Shared Secret Key Establishment Using Wireless Channel Measurements

SHARED SECRET KEY ESTABLISHMENT USING WIRELESS CHANNEL MEASUREMENTS

Jessica Erin Dudley Croft

A dissertation submitted to the faculty of The University of Utah in partial fulﬁllment of the requirements for the degree of

Doctor of Philosophy

Department of Electrical and Computer Engineering

The University of Utah

July 2011 Copyright c Jessica Erin Dudley Croft 2011

SUPERVISORY COMMITTEE APPROVAL

of a dissertation submitted by

Jessica Erin Dudley Croft

This dissertation has been read by each member of the following supervisory committee and by majority vote has been found to be satisfactory.

Chair: Neal Patwari

Sneha K. Kasera

Rong-Rong Chen

Cynthia Furse

John Regehr ACKNOWLEDGEMENTS

Very rarely does a project like this come together based solely upon the work of the author. Here is where I get to say thank you: Neal Patwari has put a great deal to time into explanations, editing and encour- agement. He is unfailingly optimistic and patient and I feel very fortunate to have had him as an advisor. The SPAN lab he created produces exciting ideas and inventions and he has fostered a distinctly collegial and collaborative spirit among its members. I am grateful to have found friends among my colleagues within the SPAN lab: Yang, Dustin, Piyush, Joey and Merrick. My parents, Jerry and Diana Croft, gave me a love of learning and a solid place to rest. They taught me that building or growing or creating something useful can be a source of great joy and satisfaction. Thank you. For a hug, or a laugh or a push when I need it, I thank my partner, Todd Bailey. He listened to me explain the same problem in diﬀerent ways (some much better than others) a thousand times in the last few years and never stopped trying to understand. ABSTRACT

Secret key establishment (SKE) is a method that allows two users, Alice and Bob, to obtain shared secret keys using randomness inherent in the wireless channel. Alice and Bob sample the channel many times, extract bits from those measurements and then use the bits to encrypt further communications. Even if an eavesdropper, Eve, were to overhear Alice and Bob measure the channel, she would still have no knowledge of the secret key because she does not measure the same channel as Alice and Bob. While the channel is reciprocal and random, measurements of the channel are temporally correlated and can include non-reciprocities caused by diﬀering transceiver characteristics and the inability of Alice and Bob to measure the channel simultaneously. The thesis aims to reduce or remove the non-idealities and noise of the reciprocal channel measurement process in order to increase secret key bit rate while maintaining an uncorrelated bit stream.

The first contribution of this thesis addresses correlated received signal strength (RSS) measurements and differing transceiver characteristics in the context of sensor nodes. Because typical sensor nodes are constrained both by available energy and computational power, balancing the decorrelation method with node resources and changing wireless environments is also addressed. Ranking and fractional delay interpolation are used to mitigate non-reciprocities associated with differing transceiver characteristics and the inability of the two nodes to measure the channel at identical points in time.

Second, bit extraction is applied to channel impulse response (CIR) measurements. We develop a novel, inexpensive switching system that allows existing single receiver/single transmitter channel sounding equipment to make bi-directional measurements. With this system it is possible to investigate non-reciprocal interference and experimentally evaluate bit extraction for CIR that takes advantage of both the time and spatial diversity of the wireless channel. Finally, non-uniform sampling caused by non-deterministic packet delay when sharing a wireless channel with other users is detrimental to bit extraction yet very common in practical wireless networks, especially for IEEE 802.11-based devices. Interpolation and regression are used to estimate the reciprocal fading signal given the non-uniform samples at Alice and Bob and the non-reciprocities caused by non- simultaneous channel measurements.

iii CONTENTS

ACKNOWLEDGEMENTS ...... i ABSTRACT ...... ii LIST OF FIGURES ...... vii LIST OF TABLES ...... x

CHAPTERS 1. INTRODUCTION ...... 1 1.1 Three General Extraction Methods ...... 4 1.2 Channel Measurements ...... 5 1.2.0.1 Received Signal Strength ...... 6 1.2.0.2 Channel Impulse Response ...... 6 1.3 Adversary Model ...... 7 1.4 Contributions ...... 7 2. ROBUST UNCORRELATED BIT EXTRACTION METHODOLOGIES FOR WIRELESS SENSORS ...... 11 2.1 Abstract ...... 11 2.2 Introduction ...... 11 2.3 Adversary Model ...... 14 2.4 Methodology ...... 14 2.4.1 Interpolation ...... 16 2.4.2 Ranking ...... 17 2.4.2.1 Motivation ...... 17 2.4.2.2 Algorithm ...... 18 2.4.3 Decorrelation ...... 19 2.4.4 Quantization ...... 20 2.5 Experimental Data Collection ...... 22 2.6 Enabling Channel Adaptation ...... 23 2.6.1 Previous Approach ...... 23 2.6.2 Selection of N ...... 24 2.6.3 Covariance Matrix and Correlation Coeﬃcient Estimation . . . . . 26 2.7 ARUBE Protocol ...... 29 2.7.1 Packet Transmissions ...... 31 2.7.2 Computational Complexity ...... 32 2.8 Results ...... 34 2.9 Discussion ...... 36 2.10 Conclusion ...... 37 3. BIT EXTRACTION FROM CIR USING A BI-DIRECTIONAL RADIO CHANNEL MEASUREMENT SYSTEM ...... 39 3.1 Abstract ...... 39 3.2 Introduction ...... 39 3.3 Related Work ...... 42 3.3.1 RF CIR Measurement ...... 43 3.3.2 Secret Key Establishment ...... 43 3.4 Analysis ...... 45 3.4.1 Power Loss ...... 46 3.4.2 Leakage ...... 46 3.4.3 System Design ...... 47 3.4.4 Example Realization ...... 49 3.5 Bi-Directional CIR Measurements ...... 51 3.5.1 Software Radio ...... 51 3.5.2 Measurements Collected ...... 53 3.6 Secret Key Extraction ...... 55 3.6.1 Adversary Model ...... 56 3.6.2 Method ...... 56 3.6.3 Results ...... 60 3.6.4 Discussion ...... 64 3.7 Conclusion ...... 66 4. RECIPROCAL FADING SIGNAL ESTIMATION METHODS FOR SECRET KEY ESTABLISHMENT ...... 68 4.1 Abstract ...... 68 4.2 Introduction ...... 68 4.3 Related Research ...... 70 4.4 Problem Statement ...... 71 4.5 Estimation Methods ...... 73 4.5.1 Polynomial Interpolation ...... 73 4.5.2 Fractional Delay Interpolation ...... 75 4.5.3 Gaussian Processes Regression ...... 76 4.5.3.1 Covariance Function ...... 77 4.5.4 Gaussian Processes Regression with Side Information ...... 78 4.5.4.1 Public Exchange of Side Information ...... 79 4.5.4.2 Setting γ2(i)...... 80 4.6 Experiment ...... 80 4.6.1 PHY layer and RSS Measurement ...... 80 4.6.2 Sample Variance ...... 81 4.6.3 Sampling Non-uniformity ...... 82 4.7 Results ...... 83 4.7.1 Performance Metrics ...... 83 4.7.2 GPRSI Parameter Selection ...... 84 v 4.7.3 Example ...... 84 4.7.4 Filter Response ...... 84 4.7.5 Normalized Root Mean Square Error ...... 85 4.7.6 Bit Extraction ...... 86 4.7.6.1 802.15.4 Sensor Nodes ...... 86 4.7.6.2 802.11 Smartphones ...... 87 4.8 Conclusion ...... 87 5. CONCLUSION ...... 100 5.1 Key Findings ...... 100 5.2 Future Work ...... 102 REFERENCES ...... 105

vi LIST OF FIGURES

1.1 Received signal strength measurements taken over time. Alice and Bob’s RSS measurements are correlated...... 10

2.1 ARUBE bit extraction ...... 15

2.2 Areas of bit agreement and bit disagreement for m(i) = 1...... 15

2.3 Spatial correlation vs. Pbd and m ...... 15

2.4 t-statistics for max ρzi,zj vs. N for three datasets and the threshold, γ.. 27

2.5 t-statistics for ρz, vs. N for three datasets and the threshold, γ...... 27 2.6 Packets sent for channel probing (—¿) and data transfer (- - -¿), computation (boxes) at either node, for overhead and bit extraction...... 30

2.7 Target Pbd vs. secret key bits per sample for ARUBE (black lines) and K HRUBE (gray lines), for N ∈ {17, 35}, K ∈ {128, 256}, and D = 2 , for averages of the best three datasets (-•-), the worst three (--), and the remaining 19 (-N-)...... 35 3.1 Redirecting the transmitted and received signals to measure both directions of the radio channel between antennas A1 and A2...... 50

3.2 Labeled switch diagram in state 1. The correct path for the signal is {G,I,J,L,F,D,B,A}, however three incorrect paths are possible: directly from transmitter to receiver (-.), {G,H,E,D,B,A}(- -), and {G,I,J,K,C,A} (..)...... 51

3.3 One RF switch. RF common can be connected to either RF 1 of RF 2. 52

3.4 Possible linear ranges of four sets of parameters. Given baseline Ipole = 50 dB, Iopen = 45 dB, Lcable = 2 dB, Lswitch = 2 dB and Itr = 111 dB, each plot other than baseline changes one parameter...... 52

3.5 Known attenuation between junctions F and L plotted against received power. Note that measurements and calculations were made assuming a transmitter frequency of 2.44 GHz...... 52

3.6 TX, RX, A1 and A2 locations. The TX and RX are next to opposite walls of a rectangular room. The two antennas centered between them along the two remaining walls...... 53 3.7 Bi-directional measurements for two data sets. Plots 3.7(a)and 3.7(c) and show 10 pairs of measurements. Power in dB is relative to transmit power. The dark plots are measurements from antenna A1 to A2. The light plots are measurements from antenna A2 to A1. The time between each measurement was 0.11s. Plots 3.7(b) and 3.7(d) show the mean and the mean plus and minus the standard deviation of 175 pairs of measurements...... 54 3.8 Example bi-directional measurements in the frequency domain for (a) dataset A and (b) dataset B...... 61 3.9 (a) When interference source is oﬀ, subsequent CIR measurements between A2 to A1 (tn = 37.4s) and from A1 to A2 (tn = 37.51s) are nearly identical. (b) When interference source is on, CIR measurements between A2 to A1 (tn = 48.84s) are unchanged while those from A1 to A2 (tn = 48.95s) show interference...... 62 3.10 Secret key bit extraction from CIR measurements involves synchronization (phase and time delay), interpolation (using fractional delay ﬁlter sc), decorrelation (across time delay τ and time t), and quantization (using multi-bit adaptive quantization)...... 63 3.11 Two CIR measurements made by Alice and Bob. Aligning the indices of the dominant multipath does not always align the signals...... 64 3.12 CIR measurements showing the random rotation which must be removed before bits can be extracted...... 64

3.13 (a) Number of bits extracted per measurement from |H| for various Pbd (b) Number of bits extracted per measurement from ∠H...... 65

3.14 Number of bits extracted per RSS measurement for various Pbd ...... 66 4.1 Diagram shows placement of Alice’s () and Bob’s ( ) measurements at times tc with the placement of interpolated values t∗ (k). (a) Fraction delay interpolation interpolates a value half way between Alice’s and Bob measurements if the sample period is constant. (b) With non- uniform measurements fractional delay interpolation results in unaligned interpolated time instants. (c) Polynomial interpolation and Gaussian processes regression are able to interpolate measurements at identical time instants...... 88 4.2 Distribution of measured RSSI values for datasets collected (a) by 802.15.4 2 based devices and (b) 802.11 based devices. The sample variance,σ ˆw for (a) is larger than that of the measurements of (b)...... 89 4.3 Distribution of sample periods for (a) two datasets made with 802.15.4 based wireless sensors and (b) two datasets from 802.11 based devices. . 90

4.4 NRMSE betweeny ˆa andy ˆb for GPRSI with diﬀerent values for Pa and Pd. Overall, GPRSI for 802.11 RSS measurements performs best with Pa ≈ 0.5 and Pd ≈ 15...... 92 viii 4.5 (a) Fractional delay interpolation used to estimate the reciprocal fading channel from non-uniformly sampled RSS measurements made by two 802.11 devices. (b) Polynomial interpolation. (c) Gaussian processes regression. Solid lines are the estimated signaly ˆc(t∗), dotted lines are the RSS measurements wc...... 93 4.6 Filter response for (a) fractional delay interpolation, (b) polynomial interpolation and (c) Gaussian processes regression at interpolated time instant t∗(i) = 0.60...... 94 4.7 (a) Polynomial interpolation used to estimate the reciprocal fading signal for 802.11 RSS measurements (b) Estimation using GPRSI. Root mean square error (RMSE) for the displayed data is (a)0.627 and (b)0.222. 95 4.8 Normalized root mean square error (NRMSE) for error between the original measurements at Alice, wa, and Bob, wb and error between the estimations of the reciprocal fading signal using polynomial interpolation (PI), fractional delay interpolation (FDI), Gaussian processes regression (GPR) and Gaussian processes regression with side information (GPRSI) for (a) 11 802.11 datasets and (b) 20 802.15.4 datasets . . 96 4.9 Plot of NRMSE as the probability of dropping a packet, p, increases for FDI (- -), GPR (..) and GPRSI (–), then plotting the average of the top seven datasets (?), middle six datasets (•) and bottom seven datasets (I) with respect to NRMSE ...... 97 4.10 Comparison of PI, FDI and GPR with (a) highest, (b) middle and (c) 2 lowest sample varianceσ ˆw. GPR is an improvement over FDI only at lower sample variances...... 98

4.11 Bits extracted per second vs. probability of bit disagreement (Pbd) for 13 datasets. Data processed using GPR (..), GPRSI ( - ) or FDI ( - - ) then plotting the average of the top four datasets (?), middle ﬁve datasets (•) and bottom four datasets (I) with respect to bits extracted per second. (a) Compares GPR and GPRSI (b) Compares FDI and GPRSI ...... 99

ix LIST OF TABLES

2.1 m =1bitMAQ ...... 27 2.2 t-statistics by method ...... 33 2.3 Number of Packets Transmitted ...... 33 2.4 Computational Complexity ...... 33 2.5 Bits per sample–Mathur et al...... 38 2.6 Average and Minimum Entropy Rates...... 38 2.7 Percentage of bits Eve gets correct...... 38 3.1 Switching System Components ...... 50 3.2 NIST p-values...... 61 3.3 Bits per Sample Comparison ...... 65 4.1 Datasets of decreasing sample variance ...... 88 CHAPTER 1

INTRODUCTION

Secret key establishment (SKE) is a method that allows two users, Alice and Bob, to obtain shared secret keys using randomness inherent in the wireless channel between them without an eavesdropper being able to obtain the key. Because the radio channel between Alice and Bob is reciprocal and varies randomly over space and time, Alice and Bob are able to measure some characteristic of the wireless channel many times then extract bits from those measurements to create matching secret keys. Even if a passive eavesdropper, Eve, were listening to Alice and Bob make measurements of the channel, she would be unable to measure the same channel as Alice and Bob and unable to create a matching secret key. Interest in SKE as an alternate method to ensure data privacy is due in part to perceived weaknesses in traditional public key cryptography which relies on assumptions about the computational strength of an attacker. One of the advantages of shared secret keys extracted from channel measurements is that such keys offer the possibility of information theoretic security as long as it is possible to obtain more bits in the secret key than there is information to send [64]. Such keys are considered secure even if an adversary is in possession of a computer with unbounded computing power [12] while keys created using traditional cryptographic methods, such as Diffie-Hellman key exchange, are considered secure only if the adversary has bounded computing power. This is the same impetus driving research in quantum cryptography, but because channel measurement methods are much less expensive, bit extraction is currently possible with common consumer wireless devices. Shared secret keys from channel measurements could also have advantages for resource constrained sensor nodes. Various methods of adapting traditional cryptography to sensor nodes have included predistribution of shared keys [13],[41] to 2 adapt to sensor node’s typical constrained power and exploration of elliptical curve cryptography [44] to adapt to a small storage area and limited computational power. Given that secret keys from channel measurements are cryptographically stronger than traditional methods, they might require less on-node storage space. For instance 112-bit key extracted from channel measurements is equivalent in cryptographic strength to a 2048-bit Diffie-Hellman key [39]. In addition, some SKE methods are less computationally complex than traditional cryptographic methods. Given these reasons for proceeding, SKE faces it’s own challenges and requirements. First, the radio channel must be changing. SKE would not work in a static free-space environment since it depends upon the presence of multipath fading as the source for randomness in the shared secret keys. This is counterintuitive since for most wireless communication applications fading is detrimental. Also, in an otherwise static channel, an attacker would be able to induce motion into the channel and thereby gain knowledge about the secret key The second major challenge is that while the wireless channel is reciprocal, measurements of the channel include non-reciprocities from many sources including:

• interference

• thermal noise

• quantization noise

• diﬀering transceiver characteristics

• time-division duplex (TDD) sampling

Many of these non-reciprocities can be seen in Figure 1.1. Because the channel is TDD, Alice and Bob are unable to sample the channel simultaneously and instead must take turns. During the time spent waiting to sample the channel can change resulting in differing measurements at Alice and Bob. Quantization noise is also a source of non-reciprocities. The devices used to measure RSS in Figure 1.1 quantize 1 dBm to 1 RSSI and while the major features of the fading signal are captured, 3 many smaller features are not. In addition, while an effort is made on the part of the hardware manufacturer to ensure 1 dBm is always quantized to 1 RSSI, some quantization bins are larger than others. Even with identical hardware, as was the case in Figure 1.1, differences in transceiver hardware are common. On average, Alice’s RSS measurements, always report just slightly less received power than Bob’s measurements. In practical applications, identical hardware cannot be assumed. These non-reciprocities have been addressed by a number of signal processing techniques including windowed filters [45, 71], interpolation [53], ranking [20] and Gaussian processes regression. Thirdly there are requirements about the characteristics of the secret key itself. Ideally the extracted bits would have a high entropy rate, no disagreement between the bits extracted at Alice and the bits extracted at Bob and because sampling the channel requires a packet to be transmitted, it is advantageous to be able to extract a large number of bits from each sample especially for energy poor devices. Also, in the context of information theoretic security every bit of information requires one secret key bit. The high entropy rate requirement is a heuristic for randomness. At minimum, the bits in the secret key need to be independent, but as shown in Figure 1.1, the measurements are temporally correlated. One way to ensure independence is to increase the sampling period, but this in many cases increases the time required to create a secret key. Another method is to decorrelate the measurements before extracting bits. While a high entropy is required to ensure a random key, it is not sufficient. The National Institute of Standards (NIST) has published a series of probabilistic tests [60] which can be used to verify the randomness of shared secret keys. It is difficult to have both a low probability of bit disagreement and a high bit extraction rate. Both of these factors influence the time required to perform SKE and the number of packets that must be transmitted. In order for encryption/decryption to work, the bits in the shared secret key at Alice and Bob must match perfectly. In the event that they do not, information reconciliation is performed where Alice and 4

Bob exchange information publicly to correct disagreements [11]. As the probability of bit disagreement increases, more information is leaked to an eavesdropper, Eve. Removing non-reciprocities before bits are extracted from the measurements can increase the number of bits that can be extracted while lowering the probability of bit disagreement. How these requirements and challenges and the resources needed to meet them are balanced is unique to each bit extraction method. In the remainder of this introduction I brieﬂy describe three bit extraction approaches and explain how the wireless channel is measured for bit extraction. I will then list describe the adversary model before listing my own contributions and the structure of the dissertation.

1.1 Three General Extraction Methods The simplest and least computationally complex bit extraction methods quantize the measured channel characteristic into two bins, one bin for values less than the mean and one bin for values greater than the mean, and then assign a 1 or a 0 to each measurement based upon the bin it falls in. While this is easy to implement, the trade-off is very low entropy. Modifications have been made that create high entropy keys, at the cost of a low bit extraction rate[45]. These methods aim to have no bit disagreement. A second general method [53] uses the Karhunen–Loéve transform (KLT) to remove the correlation between measurements before extracting a secret key. The number of bits extracted from each measurement is determined by a target percent of disagreeing bits and the correlation between Alice’s and Bob’s measurements. While this method is significantly more computationally complex than the first, by allowing a certain number of bits to disagree many more bits can be extracted. The bit disagreement is rectified in a later information reconciliation step such as Cascade [11]. This second general method has the advantage of a tunable probability of bit disagreement and high entropy secret keys at the cost of higher computational complexity. The third general method is composed of three steps: advantage distillation, 5 information reconciliation, and privacy amplification [9],[8]. Advantage distillation is another way to say that the two nodes sample some characteristic of the channel that is known to them, but not an adversary. This is identical to what the first two general methods do, but while the second method removes correlation between bits before quantization, this general method quantizes and performs information reconciliation before addressing the correlation between bits. The privacy amplification step is then used to ensure the key has a high entropy. Reported rates of extraction using this method are nearly 1 bits per sample for 802.11 based devices [30]. One of the disadvantages is that since the percentage of bit disagreements is not tunable, the information reconciliation step can be expensive in terms the amount of information potentially revealed to an eavesdropper.

1.2 Channel Measurements

The channel can be viewed as a reciprocal ﬁlter that varies over time and space. In general more information collected about the channel means a larger number of bits can be extracted, but some measurements require more time to take or the measurement equipment is expensive. Regardless of the equipment or measured statistic, however, all of these measurements are time-division duplex (TDD). To measure any characteristic, Alice must transmit to Bob who measures the channel and then transmits to Alice who also measures the channel. During the time between measurements, the channel has changed introducing non-reciprocities into the measurements.

