function versus distance.

Note that the cross-correlation behavior of $x_k$ to $y_k$ is not independent of Eve's antenna
position. Figure 4(b) illustrates the correlation behavior in detail. The correlation has an
"oscillating" behavior with a wavelength of approximately
11 cm, whereby at a distance of 5 cm the curve decreases rapidly to the lowest level of
≈ 0.98. The reason for that might be the non-perfect uniformly distributed scatterers in the
environment, which are the basis of Jake's model. The oscillating behavior in Alice's and
Bob's original observation is also given in the downsampled and decorrelated versions, cf.
Figure 5(b) and Figure 6(b). This behavior is contradictory to theoretical approaches based on
Jake's Doppler spectrum [20]. The reason might be because the narrow band fading models do not
include coupling and near field effects between both antennas for the spatial evaluation of
autocorrelation, cross-correlation, and power spectral density (cf. [13, Chapter 3.2]).

The boundary $B$ between the near field zone and the far field zone can usually be determined
by the following relationship: $B \geq \frac{2D^2}{\lambda}$, where $D$ is the largest antenna
size [21]. We estimated the size of our antenna to be 6 cm. Therefore, the boundary is
≈ 5.7 cm. Analyzing near field boundaries in detail is left for future work.

Compared to the cross-correlation behavior between the i.i.d. samples $x_k^{ds}$ and
$y_k^{ds}$ (after downsampling), both mutual information $I(X;Y)$ and $R_{sk}$ have very
similar oscillating behavior, shown in Subfigures c). The (minimum, maximum) values of the
correlation are (0.980, 0.995) and the ones of the mutual information are (2.1, 2.75). By
analyzing Eve's observation, we see only a slight similarity between the mutual information
$I(X;Z)$ (and $I(Y;Z)$) to the correlation behavior of her observation $\rho_{XZ}$ (and
$\rho_{YZ}$). The similarity can be found by comparing the maximum absolute values. For
instance, the highest correlation occurs at 10 cm with a value of 0.5, and corresponds to the
highest mutual information of 0.5 bits per sample. However, the Bessel-like behavior is not
evident.

Notable is the fact that the attacker's observation $z_k$ does not significantly impact
$R_{sk}$. Our results show that $R_{sk}$ is mainly dependent on $x_k$ and $y_k$. However,
Eve's antenna affects Alice's and Bob's observation and, therefore, affects $R_{sk}$. Table II
summarizes our results.

TABLE II
AVERAGED RESULTS OF OUR EXPERIMENT.

                   $v_k$     $v_k^{ds}$   $v_k^{de}$
$\rho_{x_k,y_k}$   ≈ 0.99    ≈ 0.99       0.94
$\rho_{y_k,z_k}$   ≈ 0.09    ≈ 0.09       ≈ 0.07
$I(X;Y)$           ≈ 2.92    ≈ 2.89       ≈ 2.31
$I(Y;Z)$           ≈ 0.26    ≈ 0.27       0.10
$R_{sk}$           ≈ 2.67    ≈ 2.63       ≈ 2.22

V. CONCLUSION

In this work, we have provided an important pillar to bridge the gap between theory and
practice-oriented approaches for CRKG. Our experimental study helps to provide a better
understanding of channel statistics in wireless environments for security applications. We
present reproducible results based on a relevant environment which justifies the joint
stationarity of a random process. We show results of cross-correlation, mutual information and
secret-key rates, which are dependent on attacker's (or third device's) position. As a result,
we discovered that the observer effect occurs, which most probably originates from near field
distortions. We believe the effect needs to be considered in the future. Common channel models
like Jake's model for channel diversity need to be extended in order to be valid for key
generation setups. Furthermore, it might be pertinent, for instance, to detect the proximity
of Eve. Based on our results, two bidirectionally communicating nodes might recognize a third
device, its relative position, and its motion in the proximity. Further studies might use
complex-valued channel profiles to analyze third party positioning based and motion based
influences.

REFERENCES

[1] Z. Li, W. Xu, R. Miller, and W. Trappe, "Securing wireless systems via lower layer
    enforcements," in Proceedings of the 5th ACM workshop on Wireless security, Los Angeles,
    CA, USA, Sept. 2006, pp. 33–42.
[2] R. Wilson, D. Tse, and R. Scholtz, "Channel Identification: Secret Sharing Using
    Reciprocity in Ultrawideband Channels," IEEE Trans. Inf. Forensics Security, vol. 2,
    no. 3, pp. 364–375, 2007.
[3] Y. Liu, S. Draper, and A. Sayeed, "Exploiting Channel Diversity in Secret Key Generation
    From Multipath Fading Randomness," IEEE Trans. Inf. Forensics Security, vol. 7, no. 5,
    pp. 1484–1497, Oct 2012.
[4] A. Pierrot, R. Chou, and M. Bloch, "Practical limitations of secret-key generation in
    narrowband wireless environments," arXiv preprint arXiv:1312.3304, 2014.
[5] C. Chen and M. Jensen, "Secret Key Establishment Using Temporally and Spatially Correlated
    Wireless Channel Coefficients," IEEE Trans. Mobile Comput., vol. 10, no. 2, pp. 205–215,
    2011.
[6] M. Madiseh, S. Neville, and M. McGuire, "Applying Beamforming to Address Temporal
    Correlation in Wireless Channel Characterization-Based Secret Key Generation," IEEE Trans.
    Inf. Forensics Security, vol. 7, no. 4, pp. 1278–1287, 2012.
[7] M. McGuire and A. Movahedian, "Bounds on secret key rates in fading channels under
    practical channel estimation schemes," in IEEE International Conference on Communications,
    Sydney, AUS, June 2014, pp. 737–742.
[8] U. Maurer, "Secret key agreement by public discussion from common information," IEEE
    Trans. Inf. Theory, vol. 39, no. 3, pp. 733–742, 1993.
[9] R. Ahlswede and I. Csiszár, "Common randomness in information theory and cryptography.
    I. Secret sharing," IEEE Trans. Inf. Theory, vol. 39, no. 4, pp. 1121–1132, 1993.
[10] J. Wallace, C. Chen, and M. Jensen, "Key generation exploiting MIMO channel evolution:
    Algorithms and theoretical limits," in 3rd European Conference on Antennas and Propagation
    (EuCAP), March 2009, pp. 1499–1503.
[11] Suhas Mathur et al., "Radio-telepathy: extracting a secret key from an unauthenticated
    wireless channel," in MOBICOM 2008, 2008, pp. 128–139.
[12] Suman Jana et al., "On the effectiveness of secret key extraction from wireless signal
    strength in real environments," in MOBICOM 2009, 2009, pp. 321–332.
[13] A. Goldsmith, Wireless Communications. Cambridge University Press, 2005.
[14] J. Zhang, T. Q. Duong, A. Marshall, and R. Woods, "Key Generation From Wireless Channels:
    A Review," IEEE Access, vol. 4, pp. 614–626, 2016.
[15] X. He, H. Dai, W. Shen, P. Ning, and R. Dutta, "Toward proper guard zones for link
    signature," IEEE Trans. Wireless Commun., vol. 15, no. 3, pp. 2104–2117, March 2016.
[16] P. Vaidyanathan, The Theory of Linear Prediction. Morgan & Claypool, 2007. [Online].
    Available: http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6813346
[17] A. Kraskov, H. Stögbauer, and P. Grassberger, "Estimating mutual information," Physical
    Review E, vol. 69, no. 6, p. 066138, 2004.
[18] A. Papoulis and S. Pillai, Probability, Random Variables, and Stochastic Processes, ser.
    McGraw-Hill series in electrical engineering: Communications and signal processing. Tata
    McGraw-Hill, 2002.
[19] C. Zenger, J. Zimmer, and C. Paar, "Security analysis of quantization schemes for
    channel-based key extraction," in WiComSec-Phy 2015, Workshop on Wireless Communication
    Security at the Physical Layer, July 22, 2015, Coimbra, Portugal, 2015.
[20] E. Biglieri, A. R. Calderbank, A. G. Constantinides, A. Goldsmith, and A. Paulraj, MIMO
    Wireless Communications. Cambridge University Press, 2010.
[21] T. Dlugosz and H. Trzaska, "How to measure in the near field and in the far field,"
    Communications and Network, vol. 2, no. 1, pp. 65–68, 2010. [Online]. Available:
    http://dx.doi.org/10.4236/cn.2010.21010
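
The processing and metrics of Section II, equations (1) to (6), run end to end as an added example that is not code from the paper. The AR(1) channel with receiver noise, its parameters, and the closed-form Gaussian mutual information are assumptions made here; the paper uses measured RSSI and the k-nearest-neighbor estimator of [17].

```python
import math
import random

def center(x):
    m = sum(x) / len(x)
    return [v - m for v in x]

def pearson(x, y):
    """Sample Pearson correlation, estimator (5)."""
    x, y = center(x), center(y)
    sxy = sum(a * b for a, b in zip(x, y))
    return sxy / math.sqrt(sum(a * a for a in x) * sum(b * b for b in y))

def downsample(x, n_m):
    """Eq. (1): keep every n_m-th sample."""
    return x[::n_m]

def autocorr(x, max_lag):
    """Estimator (2) for lags 0..max_lag; x must be zero-mean."""
    n = len(x)
    return [sum(x[i] * x[i + l] for i in range(n - l)) / (n - l)
            for l in range(max_lag + 1)]

def levinson_durbin(r, order):
    """Solve the Yule-Walker equations for a_1..a_order of predictor (3)."""
    a, err = [0.0] * (order + 1), r[0]
    for m in range(1, order + 1):
        k = (r[m] - sum(a[i] * r[m - i] for i in range(1, m))) / err
        prev = a[:]
        a[m] = k
        for i in range(1, m):
            a[i] = prev[i] - k * prev[m - i]
        err *= 1.0 - k * k          # remaining prediction error power
    return a[1:]

def decorrelate(x, order):
    """Eq. (4): innovation x_k - xhat_k, coefficients fitted on x itself."""
    x = center(x)
    a = levinson_durbin(autocorr(x, order), order)
    return [x[k] - sum(a[i] * x[k - 1 - i] for i in range(order))
            for k in range(order, len(x))]

def gaussian_mi(x, y):
    """I(X;Y) in bits under a jointly Gaussian ASSUMPTION (not the NNE of [17])."""
    rho = pearson(x, y)
    return -0.5 * math.log2(1.0 - rho * rho)

def secret_key_rate(x, y, z):
    """Lower bound (6): I(x;y) - min(I(x;z), I(y;z))."""
    return gaussian_mi(x, y) - min(gaussian_mi(x, z), gaussian_mi(y, z))

def synthetic_channel(n, seed, phi=0.9, noise=0.3, eve_coupling=0.3):
    """CONSTRUCTED data: slowly varying reciprocal channel plus receiver noise."""
    rng = random.Random(seed)
    h = g = 0.0
    x, y, z = [], [], []
    for _ in range(n):
        h = phi * h + rng.gauss(0, 1)   # channel shared by Alice and Bob
        g = phi * g + rng.gauss(0, 1)   # scattering seen only by Eve
        x.append(h + rng.gauss(0, noise))
        y.append(h + rng.gauss(0, noise))
        z.append(eve_coupling * h + math.sqrt(1 - eve_coupling ** 2) * g
                 + rng.gauss(0, noise))
    return x, y, z

def run_demo(n=20000, n_m=30, order=30, seed=1):
    """Evaluate the metrics on v_k, v_k^ds and v_k^de (N_m = 30 as in Section IV)."""
    x, y, z = synthetic_channel(n, seed)
    variants = {
        "original": (x, y, z),
        "downsampled": tuple(downsample(s, n_m) for s in (x, y, z)),
        "decorrelated": tuple(decorrelate(s, order) for s in (x, y, z)),
    }
    report = {}
    for name, (a, b, c) in variants.items():
        report[name] = {
            "rho_xy": pearson(a, b),
            "rho_xz": pearson(a, c),
            "lag1": pearson(a[:-1], a[1:]),   # remaining temporal dependence
            "R_sk": secret_key_rate(a, b, c),
        }
    return report

if __name__ == "__main__":
    for name, row in run_demo().items():
        print(name, {k: round(v, 3) for k, v in row.items()})
```

The `lag1` column shows why a bits-per-observation figure computed on the original series is only an approximation: consecutive samples are strongly dependent until one of the two processing options is applied.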
APPENDIX A
FULL MEASUREMENT

[Figure 8: floor plan of the building with room dimensions and the measurement positions.]
Fig. 8. The testbed includes several experimental setups for performance evaluation as well as
for security analysis. Alice (X), Bob (Y) and Eve (Z) are mounted on an automated antenna
positioning system.

[Figures 9 to 18: three panels each, plotted over the distance between Bob and Eve
$\Delta_{BE}$ [cm] from 30 to 0: (a) correlation coefficients $\rho_{XY}$, $\rho_{XZ}$,
$\rho_{YZ}$; (b) correlation coefficient $\rho_{XY}$; (c) magnitude of $R_{sk}$, $I(X;Y)$,
$I(X;Z)$, $I(Y;Z)$.]
Fig. 9. Evaluation results of $v_k$. In (a) and (b) the cross-correlations are given; in (c)
the mutual information as well as $R_{sk}$ is given. Position 0.
Fig. 10. Evaluation results of $v_k^{ds}$. In (a) and (b) the cross-correlations are given;
in (c) the mutual information as well as $R_{sk}$ is given. Position 0.
Fig. 11. Evaluation results of $v_k^{de}$. In (a) and (b) the cross-correlations are given;
in (c) the mutual information as well as $R_{sk}$ is given. Position 0.
Fig. 12. Evaluation results of $v_k$. In (a) and (b) the cross-correlations are given; in (c)
the mutual information as well as $R_{sk}$ is given. Position 1.
Fig. 13. Evaluation results of $v_k^{ds}$. In (a) and (b) the cross-correlations are given;
in (c) the mutual information as well as $R_{sk}$ is given. Position 1.
Fig. 14. Evaluation results of $v_k^{de}$. In (a) and (b) the cross-correlations are given;
in (c) the mutual information as well as $R_{sk}$ is given. Position 1.
Fig. 15. Evaluation results of $v_k$. In (a) and (b) the cross-correlations are given; in (c)
the mutual information as well as $R_{sk}$ is given. Position 2.
Fig. 16. Evaluation results of $v_k^{ds}$. In (a) and (b) the cross-correlations are given;
in (c) the mutual information as well as $R_{sk}$ is given. Position 2.
Fig. 17. Evaluation results of $v_k^{de}$. In (a) and (b) the cross-correlations are given;
in (c) the mutual information as well as $R_{sk}$ is given. Position 2.
Fig. 18. Evaluation results of $v_k$. In (a) and (b) the cross-correlations are given; in (c)
the mutual information as well as $R_{sk}$ is given. Position 3.