Mobility AssistedSecretKey GenerationUsingWirelessLink Signatures

JunxingZhang,SnehaK. KaseraEmail:

�junxing, kasera� @cs.utah.edu

Neal PatwariEmail: npatwari@ece.utah.edu

Abstract—We propose an approach where wir eless devices,interestedin establishinga secret key, samplethe channelimpulseresponse(CIR) spacein a physical area to collect and combineuncorrelated CIR measurements to generatethe secret key. Westudy the impact of mobility patterns in obtaining uncorrelatedmeasurements.Using extensive measurementsin both indoor andoutdoor settings, we find that (i) when movement step size islarger than one foot the measured CIRs are mostly uncorrelated,and (ii) more diffusion in the mobility resultsin lesscorrelation inthe measured CIRs. We develop efficient mechanismsto encodeCIRs and reconcilethe differ encesin the bits extracted betweenthe two devices. Our results show that our schemegeneratesvery high entropy secret bits and that too at a high bit rate. Thesecret bits, that we generateusing our approach,also passthe 8randomnesstests of the NIST test suite.

I . INTRODUCTION

Growing work shows physicallayer characteristicsof wire-less links such as multipath propertiesare different at dif-ferent locations,and can be consideredto be signaturesofwireless links. For example, Fig. 1 shows two channelim-pulse response(CIR)[1], [2] magnitudemeasurementstakenat different locations.From the figure, the two measurementsare quite different due to varied channelconditions at thetwo locations. The fact that these link signaturescan be

0 20 40 60 80 1000

0.5

1

1.5

2

2.5x 10

5

Time Delay

Mag

nitu

de

Channel impulse responsesat location AChannel impulse responsesat location B

Fig. 1. Multipath propertiesat two locations.

measuredalmostsymmetricallybetweentwo endsof a wire-less link [3], but cannotbe measuredfrom anotherdistinctlocation hasled researchersto suggestusing thesefor secretkey establishment[4], [5], [6]. Secret key extraction fromlink characteristicshasthepotentialto provide an inexpensivealternative to quantumcryptography[7], [8].

However, anadversarycanbeat oneof thegenuinewirelessendpoints’ locations and measurethe same link signature.

Once the adversary steals some signaturemeasurementsithas a good chanceto determinethe key generatedwith thelink signaturemeasurements.We call the attack launchedin this manner the location locking attack. To avoid thisproblem,existing work [5] hasrelied upon the movementinthe environmentor the movementof the devices exchangingthe keys to perturb the wirelesschannelin an unpredictablemanner. Such unpredictablechannelis expectedto produceunpredictablesecretkeys. Very interestingly, Janaet al. [9]showed that in static scenarios,an adversary can actuallycausepredictablemovementin the environmentandthusfoolthe endpointsto extract deterministic secretkeys that it canextractitself. Alternatively, insteadof dependingon movementin the environment, devices can themselves move to causevariations in the wireless channel that gets translatedintosecretkeys.However, thedevicemustcontinueto moveduringkey extraction.In this paper, we proposea differentapproach.Instead of extracting keys from the temporal variations inthe channel,the wirelessdevices measurethe wireless linksignaturesat different unpredictablelocations and combinethesemeasurementsto producestrong secretkeys. We usethe CIR as our wireless link signature1. Essentially, in ourapproach,the wireless devices sample the CIR space in aphysicalareato collect uncorrelatedCIR measurements.

To understandour approachat a high level, considertwodevicesAlice (A) andBob (B), asshown in Figure2. Assumethat thesedevices are mobile and are at different locationsat different times. Let ��� be the CIR measurementof thelink betweenA and B when they are at any pair (denoted�) of specific locations.Let ��� be measuredaccuratelyonly

by devices A and B and no other device that is not at thelocationof A or B or very closeby. The two devices,A andB, measurethe CIR at different locationpairs.Both A andBusea previously agreeduponandpublicly known function �of thesemeasurements,������ ����� ����� ������������ , to computethesharedkey. An importantassumptionhereis thatanadversarycan at best be at someof theselocationswhere the CIR ismeasuredbut not all andhencewill not beableto computethesecretkey if � is reasonablylarge.As long asthemovementofAlice andBob is not fully retraceable,the changeof locationdoes not need to happenat short time intervals. Note thatby using the samplesin the CIR space,we do not preclude

1In this paper, our CIR is actuallya vectorof 25 channelimpulseresponsesmeasuredover time.

2

the benefits of channel variations causedby movement inthe physical� environmentor that of A and B. Our novel useof spatialsamplingwill significantly strengthenany existingtechnique[5], [10] andmake themmore robust.

X1X2

Xn

Device A

Device B

Fig. 2. WirelessdevicesA andB areshown to bemeasuring�! s at differentlocations.

One of the important requirementsfor generatingstrongkeys is to pick ��� s that are uncorrelatedwith each other.However, thecorrelationamong� � s dependson themultipathcharacteristicsof the physical environment, the step size ofmovement,and in generalthe mobility model.We investigatethreemobility models- randomwalk, Brownian motion, andLevy walk, in thispaper. Wealsodevelopefficientmechanismsto encode CIRs and reconcile the differencesin the bitsextractedbetweenA and B. Specifically, we proposea newJigsaw encoding schemethat keeps the mismatch rate inreciprocalmeasurements,at A and B, low even when CIRsare quantizedwith increasingbit numbers.We adopt Reed-Solomonforwarderror correctionto reconcilethe bits thatdonot match at A and B, and also analyzethe computationalcomplexity of this process.Using extensive measurementsinbothindoorandoutdoorsettings,we find thatwhenmovementstepsize is larger thanone foot the measuredlink signaturesare mostly uncorrelated.When using step sizesdrawn fromcontinuousuniform, Levy, and Gaussiandistributions in theadoptedthree mobility models, we find more diffusion inthe model results in less correlation in the measuredlinksignatures.We also find that our schemegeneratesvery highentropy secretbits and that too at a high bit rate.The secretbits, that we generateusing our approach,also passthe 8randomnesstestsof the NIST testsuite [11] that we conduct.

