Puzzle: A Shape-based Secret Sharing Approach By Exploiting ChannelReciprocity in Frequency Domain

Yue Qiao, Kannan Srinivasan and Anish AroraDepartment of Computer Science and EngineeringThe Ohio State University, Columbus, OH 43210{qiaoyu, kannan, Anish}@cse.ohio-state.edu

abstract

In this paper we propose a shape-based approach in fre-quency domain to extract a shared key by exploitingthe observation that wireless channel is reciprocal dueto multi-path fading. Unlike the traditional quantiza-tion approach in time domain, no training sequences orpredetermined pulses are needed to be transmitted inour approach. The correlated power spectral density ofthe transmitted packets served as the common randomsource between Alice and Bob. We use Lowess smooth-ing to mitigate measurement errors and interference andthen use pattern matching to encode the shape of thespectrum. We name the technique as Puzzle for secretsare generated by finding right pieces(shape patterns) andthen putting them together. Implementation in software-defined radios (SDR) demonstrates the feasibility of ex-tracting a 6-bit secret per measurement with an averagebit mismatching rate 5% in a 20 MHz band. Experimentsshow that with eavesdropper near by, the leaked infor-mation of each secret bit generated by Puzzle is about0.05 bit, which is low in comparison with a RSSI-basedmethod ASBG.

1 Introduction

Secret communication is attractive and necessary formany applications. Public-private cryptography is themost widely used way to provide secret communication.However, due to the key distribution and maintenancecomplexities, such cryptographic techniques may not besuitable for many applications. Some applications in-clude wireless sensor networks, military ad hoc deploy-ments, smart dust, etc,. Therefore, symmetric key tech-nique is used as the alternative. In such a technique, ev-ery pair of nodes in the network would generate a keyand use it for communication between that pair of nodes.This paper, looks at such a symmetric pair-wise secretkey generation mechanism for wireless nodes.

There is an increasing interest in extracting shared se-crets from the wireless channel as the wireless channelitself can play as a shared random source. In wirelesscommunication , multi-path fading leads to the fact thatthe signal observed by a wireless receiver is the super-position of multiple copies of the transmitted signal thathas propagated over different paths and has encounteredobstacles and reflectors in the propagation wireless chan-nel. In other words, the output signal carries the informa-tion of the channel or propagation paths. As we can seein Figure 1, the paths of electromagnetic wave propaga-tion are identical in both directions between two com-municating ends (Alice and Bob). This phenomenon iscommonly known as channel reciprocity. For Alice andBob to exploit channel reciprocity, they need to trans-mit to each other relatively quickly so that the channeldoesn’t change over time. The time for which the wire-less channel remains almost the same is called coherencetime. Therefore, Alice and Bob need to observe the chan-nel between them within coherence time. Channel reci-procity, however, only guarantees that Alice and Bob willobserve the same channel. It doesn’t guarantee that aneavesdropper, Eve does not observe a similar channel asAlice and Bob.

Extensive theory and experiments have shown that theobserved wireless channel over space larger than half thewavelength of the transmitted signal frequency is uncor-related [12]. For a 2.4 GHz ISM band, half a wave-length is 6 cm. Said another way, at any location far-ther than 6 cm away from Bob, Eve will observe Al-ice’s signal through an uncorrelated channel at 2.4 GHz.Channel reciprocity and spatial uncorrelation, together,make wireless channel an excellent source for generatingshared secret keys. Note also that the observed wirelesschannel at the same location changes and has been shownto be uncorrelated beyond the coherence time. There-fore, the same pair of nodes (Alice and Bob), can extractpossibly very different keys over time. Thus, key man-agement is also possible.

1

Many techniques have been developed to implementthis secret sharing idea. Figure 1 shows that the directsignal (or the line-of-sight) component and the reflected(multipath) component arrive at different times as theytravel different distances. Multiple reflectors at differentdistances also arrive at different times. This makes up areceived signal that has very rich temporal components.There is extensive work in the literature that use this richtemporal information to extract secret keys [15, 9, 8, 17].The disadvantage of this technique is that the receiverbandwidth needed to parse out temporal multi-path com-ponents is quite large. Note that the signals reflectedby objects separated by half-a-wavelength will yield in-dependent temporal components. At 2.4 GHz, half-a-wavelength is 6 cm and maps to a separation in timeof 100 µs. Thus, these techniques are often used forultra-wideband communication over 500 MHz and arenot suitable for regular band transmissions as is the com-municating ends needs to sample at almost the same po-sitions of two similar signals. This synchronization prob-lem implies that the sampling rate should be very high.

Another set of techniques use the received signalstrength as the secret source [1, 7, 10, 11, 18]. Thesetechniques measure the received signal strength over dif-ferent coherent times to generate a sequence of receivedsignal strength. Here, within a coherence time, only onesignal strength measurement is possible as more mea-surements within that time will likely be similar. Next,they use various thresholding and quantizing techniquesto convert the signal strengths to a sequence of bits: sam-ples with RSSI values beyond the thresholds implies bit 1or bit 0, or multilevel quantizers based on different quan-tizers. Such techniques need training to choose a properthreshold between a pair so that reasonable number ofbits can be extracted from the channel. When the channelis not changing significantly, the threshold needs to besmall enough to detect small variations. However, choos-ing a very sensitive threshold can also result in large mis-matches between the bits extracted by Alice and Bob assmall variations in the channel symmetry can affect thebits generated. Thus, a small threshold can yield a lowmatching rate. However, if the threshold is too large thenthe variations observed between Bob and the eavesdrop-per (Eve) might not result in big changes in the bits Eveextracts. This rate is called leakage rate. Thus, for a largethreshold, the matching rate (between Alice and Bob)would increase, so will the leakage rate (between Boband Eve). Thus, there are the following shortcoming ofsignal strength based techniques. First, only one samplewithin a coherence time implies that bit extraction rate islow. Second, the choice of threshold and quantization ishighly sensitive needing training. These two issues alsomake this technique vulnerable to new Eavesdropper at-tacks [7]. An eavesdropper can introduce obstacles and

reflectors in the environment and cause a predictable bitsequence to be extracted by Alice and Bob. We observethis vulnerability in our experiments and present resultsin Section 5. In this paper, we use the signal strengthbased technique as the benchmark to compare our pro-posed technique.

