Improving Privacy and Security in Multi-Authority Attribute-Based Encyption
Improving Privacy and Security in Multi-Authority Attribute-Based Encyption
Improving Privacy and Security in Multi-Authority Attribute-Based Encyption
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.3004451, IEEE Internet of
Things Journal
1
Abstract—The one time pad (OTP) secure transmission relies Our communication and computer networks are currently
on the random keys to achieve perfect secrecy, while the unpre- protected by modern cryptography including public key cryp-
dictable wireless channel is shown to be a good random source. tography and symmetric encryption [5]. Even though they are
There is very few work of the joint design of OTP and key genera-
tion from wireless channels. This paper provides a comprehensive very mature, there are some concerns when quantum computer
and quantitative investigation on secure transmission achieved becomes available in the future. Public key cryptography
by OTP and wireless channel randomness. We propose two OTP relies on complicated mathematical problems such as discrete
secure transmission schemes, i.e., Identical Key-based Physical- logarithm that is not scalable, which may be cracked by the
layer Secure Transmission (IK-PST) and Un-identical Key-based quantum computer [6]. Therefore, this paper will revisit OTP
Physical-layer Secure Transmission (UK-PST). We quantitatively
analyze the performance of both schemes and prove that UK- which should be secure against quantum computer.
PST outperforms IK-PST. We extend the pairwise schemes to a In 1993, Ahlswede et al. and Maurer published their seminal
group of users in networks with star and chain topologies. We work of secret key agreement from common randomness [7],
implement prototypes of both schemes and evaluate the proposed [8], which is an ideal candidate for generating symmetric keys
schemes through both simulations and experiments. The results for OTP. Their pioneer work has triggered extensive investi-
verify that UK-PST has a higher effective secret transmission
rate than that of IK-PST for scenarios with both pairwise and gation to exploit the randomness residing in the reciprocal
group users. wireless channel [9], [10]. Various practical key generation
approaches have been proposed and verified on platforms with
Index Terms—One time pad; secret key generation; physical-
layer security; information reconciliation; group key distribution. a variety of wireless techniques, e.g., ZigBee [11], WiFi [12],
[13] and LoRa [14], [15]. In practice, key generation is subject
to impairments of channel measurements due to time delay in
TDD systems, hardware imperfection and noise [16]. Even
I. INTRODUCTION when various preprocessing approaches are adopted to im-
prove the similarity between channel characteristics [16] and
Information security has become the subject of scrutiny
quantization algorithms are improved to reduce the disagree-
after a number of notorious cyberattacks [1], [2]. Actually,
ments between quantized bit sequences, they cannot guarantee
it has been taken into account as early as the communications
to produce the same key. Hence, key generation protocol
technologies were born. Venman proposed one time pad (OTP)
requires information reconciliation to negotiate an identical
in 1919, which encrypts each message bit with a different key
key, which requires parity information exchanged over the
bit via exclusive OR (XOR) [3]. In 1949, Shannon mathemat-
public channel and error correction. The generated key can be
ically proved that OTP can achieve information-theoretically
used in any scenarios where common information is required.
security [4], i.e., perfect secrecy can be obtained even against
adversaries with infinite computational power. While OTP is For example, it can be used as a seed of a stream cipher for
bootstrapping many higher-layer security mechanisms [10].
able to provide perfect secrecy, its application is rather limited
Key generation usually works between a pair of legitimate
probably because the secure and efficient provision of keys
users, and it is later extended to a group of users with star,
for OTP is challenging. The OTP secure transmission system
ring and mesh topologies [17]–[21]. This is applicable to
requires one-time pre-shared random key which has at least the
scenarios where some confidential information needs to be
same length as the plaintext message being sent. Therefore, the
shared among group users. For instance, control centres need
realization of the OTP relies on the provision of secure keys.
to send confidential instructions to a group of soldiers in
This work was supported in part by the National Natural Science Foundation military operations [20].
of China under Grant 61801115 and 61941115, in part by the Zhishan Youth While most of existing work investigates the key gener-
Scholar Program of SEU (3209012002A3), in part by the Campus France ation protocols in a given environment, very few of them
PHC Cai Yuanpei 2019 project under Grant 44016XA, in part by the China
Scholarship Council. (Corresponding author: G. Li) focus on the joint design of key generation and OTP. A
G. Li and Z. Zhang are with the School of Cyber Science and Engineering, straightforward way will be cascading key generation and
Southeast University, Nanjing, China. (e-mail: guyuelee@seu.edu.cn.) OTP, which is termed as Identical Key-based Physical-layer
A. Hu is with the School of Information Science and Engineering, Southeast
University, Nanjing, 210096, China. (e-mail: aqhu@seu.edu.cn.) Secure Transmission (IK-PST). Two connecting wireless users
G. Li and A. Hu are also with the Purple Mountain Laboratories for firstly derive a pair of identical secret key from their channel
Network and Communication Security, Nanjing, 210096, China observations, and then add each bit of the plaintext to one bit
J. Zhang is with the Department of Electrical Engineering and Electronics,
University of Liverpool, Liverpool, L69 3GJ, United Kingdom. (email: from the OTP key using modulo-addition. Producing identical
junqing.zhang@liverpool.ac.uk.) key requires sophisticated information reconciliation and this
2327-4662 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: University College London. Downloaded on July 07,2020 at 08:22:59 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.3004451, IEEE Internet of
Things Journal
2
becomes more severe for group users. For example, in the identical key generation flow while UK-PST simplifies
work of Xu et al. [20], each node pair in the group need to the secure transmission processes.
