20. High-Rate Uncorrelated Bit Extraction for Shared Secret Key Generation From Channel Measurements

7/31/2019 20. High-Rate Uncorrelated Bit Extraction for Shared Secret Key Generation From Channel Measurements

1/15


2/15

IEEE TRANSACTIONS ON MOBILE COMPUTING 2

secret key. However, if multiple-access interference isinfrequent, and two nodes can receive many packetsfrom each other, they will have many measurementsof signal strength, marginally impacted by interference,with which to encode a secret key. This assumes that anacknowledgement protocol is applied so that two nodesagree on which packets are to be used in the proposedsystem.

We refer to these sources of non-reciprocity collectivelyas noise because they are the ultimate cause of bit dis-agreements between the secret keys generated at nodesa and b.

Bit extraction, i.e., the extraction of secret key bitsfrom noisy radio channel measurements at two nodessuch that the two secret keys reliably agree, is a majorstatistical signal processing problem in shared secretkey generation. As opposed to communications signalprocessing, it has no interest in obtaining the transmitteddata from another device. We refer to this problem asa radio channel signal processing problem since measure-

ments of the radio channel are the signal of interest. Thispaper contributes a statistical framework and algorithmfor bit extraction which extracts a high bit rate withgiven reliability and ensures a bit vector with nearly zerocorrelation. This framework is a significant improvementon the state-of-the-art in the research area.

Recent results have both suggested and demonstratedbit extraction from a variety of different radio channelmeasurement modalities (e.g., time delay, amplitude,phase, and angle). These results are reviewed in Section2. Several works limit the number of bits per measure-ment to one or zero. Several works have decreased themeasurement rate because correlation between measure-

ments leads to correlation between bits in the secret key,which is detrimental to the security of data encodedwith that key. Both compromises reduce the bit rateof generated secret keys. In addition, solutions are adhoc; each measurement modality requires a separatemethodology for secret key generation.

This work provides a framework for bit extractionusing three signal processing methods:

1) Fractional interpolation: Introduces different frac-tional delays at each node to account for the factthat the two directional measurements are not mea-sured simultaneously.

2) De-correlation transformation: Produces a mea-

surement vector with uncorrelated components viaa Karhunen-Loeve transformation of the originalchannel measurement vector.

3) Multi-bit adaptive quantization (MAQ): Convertsreal-valued channel measurements into bits adap-tively based on the measured value, using commu-nication so that both nodes agree on the quantiza-tion scheme.

The flow chart of the proposed method is shown inFigure 1. In this paper, we use these procedures in orderto transform correlated, real-valued radio channel signalmeasurements at two nodes into uncorrelated binary

data which has a high probability of bit agreement. Werefer to the combination of the methods as high rateuncorrelated bit extraction (HRUBE).

As discussed in Section 2, there are methods, calledinformation reconciliation methods, to resolve bit dis-agreements between two nodes without giving away theentire secret key. These methods do give away someinformation to an eavesdropper; if enough informationcan be obtained, an eavesdropper could perform a brute-force search to find the secret key. It is best to minimizethe number of bit disagreements and to know a priorithe probability of bit disagreement so that an informa-tion reconciliation method can be designed efficiently.This paper provides a theoretical framework to designsystems with low probability of bit disagreement.

Fig. 1. Flow chart of high rate uncorrelated bit extraction.

This paper is organized as follows. In Section 2, wediscuss the work in the area of secret key extraction fromradio channel measurements, and position this workin that frame. In Section 3, we provide an adversarymodel. In Section 4, we describe the fractional inter-polation method used to correct for non-simultaneousradio channel measurements. Section 5 presents thedecorrelation of the measured radio channel signal, andSection 6 presents the multi-bit adaptive quantization

method. Sections 4 through 6 provide the methodologyand analysis of high-rate uncorrelated bit extraction.In Section 7, the HRUBE method is implemented inwireless nodes and the bit disagreement rate is shownand compared to the analytical results. Finally, futurework and conclusions are presented in Section 8.

2 RELATED WOR K

There have been several papers on the topic of secretkey generation from radio channel measurements. Inthe earliest work [5], it was suggested to send twounmodulated continuous wave (CW) signals in bothdirections through a channel and measure and quantize

the phase difference between the two at each end ofthe link to generate a shared secret. Phase differences

between multiple channels have been further exploredin [6], [7].

Time delay and gain are also features of the radiochannel that are reciprocal and can be used for se-cret generation. The impulse response, in particular, theamplitude of multipath at many time delays, can beused as a shared secret [8], [9], [10]. While [8], [10] useultra-wideband (UWB) radios to measure the impulseresponse, [9] estimates channel gains and delays fromrelatively narrowband cellular signals.


3/15


Amplitude or channel gain is the most common recip-rocal channel feature used for secret generation in theliterature [11], [12], [13], [14], [15], [16], [17]. Amplitudecan be more easily measured than time delay or phaseon most existing hardware, and thus is more readilyapplicable to common wireless networks.

Angle-of-arrival (AOA) itself is not reciprocal theAOA at at the two ends of a link is different. However,steerable directional antennas can be used as in [14] tomeasure reciprocal channel gains, which are reciprocal,and generate shared secret keys. The antenna used in[14] is a relatively simple directional antenna, but re-quires access points to have additional physical spacefor a multi-element antenna.

In Section 7, we use measurements of amplitude for itsease of implementation. However, the HRUBE methodsare generally applicable across channel measurementmodalities discussed above.

A critical part of practical systems will be the abilityto generate arbitrarily long secret keys. Research has

addressed the use of multiple measurements to increasethe size of the secret. As mentioned, [14] used multipledifferent beam patterns to allow for multiple measure-ments. Multiple measurements can also be made atmany different frequencies [12]. Multiple measurementsover time are used in [11], [13], [15], [6], [16], [17] toincrease the number of bits in the secret. In this work,we provide a method to de-correlate an arbitrary vectorof collected measurements. Previous works have oftenused correlated measurements to generate the secret key,which may be less robust to attacks.

Significant research has addressed the more generaltopic of obtaining a shared secret key from observations

of correlated random variables [18], [19]. An eavesdrop-per can also observe a correlated random variable, andthe secrecy information rate is shown to be a functionof the mutual information between these three observedrandom variables. Analysis of the secrecy rate for UWBchannels in [8], [10] and for fading channels in [13] haveapplied this analysis to the case in which the correlatedrandom variables correspond to measured radio channelcharacteristics. Information theoretic results have shownthat two nodes cannot achieve an arbitrarily small bitdisagreement rate without communicating some infor-mation over a common channel [18].