Figure 1: Direct and reflective transmission paths in bothdirections are identical.

In this paper,we develop a novel technique which isfree of those concerns. Instead of quantizing the channelinformation in time domain, we extract information fromthe channel frequency response by encoding its shape.With the assumption that transmitted signals are randomand have a flat power spectrum in which the power ateach frequency is almost identical, the communicatingparties will know the effect of channel directly from thespectrum. To encode the channel frequency response,we propose a pattern matching technique to describethe shape of the response, rather than quantizing it di-rectly. Intuitively, one might suspect that quantizationextracts more mutual information from the shared ran-dom source than our proposed method. In practice, how-ever, quantization-based techniques require additionalfeedback bits to correct quantizing errors. Therefore,our shape-based technique does not produce fewer secretbits. Actually, according to our experiment, about 2.8-bit mutual information is preserved in a 20 MHz bandafter encoding the observations of two radios using ourmethord, which is of the same order as the theoreticalupper bound [15]. Another advantage of our techniqueis that the shape of channel frequency response is insen-sitive to noise and measurement errors. Therefore, nohardware calibration is necessary before setting up thesystem.

It is worthwhile noting that a complete secret sharingprotocol, based on channel reciprocity, typically involves

2

three phases: advantage distillation, information recon-ciliation and privacy amplification [2], while our paperonly focuses on the first phase. We generate a 6-bit codeper transmission in a 20MHz band with bit error ratesfrom 0.7% to 10% between two ends. The 6-bit code canbe used directly as a shared key or as a base for informa-tion reconciliation to extract more reliable secrets.

Recent work in extracting shared secrets from channelreciprocity is discussed and compared in Section 2. InSection 3 we discuss the system model. In Section 4 and5 we propose the details of our shaped-based techniqueand provide experimental validation. We make conclud-ing remarks and discuss further works in Section 7.

2 Related Work

Physical layer provides a good opportunity to enhancetraditional security mechanisms. A lot of security workhave been done by exploiting wireless channel proper-ties other than channel reciprocity. For example, the dis-tortion of the signals caused by wireless medium can beused to generate a fingerprint in authentication[16]. Vari-ability of wireless channel can also be used in generatingsecretes by creating erasure channels[6].

As noted in the previous section, key distributionagreement consists of three stages: advantage distilla-tion, information reconciliation and privacy amplifica-tion. A number of efforts have focused on the last twostages by transmitting eigenvector matrix, using LDPCcoding and so on [3]. Those technologies have beenwidely used in the recent papers of generating secret keysfrom channel reciprocity in order to achieve high uncor-relation and high bit matching rate. Since our algorithmis mainly about the first stage of secret key agreement, inthis section we focus only on the recent works done inthat phase.

Several metrics of channel measurement can be ex-ploited in encoding the channel, which plays the roleof a shared random source. They are mainly dividedinto two categories: RSSI-based [1, 7, 10, 11, 18] andCIR-based [15, 9, 5, 8, 17]. RSS-based approaches re-quire the two communicating nodes, Alice and Bob, totransmit probe signals alternately for a while so as togenerate enough mutual information. This requirementmakes the approach impractical in mobile environmentwhere connection is intermittent. Furthermore, probingincreases the communication overhead. Therefore theprobing rate has to be decided carefully in order to max-imize the key generation rate and to minimize the com-munication overhead in the mean time. One approach[13] tries to solve the problem by adopting a PID con-troller. Efforts are also made to improve the perfor-mance the quantization, as it has effect on both secretgenerating rate and bit mismatching rate. [1] proposes a

scheme of coding by locating the deep fades. [10] definestwo thresholds q+ and q− ,and encode the samples withRSSI values higher than q+ as 1, and lower than q− as0, whereq+ = mean+α ∗ std deviation, q+ = mean−α ∗ std deviation and 0 < α < 1. [7] develops thisidea to a technology called Adaptive Secret Bit Gener-ation(ASBG) by dividing samples into small blocks andthen calculate thresholds for each block. ASBG com-pares their performance with other RSSI-based methodsand shows that it is state of the art, therefore we chooseASBG as a benchmark in Section5 to compare with.CIR-based approaches also suffer from communicationoverhead but are more efficient than RSSI-based ones.CIR-based approaches require Alice and Bob to trans-mit predetermined pulses or training sequences so thatthey can derive the CIRs. The problem is to get match-ing CIRs, however, ultra-wideband is necessary as timedomain analysis asks for accurate synchronization. Forexample, one paper [9] uses bandwidth from 3.1 to 10.6GHz, and another one [15] generates a Gaussian mono-cycle with 10 dB bandwidth of about 2 GHz. All theRSSI-based and CIR-based approaches mentioned aboveencode the channel measurements basically by quantiza-tion in time domain. Quantization makes the protocolsvulnerable to interference and measurement errors. Evena small fluctuation of environment noise would make thequantization result quite different especially when SNRis low. More than that, empirical design of the quantizersis needed to achieve optimal key rate. Coarse quantiza-tion loses information of the CIR while fine quantizationwould ask for high rate of public feedback which yieldhigh communication overhead. The requirement of max-imizing the information preserved after quantization sub-ject to the constraint of the public communication rateadds extra complexity to the quantization-based secretsharing techniques.