first generate a nearly uniformly distributed pairwise key with • We analyze the performance quantitatively and derive the
arbitrarily small error probability. For a ring network with four closed-form expressions of three metrics, namely com-
users, it needs four times of the information reconciliation. munication overhead, computation complexity and secure
Liu et al. used some information broadcast, joint with the transmission rate. We prove that UK-PST outperforms
observation phase in such a way that the subsequent one- IK-PST in terms of these metrics.
way public discussion involves merely a single broadcast for • We extend the OTP scheme to a group of users in net-
information reconciliation, hence reducing the delay at the works with star and chain topologies, respectively. UK-
expense of some sacrifice in the key rate [18]. PST does not need to produce identical pairwise keys,
We further think if it is feasible to use the non-reconciled and thus avoids multiple sophisticated information rec-
key for OTP, termed as Un-identical Key-based Physical- onciliation and privacy amplification. Therefore, system
layer Secure Transmission (UK-PST). The challenge is to complexity and communication overhead are significantly
decrypt the confidential message correctly when the OTP keys reduced.
of two parties are different but highly correlated. We deem • We implement prototypes of the OTP system with wire-
the XOR encryption and decryption modules along with the less motes and evaluate the proposed schemes through
physical channel as an equivalent cascade channel. Then, the both simulation and experiments. For both pairwise and
tiny differences between keys can be seen as part of the group users, UK-PST is verified to achieve higher effec-
transmission error, and thus can be corrected by the off-the- tive secret transmission rate than that of IK-PST and the
shelf channel coding with a stronger correction capability. gap expands with the increase of the disagreement ratio
There have been some preliminary explorations on OTP of channel quantization results. The results coincide with
with un-identical keys. Zheng et al. designed a modified the theoretical analysis.
OTP using keys generated from electrocardiogram signals for The rest of the paper is organized as follows. In Sec-
implantable medical devices [22]. There are also efforts from tion II, we present a detailed system model and attack model.
the wireless community. Peng et al. reused the error correction Section III proposes two OTP secure transmission protocols
capability of Polar codes for the key agreement [23]. It named IK-PST and UK-PST for a pair of users. We compare
designed an integrated wireless secret key based transmission the performance of the two proposed protocols from the per-
scheme to securing pairwise M2M transmissions, and is shown spective of communication overhead, computation complexity
to be simpler than the conventional counterpart by avoiding and secure transmission rate in Section IV. Next, we extend
information reconciliation. Subsequently, the work of [24] the protocols to group communication networks with star and
extended the UK-PST scheme to the scenarios with four-node chain topologies in Section V. We present the simulation
wireless networks to generate a shared group key. results and experimental results in Section VI and Section VII
This joint design can be applied in scenarios requiring concludes the paper.
low data rate but high security demands, as an OTP system
can provide incomparable strong security but may be limited
Notation and Outline
in secure transmission rate. For example, it is necessary to
share the secret spreading/hopping code in spread-spectrum Unless otherwise specified, we use the following notations
modulation such as CDMA or fast-frequency hopping [25]. throughout the manuscript: Upper (lower) bold-face letters
Another potential application is to use the OTP to help denote matrices (column vectors); I denotes the identity ma-
distribute the quantum key from the fixed quantum endpoint trix. Numeral subscripts of matrices and vectors, if needed,
to the mobile endpoints. The implementation of OTP in radio represent their sizes. Also, matrix superscripts ·( )H, (· )T , ( ·)∗
communication can protect them from disruption attacks. denote their conjugate-transpose, transpose, and conjugate,
Although both IK-PST and UK-PST schemes have the respectively. We use E{·} to denote ensemble expectation and
potential to realize the OTP secure transmission, neither of | · | to represent matrix determinant operations.
them has been well investigated yet. IK-PST is easy to
understand, but its practical usage may be compromised by II. SYSTEM OVERVIEW
additional transmissions and information leakage. On the other
A. System Model
hand, UK-PST abandons the information reconciliation and
privacy amplification, but it works at the expense of a stronger This paper investigated secure transmission achieved by
correction capability of the channel coding. Besides, it needs OTP and key generation. Specifically, a user i intends to
extra keys to encrypt the syndrome of the confidential data. transmit the confidential information to a user j without been
This paper aims to provide a comprehensive and quantitative known by a third party. OTP encrypts the plaintext with a
investigation on secure transmission achieved by OTP and random key at the transmitter via XOR operation, which can
wireless channel randomness. The main contributions of this achieve perfect secrecy. The receiver decrypts the message by
paper are listed as follows. XORing the ciphertext with its key. The keys are the same at
• We propose two schemes to realize OTP secure trans- transmitter and receiver, which is termed as IK-PST.