Since Hershey ﬁrst proposed the idea of bit extraction for shared secret keys in [28], a large number of channel measurement types have been explored including angle of arrival [6], phase [28] [61] and received signal strength [45] [30] [53],[74],[56] which can include signal envelopes [7] [71] and level crossings [45]. In addition to these one-dimensional measurements, channel impulse response (CIR) has also been explored as a source for shared secret keys [79], [26], [75], [18]. 6

1.2.0.1 Received Signal Strength

Received signal strength (RSS) is by far the most commonly measured channel characteristic because RSS measurement capability is built in to most consumer wireless devices such as smartphones and laptops. Academic research has also focused on RSS bit extraction using 802.15.4 based sensor nodes [2, 56, 53, 20] due to the ease of access to wireless parameters. Hardware in the transceiver measures received power which is the squared magnitude of the complex baseband power. RSS, then, is the average received power over a single packet that is then converted to an integer number or RSS integer (RSSI). The conversion from the RSS measurement which is commonly in decibels (dB) varies depending up on the radio hardware. Often an increase in 1 dBm with respect to the mean received power corresponds to an increase of 1 RSSI.

Not all RSS measurements are created equal in terms of the number of bits it is possible to extract. A wider channel bandwidth has a detrimental eﬀect on the bit extraction rate. For instance, in IEEE 802.11 based devices, the RSS is calculated for a signal over a bandwidth 4 times as wide as IEEE 802.15.4 based devices, so the channel gain is not as aﬀected by narrowband fading. This reduces the number of bits it is possible to extract. Similarly, devices operating at higher frequencies are more susceptible to narrowband fading so the higher the frequency the more bits can be extracted all other parameters being equal.

Because RSS is an average of magnitude it does not provide any information about the phase of the signal nor about the individual multipath components. While RSS measurements are one-dimensional, they have been used them as part of a MIMO-like bit extraction algorithm using many cooperating nodes [56].

1.2.0.2 Channel Impulse Response

Another channel statistic used for shared secret keys is channel impulse response (CIR). Unlike RSS, CIR provides information about the magnitude, phase and arrival time of each multipath component. As such, many more bits can be extracted from each measurement. Simulated (CIR) measurements have been studied for use 7 with SKE [42, 75, 78, 73, 72]. Given the expense of the measurement equipment, however, very few truly bi-directional experiments have been conducted. Rather, many researchers use uni-directional measurements by making a CIR measurement in one direction and then swapping the position of the transmitter and receiver before making the second measurement in the reverse direction [79], [26], [75]. While this captures the spatial features for bit extraction, any time-related diversity in the channel is treated as noise. This is a very large compromise because in real-world situations the channel is changing over time and it would be greatly advantageous to use that randomness in the secret key.

1.3 Adversary Model The adversary model is very similar across SKE methods. First, we assume that there is a passive attacker, Eve, who is able to overhear legitimate users, Alice and Bob, making measurement of the channel between themselves. Eve is able to measure the channel between herself and Bob and measure the channel between herself and Alice, but is otherwise unable to interfere. Eve cannot jam the channel nor can she impersonate a legitimate user. Furthermore, Eve must be at least one half wavelength away from Alice and Bob. At 2.4 Ghz one wavelength is 12.5 cm. We assume that Eve has knowledge of the bit extraction method in use, any parameters used in the bit extraction method and that Eve can obtain any information publicly exchanged between Alice and Bob. This adversary model is very similar to that used in Diffie-Hellman key agreement in that neither Diffie-Hellman nor SKE natively offer authentication.

1.4 Contributions This research aims to reduce or remove the non-idealities and noise of the reciprocal channel measurement process in order to increase secret key bit rate while maintaining an uncorrelated bit stream. The following publications have resulted: 8

J. Croft, N. Patwari, and S.K. Kasera. Robust uncorrelated bit extraction methodologies for wireless sensors. In Proceedings of the 9th ACM/IEEE International Conference on Information Processing in Sensor Networks, pages 70–81. ACM, 2010.

J. Croft and N. Patwari. Bit extraction from CIR using a bi-directional radio channel measurement system. IEEE Transactions on Mobile Com- puting, 2010. (submitted).

J. Croft and N. Patwari. Estimation methods for bit extraction. IEEE Transactions on Mobile Computing, 2011. (to be submitted).

J. Croft, N. Patwari, and S.K. Kasera. Demonstration abstract: Bit extraction from received signal strength, 2010.

N. Patwari, J. Croft, S. Jana, and S.K. Kasera. High rate uncorrelated bit extraction for shared secret key generation from channel measurements. IEEE Transactions on Mobile Computing, pages 17–30, 2009.

The structure of this dissertation is as follows: Chapter 2 explores mitigation of non-reciprocities associated with diﬀering hardware characteristics and how to adapt bit extraction to changing wireless environments. The cost of bit extraction is found in terms of computational complexity and the total number of packets exchanged for a given key length. This method is applied to RSS measurements taken with 802.15.4-based sensor nodes. This method improved the bit extraction rate by 25 to 60% compared to a previous bit extraction method. Chapter 3 applies bit extraction to channel impulse response (CIR) measurements. In order to obtain bi-directional CIR measurements an inexpensive novel switching system was designed to allow existing single transmitter/single receiver hardware to make bi-directional measurements. A description and analysis of the system is included so that similar systems can be built. A new algorithm for CIR bit extraction is described and applied to the bi-directional CIR measurements. 9

Chapter 4 addresses problems found during the demonstration [19] of bit extraction in a very busy wireless environment using 802.11 devices. Ideal conditions for bit extraction ie. two users uniformly sampling a quickly varying channel, cannot be assumed. An estimation method using Gaussian processes regression with public discussion was found to improve the number of bits extracted by up to 50% in adverse conditions for 802.11 RSS measurements. Chapter 5 forms the conclusion and presents avenues for future research into shared secret keys from wireless channel measurements. 10

0 RSSI

−5

−10 Alice Bob −15 Eve 10.8 10.9 11.0 11.1 11.2 11.3 11.4 11.5 11.6 time (s)

Figure 1.1. Received signal strength measurements taken over time. Alice and Bob’s RSS measurements are correlated. CHAPTER 2

ROBUST UNCORRELATED BIT EXTRACTION METHODOLOGIES FOR WIRELESS SENSORS

2.1 Abstract This paper presents novel methodologies which allow robust secret key extraction from radio channel measurements which suﬀer from real-world non-reciprocities and a priori unknown fading statistics. These methodologies have low computational complexity, automatically adapt to diﬀerences in transmitter and receiver hardware, fading distribution and temporal correlations of the fading signal to produce secret keys with uncorrelated bits. Moreover, the introduced method produces secret key bits at a higher rate than has previously been reported. We validate the method using extensive measurements between TelosB wireless sensors.

2.2 Introduction For many applications of wireless sensor networks, data privacy is a key requirement. Since sensor nodes may be collecting private data, for example, in patient health monitoring networks, users must have guarantees of privacy. Without data privacy, patients will not be willing to participate and hospitals will not be in com- pliance with conﬁdentiality regulations. However, because of the limited energy and computational resources of sensor nodes, realistic methods for secure authentication and privacy face special challenges. 1

1This chapter ﬁrst appeared as J. Croft, N. Patwari, and S.K. Kasera. ”Robust uncorrelated bit extraction methodologies for wireless sensors” In Proceedings of the 9th ACM/IEEE International Conference of Information Processing in Sensor Networks. ACM, 2010. 12

To meet the critical need for secure communications, existing research has developed methods to address these multiple challenges. Existing work uses predistributed shared secret keys and public key methods adapted for use on resource constrained sensor nodes. Various methods of probabilistic predistribution [13] [41] have balanced security and limited on-device storage space. Public key methods have used elliptic curve cryptography [44] to create public keys within sensor node resources. Unlike traditional cryptography methods, we address the problem of secret key establishment between two wireless sensor nodes for secure communication using the time and space variations in the time-division duplex channel. The radio channel offers a unique opportunity to build alternate robust security solutions in a resource efficient manner. A key generated from radio channel characteristics [6] [30] [61] reflects the uniqueness of the time and space in which it was created. Two nodes, Alice and Bob, are able to measure a characteristic of the channel between them, each generates a key from those measurements, and then uses that key to encrypt further communications. Even if Eve, an attacker, were able to overhear legitimate users Alice and Bob during the collection of channel measurements, Eve would be unable to duplicate the key because she would not have measured the same channel as that between Alice and Bob. Using temporal and spatial variation in channel characteristics for secret key establishment is not a new idea. Key generation from channel characteristics was first described in [28]. Since then several existing efforts including our own have designed and evaluated bit extraction schemes using many different channel characteristics. Some of these characteristics are angle of arrival [6], phase [28] [61], received signal strength [45] [30] [53], signal envelopes [7] [71] and level crossings [45]. Of these, received signal strength (RSS), or channel gain, is most commonly available because of the low device cost and the requirement for inexpensive sensor nodes. To keep the cost low and to be able to use off-the-shelf hardware, we also use RSS in this paper. Unfortunately, existing methods have significant problems achieving high bit generation rates when required to achieve (1) a low probability of bit disagreement and (2) uncorrelated bits. Existing methods sacrifice bit generation rate to achieve low 13 bit disagreement rates. A low bit generation rate leads to high energy consumption as nodes repeatedly probe the channel to extract sufficient bits. This severely limits the lifetime of the node. The high rate uncorrelated bit extraction (HRUBE) method can achieve a high rate of uncorrelated bits with a reliably low probability of bit disagreement. However, it requires precise knowledge of the distribution and the temporal statistics of the radio channel. Sensor nodes are deployed in a wide variety of environments so such a priori knowledge is unrealistic. Further, if statistical assumptions are made that are incorrect, the benefits of the method are lost.

Here we present a method which comprehensively addresses these limitations. Our scheme implements a ranking method to remove the non-reciprocities that are inevitable as a result of wireless sensors having differing transceiver hardware characteristics. Ranking is more robust because even when the measured values at different nodes are of a different scale, the order of the measurements will be the same. For example, the method avoids the disagreements caused by differing transmit powers and RSSI circuit variations. Even in identical hardware, variations of scale exist, and with different hardware, differences will be greater. Ranking also makes the bit extraction process independent of fading distribution. Further, we test and develop protocols which adaptively determine the covariance structure of the measured data in order to reliably extract high entropy rate secret keys with a tunable probability of bit disagreement.

We experimentally test our method using TelosB wireless motes. We evaluate and compare schemes using data collected in three different environments in 25 data sets, totaling 450,000 RSS samples. The extensive data collection allows accurate characterization of important figures of merit, including extracted bits per sample and entropy rate. While the design of a robust and practical scheme is the main objective of this work, we also find that our scheme improves the rate at which secret bits can be extracted. The tested method can extract 40 bits per second at a probability of bit disagreement of 0.04. Compared to the HRUBE bit extraction method, this method is more robust to differences in hardware, adapts to the channel environment, can be implemented on a wireless mote and produces 30% more bits per 14 sample. The tested method produces the highest secret key extraction rate reported to date. The rest of this paper is organized as follows. Section 2.3 lays out the adversary model used in this paper. In Section 2.4 we will describe the Ranking HRUBE method. Section 2.5 describes our data collection process. In Sections 2.6 and 2.7 we address issues related to implementation on wireless sensors. Sections 2.8 and 2.9 contain a summary and discussion of our findings. Section 2.10 forms a conclusion.

2.3 Adversary Model We assume that the adversary, Eve, can listen to all the communication between Alice and Bob. Eve can also measure both the channels between herself and Alice and between herself and Bob at the same time when Alice and Bob measure the channel between them for key extraction. We assume that Eve is more than a few wavelengths away from Alice or Bob. We also assume that Eve knows the key extraction algorithm and the values of the parameters used in the algorithm. We assume that Eve cannot jam the communication channel between Alice and Bob. We also assume that Eve cannot cause a man-in-the-middle attack, i.e., our methodology does not authenticate Alice or Bob. In this aspect, the technique of key extraction from RSS is comparable with classical key establishment techniques such as Diﬃe-Hellman [22], which also use message exchanges to establish keys and do not authenticate Alice or Bob.

2.4 Methodology Key extraction benefits from the reciprocity of the channel gain (or loss) between two antennas and the fluctuations of the channel gain in a non-static channel. In a reciprocal channel, the multipath properties including gain, phase shifts and delays are identical in both directions of a link at any point in time. However, successful key extraction must account for the sources of non-reciprocities present in measurements of the channel gain, such as additive noise, and differences in hardware. These non- reciprocities are the source of bit disagreement, i.e. bits that do not match between the two generated keys. In addition, a good key has uncorrelated bits, despite the fact that fading is a temporally-correlated random process. The adaptive ranking- 15

Figure 2.1. ARUBE bit extraction

Figure 2.2. Areas of bit agreement and bit disagreement for m(i) = 1.

−1 10

−2 10

m=4 m=3 −3 m=2 10

Probability of Bit Disagreement m=1

0.9 0.99 0.999 Correlation Coefficient ρ

Figure 2.3. Spatial correlation vs. Pbd and m 16

based uncorrelated bit extraction (ARUBE) method uses four tools to address these challenges:

1. Interpolation removes non-reciprocities caused by the half-duplex nature of the channel.

2. Ranking reduces non-reciprocities caused by diﬀering hardware characteristics and outputs data with an a priori known distribution.

3. Decorrelation removes temporal correlation from the RSS fading signal.

4. Quantization extracts bits from interpolated, ranked and decorrelated RSS measurements.

A block diagram is shown in Figure 2.1. We expand upon these steps in the following sections.

2.4.1 Interpolation The half-duplex nature of the PHY layer (e.g., in 802.15.4) means that Alice and Bob are unable to simultaneously measure the channel gain. To compensate we use a ﬁnite impulse response (FIR) fractional delay ﬁlter, which interpolates to obtain an estimate of the channel gains in both directions of the link at a single point in th th time. The fractional delay between the i measurement by Alice, wa(i), and the i measurement made by Bob, wb(i), is,

1 τ (i) − τ (i) µ = b a (2.1) 2 T

th where τb(i) and τa(i) are the arrival times of the i packet at Bob and Alice respectively. We implement two fractional delay ﬁlters, one each at Alice and Bob. W.l.o.g. we th assume that τa(i) < τb(i) so that µ > 0. If we interpolate points in wa so that the i th sample is delayed by (1 + µ)T and interpolate points in wb so that the i sample is 17 delayed by (1−µ)T , we would have nearly simultaneous measurements. These delays can be broken down into fractional, µ, and integer, n, delays. At each node:

µa = µ µb = 1 − µ na = 1 nb = 0 (2.2)

We implement the cubic Farrow ﬁlter [24]. For c ∈ {a, b}:

3 3 2 hc = µc /6 − µc/6, −µc /2 + µc /2 + µc, 3 2 3 2 T µc /2 − µc + 1, −µc /6 + µc /2 − µc/3

The ﬁltered signal, xc, becomes the input to the next step in the bit extraction process.

2.4.2 Ranking Ranking is used to remove the diﬀerences in the unknown transmitter and receiver characteristics which diﬀer between the two directions. As its output ranking also produces values with a uniform distribution.

2.4.2.1 Motivation As we note above, the channel gain is reciprocal, but each receiver actually measures RSSI, a voltage in the receiver IC. The RSSI has an aﬃne relationship with channel gain, denoted CG,

RSSI = c1CG + co (2.3) and c1, c0 ∈ R depend on the two nodes. The parameter c0 will vary due to differing transmit powers or differing battery voltages at the two nodes. Both c0 and c1 vary because the devices use different hardware or because manufacturing differences in identical hardware [52].

The device parameters c0 and c1 can be considered to be constant over the short periods time required to generate a secret key from the channel (tens of seconds). If the channel gain is reciprocal and the RSSI is given by (2.3), ranking will recover identical signals. 18

The ranking process also homogenizes the output distribution. As will be discussed in Section 2.4.4, it is required to know the distribution of the data input into the quantizer. Ranking does not provide a uniform distribution as input to the quantizer because decorrelation is performed in between ranking and quantization; however, ranking does eliminate the changes that would occur based on the particular environment. For example, narrowband fading statistics may be Ricean, Rayleigh, or Weibull distributed [27], however, the distribution of the output of the ranking operation will remain uniform.

2.4.2.2 Algorithm Next, we describe how to perform ranking for the ARUBE method. In short, we take each segment of K values from the continuous-valued, interpolated channel measurements and output discrete-valued numbers which indicate their order within the group of K. We also use a set of known “dummy values” to increase the randomness of the output of the ranking. However, for introductory purposes, we ﬁrst introduce ranking without dummy values, and then deﬁne the process of ranking with dummy values. (t) The input to the ranking operation are the K-length sub-vectors xc , for c ∈ {a, b}.

By sub-vectors, we mean that channel interpolated channel measurements, {xc(i)}i, are input to a serial-to-parallel converter that outputs sub-vectors of length K, which we denote xc(t). Speciﬁcally,

(t) T xc = [xc((t − 1)K + 1), . . . , xc(tK)] (2.4)

k K Ranking is a function R : Z → K0 , where K0 is a set of ﬁnite size with minimum

1 and maximum K. When there are no “ties” in input data, K0 = {1,...,K}, and th th xc(t) is ranked such that the j element of the t ranked sub-vector is

(t) (t) (t) rc (j) = |{k : xc (j) > xc (k)}| + 1 1 + |{k 6= j : x(t)(j) = x(t)(k)}| 2 c c (t) (t) When there are no ties in the input data, rc (j) is simply the order of xc (j) in a (t) (t) sorted list of xc . When there are ties, the value of rc (j) is the average of the order 19

of the tied values in the sorted list. For example, for K = 5 and this particular xc,

the vector rc would be output from the ranking method,

xc(i)i = [13, 11, 10, 14, 11, 12, 16, 17, 19, 15, 18, 17] | {z } | {z } x(1) x(2) c c (2.5) rc(i)i = [4, 2.5, 1, 5, 2.5, 1, 3, 4, 5, 2] | {z } | {z } (1) (2) rc rc

If the number of input values of {xc(i)}i cannot be evenly divided by K, the left over values are not used. Next we describe the introduction of “dummy values” to add randomness to the output of our ranking method. Ranking the measurements directly introduces non- randomness that could possibly be exploited by an attacker. If the first K − k measurements are known or guessed, for k K, it would be less difficult to accurately determine the ranks of the remaining k measurements. To avoid this problem, we introduce D dummy values into the input stream. The ranking with dummy values k K is a function R : Z → KD , where KD is a set of finite size with minimum 1 and

maximum K + D. When there are no ties in input data, KD = {1,...,K + D}. In the ARUBE method, we determine D dummy values from D evenly spaced quantiles of the distribution of {x (i)} . Speciﬁcally, we use F −1 n−0.5 for n = c i xc D

1,...,D, where Fxc (x) is the cumulative distribution function (CDF) of xc. Note that values are found independently at each node c ∈ {a, b}. th th (t) The j element of the t ranked sub-vector, rc , becomes,

(t) (t) (t) rc (j) = |{k : xc (j) > dc (k)}| + 1 1 + |{k 6= j : x(t)(j) = d(t)(k)}| 2 c c where T T 0.5 D − 0.5 d(t) = x(t) ,F −1 ,...,F −1 (2.6) c c xc D xc D

2.4.3 Decorrelation

Adjacent channel measurements in rc are correlated. In this paper we use the discrete Karhunen-Lo´eve transform (KLT) to convert the measured, interpolated, 20

ranked channel measurements in ra and rb into uncorrelated components. Given the covariance matrix of correlated data the KLT looks for an orthogonal basis that decorrelates the data. If the data is Gaussian, the decorrelated data will also be independent.

Assume that the input vector at node c ∈ {a, b}, rc, has mean µc, covariance matrix Rr and length N. The singular value decomposition (SVD) of Rr can be written, T 2 2 Rr = USU , where U is the matrix of eigenvectors, and S = diag{σ1, ..., σN }, is a diagonal matrix of the corresponding eigenvalues. We assume that the eigenvectors 2 2 2 have been sorted in order of decreasing eigenvalue, so that σ1 ≥ σ2 ≥ ... ≥ σN ≥ 0. T Note that U U = IN , where IN is the N × N identity matrix. The discrete KLT calculates yc as

T yc = U (rc − µc). (2.7)

It can be shown that Ry, the covariance matrix of yc is equal to S. Because S is

diagonal, yc has uncorrelated elements.

In Section 2.6 we discuss the online determination of Rr and the setting of parameter N.

2.4.4 Quantization

There is a tradeoﬀ between the probability of bit disagreement, Pbd, and the number of bits generated. Multi-bit adaptive quantization [53] (MAQ) achieves a

high rate of bits per sample for a desired Pbd. W.l.o.g. we choose Alice to be the ‘leader’ and Bob to be the ‘follower’. We ﬁrst

mi+2 mi quantize ya(i) into one of J , 2 = 4 × 2 equally likely quantization levels. We

determine the quantization levels based on the CDF of ya(i), Fi(y) = P [ya(i) ≤ y].

The thresholds, ηj, are calculated as,

−1 j ηj = Fi , for j = 1,...,J − 1. (2.8) 4 × 2mi

and η0 = −∞ and ηJ = ∞. 21

The quantization bins are then deﬁned by the thresholds. The jth quantization bin is the interval (ηj−1, ηj) for j = 1,...,J, so j(i) is given by

j(i) = max[j : ya(i) > ηj−1] (2.9) j

Next, we deﬁne the following binary variables:

• Deﬁne e(j), for j = 1,...,J as

1, (j mod 4) ≥ 2 e(j) = (2.10) 0, otherwise

mi • Create a Gray codeword with mi bits, that is, an ordered list of 2 possible

mi-bit codewords.

j−1 mi • Let f1(j) = b 4 c. Deﬁne d1(j) ∈ {0, 1} to be equal to the f1(j)th Gray codeword.

j+1 mod J mi • Let f0(j) = b 4 c. Deﬁne d0(j) ∈ {0, 1} to be equal to the f0(j)th Gray codeword.

These variables are shown in Table 2.1 for m(i) = 1. Multi-bit adaptive quantization proceeds as follows. The leader node, Alice in this case, quantizes ya(i) in the correct quantization k(i) for all components i. Alice then transmits the bit vector e = [e(j(1)), . . . e(j(N))]T to the follower node, Bob.

Both nodes encode their secret key using codeword d0 when e = 0, and codeword d1 when e = 1. Speciﬁcally the secret key for node c is

zc = [de(j(1))(j(1)), . . . , de(j(N))(j(N))] (2.11) where j(i) is given in Eq. 2.9. Figure 2.2 shows a graphic representation of the m(i) = 1-bit case.