3 System Model

Consider two wireless nodes, Alice and Bob, which wishto create a shared secret S within a coherence time dur-ing which the channel is stable. No pre-distributed se-crets are available for them. In other words, the wirelesschannel is the only random source they share. An adver-sary, Eve keeps eavesdropping the communication be-tween Alice and Bob. Our goal is to develop a secret bitsextraction algorithm that would introduce as less com-munication and computation overhead as possible andmake sure Eve obtain little information on S. Obviously,a measure of interest is the correlation of Eve’s observa-tion and the shared secret S of Alice and Bob, which willindicate Eve’s capability of breaking the security system.

In this section, the physical layer model is given first.Based on the model, we prove that the power spectral

3

density of random sequences are flat. This propertymeans that the observed spectrum does not depend onwhat is exactly transmitted. Then, we have a discussionabout the threat model so as to investigate the leakagebetween Eve’s observation and Alice and Bob’s sharedsecret in Section 5: The higher the leakage higher thenumber of common bits between Eve and Bob.

3.1 Physical Layer Model3.1.1 Channel model

Assume Alice and Bob operate in a Time-division du-plexing (TDD) system. If they talk to each other in co-herence time, the observed signals of Alice and Bob arerepresented by

yA(t) = (h∗ xA)(t)+nA(t) (1)

yB(t) = (h∗ xB)(t)+nB(t) (2)

where h(t) is the channel impulse response which is iden-tical in both directions, xA and xB are the signals trans-mitted by Alice and Bob respectively, nA(t) and nB areadditive white Gaussian noise with the same power spec-tral density N, and “∗” indicates convulution.

3.1.2 Channel reciprocity

Let { x0,x1, ...,xN−1 } be a complex sample sequence.Since the sequence is stationary and random, the auto-correlation of the sequence is

R(t1, t2) =PN×δ (t2− t1) (3)

where P is the power contained by the signal sequnce.Then the power spectral density the sequence is

F [R(τ)] =∫ +∞

−∞

PN×δ (τ)e− jωτ dτ =

PN

(4)

Equation 4 indicates that the power spectral density ofa random sequence of samples is identical over differ-ent frequencies. Now, let us take the effect of channelinto consideration and have a look at how channel reci-procity would alter the power spectral density of the re-ceived samples.

Assume the power spectral density of received signalsyA(t) and yB(t) are non-zero only over a bandwidth ofW centered at frequency fc. Then, we can write the fre-quency components of the received signals as

YA( f ) = H( f ) ·XA( f )+NA( f ),−W

2+ fc < f <

W2+ fc

(5)

YB( f ) = H( f ) ·XB( f )+NB( f ),−W

2+ fc < f <

W2+ fc

(6)

From 4 we know that

XA( f ) =PA

W(7)

XB( f ) =PB

W(8)

Combining equations 5 through 8 we get

YA( f ) ≈ H( f ) ·PA

W+N (9)

YB( f ) ≈ H( f ) ·PB

W+N (10)

According to the above equations, we conclude thatthe power spectral density of yA(t) is the same as that ofyB(t) as long as PA = PB. Figure 3 gives an illustra-tion of the similarity of the power spectral density sharedby Alice’s and Bob’s received signals. We placed Al-ice and Bob in different locations to create two differentchannels. The left two sub-figures show the power spec-tral density of the signals received by Alice and Bob incoherence time in one channel, while the right two sub-figures show the power spectral density in the other.

It is worth noting that even if PA = PB, the shapes ofAlice’s and Bob’s power spectral density are still similar.This property is remarkable because it can be extendedto the case in which Alice and Bob experience differ-ent levels of transmission power, noise or cross-band in-terference. In that case, the shapes still won’t changesignificantly. Since our secret-extracting algorithm isbased only on the shapes of the power spectral density,the property implies that our approach is robust againstdifferent levels of transmission powers, noise, and cross-band interference.

3.2 Threat ModelThis subsection presents the various threat models thatwe consider in our design.

3.2.1 Attacker’s capability

As our approach does not rely on any computationalhardness assumptions, there is no restriction on adver-sary’s computational ability in our security system. Fur-thermore, no channel assumption is needed since it doesnot matter whether Eve has a better wire-tapping chan-nel or not. To be conservative, let us assume that ad-versaries are able to successfully capture and decode allthe packets transmitted and received by Alice and Bob.Furthermore, collusion is allowed because we believethat shared observations make little contribution to ad-versaries’ knowledge of the channel between Alice andBob.

4

−10M −5M 0 5M 10M−140

−120

−100

−80

−60

−40

−20

Frequency (Hz)

Am

plitu

de (

dBm

)

location A

(a) Location A

−10M −5M 0 5M 10M−140

−120

−100

−80

−60

−40

−20

Frequency (Hz)

Am

plitu

de (

dBm

)

location B

(b) Location B

−10M −5M 0 5M 10M−140

−120

−100

−80

−60

−40

−20

Frequency (Hz)

Am

plitu

de (

dBm

)

location C

(c) Location C

−10M −5M 0 5M 10M−140

−120

−100

−80

−60

−40

−20

Frequency (Hz)

Am

plitu

de (

dBm

)

location D

(d) Location D

Figure 2: Frequency spectrum of received signals at different locations. The spectrum looks quite different at differentlocations.