Because of these results, most reported research has

used limited feedback [11], [9], [10], [13], [14], [6], [17]to correct small amounts of disagreement between thesecret generated a the two ends of a link. This com-munication is referred to as information reconciliation,public feedback, or error correction. In this paper weassume that information reconciliation will be part ofthe system design, but we do not explore its use. Weexplore minimizing the rate of bit disagreement in orderto reduce the quantity of information reconciliation thatmust be performed in order to reliably agree on a sharedsecret key.

As an alternative to information reconciliation, [7]

suggests that when bit disagreements are seen in a secretkey, nodes should simply regenerate a new secret untilthe secret key agrees. The work in [7] explores the energytradeoff between secret regeneration and transmit power(to increase the SINR at the ends of the link to reducethe probability of bit disagreement).

The majority of reported research has addressed sys-tem development from simulation and analysis usingstandard statistical channel models [8], [7], [11], [9], [10],[13], [15], [6]. Statistical channel fading models such asRayleigh, Ricean, and Gaussian have been applied. Thesemodels can be used to compute the probabilities of secretkey bit agreement, the probabilities that retransmissionis necessary, and the bit rate which can be generatedeither in theory or by a particular encoding algorithm.

Notably, several researchers have reported experimen-tal results and implementations [10], [12], [14], [16]. In[10], several bi-directional UWB measurements are madeand used to compute the number of secret key bits whichcould be generated. In [12], an implementation using the

universal software radio peripheral (USRP) and GNUsoftware radio generates and receives the required multi-carrier signal and evaluates the bit rate of the system.Two implementations in [16] use both off-the-shelf andtestbed 802.11a devices to implement secret sharing andachieve about a 1 bit per second rate. In [14], researchersuse a steerable directional antenna in combination withZigbee radio hardware to generate a secret betweentwo nodes and test what an eavesdropper would havereceived. This work also demonstrates its techniquesusing a Zigbee radio implementation, but the techniquesreported here are fundamentally unlike those reportedin [14]. This paper reports in detail a new method for

reliably estimating a high-rate uncorrelated bit streamfrom radio channel measurements.

We have not seen any secret key bit rate reported ashigh as achieved in our experiments, up to 22 bits/sec.In [16], an experimental implementation achieves abouta 1 bit/sec rate, for which the authors target a 108 bitdisagreement rate. In this paper, we report experimental

bit rates from 3 bits/sec at the lowest probability ofbit disagreement (0.04%) to a rate of 22 bits/sec at thehighest probability of bit disagreement (2.2%). There is atradeoff in secret key generation between high bit rate ofthe secret key and low probability of bit disagreement,and the proposed method can be used to provide a

variety of achieveable points, particularly at higher bitrates than previously reported.

3 ADVERSARY MODEL

In our adversary model we assume that the adversary,Eve, can listen to all the communication between Al-ice and Bob. Eve can also measure both the channels

between herself and Alice and between herself andBob at the same time when Alice and Bob measurethe channel between them for key extraction. We alsoassume that Eve knows the key extraction algorithm


4/15


and the values of the parameters used in the algorithm.However, we assume that Eve cannot be very close (lessthan a few multiples of the wavelength of the radiowaves being used [16]) to either Alice or Bob while theyare extracting their shared key. This will ensure that Evemeasures a different, uncorrelated radio channel [4]. Weassume that Eve cannot jam the communication channel

between Alice and Bob. We also assume that Eve cannotcause a man-in-the-middle attack, i.e., our methodologydoes not authenticate Alice or Bob. In other words,the proposed system works against passive adversaries.In this aspect, the technique of key extraction fromwireless signal strengths is comparable with classical keyestablishment techniques such as Diffie-Hellman, whichalso use message exchanges to establish keys and donot authenticate Alice or Bob. However, classical keyexchange techniques make use of unproven assumptionsabout the computational hardness of different problemssuch as the discrete logarithm problem. In contrast, theproposed key extraction technique provides information-

theoretic secrecy and does not assume any bounds on thecomputational power of the adversary.Even without an authentication mechanism, the Diffie-

Hellman scheme has found widespread use in networksecurity protocols and standards (e.g., for providing Per-fect Forward Secrecy, Strong password protocols, etc.).We expect that our scheme will provide a strong alterna-tive to the Diffie-Hellman scheme in wireless networks.There is a growing amount of work in authenticatingwireless devices based on their physical and radiometricproperties (e.g., [17], [20]). These and future authentica-tion mechanisms can be used in conjunction with oursecret key establishment scheme.

4 FRACTIONAL INTERPOLATION FILTERING

Channel measurements for secret key generation willalmost certainly be half-duplex, that is, the transmissionfrom node a to node b is not made at the same timeas the transmission from node b to node a. Standardtransceivers cannot transmit and receive simultaneously,so non-simultaneous measurements in the two directionsmust be dealt with regardless of the type of radiochannel measurements made. As described in Section 2,many methods use sequential measurements over timein order to generate arbitrarily long secret keys. In this

paper, we use fractional interpolation filters to allownodes to estimate what the measurements would have

been if they had been measured simultaneously.For channel measurement, we assume nodes repeat-

edly transmit packets in a TDD protocol1. Each nodereceives a packet from the other node and uses it tomeasure the channel characteristic. Let wa(i) be the ithchannel measurement at node a made at time a(i).We assume that the constant packet rate means the ith

1. Whether or not the transmission is a data packet or any arbitraryfinite-duration signal, we use the term packet to describe the trans-mission.

measurement is made at time a(i) = a(i 1) + TR,awhere TR is the time since the previous measurement.Similarly, node b makes ith measurement wb(i) at timeb(i) = b(i 1) + TR,b.

We assume that channel measurements are made atgreater than the Nyquist rate for the channel. For afading channel, the Nyquist rate is twice the maximumDoppler frequency, fd. Previous works have assumedthat channel probes in the two directions are much morefrequent than fd [16]. In this work, probing require-ments are relaxed somewhat because the signal can bereconstructed at simultaneous probe times as long as theprobes are taken more often than 1

2fd, i.e., we always

have TR,c 0. If node a delayed its ith sample by(1 + )TR, and simultaneously, node b delayed its sam-ples by (1

)TR, we would have had simultaneous

measurements. To estimate these delayed samples, wespecify a fractional delay c and integer delay mc foreach node:

a = b = 1 ma = 1 mb = 0

After using a fractional interpolation filter to delay itssignal by a = , node a will also add an additional unitsample delay. Node b uses its fractional interpolationfilter to delay its signal by b = 1 , and does notadd any additional unit delays.