The Pbd in MAQ is related to the correlation coeﬃcient between components and the number of bits extracted from each decorrelated component, ya(i). The correlation 22

th coeﬃcient of the i component, denoted ρi, can be determined from the covariance matrix of the decorrelated components. s [Ry]i,i ρi = 2 (2.12) σi

From the areas of bit disagreement in Figure 2.2, the analytical approximation of bit disagreement rate vs. correlation coeﬃcient in Figure 2.3 is derived [53]. The greater the correlation between components the more bits that can be extracted or the lower the percentage of bit disagreement. The total number of bits ex- PN tracted from each group of decorrelated measurements, yc is denoted M = i=1 m(i).

2.5 Experimental Data Collection For purposes of evaluation, we implement three wireless sensors capable of collecting RSS measurements. The TelosB mote is a low power wireless sensor module equipped with an IEEE 802.15.4 compliant RF transceiver (the TI CC2420), built-in antenna and a micro-controller. TinyOS/NesC software is written for the TelosB motes for measurement and communication. Nodes Alice (a) and Bob (b) take turns transmitting probing packets. Each probing packet contains a counter value and a unique node id number. When

node c ∈ {a, b} receives the ith packet, it (1) obtains the RSS of the packet, wc,i; (2)

stores the received counter value i and the RSS value wc,i; (3) increments its local counter value and (4) builds a new data packet containing the new counter value and its own node ID and sends it over the radio to nodec ¯ wherec ¯ ∈ {a, b} andc ¯ 6= c. The packet transmission rate of the device, and thus the RSS sampling rate, is 50 per second. The third node, Eve, designated the attacker node, overhears all of the packets being transmitted between the other two nodes, estimates the RSS of each packet and stores the data. Eve’s TelosB mote does not transmit any packets. Data is collected on a laptop to enable arbitrary application of the RSS measurements in secret key establishment. We collected 25 datasets with a total of 443, 600 samples. Most datasets had between 10,000 and 20,000 RSS samples while a few datasets had more than 50,000 23

or less than 5,000. At 50 samples per second it takes 5 minutes to collect 15,000 samples. The nodes were arranged in various geometries to evaluate the ability of Eve to obtain the same key as Alice and Bob and to see how the signal to noise ratio (SNR) might aﬀect the methods. For all datasets, Alice and Eve were placed on a ﬂat surface while Bob was rotated and moved randomly by an experimenter to introduce random fading into the channel. In the 16 datasets where Eve was present, she was λ at most 45cm from Alice and in few cases she was less than 6.25cm or 2 from Alice. Six datasets were collected where Bob was more than 1.5m from Alice and Eve. All signal processing was done in Python.

2.6 Enabling Channel Adaptation In [53] the authors presented HRUBE, a framework for bit extraction from channel measurements, but did not have a realistic method for implementation. This section presents methods to select the parameters of the ARUBE method. These parameters include the number of decorrelated components, N, the decorrelation matrix, U, and the number of bits per component, {m(i)}i. The selection of these parameters depends upon the radio channel between Alice and Bob. For example, in a quickly varying channel we would expect the covariance matrix to be diﬀerent than in a slowly varying channel. Also, the number of bits extracted from the channel would increase with signal to noise ratio.

2.6.1 Previous Approach

In the HRUBE method, the covariance matrix, Rx, was estimated as

C 1 X X T Rˆ = (x(i) − µˆ )(x(i) − µˆ ) (2.13) xc,xc 2C − 1 c c c c c∈{a,b} i=1

(i) th where xc is the i N-length measured RSS vector at node c, C is the total number of vectors and C 1 X µˆ = x(i). (2.14) c C c i=1 The N × N decorrelation matrix U is found by the SVD. The values, m(i), were

determined from the covariance matrix of xa and xb. The secret key, zc, was then 24

extracted from the same measurements as were used to estimate the covariance matrix.

2.6.2 Selection of N The computational complexity of estimating the covariance matrix and calculating the SVD are both dependent upon N as will be discussed in Section 2.7. Increasing N will decrease temporal correlation between bits in the secret key because more samples are simultaneously decorrelated. For example, setting N = 50 produced sufficiently decorrelated bits for the HRUBE method [53]. Because of the tradeoff between computational complexity and temporal decorrelation, finding a minimum range or value for N could significantly reduce the number of calculations. In order to test for uncorrelated bits, we look at two types of correlation coefficients:

1. Pair-wise bit correlation coefficients. We denote ρzi,zj as the correlation coeffi- th th cient between the i and j component of vector zc (Eq 2.11), for any particular M combination (i, j) where i 6= j. There are 2 different values of ρzi,zj .

2. Global bit correlation coeﬃcient. We denote ρz as the correlation coeﬃcient

between any pair of diﬀerent components of zc. Here we assume that the correlation coeﬃcient is identical across all combinations of (i, j) and we use

our data to estimate the single value of ρz.

M There are 2 diﬀerent pairwise correlation coeﬃcients, ρzi,zj , but because there are more of them, each one is estimated with few realizations, which we denote as n.

The global bit correlation coefficient, ρz, is a single number but it has many more realizations, n. By performing statistical tests on both correlation coefficients, we can reliably verify that bits are uncorrelated. To avoid confusion, it should be noted that we now have two types of correlation, spatial and temporal. The first, spatial, is ‘good’ correlation (Eq 2.12 and Figure 2.3)

between the decorrelated components ya(i) and yb(i). This spatial correlation is what makes bit extraction eﬀective. The second describes temporal correlation between 25

bits. Both ρzi,zj and ρz quantify temporal correlation that might allow an attacker to have a better chance of guessing subsequent bits given knowledge of some bits. We quantify the effect of N on temporal correlation in this section. Estimated correlation coefficients will never be precisely zero, even if ρ = 0. We use hypothesis tests to quantify if these non-zero correlation coefficients are likely to have been generated if the true ρ = 0. Formally, the decision is:

H0 :ρ = 0 (2.15) H1 :ρ 6= 0 The hypothesis test is performed on the t statistic [29],

r1 − ρˆ2 H1 t =ρ ˆ > γ (2.16) n − 2 < H0 whereρ ˆ is the correlation coefficient estimated from the data either ρzi,zj or ρz, n is the number of realizations used in the estimate and γ is a threshold. The threshold is set by choosing a desired false alarm rate, α, and applying knowledge of the distribution of t (t distribution with n − 2 degrees of freedom). In the limit for high n (n > 100) the distribution of t approaches the zero-mean unit-variance Gaussian distribution. We plot the t-statistics vs. N and the appropriate thresholds for three datasets in Figures 2.4 and 2.5. Each dataset has many pairwise correlation coefficients, so for simplicity we plot only the maximum pairwise correlation coefficients in Figure 2.4. For the datasets presented here, the minimum number of realizations is n = 833. We set the false alarm probability, α = 0.05, therefore we would expect even if ρ = 0 to see 5% of the values crossing the threshold. In all plots the target Pbd = 0.04, K = 256, and D = 128.

As shown in Figure 2.4, for N ≥ 15 the datasets u, s and t decide H0 more than

1 − α = 95% of the time. The global correlation, ρz, as shown in Figure 2.5, is dependent upon the dataset. H0 is decided for datasets u, s and t at N = 27, 25, 17 respectively. Based on the tests of ρzi,zj we may believe N > 15 is sufficient, however, because of the tests on ρz, we may wish to set N > 30. We also tested the effect of N on the number of bits extracted per sample. We tested the total number of bits per sample for a range of 5 ≤ N ≤ 50 and over the 26 same three datasets. We found that the choice of N does not have a significant effect on the number of bits extracted per sample. In addition, we tested the entropy of the bitstream vs. N. For N larger than 15, entropy slowly increases with N. These results are presented in Table 2.6.

2.6.3 Covariance Matrix and Correlation Coeﬃcient Estimation In the previous section we looked at the eﬀect of N on temporal correlation when the covariance matrix was estimated as in Eq. 2.13. In other words, the covariance matrix was estimated using all measurements made in both directions. If this were implemented, it would take many minutes to collect all of the RSS measurements. Alternatively the covariance matrix would be estimated and the KLT performed for every vector of samples collected. In either case, it would either computationally expensive or introduce high latency. We see three options in addition to the full method for calculating the covariance matrix:

1. Full: The covariance matrix is estimated on the nodes for all vectors of collected channel measurements using Eq. 2.13. The SVD of the covariance matrix is calculated on each node and the decorrelation matrix, U, is found.

2. Oﬄine: The covariance matrix is estimated oﬄine from previously collected data, the SVD of the covariance matrix is calculated and then the decorrelation matrix, U, is loaded onto both nodes prior to deployment.

3. Uni-directional: The covariance matrix is estimated by each node using only the measurements it has collected. In this case the covariance matrices at Alice and Bob would be,

C 1 X T Rˆ = (r(i) − µˆ )(r(i) − µˆ ) ra,ra C − 1 a a a a i=1

C 1 X (i) (i) T Rˆ = (r − µˆ )(r − µˆ ) rb,rb C − 1 b b b b i=1 27

Table 2.1. m = 1 bit MAQ Bin Codeword Interval j f1 f0 e of y(i) −1 1 0 0 0 (−∞,Fi (0.125)) −1 −1 2 0 0 1 (Fi (0.125),Fi (0.25)) −1 −1 3 0 1 1 (Fi (0.25),Fi (0.375)) −1 −1 4 0 1 0 (Fi (0.375),Fi (0.5)) −1 −1 5 1 1 0 (Fi (0.5),Fi (0.625)) −1 −1 6 1 1 1 (Fi (0.625),Fi (0.75)) −1 −1 7 1 0 1 (Fi (0.75),Fi (0.875)) −1 8 1 0 0 (Fi (0.875), +∞)

10 dataset u 9 dataset s dataset t 8

5 Statistic t 4

1 5 10 15 20 25 30 35 40 45 50 N-elements in KLT

Figure 2.4. t-statistics for max ρzi,zj vs. N for three datasets and the threshold, γ.

5 dataset u dataset s 4 dataset t

1 Statistic t 0

-1

-2 5 10 15 20 25 30 35 40 45 50 N-elements in KLT

Figure 2.5. t-statistics for ρz, vs. N for three datasets and the threshold, γ. 28

4. Partial: Alice and Bob collect and share Nc preliminary channel measurements,

wpa and wpb. Both vectors are interpolated and ranked then the covariance matrix is estimated at both nodes using the preliminary bi-directional data,

" Nc 1 X T Rˆ = (r(i) − µˆ )(r(i) − µˆ ) rc,rc¯ N − 1 pa pa pa pa c i=1

Nc # X (i) (i) T + (rpb − µˆpb)(rpb − µˆpb) (2.17) i=1 The SVD of the covariance matrix is calculated on each node to obtain U.

The advantages of each method are as follows. The full method will decorrelate the measurement vectors better than the other three, but is expensive in terms of time and computation. The offline method is much less computationally intensive since the KLT is not calculated online, but does not adapt to changes in the radio channel. The uni-directional method requires no additional data sharing between the two nodes other than probe packets and MAQ protocol, but is as computationally expensive as the the full method. The partial method, while more computationally expensive than the offline method, can adapt to changes in the wireless channel because it decorrelates the bit stream immediately after calculating U. To determine the effect of these four methods on temporal correlation we take one of the datasets, u, which was also used in the previous section and run the same hypothesis tests. Table 2.2 shows that none of the four methods results in correlation coefficients ρzi,zj or ρz which are significantly different than zero. For all methods,

Pbd = 0.04, K = 256 and D = 128. The effect of the covariance estimation method on the bits extracted per sample is also of concern. On average the partial method extracted 5% fewer bits per sample than did the offline, full or uni-directional methods. For the offline method we used dataset r as the dataset to compute the decorrelation matrix U. Dataset r was collected in similar channel conditions as dataset u. Rarely, the uni-directional method produced as much as 40% fewer bits per sample. This method suffers from the fact that the U matrix can be highly sensitive to noise. This is because the order of the eigenvectors and the sign of the eigenvectors can 29

be different at Alice and Bob. Other methods guarantee U will be identical at both nodes. To determine the number of bits to extract from each component, Alice and Bob must know the correlation coefficients ρ(i) (Eq. 2.12). In the uni-directional method, Alice and Bob cannot determine the correlation coefficients. In addition, in the offline method the values of the correlation coefficients are virtually certain to vary with differing channel conditions. In these two cases, Alice and Bob could do one of two things:

1. Make a conservative guess based on a metric like signal to noise ratio.

2. Exchange a subset of the decorrelated components, yc, and use them to calculate the correlation coeﬃcients similar to the partial method.

Although it would be cheaper both in terms of computation and time if the SVD was calculated offline, it would leave the nodes without any means of calculating a new U matrix or correlation coefficients if the nodes were deployed in an environment with significantly different wireless characteristics than the previously gathered samples. To allow adaptation, we use the partial method in the rest of this paper.

2.7 ARUBE Protocol In this section we describe the ARUBE protocol and ﬁnd the number of transmissions necessary to extract a secret key of length Lk. Figure 2.6 shows a diagram of the protocol. At a high level, the protocol has two parts separated by the dotted horizontal line in Figure 2.6. In the ﬁrst part (steps 1-3 in Figure 2.6) the two nodes estimate the covariance matrix and calculate the decorrelation matrix, U, and the bit vector, m. In the second part (steps 4-7) the nodes measure the channel and using U and m, extract bits for a secret key. The second part can be repeated as many times as necessary to obtain the desired number of bits in the secret key. The process can be described as follows: 30

Figure 2.6. Packets sent for channel probing (—¿) and data transfer (- - -¿), computation (boxes) at either node, for overhead and bit extraction.

1. Alice (the leader) and Bob (the follower) exchange Nc packets. The packets contain the RSS value of the last received packet at the respective node so that both nodes have a copy of the preliminary RSS measurement vectors.

2. Alice and Bob rank and interpolate both vectors.

3. Both nodes estimate bi-directional covariance matrix, calculate the SVD to ﬁnd the decorrelation matrix, U, and the bit vector, m.

4. Alice and Bob exchange K probing packets which contain no data. After packets are exchanged, Alice has a vector of RSS as measured from Bob to Alice and 31

Bob has a vector of RSS as measured from Alice to Bob.

5. Alice and Bob interpolate, rank and decorrelate their RSS vectors to obtain ya

and yb respectively.

6. Alice quantizes ya to obtain the secret key, za, and the e-vector. She sends the e-vector to Bob.

7. Bob, upon receipt of the e-vector from Alice, quantizes yb to obtain the secret

key zb.

The fourth through seventh steps are performed until the secret key is of desired length. If the channel changes substantially or the percentage of bit disagreement is higher than expected, the ﬁrst three steps can be performed again to obtain an estimate of current channel statistics. With the ARUBE protocol in mind we determine the number of transmissions needed to create a shared secret key of length Lk. We deﬁne the constants ˆ Nc = Samples required to calculate Rrpa,rpb N = Length of vector to be decorrelated K = Number of samples to rank

Be = Bits extracted per sample

We calculate the number of transmissions required to generate a key of length Lk and the computational complexity of each step with respect to N, K and Nc. The number of bits extracted per sample, Be, is dependent upon the environment where the bit extraction is performed.

2.7.1 Packet Transmissions

Table 2.3 shows the number of packets transmitted when Lk = 128, Nc = 1000,

K = 256 and Be = [0.4, 0.75] as the number of keys created increases. The number of packets transmitted is Lk Nt = Nc + K + G (2.18) BeK 32

Where G is the number of packets required for Alice to transmit the e-vector. G is dependent on the number of bits in a packet, P , and the number of components in

yc from which bits can be extracted Mn = |{i : m(i) 6= 0}|. L 1 G = k M (2.19) M n P

The number of bits extracted per sample, Be, has the greatest eﬀect on the number of packets transmitted. The transmissions above the dotted horizontal line in Figure 2.6 are overhead and are independent of the number or length of secret keys to be generated. The amount of transmission overhead is dependent only upon Nc. While the leader and follower nodes transmit nearly the same number of packets, the leader node will transmit more over time because of the e-vector packets.

2.7.2 Computational Complexity The gray boxes in Figure 2.6 indicate computations that are done on each respective node. The computational complexity of each step is listed in Table 2.4. While the calculation of the SVD has the highest order of any operation, it may be

possible to simplify the order. For example only Mn = |{i : m(i) 6= 0}| of eigenvectors need to be calculated. If Mn ≤ N it can be less computationally complex to calculate one eigenvector at a time and stop extracting eigenvectors when m(i) = 0. Depending upon the number and length of keys to be generated, the covariance matrix estimation and calculation of the SVD might not be the most significant portion of the required computation although they have the highest order. Although an exact comparison is difficult, we expect ARUBE to extract secret bits with fewer computations in comparison to the Diffie-Hellman secret key exchange. The main computation for the Diffie-Hellman scheme is the modular exponentiation, (ga mod p)b mod p [48]. Here, p is a large prime number, g is the generator of the ∗ order of p − 1, in the group < Zp, × >, and a and b are the secrets of Alice and Bob, respectively. This modular exponentiation has a time complexity of O(nM(k)) where n is the number of bits in p, k is the number of bits in a or b, and M(k) is the complexity of a chosen multiplication algorithm. Using the Karatsuba algorithm for multiplication [32], M(k) = O(k1.585). The time complexity of the ARUBE bit 33

Table 2.2. t-statistics by method ρ ρ Method zi,zj z N=17 N=3 N=17 N=35 Full 2.950 3.369 1.864 0.444 Oﬄine 2.825 2.194 0.533 1.159 Uni-directional 2.950 3.196 1.978 0.589 Partial Nc = 2.201 2.828 0.228 0.926 1000 Partial Nc = 2.952 2.851 0.366 1.440 2000

Table 2.3. Number of Packets Transmitted Be Node Overhead Key 1 Key 4 Key 7 Alice 1000 1263 2052 2841 0.4 Bob 1000 1256 2024 2792 Alice 1000 1264 1800 2336 0.75 Bob 1000 1256 1768 2280

Table 2.4. Computational Complexity Overhead Complexity

Interpolate O(Nc) Rank O(NclogK) ˆ 2 Calculate Rxpa,xpb O(N Nc) Calculate SVD O(N 3) Bit Extraction Complexity Interpolate O(K) Rank O(KlogK) Decorrelate O(NK) Quantize O(K) 34

extraction steps is O(NK). Considering k and K to be constant, and noting that a smaller symmetric key is equivalent in strength to a much larger Diffie-Hellman Key (e.g., 112-bit symmetric key is equivalent to 2048-bit Diffie-Hellman key [49]), ARUBE is computationally more efficient than the Diffie-Hellman key exchange.

2.8 Results In this section we quantify the performance of the ARUBE method. We look at three metrics: (1) secret bits per sample; (2) estimated entropy rate of secret key bits; and (3) resistance to a passive attack. Secret Bits per Sample: The number of secret key bits generated per sample directly impacts the latency and energy eﬃciency of key establishment. Figure 2.7 plots ARUBE (and for comparison, HRUBE) secret bits per sample vs. Pbd for N ∈ K {17, 35}, K ∈ {128, 256}, and D = 2 . We assume the best case the HRUBE method,

that it estimates the U and {m(i)}i on the same data set which it then uses to extract bits. Out of 25 data sets, we plot the average of the top three with respect to bits extracted per sample, the average of the bottom three and the average remaining 19 datasets. We show a comparable analysis with the same datasets for a bit extraction method developed by Mathur et al. [45] in Table 2.5. Unlike ARUBE, this method was developed solely to produce keys with Pbd = 0, with no expectation of information reconciliation. This method finds extrusions in a filtered vector of RSS measurements. An extrusion is where the values of a filtered RSS vector are above some threshold γ or below −γ. If an extrusion is at least m measurements long and exists on both directions of the link, it will be assigned as a 1 if it is above γ, or as a 0 if it is below −γ. To find the values in Table 2.5 we selected many values of γ between 0.1σ ≤ γ ≤ 1.5σ where σ is the standard deviation of the filtered RSS vector, and found the

maximum bits per sample that could be generated which had a Pbd less than a given value. Table 2.5 shows the average for the best three, worst three and remaining 19 datasets. While this method requires much less computation than ARUBE and 35

K=128 K=256

1.0 1.0

0.8 0.8

0.6 0.6 = 17

N 0.4 0.4

0.2 0.2 Secret bits per sample Secret bits per sample

0.0 0.0 0.01 0.02 0.03 0.04 0.05 0.06 0.07 0.01 0.02 0.03 0.04 0.05 0.06 0.07 Target Bit Disagreement Rate Target Bit Disagreement Rate

1.0 1.0

0.8 0.8

0.6 0.6 = 35

N 0.4 0.4

0.2 0.2 Secret bits per sample Secret bits per sample

0.0 0.0 0.01 0.02 0.03 0.04 0.05 0.06 0.07 0.01 0.02 0.03 0.04 0.05 0.06 0.07 Target Bit Disagreement Rate Target Bit Disagreement Rate

Figure 2.7. Target Pbd vs. secret key bits per sample for ARUBE (black lines) and K HRUBE (gray lines), for N ∈ {17, 35}, K ∈ {128, 256}, and D = 2 , for averages of the best three datasets (-•-), the worst three (--), and the remaining 19 (-N-). 36 unlike similar extraction methods produces keys with high entropy, the number of bits extracted per sample is very low. Even at small Pbd, ARUBE produces 4 times more bits per sample and up to 9 times more with larger Pbd. Entropy Rate: We estimate the entropy rate of the generated secret key bits, i.e., a quantiﬁcation of the uncertainty of the bit sequence. If generated bits are perfectly independent, they should achieve an entropy rate of 1. Although it is not suﬃcient for a secret key to have a high entropy in order to be secure, it is necessary.

We generate bits from datasets using Pbd = 0.04, K = 256, and D = 128, and then estimate the entropy rate using the approximate entropy test in the NIST’s statistical test suite for random number generators [60]. The average and minimum values over 23 of the 25 datasets are listed in Table 2.6. The remaining two datasets had < 500 bits, not enough to estimate entropy.