−10M −5M 0 5M 10M−140

−120

−100

−80

−60

−40

−20

Frequency (Hz)

Am

plitu

de (

dBm

)

channel 1: Alice

(a) Alice on channel 1

−10M −5M 0 5M 10M−140

−120

−100

−80

−60

−40

−20

Frequency (Hz)

Am

plitu

de (

dB m

)

channel 1: Bob

(b) Bob on channel 1

−10M −5M 0 5M 10M−140

−120

−100

−80

−60

−40

−20

Frequency (Hz)A

mpl

itude

(dB

m)

channel 2: Alice

(c) Alice on channel 2

−15M −10M −5M−140

−120

−100

−80

−60

−40

−20

Frequency (Hz)

Am

plitu

de (

dBm

)

channel 2: Bob

(d) Bob on channel 2

Figure 3: Frequency spectrum of pair-wise nodes on different channels. The spectrum at Alice and Bob look verysimilar. Channel reciprocity exists.

Eve can be either be a passive or active attacker. By“passive” we mean that the attacker only overhears thecommunication between Alice and Bob, while by “ac-tive” we mean that, besides eavesdropping, she injectsher own traffic to jam the communication between orimpersonate Alice or Bob. To resist both the types ofattackers, the knowledge of Alice’s and Bob’s locationsare protected as secrets and are decided by physical lay-out of the reflectors in the environment. In theory, if Eveknows the location and the physical settings in the en-vironment, she could figure out the channel response forany location. To make it less likely to happen, we assumethe location information is hidden. This assumption isreasonable as, in practice, it’s hard for attackers to tracklegal nodes especially when nodes are mobile. For anactive attacker, additional secrecy mechanisms need tobe introduced. Jamming and impersonation are the twomain motivations driving an active attacker. Jamming isa kind of denial of service (DoS) attack, which remainsan open problem in wireless communication. In our sys-tem, jamming causes agreement abortion. This resultis acceptable to some extent as jamming does not helpeavesdroppers derive any secrets that might affect systemsecrecy. As for impersonation, additional secrecy mech-anisms like authentication need to be introduced. Theimplementation of such mechanisms depends on the ef-ficiency and secrecy requirement of the applications andprotocols which exploit our secret bits generation proto-

col.

3.2.2 Spatial variance

In our approach, to generate shared secrets between Al-ice and Bob, confidentiality is ensured by the fact thatAlice and Bob share a wireless channel that is uncor-related with the channel shared by Alice (or Bob) andEve, as long as Eve is placed at least half-a-wavelengthaway from the legal wireless nodes. For simplicity, letChAB denote the channel from Alice to Bob. Likewise,let ChAE denote the channel from Alice to Eve and so on.It is possible for Eve to derive ChAB from ChAE or ChBE ,but such a possibility is based on full knowledge aboutthe environment. In reality, that is not a very practicalassumption so we don’t view it as a main threat to oursystem. Instead, we focus on the spatial correlation ofthe secrets produced by our algorithm in this section.

Figure 2 shows the power spectral density of the re-ceived signals gotten by fixing the transmitter while plac-ing the receiver in many different locations. The figure isa straightforward example to demonstrate that ChAE andChAB would be quite different.

4 Secret Bits Generation

After getting the frequency response curve of the re-ceived samples by FFT, we smooth the curve and encode

5

the smoothed curve by segmenting it into several piecesand then mapping each of them to some predeterminedpatterns. In this section we first discuss the discrepanciesof the correlated curves and underlying reasons, and thenpropose the two main steps in our algorithm.

4.1 Curve DiscrepancyNote that although we can see channel reciprocity clearlywith the naked eyes in Figure 3, the frequency responsesare more or less shifting or zooming versions of theircorresponding partners. More than that, distinct localfluctuations exist. Those discrepancies are unavoidablebecause they are spontaneous consequences of hardwareimperfections and environment interferences. They pre-vent us from encoding the curves directly by their statisti-cal properties. Thus we develop a shape-based approachto solve the encoding problem.

Before we propose the whole procedure of algorithm,detailed discussion about the effect of environment inter-ferences and hardware imperfection is necessary for usto get a full understanding about the underlying reason-ing behind the steps in our algorithm. First let us havea look at the effects of environment interferences. Aswe know environment interferences mainly contributeto local fluctuations in the curves. Our approach over-comes the problem by smoothing the original obtainedfrequency response curves. Overall shapes of the spec-trum would be preserved while local variations are re-moved. As for hardware imperfections, the negative ef-fects of them can be alleviated by calibration, but suchkind of a solution imposes restrictions on the usabil-ity, portability and especially scalability of the system.Let us consider the situation where we want to createpair-wise keys among all nodes in a network, the over-head of hardware calibration can be very large. Fortu-nately, however, our shape-based solution is more ro-bust against hardware imperfections than quantizationbased ones because hardware imperfections mainly con-tribute to shifting, enlarging or shrinking the frequencyresponses curves while none of the effects would alterthe shapes of the curves significantly.