missions using the common randomness from wireless The key distribution for the OTP is challenging. This
channels. We found that IK-PST deploys an additional paper will employ physical layer key generation from wireless
2327-4662 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: University College London. Downloaded on July 07,2020 at 08:22:59 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.3004451, IEEE Internet of
Things Journal
3
2327-4662 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: University College London. Downloaded on July 07,2020 at 08:22:59 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.3004451, IEEE Internet of
Things Journal
4
L
where qj,i is the left Ld' -bit part and qRj,iis the right
Ls' -bit part of qj,i . Therefore, the lengths satisfy that
Lq = Ld' + Ls' . (12)
3-3. The ciphertext e′ is transmitted to user j over a public
channel.
3-4. Although user j does not have the identical bit sequence
for decryption, he has qi,j which has a high similarity
Fig. 2. Secure transmission scheme using un-identical keys.
with qj,i . User j decrypts e′ with qi,j by
d′con = e′ ⊕qi,j = dcon ⊕∆ = [d′ ⊕∆L , s′ ⊕∆R ], (13)
Steps 1-1, 1-2 and 1-3 are for information reconciliation. Eve
can deduce part of qj,i by accessing s, E ( ·) and D ( ·).
where ∆ = q i,j q⊕j,i illustrates the difference between
qi,j and qj,i . When a bit mismatch occurs, the XOR
The rest of the steps are designed for secure transmission.
result becomes ‘1’ in the corresponding position of ∆.
User i intends to transmit confidential message d to user j
over a public channel securely. 3-5. The user j recovers the confidential message d′ by
Channel coding is used to guarantee transmission reliability, d̂′ = D′ (d′con ) = d′ , (14)
which is illustrated by the Encoder 0 and Decoder 0 modules
as shown in Fig.1. where D′ is the decoding function of the ECC
(C′, n′, k′, t′). Note that, in the practical implementation,
2-1. The OTP theory uses XOR operation for encrypting the the interleaver and de-interleaver can be exploited to
data, which can be given as reduce the impact of burst errors. The elements in d′con
are firstly permuted via an interleaver before the ECC
e = d ⊕ k, (6) decoding, and after the ECC decoding, the elements in
where ⊕ represents the bitwise XOR operator. The length d̂′ are also permuted to the original order via a de-
of the data d is the same as the length of k, i.e., interleaver.
As shown above, UK-PST scheme has a relatively simple
L d = L k. (7) structure to realize OTP secure transmission as it does not
need an additional identical key generation flow.
2-2 User i transmits the ciphertext e to user j over a public
channel.
IV. PERFORMANCE ANALYSIS OF IK-PST AND UK-PST
2-3 User j decrypts the message d with his key by
In this section, we present a contrastive analysis of both
d̂ = e ⊕ k = d. (8) schemes in terms of communication overhead, computation
complexity and secure transmission efficiency.
The secure transmission is achieved.
As shown above, IK-PST scheme has a relatively complex
A. Communication Overhead
structure to realize OTP secure transmission as it deploys an
additional identical key generation flow. Firstly, we consider the communication overhead caused
by the information transmissions from user i to user j. IK-
PST needs two times of the information transmission (step
B. UK-PST Protocol 1-2 and step 2-2) while UK-PST only needs one information
Fig. 2 illustrates secure transmission using a pair of un- transmission (step 3-3). Following the previous work of [27],
identical keys, which contains five steps. We also assume qj,i we measure the communication overhead by the interaction
and qi,j as the quantization results of the channel measure- delay Tdelay. The delays for both schemes are calculated as
ments of user i and j and their lengths are both Lq. IK Ls + L0 dist L d + L0 dist
Tdelay =( + )+( + ) (15)
3-1. Private message d′ with a length of Ld' is first fed into B c B c
the channel encoder of user i and the output syndrome is L dist
= q + 2(T + ),
0 c
s′ = E′(d′), (9) and B
where E′
(·) represents the generation function of a L + L0 dist L dist ,
UK
Tdelay = q + = q + T0 + (16)
(C′, n′, k′, t′) ECC. B c B c
3-2. The confidential message d′ and syndrome s′ are con- respectively, where B is the system bandwidth, dist is the
catenated as transmission distance, c is the velocity of light, L0 is the
dcon = [d′, s′], (10) indispensable overhead in a frame, e.g., the synchronization
header, PHY header and frame payload and T0 = L0/B is
and encrypted using the key qj,i into the the ciphertext the time cost by transmitting these bits. As observed from
e′. The bits-stream encryption is realized by (15) and (16),
UK IK
e′ = dcon ⊕ qj,i = [d′ ⊕ qj,i
L
, s′ ⊕ qj,i
R
], (11) Tdelay < Tdelay . (17)
2327-4662 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: University College London. Downloaded on July 07,2020 at 08:22:59 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.3004451, IEEE Internet of
Things Journal
5
8.7
5
8.6
4 8.5
/s
8.4
lg(ζ)
delay
3
T
8.3
IK-PST,L =11bytes ζLB
0 IK
2 UK-PST,L =11bytes 8.2
0 ζUK
LB
IK-PST,L =31bytes
0 8.1 ζUB
IK
UK-PST,L =31bytes
1 0
ζUB
UK
8
0 7.9
0 200 400 600 800 1000 0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45
L /bits ǫ
q q
Fig. 3. The communication delays of IK-PST and UK-PST as a function of Fig. 4. The upper and lower bounds of the decoder complexity of the UK-PST
the frame overhead L0. The bandwidth B = 1 MHz and dist = 100 meters. and IK-PST schemes. The error probability of the channel is є0 = 0.1.
