A. Physical Layer-Based Key Generation Pipeline

As illustrated in Fig. 2, current physical layer-based key generation schemes are largely based on the 4-step pipeline performed by two devices named Alice and Bob.

• Step 1:

  Pairwise channel probing for ${\mathbf {T}}=\{1,\ldots, T\}$ time slots. With probing sequence $\{x^{t}|t\in {\mathbf {T}}\}$ , Alice and Bob have their corresponding received signals $\{y_{A}^{t}|t\in {\mathbf {T}}\}$ and $\{y_{B}^{t}|t\in {\mathbf {T}}\}$ , respectively.

• Step 2:

  Quantization scheme $\tau$ to generate bit strings: $\rho _{A}$ for Alice and $\rho _{B}$ for Bob.

• Step 3:

  Reconciliation to eliminate the discrepancy between two bit strings: Bob recovers $\rho _{A}$ by using its own measurement $\rho _{B}$ and error information $e$ . Since Bob’s string $\rho _{B}$ can be treated as a noisy (fuzzy) version of Alice’s string $\rho _{A}$ , the error information $e$ can be decoded based on $s$ , which is generated by the secure sketch scheme $Ske$ [27].

• Step 4:

  Privacy amplification to increase the randomness of the generated common key $k$ , where randomness extractor $Ext$ can derive a uniformly random string $k$ from $\rho _{A}$ and an $R$ -bit random seed $r$ [28], [23].

Owing to the wireless channel reciprocity between Alice and Bob, channel impulse responses or received signal strengths derived from $y_{A}^{t}$ and $y_{B}^{t}$ will function as shared random sources to generate a common key [23], [29], and it was found that the above key probing sequences can be piggybacked with the data exchange sequences. Another field study [30] showed that when the probing sequences are only used for the key generation purpose, i.e., no piggybacking, the energy consumption and time duration can be more demanding, as compared with classical key establishment approaches. Although there is a discrepancy on the efficiency of the physical layer-based key generation procedure, which requires further investigation, traditional cryptography-based security solutions are becoming inadequate, due to the difficulty in providing physical protection of devices and initializing and securing key materials during the lifetime of an IoT system. Consequently, it is important to explore the physical layer-based key extraction pipeline for IoT devices.

B. Security Analysis for Physical Layer Key Generation

Empirical Security Analysis — In terms of security analysis for the generated key, the majority of the existing evaluations are performed using empirical methods. 1) For a two-node system with Alice and Bob, the following metrics have been measured in different phases of the pipeline: bit disagreement rate (BDR) before and after Step 3 [23], [30], secret mutual information shared via probing sequence in Step 1 [23], average min-entropy on each bit of the bit string in Step 2 to measure the lower bound of the randomness of the key [31], and secret bit rate to measure the average number of secret bits extracted from each reconciled channel response (Step 3) [32]. 2) For the multi-node system with passive/active attacker Eve, leaked information has been adopted to measure the mutual information among Alice, Bob, and Eve of the probing sequences in Step 1 [23].

Channel Modeling — The theoretical security performance of the physical layer-based key depends on randomness inherent in the wireless channel model. Channel modeling has laid the foundation for the first generation of wireless cellular technology over 40 years ago. As illustrated in Fig. 3, the relationship between the signal received by Alice $y_{A}^{t}$ and the original probing signal $x^{t}$ is determined by the physical wireless channel model: at time $t$ , $y_{A}^{t}={h_{A}^{t}}{x^{t}}+n_{0}$ , where $n_{0}$ is the additive white Gaussian noise (AWGN) and $h_{A}^{t}$ is the time-varying channel gain with destination indicated by the sub-index $A$ . At any time $t$ , the instantaneous behavior of the channel fading $h_{A}^{t}$ can be statistically following Rayleigh, Rician, log-normal, or Nakagami probability distribution function [33]. The time-variation of the fading channel, i.e., the correlation between $h_{A}^{t}$ and $h_{A}^{t'}$ can be modeled with Markov property [34], [35]. For example, with the first-order Markov model, future $h_{A}^{t+1}$ and past $h_{A}^{t-1}$ are independent given present $h_{A}^{t}$ .

FIGURE 3.

One pair of ping and pong probings between Alice and Bob.

Show All

Theoretical Security Analysis — In the limited amount of theoretical frameworks, based on different wireless channel models, there are two directions on the security analysis.

1. With the assumption that $h_{A}^{t}$ and $h_{A}^{t+1}$ in Step 1 are independent and identically distributed (i.i.d.), i.e., no Markov property, the mutual information between Alice’s channel estimation ($\tilde { h}_{A}$ ) and Bob’s channel approximation ($\tilde {h}_{B}$ ) has been derived using an information theoretic approach [36]–​[38], where the time index $t$ is dropped because of the stationary and memoryless assumption. It has been found that the mutual information $I(\tilde { h}_{A},\tilde {h}_{B})$ will decrease with the key coherence time, which can be approximated as the duration of one time slot because when the time interval between the ping signal and pong signal in one time slot is bigger than a certain threshold, the reciprocity between channels ${h}_{A}$ and ${h}_{B}$ cannot be guaranteed [39]. To obtain high secrecy capacity (mutual information over coherence time), the key generation system prefers shorter time slots. The short time slot will invalidate the i.i.d. assumption for both $h_{A}^{t}$ and $h_{B}^{t}$ , and render the derived security performance measurement inaccurate.