4.2 Curve SmoothingAs mentioned above, even though local details of apower spectral density pair are significantly different,channel reciprocity manifests itself by the similarityof the overall shapes between the pair. By plottingsmoothed points, much more information about the over-all shape can be revealed without worrying about lo-cal variations. In our algorithm we adopts Lowess (lo-cally weighted scatter plot smoothing [4]), a curve fit-ting method that calculates smoothed value by applying

Algorithm 1: CurveCodingInput:complex samples a[0, · · · ,n];number of segments mOutput:code [C1,C2, · · · ,Cm]Initializationdivide a[0, · · · ,n] into m segments b1,b2,· · · ,bm ;PatternGeneration(⌊n/m⌋, peak):generate 3 patterns of size ⌊n/m⌋: p1,p2,p3peak = {Max1(a[0, · · · ,n]) - Min1(a[0, · · · ,n])};for i← 1 to m do

temp = ∞;for j = 1→ 3 do

dis = Frechet(bi,p j);if temp > dis then

temp = dis;Ci = j;

endend

end

Algorithm 2: PatternGenerationInput:length k; peakOutput:3 patterns p1[1, · · · ,k], p2[1, · · · ,k], p3[1, · · · ,k]for i← 1 to k do

p1[i] =peak × i

k ;p2[i] = − peak × i

k ;p3[i] =

peak2 ;

end

locally weighted regression over a span. Figure 4 de-picts two power spectral density curves obtained by twocommunicating wireless nodes and their correspondingcurves after applying Lowess smoothing with a span of0.4. The span indicates the proportion of data used ineach fit. There is a tradeoff between the consistency ofthe correlated smoothed curves and the information pre-served in the curves. To be more specific, if the spanis larger, then the consistency is higher while the infor-mation is less. Another thing is that the larger the spanis, the more computation is needed. Empirical evidencegiven in section 5 shows that 0.4 is the optimal valueof the span. From Figure 4 we can see that the Lowesscurves almost coincide with each other although the orig-inal ones differ from each other in most of the locations,and in the mean while the overall shapes are preserved.

6

−10M −5M 0 5M 10M

−120

−100

−80

−60

−40

−20

Frequency (Hz)

Am

plitu

de (

dBm

)

frequency spectrumlowess curve

(a) Lowess curve derived by Alice

−10M 5M 0 5M 10M

−120

−100

−80

−60

−40

−20

Frequency (Hz)

Am

plitu

de (

dBm

)

frequency spectrumlowess curve

(b) Lowess curve derived by Bob

Figure 4: Lowess curves derived by Alice and Bob in coherence time. Lowess curves are much more similar to eachother than the original power spectral density curves as local variations are removed.

4.3 Curve Encoding

By using curve smoothing, we get two highly similarcurves. Remember that our goal is to encode the curvesby the two communicating wireless nodes respectivelyin a way that makes their independently generated codesmatch each other with a rate as high as possible. Feed-back to correct the errors can be introduced in the laterstage of information reconciliation, but is not permittedin this stage of advantage distillation.

To solve the encoding problem, let us first have abrief investigation of several possible methods: 1) en-code in accordance with the approximating function thatdescribes the curve; 2) encode in accordance with thestatistical properties of the curve; 3) encode the curveby describing its shape. We adopts the third one forthe following reason: as mentioned in Section 4.2, chan-nel reciprocity is shown by the similarity of the overallshapes between curves. Hence, encoding by describingthe shape saves most of the information shared by the twoends. As a contrast, extracting secrets from the statisticalproperties will definitely suffer from losing much of themutual information. As for the approximation function,it cannot resist even small deviations while measurementerrors and interferences make such deviations quite com-mon.

Figure 5 gives an example of curve coding. The curvegotten in a certain band is treated as a block, which canbe divided different number of segments of equal length,and then the segments are mapped to one of three curvepatterns which are of the same length, as shown in Fig-ure 5. Section 5 gives the analysis of the relationshipbetween the number of segments and the performanceof Puzzle. The three patterns are indexed as 0, 1, and

2. The three “predetermined” patterns describe the as-cending, descending and steady trend of the curves re-spectively. By “predetermined” we mean that the indicesand the shapes of the patterns are well known to all wire-less nodes. The gradient of the ascending and descendinglines, however, is decided by each node according to themaximum and minimum value of the smoothed curve,and the length of the segment. Such pattern generation isdesigned to resist measurement errors and different de-vice settings. For example, two communicating nodesmay want to use different tx/rx gains that would amplifythe signals differently. Since each pattern is related toits own received signals, it describes the shape correctlywith no need to negotiate with each other for the twonodes. We set the gradient of the ascending pattern as

max−min# of samples in each segment , and likewise for the descendingpattern is − max−min

# of samples in each segment . Then the segment ismapped to the most similar one of the three patterns bymeasuring the discrete Frechet distance [14] δdF betweenthe segment and the patterns, which measures the simi-larity of two polygonal curves while taking the locationand ordering of the points along the curves into consider-ation. The smaller the distance, the more similarity twocurves share. If the smallest δdF is the one of the seg-ment and pattern 1, the segment must be more similar topattern 1 than other two patterns. Thus each segment isencoded as the index of the pattern that has the smallestdistance from it. The complete algorithm is proposed byAlgorithm 1 and Algorithm 2.

7

−10M −5M 0 5M 10M

−140

−120

−100

−80

−60

−40

−20

0

Frequency (Hz)

Am

plitu

de (

dBm

)

frequency spectrumLowess curve

Block

0 0 12

segment

Figure 5: An example of curve encoding. The shape of the power spectral density is encoded as 0021.

5 Experimental Validation

There are three important metrics that are relevant whenmeasuring the performance of a secret key extraction ap-proach: bit mismatching rate, entropy and leakage.

entropy:Entropy measures the unpredictaiblity of a randomvaraible X, which is defined as

H(X) = −n

∑i=1

p(xi) log2 p(xi)

where x1, · · · ,xn are possible values of X .

bit mismatching rate:Bit mismatching rate is defined as the ratio of thenumber of bits between Alice and Bob that do notmatch to the number of bits extracted from the shapeof the spectrum.

leakage:Assume pmis is the mismatching rate between Aliceand Eve, we define the leakage between them as

leakage =

{1− pmis

0.5 if pmis < 0.50 otherwise

This section first introduces the system setup and envi-ronment. Then, it presents the performance of Puzzle byshowing the mismathing rate and the entropy of of eachsegment. Section 5.2.2 compares the leakage betweenPuzzle and an RSSI-bsed method ASBG.