Evaluation of Possible Attacker Success: In this paper we take a straight- forward, if simplistic, view of the ability of an eavesdropper to obtain Alice and Bob’s secret key. We provide one way to see how the ARUBE and HRUBE methods perform when under attack from a passive listener. For both methods, Eve performs bit extraction in the same manner as Alice and Bob. Eve overhears the Nc preliminary measurements and the RSS values contained within the packets sent between Alice and Bob to ﬁnd U and {m(i)}i. We assume Eve knows the constants N, K and Pbd that Alice and Bob use for bit extraction. The average percentages of bits Eve gets correct for the HRUBE and ARUBE methods over the 16 datasets (where Eve was present) are compared in Table 2.7.

2.9 Discussion Assuming the best case for the HRUBE method, that it estimates the U and

{m(i)}i on the same data set which it then uses to extract bits, we see that the ARUBE still outperforms the HRUBE. Both the ARUBE and HRUBE methods are resistant to a passive evesdropper, as shown in Table 2.7. The ARUBE method achieves higher entropy than the HRUBE method, and increasing N from N = 17 to N = 35 also increases the estimated entropy rate for both methods (Table 2.6). 37

ARUBE generates up to 60% more bits compared to HRUBE method (Figure 2.7) for low Pbd. For K = 256 and D = 128, the ARUBE achieves up to 25% more bits for medium and high Pbd. For most datasets, the ARUBE achieves higher bit rate

at a given Pbd. The greatest improvements occur in datasets with high SNR. The performance improvement is seen for both N = 17 and N = 35. We note that setting K too low reduces the beneﬁt of the ARUBE method, e.g., for K = 64 the two methods are approximately equivalent.

Note that K can be set to an arbitrary integer. For instance, if Be = 0.8 and the 1 desired key length is 128 bits, it would be faster to collect and rank K = 0.8 ∗128 = 160 samples. After U is determined, at 50 samples per second, it would take a wireless sensor 3.2 seconds to collect the required 160 samples for the secret key.

2.10 Conclusion We presented a new method of secret key generation, ARUBE, that adapts to the radio channel environment and the characteristics of the two wireless sensors in use. Further, for medium and high SNR channels, the ARUBE produces more bits per sample, thus reducing the number of transmissions (energy) required to produce a given length secret key. In comparison with the HRUBE, another uncorrelated bit extraction method, ARUBE extracts 30%-60% more bits in situations with high SNR. ARUBE is shown to produce uncorrelated bits, is resistant to a simple passive eavesdropper, and secret keys have an entropy rate above 0.97. The number of packet transmissions and computational complexity are presented. Future work should test simpliﬁcations and implementations of ARUBE. Algo- rithms to reduce the computational complexity of the KLT exist and should be tested. The oﬄine version of ARUBE is implemented in TinyOS, and current work is implementing the complete method. 38

Table 2.5. Bits per sample–Mathur et al. Pbd ≤ 0.0 0.0025 0.01 0.04 0.07 Best 0.074 0.077 0.082 0.088 0.089 Middle 0.055 0.064 0.072 0.074 0.076 Worst 0.0 0.032 0.05 0.057 0.057

Table 2.6. Average and Minimum Entropy Rates. N = 17 N = 35 Method Mean Min Mean Min ARUBE 0.9808 0.9653 0.9833 0.9757 HRUBE 0.9767 0.9433 0.9825 0.9712

Table 2.7. Percentage of bits Eve gets correct. Method Compared to Alice Compared to Bob ARUBE 50.19 50.53 HRUBE 50.64 50.76 CHAPTER 3

BIT EXTRACTION FROM CIR USING A BI-DIRECTIONAL RADIO CHANNEL MEASUREMENT SYSTEM

3.1 Abstract Experimental research in secret key extraction typically uses received signal strength (RSS) measurements as a source for secret keys. In this paper we perform experimental research using channel impulse response (CIR) measurements, one of the few reports of experimental CIR-based secret key generation. Usually, bi-directional CIR measurements require two channel measurement devices or a vector network analyzer (VNA). To obtain measurements for this research we developed a novel electronically controlled switching system that allows a single receiver and a single transmitter to alternate the direction of measurement between two antennas, which provides an inexpensive alternative for bi-directional channel measurement. We present a description and analysis of such switching systems. We also introduce and apply a new algorithm that extracts bits with high entropy from bi-directional CIR measurements. We ﬁnd that the rate of bit extraction from CIR measurements is up to eight times faster than from RSS measurements.

3.2 Introduction Concerns about the long-term security of public key cryptography have led to the development of new approaches for data encryption. 1 One approach is to establish a shared secret key between two transceivers based upon measurements of their shared

1This chapter is in second revision as J. Croft and N. Patwari. ”Bit extraction from CIR using a bi-directional radio channel measurement system.” IEEE Transactions on Mobile Computing 40 radio channel [28]. Significant work has addressed the theoretical bounds for the rate at which a secret key may be generated [72]. Fundamentally, this generation rate is a function of the correlation between the channel measurements at the two transceivers [47]. Experimental measurements are thus critical in order to determine this correlation, as a function of the band, interference level, channel measurement modality, and other channel parameters. Experimental data also allow development and testing of algorithms for secret key generation [30]. This paper contributes to two of these critical areas. First we investigate a novel means to make bi-directional measurements with only a single transmitter and receiver. Second we describe a new method of extracting bits from channel impulse response (CIR) measurements and experimentally demonstrate the method’s performance. Electromagnetic wave propagation between two antennas is, in fact, reciprocal [68]; that is, at the same frequency and same time, signals sent in opposite directions between two antennas experience identical changes in phase and amplitude. However, measurements of the received signal at the two antennas are not identical. First, additive thermal noise and interference from other devices on the same band contribute to each receiver differently. Second, typical radios do not transmit and receive simultaneously, and instead are time-division duplex (TDD). Thus measurements of the channel at the two transceivers occur separated in time, during which time the channel may change. To accurately design secret key establishment schemes to be used with practical TDD transceivers, which are subject to outside interference, one must have the capability to perform bi-directional channel measurements. Significant experimental secret key establishment research has been performed using measurements of received signal strength (RSS) [30, 71, 53, 79, 26, 45, 20, 6]. In contrast, the experimental use of channel impulse response (CIR) measurements in secret key establishment is relatively rare in the literature, even as theoretical results have shown promise [79, 26, 42, 75, 78]. In part, the relative scarcity of experimental research using CIR measurements 41 is due to the lack of inexpensive transceiver hardware with which to make the measurements. Standard receivers either do not calculate CIR or do not export CIR information to higher layers, thus specialized receivers must be designed or costly RF measurement equipment used for the purpose. A single software radio or vector signal analyzer / vector signal generator (VSA/VSG) can be used, but measuring a bi-directional link between two transceivers would require two such systems. A vector network analyzer (VNA) can also be used to measure the bi-directional radio channel. In either case, such equipment can cost many tens of thousands of US dollars which has limited their use in practice.

This paper has two main parts. In the ﬁrst part, we present an inexpensive electrically-controlled RF switch system that enables a single transmitter and single receiver to be used to make bi-directional radio channel measurements. Rather than using two transceivers, the system switches the direction of channel measurement between two antennas. This direction-alternation uses four voltage-controlled RF switches and a control system. The novelty of this switching system is that it removes the distinction between the transmit and receive antennas, allowing existing uni- directional equipment to make bi-directional measurements. The switching system is simple and useful for a variety of channel measurement studies, yet we are not aware of any prior published study of the characteristics or design of such a system. One implementation described in Section 3.4 allows channel measurement between 0-3 GHz using inexpensive, commercial oﬀ-the-shelf (COTS) RF and control hardware.

There are two major limitations of the switching system. The ﬁrst is that, if not designed correctly, the leakage power through the switching system can be higher than the desired power received through the wireless channel. We explore the design of the system to keep the leakage power low in Section 3.4. The second is that due to cable connections, the antennas cannot be separated by an arbitrary path length. Because of the path length limitations, this system will be useful in indoor, or short-range outdoor, radio channel measurement experiments. Many wireless networks are short range such as intra-vehicle communication and wireless body sensor networks. In the past these measurement studies have used a VNA [63], [65], [66], [3] but with the 42

proposed system a VNA is not required. Numerous studies of indoor propagation use single TX, single RX measurement equipment [31], [5], [16], [34], [76]. Given the similarity between this system and a vector network analyzer, we present this system as an economical alternative to a vector network analyzer if a single TX, single RX channel measurement system is available.

In the second part of this paper, we introduce and test a new algorithm for secret key establishment from CIR measurements. We apply the developed switching system to make bi-directional measurements of CIR in a time-varying channel and use the measurement results to evaluate the performance of secret key generation, including entropy, and the rate of generation of secret key bits. A key component of the developed algorithm is to decorrelate measurements across time delay and measurement time, so that the generated secret key bit stream has very high entropy rate. We ﬁnd that secret key bits can be generated from CIR measurements at eight times the rate compared to RSS measurements. Further, we ﬁnd that CIR phase information, compared to CIR magnitude information, is a relatively minor contributor to secret key establishment.

Section 3.3 summarizes research in the areas of channel impulse response measurement and secret key establishment. In Section 3.4, we describe the power loss, RF leakage and system limitations common to all four-switch systems and present an example implementation to show how the components used aﬀect the dynamic range of the system. Section 3.5 describes three sets of measurements. In section 3.6 we present the bit extraction method and show how it performs in terms of rate of bit extraction and entropy rate. Section 3.7 concludes.

3.3 Related Work This paper merges two typically disparate topics: RF channel impulse response measurement, and 2) secret key establishment. Research which addresses secret key establishment from CIR measurements has largely avoided experimental performance analysis from bi-directional measurements. Research in RF CIR measurement has presented few tools for bi-directional CIR measurement, except for the vector network 43

analyzer, which is extremely expensive and relatively slow. We describe both related research areas here.

3.3.1 RF CIR Measurement While measurement studies have characterized indoor and outdoor wireless channel characteristics including time of arrival and jitter [51, 54], channel impulse response [17, 21, 55], and spatial and temporal fading correlations [1, 23], key extraction from the wireless channel requires bi-directional measurements. With the exception of [51], the cited measurement studies employed a single transmitter and a single receiver. While a vector network analyzer (VNA) like in [51], does make bi-directional measurements, no prior research has used these measurements to generate secret keys. In this paper, we provide a new bi-directional channel measurement tool using a set of RF switches. The use of RF switches to extend the usefulness of wireless channel measurement equipment is not itself new. In general, transceivers use RF switches or circulators to enable the use of one antenna with a separate transmit and receive path. In addition, switched array wideband MIMO channel sounders like those in [43], [4], [36], [70], [35], use RF switches. In these M ×N MIMO systems, one switch at the TX and one switch at the RX are used to select one antenna element of the M or N antennas in the array to serially probe the M × N channels. In contrast, we use four switches to select which of two antennas the transmitted signal is sent and to connect the receiver to the opposite antenna. The contribution of this system’s use of RF switches is to remove the distinction between transmit and receive antennas completely. Further, we consider the resulting isolation issues and contribute simple engineering rules for system design.

3.3.2 Secret Key Establishment Even over very short path lengths, security is of concern. For instance, wireless body area sensor networks [3], [69] have path lengths of less than a meter and in a health care setting, government regulations can require the privacy of the data collected. In addition, in conﬁned spaces such as airplanes [66], buses [65] or automobiles [62] it might be desirable to keep information private from other passengers. 44

Secret key establishment uses the reciprocal nature of the wireless channel to generate shared secret keys at two nodes, Alice and Bob, without prior agreement. Because the channel is a time-varying, location specific filter, characteristics of the channel at Alice and Bob are different than those at an attacker node, Eve. To generate shared secret keys Alice and Bob measure some characteristic of the channel over time and then extract bits from those measurements. Because Eve cannot measure the same channel as Alice and Bob, she is unable to generate the same secret key. Secret keys extracted from channel measurements was first suggested by Hershey [28]. Since then, many channel characteristics have been used including measurements of phase [28, 61], channel impulse response [72, 79, 26, 42, 75, 78, 73], or amplitude gain [30, 53, 71, 45, 20, 6, 7, 40]. Challenges for bit extraction include 1) the time correlated nature of channel measurements, which reduce the cryptographic strength of the key unless accounted for in algorithm design, and 2) the non-reciprocities which occur due to the half-duplex nature of the channel measurements (since both transceivers cannot measure the channel simultaneously). For the latter, in order to guarantee complete agreement between the two generated secret keys, information reconciliation [11] is often used to correct a small number of discrepancies without giving away the entire secret key. For those papers with experimental results, received signal strength (RSS) is the most common measurement modality because of its ease of collection. Equipment used to measure the channel for secret key extraction include software radios [40], wireless sensor nodes [53, 20], or wireless cards in laptops [30]. Nearly all of these experimental results used one-dimensional data sources for key extraction with the exception of [79, 26]. While [45] did collect CIR data, only the magnitude of the dominant multipath component is encoded as bits for a secret key. Simulated channel impulse response measurements have been used as a source for secret keys [42, 75, 78, 73, 72]. Models for the simulated channels came from [25] and ITU cellular channels, among others. Many of these papers establish upper bounds for the maximum number of bits that can be extracted. For instance, [78] and [73] 45

both found the maximum number of bits extracted per measurement is aﬀected by the assumptions made about the signal to noise ratio and number of paths in the channel. Finally, [79], [26], and [75] (to a lesser extent) use experimental uni-directional CIR measurements as the source for shared secret keys. In order to approximate bi-directional measurements, the researchers collected data, switched the position of transmitter and receiver and then collected more data. Both [79] and [26] make the problematic assumption that the channel does not change between reciprocal measurements and instead use movement of the transmitter and receiver in a static channel as the sole source of randomness. In real-world situations, the channel is dynamic, changing due to the movement of people, vehicles, tree leaves, etc. The dynamic nature of the channel is both a beneﬁt, when it is used to increase the rate of secret key bit generation, and a source of bit disagreement, when it happens more quickly than Alice and Bob can measure [30]. Bi-directional CIR measurements are clearly important to the experimental evaluation of CIR-based secret key establishment.

3.4 Analysis In this section we present a bi-directional switching system which uses four RF switches to alternate the direction of measurement between two antennas as shown in Figure 3.1. The path of the transmitted signal is dictated by the system state. In short, in state 1 the channel is measured from A2 to A1, while in state 2, the channel is measured in the opposite direction. Compared to a single transmitter and receiver that measure the wireless channel in only one direction, the bi-directional switching system has more sources of power loss due to the multiple switches and cables. These extra components may also introduce non-reciprocities into the measurements due to uneven power loss. Further, it is possible for the transmitted power to take a “wrong” path through the switches to reach the receiver without traveling across the wireless channel. In this section we explore the process of choosing system parameters based on design requirements. 46

3.4.1 Power Loss First we consider the power loss between TX and RX in Figure 3.2. In addition to path loss between antennas A1 and A2, further signal attenuation can be attributed to switch insertion loss and loss in the cables. Traveling from TX to RX the signal is attenuated by four switches and two cables. At this point we assume that switch insertion loss is identical at each switch, denoted Lswitch in dB, and that the four cables are identical in length and have loss Lcable in dB. While design equations can be complicated by dB units, most speciﬁcations are reported in dB. Therefore, unless otherwise noted, we will also use dB. The worst case total attenuation in dB suﬀered by the signal arriving at RX, Lsignal, can be written as:

Lsignal = Lpath + 2Lcable + 4Lswitch (3.1)

where Lpath is the dB radio channel path loss between points F and L in Figure 3.2.

3.4.2 Leakage Two types of leakage are possible. The ﬁrst is leakage through the wireless channel directly from the transmitter to the receiver, possibly due to imperfect shielding of TX and RX components. The other type of leakage is through the switches. Referring to Figure 3.3, switch leakage can either be across an open switch, either RF 1 or RF 2, to RF Common or through a switch from RF 1 to RF 2. As such, one switch has two types of isolation. We call the dB isolation between RF 1 and RF 2, the two poles of the switch, Ipole, and the dB isolation between RF Common and the open connection, Iopen. At this point we assume that the switches have the same Ipole and

Iopen, but we remove this assumption when discussing the example realization at the end of this section. Figure 3.2 shows three diﬀerent leakage paths. Consider the two leakage paths through the switches. Both paths include two cables, Lcable, one RF 1-RF 2 isolation

Ipole, and one RF 1-RF Common isolation, Iopen. The isolation along one of the switch leak paths is:

Ileak = Ipole + Iopen + 2Lcable (3.2) 47

Leakage directly from RX to TX also needs to be considered. We call the isolation between RX and TX, Itr. The total power arriving at the receiver in dB, Pr, is the sum of the signal power and the leakage power which add together in linear terms,

L signal Ileak Itr − 10 − 10 − 10 Pr = Pt + 10 log10 10 + 2 · 10 + 10 (3.3)

where Pt is the transmit power in W.

We plot Pr versus Lpath for various switch and isolation characteristics in Fig- ure 3.4. Depending on these characteristics there is non-linearity in the received

power equation. In particular, as Lpath → ∞, Pr approaches a constant.

3.4.3 System Design In order to design the system such that the linear range of (3.3) contains the range of path losses we desire to measure, we must choose appropriate components. In this section we provide guidelines for the selection of switches and system design parameters. First we provide a rule of thumb for switch selection, and then we discuss the requirements for TX/RX isolation.

As path loss, Lpath, increases, at some point the signal power will become domi- nated by leakage power. Rewriting Equation 3.3 we have:

Pr = Pt − Lsignal + 10 log10 (1 + Esw + Etr) (3.4)

where,

−Ipole−Iopen+Lpath+4Lswitch Esw = 2 · 10 10 (3.5)

−Itr+Lpath+2Lcable+4Lswitch Etr = 10 10 (3.6)

Both Esw and Etr are error terms which cause non-linearity in the system response.

The error term Esw corresponds to the non-linearity that can be controlled by choice of switch, while the error term Etr corresponds to the non-linearity that is aﬀected

by the TX/RX isolation, Itr.

As we can see from (3.4), if Esw and Etr are zero, then the received power is linearly

related to the transmit power and the path loss. The extra losses, 2Lcable + 4Lswitch, from (3.3) can be measured and removed in calibration. 48

Ignoring for the moment error contributed by the TX/RX isolation (Etr = 0), the system response will be less than 3 dB in error due to switch leakage when Esw ≤ 1. Setting (5) ≤ 1, −Lleak+Lpath+2Lcable+4Lswitch 2 · 10 10 ≤ 1 (3.7)

Simplifying and replacing Lleak with switch parameters,

Ipole + Iopen − 4Lswitch ≥ 3 + Lpath (3.8)

This equation relates switch parameters with measured path loss. When selecting a switch, we must ensure that the left hand side of (3.8), Ipole + Iopen − 4Lswitch, is greater than 3 dB plus the maximum path loss we expect to be able to measure. For some applications, 3 dB error is likely to be acceptable since it is similar to errors for typical path loss measurements, but for small scale fading, a more accurate limit might be 1 dB. In that case,

−Lleak+Lpath+2Lcable+4Lswitch 2 · 10 10 ≤ 0.25 (3.9)

Simplifying and replacing Lleak with switch parameters,

Ipole + Iopen − 4Lswitch ≥ −3 + Lpath (3.10)

Similarly, to quantify the requirements for TX/RX isolation, Itr, we can evaluate

Etr. If Etr ≤ 1, then the system response will be less than 3 dB in error due to TX/RX leakage. This requirement along with (6) leads to,

Itr − 2Lcable ≥ Lpath + 4Lswitch (3.11)

The system response will be less than 1 dB in error due to TX/RX leakage when

Itr − 2Lcable ≥ Lpath − 6 + 4Lswitch (3.12)

Itr is a function of the TX and RX equipment used with the four switch system. It can be measured by disconnecting the RF output of the TX and the RF input of the RX and measuring received power. If Itr needs to be increased, the TX and RX should be separated by a greater distance or extra shielding added. 49

The diﬃculty in increasing the distance between TX and RX is that it will require longer cables and thus Lcable will also increase, decreasing the linear range of the system. It will be important to use low loss cable as the length of the cable increases in order to maintain an acceptable dynamic range. In summary, a system designer should select a switch using the maximum expected path loss and (3.8). Then the system designer should select cable and evaluate if Itr is suﬃcient based on (3.11).

3.4.4 Example Realization In this section we experimentally validate the desired dynamic range of the four switch system. The individual components and nominal values for component parameters are listed in Table 3.1. To validate the dynamic range, we put increasing amounts of attenuation between points F and L in Figure 3.2 using cable and a variable attenuator. Figure 3.5 shows power at the receiver, Pr vs. the known attenuation Lpath.

This is compared to the analytical Pr using (3.3) and measured values for loss and isolation. These values ranged between 1.54 and 2.39 dB for Lswitch and between

44.84 and 53.21 dB for Iopen. We used Ipole = 50 dB as cited in the datasheet. As discussed we found Itr = 111 dB. When taking this measurement, the noise ﬂoor of the receiver was −125 dB. Because the insertion loss and isolation characteristics vary slightly between the two sides of any switch, the dynamic response in the two states are slightly diﬀerent. This is especially evident at the bottom of the dynamic range. Figure 3.5 shows that the linear range of the bi-directional measurement system paired with our software radio has a dynamic range of 40 dB to around 85 dB. Within that dynamic range, received power in state 1 and state 2 are nearly identical. The non-linearity at the top of this range is caused by saturation of the A/D converter of the software radio. The measurements we present in this paper are at path losses much less than 85 dB, typically 70 dB. At 70 dB of path loss, leakage causes 0.11 dB of error in our measurements. This is much smaller than typical path loss measurement errors. 50

(a) State 1. A2 is Transmitter

(b) State 2. A2 is Receiver

Figure 3.1. Redirecting the transmitted and received signals to measure both directions of the radio channel between antennas A1 and A2.

Table 3.1. Switching System Components Component Type Parameters Switches Mini-Circuits ZX80-DR230+ Iopen = 48dB, Ipole = 50dB, Lswitch = 1.7dB Output Controller ADAM-4050 Max. Switching Frequency = 83Hz Cables 8 m LMR-400 coax 0.2 dB/m loss @ 2.4 Ghz 51

Figure 3.2. Labeled switch diagram in state 1. The correct path for the signal is {G,I,J,L,F,D,B,A}, however three incorrect paths are possible: directly from transmitter to receiver (-.), {G,H,E,D,B,A}(- -), and {G,I,J,K,C,A} (..).