The rest of this paperis organizedas follows. In the nextsection, we provide estimationsof the size of the channelimpulse secretkey space.In Section III we define the ad-versarymodel. In SectionIV we presenta mobility assistedsecretkey establishmentprotocolandproposea new encodingschemeanddiscrepancy reconciliationmethodthatwork withthe protocol. Finally, in SectionV, we evaluatethe protocoland examine the impact of mobility and different mobilitymodels on signature randomnessand key extraction. Therelatedwork aregivenin SectionVI andconclusionsaredrawnin SectionVII.

I I . CHANNEL IMPULSE RESPONSE SECRET SPACE

Before developing our samplingand key extraction strate-gies, we first obtain an estimateof the size of CIR secret

Dataset1 "�#Dataset2 $�%Dataset3 $�&

TABLE ISI ZE OF SIGNATURE SPACE IN DIFFERENT ENVIRONMENT

space.This number tell us how many unique channelCIRmeasurementsare possiblein a given physical environment.For obtaining this number, we use the mutual informationbetweenthe CIR measurementand the location where themeasurementis taken. The details of the methodologytoobtain the mutual information from measurementdata aredescribedin [12] andnotacontributionof thispaper. Weapplythe methodologyto obtain mutual information to three datasetsthatwecollect.ThesedatasetsessentiallycontaintheCIRmeasurementsand the location information in threedifferentenvironments.Our measurementcampaignfor obtainingthesedata sets will be describedin Section V. Here, we onlypresentthe estimatesof the CIR secretspacefor the threeenvironments.

Table I shows the CIR secretspaceestimatesfor the threedatasetsin bits. An estimatedsizeof 34 bits meansthat ' �)(uniqueCIRs canbe obtainedfrom this physicalenvironment.Now, 34 bits by itself is not a very large numberand mostcomputerscan very quickly try out all the ' �*( possibilities.However, whenweusemultiple34bit valuesin thefunction � ,we canobtainmuchlongerkeys. For example,if we organizethe '�+ uncorrelatedmeasurements(ideally, theseshould be'�+ independentmeasurements)and permutethem2, we willincreasethe shared secret size by bits equivalent to '�+-, .This is becauseto break the secret an attacker will haveto try '�+., permutationsin the worst case.Using Stirling’sapproximation[13], '�+., correspondsto about 61 bits thusincreasingthesharedsecretspaceto roughly61+34= 95 bits.We can increasethe sizeeven moreby increasing� .

I I I . ADVERSARY MODEL

We consideran adversarythat can overhearall the com-municationbetweenthe two devicesA andB. Our adversarycanalsobe in someof the locationswherethe transmitterorthe receiver has been in the past or will be in the future,but the adversary does not know or cannot accessall thelocationsvisitedby thetransmitterandthereceiver. Weassumethat the adversarycannotcausea person-in-the-middleattack.Essentially, wedonotaddresstheissueof theauthenticationoftheendpoints(A and/orB) in this paper. We expectour secretkey extraction schemeto be usedin conjunctionwith someof the fingerprinting-basedauthenticationbeing developedelsewhere(e.g., [14], [15], [9]).

Our adversaryis alsonot interestedin causingany Denial-of-Serviceattacks.Someexisting approachesproposeto se-cure or hide the location where signaturemeasurementsaretaken. For example, in [6] the authorssuggestto define a

2This meansthat /102�43�56�87956�;:�5=<�<=<6�;>@?BAC�D3)EF�87�EF�G:9E1<�<�<=EF�!> .

3

threatregionaboutthelegitimateuserandphysicallyguaranteethatan attacker is not within this region. We do not make anysuchassumptions.

IV. MOBIL ITY ASSISTED KEY ESTABLISHMENT

In this section, we first describe the our simple secretkey establishmentprotocol betweenA and B that countersthe threat that may arise from the adversary describedinSection III. Next, we presentthe important building blocksof the protocolincludingCIR quantization,bit extraction,andencoding.Finally, we explain how to useReed-Solomon(RS)error-correctingcode to reconcilebit mismatchbetweenthetwo communicatingpartiesandensureinformation (key bits)confidentialityat the sametime.

A. Key Establishment Protocol

Our key establishmentprotocolbetweenA andB is dividedinto threephases.Fig. 3 shows the messageexchangeof theprotocol. In the first phase,called SIGGEN (short for signa-ture generation),A and B exchangeSIGGEN and SIGACKmessagesto allow them to measurea sufficient numberofreciprocal CIR. Note that due to hardware differencesandthe differencesin time instancesat which the channelmea-surementis performedat A and B, the measuredCIR is notperfectlyreciprocal.We will addressthis imperfectreciprocitybelow. Betweeneachpair of SIGGENandSIGACK messageexchange,A and B individually, or both move to a newlocation.

In the secondSIGCHK (short for signaturecheck)phase,upon receiving the SIGCHK messagefrom A, B quantizesall CIR it has measuredand removes any duplicates.Hethen encodesthe remainingquantizedCIRs to producebothmessagesymbolsand parity symbols.Next, in the SIGFEC(short for signatureforward error correction)phase,B sendsonly the parity symbolsto A in multiple SIGFECmessages.Upon receiving all the SIGFEC messages,A quantizesthecorrespondingCIRs that shehadmeasuredandencodesthemto producemessagesymbols.B informs A aboutwhich CIRmeasurementsto use.This is donewith the help of sequencenumbers.A then combinesher messagesymbolswith paritysymbolsshe receives from B to obtain a bit streamthat isidentical to that of B. In the final KEYGEN (short for keygeneration)phase,A and B generatea new secretkey withthe reconciledbit streamsandverify that they indeedhave thesamekey througha simplechallengeresponseexchange.