2. With channel fading $h_{A}^{t}$ being kept in a black-box, Edman et al. [40] assumed the first order Markov property for Alice’s received signal ${{\mathbf {Y}}_{A}}=\{y_{A}^{t}|t\in \bf {T}\}$ , and they subsequently adopted the hidden Markov model (HMM) to derive the conditional min-entropy, which measures the uncertainty remained in Alice’s private sequential channel measurements $y_{A}^{t}\in \{s_{0},\ldots, s_{j},\ldots, s_{255}\}$ given Eve’s passive sequential observation sequence, where 0–255 is the standard range of the received signal strength indicator (RSSI) [41]. Wang et al. [42] extended the scenario to the case with multiple passive eavesdroppers ${\mathbf {M}}=\{1,\ldots, M\}$ . As illustrated in Fig. 4, at time $t$ , the eavesdroppers’ measurements are ${{\mathbf {Y}}_{E}^{t}}=\{y_{i}^{t}|i\in \bf {M}\}$ , with $y_{i}^{t}$ being the ping signal transmitted by Bob and received by the $i$ -th eavesdropper. However, it is found that HMM cannot scale well with multiple eavesdroppers because the state space ($256^{M}$ possible states) of eavesdroppers’ joint observation grows exponentially with $M$ and the corresponding HMM parameters cannot be estimated accurately with the limited probing sequence given in Step 1.

FIGURE 4.

Eavesdropping: (a) wiretap channel model with $M$ eavesdroppers $\{E_{1},\ldots, E_{i},\ldots, E_{M}\}$ , and (b) HMM with multiple eavesdroppers’ observations.

Show All

A. Signal Model

As shown in Fig. 5, the wiretap channel model is adopted to evaluate the performance of the secret key extracted from the physical properties of the wireless channel between two legitimate wireless devices: Alice $A$ and Bob $B$ , with multiple distributed adversaries $E_{i}$ , $i\in {\mathbf {M}}=\{1,\ldots, M\}$ , eavesdropping the private data transmission. Alice and Bob will alternatively probe the pair-wise highly correlated wireless channel ${h}_{A}^{t}$ and ${h}_{B}^{t}$ , where $h$ is the channel gain, subindex $A$ indicates the destination node being Alice, and $B$ for Bob. With the assumption of channel reciprocity, ${h}_{A}^{t} \approx {h}_{B}^{t}$ , a common key will be derived based on a sequence of probing results over the time duration of ${\mathbf {T}}=\{1,\ldots, t,\ldots, T\}$ .

FIGURE 5.

Signal probing with multiple eavesdroppers: (a) Ping signal received by Alice and $M$ eavesdroppers. (b) Pong signal received by Bob and $M$ eavesdroppers.

Show All

In the $t$ -th probing iteration, we denote $x^{t}\in \{0,1\}$ as the probing symbol transmitted by Alice and Bob alternatively [23]. Then, the discrete-time model for the received signal is $$\begin{equation*} \begin{cases} y_{A}^{t}=h_{A}^{t}x^{t}+n_{0},\\ y_{B}^{t}=h_{B}^{t}x^{t}+n_{0},\\ \end{cases}\tag{1}\end{equation*}$$ View Source\begin{equation*} \begin{cases} y_{A}^{t}=h_{A}^{t}x^{t}+n_{0},\\ y_{B}^{t}=h_{B}^{t}x^{t}+n_{0},\\ \end{cases}\tag{1}\end{equation*} where the signals received by Alice and Bob are $y_{A}^{t}$ and $y_{B}^{t}$ , respectively. $n_{0}$ is the zero mean additive Gaussian noises with variance ${\sigma }^{2}$ .

Each eavesdropper $E_{i}$ , $i\in \bf {M}$ , will monitor the probing sequences sent by Alice and Bob. Let $y_{i}^{t}$ be the $i$ -th adversary’s passive observation for the Bob$\rightarrow$ Eavesdropper link, and $y_{i'}^{t}$ for the Alice$\rightarrow$ Eavesdropper channel. $$\begin{equation*} \begin{cases} y_{i}^{t}=h_{i}^{t} x^{t}+n_{0},\\ y_{i'}^{t}=h_{i'}^{t} x^{t}+n_{0},\\ \end{cases}\tag{2}\end{equation*}$$ View Source\begin{equation*} \begin{cases} y_{i}^{t}=h_{i}^{t} x^{t}+n_{0},\\ y_{i'}^{t}=h_{i'}^{t} x^{t}+n_{0},\\ \end{cases}\tag{2}\end{equation*} where $h_{i}^{t}$ and $h_{i'}^{t}$ are the gains for the channel from Bob/Alice to the Eavesdropper, respectively.