LB
Fig. 3 plots the delays of both schemes as a function of Lq in ζIK = ζ LB (C0 ) + ζ LB (C). (21)
a typical ZigBee scenario. The transmission range of ZigBee
for approximate calculation of complexity of IK-PST.
is usually below 100 meters, therefore we set the distance
dist = 100 m; the bandwidth B = 1 MHz. The propagation The UK-PST scheme uses only one BCH code (C′, n′, k′, t′)
delay is relatively smaller than other terms. According to the for the cascade channel with ϵeq [32], given as
frame format of IEEE 802.15.4 [30], the fixed overhead is ϵeq = ϵ0 + ϵq − 2ϵ0ϵq. (22)
11 bytes and there are 0 to 20 bytes for addresses and frame
payload. As observed from Fig. 3, the delay curves rise with When ϵ0 = 0, we find that ϵeq = ϵq and both schemes have
the increase of length Lq. The delays of UK-PST are smaller the same computational complexity. When ϵ0 > 0, we use
than that of IK-PST, which illustrates that UK-PST can reduce UB
ζUK = ζUB(C′), (23)
the communication overhead. The overhead increases linearly
with the rise of Lq. When the overhead L0 is higher, both
UB
ζLK = ζ LB
(C′ ). (24)
schemes have higher delays. When L0 = 31 bytes, the delay for approximate calculation of complexity of UK-PST.
of UK-PST is about half that of IK-PST. Fig. 4 shows that the bounds increase with ϵq and both the
decoder complexity upper bound and lower bound of UK-PST
B. Computation Complexity are lower than that of IK-PST, when the error probability of
Computation complexity is very important for resource- the physical channel is ϵ0 = 0.1.
constrained systems. UK-PST does not need the sophisticated
reconciliation phase, and instead uses un-identical binary se- C. Secure Transmission Rate
quences as the encryption and decryption keys. The disagree- The secure transmission rate is defined as the length of
ments between keys will bring in the errors in the recovery secure transmitted information divided by the time to produce
of d. The errors are similar to the transmission errors caused it, which is mathematically given by
by transmission distortion. Therefore, we can deem the errors Ld Ld
R= =
as part of the equivalent channel errors and couple the error T 2∆TL . (25)
q
correction task to the existing channel coding of the system.
The computational complexity is dominated by the decoder According to the OTP theory [4], the upper bound of the
complexity. This paper uses BCH code, as it has been widely secure transmission rate between user i and j satisfies that
used because of the low complexity. The decoder complexity 1
RUB = I(q i,j , qj,i ) (26)
bounds for a BCH code (C, n, k, t) can be given as [31] T
1
ζUB(C) = (45k2 + 4k)n2(log n)2, (18) = (H(qi,j ) − H(qi,j |qi,j )), (27)
T
LB 2 2 2 1 1 1
ζ (C) = 45k n (log n) . (19) = (1 + log(1 − ϵq) + ϵq). (28)
The IK-PST scheme uses two BCH codes, (C , n , k , t ) 2∆T 2 2
0 0 0 0
The bound rate is reached through the Slepian-Wolf source
for the physical channel with error probability ϵ0 and
encoding with random binning structure, which is complex
(C, n, k, t) for the information reconciliation with ϵq. There-
for implementation.
fore, we use
Then, we focus on the secure transmission rates of the IK-
UB
ζIK = ζUB(C0) + ζUB(C), (20) PST and UK-PST schemes.
2327-4662 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: University College London. Downloaded on July 07,2020 at 08:22:59 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.3004451, IEEE Internet of
Things Journal
6
IK-PST: In the step 1-1, a (C, n, k, t) ECC is used to Secure transmission rate
1
generate a syndrome s. In this case, k = Lq and the length
of s is denoted as L s = n − k. Besides, the disagreement 0.9
R/bpq
R UB
for IK-PST is given by 0.5
R UB,L =31bit
2∆T (1 − 2ϵq)Lq
UB
0.3 R ,L =1023bit
T IK q
R UB,L =1023bit
0.2
Proof: See Appendix A. UK q
UB
Remark 1: It is observed that RIK decreases against the 0.1
We compare these two bounds of the IK-PST and the UK- larity are extracted from the wireless channels between
PST schemes and prove the following theorem. every two legitimate users.