We describethe mechanismsto quantize link signaturesandextract bits andto performencodinganderror correctionin the following subsections.The estimateof the CIR secretspace(as in Section II) and the size of the requiredsecretkey determinehow many CIR measurementsarenecessaryforsecretkey extraction.To convert the bit streamobtainedfromtheCIR measurements,we utilize a key compressionfunction.This compressionfunction usesthe 2-universal hashfamilyto perform Privacy Amplification [16]. Privacy amplificationminimizesthe possiblecorrelationamonginput bits of the bitstreamandcompressestheraw bits to thechosenkey sizewith

Fig. 3. Mobility AssistedKey Establishment.The sequencenumbersusedby different messagesaredenotedasmsnandcsn.

a target function. We useSHA-256,SHA-384,andSHA-512asthetargetfunctionto producekeysof 256,384,and512bits.For agivenfadingenvironmentandprotocolconfiguration,notevery measuredCIR canbereconciled,soour protocolcannotensuresuccessfulsecretkey establishmentall the time andhenceis opportunistic.We usea Bloom filter3 [17] for findingduplicatesamongquantizedCIRsin anefficient mannerin theSIGCHK phaseabove.

B. Quantization and Bit Extraction

BecauseCIRs are continuousrandomvariables,we mustquantizethemin orderto usethemfor secretkey generation.Inthispaper, weadoptthewidely-useduniformquantization[18]to quantizeCIR measurements.In order to quantizeCIR intointeger vectors that can be easily converted to binary bits,we first normalizeeachCIR with its maximumelementvalue.Channelimpulseresponsenormalizationis alsoavoidsthe im-pactof the intentionalmanipulationof the transmittingpowerby an attacker or to filter out the effect of the slow temporalchangesin the averagesignal power. Next, to quantizethenormalizedCIR to 'IH discretevalues with equal intervals,we multiply thesevalueswith 'JH and thenround themto thenearestintegersin the rangeof K +B *'IHMLON�P . We simply convertintegers in the resultingvector to their binary representationto extract the initial bits that we use later for secret keygeneration.

C. Jigsaw Encoding

Although uniform quantizationis simple and easyto im-plement,we find whenincreasingthe quantizationbit numberQ from N to R , the rate of the discrepantelementsin thequantizedCIRs, that are not measuredthe sameat A and

3A Bloom filter is a space-efficient probabilisticdatastructurethat is oftenusedto testmembershipsin a set.

4

QuanBits S $ " # T U & VUniQuanMean W�< W�W�U�# W�< W�%�W�V W�< SX%�T�$ W�< "�U�U�W W�< #�V�$�# W�< U�#�&XU W�< &XT�U�W W�< V�#�#�VJigEncMean W�< W�W�"�$ W�< W�$�"�$ W�< W�"�W�& W�< W�"�&X# W�< W�"�&X$ W�< W�"�&X% W�< W�"�V�W W�< W�"�V�WJigEncStd W�< W�SX$�" W�< W�SX%�U W�< W�$�"�U W�< W�$�$�V W�< W�$�"�S W�< W�$�"�W W�< W�$�"�S W�< W�$�"�$

TABLE IIDISCREPANCY RATE IN RECIPROCAL LINK SIGNATURE MEASUREMENTS

0 5 10 15 20 25 300

5

10

15

20

25

30

35

Time Delay

Qua

ntifi

ed M

agni

tude

Link Signature from A to BLink Signature from B to A

8

(a) Uniform Quantization (b) Jigsaw Encoding

Fig. 4. Comparisonof the uniform quantizationandthe jigsaw encoding,showing (a) a pair of reciprocallink signaturesthat areuniformly quantized,and(b) onesignatureof the pair that is uniformly quantizedandthenencodedwith the Jigsaw scheme.The dark coloredpatternsrepresentrandomnumbersfromthe one-mapandthe light coloredpatternsstandfor numbersfrom the zero-map.

B, grows dramatically. Table II lists the discrepancy rate ina samplebi-directionalmeasurementset.The row “UniQuanMean” shows therateswith only uniform quantization.In thisrow the rateincreasesfrom +1� +�+�Y�Z to +B� R�Z�Z�R . Evenquantizedwith only [ bits, there are N�\1� ]�'.^ of elementsin eachpairof reciprocalCIRs that do not agreewith eachother. Becausereciprocalmeasurementsshouldbe very similar, theseresultssuggestthat the simple uniform quantizationcannotpreservereciprocityandevenincreasethediscrepancy ratein quantizedCIRs.