Before showing the results of the experimental valida-tion, we want to make it clear that the performance of ourproposed secret-sharing method is mainly determined bythe variety of the multi-paths in the environment. There-fore, the results presented in the following parts are quiteenvironment-specific.

5.1 Environment and System

The measurement environment is a lab where there are 6cubicles. Data were collected during daytime (from 7:00am to 6:00 pm) when about one to four students wereworking. Human activities introduced some level of in-terference to the channel, but generally speaking, the in-terference level created by human is not very high. Inother words, the environment is quite stable and hencethe coherence time of the channel we used was long.We conducted the experiment in such a stable environ-ment because we wanted to see clearly the performancecomparisons without risking mismatches caused by thechanges of the channel itself. In theory, further imple-mentation in mobile environment would give lower mis-matching rate and higher secret bit extraction rate.

In our experiment, Alice’s and Bob’s antennas wereplaced in different locations to create different chan-nels. Eve’s antenna was kept from 10 cm to 50 cmaway from Bob’s antenna. This distance is larger thanhalf the wavelength of the carrier frequency (2.37 GHz)and yet reasonably close. Since Eve’s antenna is nearBob’s antenna, multi-path fading between Bob and Eveis weak.Therefore, we only care about the similarity ofchannels ChAB and ChAE . In this placement, we can

8

Figure 6: Schematic diagram of Puzzle

see clearly how much similarity that ChAB and ChAE canshare even if the eavesdropper is closely placed beside le-gal wireless nodes. All measurements of the power spec-tral density were done within coherence time.

The communication system consists of three software-defined transceivers. Each of their RF chains containsan XCVR2450 (RF front end), a NI-5781 (data con-verter module) and an NI PXIe-7965R (a Xilinx Virtex-5 FPGA). Two of the three transceivers output QPSKmodulated random data bits with a 20 MHz bit rate andtransmit at 2.37 GHz alternately. We can call the twotransceivers Alice and Bob. The third transceiver, Eve,keeps overhearing the communication. During reception,each transceiver records the I and Q samples at a sam-pling rate of 100 MHz and down converts to baseband.The received samples are then sent to NI PXIe-8133,a RTOS-based controller, through two direct-memory-access (DMA) channels which have data streaming rateas high as 800 MB/s. The power spectral density of10240 samples are calculated by the controller. AfterLowess smoothing, we get a curve consisting of 10240data points. Then we down sample the 10240 data pointsto 640 points, as a subset of the original data pointswould reserve the shape of the Lowess curve, while inthe mean time decrease the computation overhead in thenext step of pattern matching. Figure 6 shows the dia-gram of a secret bits generation subsystem.

5.2 Overall Performance5.2.1 Entropy and mismatching rate

In our algorithm, there are two programmable paramaters: smoothing parameter α and the number of segments ofeach block. Figure 7(a) illustrates the bit mismatchingrate under different α and the number of segments. Wecan see that, in all settings, the mismatching rate doesn’tvary much. On average, our system achieves a mismatch-ing rate 5%. This rate is low if taking the fact into con-sideration that no public communication is introduced tocorrect errors.

Figure 7(b) shows the effects of the number of seg-ments and the choice of α on the entropy per segment. It

is clear that the entropy keeps decreasing as the numberof segments is increasing. It is reasonable since the moresegments a block is divided into, the flatter each seg-ment would be. In other words, more segments would bemapped to the flat pattern. Then, the uncertainty of eachsymbol decreases. Figure 7(b) also points out that for theminimum number of segments, α = 0.4 ∼ 0.7 producesthe largest entropy. Since α decides the computationaloverhead in smoothing, we choose α as 0.4 as the opti-mal one. With 4 segments per block and α = 0.4, thesystem produces 1.4 bits information per segment.

5.2.2 Leakage

RSSI-based methods usually quantize the variation ofSNR over time to generate secrets. Most of them adopta single level quantizer as otherwise mismatching rate ishigh. Even using multilevel quantizer, due to the lim-itation of usual 10-20 dB SNR variation in practice, itis hard for RSSI-based methods to achieve a bit genera-tion rate as high as ours (about 6 bits per probe as eachprobe/block is divided into 4 segments and each segmentis mapped to 3 patterns. Therefore, the total number is4 ∗ log2 3). Another problem of the RSSI-based methodis that large variations can be easily introduced by an at-tacker by blocking the transmission every now and then.Thus, the secrets are predictable since the attacker knowsexactly at what time the SNR will drop and then increase.Even if there are no malicious attackers around, some un-intentional regular activities would also make the varia-tion public. For example, SNR in a corridor of a class-room buildings would be much lower after class than dur-ing class. Such variation will not contribute to a similarmulti-path fading at different locations. Therefore, Puz-zle is robust against the attack.