Theorem 1: For any ϵq ∈[0, 0.5) and Lq > 0, the upper • Group phase: a confidential message is securely shared
bounds of secure transmission rates satisfy that between group users with protection of pairwise bit
sequences.
UK ≥ RIK.
RUB UB
(33) Next, we examine two typical topologies in wireless networks
The ∆R = R UKR− IK UB UB
increases with ϵq. The equality holds, when performing group UK-PST for multiple users.
if and only if ϵq = 0.
Proof: See Appendix C. A. Group UK-PST in a Star Network
Remark 3: Theorem 1 reveals that UK-PST scheme has In a star network with N users, the central user N is
a higher bound of secure transmission rate than that of IK- wirelessly connected with child users, 1, 2,· · · , N − 1, while
PST. In the UK-PST, the s′ is the syndrome of d′ and also every two child nodes are not directly connected. The group
encrypted before transmission over the public channel. In secure transmission protocol is summarized in Algorithm 1.
the IK-PST s is the syndrome of qj,i and transmitted in 1) Pairwise Phase: Firstly, the central user N broadcasts
cleartext. Therefore, under the same condition, UK-PST is able the probe and other users collect the measurements. The mea-
to provide higher efficiency for secure transmission. Besides, surement of the i-th user is rN,i, where ∈ i {1, 2, · · ·, N −1 } .
C′ has a shorter code length than that of C, which also verifies Next, users 1, 2, · · · , N − 1 broadcast the probe in order and
that the computation complexity of UK-PST is reduced. user N collects the measurements ri,N successively. To ensure
Fig. 5 shows the secure transmission rates of the bounds. We that rN,i and ri,N are highly correlated, the time delay should
set ∆T = 1, which means that the secure transmission rate is be deliberately kept smaller than the coherence time.
calculated per quantization bit. The secure transmission rates Secondly, the channel measurements are converted into bit
decrease with the increase of ϵq, while the rate of UK-PST is sequences using the same quantization method as shown in
2327-4662 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: University College London. Downloaded on July 07,2020 at 08:22:59 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.3004451, IEEE Internet of
Things Journal
7
With the help of the syndrome s, user i can correct the error
(1). The pairwise bit sequences q N,i and q i,N have high bits in d̂icon by:
similarity but are not identical. Denotes ∆q = q ⊕ q ˆ ˆi
as the difference between and i N,i i,N di = D(dcon). (37)
qN,i qi,N . Denote ϵqi as the
disagreement ratio To guarantee d̂i = d′ for arbitrary i, the syndrome s should
1 be capable to correct all errors even in the worst case with the
L ǁqN,i − qi,N ǁ1 ,
ϵqi = (34) highest disagreement ratio of ϵmax.
q
2327-4662 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: University College London. Downloaded on July 07,2020 at 08:22:59 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.3004451, IEEE Internet of
Things Journal
8
Ensure: The recovered messages d̂i at the user i, where i ∈ Performance IK-PST UK-PST
{ 1, 2, · · · , N − 1} . Transmissions
Star Chain Star Chain
Pairwise Phase: 2N 3N-2 N +1 2N-1
Reconciliation N −1 0
1: Users 1 ∼ N send the probe packets to their adjacent 1 L q−4cmaxL q−1 1 Lq(1−2cmax)−1
Secure Rate N ∆T (1−2cmax)Lq N ∆T Lq
users and collect the measurements.
2: All of the users carry out quantization according to (1).
Group Phase:
C. Discussion
3: User 1 encodes d′ using (9) as described in the step 3-
1and gets dcon. Table I compares the performance of IK-PST and UK-
4: User 1 sends the encrpypted result e′1 to user 2. PST for group scenarios from the aspects of the number of
5: for i ← 2, N − 1 do transmissions, the number of information reconciliation and
6: User i recovers messages d̂i and then broadcasts e′i . the secure transmission rate.
7: end for In a star network, IK-PST needs 2N transmissions, includ-
8: User N recovers messages d̂N .
ing N channel probing, N −1 information reconciliation and
one data transmission. UK-PST reduces it to N + 1, including
N channel probing and one data transmission. Similarly, in a
chain network, IK-PST needs 3N − 2 transmissions, including
These measurements are converted into bit sequences, as
N channel probing, N—1 information reconciliation and N− 1
described in (1). After the pairwise phase, user j has two bit
data transmission. UK-PST reduces it to 2N − 1, including N
sequences qj−1,j and qj+1,j . For endpoint users 1 and N , channel probing and N −1 data transmission.