Fig. 4(a) shows a pair of reciprocallink signaturesthat areuniformly quantized.It appearsthetwo link signaturesareverysimilar, whereasthey have 14 out of 25 elements(]�Y-^ ) thatdo not agree.The high discrepancy rate resultsfrom the factthat eachelementis representedonly by a single quantizedvalue. For example, the elementsat the delay R are '�[ and'�Z . They agreeon the first '�[ units anddiffer only at the lastunit. Becausethey arerepresentedwith thesumof theseunits,their similarity is hidden.To solve this problem,we proposetofurther encodeeachuniformly quantizedvalue with multiplevalues.We call thenew encodingschemeJigsaw Encoding. Inthis scheme,we make useof two randomnumbermapsthataresharedbetweenthetwo parties.Eachmapis a matrix of 'JHrows and L columnswhere Q is the quantizationbit numberand L is the link signaturelength. The matrix elementsarerandomnumbersof _ bits with the first bit as the sign bit.All randomnumbersin thefirst maphasthesignbit of onesoit is calledone-map.All randomnumbersin the secondmaphas the sign bit of zero so it is called zero-map.We patchthe two mapstogetherto form a jigsaw map. We definethejoint points of the jigsaw map by quantizedelementvalues

of the CIR. For example, the A-to-B link signaturein Fig.4(a) is encodedwith the new methodin Fig. 4(b). Becausethe elementat the delay R is '�Z in this signature,the methodencodesthis value in a column of randomnumberswith thefirst '�Z numberschosenfrom the one-map(depictedwithdark coloredpatterns)andthe last ` numbers(sincesignatureelementsarequantizedin K +1 =[.N9P ) from thezero-map(depictedwith light coloredpatterns).Thenumbersarechosenaccordingto their positionsin the RIacb columnsof the two maps.If weapply the samemethodto the B-to-A signaturein Fig. 4(a),at the time delay R they will have [�+ numbersagree(23 fromthe one-mapand 7 from the zero-map)and only N numberdiscrepant.Therefore,the additional Jigsaw encodinghelpsto exposereciprocalsimilarity greatly. The big improvementis illustrated by the discrepancy ratesat the secondrow ofTable II. This improvementis achieved by replacinga singlequantizedelementvalue with an array of randomsymbols.The original value is encodedas the partitioning index thatdividesthe arraysymbolsinto groupsfrom the two maps.Weutilize randomsymbolsinsteadof someconstantvaluefor tworeasons.First, we will encoderandomnumbersin the Jigsawmap further in the RS schemedescribedbelow which hasarequirementof thenumberof bitspersymbol.Second,becausethe RS schemetreats input symbolsas the coefficients of apolynomial to generateoutput symbols,if all input symbolsonly have two constantvalues,they would compromisetheerror-correctionstrengthof the scheme.

D. RS Error Correction

We adopt the RS forward error correction (FEC)scheme[19] to reconcileany discrepanciesin reciprocalmea-

5

surementsof CIR. FEC works by sendingredundantdata inadditionto messagessothatthereceivercandetectandcorrecterrors within some bound. Our adoptionof FEC is a littledifferent from its conventionaluse.We sendonly redundantdata(parity symbols)becausethe other party alreadyhasitsown encodedCIR, althoughwith someerrors.

The RS codeworks by determininga degree d�LeN poly-nomial and treatingevery d symbolsof the input messageasthe coefficientsof the polynomial. It encodesthe coefficientsby evaluating the polynomial at variouspoints. Each outputcodeword has f symbolsincluding d input symbolsfollowedby 'hgji parity symbols. i is the error-correctioncapabilityof the (p,k) RS code.This relation is describedin Eq. 14. Inaddition,the codeword length f is determinedby the symbolbit-number_ asshown in Eq. 2.

ilk fCLmd' (1)

f k 'JnoLpN (2)q k i

d (3)

In our adoptionof the RS code, the sendertransmitstheparitysymbolsof codewordsin thelink layerpayload.Becauselink layer error control (i.e. retransmissionof erroneouspack-ets)is providedin wirelessnetworks,weassumethesesymbolsarealwaysreceivedcorrectlyat theotherparty. Therefore,theinconsistentsymbols can only appearin the input messageportion (the reciprocalsignature)of the codewords.This situ-ation leadsto the definition of the link signaturediscrepancyrate q in Eq. 3.

ilkq gr�s' n LpN��Nutr'�g q (4)

v k ' H�wyx�z|{1}~)����� ' H�w��{-�~�� � ��� w��� { � (5)

Note that the use of FEC also has security implications.Thereare predominantlytwo concernswith the useof FEC.First, it might be possiblefor a third party to use the paritysymbols and correct its own CIR to match the actual CIRbetweenA and B. Second,the parity symbolsmight them-selvesgive away informationon theactualbits of theCIR. Weaddressthe first problemby constrainingthe error-correctioncapability i , for a givensymbolsize _ , to limit the reciprocalrate to q , as governedby Eq. 4. If the measuredCIR of theattacker hasmoreerrorsthanthe reciprocaldiscrepancy q , thepublic parity symbolswill not be able to turn the attacker’sCIR into the legitimateCIR. To addressthe secondproblem,we make thediscovery of thecodedlink signatureusingbruteforce and public parity symbols computationallyinfeasible.The reciprocalCIRs can have up to i inconsistentsymbolsamonga total of d symbols.This meansthat the two partiesshareat least d4Lri messagesymbolsin order to convert onesignatureinto the other. Without this sharedinformation, anattacker will have to find the joint points of ��� a� � columns

4For theconvenienceof analyticalreduction,we ignoretherequirementfor�to be an odd integer here.The approximationcan cause

�off by a value

smallerthan2.

( Q is the quantizationbit number)in the jigsaw mapto obtaind�Lmi correct symbols.Given 'IH possiblevalueseach jointpoint can take, to have all correct joint points at the sametime, the computationalcomplexity

vwould be as large as

definedin Eq. 5. For _�k�N9+ and Q k�] , it is larger than' ���)� . For _�k�N�+ and Q k�N� =' , it is in the order of ' (*�)� .It should be noted that due to the exponential decreaseof�� � the complexity dropsvery fastwith larger quantizationbitnumbers,andbecauseits maximumvalueis +B� ] , symbolsmusthave morethan8 bits to obtaina complexity larger than ' �s�)� .