3.5 Bi-Directional CIR Measurements In this section we describe the bi-directional measurements made using our implementation of the measurement system presented in Section 3.4. For completeness, a description of the channel sounding equipment used is included.

3.5.1 Software Radio Any existing radio channel measurement equipment could be used in conjunction with the four switch system described in this paper; we use the Sigtek ST-515 software radio. Among other characteristics, the ST-515 can measure the time delay, phase and amplitude of multipath in the radio channel. It has two parts, a TX and an RX. In normal operation, the TX is in a ﬁxed position while the RX is mobile. The TX consists of a direct sequence spread spectrum (DSSS) generator, up converter (2.400 to 2.483 GHz) and a power ampliﬁer. The RX contains a down converter, snapshot digitizer and a computer running Matlab for control and computation, and can collect nine measurements per second. ˆ The RX measures the channel impulse response (CIR) over time, h(tn, τ),

ˆ jθ X jφi(tn) h(tn, τ) = e αi(tn)e η(τ − τi(tn)) (3.13) i

where αi(tn), τi(tn) and φi(tn) are the amplitude, delay and phase shift, respectively, of th the i multipath component measured at time tn and η(τ) is the autocorrelation of the 52

Figure 3.3. One RF switch. RF common can be connected to either RF 1 of RF 2.

Baseline

Ipole=60

Itr=100 40 L =1 switch

Received Power .

100

(dB relative to transmit power)

0 20 40 60 80 100 120 Known Attenuation (dB)

Figure 3.4. Possible linear ranges of four sets of parameters. Given baseline Ipole = 50 dB, Iopen = 45 dB, Lcable = 2 dB, Lswitch = 2 dB and Itr = 111 dB, each plot other than baseline changes one parameter.

measured state 1 30 measured state 2

40 calculated state 1

calculated state 2

Received Power .

100

(dB relative to transmit power) 110 0 20 40 60 80 100 120 140 Known Attenuation (dB)

Figure 3.5. Known attenuation between junctions F and L plotted against received power. Note that measurements and calculations were made assuming a transmitter frequency of 2.44 GHz. 53

PN code signal. The PN autocorrelation function is a ﬁnite-bandwidth approximation of the Dhirac impulse function. Due to the fact that RX and TX are not phase- 2 synchronous, θ is a uniform random 0, π variable.

3.5.2 Measurements Collected We present measurements from an indoor oﬃce environment with the objective of characterizing the non-reciprocities that would exist in measurements of the radio channel that two transceivers would experience during secret key establishment. While the channel is reciprocal, measurements of the channel are not. Using the four switch system in experiments allows us to characterize the channel that two transceivers would utilize.

Figure 3.6. TX, RX, A1 and A2 locations. The TX and RX are next to opposite walls of a rectangular room. The two antennas centered between them along the two remaining walls.

In these experiments, the antennas are approximately 3.5 m apart as shown in Figure 3.6 and are stationary. The type of motion in the wireless channel is changed between datasets. In dataset A (Figure 3.7(a) and 3.7(b)), nothing is moving in the room. In dataset B (Figure 3.7(c) and 3.7(d)), an experimenter is walking between the antennas. 54

-70

( )

¢ £

( ) + ( )

£ ¤ £ -80 ¢

( ) ( ) ¥

¢ £ ¤ £ -90

-100

-110 Power (dB) -120

-130

0.0 0.1 0.2 0.3 0.4 0.5 0.6

Time Delay, , ( s)

¡ (a) (b)

-70

( )

¢ £

( ) + ( )

£ ¤ £ -80 ¢

( ) ( ) ¥

¢ £ ¤ £ -90

-100

-110 Power (dB) -120

-130

0.0 0.1 0.2 0.3 0.4 0.5 0.6

Time Delay, , ( s)

¡ (c) (d)

Figure 3.7. Bi-directional measurements for two data sets. Plots 3.7(a)and 3.7(c) and show 10 pairs of measurements. Power in dB is relative to transmit power. The dark plots are measurements from antenna A1 to A2. The light plots are measurements from antenna A2 to A1. The time between each measurement was 0.11s. Plots 3.7(b) and 3.7(d) show the mean and the mean plus and minus the standard deviation of 175 pairs of measurements. 55

The first two plots of Figure 3.7 show that measurements of channel impulse response do not change significantly over time when there is no movement. However, during movement in the wireless channel (Figures 3.7(c)- 3.7(d)) the measured CIR varies. The results are similar in the frequency domain. Figure 3.8 plots two subsequent channel frequency response measurements from dataset A and two from dataset B. The time between the two measurements is 0.11s. In the final experiment we introduce time-varying interference into the channel. We place three wireless sensors close to one of the antennas. The wireless sensor modules have an IEEE 812.15.4 transmitter which is programmed to transmit at a center frequency of 2.440 GHz at a transmit power of 0 dBm. The synchronized wireless sensors alternate between 10 seconds of continuous packet transmission and 10 seconds of radio silence.

Figure 3.9 shows the magnitude of individual channel impulse responses. At tn > 45s the wireless sensor modules next to A2 are transmitting and interference is only present on one side of link.

3.6 Secret Key Extraction In this section we present a method of extracting bits from bi-directional measurements to create shared secret keys. Tools for extraction of uncorrelated secret key bits from RSS measurements are devleoped in [53] and [20]. This paper further develops a method to generate uncorrelated secret key bits from channel impuse response measruements. As with RSS measurements, the challenge for bit extraction is to extract as many uncorrelated bits as possible with low probability of bit disagreement between the keys generated at two transceivers. For the sake of notational simplicity and in keeping with other work in this area, we designate two nodes, Alice or “a”, and Bob or “b”, as the legitimate users. In this case, Alice is at antenna A1 and Bob is at antenna A2. When we speak of Alice measuring the channel we mean that she records the channel impulse response when Bob is transmitting. After N measurements are made at each antenna, Alice and 56

Bob each have matrix Hc where,

ˆ ˆ Hc = [hc(1),..., hc(N)] (3.14)

ˆ ˆ Each CIR measurement, hc(n, k) = h(tn, kT ) from (3.13) as measured at node c ∈ {a, b}, has K measured time delays and is deﬁned as,

ˆ ˆ ˆ T hc(n) = [hc(n, 1),..., hc(n, K)] (3.15)

Signal processing is used to remove correlation between subsequent channel measurements and to mitigate non-reciprocities caused by the half-duplex nature of channel and the unsynchronized TX and RX. This method has four steps: 1) synchronize 2) interpolate 3) decorrelate 4) quantize. We describe each step in Section 3.6.2, and a block diagram is given in Figure 3.10.

3.6.1 Adversary Model We assume that the adversary, Eve, can listen to all communications between Alice and Bob. Eve can also measure both the channels between herself and Alice and between herself and Bob at the same time when Alice and Bob measure the channel between them for key extraction. We assume that Eve is more than a few wavelengths away from Alice or Bob. We also assume that Eve knows the key extraction algorithm and the values of the parameters used in the algorithm. We assume that Eve cannot jam the communication channel between Alice and Bob. We also assume that Eve cannot cause a man-in-the-middle attack, i.e., our methodology does not authenticate Alice or Bob.

3.6.2 Method Synchronize: The lack of time synchronization between transmitter and receiver introduces non-reciprocities between measurements made by Alice and those made by Bob in both the magnitude and phase of the signal. One simple method to synchronize time delay is to shift the measurement so that the dominant (highest power) multipath is at a known time delay, but if two paths of equal strength are measured this will occasionally fail to align the signals, as shown in Figure 3.11. In 57 addition, the signals have a random rotation caused by slight differences in the carrier frequencies (Figure 3.12). In order to maximize the number of bits extracted we need to align the signals both along τ and in phase. To correct the shift along τ we use the median of the magnitude of the signal in th ¯ linear units. The median of the n measurement, kn, is the value of the first index ˆ 1 PK ˆ where the cumulative sum of |hc(n)| is greater than 2 k=1|hc(n, k)|. If this median is significantly different than the index of the maximum, the signal is shifted. ¯ − + We encode CIR samples from before and after the peak kn. Let k and k denote the number of CIR samples before and after the peak to be encoded, respectively. From our measurements, we find that k− = 10 and k+ = 40 capture the samples that are typically above the noise floor, and thus K = 51. We can correct the phase offset by rotating each measurement so that the angle of the sum of the channel impulse response is equal to zero. We find the offset, θc(n), as K X ˆ θc(n) = −∠ hc(n, k) (3.16) k=1 where c ∈ {a, b}. Then for each measurement we shift, truncate and rotate. For n = 1,...,N,

¯ ˆ ¯ − ˆ ¯ + T jθa(n) fa(n) = [ha(n, kn − k ),..., ha(n, kn + k )] e

¯ ˆ ¯ − ˆ ¯ + T jθb(n) fb(n) = [hb(n, kn − k ),..., hb(n, kn + k )] e ¯ We can extract bits from either the phase or magnitude information in fc. When ¯ we refer to the encoding of magnitude information, we let fc = |fc|, and when we ¯ refer to the encoding of phase information, we let fc = unwrap(fc). The next three ¯ steps, interpolation, decorrelation and quantization are performed once for |fc| and ¯ once more for ∠fc. We use unwrap(x) to denote the phase unwrapping of complex vector x.

Finally, we denote matrix Fc as,

Fc = [fc(1),..., fc(N)] (3.17)

Interpolate: Like most transceivers, the presented bi-directional measurement system is incapable of making simultaneous measurements in opposite directions. In 58

other words, it is not possible to measure from antenna A1 to A2 and measure the channel from A2 to A1 at the same time. The time between measurements introduces non-reciprocities. We use a fractional delay interpolation ﬁlter to obtain an estimate of the channel in both directions at a single point in time. The fractional delay between the nth measurement made by Alice and the nth measurement made by Bob 1 t (n) − t (n) µ = b a (3.18) 2 T

th where tb(n) and ta(n) are the arrival times of the n signal at Bob and Alice respectively. We implement two fractional delay ﬁlters, one for each side of the link. W.l.o.g. we

assume that ta(n) < tb(n) so that µ > 0. The ﬁlters are applied to rows in Fc, where T Fc = [f1c,..., fkc] and c ∈ {a, b}. If we interpolate points in fka where k = 1 ...K so

each sample is delayed by (1+µ)T and interpolate points in fkb so that each sample is delayed by (1−µ)T , we would have nearly simultaneous measurements. These delays can be broken down into fractional, µ, and integer, i, delays. At each node:

µa = µ µb = 1 − µ ia = 1 ib = 0 (3.19)

We implement the cubic Farrow ﬁlter [24]. For c ∈ {a, b}:

3 3 2 sc = µc /6 − µc/6, −µc /2 + µc /2 + µc, 3 2 3 2 T µc /2 − µc + 1, −µc /6 + µc /2 − µc/3

T For each time delay, k = 1,...,K, we convolve fkc with the filter to obtain gkc = fkc∗sc T and Gc = [g1c,..., gkc] . The matrix of filtered signals Gc where c ∈ {a, b}, becomes the input to the next step in the bit extraction process. Decorrelate: Bits extracted from correlated measurements are likely to also be correlated, thereby reducing the strength of the secret key. A valid solution would be to sub-sample measurements far enough apart in time or space such that the measurements are no longer correlated. However, this could reduce the rate of bit extraction. Instead of sub-sampling, we use the Karhunen-Loéve transform to obtain decorrelated measurements. 59

There are KN elements of Gc. The covariance matrix for all elements of Gc would have K2N 2 elements. To avoid dealing with such a large matrix, we decorrelate along the columns of Gc = [gc(1),..., gc(N)] and then along the rows.

Given one synchronized, interpolated measurement, gc(n) we decorrelate by

T yc = Ug (gc(n) − µg) (3.20)

where µg is the mean of gc(n) and Ug is the decorrelation matrix. The decorrelation

matrix, Ug, is found from the singular value decomposition (SVD) of the covariance T matrix, Rg = cov(gc(n)), such that, Rg = UgSgUg , where Sg is a diagonal matrix of

eigenvalues. The decorrelated vectors, yc are the columns of Yc = [yc(1),..., yc(N)]. Decorrelation of the components in time is very similar to the above step. However, T because each of the K rows of Yc = [y1c,..., ykc] are correlated diﬀerently over time, we need to estimate a covariance matrix and calculate the SVD to ﬁnd a decorrelation th matrix for each row. Given the k row at node c, ykc, we decorrelate by

T zkc = Uk (ykc − µk) (3.21)

where µk is the mean of ykc and Uk is a matrix that transforms ykc into uncorrelated

components. The decorrelation matrix, Uk is found from the SVD of the covariance T matrix, Ry = cov(ykc) such that Ry = UkSkUk . The covariance matrices are estimated using measurements made in both directions. In order for Alice and Bob to each have a copy of all measurements this data must be exchanged between them over an unsecured channel. Since an evesdropper would be expected to overhear this exchange, preliminary measurements used to estimate the covariance matrices are not used for secret key bit extraction. Then further measurements are collected and decorrelated for bit extraction. Quantization: The next step is to quantize the decorrelated measurements. While we want to maximize the number of bits extracted from each decorrelated

value, we also want to limit the probability of bit disagreement, Pbd. We apply multi-bit adaptive quantization [53] (MAQ), which achieves a high rate of bits per

sample for a desired Pbd. The number of bits extracted from each zkc depends on the

correlation between the reciprocal components and the desired, or target, Pbd. 60

3.6.3 Results Data: We collected 3200 pairs of bi-directional CIR measurements using the four switch system described previously. The dataset was split in half, with 1600 pairs of measurements used to estimate the covariance matrices and 1600 pairs from which bits were extracted. The antennas were placed 3 meters apart. An experimenter walked at a slow pace (0.1 meters per second) in a circle between the antennas while the measurements were conducted. Bits Extracted: The above bit extraction method was applied separately to the magnitude and then to the phase of the measurements. The number of bits extracted per measurement for a range of Pbds are plotted in Figure 3.13. A wideband estimate of RSS can be found from the CIR measurements by ﬁnding the area under the magnitude of the CIR signal [57]

K X ˆ 2 r(n) = 10 log10 |h(k, n)| (3.22) k=1

for n = 1 ...N. For comparison we applied a similar bit extraction method to these calculated RSS values. The bits per measurement vs. the probability of bit disagreement for the calculated RSS values are plotted in Figure 3.14. Key Strength: We used NIST’s approximate entropy test from the randomness test suite [60] to ﬁnd the entropy rate of keys generated using this bit extraction method. The average entropy rate was 0.9847 for magnitude and 0.9870 for phase. For comparison the average entropy rate for keys generated from the RSS data was 0.9846. An ideal bit stream has entropy rate 1.0. While high entropy is necessary for a strong key, it is not suﬃcient since the key must also be random. We used additional tests from NIST’s randomness test suite to help determine if the keys were random. Each of the 11 tests is a hypothesis test that evaluates randomness based on a characteristic of the sequence. The p-values

for these tests are in Table 3.2 for two target Pbd = 0.4, 0.75 for CIR magnitude data

and Pbd = 0.04 for estimated RSS data. A p-value of greater than 0.01 is considered as passing, though values closer to 1 are judged to be more random. 61

-40 State 1 State 1 -60 State 2 State 2 -60

-80 -80

-100 -100

-120 -120 Attenuation (dB) Attenuation (dB) -140 -140 -160 2.420 2.425 2.430 2.435 2.440 2.445 2.450 2.455 2.460 2.420 2.425 2.430 2.435 2.440 2.445 2.450 2.455 2.460 Frequency (GHz) Frequency (GHz) (a) (b)

Figure 3.8. Example bi-directional measurements in the frequency domain for (a) dataset A and (b) dataset B.

Table 3.2. NIST p-values CIR RSS NIST Test Pbd = .04 Pbd = .075 Pbd = .04 Approx. Entropy 0.752 0.833 0.146 Block Freq. 0.998 1.0 0.911 Cum.Sum Forward 1.0 1.0 0.942 Cum.Sum Reverse 1.0 1.0 0.737 FFT 0.751 0.974 0.854 Freq. 0.989 0.992 0.643 Linear Comp. 0.423 0.313 0.677 Template 0.763 0.506 0.394 Rank 0.791 0.626 0.742 Runs 0.642 0.483 0.765 Serial 0.584 0.569 0.655 62

60 ¢ t =37.4s

70 n ¢ tn =37.51

80 ¢

90 ¢

100 ¢

110 ¢

120 ¢ Received Power .

130 ¢

140 ¢ (dB relative to transmit power) 150 ¢ 0.0 0.2 0.4 0.6 0.8 1.0 1.2 1.4 1.6

Time Delay, , ( s)

¡ (a)

60 ¢ t =48.84s

70 n ¢ tn =48.95s

80 ¢

90 ¢

100 ¢

110 ¢

120 ¢ Received Power .

130 ¢

140 ¢ (dB relative to transmit power) 150 ¢ 0.0 0.2 0.4 0.6 0.8 1.0 1.2 1.4 1.6

TimeDelay, , ( s)

¡ (b)

Figure 3.9. (a) When interference source is oﬀ, subsequent CIR measurements between A2 to A1 (tn = 37.4s) and from A1 to A2 (tn = 37.51s) are nearly identical. (b) When interference source is on, CIR measurements between A2 to A1 (tn = 48.84s) are unchanged while those from A1 to A2 (tn = 48.95s) show interference. 63 ), and quantization (using t and time τ ), decorrelation (across time delay c s . Secret key bit extraction from CIR measurements involves synchronization (phase and time delay), interpolation (using fractional delay ﬁlter Figure 3.10 multi-bit adaptive quantization). 64

0.09

Alice |

) 0.08

n Bob ( ˆ h

| 0.07

0.06

0.05

0.04

0.03

0.02

0.01 Normalized Magnitude, 0.00 20 40 60 80 100 120 τ index, k

Figure 3.11. Two CIR measurements made by Alice and Bob. Aligning the indices of the dominant multipath does not always align the signals.

0.15

0.10

0.05

Imaginary Part CIR 1 0.00 CIR 2 CIR 3 CIR 4 −0.05 −0.06 −0.04 −0.02 0.00 0.02 0.04 0.06 Real Part

Figure 3.12. CIR measurements showing the random rotation which must be removed before bits can be extracted.

3.6.4 Discussion Using the presented bit extraction method, we can extract 3.89 times more bits

for a Pbd = 0.1 from CIR measurements than from RSS measurements and 7.84 times for a Pbd = 0.04 (Table 3.3). Keys extracted from CIR measurements using the above method have a high entropy rate and have been tested by the NIST randomness test suite to have characteristics consistent with random bit sequences. 65

Bits per Measurement (magnitude) 0 0.00 0.01 0.02 0.03 0.04 0.05 0.06 0.07 Probability of Bit Disagreement (a) Bits from Magnitude

1.2

1.0

0.8

0.6

0.4

0.2 Bits per Measurement (phase) 0.0 0.00 0.02 0.04 0.06 0.08 0.10 Probability of Bit Disagreement (b) Bits from Phase

Figure 3.13. (a) Number of bits extracted per measurement from |H| for various Pbd (b) Number of bits extracted per measurement from ∠H.

Table 3.3. Bits per Sample Comparison Bits Extracted Per Sample From: Improvement Pbd CIR Mag CIR phase RSS 0.01 1.0 0.09 0.28 389% 0.02 1.9 0.18 0.42 495% 0.04 4.8 0.38 0.66 784% 66

1.4

1.2

1.0

0.8

0.6

Bits per Measurement 0.4

0.2 0.00 0.02 0.04 0.06 0.08 0.10 Probability of Bit Disagreement

Figure 3.14. Number of bits extracted per RSS measurement for various Pbd

With this algorithm many more bits are extracted from the magnitude of CIR measurements than the phase. This is due in part to the aliasing nature of the (−π, π) phase signal. Although the phase was unwrapped, the unwrapping algorithm ˆ ˆ was ignorant of the relationship between hc(n) and hc(n+1). This could have caused discontinuities between subsequent measurements that may have introduced non- reciprocities in some measurement pairs.

3.7 Conclusion This paper presents a four switch system built from oﬀ-the-shelf hardware that economically extends the usefulness of pre-existing radio channel measurement equipment. By alternating the direction of measurement using RF switches, this system allows a software radio with a single TX and single RX to make bi-directional measurements. We presented design equations that take switch, channel and cable characteristics into account in order to ensure that the leakage power is kept low. These design equations can be applied to any similar four switch system. Using these equations we showed the eﬀect of switch characteristics on the expected linear range of the system. The switching system allowed the collection of bi-directional channel impulse response measurements which were used to evaluate a new bit extraction algorithm. 67

This bit extraction method does not rely on the assumption of a static channel with moving transmitters and receivers. Instead, it can take advantage of the dynamic nature of the channel itself. We found that the bit extraction method produces bits with a high entropy rate and characteristics consistent with those of random bit sequences. The rate of bit extraction from CIR measurements is nearly 8 times greater than the rate of bit extraction from RSS measurements for a 0.04 probability of bit disagreement. CHAPTER 4

RECIPROCAL FADING SIGNAL ESTIMATION METHODS FOR SECRET KEY ESTABLISHMENT

4.1 Abstract Methods for secret key establishment (SKE) from bi-directional radio channel measurements have largely assumed that measurements are made simultaneously. Practical time-division duplex (TDD) transceivers measure the two directions of a radio link at diﬀerent times. Further, other users of the channel create multiple access delays which result in random and irregular measurement times. In this paper we explore estimation methods which allow two TDD transceivers on multiuser channels to reduce the disagreement between their channel measurements, which improves their ability to extract shared secret key bits from them. We present a novel estimation method which uses side information to increase the bit extraction rate up to 50% compared to without side information.