B. Channel Model

We denote ${\mathbf {H}}_{A}=\{h_{A}^{t}| t\in {\mathbf {T}}\}$ as Bob’s channel vector, which collects the fading coefficients on the links from Alice to Bob during the entire probing process. Similarly, Alice’s channel vector is ${\mathbf {H}}_{B}=\{h_{B}^{t}| t\in {\mathbf {T}}\}$ . Eve has two channel matrices ${\mathbf {H}}_{E}=\{h_{i}^{t}| t\in {\mathbf {T}},i\in {\mathbf {M}}\}$ and ${\mathbf {H}}_{E'}=\{h_{i'}^{t}| t\in {\mathbf {T}},i\in {\mathbf {M}}\}$ . For each channel fading coefficient, we have the following two assumptions regarding the instantaneous behavior and the time variation behavior.

The instantaneous channel fading amplitude is assumed to be a Gaussian mixture model (GMM) with multiple components [43], [44]. With a sufficient number of mixing Gaussian components, it is mathematically convenient to adopt GMM as a universal approximator of densities. For instance, at time $t$ , the channel from Bob to Alice is $$\begin{equation*} h_{A}^{t}\sim \sum \limits _{j=1}^{N_{A}} w_{A,j}^{t}\mathcal {N}\left ({\mu _{A,j}^{t},\,\left ({\sigma _{A,j}^{t}}\right)^{2}}\right),\tag{3}\end{equation*}$$ View Source\begin{equation*} h_{A}^{t}\sim \sum \limits _{j=1}^{N_{A}} w_{A,j}^{t}\mathcal {N}\left ({\mu _{A,j}^{t},\,\left ({\sigma _{A,j}^{t}}\right)^{2}}\right),\tag{3}\end{equation*} where $N_{A}$ is the total number of Gaussian components, and the $j$ -th component follows the Gaussian distribution with mean value $\mu _{j}$ and standard deviation $\sigma _{A,j}^{t}$ . The weight of the $j$ -th component is $w_{A,j}^{t}$ and $\sum \nolimits _{j=1}^{N} w_{A,j}^{t}=1$ [45].

The time variation of the wireless fading channels is assumed to satisfy the first order Markov property. Namely, $$\begin{equation*} h_{A}^{t+1}\perp h_{A}^{t-1}|h_{A}^{t},\tag{4}\end{equation*}$$ View Source\begin{equation*} h_{A}^{t+1}\perp h_{A}^{t-1}|h_{A}^{t},\tag{4}\end{equation*} where the future $(t+1)$ is conditionally independent of the past $(t-1)$ given the present $t$ .

C. Information Flow Model

To provision practical and provable security, fundamental methods are needed to bridge the gap between information theory and engineering solutions. We will adopt a general dynamic Bayesian network (DBN) model, which can represent the probabilistic relationships among interacting variables (nodes) using a parameterized directed acyclic graph. The directed edge encodes the conditional dependence of the child node on one or more parent nodes, where the starting vertex of the directed edge is the parent, and the ending vertex is the child.

As shown in Fig. 6, at each time slot $t$ , the signals received by each node in the system is determined by the parent nodes (e.g., the signal received by the $i$ -th eavesdropper from Alice, $y_{i'}^{t}$ , depends on the probing signal $x^{t}$ , the fading channel between Alice and eavesdropper $h_{i'}^{t}$ , and white noise $n_{0}$ ). With the Markov property, the channel fading value at time slot $t$ is correlated with the fading value at the previous time slot $t-1$ . Note that the probing signal $x^{t}$ is not a stochastic random variable, but an input variable externally imposed on the system. Meanwhile, owing to the channel reciprocity, one directed edge is added from $h_{A}^{t}$ to $h_{B}^{t}$ to indicate the correlation between these two channel measurements. With the proposed DBN network structure, since these two nodes ($h_{A}^{t}$ and $h_{B}^{t}$ ) do not form a v-structure, i.e., they do not share a common child, the direction of the edge between $h_{A}^{t}$ and $h_{B}^{t}$ is not important and we choose the one to imply “Bob probes Alice first”. Furthermore, Bob’s probing signals will be received by both Alice and eavesdropper $E_{i}$ , $i\in \mathbf {M}$ , and thus one edge is added from $h_{A}^{t}$ to $h_{i}^{t}$ to indicate the information leakage caused by the correlation between these two channel measurements. Similarly, we have the $h_{B}^{t}\rightarrow h_{i'}^{t}$ edge.

FIGURE 6.

DBN = graph structure + local conditional distribution of each node given its parents. A colored node denotes a continuous observable variable, a shaded node indicates a latent continuous variable, and a square node means a discrete control variable.

