Secret Key Generation and Agreement in UWB Communication Channels (1)

Masoud Ghoreishi Madiseh
Dept. of Electrical and Computer Engineering, University of Victoria
P.O. Box 3055 STN CSC, Victoria, B.C. V8W 3P6, CANADA
Spring 2008

(1) This work has been submitted to the Globecom 2008 conference.

Abstract

It has been shown that the radio channel impulse response for a pair of legitimate ultra-wideband (UWB) transceivers can be used to generate secret keys for secure communications. Previously proposed secret key generation algorithms under-exploited the number of secret key bits available from the radio channel. This report proposes a new efficient method for generation of the shared key in which the transceivers use LDPC decoders to resolve the differences in their channel impulse response measurements caused by measurement noise. To ensure secret key agreement, a public discussion between the two users is performed using the syndrome from Hamming (7,3) binary codes. An algorithm is proposed to check the equality of the keys generated by the two legitimate users and ensure error-free secure communication. The security of this algorithm has been verified by AVISPA. Comparisons are performed with previous work on secret key generation, and it is shown that this algorithm reliably generates longer secret keys in standard UWB radio channels.

Contents

1 Background
  1.1 Introduction
  1.2 Related Works
2 Theoretic Viewpoint
  2.1 Mathematical Problem of Public Discussion
  2.2 System Overview
    2.2.1 Key Generation Algorithm
  2.3 Checking Key Consistency
3 Experimental Viewpoint
  3.1 Simulation Results
4 Summary
  4.1 Conclusion
  4.2 Future Work

Chapter 1 Background

1.1 Introduction

The continual development of faster automatic information processing systems has created a need for high data rate communications systems. Ultra-wideband (UWB) wireless communications systems have been proposed for next generation wireless because of their high data rate capacity as well as their robustness, capability for signal transmission through standard building materials, and simplicity of system design [1]. However, a disadvantage of existing wireless communications systems is the danger of the integrity of the communications being compromised. Wireless systems send electromagnetic waves through open space that passive eavesdroppers can intercept. Thus, the security sub-system in wireless systems has a more important role than in wire-line systems. A challenge for the designers of UWB wireless systems is to develop methods for data integrity and security.

Quantum Key Distribution (QKD) was invented in 1984 by Charles Bennett and Gilles Brassard. They built their security method on known laws of physics instead of the mathematical complexity of previous algorithms [2]. By relying on special physical properties of the communication system, every interception by a third party of the bits shared between the legitimate users can be detected by them, so that part of the secret information can be ignored [3].

In the 1940s, Claude Shannon provided the information-theoretic basis for perfect secrecy. To achieve perfect secrecy, the information contained within the cryptographic key must be at least as large as the information within the message [4]. This form of encryption is known as a Vernam cipher [5], also known as a one-time pad. Unfortunately, in practice, it is difficult to distribute the completely secret, completely random, one-time secret keys needed for Vernam ciphers, so they have not been widely adopted.

When the bits shared through QKD are used as key material for Vernam ciphers, Shannon's ideal of perfect secrecy can be achieved easily. In contrast with the unproven foundations of public-key techniques (i.e. Diffie and Hellman), QKD provides information theoretic secrecy firmly based on the laws of physics [3].

Recently, a novel technique has been developed that uses direct UWB channel characterization to generate secret keys, providing security in the physical layer of wireless communications systems [6, 7]. UWB channel measurements are used to create shared cryptographic secret keys for each given pair of communicating terminals. The automated generation of a secret key is intrinsically spatially and temporally specific, increasing security. The underlying nature of UWB indoor radio propagation makes it difficult, if not impossible, for third parties to estimate the values of this secret key without being co-located with the legitimate users. Indoor UWB channels have been found to be independent for antenna separation distances of more than 15.2 cm (6 inches) [8]. Therefore, if a reasonable distance separates the eavesdroppers from each of the legitimate users, the channel impulse response between the legitimate users becomes a source of shared unique secret information. Fig. 1.1 shows the physical scenario of interest in this work. Users A and B communicate via a UWB channel and generate a shared secret session key based on the mutual information of their respective channel characterizations.

[Figure 1.1: Physical scenario of A and B communicating over the UWB channel secured through the secret key generated directly from the UWB channel characteristics [12]. Labels: unsuccessful eavesdropper C; secured UWB channel between A and B; limited regions of close proximity where eavesdropping is viable.]

There has been a great deal of work in the cryptography community on secret key generation from noisy observations of a common random process [6]. In our case, the random process is a radio channel. The basic idea is that both legitimate users make measurements of a random process visible to both of them. Then, the legitimate users must reconcile their observations to reduce the effect of independent noise [9], and then perform privacy amplification to remove candidate secret key bits observable by third parties [10]. The key to this method is to perform this process and obtain the highest number of secret key bits without leaking information to third parties.

Systems have been previously proposed for the use of UWB channel measurements for secret key generation [11]. However, it has been shown that these methods do not come close to obtaining all the available secret key bits from UWB channel impulse response measurements [12]. For more information on the cryptographic securing of digital communications, the curious reader is referred to [7, 13–19].

In this report, a new secret key generation technique is proposed which generates larger numbers of secret key bits from observations of standard UWB channel models than previously proposed techniques. The key to this technique is the use of LDPC decoders to increase the bit agreement probability between the legitimate users of the channel. Public discussion, using a Hamming code decoder, allows the legitimate users to reconcile their independently generated secret keys without reducing the security of the generated final key.

The remainder of this report is organized as follows. Section 2.2 provides an overview of the secret key generation techniques for UWB. The new method of key generation is also introduced in that section and the benefits of this method are described. Section 2.3 proposes our verified method for checking the consistency of the keys generated on the two legitimate users' sides. In Section 3.1, the performance of the proposed algorithm in simulations is presented. In Section 4.1 the conclusions of this paper are given and some possibilities for future work are described.

1.2 Related Works

The authors have previously derived bounds on the maximal length of the secret key that can be constructed from the physical properties of the UWB channel for given time durations, specifying the maximum rate for perfectly secure communications for these systems [12]. It was demonstrated that the nature of UWB systems allows for the generation of long shared keys for standard UWB communications channels over short time durations. Therefore, this approach of secret key generation from UWB radio channel measurements is suitable for secure high data rate communications.

In [7], the authors proposed a key generation platform; however, in that work the public discussion concept was not considered. On the other hand, in [20, 21] it has been proved that without reconciliation the secret sharing rate is zero. In [19] a key generation platform is proposed for a simple channel measurement model with an estimate of the eavesdropping channel. This last assumption is not practical for most secure communications systems. There has been previous work on the use of radio channel impulse response measurements to generate secret keys [11]. These works successfully generated secret key bits, but at a rate below the maximum rate available [12].

Chapter 2 Theoretic Viewpoint

2.1 Mathematical Problem of Public Discussion

The purpose of the public discussion is to allow Alice, A, and Bob, B, to discover what portion of their common bit sequences are identical, without revealing what exactly these common bit sequence values are to an eavesdropper E. This section states the public discussion problem mathematically and describes the relationship between this problem and forward error control coding.

Assume that N reference points, $I = \{I_1, I_2, \ldots, I_N\}$, are selected on the integer axis and that everybody knows these reference points. Also assume that two random real numbers $R_a$ and $R_b$ are written on pieces of paper and put in boxes A and B respectively. To create $R_a$ and $R_b$, the creator took one of the integer values of the set $I$ and added to it the random real variables $e_a$ and $e_b$ for A and B respectively. Suppose that $e_a$ and $e_b$ are independent and have a zero mean normal distribution with variance $\sigma_0^2$. Nobody except the creator of $R_a$ and $R_b$ knows these values.

$$R_a = I_p + e_a, \qquad R_b = I_p + e_b$$

where $I_p \in I$. Alice opens box A and Bob opens box B. They want to agree on an integer number, $I_p$, together in front of Eve, and they want their agreement to remain secure. In secret communication, this discussion for agreement on a shared secret is called public discussion, i.e. a discussion that is public and visible to Eve but only helps the legitimate users to agree and does not give Eve any useful information about $I_p$ (what A and B want to agree on).

Suppose that Bob finds the reference integer in $I$ nearest to his own number, $R_b$, and announces the difference between $R_b$ and his selected reference, $I_b$, to Alice. Alice looks for an $I_a \in I$ that minimizes $|I_a + R_b - I_b - R_a|$.

$$|I_a + R_b - I_b - R_a| = |(I_a - I_b) + e| \qquad (2.1)$$

$$e = e_b - e_a \qquad (2.2)$$

In Eq. 2.2, $e$ is a zero mean normal random variable with variance $2\sigma_0^2$. Suppose that the members of $I$ are separated by at least $d_{min}$; then, as long as $e$ is less than $d_{min}$, the only value that minimizes $|I_a - I_b + e|$ is $I_a = I_b$. In this case Alice and Bob agree on $I_s = I_a = I_b$ without giving any knowledge to Eve. The uncertainty, or in other words the probability that Eve can guess $I_s$ correctly, is $1/N$. By increasing the number of reference points (the complexity of the public discussion subsystem), guessing $I_s$ becomes harder for Eve. Also, the probability that Alice and Bob can agree on $I_s$ is equal to the probability that $e$ is less than $d_{min}$, which is:

$$\Pr(e < d_{min}) = 1 - Q\left(\frac{d_{min}}{\sqrt{2}\,\sigma_0}\right) \qquad (2.3)$$

Applying error correction coding theory and mapping the known reference points to valid code words, the error announced from B to A is the syndrome of the code. In this work, the Hamming (7,3) code has been used for public discussion.

2.2 System Overview

The basis of the proposed key generation system is the electromagnetic theory of reciprocity, which states that when one of two antennas with no non-linear components radiates a signal, the signal received by the other antenna is independent of which antenna is the source antenna [22]. In other words, the radio channel from antenna A to antenna B is equal to the channel from antenna B to antenna A. Translating the electromagnetic antenna reciprocity theorem into communication system theory, the impulse response of the communication channel from A to B, $h_{AB}(t)$, is equal to the impulse response of the channel from B to A, $h_{BA}(t)$.
The reciprocity theorem indicates that for two UWB transceivers A and B, the impulse response of their shared radio channel is a source of shared information that they can use for generating a secret key to support secure communications. The only condition is that the time separation between A's and B's measurements of the channel must be less than the channel coherence time, $T_c$, defined as the maximum time duration over which the radio channel impulse response is stable. The assumed indoor environment allows a coherence time of between 1 microsecond and 10 microseconds to be reasonable [23]. Also, for the indoor UWB radio channel, it has been shown that channel realizations are independent for antennas more than 15.2 cm from either A or B [8]. Therefore, it is difficult for other radio receivers to obtain the same channel measurements, and thus obtain A and B's secret key.

For secret key generation from mutual observations of a random process, such as the channel impulse response, it has been proven in [24] that the secret key rate, $S(A;B\|E)$, available to A and B over an open broadcast channel with respect to an eavesdropper E is upper bounded by

$$S(A;B\|E) \le \min\left[I(Y_A;Y_B),\; I(Y_A;Y_B \mid Y_E)\right] \qquad (2.4)$$

and lower bounded by

$$S(A;B\|E) \ge \max\left[I(Y_A;Y_B) - I(Y_A;Y_E),\; I(Y_A;Y_B) - I(Y_B;Y_E)\right] \qquad (2.5)$$

where $I(Y_A;Y_B)$ is the mutual information between the channel impulse response measurements, with $Y_A$, $Y_B$, and $Y_E$ being the channel measurements for A, B and E respectively. This bound becomes tight when no mutual information exists between the channel measurements available to the eavesdropper E and those of A and B. As stated above, this case is realized when the eavesdropper is sufficiently far away from the legitimate users. In such cases, the theoretic secret key rate is maximized.

2.2.1 Key Generation Algorithm

Fig. 2.1 shows the block diagram of the proposed key generation algorithm. This report proposes the use of an LDPC decoder to reduce the disagreements in the bit sequences of users A and B caused by the measurement noise. A Hamming (7,3) decoder is then used to support the required public discussion between A and B to confirm their independent generation of the identical secret key in a manner which does not expose the key to an eavesdropper. The following algorithm generates the secret key in an eight step process:

Step 1- Transceiver A sends a pulse $s(t)$ to transceiver B and then transceiver B sends a pulse of the same shape to transceiver A. As mentioned above, the time separation between the pulse transmission times must be less than the coherence time of the channel, $T_c$, so that both transceivers measure a signal resulting from the same channel impulse response.
Step 2- So that the measurements are not affected by differences in the local clock phase, both transceivers use a non-coherent envelope detector. Both transceivers detect and sample the received signals resulting from the transmitted pulse, $s(t)$, plus independent thermal noise and radio signal interference. Suppose that the impulse response of the channel for the time period of interest is $h(t)$; then the received signals for A and B are $y_A(t) = s(t) * h(t) + n_A(t)$ and $y_B(t) = s(t) * h(t) + n_B(t)$ respectively, where $s(t) * h(t)$ is the convolution of the signals $s(t)$ and $h(t)$. The noise signals $n_A(t)$ and $n_B(t)$ are independent zero mean additive white Gaussian noise (AWGN) signals with mean powers of $\sigma_0^2 = N_0/2$.

[Figure 2.1: Block diagram of the key generation platform. Blocks shown for each transceiver: raised cosine thin pulse transmitter, UWB channel, envelope detector, sampling, LMS predictor, LLR computation, LDPC decoder, reshape stream to 7-bit blocks, compute syndrome with Hamming (7,3) decoder, maximum likelihood decision with standard array Hamming (7,3) decoder.]

The random processes $y_A(t)$ and $y_B(t)$ are sampled at higher than their Nyquist rates, generating the discrete time random processes $y_A(kt)$ and $y_B(kt)$, respectively.

Step 3 & 4- The next two steps combined model a sigma-delta analog to digital conversion (ΣΔ-ADC) of the received noisy channel impulse response waveform. This allows a high resolution quantized version of the signal to be processed by the following error removal stages for key reconciliation. An ideal ΣΔ-ADC uses a linear predictor on an oversampled signal and then performs a single bit quantization on the resulting prediction error. It has been shown that this form of quantization can provide excellent quantization performance [25]. For our system, a Least Mean Square (LMS) predictor with three taps is used. Investigation of the second order statistics of the prediction error found that the three tap predictor gave excellent prediction error performance, with little improvement seen with longer prediction filters. We replace the standard hard quantization with a soft output quantizer based on a Logarithm Likelihood Ratio (LLR) computation. An LDPC decoder is used in stage 5 to remove the effects of measurement noise. The use of soft LLR inputs, as opposed to hard binary decisions, is standard practice for LDPC decoders [26]. The definition of the LLR is:

$$\mathrm{LLR}(y_i) = \ln\left(\frac{\Pr(c_i = 0 \mid y_i)}{\Pr(c_i = 1 \mid y_i)}\right) = \ln\left(\frac{Q\left(\frac{y_i}{\sigma_0}\right)}{1 - Q\left(\frac{y_i}{\sigma_0}\right)}\right) \qquad (2.6)$$

where $c_i$ is the i-th bit of the code word, $y_i$ is the i-th noisy symbol, $\Pr(c_i = c \mid y_i)$ is the probability that $c_i = c$ given the received measurement value $y_i$, and $Q(x) = \frac{1}{\sqrt{2\pi}} \int_x^{\infty} \exp\left(-t^2/2\right) dt$.

Step 5- To resolve the effects of thermal noise on each side, error correction coding is required. Using more robust decoders increases the potential for removing error bits. In this paper, we propose the use of a Low Density Parity Check (LDPC) error correcting code's decoder for correcting discrepancies caused by thermal noise. LDPC codes are among the most powerful codes known.
In this step, the LLR values from the previous step are blocked into frames of length equal to the code word length of the selected LDPC code and sent into the decoder. The LDPC decoder removes discrepancies, returning a valid code word for the specified LDPC code. Some discrepancies will still remain between the two users' sequences. It has been shown that without a public discussion between A and B, it is impossible for the two users to achieve 100% agreement on a secret key [21]. Thus, it is proposed in this paper to use a simple public discussion algorithm based on a Hamming (7,3) decoder to reconcile the bits.

The measurement model prior to reconciliation is summarized in Fig. 2.2. Users A and B both observe the channel impulse response, $h(t)$, convolved with the transmitted pulse signal, $s(t)$, contaminated with independent noise. The resulting signals are converted to digital signals via a ΣΔ-ADC. The bit sequences of both users are sent into identical LDPC decoders to reduce the number of differences between them.

[Figure 2.2: Block diagram of mutual channel measurements. The signal from the channel, $h(t) * s(t)$, is summed with the thermal noise $n_A(t)$ at transceiver A and $n_B(t)$ at transceiver B; each branch passes through an envelope detector, an ADC and an LDPC decoder, producing $C_A$ and $C_B$.]

Step 6- In this step, the output bit stream from the LDPC decoder is grouped into blocks of length 7 and fed into the decoder of a (7,3) Hamming forward error correction code to support the public discussion stage of the key generation algorithm.

Step 7 & 8 (Public Discussion)- Before public discussion, both transceivers A and B have nearly identical bit sequences from the LDPC decoders. The purpose of the public discussion is to allow A and B to discover what portion of their bit sequences they have in common, without revealing what exactly these common bit sequence values are to an eavesdropper E. In this paper, the syndrome sequence calculated for a Hamming binary error correction code is transmitted for the public discussion. It is known that for data signals contaminated by additive white Gaussian noise, the syndrome sequence calculated by the decoder for a linear error correction code is independent of the message bits of the source code word [27]. In other words, the syndrome sequence, which is transmitted over a public channel and is available to eavesdroppers, does not give any information about the message bits. Based on this observation, this paper proposes public discussion based on Hamming (7,3) codes. These codes are easy to implement and have decoders with low computational complexity. In this step, transceiver B sends the syndrome output of its Hamming decoder to transceiver A. Transceiver A then finds the set of all 7 bit long sequences which would result in the syndrome received from transceiver B. It then selects the 7 bit sequence which has the smallest Hamming distance from its own output from stage 6. This process is only a minor variation of the standard Hamming error correction code decoding algorithm, which is known to have low computational cost.
For example, the bit sequences for each syndrome can be found in advance and stored in memory. 4 bits have been sent over the public channel to help make a key agreement. While these 4 bits are now known to any eavesdroppers, the 3 remaining message bits of the Hamming decoder output remain secret. These 3 bits form the basis of the secret key shared between A and B. Both A and B feed these bits into a buffer to generate more secret bits until the key length stored in the buffer is sufficient for the agreed encryption protocol.

2.3 Checking Key Consistency

At the end of the key generation process, the legitimate users A and B have to make sure that they have generated the same secret key before they use this key for secure communication. To perform this check, the following three step algorithm is proposed. The security of this method in the presence of a passive eavesdropper has been verified using the Automated Validation of Internet Security Protocols and Applications (AVISPA) software [28].

[Figure 2.3: Block diagram of the key validation process. Blocks: random generator R, encrypt with $K_B$, decrypt with $K_A$, hash function H, encrypt with $K_A$, decrypt with $K_B$, hash function H applied to R, and a decision yielding a positive or negative acknowledge.]

First- Transceiver B selects a random real number $R$, encrypts it with its own key $K_B$, and sends the encrypted value, $E_{K_B}(R)$, on the public channel to transceiver A, where $E_K(\cdot)$ is the encryption operator with key $K$.

Second- Transceiver A decrypts the received value with its own key, performs a hashing operation on it, encrypts it with $K_A$, and sends $E_{K_A}(H(D_{K_A}(E_{K_B}(R))))$ to transceiver B on the public channel, where $D_K(\cdot)$ and $H(\cdot)$ are the decryption operator with key $K$ and the hashing operator, respectively.

Third- Transceiver B decrypts the received value with $K_B$. If the result is $H(R)$, then transceiver B sends an OK acknowledgement to transceiver A, which confirms that A's and B's keys are the same. On the other hand, if the result is not equal to $H(R)$, then transceiver B sends a negative acknowledgement to transceiver A, indicating that the two transceivers' keys are not the same.

It should be noted that $E_K(\cdot)$, $D_K(\cdot)$, and $H(\cdot)$ are all assumed public. Also, $R$ cannot be reused and must be uniquely generated each time, even if a replay attack would exist against the algorithm. For our algorithm, the key checking algorithm is run on each block of the key generated by the algorithm in Section 2.2. In the next section, we discuss the probability of transceivers A and B agreeing on the same key.
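The three-step check of Section 2.3, as an added example that is not code from the report. Assumptions: the report leaves $E_K$, $D_K$ and $H$ unspecified, so SHA-256 stands in for $H$, a four-round Feistel network over HMAC-SHA256 stands in for $E_K$/$D_K$ (an illustrative keyed permutation, not a vetted cipher), $R$ is 32 random bytes rather than a real number, and every function name is hypothetical.

```python
import hashlib
import hmac
import secrets

BLOCK = 32  # bytes; R and H(R) each fit in one cipher block


def bits_to_key(bits):
    """Derive a cipher key from the generated key bits (assumed mapping)."""
    return hashlib.sha256("".join(map(str, bits)).encode()).digest()


def _round(key, i, half):
    # Feistel round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, block, rounds=4):
    """E_K: stand-in keyed permutation on 32-byte blocks."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(rounds):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def decrypt(key, block, rounds=4):
    """D_K: inverse of encrypt() under the same key."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(rounds)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def h(data):
    """H(.): public hash function."""
    return hashlib.sha256(data).digest()


def b_challenge(k_b, r=None):
    """First: B draws a fresh R and sends E_KB(R) on the public channel."""
    r = r or secrets.token_bytes(BLOCK)  # a new R for every run
    return r, encrypt(k_b, r)


def a_response(k_a, challenge):
    """Second: A returns E_KA(H(D_KA(E_KB(R))))."""
    return encrypt(k_a, h(decrypt(k_a, challenge)))


def b_verify(k_b, r, response):
    """Third: B decrypts with K_B and compares against H(R)."""
    return hmac.compare_digest(decrypt(k_b, response), h(r))


def keys_match(k_a, k_b):
    """Run the whole exchange; True means a positive acknowledgement."""
    r, challenge = b_challenge(k_b)
    return b_verify(k_b, r, a_response(k_a, challenge))


if __name__ == "__main__":
    # Constructed key bits: identical keys, then keys differing in one bit.
    good = bits_to_key([1, 0, 1, 0, 1, 1, 1, 1, 1])
    bad = bits_to_key([1, 0, 1, 0, 1, 1, 1, 1, 0])
    print("same keys:", keys_match(good, good))
    print("one bit differs:", keys_match(good, bad))
```
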

Chapter 3 Experimental Viewpoint

3.1 Simulation Results

In this work, our algorithms for key generation and agreement have been simulated with two different decoding methods. The simulated communication channel model is the UWB channel model CM1 from the IEEE P802.15 standard [23]. The sample time has been set to 0.167 nanoseconds. The detectors of this system are simple non-coherent envelope detectors. The transmitted pulse signal s(t) is a raised cosine signal with a pulse duration of T = 20 ps and an energy value of E_s = 1. The LDPC code used to generate the decoder has a code rate of 1/2, a code length of n = 64800, and a message length of k = 32400. The parity check matrix of the Hamming (7,3) code used is:

$$H = \begin{bmatrix} 0 & 1 & 1 & 1 & 0 & 0 & 0 \\ 1 & 0 & 1 & 0 & 1 & 0 & 0 \\ 1 & 1 & 0 & 0 & 0 & 1 & 0 \\ 1 & 1 & 1 & 0 & 0 & 0 & 1 \end{bmatrix} \tag{3.1}$$

Fig. 3.1 shows the cumulative distribution function (CDF) of key agreement error versus key length for different signal-to-noise ratios (SNR). When the SNR is increased, the difference between the received signals for A and B decreases, so the probability of key disagreement decreases. The key rate in this simulation is the code rate of LDPC decoding, 1/2, times the code rate of Hamming decoding, 3/7, which equals 3/14. From each 14 bits of channel samples, 3 bits can be shared secret bits for the secret key. To calculate the probability of error, the algorithm has been run 100 times and the number of key disagreements was recorded.

Figure 3.1: CDF of key agreement error versus key length for channel model CM1 [23] for different SNR (5, 10, 15, 40, and 45 dB), with the LDPC decoder and Hamming (7,3) code used for public discussion. Axes: key length in bits (horizontal), CDF of agreement error (vertical).

For comparison, the result of the author's previous work [11] is shown in Fig. 3.2. In that algorithm, a three-bit linear quantizer was used instead of the LLR computation and LDPC decoder blocks. In this prior work, a (3,1) repetition code was used for public discussion instead of the Hamming (7,3) code proposed in this work. The parity check matrix of the (3,1) repetition code that was used for public discussion is:

$$H = \begin{bmatrix} 1 & 0 & 1 \\ 0 & 1 & 1 \end{bmatrix} \tag{3.2}$$

With the above-mentioned codes, the syndrome is two bits long. The key rate of this algorithm is 1/3. Fig. 3.3 shows the CDF of agreement error at SNR = 5 dB for the new and previous methods. Comparing the results of the two algorithms shows a clear improvement in key agreement with the LDPC and Hamming (7,3) algorithm. With this method, the probability of error is decreased 10 times with respect to the previous algorithm, which used the three-bit quantizer and (3,1) repetition code.
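The following added example (not code from the thesis) runs a syndrome exchange with the parity check matrices (3.1) and (3.2): A publishes the syndrome of its block and B uses it to correct a single differing bit. The exchange itself, the rule for which bits are kept as secret, and all function names are assumptions made for illustration; the page's own algorithm is the one in Section 2.2.

```python
# Added illustration, not the thesis code: syndrome exchange over GF(2).
H_HAMMING = [            # eq. (3.1), 4 x 7, systematic form [P | I4]
    [0, 1, 1, 1, 0, 0, 0],
    [1, 0, 1, 0, 1, 0, 0],
    [1, 1, 0, 0, 0, 1, 0],
    [1, 1, 1, 0, 0, 0, 1],
]
H_REPETITION = [         # eq. (3.2), 2 x 3, systematic form [I2 | P]
    [1, 0, 1],
    [0, 1, 1],
]


def columns(H):
    """Columns of H as tuples; column j is the syndrome of an error in bit j."""
    return [tuple(row[j] for row in H) for j in range(len(H[0]))]


def syndrome(H, bits):
    """s = H * bits over GF(2): the value A sends on the public channel."""
    return tuple(sum(h & b for h, b in zip(row, bits)) % 2 for row in H)


def reconcile(H, bits_b, syndrome_a):
    """B's side (assumed scheme): align bits_b with A's block.

    Returns the corrected block, or None when the syndrome difference is
    non-zero and matches no single column of H, so the block is discarded.
    """
    diff = tuple(x ^ y for x, y in zip(syndrome(H, bits_b), syndrome_a))
    if not any(diff):
        return list(bits_b)
    cols = columns(H)
    if diff not in cols:
        return None
    fixed = list(bits_b)
    fixed[cols.index(diff)] ^= 1
    return fixed


def secret_bits(H, bits):
    """Assumed extraction rule: keep positions outside the identity part of H
    (columns of weight > 1); for a uniform block these bits are independent
    of the published syndrome."""
    return [b for b, col in zip(bits, columns(H)) if sum(col) > 1]


def kept_fraction(H):
    """(secret bits, block bits) per block: (3, 7) for (3.1), (1, 3) for (3.2)."""
    return (len(H[0]) - len(H), len(H[0]))
```

With matrix (3.1), a block in which two bits differ yields a syndrome difference that matches no column and is rejected, whereas with matrix (3.2) every non-zero difference matches a column, so a two-bit disagreement is silently miscorrected.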

Figure 3.2: CDF of key agreement error versus key length for channel model CM1 [23] for different SNR (5, 15, 25, and 35 dB), with the three-bit quantizer and (3,1) repetition code used for public discussion [11]. Axes: key length in bits (horizontal), CDF of agreement error (vertical).

Figure 3.3: Comparison of CDF of key agreement error versus key length for channel model CM1 [23] at SNR = 5 dB with the new method (LDPC and Hamming decoders) and the previous method (repetition code). Axes: key length in bits (horizontal), CDF of agreement error (vertical).

Chapter 4 Summary

4.1 Conclusion

The proposed method for key generation provides an order of magnitude improvement over previously reported key generation methods. This improvement is the result of the LDPC decoder, which reduces the effect of thermal noise, and the Hamming (7,3) decoder, which is used for public discussion. Also, with the secure protocol proposed for checking the equality of the keys generated on the legitimate users' sides, the integrity and security of data communication on the main channel will be guaranteed.

4.2 Future Work

For future work, the following areas will be investigated: (a) verifying reciprocity in real-world indoor UWB systems, (b) exploring the use of privacy amplification methods so that this secret key generation technique is secure in non-indoor environments where the eavesdropper channel has some correlation to the main channel, and (c) exploring alternative methods of supporting the required public discussion.

Bibliography

[1] M. Ghavami, M. L. B., and K. R., Ultra Wideband Signals and Systems in Communication Engineering, 2nd ed. John Wiley & Sons, 2007.
[2] C. H. Bennett and G. Brassard, Quantum cryptography: Public key distribution and coin tossing, in Proc. Intel Conf. Computers, Systems & Signal Processing, CS Press, 1984, pp. 175-179.
[3] C. Elliott, Quantum cryptography, IEEE Security and Privacy Magazine, vol. 2, pp. 57-61, 2004.
[4] C. Shannon, Communication theory of secrecy systems, Bell System Technical Journal, vol. 29, pp. 656-715, 1949.
[5] G. Vernam, Cipher printing telegraph for secret wire and radio telegraphic communications, J. Am. Inst. Electrical Eng., vol. 45, pp. 109-115, 1926.
[6] R. Ahlswede and I. Csiszar, Common randomness in information theory and cryptography part I: Secret sharing, IEEE Transactions on Information Theory, vol. 39, no. 4, pp. 1121-1132, 1993.
[7] A. Hassan, W. Stark, J. Hershey, and S. Chennakeshu, Cryptographic key agreement for mobile radio, Digital Signal Processing, Academic Press, vol. 6, pp. 207-212, 1996.
[8] C. Prettie, D. Cheung, L. Rusch, and M. Ho, Spatial correlation of UWB signals in a home environment, Ultra Wideband Systems and Technologies, 2002. Digest of Papers. 2002 IEEE Conference on, pp. 65-69, 2002.
[9] G. Brassard and L. Salvail, Secret-key reconciliation by public discussion, Lecture Notes in Computer Science, vol. 765, p. 410, 1994.
[10] Bennett, Brassard, Crepeau, and Maurer, Generalized privacy amplification, IEEE Transactions on Information Theory, vol. 41, no. 6, pp. 1915-1923, 1995.
[11] M. Ghoreishi Madiseh, Key Generation Technique Based on Wireless Channels Characteristics, Master's thesis, Iran University of Science and Technology, Tehran, Iran, July 2007.
[12] M. Ghoreishi Madiseh, M. McGuire, S. Neville, and A. Beheshti Shirazi, Secret key extraction in ultra wideband channels for unsynchronized radios, in Proc. CNSR08, IEEE Computer Society Press, May 2008, pp. 175-182.
[13] M. A. Tope and J. C. McEachen, Unconditionally secure communications over fading channels, in Proc. MILCOM. IEEE, 2001.
[14] I. Csiszar and P. Narayan, Common randomness and secret key generation with a helper, Information Theory, IEEE Transactions on, vol. 46, no. 2, pp. 344-366, Mar 2000.
[15] R. Ahlswede and I. Csiszar, Common randomness in information theory and cryptography. II. CR capacity, Information Theory, IEEE Transactions on, vol. 44, no. 1, pp. 225-240, Jan 1998.
[16] U. M. Maurer, Protocols for secret key agreement by public discussion based on common information, Advances in Cryptology - CRYPTO 92, Lecture Notes in Computer Science, vol. 740, pp. 461-470, Aug 1993.
[17] J. Muramatsu, Secret key agreement from correlated source outputs using LDPC matrices, in Proc. ISIT2004, Chicago, USA, July 2004.
[18] M. Bloch, J. Barros, M. Rodrigues, and S. McLaughlin, Wireless information-theoretic security - part I - theoretical aspects.
[19] M. Bloch, J. Barros, M. Rodrigues, and S. McLaughlin, Wireless information-theoretic security - part II: Practical implementation.
[20] P. Gács and J. Körner, Common information is far less than mutual information, Problems of Control and Information Theory, vol. 2, pp. 149-162, 1973.
[21] N. Vereshchagin, A new proof Ahlswede - Gacs - Korner theorem on common information, Moscow State University, September 2002.
[22] G. Smith, A direct derivation of a single-antenna reciprocity relation for the time domain, Antennas and Propagation, IEEE Transactions on, vol. 52, no. 6, pp. 1568-1577, June 2004.
[23] J. Foerster, Channel modeling sub-committee report (final), Feb. 2003.
[24] U. M. Maurer, Secret key agreement by public discussion from common information, IEEE Transactions on Information Theory, vol. 39, no. 3, pp. 733-742, May 1993.
[25] R. Schreier and G. Temes, Understanding Delta-Sigma Data Converters. Wiley-IEEE Press, 2004.
[26] R. Gallager, Low-Density Parity-Check Codes. MIT Press, 1963.
[27] S. Wicker, Error Control Systems for Digital Communication and Storage. Englewood Cliffs, NJ: Prentice Hall, 1995.
[28] A. Armando, D. Basin, Y. Boichut, Y. Chevalier, L. Compagna, J. Cuellar, P. Drielsma, P. Héam, O. Kouchnarenko, J. Mantovani, S. Mödersheim, D. von Oheimb, M. Rusinowitch, J. Santiago, M. Turuani, L. Viganò, and V. L., The AVISPA tool for the automated validation of internet security protocols and applications, Proc. Computer Aided Verification, Lecture Notes in Computer Science, vol. 3576, pp. 281-285, 2005, http://www.avispa-project.org/.