4.2 Introduction Secret key establishment (SKE) from bidirectional channel measurements is a method for two wireless devices to obtain a shared secret key without communicating any information about the key to an eavesdropper. The two transceivers make measurements of the multipath fading channel, which serves as a joint source of randomness between them that is not known by an eavesdropper at a different location, because the channel reflects the uniqueness of the time and space in which it was created [6, 30, 61]. SKE is a tool for information theoretic security, which, in 69 contrast to computational security, makes no assumptions about the computational limitations of an eavesdropper, but may require a secret key rate as high as the information rate of the secret message being exchanged [64]. Thus increasing the rate at which secret key bits can be reliably extracted from bidirectional channel measurements is a critical requirement for practical systems. This paper provides methods to increase the agreement between the two directional measurements and thus increase the extraction rate. The radio channel at the same frequency and same time is reciprocal, however, bidirectional measurements of the channel are not. First, additive noise, interference, and hardware differences cause errors in the channel measurements. Second, time- division duplex transceivers are unable to transmit and receive simultaneously, thus one cannot sample the two directions of the channel at the same time. In packet- switched networks, measurements are made only when the devices are able to access the channel to send a packet. In a multiuser channel, packets are delayed non- deterministically by other users’ traffic, and thus measurements are made at random and irregular intervals[58]. The non-identical, irregular measurement times in multiuser channels can cause severe degradation in the performance of bit extraction methods. We first experienced these problems during a demonstration of SKE on two 802.11 devices at the ACM MOBICOM conference in 2010 [19]. While our SKE implementation worked well in the lab, among a high density of active 802.11 devices in the demo session, our devices experienced many very long multiple access delays, and as a result the bit extraction rate was very low. Our work addresses the practical, real-world problems caused in SKE from the use of noisy channel measurements taken at non-identical, irregular sample times. These problems are common to TDD devices which operate in multiple access channels. We study, in particular, the estimation of what we term the reciprocal fading signal, that is, the channel state between two transceivers which is measured in noise and at different, potentially irregular, sample times at the two different devices. We compare different interpolation and regression methods, including fractional delay 70 interpolation (FDI), polynomial interpolation (PI), and Gaussian processes regression (GPR), which estimate the value of the reciprocal fading signal at common times. FDI is used in related research [53], and we show it is insufficient in the case when channel measurements are noisy and irregular. We also investigate the use of side information (obtained from public discussion) at the two transceivers to increase performance, in a method we call GPR with side information (GPRSI). We evaluate performance using experimental measurements made with Nexus One phones (802.11) and TelosB wireless sensors (802.15.4). We show, for example, that GPRSI can achieve a bit extraction rate up to 50% higher than GPR. We provide a short summary of related research in Section 4.3. In Section 4.4 we set up the problem. In Section 4.5 we examine four methods of estimating the reciprocal fading signal using interpolation and regression. Section 4.6 describes the differences in the two testbeds we use to experimentally evaluate the four estimation methods. In Section 4.7 we show how these methods affect the bit extraction and the error between Alice’s and Bob’s estimation. Section 4.8 forms the conclusion.

4.3 Related Research Shared secret key extraction from channel characteristics was first described in [28]. Since then several efforts have designed and evaluated bit extraction schemes using many different channel characteristics. Some of these characteristics are angle of arrival [6], phase [28, 61] and received signal strength [45, 30, 53] ,[7, 71], [45]. Of these, received signal strength (RSS) is most commonly studied because RSS measurement capability is ubiquitous in standard commercial devices. While signal processing has been used to increase the bit extraction rate in SKE methods reported in the literature. Most of the signal processing techniques have been computationally inexpensive such as a low pass filter [45, 71] fractional delay interpolation [53] or ranking [20]. In all cases, these techniques have been performed independently at the two nodes. Public discussion between two parties is an important means to reliably establish secret keys from shared random variables [46]. Usually this has included sharing 71 information about the collected measurements. Information has been shared to facilitate various quantization methods [45, 53, 15] and for information reconciliation [11] which corrects a small number of discrepancies between the shared secret keys. How much of this information is exchanged and in what manner is carefully addressed to keep the secret key safe from eavesdroppers. In this paper, we study the use of a particular example of public discussion, that is, the exchange of one bit of information about the measurement, in order to improve reciprocal fading channel estimation.

While public discussion for other tasks within bit extraction is common, few estimation methods have taken advantage of information publicly shared between Alice and Bob. In this paper we present a way for Alice and Bob to estimate the reciprocal fading signal using Gaussian processes regression. Gaussian processes regression (GPR) is a useful tool for wireless sensor networks that has been used mainly to estimate a spatial ﬁeld using data collected by sensors nodes. Examples include GPR for environmental sensor networks [50], adaptive sampling [33] and sensor network deployment [37]. GPR estimates the value of a signal at unobserved points in time based upon observed measurements and a covariance function and, unlike some interpolation techniques such as fractional delay interpolation, GPR can take noisy measurements into account. Since it is possible for the two nodes to share the covariance function as well as some information about the noise of each measurement with respect to the actual fading signal, GPR can be used to improve reciprocal fading channel estimation.

4.4 Problem Statement We assume that Alice and Bob make measurements of a reciprocal channel. These measurements are not identical due to noise and the inability of Alice and Bob measure the channel at identical times. The object is to estimate the underlying reciprocal fading signal, y(t), from these noisy, oﬀset measurements.

Many channel characteristics can be used for secret key establishment (SKE), but received signal strength (RSS) is most common. To measure the RSS, Alice and Bob exchange n packets as fast as possible. Upon receipt of Alice’s ith packet, Bob 72 measures the RSS and sends a packet to Alice, who also measures RSS. After data collection ends, Alice and Bob each have a vector of RSS values,

wc = [wc(1), . . . , wc(n)] (4.1) where c ∈ {a, b}. We use subscripts a or b to refer to Alice and Bob respectively. These measurements were made at times

tc = [tc(1), . . . , tc(n)] (4.2)

We assume that Alice and Bob are time synchronized and that error in measuring the times tc or error due to clock-skew is much less than the smallest sample period,

T = tc(i + 1) − tc(i). Alice and Bob also collect Nc calibration measurements that are shared between the two nodes. Since the RSS values are exchanged over an unsecured channel, we assume that an eavesdropper has knowledge of these measurements and so they are not used as part of the secret key.

While the channel is reciprocal, Alice and Bob’s measurements, wc, are noisy, so that,

wc(tc(i)) = y(tc(i)) + (tc(i)) (4.3) where y(t) is the reciprocal fading signal sampled at times tc(i) and (t) is noise at time tc(i). We assume that y(t) is a wide-sense stationary (WSS) process.

Equation 4.3 makes it clear that non-reciprocities, the reasons that wa(i) 6= wb(i), come from two sources:

1. Alice and Bob are unable to measure the channel at identical points in time.

2. The measurements themselves are noisy.

The problem studied in this paper is to have Alice and Bob separately or with some shared knowledge estimate the reciprocal RSS signal y(t) at common points in time.

We denote these common times as t∗,

t∗ = [t∗(1), . . . , t∗(n)] (4.4) 73

th th where t∗(1) < ··· < t∗(n), and generally the i common time is between the i sample times of Alice and Bob, ta(i) ≤ t∗(i) ≤ tb(i). The problem then is for Alice and Bob to estimate yˆc, where

yˆc = [ˆyc(t∗(1)),..., yˆc(t∗(n)) (4.5) for c ∈ {a, b}. Throughout this paper values of t∗ are calculated as, 1 t = (t + t ) (4.6) ∗ 2 b a This paper explores polynomial interpolation, fractional delay interpolation and Gaussian processes regression as ways of increasing the number of bits that can be extracted by mitigating non-reciprocities in Alice’s and Bob’s measurements.

4.5 Estimation Methods Interpolation and noise reduction with non-uniform samples is a general problem with wide applicability. These problems are experienced regardless of measurement type and regardless of the bit extraction methodology as long as the measurements are TDD. While some systems can be designed to prioritize transmission and reception for secret key extraction, practical systems will need to be robust to non-uniformity in order to operate on general-purpose devices, in multiple-user interference and at very low received power. In this section we describe four methods for mitigating noise in bi-directional TDD channel measurements that can be categorized as interpolation or regression. In broad terms, interpolation is used to align sample instances or to ﬁnd the value of a signal at unobserved points in time when the signal is bandlimited, sampled above it’s Nyquist rate with no noise, c(i) = 0. Regression, on the other hand, is used to estimate the real signal in the presence of noise. Since the measurements of the reciprocal fading signal are both unaligned in time and noisy, it is possible that both interpolation and regression are needed depending upon the wireless environment.

4.5.1 Polynomial Interpolation

In order to estimate the value of a signal at unobserved points in time t∗, polynomial interpolation (PI) ﬁts a polynomial of order q to measured values. For 74 band-limited signals, a cubic polynomial (q = 3) is often used since it is a reasonable approximation of a sinc function [24]. The polynomial used to estimate the reciprocal fading signal can be written as,

3 2 yˆ(t∗(i)) = a3t∗(i) + a2t∗(i) + a1t∗(i) + a0 (4.7)

The polynomial coeﬃcients, a = [a1, a2, a3, a4], are found by solving a system of equations:

Πa = wc (4.8) where Π is  3 2  tc(1) tc(1) tc(1) 1 3 2 tc(2) tc(2) tc(2) 1  3 2  (4.9) tc(3) tc(3) tc(3) 1 3 2 tc(4) tc(4) tc(4) 1

T and wc = [wc(1), wc(2), wc(3), wc(4)] Solving for a,

−1 a = Π wc (4.10) the estimated reciprocal fading signal becomes,

3 2 −1 yˆ(t∗(i)) = t∗(i) , t∗(i) , t∗(i), 1 Π wc (4.11)

PI −1 where the coefficients of the polynomial filter are hc = t∗Π and assuming Π is PI invertible. The filter coefficients hc are only dependent upon the time at which the reciprocal fading signal is estimated t∗(i) and the times at which the fading signal was measured, tc.

If all adjacent sample instants, tc(i) and tc(i + 1), are the same distance apart and the time value to be interpolated is delayed by the same amount with respect to tc, the system of equations only has to be solved once. This is referred to as fractional delay interpolation [24]. However, if tc(i + 1) − tc(i) is not a function of i, the system of equations must be solved for each set of four adjacent samples and new

ﬁlter coeﬃcients found for each new interpolated time, t∗(i). The advantage of PI is that it is able to interpolate any t∗(i) even with non-uniform samples. 75

4.5.2 Fractional Delay Interpolation

If the sampling period is constant, ie., T = tc(i+1)−tc(i) for all i and for c ∈ {a, b}, then a fractional delay interpolation (FDI) ﬁlter can be used to mitigate half-duplex noise. FDI ﬁlters have been used to synchronize sampling in digital modems and in sound recording [38]. Similarly to PI, we want to to estimate the value of the reciprocal fading signal, y(t), at unobserved points in time, t∗. The estimated signal is,

FDI FDI yˆ(t∗(i)) = hc (4)wc(i − 2) + hc (3)wc(i − 1) + (4.12)

FDI FDI hc (2)wc(i + 1) + hc (1)wc(i + 2)

The polynomial interpolator is a general case for FDI. If Alice and Bob are sampling at the same rate, the fractional delay between the th th i measurement by Alice, wa(i), and the i measurement made by Bob, wb(i), is, 1 t (i) − t (i) µ = b a (4.13) 2 T

th where tb(i) and ta(i) are the arrival times of the i packet at Bob and Alice respectively and T is the (constant) sample period. We implement two fractional delay ﬁlters, one each at Alice and Bob. W.l.o.g. we th assume that ta(i) < tb(i) so that µ > 0. If we interpolate points in wa so that the i th sample is delayed by (1 + µ)T and interpolate points in wb so that the i sample is delayed by (1−µ)T , we would have nearly simultaneous measurements. These delays can be broken down into fractional, µ, and integer, d, delays. At each node:

µa = µ µb = 1 − µ da = 1 db = 0 (4.14)

We implement the cubic Farrow ﬁlter [24]. For c ∈ {a, b}:

FDI 3 3 2 hc = µc /6 − µc/6, −µc /2 + µc /2 + µc, 3 2 3 2 T µc /2 − µc + 1, −µc /6 + µc /2 − µc/3 (4.15)

Assuming a uniform sample period t∗ = ta + µ = tb + T − µ. Figure 4.1(a) shows a diagram of the sampled and interpolated time instances for uniform measurements. 76

For non-uniform samples, Figure 4.1(b), the interpolated times are no longer aligned

at Alice and Bob and ta + µ 6= tb + T − µ. Polynomial interpolation and Gaussian processes regression, which we discuss in the following sections, are able to interpolate values that even with non-uniform samples are aligned in time as shown in Figure 4.1(c). To make a fair comparison between those and fractional delay interpolation

we will assume that t∗ is still half way between Alice’s and Bob measurements as in (4.6)

4.5.3 Gaussian Processes Regression Gaussian process regression (GPR), known as kriging in the ﬁeld of geostatistics, can be used for interpolation or regression. A Gaussian process is completely speciﬁed

by its mean function and covariance function [59]. While wc is not exactly Gaussian, previous analysis using the assumption of a Gaussian distribution for similar data has been demonstrated to be experimentally accurate [53]. The mean function m(t) and the covariance function k(t, t0) of a real process y(t) are deﬁned as,

m(t) = E[y(t)] (4.16)

k(t, t0) = E[(y(t) − m(t))(y(t) − m(t)0)] (4.17)

If we could measure the real y(t), and given m(t) = 0, the joint distribution of the n observations, yc at times tc, and the n∗ targets or unobserved points ˆy∗ =

[ˆy∗(i),..., yˆ∗(n∗)], at times t∗ = [t∗(1), . . . , t∗(n∗)] is,

y K(t, t) K(t, t ) ∼ N 0, ∗ (4.18) y∗ K(t∗, t) K(t∗, t∗)

where [K(t, t∗)]ij = k(t(i), t∗(j)) and [K(t, t)]ij = k(t(i), t(j)). Essentially, K(t1, t2)

is the covariance matrix of y(t1) and y(t2)), for some vectors of sample times t1, t2. If noise is present, the function y(t) cannot be accurately determined and instead

a noisy version is obtained: wc(i) = y(tc(i)) + . If the additive noise, , is i.i.d 2 Gaussian noise with variance σ , the prior on the noisy observations becomes,

cov(wc) = K(tc, tc) + K (4.19) 77

2 where K = σ I and assuming and y(t) are uncorrelated. The joint distribution of the observed values, wc = [wc(1), . . . , wc(n)], and the target values under the prior are w K(t , t ) + K K(t , t ) c ∼ N 0, c c c ∗ (4.20) y∗ K(t∗, tc) K(t∗, t∗) From this distribution, predictive equations for the target values can be derived as

y∗|wc ∼ N (y¯∗, cov(y∗)) (4.21)

−1 y¯∗ = K(t∗, tc)[K(tc, tc) + K] wc, (4.22)

−1 cov(y∗) = K(t∗, t∗) − K(t∗, tc)[K(tc, tc) + K] K(tc, t∗) (4.23)

where ¯y∗ in (4.22) is the predicted mean value of y(t) at times t∗. We use ¯y∗, which is the minimum mean square error (MMSE) estimator [77], as our estimate of the real

fading signal, ˆy(t∗). While it would be possible, if computationally expensive, to perform Gaussian processes regression over an entire dataset, similar results can be obtained if the dataset is split into subvectors and GPR performed over each subvector. The length of a subvector is determined in part by the estimated covariance function. We chose a subvector length of J = 200 for the 802.11 RSS data and J = 100 for the 802.15.4 RSS data.

4.5.3.1 Covariance Function For time-series data, the covariance function relates how much two variables change together verses separation in time. If the covariance function is not known it is to common to use a general covariance function such as the Mat´ernor Euclidean functions [67]. However, for RSS data, we are able to ﬁnd a covariance function for

each dataset using the Nc calibration measurements that Alice and Bob have shared between themselves. For uniformly sampled wide sense stationary data, estimating the covariance function k(t) is straight forward. First ﬁnding the covariance matrix as

1 hPj (i) (i) T Kwa,wb = 2j−1 i=1(wa − µa)(wa − µa) + (4.24)

(i) (i) T i (wb − µb)(wb − µb) 78

(i) th where µc is the mean value of wc and wc is the j sub vector of length j = 200 at j node c. The covariance function k(t) is the 2 row of Kwa,wb . For non-uniformly sampled data, we can use the Wiener-Khintchine theorem to estimate the covariance function. The Wiener-Khintchine theorem relates the power spectral density (PSD) of a signal, w(t), to its autocorrelation function. The cross spectral density of wa(ta) and wb(tb) is,

K h N S (f) = 1 P P w (n + k)e−j2πfta(n1+k) (4.25) a,b NK k=1 n1=1 a 1 N i P w (n + k)e−j2πf[tb(n2+k) n2=1 b 2

where f is the frequency of interest and wc is wide sense stationary. The auto

covariance function Ra,b(τ), is then calculated as the inverse Fourier transform of

Sa,b(f), by the Wiener-Khintchine theorem [77]

4.5.4 Gaussian Processes Regression with Side Information Many forms of exchange of information between Alice and Bob are used in SKE research to improve the reliability and secrecy of extracted keys, including methods called information reconciliation [11] and public discussion [46]. We suggest that such methods can be used to improve the estimate of the reciprocal fading channel. In order to investigate this, we propose one method based on Alice and Bob exchanging one bit of information, which we call an ”e-value”, about their measurements In order to improve reciprocal fading channel estimation, Alice and Bob publicly

exchange one bit of information about each wc(i) measurement and incorporate this measurement in GPR. This one bit of information will allow Alice and Bob to decide if their measurements are likely to agree when quantized. Then, based on this side 2 2 information they alter their K matrix in (4.20 - 4.23) to K = diag([γ (1), . . . , γ (n)]). How γ2(i) is set is explained below. Although this method is based on GPR, due to the incorporation of side information it is not rigorously GPR for two reasons. First, knowing one bit of information changes the distribution of the measurements so the measurements can no longer be assumed to resemble a Gaussian distribution. Second, knowledge of the side 79

information received by Alice and Bob alters the conditional covariance of wc and y∗

in a very complicated way. Although the actual covariance matrix of wc and y∗ given the side information has every element altered compared to (4.20), for simplicity,

we alter only the variance of the elements of wc, that is, the diagonal elements of

Cov(wc). We show in the results that the incorporation of this side information, although a heuristic in some sense, allows us to better estimate y(t) at both Alice and Bob in order to extract more bits.

4.5.4.1 Public Exchange of Side Information

Alice and Bob each quantize their measurements, wa and wb, into K number of bins and assign each measurement an e-value based on the bin. The measurements that fall into odd numbered bins are 0’s and the measurements that fall into the even numbered bins are assigned 1’s. Alice and Bob then exchange their vectors of e-values. The bins must be determined so that Eve does not learn anything about the expected value of wc(i) given e(i). There are many possible ways to achieve this,

but here we place values in bins based upon the distribution of wc. The bin thresholds are found so that the probability of a single measurement being assigned an e-value of 0 or 1 is equally likely. We look at the cumulative distribution function (CDF) of the measurements to determine the thresholds. Lef

Fi(w) = P [wa(i) ≤ w] be the CDF of wa. For K is odd, the bin thresholds, ηk, are determined as 2k − 1 η = F −1 , for k = 1,...,K − 1 (4.26) k 2(K − 1)

−1 1 −1 3 and η0 = −∞ and ηK = ∞. If K = 3 then η = [−∞,F ( 4 ),F ( 4 ), ∞]. The n

measurements, wc, are then quantized so that

k(i) = max{k s.t. wa(i) > ηk} (4.27) k

and we deﬁne e(i) as e(i) = k(i) mod 2 (4.28)

for each measurement, i = 1, . . . , n. 80

If K odd it is possible to assign bins without the e-values giving away information

about the expected value of wc(i), although it can be said that measurements with e = 1 have a higher sample variance than measurements with e = 0. We do not consider the case of K even because it is not possible to assign e-values without

giving information about the expected value of wc(i).

4.5.4.2 Setting γ2(i)

2 2 The values of γ (i) where ea(i) 6= eb(i) should be larger than γ (i) the values 2 where ea(i) = eb(i). To that end we use two parameters Pa and Pd and deﬁne γ (i) as σ2 1 for e (i) = e (i), 2 Pa a b γ (i) = 2 (4.29) σ Pd for ea(i) 6= eb(i)

2 where σ can be estimated as

n 1 X σˆ2 = (w (i) − w (i))2 (4.30) n a b i=1

We discuss these parameters further in Section 4.7.

4.6 Experiment In this section, we describe the RSS data sets which we have collected using two diﬀerent transceiver hardware testbeds. We collect 31 total data sets from the two testbeds, a total of 213,000 samples of the RSS over 75 minutes of data collection. This extensive experimental data allows us to provide, in Section 4.7, a quantitative analysis analysis of the performance of methods propose in Section 4.5.

4.6.1 PHY layer and RSS Measurement To ensure broad applicability of the results to RSS-based SKE, we use hardware from two common TDD wireless standards in our experimental evaluation. The ﬁrst testbed uses commodity IEEE 802.15.4 radio hardware (MEMSIC TelosB devices), similar to that previously used in experimental SKE papers [53, 20, 56, 2]. The second testbed uses two smartphones (Google / HTC NexusOne phones) which are programmed to communicate via IEEE 802.11b/g. 81

To collect the 20 802.15.4 radio hardware datasets, one node was placed on a desk while the second node was moved randomly to induce narrow band fading. The distance between the two nodes was slightly over 1 meter. Half of the 20 datasets collected using the 802.15.4 radio hardware were made in the presence of 802.15.4 interference. To create interference, three additional TelosB sensor nodes were programmed to take turns transmitting on the same channel as Alice and Bob. Also, the transmit power was also varied. Fifteen datasets had a transmit power greater than -5 dBm and ﬁve had a transmit power lower than -10 dBm. Using the IEEE 802.11-based smartphones we collected 11 data sets each with 6000 measurements. One smartphone, Alice, was placed on a desk, while the second phone Bob was moved randomly to induce narrowband fading in the channel. The distance between Alice and Bob was approximately 0.75 meters. All 11 data sets were collected in the same manner with no changes to the default transmit power.