each has one bit sequence, q2,1 and qN−1,N respectively. In both star and chain networks, UK-PST does not need
2) Group Phase: User 1 firstly encodes d′ and then broad- to produce the identical pairwise key, and thus avoids so-
casts the ciphertext e′1, which is obtained by phisticated information reconciliation. This is at the cost of
e′1 = q2,1 ⊕ dcon = q2,1 ⊕ [d′, s′], (38) a stronger channel coding to correct an equivalent error rate
of ϵeq = ϵ0 + ϵmax −2ϵ0ϵmax. Following (29) and (31), the
where s′ is the syndrome of d′. We also assume that e1 can be secure transmission rates of IK-PST and UK-PST for a group
received correctly. Since user 2 has the corresponding pairwise of users are
bit sequence q1,2, therefore he can speculate d′ and s′ by 1 L − 4ϵmaxLq − 1 (45)
′
RUB = N ∆T q(1 − 2ϵ max)Lq
ˆ2 IK,G
dcon = q1,2 ⊕ e1 = ∆q1,2 ⊕ dcon, (39)
and
where ∆q1,2 = q1,2 ⊕ q2,1 reflects the difference between 1 Lq(1 − 2ϵmax) − 1
RUB
UK,G
= , (46)
q1,2 and q 2,1. N ∆T Lq
Likewise, user 2 can correct the error bits in d̂2con by: respectively.
d̂2 = D(d̂2con ). (40)
VI. SIMULATION AND EXPERIMENTAL VALIDATION
Subsequently, the bit sequences q2,1 is recovered by: This section evaluated the performance of the IK-PST and
UK-PST schemes through both simulations and experiments.
q̂2,1 = [d̂2 , E(d̂2 )] ⊕ e′1 , (41)
2327-4662 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: University College London. Downloaded on July 07,2020 at 08:22:59 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.3004451, IEEE Internet of
Things Journal
9
0.9
0.8
0.7
0.8
0.6
RIK,t=1
0.5 R UK,t=1
0.7
RIK,t=2
R UK,t=2
0.4 RIK,t=1
RIK,t=3
R UK,t=1
0.6 R UK,t=3
UB
R ,t=1
IK
0.3 UB
R ,t=1
UK
0 0.01 0.02 0.03 0.04 0.05 0.06 0.07 0.08 0.09 0.1 0 0.005 0.01 0.015 0.02 0.025 0.03 0.035 0.04
ǫ ǫ
q q
Fig. 8. Performance of effective secure transmission rate and upper bounds Fig. 9. Performance of effective secure transmission rate versus є q for a pair
versus є q for a pair of users. of users with different t.
Star Network
where R is the secure transmission rate defined in Section IV-C 100
RIK,ǫq =0.05
and ηf represents the probability of failure. Due to the inaccu-
Effective Secret Transmission Rate
RUK,ǫq=0.05
rate estimation of ϵq and burst errors, the designed BCH code RIK,ǫq =0.1
cannot always correct all the disagreements. Therefore, we R UK,ǫq =0.1
2327-4662 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: University College London. Downloaded on July 07,2020 at 08:22:59 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.3004451, IEEE Internet of
Things Journal
10
0.5
ǫ
0.04
0.25
0.02
10-1
0 0
1 2 3 4 5 6
Scenario
2 3 4 5 6 7 8 9 10
Fig. 13. Effective secure transmission rate under various scenarios.
User Number
Fig. 11. Performance of effective secure transmission rate versus the user
number in a chain network, t = 1.
2327-4662 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: University College London. Downloaded on July 07,2020 at 08:22:59 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.3004451, IEEE Internet of
Things Journal
11
Star Network
APPENDIX A
0.6
PROOF OF PROPOSITION 1
R , Scenario = 3
IK
0.5
R , Scenario = 3
UK For the ECC (C, n, k, t), it should satisfy that n —k ≥ 2t+1,
Effective Secret Transmission Rate
0.8
Chain Network and then
R , Scenario = 4 Lq − 4ϵqLq − 1
Ld ≤ Lq − Ls =
IK
0.7 R , Scenario = 4 . (53)
UK
1 − 2ϵ q
Effective Secret Transmission Rate
0.6
Therefore, the upper bound of the secure transmission rate of
0.5 the IK-PST scheme is
LUB 1 Lq − 4ϵqLq − 1
UB
0.4
RIK = d = . (54)
T ∆T (1 − 2ϵq)Lq
0.3
0.2 APPENDIX B
PROOF OF PROPOSITION 2
0.1
For the ECC (C′, n′, k′, t′), it should satisfy that n′ — k′ ≥
0
2 3 4 5 6 2t′ + 1, which indicates that
User Number
k′ = Ld' , n′ = Lq. (55)
Fig. 16. Effective secure transmission rate versus the user number in a chain
network, t = 1. Assuming that C reaches the bound of the correction capability,
then
t′ t
VII. CONCLUSION ϵq = ′ = , (56)
n Lq
This paper investigated the OTP secure transmission by which means that
exploiting the randomness residing in the reciprocal wireless
channel. We proposed two approaches, IK-PST and UK-PST. t′ = ϵq L′q. (57)
IK-PST uses the same pairwise key at both ends while UK-
Further, we can derive that
PST employs un-identical keys. Although IK-PST is intuitive
to understand, its performances are inferior to UK-PST from Ls' ≥ 2t′ + 1 = 2ϵ qLq + 1, (58)
the perspective of communication overhead, computation com-
plexity and secure transmission rate. The performance gap and
expands when both schemes are extended to a group of users.