Show All

The probabilistic model for the graph is a joint probability over all random variables. Since each variable is conditionally independent of all its non-descendants in the graph given the value of all its parents, joint distributions can be encoded as a product of local conditional distributions. The joint probability of the system is expressed as follows. $$\begin{align*}&\Pr \left ({{\mathbf {Y}}_{A},{\mathbf {H}}_{A},n_{0},{\mathbf {Y}}_{B},{\mathbf {H}}_{B},{\mathbf {Y}}_{E},{\mathbf {Y}}_{E'},{\mathbf {H}}_{E},{\mathbf {H}}_{E'}}\right) \\&\;={\Pr \left [{y_{A}^{1}|x^{1},h_{A}^{1},n_{0}}\right]}\times \Pr [h_{A}^{1}]\times \Pr [n_{0}] \\&\;\times {\Pr \left [{y_{B}^{1}|x^{1},h_{B}^{1},n_{0}}\right]}\times \Pr \left [{h_{B}^{1}|h_{A}^{1}}\right] \\&\;\times \prod \limits _{i=1}^{M}\left \{{{\Pr \left [{y_{i}^{1}|x^{1},h_{i}^{1},n_{0}}\right]}\times {\Pr [h_{i}^{1}|h_{A}^{1}]}}\right \} \\&\times \;\prod \limits _{i=1}^{M}\left \{{{\Pr \left [{y_{i'}^{1}|x^{1},h_{i'}^{1},n_{0}}\right]}\times {\Pr [h_{i'}^{1}|h_{B}^{1}]}}\right \} \\&\;\times \left \{{\prod \limits _{t=2}^{T}\left \{{{\Pr \left [{y_{A}^{t}|x^{t},h_{A}^{t},n_{0}}\right]}\times \Pr \left [{{h_{A}^{t}|h_{A}^{t-1}} }\right]\times \Pr [n_{0}]}\right \}}\right \} \\&\;\times \left \{{\prod \limits _{t=2}^{T}\left \{{{\Pr \left [{y_{B}^{t}|x_{t},h_{B}^{t},n_{0}}\right]} \Pr \left [{{h_{B}^{t}|h_{B}^{t-1}}}\right]\Pr \left [{{h_{B}^{t}|h_{A}^{t}}}\right]}\right \}}\right \} \\&\;\times \left \{{\prod \limits _{t=2}^{T}\prod \limits _{i=1}^{M}\left \{{{\Pr \left [{y_{i}^{t}|x^{t},h_{i}^{t},n_{0}}\right]}{\Pr [h_{i}^{t}|h_{i}^{t-1}]}{\Pr [h_{i}^{t}|h_{A}^{t}]}}\right \}}\right \} \\&\;\times \left \{{\prod \limits _{t=2}^{T}\prod \limits _{i=1}^{M}\left \{{{\Pr \left [{y_{i'}^{t}|x^{t},h_{i'}^{t},n_{0}}\right]}{\Pr [h_{i'}^{t}|h_{i'}^{t-1}]}{\Pr [h_{i'}^{t}|h_{B}^{t}]}}\right \}}\right \}\tag{5}\end{align*}$$ View Source\begin{align*}&\Pr \left ({{\mathbf {Y}}_{A},{\mathbf {H}}_{A},n_{0},{\mathbf {Y}}_{B},{\mathbf {H}}_{B},{\mathbf {Y}}_{E},{\mathbf {Y}}_{E'},{\mathbf {H}}_{E},{\mathbf {H}}_{E'}}\right) \\&\;={\Pr \left [{y_{A}^{1}|x^{1},h_{A}^{1},n_{0}}\right]}\times \Pr [h_{A}^{1}]\times \Pr [n_{0}] \\&\;\times {\Pr \left [{y_{B}^{1}|x^{1},h_{B}^{1},n_{0}}\right]}\times \Pr \left [{h_{B}^{1}|h_{A}^{1}}\right] \\&\;\times \prod \limits _{i=1}^{M}\left \{{{\Pr \left [{y_{i}^{1}|x^{1},h_{i}^{1},n_{0}}\right]}\times {\Pr [h_{i}^{1}|h_{A}^{1}]}}\right \} \\&\times \;\prod \limits _{i=1}^{M}\left \{{{\Pr \left [{y_{i'}^{1}|x^{1},h_{i'}^{1},n_{0}}\right]}\times {\Pr [h_{i'}^{1}|h_{B}^{1}]}}\right \} \\&\;\times \left \{{\prod \limits _{t=2}^{T}\left \{{{\Pr \left [{y_{A}^{t}|x^{t},h_{A}^{t},n_{0}}\right]}\times \Pr \left [{{h_{A}^{t}|h_{A}^{t-1}} }\right]\times \Pr [n_{0}]}\right \}}\right \} \\&\;\times \left \{{\prod \limits _{t=2}^{T}\left \{{{\Pr \left [{y_{B}^{t}|x_{t},h_{B}^{t},n_{0}}\right]} \Pr \left [{{h_{B}^{t}|h_{B}^{t-1}}}\right]\Pr \left [{{h_{B}^{t}|h_{A}^{t}}}\right]}\right \}}\right \} \\&\;\times \left \{{\prod \limits _{t=2}^{T}\prod \limits _{i=1}^{M}\left \{{{\Pr \left [{y_{i}^{t}|x^{t},h_{i}^{t},n_{0}}\right]}{\Pr [h_{i}^{t}|h_{i}^{t-1}]}{\Pr [h_{i}^{t}|h_{A}^{t}]}}\right \}}\right \} \\&\;\times \left \{{\prod \limits _{t=2}^{T}\prod \limits _{i=1}^{M}\left \{{{\Pr \left [{y_{i'}^{t}|x^{t},h_{i'}^{t},n_{0}}\right]}{\Pr [h_{i'}^{t}|h_{i'}^{t-1}]}{\Pr [h_{i'}^{t}|h_{B}^{t}]}}\right \}}\right \}\tag{5}\end{align*} where ${\mathbf {Y}}_{A}=\{y_{A}^{t}| t\in {\mathbf {T}}\}$ are the signals received by Alice over $T$ time slots. Similarly, Bob’s signal vector is ${\mathbf {Y}}_{B}=\{y_{B}^{t}| t\in {\mathbf {T}}\}$ . Eve has two channel matrices ${\mathbf {Y}}_{E}=\{y_{i}^{t}| t\in {\mathbf {T}},i\in {\mathbf {M}}\}$ and ${\mathbf {Y}}_{E'}=\{y_{i'}^{t}| t\in {\mathbf {T}},i\in {\mathbf {M}}\}$ .