5/15


We use the Farrow filter, a finite impulse responseimplementation which introduces an arbitrary fractionaldelay [21]. Standard implementations of the Farrow filterare four-tap FIR filters which provide a parabolic orcubic interpolation between samples. Such filters areoften used in discrete-time implementations of receivertiming synchronization loops, and are well-suited forDSP implementation [22]. We implemented a cubic Far-row filter, parameterized by a or b. For c {a, b},

hc =

3c6

c6

, 3c

2+

2c2

+ c,

3c2

2c c2

, 3c

6+

2c2

c3

T(3)

Note that hc requires recalculation only when cchanges. The input of filter hc are the measurements{wc(i)}i, and we define the output as {xc(i)}i. These out-puts are estimates of the radio channel at simultaneousinstants, halfway between the original non-simultaneousmeasurements. These vectors xa and xb,

xa = [xa(1)T, . . . ,xa(N)

T]T

xb = [xb(1)T, . . . ,xb(N)

T]T,

where N is the desired length of the vector. These vectorsbecome the input for the de-correlation transformationdiscussed in the following section.

5 DE-CORRELATION TRANSFORMATION

In this paper, we use the discrete Karhunen-Loeve trans-form (KLT) to convert the measured channel vectors xaand xb into uncorrelated components. The KLT has beenapplied for many different types of signals for purposes

of noise reduction and data compression. We apply theKLT for the purpose of generating nearly uncorrelatedelements for our secret, which for robustness to attacks,should not contain significant correlation between ele-ments.

The discrete KLT provides an orthogonal basis whichde-correlates the input vector, assuming a known modelfor the covariance structure of the original vector. Forparticular classes of signals, we can find such statisticalmodels; e.g., for electrocardiogram signals [23], voicesignals, internet traffic measurements [24], and finger-prints [25], models have been developed from largesets of measurements. In this paper, we develop sucha covariance model using a large set of measurements,and use it to calculate the appropriate KLT.

In the discrete KLT, a linear transformation of aninput vector is taken, which results in a vector withuncorrelated elements. Assume that the (length N) inputvector at node c {a, b}, xc, has mean c and covariancematrix Rx 2. A linear transform of the data is

yc = AT(xc c),

2. We assume that the mean at each node can be different due to thedifferent transmit powers, but that the covariance matrix is the sameat both nodes.

where A is an N N matrix. The mean of yc is zero,and the covariance matrix ofyc, Ry, is given by

Ry = Eycy

Tc

= ATRxA (4)

Assume the singular value decomposition of Rx is,

Rx = U SUT, (5)

where U is the matrix of eigenvectors, and S =diag

21 , . . . , 2N

, a diagonal matrix of the correspond-

ing eigenvalues. We assume that the eigenvectors havebeen sorted in order of decreasing eigenvalue, so that21 22 2N 0. Note that UTU = IN, where INis the N N identity matrix.

The discrete Karhunen-Loeve transform simply as-signs A = U,

yc = UT(xc c). (6)

The vectors ya and yb for nodes a and b, respectively,become the input for the MAQ scheme described inSection 6. When simplifying (4) we have the result that,

Ry = UTRxU = UTU SUTU = S,

and the output vector yc in fact has a diagonal covari-ance matrix, indicating uncorrelated elements.

Note that uncorrelated is not the same as independent;while they are the same for Gaussian random vectors,they are not equivalent in general. The KLT guaranteeszero covariance between elements, but not higher-ordercross-moments. Uncorrelated but not independent bitsmay result in an a per bit entropy of less than 1.0;we show in Section 7.7 from experiments an entropyestimate of between 0.96 to 0.98. Depending on the true

joint distribution, it may be possible for an attacker

to use the higher-order cross-moments to predict onevalue from others. Investigation of this possibility mustinvolve extensive measurements to allow inference onthe joint distribution of the data yc, and we leave this tofuture research.

5.1 Bi-Directional Measurement Covariance

Although the elements ofyc are decorrelated by the KLT,there is still covariance between the yc and yc, wherec, c {a, b} and c = c. That is, c and c are the indices forthe opposite direction measurements of the link betweennodes a and b. In fact, a high positive correlation between

the two different directions of the link is what enablessecret sharing. We denote the covariance matrix of theoriginal measurements to be Rxc,xc ,

Rxc,xc E

(xc c)(xc c)T

= E

(xc c)(xc c)T

After the KLT, the vectors yc and yc have covariancematrix denoted as Ryc,yc ,

Ryc,yc Eycy

Tc

= UTRxc,xcU. (7)

The ith diagonal element of Ryc,yc , denoted here as[Ryc,yc]i,i, is the covariance of yc(i) and yc(i). The vari-ance ofyc is given by

2i and is equal to the variance of


6/15


yc since c, c {a, b}. So the correlation coefficient of theith component, denoted i, is

i =

[Ryc,yc]i,i

2i. (8)

The correlation coefficient i is effectively a measureof the SNR of the measurement of the bi-directional ith

component of y. When the noise contributing to bothya(i) and yb(i) is high, the value of [Ryc,yc ]i,i is lowcompared to 2i , and i is closer to zero. When there isvery little noise, i is close to 1. In Section 6.4, we showthat the value ofi is the critical component to determine

both how many bits to which the ith component canbe quantized, and the performance of the quantizationmethod, i.e., the probability that the bits generated agreeat the two nodes.

6 MULTI-BI T ADAPTIVE QUANTIZATION

The objective of this section is to describe the quantiza-

tion of the transformed vector yc, for c {a, b}, into asecret key bit vector. Quantization in this application hastwo conflicting goals:

1) Secret length maximization: Obtain as long of a secret(in bits) as possible.

2) Error minimization: Keep the probability that thesecret key will not match at nodes a and b as lowas possible.

We also must maintain zero covariance between ele-ments of secret key, and thus do not use vector quantiza-tion. Instead, we use scalar quantization on each elementof yc. Consider this tradeoff on a single component,component i. The quantizer for component i is a function

Qi : R {1, . . . , 2mi}, where mi is the number of bits towhich we quantize the ith component.