We designed an experiment to demonstrate that suchleakage of RSSI-based method is high. We comparedthe leakage performance of ABSG and Puzzle by mov-ing an object across the transmission path between Aliceand Bob, while placing an eavesdropper near Bob. Fig-ure 8 depicts part of the locations we placed Alice, Boband Eve in our experiments. Red, blue and black pointsrepresent Alice, Bob and Eve respectively. A gray lineindicates Eve tried to derive the secret bits generated bythe corresponding Bob by applying the same algorithm(Puzzle or ASBG). Since ABSG like many other RSSI-based methods asks the two communicating ends to dropsome RSSI values based on certain thresholds and ex-change the indices of those values, Eve knows exactlywhich RSSI probe is used by Bob but dropped by her-self. In this case, we assume that Eve does a randomguess about the quantization result with a successful rate50%. We calculate the mismatching rate of Eve’s andBob’s bits as the combination of the actual mismatch-

9

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9

bit

mis

ma

tch

ing

ra

te

smoothing parameter a

seg = 4

seg = 5

seg = 6

seg = 7

seg = 8

seg = 9

(a) Bit mismatching rate under different α and number ofsegments. The bit matching rate is about 5% in differentsettings. The two programmable parameter do not affectthe mismatching rate.

0

0.2

0.4

0.6

0.8

1

1.2

1.4

1.6

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9en

tro

py

pe

r se

gm

en

t (b

its)

smoothing parameter a

seg = 4

seg = 5

seg = 6

seg = 7

seg = 8

seg = 9

(b) Entropy per segment contains under different α andnumber of segments. The more segments a block has, theless entropy per segment contains.

Figure 7: Perforemance of efficiency

Figure 8: The deployment of part of the experimentsdone in a testbed. The red, blue and black points rep-resent Alice, Bob and Eve respectively while the graylines indicate that the corresponding Eve was trying toguess Bob’s secret bits by overhearing the transmissionfrom Alice to Bob.

ing rate between them and the failure rate of the randomguess.

Fig 9(a) shows the leakage of our algorithm againstthat of ABSG over a distance from 10 centimetres to 50centimeters. Fig 9(b) shows the corresponding entropyof Bob’s each secret bit ovheard by Eve. It is clear thatPuzzle is much more insensitive to the threat of eaves-drppers near by. It is worth noting that 50 centimetresmight not sound like a large distance in practice, how-ever, our blocking object is not large either. The variationof certain patterns, like a train passing by or the examplementioned above, might impact a much larger distance

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

10cm 20cm 30cm 40cm 50cm

Lea

ka

ge

Distance

ASBG

Puzzle

(a) Leakage over distance between Bob and Eve. Puzzlehas a stable low leakage rate with no concern with thedistance.

0

0.1

0.2

0.3

0.4

0.5

10cm 20cm 30cm 40cm 50cm

lea

ke

d i

nf.

pe

r b

it (

bit

)

Distance

ASBG

Puzzle

(b) Leaked information in each secret bit generated byBob over distance between Bob and Eve. Puzzle leaksabout 0.05 bit at all distances while ASBG is quite vul-nerable to an eavesdropper nearby.

Figure 9: Performance of leakage.

10

in the real world.

6 Discussion

In this section we discuss the factors that might improvethe performance of Puzzle, and the potential integrationof our approach with 802.11.

6.1 Pattern SelectionThe three patterns we use in Puzzle are chosen because ofthe fact that 20 MHz band doesn’t contain much patterns.Therefore we decide to use the most simplest ones. Wedid try other patterns like different parts of sine wave, butexperiments show that the segments are rarely mappedto those more sophisticated patterns. If Puzzle is imple-mented in a larger band without any modification, wecan expect linear improvement in secret producing rateregarding to the growth of band as the number of seg-ments each band (block) can be divided into is linearlygrowing as the band grows. There is a chance, however,that more choices of patterns may push Puzzle beyond itscurrent capabilities. It is clear that the length of each seg-ment would be larger if more patterns could be seen in it.In other words there is a tradeoff between the entropy ofeach segment contains and the number of segments eachblock contains. Theoretical analysis is needed to help usunderstand whether our choice of three patterns is stilloptimal or not in a larger band.

6.2 System Latency and 802.11 IntegrationThe latency of our secret sharing method is composed ofthree parts:

• t1: the time to transfer signals from RF end to FPGA

• t2: the time to process signals in FPGA and transferthem to the controller

• t3: the time to do signal processing.

In our method, 10240 samples are sent to the controllerto calculate the power spectral density through a DMAchannel which has a data rate of 800 MB/s. Since eachsample contains a 16-bit I sample and a 16-bit Q sam-ples, t2 = (10240 samples)∗(2∗16 bit)

800 MB = 50 µs. As for t3,there are three stages in signal processing: calculatingthe power spectral density by doing FFT, smoothing databy Lowess, and pattern matching by measuring the dis-crete Frechet distances between segments and patterns.The last stage is much slower than the first two stages.Note that only a small part of samples is needed in pat-tern matching as down sampling would still preserve thesymmetry of a pair of Lowess curves. In our current C++

implementation of the signal processing, smoothing andpattern matching take about several milliseconds to fin-ish in a server. Generally speaking, so far the code canbe generated upon capturing the transmitted signals in acouple of milliseconds. As we know the ACK time-outin 802.11 is about 100 µs. Therefore if we want to inte-grate our protocol in 802.11 by taking advantage of theexchange of messages and ACKs in two direction, moreefforts are needed to decrease the latency of our system.Since further parallel implementation in FPGA will defi-nitely decrease t3 significantly, it is reasonable to believethat such integration is promising.

7 Conclusion and Future Work

In this paper, Puzzle, a shape-based and calibration-free secret-sharing algorithm in frequency domain hasbeen proposed for sharing secret keys from channel reci-procity. Experimental validation in 20 MHz band showsthat a 6-bit code can be generated in one channel mea-surement with an average bit matching rate as high as95%. It also shows that the entropy each 6-bit code con-tains is about 5.6 bits.