D. Security Evaluation for the Probing Phase of the Key Generation Pipeline

The security strength of a pre-shared key between Alice and Bob can be measured as the number of bits (Shannon entropy) in the key, that is, to break any “$L$ -bits security strength” key $k$ , an attacker is required to perform around $2^{L}$ operations. Meanwhile, the concept of min-entropy provides a worst case estimation of the randomness of the key, where the lower bound of uncertainty is given below [31]. $$\begin{align*} H_{\infty }(K)=&\min \limits _{k\in \mathcal {K}}-\log \Pr [K=k] \\=&- \log \left ({\max \limits _{k\in {\mathbf {{\mathcal {K}}}}} \Pr [K=k]}\right),\tag{6}\end{align*}$$ View Source\begin{align*} H_{\infty }(K)=&\min \limits _{k\in \mathcal {K}}-\log \Pr [K=k] \\=&- \log \left ({\max \limits _{k\in {\mathbf {{\mathcal {K}}}}} \Pr [K=k]}\right),\tag{6}\end{align*} where the random variable key is $K$ and $\mathcal {K}$ is the set of all possible $L$ -bits keys. $\Pr [K=k]$ is the probability of generating the pre-shared key ${k\in {\mathbf {{\mathcal {K}}}}}$ . The success probability of an adversary guessing the key on the first try using an optimal guessing scheme is $2^{-{H_{\infty } }(K)}$ .

Suppose the adversary can eavesdrop some information $O$ about the key $K$ . The conditional min-entropy, ${H_{\infty } }(K|O)$ , is adopted to indicate the remaining uncertainty. Given an observation $o$ , the probability of adversaries successfully obtaining the key using the maximum likelihood decoder on the first try is [46]: $$\begin{equation*} 2^{-{H_{\infty } }(K|O=o)}=\max \limits _{k\in {\mathbf {{\mathcal {K}}}}} \Pr [K=k|{O} = o].\tag{7}\end{equation*}$$ View Source\begin{equation*} 2^{-{H_{\infty } }(K|O=o)}=\max \limits _{k\in {\mathbf {{\mathcal {K}}}}} \Pr [K=k|{O} = o].\tag{7}\end{equation*} Then, the average performance of Eve using a maximum likelihood decoder to obtain the correct key will be $2^{-{H_{\infty } }(K|O)}$ , and the corresponding conditional min-entropy is formally defined as follows. $$\begin{align*}&{H_{\infty } }({K}|{O}) = - \log \left ({{\mathop {\mathbb {E}}\limits _{o \leftarrow {O}}[{2^{ - {H_{\infty } }({K}|{O} = o)}}]}}\right) \\&\;- \log \left ({\sum \limits _{o \in {O}}\Pr [{O} = o] \left ({\max \limits _{k\in {\mathcal {K}}} \Pr [K=k|O = o]}\right)}\right),\tag{8}\end{align*}$$ View Source\begin{align*}&{H_{\infty } }({K}|{O}) = - \log \left ({{\mathop {\mathbb {E}}\limits _{o \leftarrow {O}}[{2^{ - {H_{\infty } }({K}|{O} = o)}}]}}\right) \\&\;- \log \left ({\sum \limits _{o \in {O}}\Pr [{O} = o] \left ({\max \limits _{k\in {\mathcal {K}}} \Pr [K=k|O = o]}\right)}\right),\tag{8}\end{align*} where $\leftarrow$ refers to sampling of a random variable.

