Secret Key Generation and Agreement in UWB Communication Channels

Masoud Ghoreishi Madiseh, Michael L. McGuire, Stephen S. Neville, Lin Cai, Michael Horie
Department of Electrical and Computer Engineering, University of Victoria, Victoria, B.C. V8W 3P6, CANADA
Email: {masoudg,mmcguire,sneville,cai,horiem}@ece.uvic.ca

Abstract: It has been shown that the radio channel impulse response for a pair of legitimate Ultra-wide band (UWB) transceivers can be used to generate secret keys for secure communications. Past proposed secret key generation algorithms under-exploited the available number of secret key bits from the radio channel. This paper proposes a new efficient method for generation of the shared key where the transceivers use LDPC decoders to resolve the differences in their channel impulse response measurements caused by measurement noise. To ensure secret key agreement, a method of public discussion between the two users is performed using the syndrome from Hamming (7,3) binary codes. An algorithm is proposed to check the equality of generated keys for both legitimate users, and ensure error-free secure communication. The security of this algorithm has been verified by AVISPA. Comparisons are performed with previous work on secret key generation and it has been shown that this algorithm reliably generates longer secret keys in standard UWB radio channels.

Index Terms: Ultra Wideband, Secret Key Generation, Reciprocity, LDPC, Public Discussion, AVISPA.

I. INTRODUCTION

The continual development of faster automatic information processing systems has created a need for high data rate communications systems. Ultra-wideband (UWB) wireless communications systems have been proposed for next generation wireless because of their high data rate capacity as well as their robustness, capability for signal transmission through standard building materials, and simplicity of system design [1]. However, a disadvantage of existing wireless communications systems is the danger of the integrity of the communications being compromised.
Wireless systems send electromagnetic waves through open space that passive eavesdroppers can intercept. Thus, the security sub-system in wireless systems has a more important role than in wireline systems. A challenge for the designers of UWB wireless systems is to develop methods for data integrity and security. Recently, a novel technique has been developed to use direct UWB channel characterization to generate the secret keys to provide security in the physical layer of wireless communications systems [2], [3]. UWB channel measurements are used to create shared cryptographic secret keys for each given pair of communicating terminals. The automated generation of a secret key is intrinsically spatially and temporally specific, increasing security. Indoor UWB channels have been found to be independent for antenna separation distances of more than 15.2 cm (6 inches) [4]. Therefore, if a reasonable distance separates the eavesdroppers from each of the legitimate users, the channel impulse response between legitimate users becomes a source of shared unique secret information. Fig. 1 shows the physical scenario of interest in this work. Users A and B communicate via a UWB channel and generate a shared secret session key based on the mutual information of their respective channel characterizations.

There has been a great deal of work in the cryptography community on secret key generation from noisy observations of a common random process [2]. In our case, the random process is a radio channel. The basic idea is that both legitimate users make measurements of a random process visible to both of them. Then, the legitimate users must reconcile their observations to reduce the effect of independent noise [5], and then perform privacy amplification to remove candidate secret key bits observable by third parties [6]. The key to this method is to perform this process and obtain the highest number of secret key bits without leaking information to third parties. Systems have been previously proposed for the use of UWB channel measurements for secret key generation [7].
However, it has been shown that these methods do not come close to obtaining all the available secret key bits from UWB channel impulse response measurements [8].

In this paper, a new secret key generation technique is proposed which generates larger numbers of secret key bits from observations of standard UWB channel models than previously proposed techniques. The key to this technique is the use of LDPC decoders to increase the bit agreement probability between the legitimate users of the channel. Public discussion, using a Hamming code decoder, allows the legitimate users to reconcile their independently generated secret keys without reducing the security of the generated final key.

The remainder of this paper is organized as follows. Section II provides an overview of the secret key generation techniques for UWB. The new method of key generation is also introduced in this section and the benefits of this method are described. Section III proposes our verified method for checking the consistency of the generated key on both legitimate users' sides. In Section IV, the performance of the proposed algorithm is evaluated through simulations. In Section V the conclusions of this paper are given and some possibilities for future work are described.
Fig. 1. Physical scenario of A and B communicating over the UWB channel secured through the secret key generated directly from the UWB channel characteristics [8]. (Diagram labels: Unsuccessful Eavesdropper E; Secured UWB Channel; Limited Regions of Close Proximity where Eavesdropping is Viable.)

II. SYSTEM OVERVIEW

The basis of the proposed key generation system is the electromagnetic theory of reciprocity, stating that when one of two antennas with no non-linear components radiates a signal, the received signal of the other antenna is independent of which antenna is the source antenna [9]. In other words, the radio channel from antenna A to antenna B is equal to the channel from antenna B to antenna A. Translating the electromagnetic antenna reciprocity theorem into communication system theory, the impulse response of the communication channel from A to B, $h_{AB}(t)$, is equal to the impulse response of the channel from B to A, $h_{BA}(t)$.

The reciprocity theorem indicates that for two UWB transceivers A and B, the impulse response of their shared radio channel is a source of shared information that they can use for generating a secret key to support secure communications. The only condition is that the time separation between when A and B measure the channel must be less than the channel coherence time, $T_c$, defined as the maximum time duration that the radio channel impulse response is stable. The assumed indoor environment allows a coherence time of between 1 microsecond and 10 microseconds to be reasonable [10]. Also, for the indoor UWB radio channel, it has been shown that channel realizations are independent for antennas more than 15.2 cm from either A or B [4]. Therefore, it is difficult for other radio receivers to obtain the same channel measurements, and thus obtain A and B's secret key.
For secret key generation from mutual observations of a random process, such as the channel impulse response, it has been proven in [11] that the secret key rate, $S(A;B\|E)$, available to A and B over an open broadcast channel with respect to an eavesdropper E is upper bounded by

$$S(A;B\|E) \le \min\left[I(Y_A;Y_B),\; I(Y_A;Y_B \mid Y_E)\right], \qquad (1)$$

and lower bounded by

$$S(A;B\|E) \ge \max\left[I(Y_A;Y_B) - I(Y_A;Y_E),\; I(Y_B;Y_A) - I(Y_B;Y_E)\right], \qquad (2)$$

where $I(Y_A;Y_B)$ is the mutual information between the channel impulse response measurements with $Y_A$, $Y_B$, and $Y_E$ being the channel measurements for A, B and E respectively. This bound becomes tight when no mutual information exists between the channel measurements available to the eavesdropper E and those of A and B. As stated above, this case is realized when the eavesdropper is sufficiently far away from the legitimate users. Obviously, in such cases, the theoretic secret key rate is maximized.

A. Key Generation Algorithm

Fig. 2 shows the block diagram of the proposed key generation algorithm. This paper proposes the use of an LDPC decoder to reduce the disagreements in the bit sequences of users A and B caused by the measurement noise. A Hamming(7,3) decoder is then used to support the required public discussion between A and B to confirm their independent generation of the identical secret key in a manner which does not expose the key to an eavesdropper.

Fig. 2. Block Diagram of key generation platform. (Diagram blocks: transmitter with raised cosine thin pulse; UWB channel; receiver; envelope detector; sampling; LMS predictor; LLR computation; reshape stream to 7 bit blocks; compute syndrome with Hamming (7,3); maximum likelihood decision with standard array Hamming (7,3) decoder.)

The following algorithm generates the secret key in an eight step process:

Step 1- Transceiver A sends a pulse $s(t)$ to transceiver B and then transceiver B sends a pulse of the same shape to transceiver A. As was mentioned above, the time separation between the pulse transmission times must be less than the coherence time of the channel, $T_c$, so both transceivers measure a signal resulting from the same channel impulse response.

Step 2- So that the measurements are not affected by differences in the local clock phase, both transceivers use a non-coherent envelope detector. Both transceivers detect and sample the received signals resulting from the transmitted pulse, $s(t)$, plus independent thermal noise and radio signal interference. Suppose that the impulse response of the channel for the time period of interest is $h(t)$, then the received signals for A and B are $y_A(t) = s(t) * h(t) + n_A(t)$ and $y_B(t) = s(t) * h(t) + n_B(t)$ respectively, where $s(t) * h(t)$ is the convolution of signals $s(t)$ and $h(t)$. The noise signals $n_A(t)$ and $n_B(t)$ are independent zero mean additive white Gaussian noise (AWGN) signals with mean powers of $\sigma_0^2 = N_0/2$. The random processes $y_A(t)$ and $y_B(t)$ are sampled at higher than their Nyquist rates, generating the discrete time random processes $y_A(kt)$ and $y_B(kt)$, respectively.

Step 3 & 4- The next two steps combined model a sigma-delta analog to digital conversion (ΣΔ-ADC) on the received noisy channel impulse response waveform. This allows for a high resolution quantized version of the signal to be processed by the following error removal stages for key reconciliation. An ideal ΣΔ-ADC uses a linear predictor on an oversampled signal and then performs single bit quantization on the resulting prediction error. It has been shown that this form of quantization can provide excellent quantization performance [12]. For our system, a Least Mean Square (LMS) predictor with three taps is used. Investigation on second degree statistics of the prediction error found that the three tap predictor gave excellent prediction error performance with little improvement seen with longer prediction filters. We replace the standard hard quantization with a soft output quantizer based on Logarithm Likelihood Ratio (LLR) computation.
An LDPC decoder is used in stage 5 to remove the effects of measurement noise. The use of soft LLR inputs, as opposed to hard binary decisions, is standard practice for LDPC decoders [13]. The definition of LLR is:

$$\mathrm{LLR}(y_i) = \ln\left(\frac{\Pr(c_i = 0 \mid y_i)}{\Pr(c_i = 1 \mid y_i)}\right) = \ln\left(\frac{Q(y_i/\sigma_0)}{1 - Q(y_i/\sigma_0)}\right) \qquad (3)$$

where $c_i$ is the i-th bit of the code word, $y_i$ is the i-th noisy symbol, $\Pr(c_i = c \mid y_i)$ is the probability that $c_i = c$ given the received measurement value $y_i$, and $Q(x) = \frac{1}{\sqrt{2\pi}} \int_x^{\infty} \exp(-t^2/2)\, dt$.

Step 5- To resolve the effects of thermal noise in each side, an error correction coding is required. By using more robust decoders the potential of removing error bits will be increased. In this paper, we propose the use of a Low Density Parity Check (LDPC) error correcting code as a decoder for correcting discrepancies caused by thermal noise. LDPC codes are among the most powerful codes known. In this step, the LLR values from the previous step are blocked into frames of length equal to the code word length of the LDPC code selected and sent into the LDPC decoder. The LDPC decoder removes discrepancies, returning a valid code word for the specified LDPC code.

Some discrepancies will still remain between the two users' sequences. It has been shown that without public discussion between A and B, it is impossible for the two users to achieve 100 % agreement on a secret key [14]. Thus, it is proposed in this paper to use a simple public discussion algorithm based on a Hamming decoder (7,3) to reconcile the bits.

The measurement model prior to reconciliation is summarized in Fig. 3. Users A and B both observe the channel impulse response, $h(t)$, convolved with the transmitted pulse signal, $s(t)$, contaminated with independent noise. The resulting signals are converted to digital signals via ΣΔ-ADC.

Fig. 3. Block Diagram of Mutual Channel Measurements.
The bit sequences of both users are sent into identical LDPC decoders to reduce the number of differences between them.

Step 6- In this step, the output bit stream from the LDPC decoder is grouped into blocks of length 7 and fed into the decoder of a (7,3) Hamming forward error correction code to support the public discussion stage of the key generation algorithm.

Step 7 & 8 (Public Discussion)- Before public discussion, both transceivers A and B have nearly identical bit sequences from the LDPC decoders. The purpose of the public discussion is to allow A and B to discover what portion of bit sequences they have in common, without revealing what exactly these common bit sequence values are to an eavesdropper E. In this paper, the syndrome sequence calculated for a Hamming binary error correction code is transmitted for the public discussion. It is known that for data signals contaminated by additive white Gaussian noise, the syndrome sequence calculated by the decoder for a linear error correction code is independent of the message bits of the source code word [15]. In other words, the syndrome sequence, which is transmitted over a public channel and is available to eavesdroppers, does not give any information about the message bits. Based on this observation, this paper proposes public discussion based on Hamming (7,3) codes. These codes are easy to implement and have decoders with low computational complexity.

In this step, transceiver A sends the syndrome output of its Hamming decoder to transceiver B. Transceiver B then finds the set of all 7 bit long sequences which would result in the received syndrome from transceiver A. It then selects the 7 bit sequence which has the smallest Hamming distance from its output from stage 6. This process is only a minor variation from the standard Hamming error correction code decoding algorithm which is known to have low computational cost. For example, the bit sequences for each syndrome can be found in advance and stored in memory [16].

For public discussion, 4 bits are sent over the public channel to help make key agreement. While these 4 bits are now known to any eavesdroppers, the remaining 3 message bits of the Hamming codeword remain secret. These 3 bits form the basis of the secret key shared between A and B. Both A and B iteratively follow this process, storing the agreed upon secret key bits into local buffers, until the desired secret key length is achieved.

III. CHECKING KEY CONSISTENCY

At the end of the key generation process, the legitimate users A and B have to make sure that they have generated the same secret key before they use this key for secure communication. To perform this check, the following three step algorithm is proposed. The security of this method in the presence of a passive eavesdropper has been verified using the Automated Validation of Internet Security Protocols and Applications (AVISPA) software [17].

Fig. 4. Block diagram of Key Validation Process.

First- Transceiver A selects a random real number $R$, encrypts it with its own key $K_A$, and sends the encrypted value, $E_{K_A}(R)$, on the public channel to transceiver B, where $E_K(\cdot)$ is the encryption operator with key $K$.

Second- Transceiver B decrypts the received value with its own key, does a hashing operation on it, encrypts it with $K_B$, and sends $E_{K_B}(H(D_{K_B}(E_{K_A}(R))))$ to transceiver A on the public channel, where $D_K(\cdot)$ and $H(\cdot)$ are the decryption with key $K$ and hashing operators, respectively.

Third- Transceiver A decrypts the received value with $K_A$. If the result is $H(R)$ then transceiver A sends an OK acknowledgement to transceiver B which confirms that both A and B's keys are the same. On the other hand, if the result is not equal to $H(R)$ then transceiver A sends a negative acknowledgement to transceiver B indicating that the two transceivers' keys are not the same.

It should be noted that $E_K(\cdot)$, $D_K(\cdot)$, and $H(\cdot)$ are all assumed public. Also, $R$ cannot be reused and must be uniquely generated each time even if the replay attack would exist against the algorithm. For our algorithm, the key checking algorithm is run on each block of the key generated from the algorithm in Section II. In the next Section, we discuss the probability of transceivers A and B agreeing to the same key.

IV. SIMULATION RESULTS

In this work, our algorithms for key generation and agreement have been simulated with two different decoding methods. The simulated communication channel model is the UWB channel model CM1 from the IEEE P802.15 standard [10]. The sample time has been set to 0.167 nano-seconds. The detectors of this system are simple non-coherent envelope detectors. The transmitted pulse signal $s(t)$ is a raised cosine signal with a pulse duration of $T = 20$ ps with the energy value of $E_s = 1$. The LDPC code used to generate the decoder has a code rate of 1/2, code length of n = 64800, and message length of k = 32400.

Fig. 5. CDF of key agreement error versus key length for Channel model CM1 [10] for different SNR. LDPC decoder and Hamming (7,3) codes being used for public discussion. (Vertical axis: CDF of Agreement Error. Curves: SNR = 5 dB, 10 dB, 15 dB, 40 dB, 45 dB.)

Fig. 5 shows the cumulative distribution function for key agreement error versus different key length and signal-energy-to-noise-power ratio (SNR). [Here, we do not have a definition of SNR consistent with what is generally used in data communication systems, since the signal is not transmitted as data but to measure the channel characteristic.] When the SNR is increased, the difference between the received signals for A and B decreases so the probability of key disagreement decreases. The key rate in this simulation is the code rate of LDPC decoding, 1/2, times the code rate of Hamming decoding, 3/7, which is equal to 3/14. From each 14 bits of channel samples, 3 bits can be shared secret bits for the secret key. To calculate the probability of error the algorithm has been run 100 times and the number of key disagreements was recorded.

Fig. 6. CDF of key agreement error versus key length for Channel model CM1 [10] for different SNR. Three bits quantizer and (3,1) repetition code being used for public discussion [7]. (Vertical axis: CDF of Agreement Error. Curves: SNR = 5 dB, 15 dB, 25 dB, 35 dB.)

For comparison, the result of the authors' previous work [7] is shown in Fig. 6. In this algorithm a three bit linear quantizer had been used instead of the LLR computation and LDPC decoder blocks. In this prior work, a (3,1) repetition code was used for public discussion instead of the Hamming (7,3) code proposed in this work. With the above mentioned codes, the syndrome has a length of two bits. The key rate of this algorithm is 1/3.

Fig. 7. Comparison of CDF of key agreement error versus key length for Channel model CM1 [10] in SNR = 5 dB with new and previous methods. (Vertical axis: CDF of Agreement Error. Curves: Repetition Code (previous Method); LDPC and Hamming decoders (New Method).)

In Fig. 7 the CDF of agreement error for SNR = 5 dB with the new and previous methods is shown. Comparing the results of the two algorithms, it is obvious that there is an improvement in the key agreement algorithm with the LDPC and Hamming (7,3) algorithm.
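The public discussion of Steps 6 to 8 in Section II, sketched in Python as an added example that is not the authors' code. The paper gives no generator or parity check matrix for its (7,3) code, so the systematic matrix `P` and the choice of the first three bits of each block as the secret bits are assumptions made here.

```python
from itertools import product

# Assumed systematic [7,3] code: G = [I3 | P], H = [P^T | I4]. The paper names
# a "Hamming (7,3)" code but gives no matrices, so P is chosen for this example.
P = [(0, 1, 1, 1),
     (1, 0, 1, 1),
     (1, 1, 0, 1)]


def parity(msg):
    """Four parity bits msg*P (mod 2) for a 3-bit message."""
    return tuple(sum(m * row[j] for m, row in zip(msg, P)) % 2 for j in range(4))


def syndrome(word):
    """4-bit syndrome H*word^T of a 7-bit block: the bits sent on the public channel."""
    return tuple(p ^ w for p, w in zip(parity(word[:3]), word[3:]))


def coset(syn):
    """All eight 7-bit words with syndrome syn, exactly one per 3-bit message."""
    return [msg + tuple(p ^ s for p, s in zip(parity(msg), syn))
            for msg in product((0, 1), repeat=3)]


def distance(a, b):
    """Hamming distance between two equal-length bit tuples."""
    return sum(x != y for x, y in zip(a, b))


def reconcile(own_block, received_syndrome):
    """B's side: the coset member nearest to B's own block (first one on ties)."""
    return min(coset(received_syndrome), key=lambda w: distance(w, own_block))


def agree_block(block_a, block_b):
    """One round of public discussion: (public bits, A's secret bits, B's secret bits)."""
    syn = syndrome(block_a)            # A -> B over the public channel
    agreed = reconcile(block_b, syn)   # B moves to the nearest word in A's coset
    return syn, block_a[:3], agreed[:3]


# Constructed sample blocks: B's copy differs from A's in one position.
BLOCK_A = (1, 0, 1, 1, 0, 0, 1)
BLOCK_B = (1, 0, 1, 1, 1, 0, 1)

if __name__ == "__main__":
    public, key_a, key_b = agree_block(BLOCK_A, BLOCK_B)
    print("public syndrome:", public, "A bits:", key_a, "B bits:", key_b)
```

With this code, distinct coset members differ in four positions, so one differing bit per block is always repaired. Two differing bits can leave B on the wrong word, which is the case the key check of Section III is there to catch.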
In this method the probability of error has been decreased 10 times with respect to the previous algorithm, three bits quantizer and (3,1) repetition code.

V. CONCLUSION

The proposed method for key generation provides an order of magnitude improvement over previously reported key generation methods. This improvement is the result of the LDPC decoder for reducing the thermal noise effect and the Hamming (7,3) decoder which has been used for public discussion. Also, with the secure protocol which has been proposed for checking the equality of generated keys on the legitimate users' sides, the integrity and security of data communication on the main channel will be guaranteed.

ACKNOWLEDGMENT

This work has been partially supported by research grants from the Canadian National Science and Engineering Research Council (NSERC).

REFERENCES

[1] M. Ghavami, M. L. B., and K. R., Ultra Wideband Signals and Systems in Communication Engineering, 2nd ed. John Wiley & Sons, 2007.
[2] R. Ahlswede and I. Csiszar, "Common randomness in information theory and cryptography part I: Secret sharing," IEEE Transactions on Information Theory, vol. 39, no. 4, pp. 1121-1132, 1993.
[3] A. Hassan, W. Stark, J. Hershey, and S. Chennakeshu, "Cryptographic key agreement for mobile radio," Digital Signal Processing, Academic Press, vol. 6, pp. 207-212, 1996.
[4] C. Prettie, D. Cheung, L. Rusch, and M. Ho, "Spatial correlation of uwb signals in a home environment," Ultra Wideband Systems and Technologies, 2002. Digest of Papers. 2002 IEEE Conference on, pp. 65-69, 2002.
[5] G. Brassard and L. Salvail, "Secret-key reconciliation by public discussion," Lecture Notes in Computer Science, vol. 765, p. 410, 1994.
[6] Bennett, Brassard, Crepeau, and Maurer, "Generalized privacy amplification," IEEE Transactions on Information Theory, vol. 41, no. 6, pp. 1915-1923, 1995.
[7] M. Ghoreishi Madiseh, "Key Generation Technique Based on Wireless Channels Characteristics," Master's thesis, Iran University of Science and Technology, Tehran, Iran, July 2007.
[8] M. Ghoreishi Madiseh, M. McGuire, S. Neville, and A. Beheshti Shirazi, "Secret key extraction in ultra wideband channels for unsynchronized radios," in Proc. CNSR08 IEEE Computer Society Press, May 2008, pp. 175-182.
[9] G. Smith, "A direct derivation of a single-antenna reciprocity relation for the time domain," Antennas and Propagation, IEEE Transactions on, vol. 52, no. 6, pp. 1568-1577, June 2004.
[10] J. Foerster, "Channel modeling sub-committee report (final)," Feb. 2003.
[11] U. M. Maurer, "Secret key agreement by public discussion from common information," IEEE Transactions on Information Theory, vol. 39, no. 3, pp. 733-742, May 1993.
[12] R. Schreier and G. Temes, Understanding Delta-Sigma Data Converters. Wiley-IEEE Press, 2004.
[13] R. Gallager, Low-Density Parity-Check Codes. MIT Press, 1963.
[14] N. Vereshchagin, "A new proof Ahlswede - Gacs - Korner theorem on common information," Moscow State University, September 2002.
[15] S. Wicker, Error Control Systems for Digital Communication and Storage. Englewood Cliffs, NJ: Prentice Hall, 1995.
[16] S. Pradhan and K. Ramchandran, "Distributed source coding using syndromes (discus): design and construction," Information Theory, IEEE Transactions on, vol. 49, no. 3, pp. 626-643, Mar 2003.
[17] A. Armando, D. Basin, Y. Boichut, Y. Chevalier, L. Compagna, J. Cuellar, P. Drielsma, P. Héam, O. Kouchnarenko, J. Mantovani, S. Mödersheim, D. von Oheimb, M. Rusinowitch, J. Santiago, M. Turuani, L. Viganò, and V. L., "The AVISPA tool for the automated validation of internet security protocols and applications," Proc. Computer Aided Verification, Lecture Notes in Computer Science, vol. 3576, pp. 281-285, 2005, http://www.avispa-project.org/.
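The three step key check of Section III, as an added Python example rather than the authors' implementation. The paper leaves the encryption, decryption and hashing operators unspecified: here the hash is SHA-256, the cipher is a four-round Feistel permutation built from HMAC-SHA256 purely as a stand-in, and R is 32 random bytes; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

BLOCK = 32  # bytes; equals the SHA-256 digest size so H(R) fits in one cipher block
HALF = BLOCK // 2


def _round(key, i, half):
    """Feistel round function: truncated HMAC-SHA256 over round index and half-block."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, block):
    """Stand-in for E_K(.): keyed 4-round Feistel permutation on a 32-byte block."""
    left, right = block[:HALF], block[HALF:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def decrypt(key, block):
    """Stand-in for D_K(.): the same rounds undone in reverse order."""
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def h(data):
    """H(.): SHA-256 (an assumption; the paper only calls it a hashing operator)."""
    return hashlib.sha256(data).digest()


def a_challenge(key_a):
    """First step: A draws a fresh R and sends E_KA(R). R is never reused."""
    r = secrets.token_bytes(BLOCK)
    return r, encrypt(key_a, r)


def b_response(key_b, challenge):
    """Second step: B returns E_KB(H(D_KB(challenge)))."""
    return encrypt(key_b, h(decrypt(key_b, challenge)))


def a_verify(key_a, r, response):
    """Third step: A accepts only if D_KA(response) equals H(R)."""
    return hmac.compare_digest(decrypt(key_a, response), h(r))


def keys_match(key_a, key_b):
    """Run the whole exchange; True stands for the OK acknowledgement."""
    r, challenge = a_challenge(key_a)
    return a_verify(key_a, r, b_response(key_b, challenge))


if __name__ == "__main__":
    k = secrets.token_bytes(16)            # constructed sample key
    print("same key:", keys_match(k, k))
    print("one bit differs:", keys_match(k, bytes([k[0] ^ 1]) + k[1:]))
```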