
Journal of Computer Security 00 (20xx) 1–13
DOI 10.3233/JCS-15807
IOS Press

A secret key establishment protocol for wireless networks using noisy channels

Albert Guan * and Wen-Guey Tzeng

Department of Computer Science, National Chiao Tung University, Hsinchu, Taiwan 30050
E-mails: d9955801.cs99g@nctu.edu.tw, wgtzeng@cs.nctu.edu.tw

Abstract. An efficient protocol for establishing secret keys for neighboring nodes in a wireless network is presented in this paper. The security of the key generated by our protocol is based on the unpredictability of the noises in binary symmetric communication channels. The two nodes which try to establish a common secret key receive messages from a common source of random bit strings. Due to noises in the communication channel, the messages received by them, and most importantly the messages received by the eavesdropper, are not the same. We show that the two nodes can modify their messages in an efficient way to obtain a common string which contains enough uncertainty to the eavesdropper. Then, a secure universal hash function is applied to compute a secret key for extracting randomness from the common string. We prove that the probability for the eavesdropper to know the value of the key is negligible. One advantage of our proposed protocol is that the secret key rate is better than the known scheme in other models, such as the bounded storage model. Furthermore, our proposed protocol needs only to perform exclusive-or operations and compute hash values. Thus, it is a computationally light-weight protocol and suitable for devices with limited computing resources, such as sensors in sensor networks.

Keywords: Key agreement, light-weight protocol, wireless network, random noise, binary symmetric channel

1. Introduction

Security is an important issue in many applications of wireless networks. Plain data sent through public channels are vulnerable to attacks. Many techniques can be applied to protect sensitive data in the communication. Private secure communication channels are usually very expensive. A more practical method is to use encryption. Thus, encryption has become an essential tool to protect data in public communication channels. In this paper, we design a light-weight protocol for any pair of nearby nodes in a wireless network to establish a secret key for secure communication.

A wireless sensor network consists of a set of sensor nodes. Each sensor node has a set of devices for sensing and collecting data and a small antenna for transmitting collected data to other nodes in the network. In most cases, each sensor node has only limited computing power and limited storage. Therefore, in the design of protocols for a sensor network, light-weight computation is very important. One way to establish a secret key for secure communication is to pre-deploy a subset of secret keys selected from a given key pool to each sensor node. Two sensor nodes can establish a key in the field if the intersection of their pre-stored keys is not empty. However, in order to ensure non-empty intersection between any pair of sensor nodes, the number of pre-stored keys in each node cannot be too small, especially when the number of sensor nodes is large. This will cause problems for sensors with a small amount of memory.

* Corresponding author. E-mail: d9955801.cs99g@nctu.edu.tw.

0926-227X/17/$35.00 © 2017 – IOS Press and the authors. All rights reserved

2 A. Guan and W.-G. Tzeng / Secret key establishment protocol based on noisy channels

Our proposed protocol does not need to pre-store a set of keys. Instead, we use unpredictable noises in the communication channel as the main ingredient of security. Due to noises in the communication channel, the messages received by the communicating sensor nodes, and most importantly the message received by the eavesdropper, are unlikely to be the same. We design an efficient method for sensor nodes to adjust their received messages so that the adjusted messages are the same with very high probability. An eavesdropper can also adjust his received messages. However, we show that an eavesdropper must have uncertainty on the messages agreed by the sensor nodes. Therefore, the eavesdropper does not have enough information to compute the secret key. The security of our protocol does not depend on how much computing power the eavesdropper can use.

In the security analysis of our protocol, we apply Chernoff bounds and other techniques to derive an upper bound for the number of correct bits computed by the eavesdropper. We formally show that, with suitable selection of parameters, the eavesdropper does not have enough information to deduce the value of the secret key established by two sensor nodes. Thus, the established key shared by two sensor nodes is secure against the eavesdropper except for leaking a negligible amount of information about the secret key.

This paper is organized as follows. In Section 2, we survey related works. Our protocol is described in Section 3. Section 4 is devoted to the security analysis of our protocol. Section 5 shows how to select parameters in our protocol so that the protocol can be executed efficiently and securely. Section 6 shows the simulation result of our protocol. Finally, conclusions are given in Section 7.

2. Related works

There are two commonly used types of schemes for establishing a secret key among sensor nodes. The first type is to pre-store a set of keys selected from a key pool. The other type is to compute the secret key by using the same random source. For the first type, a set of keys needs to be pre-distributed in the sensor nodes before they are deployed. For the second type, a random source must be accessible by the two parties.

For the pre-deployment of keys, Eschenauer and Gligor proposed a method to assign a random subset of the keys to each sensor node. They proved that two neighboring sensor nodes can establish a shared key from their own key pools with very high probability [10]. Liu and Ning improved the basic random key pre-distribution scheme of Eschenauer and Gligor by using multiple random key pools for each sensor node [15]. Ren et al. discussed how to pre-distribute keys in large scale [19]. Miller and Vaidya proposed a key pre-distribution scheme which assumes that the communication channels between sensor nodes use the orthogonal frequency-division multiplexing technology [17]. Sensors with pre-stored keys have some drawbacks. For example, when the number of sensors is large, to ensure that each pair of sensors can share a nonempty set of keys, the number of keys pre-stored in each sensor cannot be too small.

Secret keys can also be established after these sensor nodes were deployed. Tsai, Tzeng, and Zhou proposed a key establishment scheme for wireless sensor networks in the bounded storage model [20]. Their first scheme requires a special beacon node for broadcasting random bits. In their second scheme, some sensor nodes play the role of beacon nodes. The security of this model is based on the assumption that the random bits are too large to store in any available device which has only limited storage. For the purpose of establishing a secret key with high probability, each sensor node needs to store $2\sqrt{k\alpha}$ bits to ensure that they have at least $k$ bits in common, where $k$ is the security parameter and $\alpha$ is the length of the public random string. For $k = 128$ bits and $\alpha = 10^{15}$ bits, the number of established secret key bits per broadcast random bit (secret key bit rate) of their scheme is $k/2\sqrt{k\alpha} = 1.6 \times 10^{-8}$, which is very small. Our protocol can achieve secret key bit rate 0.0105 under the condition $p = 0.01$, where $p$ is the bit error probability.

Noisy channels play an important role in cryptography. Crepeau and Kilian presented some general techniques for establishing cryptographic strength of a wide variety of games. They showed that a noisy telephone line is in fact a very sophisticated cryptographic device [8]. Claude Crepeau proposed bit commitment and oblivious transfer schemes based on binary symmetric channels [7]. Crepeau, Morozov, and Wolf proposed an oblivious transfer scheme from almost any Noisy Channel [9]. Imai, Morozov, and Nascimento computed the OT capacity of the erasure channel for semi-honest adversary. For the malicious adversary, they gave its lower bound [12]. Palmieri and Pereira proposed an OT protocol based on channel delays only [18]. Cheong and Miyaji improved the scheme of Palmieri and Pereira to obtain an OT protocol in the malicious model [6].

Noisy channels can also be used to establish a common secret key. Wyner showed that the noise in the communication channel can be used to provide security in message transmission [23]. Ahmadi and Safavi-Naini focused on secret key capacity [2]. However, their model assumed that the eavesdropper has a binary symmetric channel with probability $p_2$, which is different from the channel used by Alice and Bob. Alice and Bob communicate via a binary symmetric channel with error probability $p_1$ and $p_1 < p_2$. For the case $p_1 \geq p_2$, only some special cases work. That is, at least one of the inverse DMBC's is in favor of Alice and Bob. A Discrete Memoryless Broadcast Channel (DMBC) $(X, Y, Z, P_{YZ|X})$ is a channel that, for an input symbol $x$, returns two output symbols $y$ and $z$ according to the distribution $P_{YZ|X}$. Its corresponding inverse DMBC is $(Y, X, Z, P_{XZ|Y})$ where $P_{XZ|Y}$ is calculated as $P_{XZ|Y} = (P_X \cdot P_{YZ|X})/P_Y$ and $P_Y = \sum_{x,z} P_X \cdot P_{YZ|X}$. Therefore, the channel for the eavesdropper is a degraded version of Alice and Bob.

Mathur et al. proposed a method for two nodes to extract a secret key from a wireless channel [16]. Their protocol requires the bit error probability $p_e$ to be extremely low, so that the probability $p_k$ that the key generated by the two parties does not match is acceptably small. For example, assuming the key length is 128 bits, in order to have a key-mismatch probability of $p_k = 10^{-6}$ their bit-error probability $p_e$ is at most $10^{-8}$. Our scheme only requires $p$ with $0.001 \leq p \leq 0.02$, which is more realistic than their scheme. Their protocol also requires that the eavesdropper is more than $\lambda/2$ away from both Alice and Bob so that the eavesdropper experiences the fading channel effect, where Alice and Bob are statistically independent of the fading, where $\lambda$ is the wavelength [16]. In our scheme, the eavesdropper may have the same ability as Alice and Bob's. We do not have extra restriction on the eavesdropper.

Several schemes exploited physical properties of channels for establishing secret keys [3,4,11,14,22]. Mathur et al. proposed a protocol that allows two parties to establish a common cryptographic key by exploiting special properties of the channel: the underlying channel response between any two parties is unique and de-correlates rapidly in space [16]. For our scheme, the amount of uncertainty is from the noises over a public radio link. For 4G service at 1 gigabit per second with 4 × 4 transmit diversity under EVA 5 HZ channel at SNR of 17 dB [21], it corresponds to bit error rate $p = 10^{-6}$ and each bit can generate $1.00002 \times 10^{-6}$ entropy bits, so the amount of uncertainty is $0.000001 \times 10^{9} = 10^{3}$ bits per second.

Our protocol exploits the noisy property of channels. We assume that the eavesdropper uses a binary symmetric channel with the same error probability $p$, rather than a degraded one. Even if the eavesdropper uses a degraded channel, our protocol still works. In fact, it is easier for the sensor nodes to collect common strings with enough uncertainty against the eavesdropper in a degraded channel.


We do not study how random messages are sent and received by the two parties to obtain the random bits. There are methods to do proper channel estimation to obtain “good” random bit strings [13].

3. The protocol

Consider the scenario that a set of sensor nodes are deployed in a field randomly. Each sensor node has no post-deployment knowledge about the other sensor nodes. All they can do is to communicate with their neighboring sensor nodes via their antennas.

In the application level of a computer communication network, it is generally required that a receiver can receive all messages in the communication without errors. However, errors may occur in the lower level of real-world communication systems. Noises and other factors often make message communication less reliable. An error correction code or even re-sending some parts of a long message is required to make sure that the received message is intact.

While in transmission of messages we try to reduce errors, in the secret key establishment, we use errors to derive the secret key so that the eavesdropper cannot obtain the information about the secret key. Thus, we need raw data in the noisy communication channel. Nevertheless, this is required only in the first step of our protocol.

Our protocol assumes that the broadcast channel is a binary symmetric channel. The raw data bits received by a sensor node may be different from the broadcast bits. In a binary symmetric channel, the probability for a bit 0 to be received as 1 is the same as the probability for a bit 1 to be received as 0. They are both equal to $p$, $0 < p < 1$.

Let $K$ denote the secret key to be established by A and B for encryption, such as AES. Let $s$ be the length of the key $K$. The value of $s$ is usually regarded as the security parameter of the system. For example, the value of $s$ can be 128, 192, or 256 for AES cryptosystem.

Our protocol is shown in Figs 1 and 2. Figure 1 contains the basic steps of establishing a common string of $m$ bits between A and B. Figure 2 is the main protocol of computing $K$ from $r$ common $m$-bit strings between A and B.

In the basic steps (Fig. 1), A and B receive broadcast random bits by the same beacon node at the same time. Let the $m$ bits received by A be $x_1 x_2 \ldots x_m$ and the $m$ bits received by B be $y_1 y_2 \ldots y_m$. Next, they compute pairwise parity bits for the received random bit stream. That is, A computes $z_1 z_2 \ldots z_{m/2}$ and B also computes $z'_1 z'_2 \ldots z'_{m/2}$, where $z_i = x_{2i-1} \oplus x_{2i}$ and $z'_i = y_{2i-1} \oplus y_{2i}$. A sends parity bits $z_1 z_2 \ldots z_{m/2}$ to B in a clear channel. Having received the parity bits from A, B compares them with his parity bits and tells A which parity bits are different. For each unmatched parity bit, B resets the corresponding two bits to 00. A also resets the corresponding two bits to 00. The unmatched bits can be discarded or set to any fixed value. After the basic steps, A and B have a common string of $m$ bits with high probability.

(1) Two sensor nodes A and B receive random bits broadcast by the beacon node at the same time. Let $m$ be an even number. Let the $m$ bits received by A be $x_1 x_2 \ldots x_m$ and the $m$ bits received by B be $y_1 y_2 \ldots y_m$.
(2) A computes $Z = z_1 z_2 \ldots z_{m/2}$, where $z_i = x_{2i-1} \oplus x_{2i}$, and sends $Z$ to B.
(3) B compares the parity bits and sets $I = \{i \mid z_i \neq z'_i\}$, where $z'_i = y_{2i-1} \oplus y_{2i}$. Then B sends the set $I$ to A.
(4) B resets the bits $y_{2k-1} = y_{2k} = 0$ for every $k \in I$. A resets the bits $x_{2k-1} = x_{2k} = 0$ for every $k \in I$.

Fig. 1. Basic steps of the protocol.

(1) Repeatedly run the basic steps of the protocol $r$ runs to obtain a common string $w$ of $mr$ bits.
(2) Sensor A computes $T = g(x_1 x_2 \ldots x_{mr})$ and sends it to B.
(3) Sensor B computes $T' = g(y_1 y_2 \ldots y_{mr})$ and sends it to A.
(4) If $T = T'$, then $w = (x_1 x_2 \ldots x_{mr}) = (y_1 y_2 \ldots y_{mr})$ with very high probability. Set the secret key
    $K = f(x_1 x_2 \ldots x_{mr}) = f(y_1 y_2 \ldots y_{mr})$.
    Otherwise, $T \neq T'$, the protocol aborts.

Fig. 2. The main protocol.

Step 1 in the main protocol, shown in Fig. 2, repeatedly executes the basic steps in Fig. 1 $r$ times to establish a common bit string of $mr$ bits ($r$ common $m$-bit strings). A and B apply a cryptographically strong hash function $g$ to check whether their common string is the same or not. Finally, they apply a universal hash function $f$ to extract a secret key.

Note that, in the basic steps of our protocol, if $z_1 z_2 \ldots z_{m/2} = z'_1 z'_2 \ldots z'_{m/2}$, we conclude that the two sequences $x_1, x_2, \ldots, x_m$ and $y_1, y_2, \ldots, y_m$ are equal with very high probability. Nevertheless, there is a very small probability for the two strings to be different. For security reasons, the protocol does not check if they are equal or not in the basic steps. The checking will be done by using a cryptographic hash function $g$ (in Steps 2 and 3 of the main protocol) after A and B collect $r$ such strings.

In the last step of the protocol, a universal hash function $f$ is applied to their common bit string to extract randomness for the shared secret key $K$. The universal hash function $f$, from $Z_2^{mr}$ to $Z_2^{s}$, is randomly selected from the universal class of hash family.

4. Analysis of the protocol

Let $T$ be the number of times that the full protocol in Fig. 2 is executed until the common secret key $K$ is established. The following theorem gives the expected value of $T$.


33 33
Theorem 1. Let $T$ be the random variable for the number of times executed until sensor nodes A and B successfully establish a common string of length $mr$ in the protocol. Then the expected value of $T$ is $1/((1 - 4p^2(1 - p)^2)^{mr/2})$.


Proof. Since the bit-flip probability is $p$, the probability that the two bits of A and B are different is $q = 2p(1 - p)$. The only case that $z_i$ is correct but $x_{i-1} x_i$ and $y_{i-1} y_i$ are different is that both bits $x_{i-1} x_i$ (or $y_{i-1} y_i$) are flipped. The probability that these two bits are flipped is $q^2$. Since there are $m$ bits at each run, the probability that the $mr$ bits that A received are the same with B's is $(1 - q^2)^{mr/2}$. Let $p' = (1 - q^2)^{mr/2}$. We have $\Pr[T = t] = p'(1 - p')^{t-1}$. Hence,

$$E(T) = \sum_{t=1}^{\infty} t\, p' (1 - p')^{t-1} = p' \sum_{t=1}^{\infty} t\, (1 - p')^{t-1} = \frac{1}{p'}. \qquad \square$$


Table 1
The average number T of times required for m = 320

              r = 20      r = 30       r = 40
p = 0.010       3.51        6.57        12.30
p = 0.015      16.37       66.23       267.99
p = 0.020     137.14     1606.07     18808.42

Table 2
The communication cost in bits for m = 320 and p = 0.01

                       r = 20     r = 30     r = 40
Communication cost      22464      63072     157440

Table 1 shows the expected number of times $T$ that the whole protocol needs to be executed. This number depends on the common string length $m$, the number of runs $r$ and the bit-flip probability $p$. Here we assume that $m = 320$. The values in Table 1 can be obtained from Theorem 1 for $1/T = (1 - 4p^2(1 - p)^2)^{mr/2}$.

Table 1 shows that our protocol can be executed very fast for $p \leq 0.01$. For example, for $p = 0.01$, $m = 320$, $r = 30$, the total number of communication cost is $mrT = 320 \times 30 \times 6.57 = 63702$ bits. For current WSN with 250 kbits/sec Zigbee, it can be done within 0.25 seconds. Even for $p = 0.02$, $m = 320$ and $r = 20$, the total number of communication bits is $mrT = 320 \times 20 \times 137.14 = 877696$ bits, it can be done within 3.5 seconds.

Now we show that the corresponding $m$-bit string of the adversary in Fig. 1 is different from A's and B's by at least some amount. Since the bit-flip probability is $p$, the probability that the two bits of A and B are different is $q = 2p(1 - p)$. On average, the sensor node B has $mq$ different bits from the sensor A. The adversary also has $mq$ bits different from what the sensor A has on average.

If the $i$th parity bit of B is different from A's parity bit, then the eavesdropper knows the value of the corresponding two bits, which will be reset to 00. On the other hand, if the $i$th parity bits of A and B are equal, and the eavesdropper's parity bit is different from A's and B's, the eavesdropper will know that one of his two eavesdropped bits is correct and the other is incorrect. Nevertheless, he does not know which one is correct and which one is incorrect. He can only guess the correct value of the two bits. With probability 1/2 he can make a correct guess. If the eavesdropper's parity bit is equal to A's and B's, then the two eavesdropped bits are the same as A's and B's with probability $(1 - q)^2$.

Since the probability for the $i$th parity bit of B being different from A is $2q(1 - q)$ and the probability for the $i$th parity bit of B being equal to A is $q^2 + (1 - q)^2$, the probability that the eavesdropper eavesdrops the correct corresponding two bits is

$$2q(1 - q) + \left(q^2 + (1 - q)^2\right)\left(2q(1 - q) \cdot 1/2 + (1 - q)^2\right).$$

Therefore, the eavesdropper has at most

$$l = \left[2q(1 - q) + \left(q^2 + (1 - q)^2\right)\left(2q(1 - q) \cdot 1/2 + (1 - q)^2\right)\right] m$$

correct bits for the common $m$-bit string of A and B on average. We show that the probability that the eavesdropper knows up to $(l/m + \varepsilon)m$ bits is negligible, where $0 < l/m + \varepsilon < 1$.


Theorem 2. Let $C \subset \{1, 2, \ldots, m\}$ be the set of indices of the bits received by the eavesdropper and these bits are the same as A's and B's. Then

$$\Pr\left[|C| \geq (l/m + \varepsilon)m\right] \leq e^{-(l/m)m\left(\frac{\varepsilon}{l/m}\right)^2/3}.$$

Proof. Let $X_i$ be the indicator random variable for the $i$th bit. $X_i = 1$ if the eavesdropper gets the correct value for the $i$th bit and $X_i = 0$, otherwise.

$$\Pr\left[|C| \geq (l/m + \varepsilon)m\right] = \Pr\left[\sum_{i=1}^{m} X_i \geq (l/m + \varepsilon)m\right] = \Pr\left[\sum_{i=1}^{m} X_i \geq (l/m)m\left(1 + \frac{\varepsilon}{l/m}\right)\right] \leq e^{-(l/m)m\left(\frac{\varepsilon}{l/m}\right)^2/3}. \qquad \square$$

In the proof of the above theorem, we use the Chernoff bound to show that the probability that the adversary obtains information by a certain amount on average is very small. The Chernoff bound can be described as follows. Let $X_i$ be a set of independent and identically distributed random Boolean variables with $E(X_i) = \theta$, $1 \leq i \leq t$. Then, almost all values of $\sum_{i=1}^{t} X_i$ are around its mean

$$E\left(\sum_{i=1}^{t} X_i\right) = t\theta.$$

More precisely, for any $0 < \varepsilon \leq 1$,

$$\Pr\left[\sum_{i=1}^{t} X_i \geq (1 + \varepsilon)t\theta\right] \leq e^{-t\theta\varepsilon^2/3}.$$

The next theorem estimates the amount of uncertainty about the corresponding two bits $x_{2k-1} x_{2k}$ when the eavesdropper has his own parity bits $z_k$ and sensor node A's parity bits are $z_k$, $1 \leq k \leq m/2$.

Theorem 3. Let $S = \{00, 01, 10, 11\}$. $X \in S$ is a random variable for the two bits corresponding to the parity bit $z_k$. Then, the eavesdropper has uncertainty

$$\left(3q^2 - 3q + 1\right)\left[\frac{(1 - p)^2}{(1 - p)^2 + p^2} \log \frac{(1 - p)^2 + p^2}{(1 - p)^2} + \frac{p^2}{(1 - p)^2 + p^2} \log \frac{(1 - p)^2 + p^2}{p^2}\right] + q(1 - q)$$

for $X$, where $q = 2p(1 - p)$.

Proof. Let $Y$ be the random variable such that
(1) $Y = 0$ if the eavesdropper's parity bit $z_k$ is not equal to A's parity bit $z_k$,
(2) $Y = 1$ if the eavesdropper's parity bit is equal to $z_k$, and
(3) $Y = \perp$, if A and B have different parity bit.


Then

$$H(X|Y) = \Pr[Y = 1]H(X|Y = 1) + \Pr[Y = 0]H(X|Y = 0) + \Pr[Y = \perp]H(X|Y = \perp).$$

The eavesdropper knows the two bits when A and B have different parity bit because these two bits will be 00. This implies that

$$H(X|Y = \perp) = 0.$$

Thus

$$H(X|Y) = \Pr[Y = 1]H(X|Y = 1) + \Pr[Y = 0]H(X|Y = 0).$$

We have,

$$\Pr[Y = 1] = 3q^2 - 3q + 1,$$

and

$$\Pr[Y = 0] = q(1 - q).$$


Without loss of generality, we assume that the two received bits by the eavesdropper is $X = 00$. By the above analysis, we can obtain the following probabilities: For the probability that $x_{2k-1} x_{2k} = 00$, conditioned on the eavesdropper's parity bit $z_k$ equal to $z_k$,

$$\Pr[X = 00|Y = 1] = \frac{(1 - p)^2 \cdot (1 - p)^2 \cdot ((1 - p)^2 + p^2)}{(1 - p)^2 \cdot ((1 - p)^2 + p^2)^2} = \frac{(1 - p)^2}{(1 - p)^2 + p^2}$$

For the probability that $x_{2k-1} x_{2k} = 11$, conditioned on the eavesdropper's parity bit $z_k$ equal to $z_k$,

$$\Pr[X = 11|Y = 1] = \frac{p^2 \cdot (1 - p)^2 \cdot ((1 - p)^2 + p^2)}{(1 - p)^2 \cdot ((1 - p)^2 + p^2)^2} = \frac{p^2}{(1 - p)^2 + p^2}$$

For the probability that $x_{2k-1} x_{2k}$ is 01, conditioned on the eavesdropper's parity bit $z_k$ not equal to $z_k$,

$$\Pr[X = 01|Y = 0] = \frac{p(1 - p) \cdot (1 - p)^2 \cdot 2p(1 - p)}{(1 - p)^2 \cdot (2p(1 - p))^2} = \frac{1}{2}.$$


For the probability that $x_{2k-1} x_{2k}$ is 10, conditioned on the eavesdropper's parity bit $z_k$ not equal to $z_k$,

$$\Pr[X = 10|Y = 0] = \frac{p(1 - p) \cdot (1 - p)^2 \cdot 2p(1 - p)}{(1 - p)^2 \cdot (2p(1 - p))^2} = \frac{1}{2}.$$

Thus,

$$H(X|Y = 1) = \frac{(1 - p)^2}{(1 - p)^2 + p^2} \log \frac{(1 - p)^2 + p^2}{(1 - p)^2} + \frac{p^2}{(1 - p)^2 + p^2} \log \frac{(1 - p)^2 + p^2}{p^2},$$

and

$$H(X|Y = 0) = 1.$$

This implies that

$$H(X|Y) = \left(3q^2 - 3q + 1\right)\left[\frac{(1 - p)^2}{(1 - p)^2 + p^2} \log \frac{(1 - p)^2 + p^2}{(1 - p)^2} + \frac{p^2}{(1 - p)^2 + p^2} \log \frac{(1 - p)^2 + p^2}{p^2}\right] + q(1 - q). \qquad \square$$

Therefore, the amount of uncertainty to the eavesdropper for a common $m$-bit string (in Fig. 1) is $h = mH(X|Y)/2$. If we have $r$ such common strings, the amount of uncertainty to the eavesdropper is $hr$.

In the next theorem, with proper parameter setting, we show that the key $K$ established by A and B is $s$-bit secure against the eavesdropper. Note that $K = f(W)$ is the extracted key from the $mr$-bit common string $W$ between A and B. $W$ is established in Step 1 of Fig. 2. In proving the next theorem, we need privacy amplification.

Let $F$ be a random variable for a function $f$ randomly chosen from the universal hash family $f : \{0, 1\}^n \to \{0, 1\}^s$, $s < n$. It can be shown that

Theorem 4 (Privacy amplification [5]). For any $\delta > 0$, for all sufficiently large $n$, random $R$ and $W$, $W$ is a common $n = mr$-bit string with entropy $s$ between A and B, $v = n(H_b(p) - \delta) - s$,

$$H\left(F(W) \mid BS_p(R), F\right) \geq s - \frac{2^{-v}}{\ln 2}.$$

Theorem 5. Suppose that A and B have collected a common string which contains $s$ bits of uncertainty to the eavesdropper. Assume that the hash functions $f$ is randomly chosen from a universal hash family. Then, after the protocol, the eavesdropper has almost $s$ bits of uncertainty about the value of key $K$.


Proof. Let $R$ be the random variable for the random string broadcast by the beacon node. Let $BS_p(R)$ be the random variable for the string received by the eavesdropper. $W$ is the agreed $mr$-bit string between A and B.

Because $H(F(W) \mid BS_p(R), F) = s$ means that given $BS_p(R)$ and $F$, the eavesdropper almost has $s$-bit uncertainty about $F(W)$. The last term is exponentially close to 0.

We cannot use the privacy amplification theorem directly to prove the security for $K = F(W)$ because A has sent the parity bits in the protocol. However, we can apply the theorem with some modification. For any $\delta > 0$, for all sufficiently large $n = mr$, for $v' = n(h - \delta) - v$, where

$$h = \frac{1}{2}\left[\left(3q^2 - 3q + 1\right)\left(\frac{(1 - p)^2}{(1 - p)^2 + p^2} \log \frac{(1 - p)^2 + p^2}{(1 - p)^2} + \frac{p^2}{(1 - p)^2 + p^2} \log \frac{(1 - p)^2 + p^2}{p^2}\right) + q(1 - q)\right]$$

and $q = 2p(1 - p)$, the entropy about the key $F(W)$ to the eavesdropper is bounded by

$$H\left(F(W) \mid Z, BS_p(R), F\right) \geq s - \frac{2^{-v'}}{\ln 2} \approx s. \qquad \square$$

Note that our hash function $f$ is from $mr$ bits to $s$ bits.

It can be seen in Theorem 5 that the hash functions $f$ can be public, even to the eavesdropper. The privacy amplification theorem provides a lower bound on the entropy of the hash value $f(W) = K$ under the condition of knowing $f$ and noisy input $BS_p(R)$. Although partial information about the common bit string $W$ is known by the eavesdropper, we actually use the hash of the common bit string. By the privacy amplification theorem, the eavesdropper's information about $K$ is reduced to a very small amount.

5. Selecting parameters

The purpose of the repeated execution of the basic steps in Step 1 of Fig. 2 is to accumulate sufficient uncertain bits against the eavesdropper. The value $r$ should be properly chosen so that the $mr$-bit common string of A and B will have at least $s$ uncertain bits to the eavesdropper. Table 3 shows entropy for some possible $r$ and $p = 0.010, 0.015, 0.020$.

The values in Table 3 can be derived from Theorem 3. First we compute the uncertainty to the eavesdropper for a single run. Then we multiply it by the number of runs $r$ to get the final result.

Table 3
The entropy of the r m-bit common string to the eavesdropper

Entropy       r = 20    r = 30    r = 40
p = 0.010         67       100       134
p = 0.015        101       151       202
p = 0.020        135       203       271

For example, for $r = 30$ and bit-flip probability $p = 0.01$, after executing the protocol, the common string will have 100 bits of uncertainty to the eavesdropper. This is the security of the established key $K$ between A and B. In general, for our protocol to run successfully for $s = 160$, it is always possible to select the parameters for $m = 320$, when $0.001 \leq p < 0.02$. This shows that our protocol is practical in current technology. For the case that the error rate is very small, i.e. $p < 0.001$, the two sensor nodes can randomly flip some bits to make the same effect as $p = 0.001$. It was shown that the possible range for $p$ is from 0.2% to 4% with maximal ratio combining decision feedback equalizer (MRCDFE) [1]. Our choices of $p$'s are within this range.

6. Simulation

We use programs to simulate the noisy channel and the protocol. Assume that a beacon node broadcasts random bits. The first step is to simulate nodes A and B receiving the random bits broadcast by the beacon node. A, B and the eavesdropper each receive the random bits independently with the specified error rate p. The second step is to compute the exclusive-or of the bit strings received by A and B. Node A sends the parity bit string to B and B sends back those positions with different parities. Then, A and B compute the key by the steps specified in the protocol.

The simulation program judges whether the protocol succeeds by checking whether the received strings of A and B are the same after adjusting the strings by using the parity bits.

Figure 3 shows the success rate of the basic step of the protocol for different bit-flip probabilities p, assuming m = 256 and 320. The simulation is run 1000 times and the averages are taken. In addition to the results of simulation, theoretical rates are also plotted. The lines 256t and 320t are theoretical results and the lines 256s and 320s are the simulation results. We can see that they agree quite nicely.

Figure 4 shows the number of entropy bits for different bit-flip probabilities p, assuming m = 256, 320 and r = 20. The theoretical values are also shown in the figure. The lines 256t and 320t are theoretical results and the lines 256s and 320s are the simulation results. They agree quite nicely, too.

[Figure: success rate plotted against error rate p (×10^−2); curves 256t, 256s, 320t, 320s.]
Fig. 3. Simulation results for success rate.

[Figure: entropy bits plotted against error rate p (×10^−2); curves 256t, 256s, 320t, 320s.]
Fig. 4. Simulation results for entropy bits.

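The success check described in this section can be reproduced with a short simulation. This is an added example, not the authors' simulation program: it assumes 2-bit parity blocks and that both nodes drop every block B reports as mismatched (the paper's exact steps are those of Fig. 2), and all function names are hypothetical.

```python
import random

def bsc(bits, p, rng):
    """Binary symmetric channel: flip each bit independently with probability p."""
    return [b ^ int(rng.random() < p) for b in bits]

def reconcile(a, b):
    """Assumed basic step: A sends the parity of each 2-bit block, B replies with
    the block positions whose parity differs, and both nodes drop those blocks."""
    blocks = range(len(a) // 2)
    parity_a = [a[2 * j] ^ a[2 * j + 1] for j in blocks]        # sent A -> B
    mismatched = [j for j in blocks
                  if parity_a[j] != (b[2 * j] ^ b[2 * j + 1])]  # sent B -> A
    keep = [j for j in blocks if j not in mismatched]
    a_adj = [bit for j in keep for bit in a[2 * j:2 * j + 2]]
    b_adj = [bit for j in keep for bit in b[2 * j:2 * j + 2]]
    return a_adj, b_adj, mismatched

def basic_step_succeeds(m, p, rng):
    """One run: the beacon broadcasts m random bits, A and B get noisy copies.
    The eavesdropper's copy is omitted; the success check does not use it."""
    source = [rng.getrandbits(1) for _ in range(m)]
    a, b = bsc(source, p, rng), bsc(source, p, rng)  # independent channel noise
    a_adj, b_adj, _ = reconcile(a, b)
    return a_adj == b_adj                            # strings equal after adjusting

def simulated_rate(m, p, trials=1000, seed=1):
    """Fraction of successful runs; the seed is fixed so results are repeatable."""
    rng = random.Random(seed)
    return sum(basic_step_succeeds(m, p, rng) for _ in range(trials)) / trials

def predicted_rate(m, p):
    """Prediction for this sketch only: a block passes the parity check with
    differing contents when both of its bits differ between A and B; a single
    bit differs with probability q = 2p(1 - p)."""
    q = 2 * p * (1 - p)
    return (1 - q * q) ** (m // 2)

if __name__ == "__main__":
    for m in (256, 320):
        for p in (0.010, 0.015, 0.020):
            print(f"m={m} p={p:.3f} simulated={simulated_rate(m, p):.3f} "
                  f"predicted={predicted_rate(m, p):.3f}")
```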
7. Conclusions

We have presented a protocol for two sensor nodes to compute a secret key in a binary symmetric channel in wireless sensor networks. The secrecy of the key is established by using the uncertainty of the messages received by the two sensor nodes and the eavesdropper.

We are able to prove formally that the eavesdropper's information about the secret key K is negligible. Thus, the key computed by two sensor nodes is secure in the sense that the eavesdropper does not have enough information to compute the secret key. This is different from the computational security of public key systems, such as the Diffie–Hellman key exchange protocol.

We have used the scenario of wireless sensor networks to describe our method. This scenario is one of the possible applications of our method. Any two parties who share a common noisy channel can use our method to establish a secret key. The only setting that needs to be changed is the way the two parties collect the random bit strings.

Acknowledgment

This research is supported in part by the MOST project 104-2221-E-009-112-MY3.

References

[1] Z.K. Adeyemo and T.I. Raji, Bit error rate analysis for wireless links using adaptive combining diversity, Journal of Theoretical and Applied Information Technology 20(1) (2010), 58–65.
[2] H. Ahmadi and R. Safavi-Naini, Secret keys from channel noise, in: Advances in Cryptology: Proceedings of the 30th Annual International Conference on Theory and Applications of Cryptographic Techniques, EUROCRYPT 2011, Springer-Verlag, Berlin, 2011, pp. 266–283.
[3] T. Aono, K. Higuchi, T. Ohira, B. Komiyama and H. Sasaoka, Wireless secret key generation exploiting reactance-domain scalar response of multipath fading channels, IEEE Transactions on Antennas and Propagation 53(11) (2005), 3776–3784. doi:10.1109/TAP.2005.858853.
[4] B. Azimi-Sadjadi, A. Kiayias, A. Mercado and B. Yener, Robust key generation from signal envelopes in wireless networks, in: Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS '07, ACM, New York, NY, USA, 2007, pp. 401–410. doi:10.1145/1315245.1315295.
[5] C.H. Bennett, G. Brassard, C. Crépeau and U.M. Maurer, Generalized privacy amplification, IEEE Transactions on Information Theory 41(6) (1995), 1915–1923. doi:10.1109/18.476316.
[6] K.-Y. Cheong and A. Miyaji, Unconditionally secure oblivious transfer based on channel delays, in: Proceedings of the 13th International Conference on Information and Communications Security, ICICS 2011, Springer-Verlag, Berlin, 2011, pp. 112–120.
[7] C. Crépeau, Efficient cryptographic protocols based on noisy channels, in: Advances in Cryptology: Proceedings of the 16th Annual International Conference on Theory and Application of Cryptographic Techniques, EUROCRYPT '97, Springer-Verlag, Berlin, 1997, pp. 306–317.
[8] C. Crépeau and J. Kilian, Achieving oblivious transfer using weakened security assumptions (extended abstract), in: Proceedings of the 29th Annual Symposium on Foundations of Computer Science, 1988, pp. 42–52.
[9] C. Crépeau, K. Morozov and S. Wolf, Efficient unconditional oblivious transfer from almost any noisy channel, in: Proceedings of Fourth Conference on Security in Communication Networks, SCN '04, Springer-Verlag, 2004, pp. 47–59.
[10] L. Eschenauer and V.D. Gligor, A key-management scheme for distributed sensor networks, in: Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS '02, ACM, New York, NY, USA, 2002, pp. 41–47.
[11] A.A. Hassan, W.E. Stark, J.E. Hershey and S. Chennakeshu, Cryptographic key agreement for mobile radio, Digital Signal Processing 6(4) (1996), 207–212. doi:10.1006/dspr.1996.0023.
[12] H. Imai, K. Morozov and A.C.A. Nascimento, On the oblivious transfer capacity of the erasure channel, in: 2006 IEEE International Symposium on Information Theory, 2006, pp. 1428–1431. doi:10.1109/ISIT.2006.262082.
[13] S. Jana, S.N. Premnath, M. Clark, S.K. Kasera, N. Patwari and S.V. Krishnamurthy, On the effectiveness of secret key extraction from wireless signal strength in real environments, in: Proceedings of the 15th Annual International Conference on Mobile Computing and Networking, MobiCom '09, ACM, New York, NY, USA, 2009, pp. 321–332.
[14] H. Koorapaty, A.A. Hassan and S. Chennakeshu, Secure information transmission for mobile radio, IEEE Communications Letters 4(2) (2000), 52–55. doi:10.1109/4234.824754.
[15] D. Liu and P. Ning, Establishing pairwise keys in distributed sensor networks, in: Proceedings of the 10th ACM Conference on Computer and Communications Security, CCS '03, ACM, New York, NY, USA, 2003, pp. 52–61. doi:10.1145/948109.948119.
[16] S. Mathur, W. Trappe, N. Mandayam, C. Ye and A. Reznik, Radio-telepathy: Extracting a secret key from an unauthenticated wireless channel, in: Proceedings of the 14th Annual International Conference on Mobile Computing and Networking, MobiCom '08, ACM, New York, NY, USA, 2008, pp. 128–139.
[17] M.J. Miller and N.H. Vaidya, Leveraging channel diversity for key establishment in wireless sensor networks, in: Proceedings of the 25th IEEE International Conference on Computer Communications, INFOCOM 2006, 2006, pp. 1–12.
[18] P. Palmieri and O. Pereira, Building oblivious transfer on channel delays, in: Proceedings of the 6th International Conference on Information Security and Cryptology, Inscrypt 2010, Springer-Verlag, Berlin, 2011, pp. 125–138. doi:10.1007/978-3-642-21518-6_10.
[19] K. Ren, K. Zeng and W. Lou, A new approach for random key pre-distribution in large-scale wireless sensor networks, Wireless Communication and Mobile Computing 6(3) (2006), 307–318. doi:10.1002/wcm.397.
[20] S.-C. Tsai, W.-G. Tzeng and K.-Y. Zhou, Key establishment schemes against storage-bounded adversaries in wireless sensor networks, IEEE Transactions on Wireless Communications 8(3) (2009), 1218–1222. doi:10.1109/TWC.2009.081048.
[21] U.E. Uyoata and J.M. Noras, BER performance of 2x2 and 4x4 transmit diversity MIMO in downlink LTE, International Journal of Computer Applications 108(9) (2014), 23–28. doi:10.5120/18941-9693.
[22] R. Wilson, D. Tse and R.A. Scholtz, Channel identification: Secret sharing using reciprocity in ultrawideband channels, IEEE Transactions on Information Forensics and Security 2(3) (2007), 364–375. doi:10.1109/TIFS.2007.902666.
[23] A.D. Wyner, The wire-tap channel, Bell System Technical Journal 54(8) (1975), 1355–1387. doi:10.1002/j.1538-7305.1975.tb02040.x.