6.1 Related Work: Censoring Scheme

Several past works in bit extraction from channel mea-surements have quantized each measurement to one oftwo bins and a censor region [16], [17], [14], [15]. Inthese methods, when a measurement has a value nearzero, the measurement is not used in the secret, andotherwise, the measurement is quantized by its sign to a0 or 1. This one bit and censor method, as a standardmethod used in related work, provides a good point

of comparison for the MAQ method presented in thispaper.

In the standard censoring method, a low thresholdand a high threshold are specified, for example, [, ].The indices of the values that fall within the thresholdregion are not encoded. Specifically, node a forms the setTa = {i : xa(i) } and transmits the list of theelements in Ta to node b. Node b then similarly forms Tband transmits Tb \ Ta to node a. The union of both sets,T = TaTb are the indices not used in the shared secret.Let T = {1, . . . , N } \ T be the indices that will be usedin the secret, and let tj {1, . . . , N T} be the jth element

of T, where NT = |T |. Then the secret key bit vectorof node c {a, b} is given by zc = [zc(1), . . . , zc(NT)]T,where

zc(j) =

1, xc(tj) > 0, xc(tj) < (9)

We note that the work in [16] does not directly encodexc(i). Instead, only one sample from each excursion of{xc(i)}i is encoded. An excursion is any sequence of{xc(i)}i which are either all above the high thresholdor below the low threshold. This method allows highreliability in bit encoding while reducing correlation

between subsequent bits.

The benefit of the one bit and censor scheme in generalis that data that falls near zero, which would be likely tohave opposite sign at the opposite end of the link, is notused in the secret. The value of ya(i) would be knownto an eavesdropper to be either within or outside of thethreshold region, but this provides no information aboutwhether the value is above or below . If i T, themeasurement is not used in the secret, and if i / T, theeavesdropper has no information about whether ya(tj)is greater than or less than . So, the communicateddata does not reveal anything about the generated secretkey bits.

Compared to the method proposed in this paper, thecensoring scheme has two main drawbacks. First, the useof censoring causes loss of bits. The number of bits lostto censoring depends on the measured data. In order toensure a secret with a consistent number of bits, extrameasurements must be gathered prior to bit extraction.In numerical results related in Section 7.6, between 5% to27% of measurements are lost to censoring. The second

drawback is that it is not possible to generate more thanone bit from each real-valued measurement, that is, mi =1 for all i.

6.2 Formulation

We propose a multi-bit adaptive quantization (MAQ)scheme for secret sharing. The MAQ scheme adaptivelyquantizes each measurement to an arbitrary number of

bits without censoring. No fixed quantization scheme isable to achieve a low error rate because when ya(i) isvery near to a threshold, there is a high probability that

yb(i) crosses to the other side of that threshold. As asolution, we propose to change the quantization schemeat both a and b based on the measurement at one of thenodes. For this discussion, without loss of generality, weassume that node a is the leader node in the multi-

bit adaptive quantization scheme, and that node b is thefollower.

In the MAQ scheme, we first quantize ya(i) to K 2mi+2 = 4 2mi equally-likely quantization levels. Toachieve equally-likely quantization levels, we require thedistribution for ya(i). In general, let Fi(y) = P [ya(i) y]

be the cumulative distribution function (CDF) of ya(i).


7/15


8/15


Fig. 2. Diagram showing area of F1i (ya), F1i (yb) where

generated bits at a and b will agree (gray area) anddisagree (white area) for the 1-bit adaptive quantizationscheme.

Fi(y). The conditional CDF of yb(i) given ya(i) is writtenas FYb(i)|Ya(i)(yb

|ya).

We first discuss the probability of codeword disagree-ment, and then provide an approximation for the prob-ability of bit disagreement. The two are the same in themi = 1 case, but different in general.

For certain combinations of(ya(i), yb(i)), the codewordat node a will be encoded differently than at node b, andthese combinations can be viewed graphically on a 2-Dplot. Recall that node a is the leader node, and so yadecides the quantization scheme. Given ya(i), the valueof yb(i) thus decides whether or not a bit disagreementoccurs. For example, for the 1-bit adaptive quantiza-tion scheme displayed in Table 1, the combinations of(ya(i), yb(i)) which result in bit agreement are shownin Figure 2 as the gray shaded area. There is a widediagonal area, where ya(i) is close to or equal to yb(i),which would result in codeword agreement.

If we refer to the shaded area of the diagram (the bitagreement area) as A, then the probability of codewordagreement, denoted PCA , is

PCA =

A

fYa(i),Yb(i)(ya, yb)dyadyb.

Another way to write this equation is

PCA = yaP [CA|ya] fi(ya)dya (12)

where P [CA|ya] is the probability of code agreementgiven ya,

P [CA|ya] =ybA(ya)

fYb(i)|Ya(i)(yb|ya)dyb,

and A(ya) = {yb : (ya, yb) A}.

6.5 MAQ Performance in Gaussian Case

For the case that ya(i) and yb(i) are jointly Gaussian andzero mean, we can find a more direct expression for theprobability of code agreement. Note that we know that

the marginal variances of ya(i) and yb(i) are identical,which we denote as 2i . Let the correlation coefficientof ya(i) and yb(i) be i. Then the conditional pdf ofYb(i)|Ya(i) has mean iYa(i) and variance 2i (1 2i ).Thus, P [CA|ya] for the 1-bit adaptive quantization casecan be written as:

P [CA|ya]

F

1(ya) iyai

1 2i

F1(ya) iya

i

1 2i

(13)

where (x) is the unit variance Gaussian CDF, and yaand ya are the high and low limits for a given ya of thesegment ofyb which results in codeword agreement. Forthe 1-bit adaptive quantization case, it can be seen fromFigure 2 that

ya =

0.25, Fi(ya) 0.1250.5, 0.125 < Fi(ya) 0.3750.75, 0.375 < Fi(ya) 0.6251, 0.625 < Fi(ya)

ya =

0, Fi(ya) < 0.3750.25, 0.375 Fi(ya) < 0.6250.5, 0.625 Fi(ya) < 0.8750.75, 0.875 Fi(ya)

In general, for an mi-bit quantization scheme,

ya = min

1,

Fi(ya) + 2(mi+2)

2(mi+1)

ya = max

0,

Fi(ya) 2(mi+2)2(mi+1)

(14)

where we define the u-multiple floor and ceiling func-tions which return the highest multiple of u lower than

its argument, and the lowest multiple of u higher thanits argument, respectively:

xu = ux

u

, xu = u

xu

(15)

Equation (13) is less than or equal to the exactP [agreement] because we only consider the main diago-nal area of agreement. For example, we do not considerthe top-left area and bottom-right area in Figure 2. Thesenon-diagonal elements will typically have a very smallprobability, because they correspond to observing nearlyopposite values on the two directional measurements.Since the two measurements have high positive corre-lation, it is highly unlikely to observe nearly oppositevalues.

