CSI-based versus RSS-based Secret-Key Generation under Correlated Eavesdropping

Francois Rottenberg, Trung-Hien Nguyen, Jean-Michel Dricot, Francois Horlin, Jerome Louveaux
2020 IEEE Transactions on Communications  
Physical-layer security (PLS) has the potential to strongly enhance the overall system security as an alternative to or in combination with conventional cryptographic primitives usually implemented at higher network layers. Secret-key generation relying on wireless channel reciprocity is an interesting solution as it can be efficiently implemented at the physical layer of emerging wireless communication networks, while providing information-theoretic security guarantees. In this article, we investigate and compare the secret-key capacity based on the sampling of the entire complex channel state information (CSI) or only its envelope, the received signal strength (RSS). Moreover, as opposed to previous works, we take into account the fact that the eavesdropper's observations might be correlated and we consider the high signal-to-noise ratio (SNR) regime where we can find simple analytical expressions for the secret-key capacity. As already found in previous works, we find that RSS-based secret-key generation is heavily penalized as compared to CSI-based systems. At high SNR, we are able to precisely and simply quantify this penalty: a halved pre-log factor and a constant penalty of about 0.69 bit, which disappears as Eve's channel gets highly correlated.

Index Terms: Secret-key generation, RSS, CSI, physical-layer security.

[...] consider the case where Eve's observations are correlated with the ones of Alice and Bob, which can occur in many practical situations. Related works are detailed in the next subsection while our contributions are presented in the subsequent subsection.

B. State of the Art

This study falls into the broad field of physical-layer security (PLS), which has attracted much interest in the recent decade as a competitive candidate to provide authentication, integrity and confidentiality in future communication networks [5]-[7]. We refer to [4] for an overview on the area. In the context of secret-key generation based on wireless reciprocity, there has been a large amount of related works, both from theoretical and experimental aspects [8]-[10]. In several recent approaches, more general models than the source model have been considered for secret-key generation, taking advantage of the channel to transmit part of the key [11], [12].
Many works have considered using RSS as a source of randomness for secret-key generation [13]-[19]. In [20], the authors show how to exploit the channel diversity coming from the multipath nature of the channel. The work of [21] leverages the use of multiple-antenna systems. In [22], the authors incorporate the orthogonal frequency division multiplexing (OFDM) modulation and carrier frequency offset as a way to increase bit generation in static environments with limited mobility. The choice of using RSS over full CSI is mainly due to its practical convenience. As opposed to CSI, RSS indicators are usually available at the higher layers of the communication layers, allowing for simple implementation of the key distillation procedure, relying on the legacy network infrastructure (no need to change the physical layer). Moreover, RSS is intrinsically more robust to phase offsets between Alice and Bob, relaxing constraints on the hardware, the synchronization and the reciprocity calibration. On the other hand, in the full CSI approaches, the reconciliation of phase information between legitimate users requires tightly synchronized nodes. A key selling point of PLS versus its cryptographic counterparts is its low implementation complexity, which is particularly suited in applications such as the Internet-of-Things or sensor networks where low power devices are used. In this context, the RSS approach can be more suited than the full CSI one.

The main disadvantage of RSS-based secret-key generation is that it does not use the full channel information and thus achieves a lower secret-key capacity than its CSI-based counterpart. In certain PLS applications, larger data rates and thus key sizes are targeted, using more powerful devices. For these use cases, using the full CSI approach can be more suited than the RSS one.
CSI-based secret-key capacity is generally easier to characterize analytically, which has been done in a large number of works [23], [24], relying on multi-antenna systems [25]-[29], ultrawideband channels [30], and on the OFDM [31]-[34]. The authors in [20] analytically compare [...]

[...] applicable for our channel model. Furthermore, other works have already compared RSS and CSI-based approaches taking into account correlated eavesdropping, such as [35]. However, the studies were mostly conducted experimentally and not analytically.

More specifically, our contributions can be summarized as follows: 1) We evaluate lower and upper bounds on the secret-key capacity for both the complex (full CSI) and the envelope (RSS) cases. In the complex case, we obtain simple closed-form expressions, while, in the envelope case, the bounds must be evaluated numerically. Some of the expressions in the complex case were already obtained in previous works. We chose to present them again in this work to provide a systematic framework and useful comparison benchmarks for the envelope case. 2) We show that, in a number of particular cases, the lower and upper bounds become tight: low correlation of the eavesdropper, relatively smaller noise variance at Bob than Alice (and vice versa) and specific high signal-to-noise ratio (SNR) regimes. 3) We show that, as soon as Alice (or Bob since everything is symmetrical) samples the envelope of her channel estimate, the other parties do not lose information by taking the envelopes of their own channel estimates. 4) We show that, in the high SNR regime, the bounds can be evaluated in closed-form and result in simple expressions.
The penalty of envelope-based versus complex-based secret-key generation is: i) a pre-log factor of 1/2 instead of 1, implying a slower slope of the secret-key capacity as a function of SNR and ii) a constant penalty of 0.69 bit, which disappears as Eve's channel gets highly correlated.

The rest of this article is structured as follows. Section II describes the transmission model used in this work. Sections III and IV study the secret-key capacity based on complex and envelope sampling, respectively. Section V numerically analyzes the obtained results. Finally, Section VI concludes the paper.

Notations

Matrices are denoted by bold uppercase letters. A non-bold uppercase letter refers to a random variable. Superscript * stands for the conjugate operator. The symbol (.) denotes the real part.  is the imaginary unit. |A| is the determinant of matrix A. The letters e and γ refer to the Euler number and the Euler-Mascheroni constant respectively. h(.) and I(.; .) refer to the differential entropy and the mutual information respectively. We use the notation f(x) = O(g(x)), as x → a, if there exist positive numbers δ and λ such that |f(x)| ≤ λg(x) when 0 < |x − a| < δ.
doi:10.1109/tcomm.2020.3040434 fatcat:qluvdnhoa5bxhjywrxukflvdpe