4.6.2 Sample Variance In free-space with a static channel, bit extraction would be ineﬀective. The source of the bits in the secret key is the randomness in the channel due to narrowband fading. The more the channel varies over time, the more bits it is possible to extract. 2 We can estimate the variance of the sampled reciprocal fading signal, σw, as

n 1 X σˆ2 = (w (i) − µˆ )2 (4.31) w n c w i=1

where the mean, µw, is estimated from

n 1 X µˆ = w (i) (4.32) w n c i=1 The sample variances for 802.15.4 RSS measurements in Figure 4.2(a) was around 40, while the sample variances for 802.11 RSS measurements in Figure 4.2(b) was about 14 on average. 2 The reason for the diﬀerence inσ ˆw for 802.15.4 and 802.11 is the channel bandwidth – 20 Mhz for 802.11 and 5 Mhz for 802.15.4. With 802.11, the RSS is calculated for a signal over a bandwidth 4 times as wide so the channel gain is not as aﬀected by 82 narrowband fading. Since the fading signal is the signal of interest, the signal power is reduce when wideband RSS measurements “average out” the fading. Counterintu- itively this reduces the number of bits can be extracted. The RSS quantization levels for the two devices are identical – an increase of 1 dB received power with respect to the mean produces an increase of 1 RSSI.

4.6.3 Sampling Non-uniformity Sampling non-uniformity in 801.11 devices can be related to a large body of research that looks at packet delay caused by the distributed coordination function (DCF) [10, 14]. The DCF uses channel sense multiple access with collision avoidance to maximize channel throughput and ensure every user has equal access. While most packets are transmitted with relatively short delays, other packets suﬀer a much higher delay than average due to the exponential increase in backoﬀ period when transmission fails. For the purposes of bit extraction, one sample period, ie. the time between two adjacent measurements by Alice, is composed of:

1. Time delay, δa, for Alice to send a packet to Bob

2. Time, δo, for Bob to receive and process packet. This is assumed constant.

3. Time delay, δb, for Bob to send a packet to Alice

The distribution of time delays, δa and δb, are essentially the same as the distribution of packet delay in [10, 14] which is affected by the number of users wishing to transmit and the maximum backoff period, Wi. Figure 4.3 shows the difference between the distribution of sample periods for 802.15.4 and 802.11 devices. In our experiments, the 802.15.4 devices are operated on a channel (26) that does not interfere with 802.11 b/g traffic – thus these devices operate largely without outside interference and the majority of sample periods are reliably between 15-17 ms, as shown in Figure 4.3(a). In contrast, the 802.11 devices experience significant multi-user interference, particularly in buildings with many deployed WiFi access points, as is the case in our experiments. Due to the 802.11 MAC layer, the delay for a device transmitting a packet can be very significant. As 83

shown in Figure 4.3(b), while the 802.11 devices can sample up to two times faster than the 802.15.4 devices the maximum time between sample points is as much as

six times greater than the average. The distribution for δa + δb + δo in Figure 4.3(b) is very close to the distribution found in [58]. It is very heavy tailed and has a large variation in sample period.

4.7 Results In this section we look at the these four estimation methods, fractional delay interpolation (FDI), polynomial interpolation (PI), Gaussian processes regression (GPR) and Gaussian processes regression with side information (GPRSI), qualitatively and

quantitatively. First we determine how to set parameters Pa and Pd for GPRSI using

the normalized root mean square error betweeny ˆa(t∗) andy ˆa(t∗), as a metric. Then

we plot the estimated reciprocal fading signal,y ˆc(t∗), and compare the results over a very small set of points to qualitatively show under what conditions each of these methods performs best. Since all four methods can be viewed as a ﬁlter, we the compare the frequency response and show that while FDI and GPRSI ﬁlters have frequency responses that tend to match, PI does not. Then we look at the error

betweeny ˆa(t∗) andy ˆa(t∗) for FDI, PI, GPR and GPRSI. Finally we compare the four methods with respect to a bit extraction method.

4.7.1 Performance Metrics While it is not possible to calculate the root mean square error (RMSE) between

the noisy measurements, wc, and the reciprocal fading signal y(t), we can evaluate

the error between Alice’s estimate of y(t), ˆya(t∗), and Bob’s estimate of y(t), ˆyb(t∗). Because GPR and GPRSI tend to reduce the range of values and therefore the apparent RMSE, we use normalized RMSE. NRMSE is RMSE scaled by the standard

deviation ofy ˆa. s PN 2 i=1(ˆya(i) − yˆb(i)) NRMSE(ˆya, yˆb) = PN 2 i=1(ˆya(i) − µa) While increasing the number of bits extracted is the ﬁnal goal of these estimation methods, the bit extraction algorithm adds another layer of complexity. We use 84

NRMSE to make analysis of these results applicable to other bit extraction methods, not just the one used in a following subsection.

4.7.2 GPRSI Parameter Selection Figure 4.4 shows the NRMSE between Alice’s and Bob’s estimate of y(t) for

values of parameters Pa and Pd using the 802.11 based devices. Given this plot we choose Pa ≈ 0.5 and Pd ≈ 15. These values are approximate since there is very little diﬀerence in the NRMSE for Pa = 0.5 and Pa = 1 or between diﬀerence values of Pd when Pd > 10.

4.7.3 Example Figure 4.5 shows data collected by the 802.11 devices and the interpolated data using (a) FDI, (b) PI, and (c) GPRSI. Because the interpolating polynomial for

PI yc(t∗(i) (4.11), is constrained to go through the sampled points, noise in those measurements over larger gaps in the data can cause the sampling polynomial at Alice to be very diﬀerent from Bob’s. However, using FDI or GPR, Alice’s and Bob’s estimated signals match quite well. The results for GPR and GPRSI are very similar, so GPR is not shown. Unlike, PI and FDI, GPR and GPRSI can be used for regression. Figure 4.7 shows data that has been estimated using (a) PI and (b) GPR. Because the interpolating polynomial is constrained to go through the sampled points, it cannot be used to mitigate quantization noise. On the other hand, because noisy measurements can be accounted for in GPR, some of the quantization noise can be removed.

4.7.4 Filter Response Each of these four methods can be viewed as a ﬁlter and characterized in terms of frequency response. The frequency response is found using a non-uniform discrete Fourier transform (NDFT) which is deﬁned as:

N−1 X −jtc(n)2πf(k) H(f(k)) = hc(n)e (4.33) n=0 85 where hc are the filter coefficients, tc are the times over which the filter is applied and f(k) is the kth frequency at which the Fourier transform is evaluated. For PI and FDI, N = 4. The filter coefficients for FDI are printed in (4.15). Filter coefficients −1 for GPR are found from the K(t∗, tc)[K(tc, tc) + K] term of (4.22). Because GPR and GPRSI is applied over subvectors of length 200, N = 200.

The frequency response for the FDI filter is shown in Figure 4.6(a) for t∗(i) = 0.60. The filter response at Alice is very similar to Bob’s filter. The frequency response for the PI filter is shown in Figure 4.6(b). It becomes a high pass filter over long gaps between samples, but the larger problem is that the two filters at Alice and Bob do not match. The frequency response for GPR is shown in Figure 4.6(c). Although not identifiable as a particular type of filter, the responses at Alice and Bob match quite well.

4.7.5 Normalized Root Mean Square Error

Figure 4.8 (a) shows the cumulative distribution function (CDF) of the NRMSE over the 802.11 datasets of the original RSS measurements, wc, and the reciprocal fading signal estimated using PI, FDI, GPR and GPRSI. Of these methods, PI increases the NRMSE between Alice and Bob’s measurements compared to the unprocessed measurements. FDI, GPR and GPRSI all reduce the NRMSE compared to the original measurements for all datasets, except for one dataset in the case of GPR. In all cases, GPRSI performs better than the other methods.

The same type of analysis is shown in Figure 4.8 (b) for the 802.15.4 datasets. Again, PI increases the NRMSE compared to the original measurements. The difference in FDI vs. the Gaussian processes methods is not as apparent in the 802.15.4 datasets, although GPR and GPRSI are an improvement. The difference between GPR and GPRSI is negligible. One conclusion we can draw from the differences between Figure 4.8 (a) and Figure 4.8 (b) is that given the smaller amount of improvement in GPRSI vs. FDI, the non-reciprocities in reciprocal 802.15.4 RSS measurements are due in greater proportion to the inability of Alice and Bob to measure the channel simultaneously than those in 802.11 RSS measurements. 86

In the second experiment we simulated dropped packets in 802.15.4 measurements by removing the ith sample from wa and wb with probability p. The removal probability for samples i and j, where i 6= j, are independent. Increasing variability in the range of sample periods results as the probability of dropping a packet increases. We plot the bits per sample extracted using GPR, GPRSI, FDI and PI as p increases from 0 to 0.6 vs. NRMSE disagreement in Figure 4.9. As p increases, the performance of FDI degrades more rapidly than GPR and GPRSI.

4.7.6 Bit Extraction Adaptive ranking based uncorrelated bit extraction ARUBE [20] has been used with RSS measurements made by 802.15.4 based wireless sensors. It has four steps: interpolation, ranking, decorrelation and quantization. The effectiveness of this method can be evaluated by looking at the number of bits extracted per sample or the number of bits extracted per second against the probability of bit disagreement, Pbd. Fewer samples must be collected to create a shared secret key if the bits extracted per sample is high, saving both the energy required to transmit a packet and the time required to so do. Because information must be publicly exchanged to correct bit disagreement, a lower Pbd will keep more information secret from Eve. It is difficult to obtain a high rate of bit extraction and a low Pbd. While judging the performance of estimation methods is made more complex by using the number of bits extracted as a metric, inclusion of this section is important. A simple low pass filter would also reduce the NRMSE, but at the expense of removing information in the signal that could be used as bits in the secret key.

4.7.6.1 802.15.4 Sensor Nodes In the ﬁrst experiment with 802.15.4 sensor nodes we decremented the transmitted power over 17 datasets. At very low received power, RSS data collected by 802.15.4 based sensor nodes has some of the same properties as the 802.11 RSS data: low 2 sample variance,σ ˆw, and non-uniform sampling. As the sample variance decreases, Gaussian processes regression becomes more useful. Figures 4.10(a,b,c) show the averge of (7, 4, 6) datasets respectively of decreasing 87 sample variance for PI, FDI and GPR. Table 4.1 shows the average sample variance 2 σˆw for each ﬁgure. We used these groupings to keep datasets with similar sample variance together. As the received power decreases, the number of dropped packets increases, the noise due to quantization increases and there is a greater non-uniformity in sampling instants. The decrease in bits per second as the sample variance decreases is due not only to fewer bits being extracted but to the decrease in the number of samples per second collected by the nodes because of the dropped packets. By comparing the ’Bits per Second’ and ’Bits per Sample’ axes of the three plots we can see that, 0.6 bits per sample results in 24, 14 and 11 Bits per Second as the sample variance decreases.

4.7.6.2 802.11 Smartphones We found that for this bit extraction method, polynomial interpolation produces worse results than using the original measurements, so we only compare GPR, GPRSI and FDI.

Figure 4.11 (a) shows the bits extracted per second for yˆc(t∗) using GPR and GPRSI. Unlike the 802.15.4 datasets the inclusion of side information increases the number of bits extracted for most datasets. The greatest improvement in bits extracted per second is seen in datasets that produce the least number of bits. These are the datasets that also have the smallest sample variance and the largest quantization noise. Comparing GPR to FDI in Figure 4.11(b), GPRSI can improve the number of bits extracted per second by up to 50% for some datasets.

4.8 Conclusion In real-world wireless networks, SKE must extract bits from noisy measurements taken at irregular intervals. In these situations, we show that standard SKE methods perform poorly. In this paper we investigate four methods that allow legitimate users Alice and Bob to obtain improved estimates of the reciprocal fading channel. We found that in cases with high SNR, even those with moderate non-uniform sampling characteristics, fractional delay interpolation performs very well, reducing the NRMSE between Alices and Bobs estimates and increasing the bit extraction 88

-Alice samples -Bob samples - new times, t * ...... (a) ...... time

...... (b) ...... time

...... (c) ...... time

Figure 4.1. Diagram shows placement of Alice’s () and Bob’s ( ) measurements at times tc with the placement of interpolated values t∗ (k). (a) Fraction delay interpolation interpolates a value half way between Alice’s and Bob measurements if the sample period is constant. (b) With non-uniform measurements fractional delay interpolation results in unaligned interpolated time instants. (c) Polynomial interpolation and Gaussian processes regression are able to interpolate measurements at identical time instants.

Table 4.1. Datasets of decreasing sample variance 2 # of Datasets Averageσ ˆw Figure 4.10 (a) 7 36.2 Figure 4.10 (b) 4 17.9 Figure 4.10 (c) 6 7.4 89

0.12 dataset f 0.10 dataset n

0.08

0.06

Probability 0.04

0.02

0.00 −20 −15 −10 −5 0 5 10 15 20 RSSI, mean removed (a)

0.16 dataset A 0.14 dataset B

0.12

0.10

0.08

Probability 0.06

0.04

0.02

0.00 −20 −15 −10 −5 0 5 10 15 20 RSSI, mean removed (b)

Figure 4.2. Distribution of measured RSSI values for datasets collected (a) by 2 802.15.4 based devices and (b) 802.11 based devices. The sample variance,σ ˆw for (a) is larger than that of the measurements of (b). 90

0.40 dataset f 0.35 dataset n

0.30

0.25

0.20

Probability 0.15

0.10

0.05

0.00 0.005 0.010 0.015 0.020 0.025 0.030 0.035 0.040 Sample Period (s) (a)

0.40 dataset A 0.35 dataset B

0.30

0.25

0.20

Probability 0.15

0.10

0.05

0.00 0.005 0.010 0.015 0.020 0.025 0.030 0.035 0.040 Sample Period (s) (b)

Figure 4.3. Distribution of sample periods for (a) two datasets made with 802.15.4 based wireless sensors and (b) two datasets from 802.11 based devices. 91 rate. For signals with low signal power, or with highly variable sample periods, GPR performs better in terms of NRMSE and the number of bits extracted at the expense of much more computation. We present a reciprocal fading channel estimation method which uses side information obtained from public discussion, which we call GPRSI, and show that it is able to extract secret key bits at a rate up to 50% higher than with GPR. The computation required by GPRSI is more signiﬁcant than with FDI, but GPRSI can extract secret key bits more quickly. Future work may address the tradeoﬀ between communication energy and time saved by the increased bit rate of GPRSI, versus the lower energy used in computation in FDI. In addition, adaptive methods may be developed which allow devices to change estimation method based on the multi-user access delays or packet error rate they experience. 92

0.175

Pa =0.1

Pa =0.5 0.170 Pa =1

) Pa =3 b y ˆ

, 0.165 a y ˆ (

0.160 NRMSE

0.155

0.150 0 20 40 60 80 100 Pd

Figure 4.4. NRMSE betweeny ˆa andy ˆb for GPRSI with diﬀerent values for Pa and Pd. Overall, GPRSI for 802.11 RSS measurements performs best with Pa ≈ 0.5 and Pd ≈ 15. 93

FDI ˆya (t ∗)

4 FDI ˆyb (t ∗)

0 RSS

−2

−4

−6 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0 time (s) (a)

PI ˆya (t ∗)

4 PI ˆyb (t ∗)

0 RSS

−2

−4

−6 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0 time (s) (b)

GPRSI ˆya (t ∗)

4 GPRSI ˆyb (t ∗)

0 RSS

−2

−4

−6 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0 time (s) (c)

Figure 4.5. (a) Fractional delay interpolation used to estimate the reciprocal fading channel from non-uniformly sampled RSS measurements made by two 802.11 devices. (b) Polynomial interpolation. (c) Gaussian processes regression. Solid lines are the estimated signaly ˆc(t∗), dotted lines are the RSS measurements wc. 94

2.0 FDI Ha FDI Hb

| 1.5 ) f ( H |

1.0

Magnitude, 0.5

0.0 0 10 20 30 40 50 Frequency, Hz (a)

4.0 PI Ha 3.5 PI Hc

| 3.0 ) f (

H 2.5 |

2.0

1.5

Magnitude, 1.0

0.5

0.0 0 10 20 30 40 50 Frequency, Hz (b)

2.0 GPRSI Ha GPRSI Hb

| 1.5 ) f ( H |

1.0

Magnitude, 0.5

0.0 0 10 20 30 40 50 Frequency, Hz (c)

Figure 4.6. Filter response for (a) fractional delay interpolation, (b) polynomial interpolation and (c) Gaussian processes regression at interpolated time instant t∗(i) = 0.60. 95

4 w 3 a wb 2 PI ˆya (t ∗) PI 1 ˆyb (t ∗)

RSS −1

−2

−3

−4

−5 31.04 31.06 31.08 31.10 31.12 31.14 time (s) (a)

4 w 3 a wb 2 GPRSI ˆya (t ∗) GPRSI 1 ˆyb (t ∗)

RSS −1

−2

−3

−4

−5 31.04 31.06 31.08 31.10 31.12 31.14 time (s) (b)

Figure 4.7. (a) Polynomial interpolation used to estimate the reciprocal fading signal for 802.11 RSS measurements (b) Estimation using GPRSI. Root mean square error (RMSE) for the displayed data is (a)0.627 and (b)0.222. 96

1.0

0.8

0.6

0.4 wc PI ˆy(t ∗)

FDI ˆy(t ∗) 0.2 GPR ˆy(t ∗)

GPRSI ˆy(t ∗) Cumulative Distribution Function 0.0 0.12 0.14 0.16 0.18 0.20 0.22 0.24 0.26 0.28 0.30 Normalized RMSE (yˆa ,yˆb ) (a)

1.0

0.8

0.6

0.4 wc PI ˆy(t ∗)

FDI ˆy(t ∗) 0.2 GPR ˆy(t ∗)

GPRSI ˆy(t ∗) Cumulative Distribution Function 0.0 0.2 0.4 0.6 0.8 1.0 Normalized RMSE (yˆa ,yˆb ) (b)

Figure 4.8. Normalized root mean square error (NRMSE) for error between the original measurements at Alice, wa, and Bob, wb and error between the estimations of the reciprocal fading signal using polynomial interpolation (PI), fractional delay interpolation (FDI), Gaussian processes regression (GPR) and Gaussian processes regression with side information (GPRSI) for (a) 11 802.11 datasets and (b) 20 802.15.4 datasets 97

0.55

0.50

0.45 ) b y ˆ

, 0.40 a y ˆ ( 0.35

0.30 NRMSE 0.25

0.20

0.15 0.0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 Probability of Packet Drop, p

Figure 4.9. Plot of NRMSE as the probability of dropping a packet, p, increases for FDI (- -), GPR (..) and GPRSI (–), then plotting the average of the top seven datasets (?), middle six datasets (•) and bottom seven datasets (I) with respect to NRMSE 98

45 PI 40 GPR 1.0 35 FDI 0.8 30

25 0.6 20

15 0.4 Bits per Second Bits per Sample 10 0.2 5

0 0.0 0.00 0.01 0.02 0.03 0.04 0.05 0.06 0.07 Probability of Bit Disagreement, Pbd (a)

20 0.8 PI GPR 0.7 FDI 15 0.6

0.5

10 0.4

0.3 Bits per Second Bits per Sample 5 0.2

0.1

0 0.0 0.00 0.01 0.02 0.03 0.04 0.05 0.06 0.07 Probability of Bit Disagreement, Pbd (b)

16 PI 0.8 14 GPR 0.7 FDI 12 0.6 10 0.5 8 0.4

6 0.3 Bits per Second Bits per Sample 4 0.2

2 0.1

0 0.0 0.00 0.01 0.02 0.03 0.04 0.05 0.06 0.07 Probability of Bit Disagreement, Pbd (c)

Figure 4.10. Comparison of PI, FDI and GPR with (a) highest, (b) middle and (c) 2 lowest sample varianceσ ˆw. GPR is an improvement over FDI only at lower sample variances. 99

15 Bits per Second 10

0 0.00 0.02 0.04 0.06 0.08 0.10 Probability of Bit Disagreement, Pbd (a)

15 Bits per Second 10

0 0.00 0.02 0.04 0.06 0.08 0.10 Probability of Bit Disagreement, Pbd (b)

Figure 4.11. Bits extracted per second vs. probability of bit disagreement (Pbd) for 13 datasets. Data processed using GPR (..), GPRSI ( - ) or FDI ( - - ) then plotting the average of the top four datasets (?), middle ﬁve datasets (•) and bottom four datasets (I) with respect to bits extracted per second. (a) Compares GPR and GPRSI (b) Compares FDI and GPRSI CHAPTER 5

CONCLUSION

This chapter will summarize key ﬁndings before suggesting areas for future work.

5.1 Key Findings While the wireless channel has the requisite conditions as a source for shared secret keys, namely randomness and reciprocity, practical considerations such as the time- division duplex nature of channel sampling, differing hardware characteristics between users, temporal correlation between measurements and the necessity of sharing the channel with other users are continuing challenges. This research aims to reduce or remove the non-idealities and noise of the reciprocal channel measurement process in order to increase secret key bit rate while maintaining an uncorrelated bit stream. Wireless sensor networks have a intrinsic need for a way of securing communications that does not involve a central server or an excessive use of on node storage space. By using randomness inherent in the wireless channel, it is possible to avoid the predistribution of shared keys, which for large networks becomes a strain on limited storage space, and the need for a central server which depending upon network conditions may not be connected to the network. One of the challenges of bit extraction is that in order to measure the channel the two nodes must communicate which for sensor nodes communication is energy intensive. To extend the life of the network it is advantageous to extract as many bits as possible from each measurement. To that end, various methods of mitigating non-reciprocities in the measurement were explored including fractional delay interpolation and ranking. Ranking addresses the differences in hardware that will be inevitable in heteroge- neous networks and are present even in supposedly identical transceivers. As long as the relationship between received power and RSS is monotonically increasing, ranking 101 will remove non-reciprocities between radios that result from differing transmit powers and RSSI circuit variations. The introduction of ranking increased the number of bits extracted from 802.15.4 TelosB RSS measurements by up to 30%. Temporal correlation between measurements is another limiting factor that was addressed which is useful both for sensor nodes and devices which are less resource constrained. Correlated bits which can result from correlated measurements weaken the strength of the shared secret keys. In order to prevent this, measurements can be decorrelated before bit extraction. Decorrelation is a relatively computationally complex operation in comparison to other bit extraction steps, so it is necessary to find the minimum number of measurements that can be decorrelated while ensuring an independent bit stream. For 802.15.4 RSS measurements it is possible maintain an uncorrelated bit stream if more than about 35 samples or 0.7 seconds of data are decorrelated at a time. Experimental research into bit extraction from channel impulse response (CIR) measurements is scarce compared to research into RSS measurements. Much of the difference can be attributed to the expense of channel sounding equipment. It is possible however, to build a inexpensive electronically controlled switching system that allows existing single transmitter/single receiver equipment to make bi-directional measurements. The components of this system are easy to obtain and with the design equations a similar system is straight forward to build. The hope is that this design will allow further work into bit extraction for CIR measurements. CIR measurements include both magnitude and phase information. The number of bits extracted from the magnitude information was 8 times greater than the number of bits extracted from the phase information. A large part of the discrepancy is that phase wraps from 2π to 0. While the CIR measurements are two-dimensional (time and time delay), the unwrapping algorithm for phase only operated along the time delay axis and did not take the second dimension into account. A demo using 802.11-based smartphones brought to light differences in 802.11 and 802.15.4-based wireless devices. Devices using 802.11 must share the channel with other users which can result in a non-deterministic packet delay. In a very 102 busy wireless environment, the distribution of packet delay is heavy-tailed which means that measurements of the reciprocal fading signal become very non-uniform. In addition, Alice and Bob are unable to measure the channel simultaneously due to the half-duplex nature of the wireless channel. Previous research used fractional delay interpolation to correct this offset, however fractional delay interpolation degrades quickly in the presence of highly variable sample periods. Unlike fractional delay, Gaussian processes regression can be used to estimate the true fading signal in the presence of non-uniform sampling. In addition, it is possible to incorporate public discussion between Alice and Bob to obtain a more accurate estimation of the true reciprocal fading signal. Using this method Alice and Bob to extract 50% more bits from 802.11 RSS measurements.