Using (12) and (13) we can solve for a lower boundon the probability of agreement. We note that for theGassian case, F1i (x) = i

1(x) where 1(x) is theinverse of the zero-mean unit variance CDF. A substitu-tion of v = ya/i results in the expression,

PCA v=

1[iv] iw

1 2i

1[iv] iv

1 2i

ev

2/2

2

dv (16)


9/15


0.9990.990.9

103

102

101

Correlation Coefficient

ProbabilityofBitDisagreement

m=4m=3m=2m=1

Fig. 3. Analytical approximation for the probability of bit

disagreement from (17) as a function of number of bitsper codeword, m, and correlation coefficient, .

Note that (16) is not a function of i, the variance of theith component ofy. Instead, it is solely a function of iand mi. Note that the probability of code disagreementPCD = 1PCA, from the lower bound in (16), we have anupper bound on PCD . Borrowing from digital commu-nications analysis of Gray coded symbol constellations,for low PCD , we can approximate the probability of bitdisagreement, PBD , as

PBD PCD/mi. (17)This expression (16) is solved numerically, and resultsfor the PBD are plotted in Figure 3.

6.6 Censoring Scheme Performance in Gaussian

Case

The multi-bit adaptive quantization scheme offers thepossibility of encoding a component with more thanone bit, which is not possible in the existing censoringscheme. However, for the mi = 1 case, we can comparethe two bit extraction schemes and evaluate their relative

benefits.We begin by formulating the probability of bit dis-

agreement in the censoring scheme. The bit is censoredwhenever either a or b measures a value between and . Agreement occurs whenever both ya(i) < andyb(i) and yb(i) > .

These cases are shown in Figure 4, which is analogousto Figure 2 for the 1-bit MAQ scheme.

Assuming a joint Gaussian distribution for (ya, yb), asassumed in Section 6.5, we can calculate the probabilityof censoring, P [Cens], and the probability of bit dis-agreement.

P [Cens] =

v

P [Cens |v] ev2/2

2

dv (18)

P [Cens |v] =

1, if i v i

0, o.w.

(19)

The performance of the censoring scheme should bejudged on the probability of bit disagreement given thatthe bit is used in the secret (is not censored). This is whythe conditional probability of bit disagreement is divided

by the factor of (1 P [Cens]). The result is plotted inFigure 6.

6.7 Performance Discussion and Comparison

We can compare the results in Figure 6 to the m = 1 linein Figure 3. For low thresholds , the censoring scheme


10/15


0.9990.990.9

103

102

101

Correlation Coefficient

Prob

abilityofBitDisagreement

= /20

= /10

= /5

Fig. 6. Analytical probability of bit disagreement from (19)vs. and censoring threshold , given that the bit is notcensored.

results in a higher probability of bit disagreement thanthe 1-bit MAQ scheme. At high (e.g., the / = 0.2case) censoring can provide a lower bit disagreement

probability than 1-bit MAQ. However, at high , manybits are censored. For example, for / = 0.2 and = 0.96, the censoring scheme achieves conditionalprobability of bit disagreement of 0.01 compared to 0.03for the 1-bit MAQ scheme, but the censoring schememust censor 24.7% of components.

For a moment, ignoring the loss of bits caused bythe censoring scheme, we consider when to use thecensoring scheme instead of the MAQ scheme. Whenthe correlation coefficient is low, the threshold can beset high, and the conditional probability of bit disagree-ment can be made lower in the censoring scheme. Forexample, if one wishes to design for highest possible bit

rate with PBD 0.04, one would choose m = 1 for0.95 < < 0.98, m = 2 for 0.98 < < 0.993, and m = 3for 0.993 < < 0.998. For the m = 1 case, the censoringscheme could be used in order to lower the probabilityof bit disagreement at the expense of higher probabilityof censoring. In this example, if we have components iwith i > 0.98, the MAQ scheme offers more bits permeasurement component.

7 EXPERIMENTAL IMPLEMENTATION

In this section, we present the collection of a set oftestbed RSS measurements on a bi-directional link and

use the data to provide an example of the implementa-tion and performance of the HRUBE method.

7.1 Setup

We use Crossbow TelosB wireless sensors which areconnected via a USB connection to a laptop in orderto record the collected data for post-processing andanalysis. The TelosB mote is a low power wireless sen-sor module equipped with an IEEE 812.15.4-compliantRF transceiver (the TI CC2420), built-in antenna anda micro-controller. In general, wireless sensors are de-signed for low data rate and low computation and

memory capabilities, and the TelosB can send 250 kbps.We choose the hardware to show the ability of simplehardware devices to collect channel data useful for secretkey exchange.

We program the TelosB 802.15.4 radios to transmit andreceive packets which are used as channel probes. Ingeneral, any data could be sent in the probe packets,

including application data. In our implementation, thepackets include only minimal data: the packet header,a node id, and a sequence number. When one radioreceives a packet, it measures and records the RSS andstores it with the packet sequence number. Then, it in-crements the sequence number and replies with a packetwith the incremented sequence number. This processrepeats until the two nodes have collected enough probedata. Each packet contains a total of 10 bytes and thushas a duration of 40 s. Processing time dominates thepacket duration, and the channel is measured at a rateof approximately 100 probe packets per second, or 50probes per node.

In any implementation, the RSS value measured bya receiver is device-specific. On the TelosB, the RSS isa signed 8-bit integer value, a value proportional tothe measured average received power over the durationof the packet, in decibel milliwatts (dBm). While thisinteger value could be converted to a dBm value, it isunnecessary for our purposes, since all testbed radiosare TelosB devices and thus have the same RSSI charac-teristic.