As shown in Fig. 2, during the key generation procedure, adversaries can eavesdrop the channel probing signal, the secure sketch, and the random seed. In this paper, we primarily focus on the information leakage incurred during the probing phase. That is, the observation $O$ includes two sets of signals ${\mathbf {Y}}_{E}$ and ${\mathbf {Y}}_{E'}$ . Since both Alice and Bob’s key $K$ will be extracted from the commonly agreed ${\mathbf {Y}}_{A}$ , the conditional min-entropy during the probing phase will be ${H_{\infty } }({\mathbf {Y}}_{A}|{\mathbf {Y}}_{E},{\mathbf {Y}}_{E'})$ , with $2^{-{H_{\infty } }({\mathbf {Y}}_{A}|{\mathbf {Y}}_{E},{\mathbf {Y}}_{E'})}$ being given in Eq. (9). The objective of a key generation system is to maximize the conditional min-entropy, i.e., minimizing Eq. (9). $$\begin{align*}&2^{-{H_{\infty } }\left ({{\mathbf {Y}}_{A}|{\mathbf {Y}}_{E},{\mathbf {Y}}_{E'}}\right)} \\&\;=\sum \limits _{\left \{{y_{(1:M)}^{(1:T)},y_{(1':M')}^{(1:T)}}\right \}}\left \{{\vphantom {\max \limits _{y_{A}^{(1:T)}} \Pr \left [{{\mathbf {Y}}_{A}=y_{A}^{(1:T)}|{\mathbf {Y}}_{E}=y_{(1:M)}^{(1:T)},{\mathbf {Y}}_{E'}=y_{(1':M')}^{(1:T)}}\right]}\Pr \left [{{\mathbf {Y}}_{E}=y_{(1:M)}^{(1:T)},{\mathbf {Y}}_{E'}=y_{(1':M')}^{(1:T)}}\right]}\right. \\&\;\quad \times \left.{\max \limits _{y_{A}^{(1:T)}} \Pr \left [{{\mathbf {Y}}_{A}=y_{A}^{(1:T)}|{\mathbf {Y}}_{E}=y_{(1:M)}^{(1:T)},{\mathbf {Y}}_{E'}=y_{(1':M')}^{(1:T)}}\right]}\right \}. \\\tag{9}\end{align*}$$ View Source\begin{align*}&2^{-{H_{\infty } }\left ({{\mathbf {Y}}_{A}|{\mathbf {Y}}_{E},{\mathbf {Y}}_{E'}}\right)} \\&\;=\sum \limits _{\left \{{y_{(1:M)}^{(1:T)},y_{(1':M')}^{(1:T)}}\right \}}\left \{{\vphantom {\max \limits _{y_{A}^{(1:T)}} \Pr \left [{{\mathbf {Y}}_{A}=y_{A}^{(1:T)}|{\mathbf {Y}}_{E}=y_{(1:M)}^{(1:T)},{\mathbf {Y}}_{E'}=y_{(1':M')}^{(1:T)}}\right]}\Pr \left [{{\mathbf {Y}}_{E}=y_{(1:M)}^{(1:T)},{\mathbf {Y}}_{E'}=y_{(1':M')}^{(1:T)}}\right]}\right. \\&\;\quad \times \left.{\max \limits _{y_{A}^{(1:T)}} \Pr \left [{{\mathbf {Y}}_{A}=y_{A}^{(1:T)}|{\mathbf {Y}}_{E}=y_{(1:M)}^{(1:T)},{\mathbf {Y}}_{E'}=y_{(1':M')}^{(1:T)}}\right]}\right \}. \\\tag{9}\end{align*}

A. Model Structure Simplification

DBN learning aims to learn the parameters based on the known structure and partially observed data in Fig. 6. In particular, based on the collected signals ${\mathbf {Y}}_{A},{\mathbf {Y}}_{B},{{\mathbf {Y}}_{E}},{\mathbf {Y}}_{E'}$ , the learning algorithm will be designed to estimate the distributions of each node, including the probability distribution of each root node (node with no children) and the conditional probability distributions of the remaining nodes given their parents in the graph.

One challenge for conducting parameter learning is designing a general framework applicable to the various probability distribution for the instantaneous wireless channel behaviors. Another issue is that the mixed template model has discrete input variable $x^{t}$ , continuous hidden states (e.g., $h_{A}^{t}$ ), and continuous observed states (e.g., $y_{A}^{t}$ ), thus rendering the problem intractable. For example, the conditional probability of $h_{B}^{t}$ given $h_{A}^{t}$ may be very complex. As shown in Eq. (3), to simplify the mathematical derivation process without losing the parameter estimation accuracy, Gaussian mixture model is adopted to model the instantaneous channel fading amplitude. Moreover, to avoid complex conditional distribution caused by varying $x^{t}$ , we assume that the probing sequence consists of all 1s, i.e., $x^{t}=1, \forall t\in {\mathbf {T}}$ ; this assumption will provide the lower bound of the randomness in the key.