V. PROTOCOL EVALUATION

In this section,we evaluatethe proposedprotocol in threesteps. First, we assessthe impact of device mobility onmeasuredlink signatures.Then, we investigate its impacton key generation.Finally, we evaluate the quality of thegeneratedkeys.

A. Mobility Models

To study the impact of device mobility, we use threemobility models. These three models are among the mostpopularmobility modelsusedfor evaluatingwirelessresearch.Fig. 5 shows sampletrails of thesethree models.Fig. 5(a)exhibitsa trail of theRandomWalk model[20]. It is createdbystartingfrom a randomlocationin the specifiedarea,walkingtoward anotherrandomlyselectedlocationin the areain eachstep,andrepeating.Fig. 5(b) displaysa trajectoryof theLevyWalk model [21]. This model is alsocreatedwith a sequenceof steps. Each step is defined by a uniformly distributeddirection and a step size drawn from a Levy distribution asdefinedin the following Eq. 6. The exponent ��k�+1� R in thisexample.

���y�=�����k N'��

�

� � �� � ac¡ �£¢ ¤ a ¢¦¥J§ i (6)

When �¨k©' in the Eq. 6 the Levy distribution reducestoa Gaussiandistribution. Using this distribution for the stepsize,we cancreatea BrownianMotion modelasdemonstratedby Fig. 5(c). This model depicts the random movementofparticlessuspendedin a liquid or gas. It can be seenfromFig. 5 that the threemobility modelsdemonstratedecreasingdiffusion, so they form a valuablesuite to study the impactof device mobility. Although researchershave establishedthesimilarity betweenthe Levy Walk pattern and the outdoorhumanmobility, it will be valuable to study the other twosimpler models.Moreover, it is also known the Levy Walkmodeldoesnot accountfor socialconstraintsandgeographicrestrictions[21].

B. Measurement Campaign

We collect five setsof measurementsfor this study. Thefirst two setsarecollectedat multiple discretelocationsalongthe trails generatedby the threemobility models.We take thefirst set of measurementsin a large lobby of an engineeringbuilding on the University of Utah campus(IndoorTrail set).We collect the secondset of measurementson a flat square

6

0 5 10 15 20 250

5

10

15

(a) RandomWalk

0 5 10 15 20 250

5

10

15

(b) Levy Walk

0 5 10 15 20 250

5

10

15

(c) Brownian Motion

Fig. 5. ThreeMobility Models

outsideof thebuilding (OutdoorTrail set).We collectthenexttwo setsof measurementson two gridsof differentscales.Thefirst grid measures30 by 30 foot with a grid line distanceof1 foot, and the secondgrid is 14 by 26 inch with a grid linedistanceof 2 inch. Measurementsare taken at every crosspoint of the grids.We refer to measurementsin the first setasGrid measurementsand thosein the secondset as FineGridmeasurements.The last set of measurementsis taken at onefixed indoor location(Stationaryset).

We obtainall measurementswith a Direct SequenceSpreadSpectrum(DS-SS) transmitterand receiver. The transmittersendsa DS-SSsignalwith a 40 MHz chip rate,a 1024codelength, and a centerfrequency of 2443 MHz. Thesesignalsareessentiallyunmodulatedpseudonoisewhich spanthe USISM band.The receiver correlatesthe received signalwith heknown DS-SSsignal to estimatethe CIR. We rely on trailmeasurementsto accuratelyreflect the relationshipsbetweenmeasurementsat the various points in spacedeterminedbythe mobility models. Since we can sampleonly a limitednumberof trails, it is possiblethat somefeaturesdisclosedbytrail measurementsarenot universalto the movementpattern.Therefore,we alwaysusegrid measurementsto verify resultsobtainedfrom trail measurements.Becausegrid measurementscover grid areas with limited precision, we can generatenumerous‘quantized’ trails for testing.

C. Impact of Mobility on Link Signatures

In this subsection,we investigatehow various mobilitymodels affect correlation among measuredCIRs. For thispurpose,we use the correlationcoefficient betweenpairs ofCIRs, ��� and ��ª , definedas

« �y�F¬ ��­;k® �*�� � L°¯M�C�=�� ª L°¯M�±�*�² ��

However, insteadof using just a single value given by theabove equation,we plot the histogramof all the values �� � L¯ � �*���ª³Lj¯ � ��´ ² �� to study their distribution.

Fig. 6 and Fig. 7 show that the more diffusive a mobilitymodel is the lesscorrelatedits measurementsbecome.In Fig.6(a), the correlationamong the CIRs of the RandomWalkmodel lie in [0.6, 1], while that of the Levy Walk modeland the Brownian Motion model lie in [0.7, 1] and [0.9,1],respectively. Surprisingly, Fig. 6(b) doesnot show the similartrend in correlation. In comparisonto the two subfigures

of Fig. 6, we can notice the striking difference in theircorrelation distributions. The correlation valuesof the FineGrid measurementspredominantlyconcentrateto the right of0.6, whereasthe correlationvaluesof the Grid measurementsaremostly centeredat 0.4. This disparitysuggestsmostFineGrid measurementsarecorrelatedbut mostGrid measurementsare not. The lack of a trend in Fig. 6(b) can be explainedby measurementsoccurringat coarsely-quantizedmobile trailpoints,ratherthan the actualtrail points.