Our experimental tests involve two nodes, a and b,about 0.5 meters apart, measuring link (a, b). The originalchannel measurement vectors wa and wb are the lists

of measured RSS values at nodes a and b, respectively.Figure 7 shows an example of wa and wb measuredover the course of 100 channel probes. It shows somedifferences between the two directional measurements,

but the large-scale changes of the two signals over timeare remarkably similar. The tests also include the mea-surement at an eavesdropper node e which receives butnever transmits. Node e is located about 1.5 m from nodeb and can measure the RSS on the channels (a, e) and(b, e). Figure 7 also shows the measurement of RSS onlink (a, e). The signal at the eavesdropper is qualitativelyvery different from the true link measurements.

Motion of one of the nodes is used to generate fading

changes in the RSS measurements, which is critical to ob-serving fading during short-term experiments in indoorenvironments. During the experiment, the experimentercontinuously moves one of the nodes in a randommanner, above, below, and around its starting position.Three experiments are conducted, each for a duration ofabout 1000 seconds. In this paper, we chose to measurevectors with length N = 50. Since measurements aretaken approximately 50 per second, each vector takes1 second to record. The long duration of the experimentensures that we have enough data to characterize meanand covariance statistics.


11/15


200 220 240 260 280 300

20

15

10

5

0

5

Counter Value

RSSInteger

Fig. 7. Raw measured RSS values from a to b (+), from bto a (o) and from b to e (*).

7.2 Interpolation

Our measurement protocol lacks explicit time-synchronization, but the protocol approximately

achieves a fractional time offset of 1/2 at all times. Theprotocol is synchronized in the sense that each nodetransmits a packet as soon as it finishes receiving aprobe packet from the other node. The delay betweenreception and transmission is nearly the same at eachnode, because they have the same hardware and runthe same software. Packets can be delayed or droppeddue to interference (nodes operate in the same bandas WiFi), but we ignore these effects. We assume thatb(1)a(1)

TRis approximately equal to 1/2. That is, node

bs probes are sent halfway in between the previous andsubsequent node a probes. This leads to a = 0.25 in(2). Our measured values wa and wb are run through

the interpolation procedure described in Section 4 andthe synchronized data xa and xb are then formed using(4).

s

7.3 Data Model

We use the measured data from the first experiment(of three) to estimate the mean vectors xa and xb ,and covariance matrix Rx of the data vectors, which isestimated as:

xa =

1

C

Ci=1

x

(i)

a , xb =

1

C

Ci=1

x

(i)

b

Rx =1

2C 1

Ci=1

(x(i)a a)(x(i)a a)T

+Ci=1

(x(i)b b)(x(i)b b)T

(20)

where x(i)c is the ith 50-length measured RSS vector at

node c, and W = 49951 is the total number of RSS vectorswhich can be formed from the measured data at eachnode.

5 10 15 200

300

600

900

1200

Variancei2

5 10 15 20

0.999

0.99

0.9Corr.

Coef.

Component

Fig. 8. Variances 2i and correlation coefficients i of first20 components of y.

Next, we also calculate the covariance between ameasurement and the same measurement on the reverselink:

Rxc,xc = 12C 1 Ci=1

(x(i)a a)(x(i)b b)T

+

Ci=1

(x(i)b b)(x(i)a a)T

. (21)

7.4 De-Correlation Transform

From Rx, we calculate the SVD as given in (5). Weplot the eigenvalues of each eigenvector (the varianceof each component) in the top subplot of Figure 8.Then, using the KLT matrix U, we calculate the cross-directional covariance matrix from (7) and use it to

calculate the correlation coefficients i as given in (8).These correlation coefficients are plotted in the bottomsubplot of Figure 8. The highest correlation coefficient is0.9965; there are seven components with > 0.98 andfourteen components with > 0.95.

Figure 9 shows the first nine eigenvectors of Rx, thecolumns of U, both in the time domain and in thefrequency domain. The results show that the eigen-vectors are nearly pure sinusoids. For short periodsof time (our measurement vectors are recorded withinone second), we can consider the fading signal to bea wide-sense stationary (WSS) random process, and assuch, its eigenvectors should be complex exponentials.

For longer periods of time, motion may not be WSSbecause of changes in the nature of the motion in thechannel or of the nodes themselves. Future work shouldaddress the stationarity of the fading process duringsecret generation. Future implementations may also wishto use an FFT of the measured RSS values rather thanthe KLT in order to reduce computational and memorycomplexity.

Next, we apply the data model to experimental datasets two and three. We transform the measured datavectors xc from these latter two data sets using the KLTto compute the values ofyc = UT(x c), for c {a, b}.


12/15


13/15


7.6 Experimental Performance

Finally, we run each system through the data collectedexperimentally. The experimental bit disagreement rateis computed by counting the number of bits for whichnodes a and b disagree and dividing by the total numberof bits generated in the course of the experiments. Table3 shows the results. In each system design, the actual

bit disagreement rate is lower than the PBD for whichthe system was designed. Since mi is chosen conserva-tively, as described in Section 7.5, we expect the designspecification to be an upper bound on PBD .

The system designs also show that a large number ofbits can extracted from the channel measurements. Atthe highest PBD , we can extract 22 bits per second. Thiscompares well to [16] which describes an implementa-tion which achieves approximately one bit per second.

Note that the secret key generation rates from theHRUBE method, including the 22 bits/sec system, arenot reconciled; at a bit disagreement rate of 2.2%, onaverage, one out of the 22 bits will disagree about 40% of

the time. Other research has used information reconcili-ation procedures to reveal small amounts of information

between two nodes that permitted correction of limitednumbers of bit disagreements, as discussed in Section 2.We assume that such reconciliation will be implementedas part of a secret key generation system which reliablyfinds keys which agree at the two ends of a link.

7.7 Statistical Tests of Correlation

We have designed the HRUBE method so that, any pairof bits within secret key vector z has zero correlation.In this section, we use our large set of measured data

to estimate the correlation coefficient between bits andtest for non-zero correlation. We estimate two types ofcorrelation coefficients:

1) Pair-wise bit correlation coefficients. We denote zi,zjas the correlation coefficient between the ith and

jth component of vector z, for i = j.2) Global bit correlation coefficient. We denote z as the

correlation coefficient between all pairs of differentcomponents ofz. A single correlation coefficient isonly valid if the correlation between any pair of

bits in z is assumed identical.

From the measured data, we generate n = 833 re-alizations of the vector z from our data, from which

estimated pair-wise bit correlation coefficients {zi,zj}i,jrange from -0.10 to +0.12. The estimated global bitcorrelation coefficient z is -0.0036.