With the above two assumptions, a latent variable is introduced to indicate which Gaussian component is chosen, and the DBN in Fig. 6 can be simplified to Fig. 7. For instance, GMM for $h_{A}^{t}$ is represented in a hierarchical fashion, where $z_{A}^{t}$ is a multi-nominal label for the mixture component. $h_{A}^{t}$ is conditionally Gaussian given $z_{A}^{t}=j$ . Meanwhile, $y_{A}^{t}$ is a linear combination of two independent Gaussian distributions: the $j$ -th component that follows the Gaussian distribution and the white noise. To our best knowledge, this is the first general theoretical framework that can effectively consider all of the information leakage caused by the broadcasting nature of wireless channels. $$\begin{equation*} \begin{cases} \Pr [z_{A}^{t}=j]=w_{A,j}^{t},j\in \{1,\ldots, N_{A}\},\\ \Pr [h_{A}^{t}]=\sum \limits _{j=1}^{N_{A}}\Pr [h_{A}^{t}|z_{A}^{t}=j]\Pr [z_{A}^{t}=j]\\ \qquad \quad \mathrel {\mathrel {\mathop:}\hspace {-0.0672em}=}\sum \limits _{j=1}^{N_{A}} w_{A,j}^{t}\mathcal {N}\left ({\mu _{A,j}^{t},\,{(\sigma _{A,j}^{t}})^{2}}\right),\\ \Pr [y_{A}^{t}]=\Pr [h_{A}^{t}+n_{0}]\\ \qquad \quad \mathrel {\mathrel {\mathop:}\hspace {-0.0672em}=}\sum \limits _{j=1}^{N_{A}} w_{A,j}^{t} \mathcal {N}\left ({\mu _{A,j}^{t},\,(\sigma _{A,j}^{t})^{2}+\sigma ^{2}}\right), \end{cases}\tag{12}\end{equation*}$$ View Source\begin{equation*} \begin{cases} \Pr [z_{A}^{t}=j]=w_{A,j}^{t},j\in \{1,\ldots, N_{A}\},\\ \Pr [h_{A}^{t}]=\sum \limits _{j=1}^{N_{A}}\Pr [h_{A}^{t}|z_{A}^{t}=j]\Pr [z_{A}^{t}=j]\\ \qquad \quad \mathrel {\mathrel {\mathop:}\hspace {-0.0672em}=}\sum \limits _{j=1}^{N_{A}} w_{A,j}^{t}\mathcal {N}\left ({\mu _{A,j}^{t},\,{(\sigma _{A,j}^{t}})^{2}}\right),\\ \Pr [y_{A}^{t}]=\Pr [h_{A}^{t}+n_{0}]\\ \qquad \quad \mathrel {\mathrel {\mathop:}\hspace {-0.0672em}=}\sum \limits _{j=1}^{N_{A}} w_{A,j}^{t} \mathcal {N}\left ({\mu _{A,j}^{t},\,(\sigma _{A,j}^{t})^{2}+\sigma ^{2}}\right), \end{cases}\tag{12}\end{equation*} where $z_{A}^{t}$ is a multi-nominal label for the mixture component, $h_{A}^{t}$ is conditionally Gaussian given $z_{A}^{t}=j$ , and $y_{A}^{t}$ is a linear combination of two independent Gaussian distributions.

FIGURE 7.

Simplified DBN.

Show All

B. Algorithms for Tasks 1–3

Parameter Learning: To learn the network parameters (conditional probability distribution of each variable), the expectation–maximization (EM) algorithm is adopted to iteratively improve the maximum likelihood of the latent variables [47]. 1) Assume the latent variable follows the multinomial distributions. 2) Expectation (E) step creates a function for the expectation of the log-likelihood evaluated using the current estimate for the parameters. 3) The maximization (M) step computes parameters that maximize the expected log-likelihood found on the E step, and these parameter-estimates are then used to determine the distribution of the latent variables in the next E step. The EM iteration alternates between performing the E step and M step until convergence.

Marginal Inference: The junction tree algorithm will make probabilistic inference. The intuition is to use independence properties of the graph to decompose a global calculation on a joint probability into a linked set of local computations. The inference data structure named junction tree will elicit the relationship between locality and probabilistic inference. This algorithm will work with any probabilistic graphical model by generalizing variable elimination.

MAP Inference: The Annealed MAP algorithm [48] can find the most likely configuration of values of a set of nodes given observations of another subset of nodes. The Annealed MAP algorithm approximates the most probable sequence of states by simulated annealing [49]. While the solution is approximate, it performs well in practice and it gives an idea of the order of magnitude of the true maximum. The Annealed MAP algorithm drastically extends the class of MAP problems that can be solved.

A. Assumption Verification of the Real-World Data

To quantify the security performance of the physical layer key generated form the real-world RSSI sequences, the following properties have been verified so that they can fit the proposed DBN model.

FIGURE 10.

The mixture Gaussian decomposition of Alice’s RSSI sequence (dBm).

Show All

B. Model Comparisons

The three tasks for the conditional min-entropy estimation are conducted using the GeNIe Modeler and SMILE Engine,¹ which provides artificial intelligence modeling and machine learning software based on Bayesian networks. The performance of the proposed DBN model is compared with two existing models illustrated in Fig. 11: 1) the Hidden Markov model with Alice and one eavesdropper [40]; 2) the Hidden Markov model with Alice and five eavesdroppers [42].