We conducted simulations and implemented prototypes of the Ld' ≤ Lq − Ls' = Lq(1 − 2ϵq) − 1. (59)
two schemes. Both simulation and experimental results show
that UK-PST can achieve higher effective secret transmission Therefore, the upper bound of the secure transmission rate of
rate than that of IK-PST and the gap expands with the increase the UK-PST scheme is
of the disagreement ratio of channel quantization results, LUB'
1 L (1 − 2ϵ ) − 1
which verify the theoretical analysis. R UB = d = q q
. (60)
UK
T ∆T Lq
2327-4662 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: University College London. Downloaded on July 07,2020 at 08:22:59 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.3004451, IEEE Internet of
Things Journal
12
APPENDIX C [16] G. Li, A. Hu, J. Zhang, L. Peng, C. Sun, and D. Cao, “High-agreement
PROOF OF THEOREM 1 uncorrelated secret key generation based on principal component analy-
sis preprocessing,” IEEE Trans. Commun., vol. 66, no. 7, pp. 3022–3034,
2018.
[17] Q. Wang, H. Su, K. Ren, and K. Kim, “Fast and scalable secret key
UK − R IK
∆R = RUB UB (61) generation exploiting channel phase randomness in wireless networks,”
in Proc. IEEE INFOCOM, Shanghai, China, Jun. 2011, pp. 1422–1430.
1 Lq(1 − 2ϵq) − 1 Lq − 4ϵqLq − 1 [18] H. Liu, J. Yang, Y. Wang, Y. J. Chen, and C. E. Koksal, “Group secret
= ∆T ( − )
Lq (1 − 2ϵq)Lq key generation via received signal strength: Protocols, achievable rates,
1 (L (1 − 2ϵ )2 − 1 + 2ϵ ) − (L − 4ϵ L — 1) and implementation,” IEEE Trans. Mobile Comput., vol. 13, no. 12, pp.
= ( q q q q q q
) 2820–2835, 2014.
[19] H. Liu, Y. Jie, W. Yan, and Y. Chen, “Collaborative secret key extraction
∆T (1 − 2ϵq)Lq leveraging received signal strength in mobile wireless networks,” in
1 2ϵq + 4ϵq2 Lq Proc. IEEE INFOCOM, Orlando, FL, USA, May 2013, pp. 927–935.
= ( ) [20] P. Xu, K. Cumanan, Z. Ding, X. Dai, and K. K. Leung, “Group secret
∆T (1 − 2ϵq)Lq key generation in wireless networks: algorithms and rate optimization,”
Since ϵq ∈ [0, 0.5) and Lq > 0, we can get RUK
UB
− RUBIK ≥ 0
IEEE Trans. Inf. Forensics Security, vol. 11, no. 8, pp. 1831–1846, 2016.
[21] C. D. T. Thai, J. Lee, J. Prakash, and T. Q. S. Quek, “Secret group-key
and when ϵq = 0, the equality holds. The first-order partial generation at physical layer for multi-antenna mesh topology,” IEEE
derivative Trans. Inf. Forensics Security, vol. 14, no. 1, pp. 18–33, 2019.
[22] G. Zheng, G. Fang, R. Shankaran, and M. A. Orgun, “Encryption
∂∆R = −2 + 2(1 + Lq) > 0 (62) for implantable medical devices using modified one-time pads,” IEEE
∂ϵq Lq(1 − 2ϵq) Access, vol. 3, pp. 825–836, 2015.
[23] L. Peng, G. Li, J. Zhang, and A. Hu, “Securing M2M transmissions
UB
Therefore, the gap of ∆R = RUK − RUB
IK increases with ϵ q.
using nonreconciled secret keys generated from wireless channels mea-
surements,” in Proc. IEEE GLOBECOM Workshop Trusted Commun.
with Physical Layer Security (TCPLS), Abu Dhabi, UAE, Dec. 2018,
REFERENCES pp. 1–6.
[24] G. Li, L. Hu, and A. Hu, “Lightweight group secret key generation
[1] E. Marin, D. Singelée, F. D. Garcia, T. Chothia, R. Willems, and leveraging non-reconciled received signal strength in mobile wireless
B. Preneel, “On the (in) security of the latest generation implantable networks,” in Proc. IEEE ICC Workshops WPLS, Shanghai, China, May.
cardiac defibrillators and how to secure them,” in Proc. 32nd Annual 2019, pp. 1–6.