Clearly, the estimated correlation coefficients will neverprecisely zero, even if = 0 exactly. So, for the givennumber of realizations, we provide hypothesis tests toquantify if these non-zero correlation coefficient esti-mates are likely, or unlikely, to have been generated ifthe true = 0. Formally, the decision is:

H0 : = 0 (22)

H1 : = 0

The hypothesis test is performed on statistic t [26],

t =

1 22

n 2H1> 100 is high enough for this approximationto hold.

For the pair-wise bit correlation coefficients, the esti-mated t-statistics for each pair are group-tested; that is,the threshold is set so that the total probability of falsealarm is 5%. For the given parameters, = 3.70. For thethree systems in Table 3, all of the correlation coefficientszi,zj have t < . The global bit correlation coefficient,z, has t = 1.74, below the threshold = 1.96 chosen for

false alarm rate 5%.We also estimate the entropy of the bit sequence

output from the HRUBE system, using the NIST randomgenerator test suite [27]. For systems 1, 2, and 3 (shownin Table 3), the experimental entropies are estimated to

be 0.959, 0.981, and 0.981, respectively, per generated bit.

7.7.1 Discussion

Both tests indicate that the correlation coefficient be-tween bits in z is not statistically significantly differentfrom zero. The best estimate of z is -0.0036. We have

similarly run tests on other sets of collected data; somedata sets pass the correlation test and decide H0, thosethat decide H1 cross the threshold only by a smallmargin. It is fair to say that there may exist smallcorrelations, perhaps || < 0.01, but when given a highnumber of realizations n, a test may detect these smallcorrelations.

Non-zero correlations can be caused by imperfectknowledge of the covariance matrix of the interpolatedRSS sample vector x. Small changes in the covariancestructure over time may occur, and when this occurs,the KLT based on a static transformation matrix U in(6) does not produce a completely uncorrelated sample

vector output. Future work should develop methods toadaptively update the KLT from recently measured datato further reduce correlations in bit outputs.

Note that subsequent bit vectors z are not designedfor zero correlation with each other. The HRUBE de-correlates a set ofN RSS samples and then produces a bitvector z. A later set of N RSS samples produces another

bit vector z which may be correlated with the first vectorz. A system designer should either (1) set N high enoughsuch that enough bits can be obtained from one bit vectorz, or (2) allow time to pass between the first and secondset of RSS samples such that the two sets of samples


14/15


are uncorrelated. This is a tradeoff between latency,computational complexity, and correlation, which must

be studied prior to system deployment.

8 CONCLUSION

This paper provides a general framework, which wecall HRUBE, for the extraction of secret uncorrelated bit

vectors from a series of radio channel measurements. Theframework includes interpolation, de-correlation trans-formation of the data, and then an adaptive quantizationscheme to allow each component to be quantized to anarbitrary number of bits. Analysis has been developedto calculate the probability of bit disagreement usingthe HRUBE scheme, which is used to design systemswith a given bound on probability of bit disagreement.Numerical results are reported for the case of bi-variateGaussian measurements. We show, via an implementa-tion of HRUBE, some examples of the bit rate vs. PBDtradeoff, including the possibility of achieving 22 bits persecond at a bit disagreement rate of 2.2%, or achieving10 bits per second at a bit disagreement rate of 0.54%.Experimentally, pairs of bits within one bit vector showa correlation coefficient of -0.0036, close to perfect de-correlation.

Future work must apply the HRUBE method to othermodes of radio channel measurements and improvethe distributional assumptions. In particular, the jointdistribution of ya(i) and yb(i) should be thoroughlyinvestigated using large sets of measured data. Manyof the system design choices (distribution parameters,number of bits per component) might be trained in real-time from initial measurements, and research should

investigate such methods. For example, quantizationlevels {k} could be determined by each node on its ownfrom measured vectors y; or nodes could periodically(perhaps once per secret) communicate to set them.Research should also investigate adaptive update of theKLT in order to achieve even lower correlation between

bits. Of course, additional research should be performedfrom an attackers perspective: to attempt to breaksecret keys generated from extraction methods which areseen as weak; or to deny the ability of two radios to agreeon a secret key. Research must design key generationsystems to be as robust as possible to such attacks.The general problem of bit extraction for secret key

generation, i.e., translating radio channel measurementsinto shared secret key bits, is generally an open statisticalsignal processing problem, and one that may have directimpact for the improvement of wireless network security.

REFERENCES

[1] C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, and J. Smolin,Experimental quantum cryptography, J. Cryptol., vol. 5, no. 1,pp. 328, 1992.

[2] S. Wiesner, Conjugate coding, SIGACT News, vol. 15, no. 1, pp.7888, 1983.

[3] L. Greenemeier, Election fix? Switzerland tests quantum cryp-tography, Scientific American, October 2007.

[4] G. D. Durgin, Space-Time Wireless Channels. Prentice Hall PTR,2002.

[5] J. E. Hershey, A. A. Hassan, and R. Yarlagadda, Unconventionalcryptographic keying variable management, IEEE Trans. Com-mun., vol. 43, no. 1, pp. 36, Jan. 1995.

[6] A. A. Hassan, W. E. Stark, J. E. Hershey, and S. Chennakeshu,Cryptographic key agreement for mobile radio, Elsevier DigitalSignal Processing, vol. 6, pp. 207212, 1996.

[7] A. Sayeed and A. Perrig, Secure wireless communications: Secretkeys through multipath, in IEEE Int. Conf. Acoustic, Speech &

Signal Processing (ICASSP08), April 2008, pp. 30133016.[8] M. G. Madiseh, M. L. McGuire, S. W. Neville, and A. A. B. Shirazi,

Secret key extraction in ultra wideband channels for unsynchro-nized radios, in 6th Annual Conference on Communication Networksand Services Research (CNSR2008), May 2008.

[9] C. Ye, A. Reznik, G. Sternberg, and Y. Shah, On the se-crecy capabilities of ITU channels, in IEEE Vehicular TechnologyConf. (VTC07-Fall), Oct. 2007, pp. 20302034.

[10] R. Wilson, D. Tse, and R. A. Scholtz, Channel identification: Se-cret sharing using reciprocity in UWB channels, IEEE Transactionson Information Forensics and Security, vol. 2, no. 3, pp. 364375,Sept. 2007.