Thedistancebetweenmeasurementpointsin theGrid setis1 foot. We suspectthat this coarsegrid quantizationhas“ho-mogenized”thethreemobility models,andthusthecorrelationdistributionsin Fig. 6(b) doesnot show any differencesin thethree mobility models.On the other hand, becausethe linedistancein the Fine Grid is only 2 inch, the approximationleadsto smaller errors,and thus the different impact of thethreemodelsis preserved and reflectedon Fig. 6(a). Further,closeobservationof correlationdistributionsin Fig. 6(b)showssomemodeldifferences.Thecorrelationvaluesof theRandomWalk modelspreadwider thanvaluesof theothertwo models.TheLevy Walk modelalsohasa somewhatwider distributionthan the Brownian Motion model. The Brownian Motionmodel also shows more spikes with value close to one thanthe other two models.

When we turn our attention to Fig. 7 we see clearerindicationsof modelimpact.In IndoorTrail andOutdoorTrailsetsall measurementsare taken at the exact locationsof themodel trails, so thereis no lossof precision.Becauseindoorenvironmentsprovide rich multipath environmentscomparedto outdoorenvironments,at a given spatialseparation,indoormeasurementswill be lesscorrelated.The higher correlationin outdoorenvironmentmeasurementsobscuresthe effectsofmovement.

D. Impact of Mobility on Key Generation

In this subsection,we evaluatehow mobility modelsimpactthe generationof uniquequantizedCIRs (that we call binarysignatures).Fig. 8 comparesthe uniquebinary signatureratesin two data sets: the Stationary set where all signaturesare collected at the samelocation, and the Grid set wheresignaturesaretakenwhile devicecanbemovedto any locationof a grid. Our first discovery is that signaturesmeasuredwithout moving indeed have a large number of duplicates.When quantizedwith one bit the unique signaturerate is

7

0 0.2 0.4 0.6 0.8 10

100

200

Random Walk CorrelationP

air

Num

ber

0 0.2 0.4 0.6 0.8 10

100

200

Levy Walk Correlation

Pai

r N

umbe

r

0 0.2 0.4 0.6 0.8 10

100

200

Brownian Motion Correlation

Pai

r N

umbe

r

(a) Fine Grid measurements

0 0.2 0.4 0.6 0.8 10

100

200

Random Walk Correlation

Pai

r N

umbe

r

0 0.2 0.4 0.6 0.8 10

100

200

Levy Walk Correlation

Pai

r N

umbe

r

0 0.2 0.4 0.6 0.8 10

100

200

Brownian Motion Correlation

Pai

r N

umbe

r

(b) Grid measurements

Fig. 6. Impactof mobility on signaturecorrelationsin the two grid measurementsets.

0 0.2 0.4 0.6 0.8 10

20

40

60

Random Walk Correlation

Pai

r N

umbe

r

0 0.2 0.4 0.6 0.8 10

20

40

60

Levy Walk Correlation

Pai

r N

umbe

r

0 0.2 0.4 0.6 0.8 10

20

40

60

Brownian Motion Correlation

Pai

r N

umbe

r

(a) Indoor Trail measurements

0 0.2 0.4 0.6 0.8 10

1000

2000

Random Walk Correlation

Pai

r N

umbe

r0 0.2 0.4 0.6 0.8 1

0

1000

2000

Levy Walk CorrelationP

air

Num

ber

0 0.2 0.4 0.6 0.8 10

1000

2000

Brownian Motion Correlation

Pai

r N

umbe

r

(b) OutdoorTrail measurements

Fig. 7. Impactof mobility on signaturecorrelationsin the two trail measurementsets.

1 2 3 4 5 6 7 80

0.2

0.4

0.6

0.8

1

Quantification Bit Number

Uni

que

Link

Sig

natu

re P

erce

ntag

e

StationaryGrid

Fig. 8. Impactof mobility adoptionon uniquebinary signatures.

as low as 0.44%.Even when quantizedwith five bits, thereare 5% of duplicate signaturesin the Stationary data set.Theseresultscertainlyshow theneedfor removing duplicates.Accordingto Eq. 5 the computationfor an attacker to acquirea legitimate link signatureusingbrute force andpublic paritysymbolsdropsvery fastwith larger quantizationbit numbers.Thus, the duplicateratesat small quantizationnumbersplayan importantrole. We alsoobserve that theadoptionof device

mobility greatlyimprove theuniquesignaturepercentagewiththe averageimprovementof 31% asillustratedby the ratesofthe Grid measurementsat differentquantizationbit values.

1 2 3 4 5 6 7 80

0.2

0.4

0.6

0.8

1

Quantification Bit Number

Uni

que

Link

Sig

natu

re P

erce

ntag

e

BrownianLevy WalkRand Walk

Fig. 9. Impactof mobility modelson uniquebinary signatures.

Fig. 9 shows the impact of different mobility modelsonthe unique signaturerate. When comparingthis figure withFig. 8, it is clearthatany movementpatternwould help lowerthe duplicaterate and improve signaturerandomness.Whenquantizedwith one or two bits the three mobility modelsdemonstratesimilar trend in affecting the unique signature

8

rate as the trend shown in affecting the continuous-valuedsignature correlation. The Brownian Motion has the leastimpact in avoiding duplicatesignatures,the Levy Walk hasthe medium impact, and the RandomWalk has the largestimpact. However, when quantizedwith more than two bits,the Brownian Motion model suddenlyexhibits a little moreimpact than the Levy Walk model. This changemay reflectthat the Levy Walk model results in signatureswith biggerdifferencesthanthoseof the Brownian Motion but it doesnotnecessarilycreatemore changesthan the Brownian Motion.This situation is quite interestingsince it doesnot show upor is not clear in the continuous-valuedmeasurements.TheRandomWalk model,on theotherhand,consistentlyyieldsthehighestuniquesignatureratewith all quantizationbit numbers.