Conf. Computer Security Applications, Los Angeles, CA, USA, Dec. [25] M. Zafer, D. Agrawal, and M. Srivatsa, “Limitations of generating a
2016, pp. 226–236. secret key using wireless fading under active adversary,” IEEE/ACM
[2] E. Ronen, A. Shamir, A.-O. Weingarten, and C. O’Flynn, “IoT goes nu- Trans. Netw., vol. 20, no. 5, pp. 1440–1451, 2012.
clear: Creating a ZigBee chain reaction,” in Proc. 2017 IEEE Symposium [26] L. Peng, G. Li, J. Zhang, R. Woods, M. Liu, and A. Hu, “An investigation
on Security and Privacy (SP), 2017, pp. 195–212. of using loop-back mechanism for channel reciprocity enhancement in
[3] G. S. Vernam, “Secret signaling system,” U.S. Patent 1 310 719, Jul. 12, secret key generation,” IEEE Trans. Mobile Comput., vol. 18, no. 3, pp.
1919. 507–519, 2019.
[4] C. E. Shannon, “Communication theory of secrecy systems,” Bell System [27] G. Li, Z. Zhang, Y. Yu, and A. Hu, “A hybrid information reconciliation
Technical J., vol. 28, no. 4, pp. 656–715, 1949. method for physical-layer key generation,” Entropy, vol. 21, no. 7, p.
[5] W. Stallings, Cryptography and Network Security: Principles and Prac- 688, 2019.
tice, 6th ed. Prentice Hall, 2013. [28] R. Guillaume, F. Winzer, A. Czylwik, C. T. Zenger, and C. Paar,
[6] C. Cheng, R. Lu, A. Petzoldt, and T. Takagi, “Securing the internet of “Bringing phy-based key generation into the field: An evaluation for
things in a quantum world,” IEEE Commun. Mag., vol. 55, no. 2, pp. practical scenarios,” in Proc. IEEE VTC, Boston, MA, USA, Jan. 2015,
116–120, 2017. pp. 1–5.
[7] R. Ahlswede and I. Csiszar, “Common randomness in information theory [29] G. Li, A. Hu, C. Sun, and J. Zhang, “Constructing reciprocal channel
and cryptography – Part I: Secret sharing,” IEEE Trans. Inf. Theory, coefficients for secret key generation in FDD systems,” IEEE Commun.
vol. 39, no. 4, pp. 1121–1132, Jul. 1993. Lett., vol. 22, no. 12, pp. 2487 – 2490, 2018.
[8] U. M. Maurer, “Secret key agreement by public discussion from common [30] E. Karapistoli, F.-N. Pavlidou, I. Gragopoulos, and I. Tsetsinas, “An
information,” IEEE Trans. Inf. Theory, vol. 39, no. 3, pp. 733–742, May overview of the IEEE 802.15. 4a standard,” IEEE Commun. Mag.,
1993. vol. 48, no. 1, pp. 47–53, 2010.
[9] J. Zhang, T. Q. Duong, A. Marshall, and R. Woods, “Key generation [31] B. G. Bajoga and W. Walbesser, “Decoder complexity for BCH codes,”
from wireless channels: A review,” IEEE Access, vol. 4, pp. 614–626, in Proceedings of the Institution of Electrical Engineers, vol. 120, no. 4.
Mar. 2016. IET, 1973, pp. 429–431.
[10] G. Li, C. Sun, J. Zhang, E. Jorswieck, B. Xiao, and A. Hu, “Physical [32] T. M. Cover and J. A. Thomas, Elements of information theory. John
layer key generation in 5G and beyond wireless communications: Wiley & Sons, 2012.
Challenges and opportunities,” Entropy, vol. 21, p. 497, 2019.
[11] T. Aono, K. Higuchi, T. Ohira, B. Komiyama, and H. Sasaoka, “Wireless
secret key generation exploiting reactance-domain scalar response of
multipath fading channels,” IEEE Trans. Antennas Propag., vol. 53,
no. 11, pp. 3776–3784, Nov. 2005.
[12] S. Mathur, W. Trappe, N. Mandayam, C. Ye, and A. Reznik, “Radio-
telepathy: extracting a secret key from an unauthenticated wireless chan-
nel,” in Proc. 14th Annu. Int. Conf. Mobile Computing and Networking
(MobiCom), San Francisco, California, USA, Sep. 2008, pp. 128–139.
[13] J. Zhang, R. Woods, T. Q. Duong, A. Marshall, Y. Ding, Y. Huang, and
Q. Xu, “Experimental study on key generation for physical layer security
in wireless communications,” IEEE Access, vol. 4, pp. 4464–4477, Aug.
2016.
[14] J. Zhang, A. Marshall, and L. Hanzo, “Channel-envelope differencing
eliminates secret key correlation: LoRa-based key generation in low
power wide area networks,” IEEE Trans. Veh. Technol., vol. 67, no. 12,
pp. 12 462–12 466, 2018.
[15] H. Ruotsalainen, J. Zhang, and S. Grebeniuk, “Experimental investiga-
tion on wireless key generation for low power wide area networks,”
IEEE Internet Things J., vol. 7, no. 3, pp. 1745 – 1755, Mar. 2020.
2327-4662 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: University College London. Downloaded on July 07,2020 at 08:22:59 UTC from IEEE Xplore. Restrictions apply.