[11] B. Azimi-Sadjadi, A. Kiayias, A. Mercado, and B. Yener, Robustkey generation from signal envelopes in wireless networks, inCCS 07: Proceedings of the 14th ACM Conference on Computer andCommunications Security, Nov. 2007, pp. 401410.

[12] Z. Li, W. Xu, R. Miller, and W. Trappe, Securing wireless systems

via lower layer enforcements, in Proc. 5th ACM Workshop onWireless Security (WiSe06), Sept. 2006, pp. 3342.

[13] C. Ye, A. Reznik, and Y. Shah, Extracting secrecy from jointlyGaussian random variables, in 2006 IEEE International Symposiumon Information Theory (ISIT06), July 2006, pp. 25932597.

[14] T. Aono, K. Higuchi, T. Ohira, B. Komiyama, and H. Sasaoka,Wireless secret key generation exploiting reactance-domainscalar response of multipath fading channels, IEEE Trans. An-tennas & Propagation, vol. 53, no. 11, pp. 37763784, Nov. 2005.

[15] M. A. Tope and J. C. McEachen, Unconditionally secure com-munications over fading channels, in Military CommunicationsConference (MILCOM 2001), vol. 1, Oct. 2001, pp. 5458.

[16] S. Mathur, W. Trappe, N. Mandayam, C. Ye, and A. Reznik,Radio-telepathy: Extracting a secret key from an unauthenticatedwireless channel, in ACM Intl. Conf. on Mobile Computing andNetworking (Mobicom 2008), Sept. 2008, (to appear).

[17] S. Jana and S. K. Kasera, On fast and accurate detection of unau-

thorized access points using clock skews, in ACM Intl. Conf. onMobile Computing Networking (Mobicom08), Sept. 2008.

[18] U. M. Maurer and S. Wolf, Unconditionally secure key agreementand the intrinsic conditional information, IEEE Trans. Info. The-ory, vol. 45, no. 2, pp. 499514, 1999.

[19] U. M. Maurer, Secret key agreement by public discussion fromcommon information, IEEE Trans. Info. Theory, vol. 39, no. 3, pp.733742, May 1993.

[20] V. Brik, S. Banerjee, M. Gruteser, and S. Oh, PARADIS: Physical802.11 device identification with radiometric signatures, in ACM

Mobicom, pp. 116127, Sep. 2008.[21] C. Farrow, A continuously variable digital delay element, in

IEEE Intl. Symposium on Circuits and Systems, vol. 3, June 1998,pp. 26412645.

[22] M. Rice, Digital Communications: A Discrete-Time Approach. Pear-son Prentice Hall, 2009.

[23] A. Nasir and K. R. Rao, Orthogonal Transformations for Digital Signal

Processing. Springer Verlag, 1975.[24] A. Lakhina, M. Crovella, and C. Diot, Diagnosing network-widetraffic anomalies, in ACM SIGCOMM, Aug. 2004.

[25] A. Luminia, D. Maioa, and D. Maltoni, Continuous versusexclusive classification for fingerprint retrieval, Elsevier PatternRecognition Letters, vol. 18, no. 10, pp. 10271034, Oct. 1997.

[26] W. W. Hines, D. C. Montgomery, D. M. Goldsman and C. M. Bor-ror, Probability and Statistics in Engineering, Wiley, 4th ed., 2003.

[27] NIST. A statistical test suite for random and pseudorandomnumber generators for cryptographic applications.http://csrc.nist.gov/publications/nistpubs/800-22/sp-800-22-051501.pdf.


15/15


PLACEPHOTOHERE

Neal Patwari received the B.S. (1997) and M.S.(1999) degrees from Virginia Tech, and thePh.D. from the University of Michigan, Ann Arbor(2005), all in Electrical Engineering. He wasa research engineer in Motorola Labs, Florida,between 1999 and 2001. Since 2006, he hasbeen at the University of Utah, where he isan Assistant Professor in the Department ofElectrical and Computer Engineering, with anadjunct appointment in the School of Computing.

He directs the Sensing and Processing AcrossNetworks (SPAN) Lab, which performs research at the intersectionof statistical signal processing and wireless networking. His researchinterests are in radio channel signal processing, in which radio channelmeasurements are used for purposes of security, localization, andnetworking. Neal has served on technical program committees for IEEEconferences SECON, ICDCS, DCOSS, and ICC, and MILCOM. He is anassociate editor of the IEEE Transactions on Mobile Computing.

PLACEPHOTOHERE

Jessica Croft received a B.A. in physics anda B.Music from the University of Montana, Mis-soula in 2004. She received a M.S.E.E. fromMontana Tech, Butte in 2007. She has interned

at the Idaho National Lab. Since Fall 2007 shehas been pursuing a Ph.D. in electrical engi-neering at the University of Utah. Her current re-search is in security in wireless sensor networks.

PLACEPHOTOHERE

Suman Jana received his bachelors degree incomputer science from Jadavpur University, In-dia. He is currently pursuing his Masters degreeat the School of Computing in the University ofUtah. His primary research interests are in thefields of network security and computer systems.

PLACEPHOTOHERE

Sneha Kumar Kasera is an Assistant Professorin the School of Computing at the University ofUtah in Salt Lake City. From 1999-2003, he wasa member of technical staff in the Mobile Net-working Research Department of Bell Laborato-ries. Earlier, he received a Ph.D. in ComputerScience from the University of MassachusettsAmherst, and a Masters degree in Electrical

Communication Engineering from the Indian In-stitute of Science Bangalore. He has held re-search and development positions at Wipro In-

fotech and Center for Development of Advanced Computing at Banga-lore, India. Dr. Kaseras research interests include computer networksand systems encompassing mobile and pervasive systems and wirelessnetworks, network security and reliability, social network applications,overload and congestion control, multicast communication, Internetmeasurements and inferencing. He is a recipient of the 2002 Bell LabsPresidents Gold Award for his contribution to wireless data solutions.He has served in many technical program committees including those ofACM Mobicom, ACM Sigmetrics, IEEE Infocom, IEEE ICNP, and IEEESECON, among others. He is an associate editor of ACM SigmobileMC2R, and also serves in the editorial boards of ACM/Springer WINETand Elsevier COMNET journals.

20. High-Rate Uncorrelated Bit Extraction for Shared Secret Key Generation From Channel Measurements

Documents

Transcript of 20. High-Rate Uncorrelated Bit Extraction for Shared Secret Key Generation From Channel Measurements