5.2 Future Work

The ﬁeld of secret key establishment has many possible avenues for future research. Continuing to increase the bit extraction rate either by using signal processing techniques, quantization and coding methods or hardware improvements, is one of the obvious avenues. It is important because in order to maintain information theoretic security the secret key bit rate must match or exceed the information bit rate. The keys must be random, so another avenue is determining if and when the wireless channel can be considered random. Finally, even with advances in nailing down what does work, a usable, widely available implementation of SKE does not yet exist, but smartphones oﬀer a great platform for future implementation.

The research that forms this thesis and the majority of papers on SKE have focused extensively on the problem of extracting more bits from a given set of measurements in a shorter amount of time, with a lower probability of bit disagreement and with a higher entropy. The way this thesis accomplished the ﬁrst two of these goals was to remove non-reciprocities associated with the measurements. However this is just one way to approach the problem. Another possibility for increasing the number of bits extracted for a given time period is to make the channel measurements more accurate. For RSS this could be accomplished by using a higher transmit power for 103

SKE than for normal communications. Alternately, increasing the accuracy of RSS measurement by increasing the number the quantization levels would be a hardware based solution. For instance an increase of 1 dBm would correspond to 2 RSSI rather than just in increase of 1 RSSI. Even with a more efficient or faster bit extraction method, a compromise between information theoretic security and traditional cryptographic methods may have to be reached before an implementation of SKE comes into wider use. For RSS data collected by 802.15.4-based sensor nodes the mutual information in each pair of samples made at Alice and Bob was around 5 bits. At 50 samples per second this is only 250 bits per second or about 31 ascii characters. A device wishing to use SKE for reasons associated with information theoretic security would probably have to decide what information is most sensitive, encrypt that using SKE and leave the remaining data to a traditional cryptographic key. SKE depends upon randomness in the channel created by a user moving one of the radios, by movement in the channel or both. It has been shown that it is possible for an active eavesdropper to create deterministic non-random movement in an otherwise static channel and so have some knowledge of the measurements. One avenue for investigation is to determine how much randomness exists in user movements of the radio. When asked to move something randomly, many, if not most, people will eventually settle into some pattern of movement that feels random, but really isn’t. One question that needs to be asked is, is this semi-random movement, plus some minimal movement in the channel, enough to guarantee random secret bits over a long period of time. Smartphones offer a very rich testbed for SKE. They can serve as a platform on which to implement SKE and a way to augment SKE with additional sensors. One application for an SKE implementation would be to exchange sensitive information between two smartphones without involving cellular carriers. The two phones would perform SKE in WiFi ad-hoc mode then encrypt and transmit the data. While the building blocks are there, a downloadable software application to perform SKE does not yet exist. Other researchers have suggested using accelerometer data to 104 authenticate two users. This type of authentication could be used with SKE on smartphones. A usable implementation of SKE on a smartphone, laptop or similar device would have to adapt to changing channel conditions. This means being able to determine when the channel is changing by analyzing the channel measurements or by sens- ing when movement of the device is sufficient to ensure random bits by analyzing accelerometer data. Changing channel conditions also includes the number of users sharing the same channel since this will affect how quickly and uniformly Alice and Bob can measure the channel. Finally, smartphones could also be a showcase for SKE as well as a way to collect information about users’ ideas of random movement. An interesting, easily used software application could record both accelerometer readings and RSS measurements in many different wireless environments for many different users. With this large amount of information it might be possible to determine how to give instructions or feedback to a user that will maximize the randomness of the users’ movements as well as providing a large dataset for experimental evaluation of bit extraction methods. Secret key establishment offers a unique opportunity for consumer devices to create and use shared secret keys that provide information theoretic security. Unlike quantum cryptography, SKE does not require specialized hardware and is currently within reach of devices that many people carry in their pockets. As data privacy becomes more of a concern to people and businesses, SKE could provide a decentralized, secure method of protecting sensitive information. REFERENCES

[1] L. Ahumada, R. Feick, R. Valenzuela, and C. Morales. Measurement and characterization of the temporal behavior of ﬁxed wireless links. IEEE Trans. Vehicular Technology, 54(6):1913–1922, November 2005.

[2] S.T. Ali, V. Sivaraman, and D. Ostry. Secret key generation rate vs. reconciliation cost using wireless channel characteristics in body area networks. In 2010 IEEE/IFIP International Conference on Embedded and Ubiquitous Computing, pages 644–650. IEEE, 2010.

[3] A. Alomainy, Y. Hao, X. Hu, CG Parini, and PS Hall. UWB on-body radio propagation and system modelling for wireless body-centric networks. In Com- munications, IEE Proceedings-, volume 153, pages 107–114. IET, 2006.

[4] JB Andersen, JO Nielsen, GF Pedersen, K. Olesen, P. Eggers, EH Sorensen, and S. Denno. A 16 by 32 wideband multichannel sounder at 5 GHz for MIMO. In IEEE Antennas and Propagation Society International Symposium, 2004, volume 2, 2004.

[5] C.R. Anderson and T.S. Rappaport. In-building wideband partition loss measurements at 2.5 and 60 GHz. IEEE Transactions on Wireless Communications, 3(3):922–928, 2004.

[6] T. Aono, K. Higuchi, T. Ohira, B. Komiyama, and H. Sasaoka. Wireless secret key generation exploiting reactance-domain scalar response of multipath fading channels. IEEE Transactions on Antennas and Propagation, 53(11):3776–3784, Nov. 2005.

[7] B. Azimi-Sadjadi, A. Kiayias, A. Mercado, and B. Yener. Robust key generation from signal envelopes in wireless networks. In CCS ’07: Proceedings of the 14th ACM Conference on Computer and Communications Security, pages 401–410, Nov. 2007.

[8] Bennett, Brassard, Crepeau, and Maurer. Generalized privacy ampliﬁcation. In ISIT: Proceedings IEEE International Symposium on Information Theory, sponsored by The Information Theory Society of The Institute of Electrical and Electronic Engineers, 1994.

[9] Charles H. Bennett, Gilles Brassard, Claude Cr´epeau, and Ueli Maurer. General- ized privacy ampliﬁcation. IEE Transaction on Information Theory, 41(6):1915– 1923, November 1995. 106

[10] G. Bianchi. Performance analysis of the ieee 802.11 distributed coordination function. Selected Areas in Communications, IEEE Journal on, 18(3):535–547, 2000.

[11] G. Brassard and L. Salvail. Secret-key reconciliation by public discussion. In Advances in CryptologyEUROCRYPT93, pages 410–423. Springer, 1994.

[12] D. Catalano. Contemporary cryptology. Birkhauser, 2005.

[13] H. Chan, A. Perrig, and D. Song. Random Key Predistribution Schemes for Sensor Networks. In In IEEE Symposium on Security and Privacy, 2003.

[14] P. Chatzimisios, V. Vitsas, and AC Boucouvalas. Throughput and delay analysis of ieee 802.11 protocol. In Networked Appliances, 2002. Liverpool. Proceedings. 2002 IEEE 5th International Workshop on, pages 168–174. IEEE, 2002.

[15] C. Chen and M.A. Jensen. Improved channel quantization for secret key establishment in wireless systems. In Wireless Information Technology and Systems (ICWITS), 2010 IEEE International Conference on, pages 1–4. IEEE, 2010.

[16] J.M. Conrat, P. Pajusco, and J.Y. Thiriet. A Multibands Wideband Propagation Channel Sounder from 2 to 60 GHz. In Instrumentation and Measurement Tech- nology Conference, 2006. IMTC 2006. Proceedings of the IEEE, pages 590–595, 2006.

[17] D. Cox. Delay Doppler characteristics of multipath propagation at 910 MHz in a suburban mobile radio environment. IEEE Trans. on Ant. & Prop., AP- 20(5):625–635, Sept. 1972.

[18] J. Croft and N. Patwari. Bit extraction from CIR using a bi-directional radio channel measurement system. IEEE Transactions on Mobile Computing, 2010. (submitted).

[19] J. Croft, N. Patwari, and S.K. Kasera. Demonstration abstract: Bit extraction from received signal strength. In Proceedings of the 16th annual ACM international conference on Mobile computing and networking. ACM New York, NY, USA, 2010.

[20] J. Croft, N. Patwari, and S.K. Kasera. Robust uncorrelated bit extraction methodologies for wireless sensors. In Proceedings of the 9th ACM/IEEE In- ternational Conference on Information Processing in Sensor Networks, pages 70–81. ACM, 2010.

[21] D. Devasirvatham. Time delay spread and signal level measurements of 850 MHz radio waves in building environments. IEEE Trans. on Ant. & Prop., AP-34(11):1300–1305, Nov. 1986.

[22] W. Diﬃe and M. Hellman. New directions in cryptography. IEEE Transactions on information Theory, 22(6):644–654, 1976. 107

[23] G. Durgin, V. Kukshya, and T. Rappaport. Wideband measurements of angle and delay dispersion for outdoor and indoor peer-to-peer radio channels at 1920 MHz. IEEE Trans. Antennas and Propagation, 51(5):936–944, May 2003. [24] C Farrow. A continuously variable digital delay element. In IEEE International Symposium on Circuits and Systems, 1988., pages 2641–2645, 1988. [25] J. Foerster et al. Channel modeling sub-committee ﬁnal report. IEEE P, pages 15–02, 2003. [26] S.T.B. Hamida, J.B. Pierrot, and C. Castelluccia. An adaptive quantization algorithm for secret key generation using radio channel measurements. In Proceedings of the 3rd international conference on New technologies, mobility and security, pages 59–63. IEEE Press, 2009. [27] H. Hashemi. The indoor radio propagation channel. Proceedings of the IEEE, 81(7):943–968, 1993. [28] J. Hershey, A. Hassan, and R. Yarlagadda. Unconventional cryptographic keying variable management. IEEE Trans. Commun., 43(1):3–6, Jan. 1995. [29] W. W. Hines, D. C. Montgomery, D. M. Goldsman, and C. M. Borror. Probability and Statistics in Engineering 4th ed. John Wiley & Sons, 2003. [30] S. Jana, S.N. Premnath, M. Clark, S.K. Kasera, N. Patwari, and S.V. Krishna- murthy. On the eﬀectiveness of secret key extraction from wireless signal strength in real environments. In Proceedings of the 15th annual international conference on Mobile computing and networking, pages 321–332. ACM, 2009. [31] J. Jemai and T. Kurner. Broadband WLAN channel sounder for IEEE 802.11 b. IEEE Transactions on Vehicular Technology, 57(6):3381–3392, 2008. [32] A. Karatsuba. The complexity of computations. In Proceedings of the Steklov Institute of Mathematics, volume 211, pages 169–183, 1995. [33] J. Kho, A. Rogers, and N.R. Jennings. Decentralized control of adaptive sampling in wireless sensor networks. ACM Transactions on Sensor Networks (TOSN), 5(3):19, 2009. [34] J. Kivinen, TO Korhonen, P. Aikio, R. Gruber, P. Vainikainen, and S.G. Haggman. Wideband radio channel measurement system at 2 GHz. IEEE Transactions on Instrumentation and Measurement, 48(1):39–44, 1999. [35] M. Kmec, J. Sachs, P. Peyerl, P. Rauschenbach, R. Thom, and R. Zetik. A novel ultra-wideband real-time MIMO channel sounder architecture. XXVIIIth General Assembly of URSI, 2005. [36] V.M. Kolmonen, J. Kivinen, L. Vuokko, and P. Vainikainen. 5.3-GHz MIMO radio channel sounder. IEEE Transactions on Instrumentation and Measurement, 55(4):1263–1269, 2006. 108

[37] Andreas Krause, Carlos Guestrin, Anupam Gupta, and Jon Kleinberg. Near- optimal sensor placements: Maximizing information while minimizing communication cost, 2006.

[38] TI Laakso, V. Valimaki, M. Karjalainen, and UK Laine. Splitting the unit delay [ﬁr/all pass ﬁlters design]. Signal Processing Magazine, IEEE, 13(1):30–60, 1996.

[39] A.K. Lenstra and E.R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.

[40] Z. Li, W. Xu, R. Miller, and W. Trappe. Securing wireless systems via lower layer enforcements. In Proc. 5th ACM Workshop on Wireless Security (WiSe’06), pages 33–42, Sept. 2006.

[41] D. Liu, P. Ning, and W. Du. Group-based key predistribution for wireless sensor networks. ACM Transactions on Sensor Networks (TOSN), 4(2):11, 2008.

[42] M.G. Madiseh, M.L. McGuire, S.W. Neville, and A.A.B. Shirazi. Secret key extraction in ultra wideband channels for unsynchronized radios. In Commu- nication Networks and Services Research Conference, 2008. CNSR 2008. 6th Annual, pages 88–95. IEEE, 2008.

[43] B. Maharaj, J. Wallace, M. Jensen, and L. Linde. A Low-cost open-hardware wideband multiple-input–multiple-output (MIMO) wireless channel sounder. IEEE Transactions on Instrumentation and Measurement, 57(10):2283–2289, 2008.

[44] DJ Malan, M. Welsh, and MD Smith. A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography. In Sensor and Ad Hoc Communications and Networks, 2004, pages 71–80, 2004.

[45] S. Mathur, W. Trappe, N. Mandayam, C. Ye, and A. Reznik. Radio-telepathy: extracting a secret key from an unauthenticated wireless channel. In Proceedings of the 14th ACM international conference on Mobile computing and networking, pages 128–139. ACM, 2008.

[46] Ueli M. Maurer. Secret key agreement by public discussion from common information. IEEE Trans. Info. Theory, 39(3):733–742, May 1993.

[47] Ueli M. Maurer and Stefan Wolf. Unconditionally secure key agreement and the intrinsic conditional information. IEEE Trans. Info. Theory, 45(2):499–514, 1999.

[48] A.J. Menezes, P.C. Van Oorschot, and S.A. Vanstone. Handbook of Applied Cryptography. CRC, 1996.

[49] National Institute of Standards and Technology. Special Publication 800-57: Recommendation for Key Management. 2007. 109

[50] M.A. Osborne, SJ Roberts, A. Rogers, SD Ramchurn, and N.R. Jennings. Towards real-time information processing of sensor network data using computationally eﬃcient multi-output gaussian processes. In Proceedings of the 7th international conference on Information processing in sensor networks, pages 109–120. IEEE Computer Society, 2008.

[51] K. Pahlavan, P. Krishnamurthy, and J. Beneat. Wideband radio propagation modeling for indoor geolocation applications. IEEE Comm. Magazine, 36:60–65, April 1998.

[52] N. Patwari and P. Agrawal. Localization Algorithms and Strategies for Wireless Sensor Networks, chapter Calibration and Measurement of Signal Strength of Sensor Localization. IGI Global, 2009.

[53] N. Patwari, J. Croft, S. Jana, and S.K. Kasera. High rate uncorrelated bit extraction for shared secret key generation from channel measurements. IEEE Transactions on Mobile Computing, pages 17–30, 2009.

[54] N. Patwari, A. Hero III, M. Perkins, N. Correal, and R. O’Dea. Relative location estimation in wireless sensor networks. IEEE Trans. Signal Process., 51(8):2137– 2148, Aug. 2003.

[55] R. Pirkl and G. Durgin. Optimal sliding correlator channel sounder design. IEEE Trans. Wireless Communications, 7(9):3488–3497, September 2008.

[56] S.N. Premnath, S.K. Kasera, and N. Patwari. Secret key extraction in mimo- like sensor networks using wireless signal strength. ACM SIGMOBILE Mobile Computing and Communications Review, 14(1):7–9, 2010.

[57] T.S. Rappaport. Wireless communications: principles and practice. Prentice Hall, 1996.

[58] P. Raptis, V. Vitsas, K. Paparrizos, P. Chatzimisios, and AC Boucouvalas. Packet delay distribution of the ieee 802.11 distributed coordination function. In Proceedings of the Sixth IEEE International Symposium on World of Wireless Mobile and Multimedia Networks, pages 299–304. IEEE Computer Society, 2005.

[59] C.E. Rasmussen and C.K.I. Williams. Gaussian Processes for Machine Learning. The MIT Press, 2006.

[60] A. Rukhin, J. Soto, J. Nechvatal, M. Smid, E. Barker, S. Leigh, M. Levenson, M. Vangel, D. Banks, A. Heckert, et al. A Statistical Test Suite for the Validation of Random Number Generators and Pseudo Random Number Generators for Cryptographic Applications. NIST Special Publication, pages 800–822, 2001.

[61] A. Sayeed and A. Perrig. Secure wireless communications: Secret keys through multipath. In Acoustics, Speech and Signal Processing, 2008. ICASSP 2008. IEEE International Conference on, pages 3013–3016. IEEE, 2008. 110

[62] M. Schack, R. Geise, I. Schmidt, R. Piesiewiczk, and T. Kurner. UWB channel measurements inside diﬀerent car types. In 3rd European Conference on Antennas and Propagation, pages 640–644. IEEE, 2009.

[63] M. Schack, J. Jemai, R. Piesiewicz, R. Geise, I. Schmidt, and T. Kurner. Measurements and analysis of an in-car UWB channel. In IEEE Vehicular Technology Conference, pages 459–463, 2008.

[64] C.E. Shannon. Communication Theory of Secrecy Systems. Journal, vol, 28(4):656–715, 1949.

[65] D. Singh, Z. Hu, and R. Qiu. UWB channel sounding and channel characteristics in rectangular metal cavity. In Southeastcon, 2008. IEEE, pages 323–328. IEEE, 2008.

[66] C.G. Spiliotopoulos and A.G. Kanatas. Path-Loss and Time-Dispersion Parame- ters of UWB Signals in a Military Airplane. Antennas and Wireless Propagation Letters, IEEE, 8:790–793, 2009.

[67] M.L. Stein. Interpolation of Spatial Data: some theory for kriging. Springer Verlag, 1999.

[68] W. Stutzman and G. Theile. Antenna Theory and Design. John Wiley & Sons, 1981.

[69] K. Takizawa, T. Aoyagi, H.B. Li, J. Takada, T. Kobayashi, and R. Kohno. Path loss and power delay proﬁle channel models for wireless body area networks. In Antennas and Propagation Society International Symposium, 2009. APSURSI’09. IEEE, pages 1–4. IEEE, 2009.

[70] RS Thom, D. Hampicke, A. Richter, G. Sommerkorn, and U. Trautwein. MIMO vector channel sounder measurement for smart antenna system evaluation. Eu- ropean Transactions on Telecommunications, 12(5), 2001.

[71] Michael A. Tope and John C. McEachen. Unconditionally secure communications over fading channels. In Military Communications Conference (MILCOM 2001), volume 1, pages 54–58, Oct. 2001.

[72] J. Wallace. Secure physical layer key generation schemes: Performance and information theoretic limits. In Communications, 2009. ICC’09. IEEE International Conference on, pages 1–5. IEEE.

[73] J.W. Wallace, C. Chen, and M.A. Jensen. Key generation exploiting mimo channel evolution: Algorithms and theoretical limits. In Antennas and Propagation, 2009. EuCAP 2009. 3rd European Conference on, pages 1499–1503. IEEE.

[74] M. Wilhelm, I. Martinovic, and J.B. Schmitt. Secret keys from entangled sensor motes: implementation and analysis. In Proceedings of the third ACM conference on Wireless network security, pages 139–144. ACM, 2010. 111

[75] R. Wilson, D. Tse, and R. Scholtz. Channel identiﬁcation: Secret sharing using reciprocity in UWB channels. IEEE Transactions on Information Forensics and Security, 2(3):364–375, Sept. 2007. [76] H. Yang, P.F.M. Smulders, and M.H.A.J. Herben. Indoor channel measurements and analysis in the frequency bands 2 GHz and 60 GHz. In IEEE 16th Inter- national Symposium on Personal, Indoor and Mobile Radio Communications, 2005. PIMRC 2005, volume 1, 2005. [77] R.D. Yates and D.J. Goodman. Probability and stochastic processes. Wiley, 1999. [78] C. Ye, A. Reznik, G. Sternberg, and Y. Shah. On the secrecy capabilities of itu channels. In Vehicular Technology Conference, 2007. VTC-2007 Fall. 2007 IEEE 66th, pages 2030–2034. IEEE, 2007. [79] J. Zhang, S.K. Kasera, and N. Patwari. Mobility assisted secret key generation using wireless link signatures. In INFOCOM, 2010 Proceedings IEEE, pages 1–5. IEEE, 2010.