E. Quality of Key Generation

We evaluatetwo aspectsof the quality of key generation- the quality of keys, and the efficiency of key extraction.We assessthe quality of keys using two methods.First, werun 8 testsfrom the NIST test suite [11] on the secretbitsgeneratedusing the indoor Levy walk data.Table III showsthe resultsthat we obtain from the NIST tests.BecausetheP-valuesin all testsare larger than the threshold,+B� +.N , oursecretkey bits show goodrandomnessaccordingto the tests.Next, we compute the entropy values of the secret keys.Fig. 10 shows the entropy for differentdatasets.All entropyvalues of our keys are very close to N�� + indicating a highdegreeof uncertainty. For comparison,we also calculatetheentropy valuesof keys generatedusinganexisting method[5]proposedby Mathur et al. All entropy valuesfrom Mathur’smethodare in the rangeof K +B� YB *+B� R�P . Therefore,our methodgenerateskeys with higherentropy in comparisonto Mathur’smethod.

RW LV BM ORW OLV OBM0

0.1

0.2

0.3

0.8

0.5

0.6

0.7

0.8

0.9

1

Measurement Sets

Ent

ropy

Jigsaw RSMathur

Fig. 10. Entropy comparisonbetweenMathur’s methodandours.RW, LV,andBM representthe indoor randomwalk, levy walk, andBrownian motionmeasurementsets.ORW, OLV, andOBM areoutdoormeasurementsetsfromthe respective models

To assessthe the efficiency of key extraction, we use ametric called SecretBit Rate that defined as the averagenumberof secretbits extractedfrom eachchannelresponse.Our protocol compressesreconciledsignatureraw bits to akey size determinedby the user. The userneedsto estimate

this size accordingto the information entropy of the signa-ture spacein the measuredenvironment. Becausethere isno well recognizedway to estimatethis size yet, for ourevaluationpurposewetakeasimpleandconservativeapproachto estimatea lower bound of this size. In Fig. 11, we plotthe entropy valuesof the bit streamgeneratedwith differentquantizationbit numbers(per channelresponse).We find inall six measurementsets, the entropy values monotonouslyincreasewith growing quantizationbit numbersuntil theyreacha saturationpoint, after which they fluctuatemildly. Itseemsbeforethe saturationpoint, increasein the size of thekey would increaseentropy while after the saturationpointadding more bits will not necessarilyresults in increasedentropy. Basedon this observation, we considerthe key sizegeneratedwith quantizationbit number immediately beforethe saturationpoint as a lower bound of the real key size.Using the lower bound key size we computethe secretbitratesin differentmeasurementsetsandplot them in Fig. 12.We also plot the secretbit ratesfrom the existing Mathur’smethodusing the samemeasurementsets.As illustrated inthe figure, while the existing methodgenerates+B�cN�+�Lm+B�cN�\bits per link signature,our methodgenerates'B� ]�\µL�] bits persignature,which is more thanoneorderof significance(notethe logarithmy axis) higher than the existing method.

1 2 3 4 5 6 7 80.8

0.82

0.84

0.95

0.88

0.9

0.92

0.94

0.96

0.98

1

Quantization Bit Number

Ent

ropy

RWLVBMORWOLVOBM

Fig. 11. Entropy comparisonbetweenbits generatedwith different quanti-zationbit numbers.

RW LV BM ORW OLV OBM10

−2

10−1

100

101

102

Measurement Sets

Sec

ret B

it R

ate

MathurJigsaw RS

Fig. 12. Secretbit ratecomparisonbetweenMathur’s methodandours.

9

QuanBits S $ " # T U & VFrequency W�< V�S W�< T�S W�< #�% W�< #�V W�< $�" W�< $�% W�< SXV W�< T�"Block Frequency W�< &XV W�< %�$ W�< #�U W�< U�# W�< "�W W�< T�V W�< U�S W�< V�UCumulative sums(Fwd) W�< V�T W�< V�W W�< &X" W�< "�T W�< $�W W�< "�V W�< $�U W�< #�%Cumulative sums(Rev) W�< %�% W�< T�U W�< "�V W�< V�$ W�< #�$ W�< $�V W�< "�S W�< &XWRuns W�< W�" W�< #�$ W�< %�% W�< $�% W�< U�" W�< &XU W�< T�$ W�< SX#Longestrun of ones W�< T�T W�< %�& W�< SX% W�< T�S W�< T�" W�< $�W W�< W�# W�< U�SFFT W�< V�% W�< V�% W�< %�$ W�< &�& W�< %�V W�< V�% W�< S�& W�< W�&Approx. Entropy W�< #�S W�< W�" W�< S�& W�< &�& W�< %�S W�< %�W W�< W�U W�< SXWSerial W�< T�%�5cW�< &X$ W�< T�W�5W�< &XT W�< U�#�56W�< "�& W�< "�#�5cW�< "�& W�< %�U�56W�< V�V W�< %�W�5cW�< %�V W�< $�$�56W�< "�% W�< SXU�56W�< SXW

TABLE IIINIST STATISTICAL TEST P-VALUES OF THE GENERATED KEYS.

VI. RELATED WORK

There is a large amountof literature on extracting secretkey bits from variations in received signal strength (RSS)measurements(e.g., [9], [5], [22], [23]). Theseexisting worksdependuponmovementof the devicesor in the surroundingsto causethe variations.They do not considerthe variationsofRSSin space.Similarly, a few of otherexistingapproaches[5],[10], [24], although use the CIR, extract keys from shortterm temporal variations of the CIR. We use CIR in ourresearchas well. As in [10], we also use forward errorcorrectionfor reconcilingany mismatchin bits at Alice andBob. However, our work differs from theseexisting worksin the following significant ways. First, we use movementonly to samplethechannelimpulseresponsespaceat differentlocationsand thencombinetheseto generatestrongkeys. Aslong as this movementis not fully retraceable,the changeoflocationdoesnot needto happenat shortintervals.Second,weexaminedifferentmobility modelsto seewhich onesaremoreeffective in giving usuncorrelatedsamples.Third, we proposea new Jigsaw encodingschemethat keepsthe mismatchratein reciprocalmeasurements,at the two parties interestedinestablishinga secret,low even when channelresponsesarequantizedwith increasingbit numbers.Last, we evaluateourapproachusingextensive measurementsin real environments.