FIGURE 11.

HMM based models (where 1 in the arc means first order Markov).

Show All

Parameter Learning Accuracy: Suppose each user’s RSSI sequence has been divided into chunks, each with $T=5$ consecutive measurements. For the user-specific 9755 chunks, the parameter learning algorithm, i.e., EM algorithm, uses 90% as the training set with 10-fold cross validation, and the remaining 10% is used as the test set. The model training/validation procedure set $y_{A}^{t}$ as target, and then learn the model parameters such that the target can be estimated based on the observed $y_{i}^{t}$ .

The validation and training accuracy for $y_{A}^{0}$ is given in Table 1. For the HMM model with $M=1$ eavesdropper, the validation and test performances are 0.11 and 0.14, respectively. That is, for the chunks in the validation dataset, the model can only accurately predicted 11% of the Alice’s RSSI value at time $t=0$ , and the remaining 89% of chunks are predicted with error. The low accuracy for the test dataset demonstrates that the physical layer key generation pipeline can be very secure.

TABLE 1 Parameter Learning Performance

For the HMM model, the learning accuracy decreases with the number of eavesdroppers $M$ because the state space for $y_{A}^{t}\times y_{i}^{t}$ increases from 48² to more than 48⁶. Note that although Fig. 8 shows 48 distinct RSSI measurement values for Alice, some eavesdroppers have up to 54 distinct RSSI values (not included in the figure because of the space limit). With the same number of data records (9775), the parameter learning accuracy decreases when the state space increases.

As we can see, the proposed DBN model outperforms the two existing HMM based models, because the test accuracy is up to 48%. This shows that the physical layer-key generation pipeline is not as secure as though by previous works. When $M$ increases, the DBN model accuracy degradation is much less obvious because the state space for $z_{A}^{t}$ is much smaller. Instead of 48 states, the number of possible Gaussian components for Alice is 7 (Fig. 10) and the numbers of components for eavesdroppers are all less than 10 (not demonstrated in the figure because of the space limit). This concludes the DBN model can better fit the collected real-world data.

Minimum Conditional Entropy Estimation: For the system with Alice and one eavesdropper, among the collected 9755 user-specific RSSI chunks, each unique eavesdropper’s sequence of length $T=5$ has been fed into the learned HMM model and DBN model as evidence. For each evidence chunk $y_{1}^{t}, t\in \mathcal {T}$ , the marginal probability of the eavesdropper’s RSSI observations and the maximum posterior probability of Alice’s RSSI measurements have been calculated via the junction tree and annealed MAP algorithm. The summation of the product of marginal probability and maximum posterior probability are used to estimate the minimum conditional entropy, and the results are 14.94 and 14.39 for the HMM model and the proposed DBN model, respectively. The reduction in the entropy estimates proves that the DBN model can better evaluate the information leakage. Note that estimates with collected $y_{1}^{t}$ in Table 2 are not the exact minimum conditional entropy because not all the possible evidence chunks are included in the 9755 chunks. When all of the possible evidence chunks are included, the product summation will increase and the entropy will drop for both HMM and DBN models.

TABLE 2 Minimum Conditional Entropy Estimates

For the DBN model, instead of using RSSI measurement as evidence, $z_{1}^{t}, t\in \mathcal {T}$ has been used as evidence as well. Since the state space of $z_{1}^{t}$ is smaller, the entropy is reduced to 10.72. Similarly, when all of the possible $z_{1}^{t}$ is considered, the minimum conditional entropy of DBN model with first order Markov property is reduced further to 10.25. Furthermore, when the Markov order is increased to 4, the entropy is reduced to 8.56. This concludes that the proposed DBN model can better quantify the information leakage and obtain more accurate security performance measurement for the physical layer key generation pipeline.

C. The DBN-Based Security Quantification for IoT Networks

For IoT networks, the security performance of the physical layer-based key depends on the randomness inherent in the wireless channel. If the key generation pipeline is deployed in the stationary wireless sensor network, the slowly changing wireless channel characteristics will increase the order of the Markov property, because the consecutive probing signals received by each user, such as Alice, can be highly correlated, even identical. In this case, the proposed DBN model can still measure the security performance of the generated key because an edge between correlated vertices (from $z_{A}^{t}$ to $z_{A}^{t+1}$ ) can be flexibly added into the model structure. However, the security performance will drop, as shown in Table 2 with the Markov order being 4, i.e., there are 4 directed edges from $z_{A}^{t}$ to $z_{A}^{t+1}$ , $z_{A}^{t+2}$ , $z_{A}^{t+3}$ , and $z_{A}^{t+4}$ , respectively.

For the IoT system with high order Markov property, to guarantee the conditional min-entropy, one approach is downsampling the probing sequence [40], which can increase the time interval of time series being fed into the DBN model. The second approach relies on the privacy amplification scheme designed in Step 4 of Fig. 2. The first approach will take longer to generate one key, and the second approach requires the computing resources of the IoT devices. Nonetheless, the proposed model can guide whether the security enhancement schemes have reached the desired performance level.