To improve the matching rate of our approach, somebetter smoothing methods and curve comparison metricswould be helpful. By “better” we mean smoothing meth-ods that eliminating local details while preserving overallshape information as much as possible, and curve com-parison metrics that would give more accurate result ofthe similarity between two curves. Careful pattern se-lection is also worth studying if we use Puzzle in largerbands as larger bands provides more choices of patterns.

Further study is also required in investigating the per-formance under different conditions, such as differentdistances between Alice and Bob, different levels ofSNR, different bandwidths and different coherence time.Performance in a mobile environment is the most inter-esting one because we believe that mobile environmentmust have a positive effect on the secret generation ratewhile negative one on the matching rate. Thus synchro-nization needs to be investigated in a mobile environ-ment, which will help reduce the discrepancy that fast-changing channel would bring. Consequently, the capa-bility of eavesdroppers should be taken into considera-tion with those different settings accordingly.

Moreover, as we point out in Section 1, this paperonly focuses on the phase of advantage distillation ofkey distribution. Additional investigation on forward er-ror correction (FEC) technique is needed to completethe second phase of information reconciliation. Infor-mation reconciliation should be carefully considered forwe want to maximize the mutual information which ishidden from eavesdroppers.

11

References[1] AZIMI-SADJADI, B., KIAYIAS, A., MERCADO, A., AND

YENER, B. Robust key generation from signal envelopes in wire-less networks. In Proceedings of the 14th ACM conference onComputer and communications security (New York, NY, USA,2007), CCS ’07, ACM, pp. 401–410.

[2] BENNETT, C., BRASSARD, G., AND MAURER, U. M. Gener-alized privacy amplification. IEEE Transactions on InformationTheory 41 (1995), 1915–1923.

[3] CACHIN, C., AND MAURER, U. Linking information recon-ciliation and privacy amplification. Journal of Cryptology 10, 2(1997), 97–110.

[4] CLEVELAND, W. S. Robust locally weighted regression andsmoothing scatterplots. Journal of the American Statistical As-sociation 74 (1979), 829–836.

[5] HAMIDA, S.-B., PIERROT, J.-B., AND CASTELLUCCIA, C. Anadaptive quantization algorithm for secret key generation usingradio channel measurements. In New Technologies, Mobility andSecurity (NTMS), 2009 3rd International Conference on (2009),pp. 1–5.

[6] IRIS SAFAKA, CHRISTINA FRAGOULI, K. A. S. D. Creatingsecrets out of erasures. MobiCom ’13.

[7] JANA, S., PREMNATH, S. N., CLARK, M., KASERA, S. K.,PATWARI, N., AND KRISHNAMURTHY, S. V. On the effective-ness of secret key extraction from wireless signal strength in realenvironments. In Proceedings of the 15th annual internationalconference on Mobile computing and networking (New York, NY,USA, 2009), MobiCom ’09, ACM, pp. 321–332.

[8] MADISEH, M. G., HE, S., MCGUIRE, M. L., NEVILLE, S. W.,AND DONG, X. Verification of secret key generation from uwbchannel observations. In Proceedings of the 2009 IEEE inter-national conference on Communications (Piscataway, NJ, USA,2009), ICC’09, IEEE Press, pp. 593–597.

[9] MADISEH, M. G., MCGUIRE, M. L., NEVILLE, S. S., CAI,L., AND HORIE, M. Secret key generation and agreement inuwb communication channels. In Proceedings of the GlobalCommunications Conference, 2008. GLOBECOM 2008, New Or-leans, LA, USA, 30 November - 4 December 2008 (2008), IEEE,pp. 1842–1846.

[10] MATHUR, S., TRAPPE, W., MANDAYAM, N., YE, C., ANDREZNIK, A. Radio-telepathy: extracting a secret key from anunauthenticated wireless channel. In Proceedings of the 14thACM international conference on Mobile computing and net-working (New York, NY, USA, 2008), MobiCom ’08, ACM,pp. 128–139.

[11] PATWARI, N., CROFT, J., JANA, S., AND KASERA, S. K. High-rate uncorrelated bit extraction for shared secret key generationfrom channel measurements. IEEE Transactions on Mobile Com-puting 9, 1 (Jan. 2010), 17–30.

[12] RAPPAPORT, T. Wireless Communications: Principles and Prac-tice, 2nd ed. Prentice Hall PTR, Upper Saddle River, NJ, USA,2001.

[13] WEI, Y., ZENG, K., AND MOHAPATRA, P. Adaptive wirelesschannel probing for shared key generation based on pid con-troller. IEEE Transactions on Mobile Computing 99, PrePrints(2012).

[14] WIEN, T. U., EITER, T., EITER, T., MANNILA, H., AND MAN-NILA, H. Computing discrete frchet distance. Tech. rep., 1994.

[15] WILSON, R., TSE, D., SCHOLTZ, R. A., AND FELLOW, L.Channel identification: Secret sharing using reciprocity in uwbchannels. IEEE Transactions on Information Forensics and Se-curity (2007), 364–375.

[16] XIONG, J.AND JAMIESON, K. Securearray: Improving wirelesssecurity with fine-grained physical layer information. MobiCom’13.

[17] YE, C., REZNIK, A., STERNBERG, G., AND SHAH, Y. On thesecrecy capabilities of itu channels, 2007.

[18] ZENG, K., WU, D., CHAN, A., AND MOHAPATRA, P. Exploit-ing multiple-antenna diversity for shared secret key generationin wireless networks. In INFOCOM, 2010 Proceedings IEEE(2010), pp. 1–9.

12