VI I . CONCLUSIONS

We proposeda new approachfor secretkey establishmentbetweentwo wirelessdeviceswherethe two devicesmeasurethe CIRs at different locationsand combinethesemeasure-mentsto producea strongsecretkey. We studiedtheimpactofthreemobility modelsin obtaininguncorrelatedCIRs.We alsodevelopedefficient mechanismsto encodeCIRsandreconcilethe differencesin the bits extractedbetweenthe two devices.Our evaluationsshowed that our schemegeneratedvery highentropy secretbits at a high bit rate. In the future, we planto implementour schemeon the Universal Software RadioPeripherals(USRPs) for real time experimentation,and tobuild a thoroughunderstandingof thestrengthsandlimitationsof our methods.

REFERENCES

[1] T. S. Rappaport,Wireless Communications: Principles and Practice.New Jersey: Prentice-HallInc., 1996.

[2] H. Hashemi,“The indoor radio propagationchannel,” Proceedings ofthe IEEE, vol. 81, no. 7, pp. 943–968,July 1993.

[3] A. Goldsmith,Wireless communications. CambridgeUniv Pr, 2005.[4] A. SayeedandA. Perrig,“Securewirelesscommunications:Secretkeys

throughmultipath,” Acoustics, Speech and Signal Processing, pp. 3013–3016,31 2008-April 4 2008.

[5] S. Mathur, W. Trappe,N. B. Mandayam,C. Ye, andA. Reznik,“Radio-telepathy: extracting a secret key from an unauthenticatedwirelesschannel.” in MOBICOM. ACM, 2008,pp. 128–139.

[6] Z. Li, W. Xu, R. Miller, and W. Trappe,“Securing wirelesssystemsvia lower layer enforcements,” in Proc. 5th ACM Workshop on WirelessSecurity (WiSe’06), Sept.2006,pp. 33–42.

[7] C. Bennett,F. Bessette,G. Brassard,L. Salvail, andJ. Smolin, “Experi-mentalquantumcryptography,” Journal of cryptology, vol. 5, no. 1, pp.3–28,1992.

[8] S. Wiesner, “Conjugatecoding,” ACM Sigact News, vol. 15, no. 1, pp.78–88,1983.

[9] S. Jana, S. P. Nandha, M. Clark, S. K. Kasera, N. Patwari, andS. Krishnamurty, “On the effectivenessof secretkey extraction usingwirelesssignalstrengthin real environments,” in Mobicom, 2009.

[10] C. Ye,A. Reznik,andY. Shah,“Extractingsecrecy from jointly gaussianrandom variables,” in Information Theory, 2006 IEEE InternationalSymposium on, July 2006,pp. 2593–2597.

[11] NIST, “A statistical test suite for the validation of random numbergeneratorsand pseudorandom number generatorsfor cryptographicapplications,” December2008.

[12] N. Patwari and S. K. Kasera,“Temporal link signaturemeasurementsandmodelsfor locationdistinction,” submittedto IEEE TransactionsonMobile Computing.

[13] R. B. Paris and D. Kaminsky, Asymptotics and the Mellin-BarnesIntegrals. CambridgeUniversity Press,2001.

[14] B. Danev, T. S. Heydt-Benjamin,andS. Capkun,“Physical-layeriden-tification of rfid devices,” in Usenix Security Symposium, 2009.

[15] V. Brik, S. Banerjee,M. Gruteser, and S. Oh, “Wirelessdevice identi-fication with radiometricsignatures,” in Proceedings of the 14th ACMinternational conference on Mobile computing and networking, 2008.

[16] R. Impagliazzo,L. A. Levin, andM. Luby, “Pseudo-randomgenerationfrom one-way functions,” in STOC’89, 1989.

[17] B. H. Bloom, “Space/timetrade-offs in hash coding with allowableerrors,” Commun. ACM, vol. 13, no. 7, pp. 422–426,1970.

[18] J. ProakisandM. Salehi,Digital communications. McGraw-Hill NewYork, 1995.

[19] S. Wicker andV. Bhargava, Reed-Solomon codes and their applications.Wiley-IEEE Press,1999.

[20] L. Breslau, D. Estrin, K. Fall, S. Floyd, J. Heidemann,A. Helmy,P. Huang, S. McCanne,K. Varadhan,Y. Xu, and H. Yu., “Advancesin network simulation(ns),” IEEE Computer, 2000.

[21] I. Rhee,M. Shin, S. Hong, K. Lee, and S. Chong,“On the levy-walknatureof humanmobility,” INFOCOM 2008. The 27th Conference onComputer Communications. IEEE, pp. 924–932,April 2008.

[22] B. Azimi-Sadjadi,A. Kiayias, A. Mercado,andB. Yener, “Robust keygenerationfrom signalenvelopesin wirelessnetworks,” in CCS, 2007.

[23] M. A. Tope and J. C. McEachen,“Unconditionally securecommuni-cationsover fading channels,” in Military Communications Conference(MILCOM 2001), vol. 1, Oct. 2001,pp. 54–58.

[24] R. Wilson, D. Tse, and R. Scholtz, “Channel identification: Secretsharing using reciprocity in UWB channels,” IEEE Transactions onInformation Forensics and Security, 2007.