IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 1

ARQ-Based Symmetric-Key Generation Over Correlated Erasure Channels

Yahya Sowti Khiabani and Shuangqing Wei

Abstract—This paper focuses on the problem of sharing secret keys using Automatic Repeat reQuest (ARQ) protocol. We consider cases where forward and feedback channels are erasure channels for a legitimate receiver (Bob) and an eavesdropper (Eve). In prior works, the wiretap channel is modeled as statistically independent packet erasure channels for Bob and Eve. In this paper, we go beyond the state-of-the-art by addressing correlated erasure events across the wiretap channel. The created randomness is shared between two legitimate parties through ARQ transmissions and is mapped into a destination set using a first-order digital filter with feedback. Then, we characterize Eve’s information loss about this shared destination set, due to inevitable transmission errors. This set is then transformed into a highly secure key using privacy amplification in order to intensify and exploit Eve’s lack of knowledge. We adopt two criteria for analysis and design of the system: secrecy outage probability as a measure of the secrecy quality, and secret key rate as a metric for efficiency. The resulting secrecy improvement is presented as a function of the correlation coefficients and the erasure probabilities for both channels. It is shown that secrecy improvement is achievable even when Eve has a better channel than legitimate receivers, and her channel conditions are unknown to legitimate users.

Index Terms—Automatic repeat request, correlation coefficient, secret key rate, universal hashing, wiretap channel.

I. INTRODUCTION

The broadcast nature of wireless transmissions makes them more vulnerable from a security perspective. Traditionally, security can be provided using cryptographic approaches, mainly relying on generation, sharing and renewing of secret keys [1]. However, key management is deemed quite challenging in wireless networks. Maurer et al. in [2] considered information theoretic key agreement in noisy communication channel based on common randomness and public discussion. They have defined secret key rate as the maximal achievable rate at which secret key can be generated by legitimate partners (Alice as transmitter and Bob as receiver) about which an eavesdropper (Eve) has virtually no knowledge.

Among physical layer based key management techniques, some have utilized the well known ARQ protocol to facilitate exchange of secret keys between Alice and Bob [3], [4]. In [5] the authors have proposed using the ARQ mechanism to generate secrets by taking advantage of Eve’s inevitable information loss due to transmission errors. In this approach, dynamic secrets are extracted from created common randomness using universal class of hash functions [6]. However, in all of these works the feedback channel is assumed to be error-free, which is not satisfied in mobile radio environment. In [7], we considered a key management scheme similar to [5], and characterized a two-way communication channel model where the feedback channel is assumed to be a Binary Erasure Channel (BEC). Previously, in ARQ communications, feedback transmission was also modeled as erasure channels [8], [9].

In all of these schemes, it is assumed that erasure events for Bob and Eve are statistically independent. However, in real radio communications, there could be correlation between channels from a transmitter to different receivers depending on the availability of line-of-sight, physical deployment of the receiver antennas and the presence or absence of scatterers [10]. In [11] information loss in terms of reduction in secrecy capacity due to the correlation in wiretap channel is quantified. In [12] the effects of correlation between packet erasures at Bob and Eve on the performance of LDPC based secrecy coding scheme were addressed.

Our work lies in a different category than the works in [11], [13], [14] that rely on secrecy capacity measure, nor do we design specific codes for correlated wiretap channel as [12]. This work is based on Maurer’s work [2] where key distilling problem from common randomness is studied. In cryptography community this problem is addressed based on extracting strong security from a weakly secure source that is common between two parties [15]. The main goal in this area is to increase generation rate of a sufficiently secure key.

In this work a key scheduling algorithm based on ARQ transmission mechanism used in [5], [7] is revisited, analyzed more thoroughly, and further modified to address more challenging technical issues such as synchronization and correlation. The key contributions can be summarized below:

1) One of the main issues in ARQ mechanism used to generate shared randomness is synchronization. We show that even with erasure feedback channel, synchronization between Alice and Bob in selection of a random body of transmitted data, called One-Time-Frame (OTF) set, can be guaranteed using the proposed reconciliation protocol.

2) For performance analysis we design an optimized attack strategy based on binary hypothesis testing [16] allowing Eve to estimate this common randomness.

3) We design a digital filter based mapping and apply it over OTF set to generate a destination set constituting shared random data between legitimate users. It allows Alice and Bob to take advantage of possible mistakes in Eve’s decisions due to transmission errors in order to cause further information loss for her. This lack of knowledge will next be manipulated by applying privacy amplification to establish secure keys.

4) In our correlated wiretap channel model we consider correlation between erasures in main and eavesdropper’s channel and then study its negative influence on both secrecy and efficiency of the designed scheme. We analyze the trade-off between secrecy measured in terms of secrecy outage rate and efficiency in terms of secret key rate and design system parameters to achieve the required secrecy and efficiency.

In simulations, evaluation of the achieved secrecy shows that for almost all channel conditions the required security enhancement can be attained, even when erasures are correlated and Eve has a better channel than that between legitimate users. Simulations also demonstrate that even in unknown wiretap channel condition a good secrecy is achievable.

Correlated wiretap channel model is illustrated in Section II, and reconciliation strategy is explained in Section III. The proposed attack strategy for Eve and its analysis is presented in Section IV followed by description of the mapping strategy in Section V. In Section VI we analyze the performance of the designed system in terms of secrecy and efficiency. Numerical and simulation results are illustrated in Section VII. Proofs and a preliminary on information theory are provided in Appendix.

Manuscript received April 17, 2012; revised August 02, 2012 and March 30, 2013; accepted May 12, 2013. Date of publication May 21, 2013. This work was supported in part by the Board of Regents of Louisiana under Contracts LEQSF(2009-11)-RD-B-03 and LEQSF-EPS(2012)-PFUND-282. The authors are with the School of Electrical Engineering and Computer Science, Louisiana State University (LSU), Baton Rouge, LA 70803 USA. Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org. Digital Object Identifier 10.1109/TIFS.2013.2264461

1556-6013/$31.00 © 2013 IEEE

Fig. 1. Erasure forward and backward channel model for wiretap channel.

II. CORRELATED CHANNEL MODEL

We consider the wiretap channel with memoryless packet erasure channel (PEC) model, where erasures for Bob and Eve are correlated. In our model, ARQ is added for authenticated users as shown in Fig. 1. We use frame structure where number of packets, encrypted using the same symmetric key and then encoded according to a specific encoding rule, will be encapsulated into a frame. Alice transmits these packets over the main channel to an intended recipient called Bob. Across packet erasures occur with probability . Bob is permitted to request retransmission of any missing packets up to times using a feedback channel . When he decodes a packet correctly he sends back a bit 1 as an ACK, otherwise he returns a bit 0 as a NACK. Alice receives these feedback bits through modeled as a BEC with bit erasure probability .

Eve as a passive eavesdropper observes transmitted or retransmitted packets through a wiretap channel modeled as a PEC with packet erasure probability . She is supposedly aware of the decoding rule and is also able to observe feedback messages through a backward wiretap channel where bit erasures occur with probability . Since and are memoryless, erasures occur independently within each channel. However, packet erasures between two channels are correlated with correlation coefficient . We define two Bernoulli random variables and with values in the set {0, 1}, where one indicates erasure and zero indicates correct reception of a packet at one-time transmission. Hence, and . Let . Then, and . Pearson correlation coefficient between random variables and can be written as [17], [12]

(1)

We should note that given a value for and , cannot take every value in the interval [0,1] and will be bounded by the functions of erasure probabilities. By considering that and , and the fact that where , we can get the following bounds for

(2)

If we define Bernoulli random variables and for erasure events in feedback channels and , respectively, we will have and . Let . Then, across feedback channels these bit erasures are correlated with correlation coefficient of

(3)

Similar to , there also exist bounds for . Finally, we have

(4)
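The correlated erasure model of this section, worked through as an added example (it is not code from the paper). It builds the joint first-transmission erasure distribution for Bob and Eve from two erasure probabilities and a Pearson coefficient, and computes the range of coefficients those probabilities allow. The names `p_bob`, `p_eve` and `rho` are chosen here, since the paper's symbols did not survive extraction; the formulas are the standard ones for two Bernoulli variables.

```python
import math
import random


def _scale(p_bob, p_eve):
    # Product of the standard deviations of the two Bernoulli erasure indicators.
    return math.sqrt(p_bob * (1 - p_bob) * p_eve * (1 - p_eve))


def rho_bounds(p_bob, p_eve):
    """Feasible range of the Pearson coefficient for the given erasure rates.

    Follows from max(0, p_bob + p_eve - 1) <= P(both erased) <= min(p_bob, p_eve).
    """
    s = _scale(p_bob, p_eve)
    lo = (max(0.0, p_bob + p_eve - 1) - p_bob * p_eve) / s
    hi = (min(p_bob, p_eve) - p_bob * p_eve) / s
    return lo, hi


def joint_erasure_pmf(p_bob, p_eve, rho):
    """Joint pmf over (Bob erased, Eve erased); 1 = erasure, 0 = reception."""
    lo, hi = rho_bounds(p_bob, p_eve)
    if not lo - 1e-12 <= rho <= hi + 1e-12:
        raise ValueError(f"rho must lie in [{lo:.4f}, {hi:.4f}]")
    both = p_bob * p_eve + rho * _scale(p_bob, p_eve)
    pmf = {
        (1, 1): both,
        (1, 0): p_bob - both,
        (0, 1): p_eve - both,
        (0, 0): 1 - p_bob - p_eve + both,
    }
    # Clamp tiny negative values caused by floating-point rounding at the bounds.
    return {k: max(0.0, v) for k, v in pmf.items()}


def eve_gets_what_bob_gets(pmf):
    """P(Eve receives | Bob receives) for a first transmission."""
    return pmf[(0, 0)] / (pmf[(0, 0)] + pmf[(0, 1)])


def empirical_rho(pmf, n, seed):
    """Sample n first transmissions and estimate the Pearson coefficient."""
    rng = random.Random(seed)
    draws = rng.choices(list(pmf), weights=list(pmf.values()), k=n)
    mb = sum(b for b, _ in draws) / n
    me = sum(e for _, e in draws) / n
    mbe = sum(b * e for b, e in draws) / n
    return (mbe - mb * me) / math.sqrt(mb * (1 - mb) * me * (1 - me))


if __name__ == "__main__":
    # Constructed channel parameters: Eve has the better channel (0.1 < 0.2).
    for rho in (0.0, 0.3, 0.6):
        pmf = joint_erasure_pmf(0.2, 0.1, rho)
        print(f"rho={rho}: P(Eve receives | Bob receives) = "
              f"{eve_gets_what_bob_gets(pmf):.4f}")
    print("feasible rho range:", rho_bounds(0.2, 0.1))
```

With positive correlation, the packets Bob receives on the first try, which are the OTF candidates, are more likely to reach Eve as well; this is the loss of secrecy that the later sections quantify.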

III. RECONCILIATION STRATEGY

In this key management scheme only packets that are decoded correctly at the first transmission and whose corresponding feedbacks are received error-free by Alice are selected to be in the OTF set. Once the number of packets in the collected OTF reaches the threshold , they will stop putting packets into it. The main purpose of reconciliation step is to make sure that legitimate users have no disagreement upon this randomly selected body of transmitted data. The next step is to apply a mapping strategy to generate a destination set that will be next used to extract secret keys by applying a mutually agreed universal hashing function over it. Each packet format contains three important fields: a retransmission flag that is set to 1 by Alice when a packet is retransmitted to let Bob know that it does not belong to OTF, a unique sequence number assigned to each packet, which is the sequence number of the previous packet in the frame incremented by one, and a dropping flag used for synchronization purposes.

In this scheme, we use Stop and Wait protocol (SW), that requires Alice to wait for the response from Bob, which is the feedback message represented by a bit belonging to the set . Whenever Alice receives ACK, represented by bit 1, she finds out that a new packet has to be transmitted, but once she receives a NACK feedback, represented by bit 0, she realizes that the packet has to be retransmitted, thereby suggesting that it is not in OTF. The erased bit represents the case when Alice has not received the feedback message at the required time interval. In this protocol, if the current packet is received correctly at first transmission, and the next received packet is a new one with a different sequence number, the receiver can identify that the current packet belongs to OTF. Each packet can be retransmitted at most times to make it more likely for Bob to correctly decode it. If no ACK is received within retransmissions, Alice drops the packet.

TABLE I. DENOTATIONS

One of the main problems in this algorithm is OTF synchronization issue because there is possibility of discrepancy between Alice and Bob. For instance, assume that Bob has received a packet correctly in the first transmission, yet ACK has not gone through the backward channel in any of its retransmissions. Since Alice has not received any ACK, she will decide to drop the packet and transmit a new one. Next, Bob receives a packet with a different sequence number, leading him to put the previous packet into OTF. We include a dropping flag in each packet to avoid such problems which is set to one for a packet when the number of consecutively dropped packets prior to it is odd, and zero otherwise.

Suppose that at the beginning of each frame, the timers on both sides launch and increment by one with each packet transmission. Consider the denotations in Table I. Let the next correctly received packet arriving at time have the sequence number of and the dropping flag sign of . Therefore, Bob realizes that there were dropped packets within the time interval . Whenever is odd and , or is even and , he finds out that packet is dropped and does not belong to OTF. The pseudo-codes for Alice and Bob’s OTF packets selection strategies are presented in Tables II, III. Alice puts a packet into OTF if at first transmission, the received feedback . On the other side, from , Bob can realize that it is not a retransmission, and also by observing , and he finds out it is not dropped and belongs to OTF.

When Alice and Bob make decisions based on these strategies, it can be guaranteed that their synchronization error on OTF set is zero, and both completely agree on OTF packets that later on will be used as a basis to establish secret keys. As a result, packets that are received correctly with probability and whose feedbacks are received correctly with probability , will be in common OTF set with the probability of

(5)

TABLE II. ALICE’S OTF STRATEGY

TABLE III. BOB’S OTF STRATEGY

IV. EVE’S ATTACK STRATEGY AND ITS PERFORMANCE

Even though Eve is able to eavesdrop retransmissions as well as feedback messages, unlike Alice and Bob, she is not certain of synchronization with users. In fact, that is because her transmission errors are partially independent from the errors in the main channel, and she is unable to directly communicate with the transmitter, or for instance ask for retransmission as Bob does. As a result, she has to determine a strategy to make decisions based on the eavesdropped data.

Let indicate a packet that Eve has received correctly with sequence number , associated feedback message and retransmission flag . Let also denote Eve’s next correctly received packet. Note that to decide which packets are in OTF, Eve has to make the best use of her obtained information about these packets. There are some cases that help Eve confidently know what exactly users did with the packet . For instance, when is one, or is zero, she can ascertain that packet does not belong to OTF.

In other cases where , Eve has to make a guess about packet based on her main observation which is the feedback message, . In this scheme Eve uses binary hypothesis testing based on Maximum A-Posteriori Probability (MAP) rule [16] as her strategy in distinguishing OTF packets. Let be the hypothesis that packet is in Alice and Bob’s OTF and otherwise. Assuming that packet is the same packet which is simultaneously received by Bob, according to the MAP decision rule, for the received feedback by Eve, she decides that packet belongs to OTF set if

(6)

indicates the random variable associated with one-time transmission of packet , i.e. means packet is received correctly by Eve. The following theorem with the provided proof in Appendix B gives us a more explicit idea about Eve’s decision rule.

Theorem 1: Assume that Eve makes a decision based on the MAP rules in (6). Then, for a correctly received packet when she receives feedback 1, she makes a decision in favor of if , where is defined as

(7)

On the other hand, when she receives an erased feedback, she makes decision in favor of if which is defined as

(8)

Accordingly, the pseudocode for Eve’s attack strategy in distinguishing OTF packets is presented in Table IV.

TABLE IV. EVE’S ATTACK STRATEGY

In order to analyze Eve’s performance, we need to investigate how much discrepancy her OTF has with the actual one, namely with what probability she misses an OTF packet, called OTF missing probability , or chooses a non-OTF packet, called false OTF probability . is the probability that given hypothesis has occurred for packet , Eve does not choose it as an OTF packet. is the probability that given hypothesis , Eve puts into OTF. In Lemma 1, whose proof is given in Appendix C, we compute these probabilities.

Lemma 1: In our scheme, if Eve uses the proposed attack strategy, she misses one OTF packet with the probability of

(9)

Moreover, she puts a wrong packet into OTF with probability

(10)

where is the indicator function, which is equal to 1 when holds. and are provided in (4).

V. EVE’S MISALIGNMENT AND OTF MAPPING STRATEGY

Whenever Eve has a miss-detection, by missing a packet or putting a wrong packet into OTF, assuming that her next OTF packets are selected correctly, her gathered OTF set respectively moves one packet size backward or forward compared to the original set. Hereafter, she loses her OTF alignment with Alice and Bob, and in order to realign with the users, she has to have the same number of OTF missing events as the false OTF packets. However, if Alice and Bob take a strategy by mapping OTF into a destination set where once a misalignment occurs, the resulted error propagates to upcoming packets, any miss-detection for Eve would be equivalent to missing the rest of the transformed data.

A possible mapping strategy is a simple digital filter with a delayed feedback. Let and denote respectively the packet in the original OTF and in the destination set, where . After applying this transformation, whose block diagram is depicted in Fig. 2, will be the result of XOR of and . Note that only the random body of each OTF packet will be used in this mapping. Let be the maximum possible number of packets within the frame. If each packet has size , by excluding the sequence number as well as two bit flags, only bits of each packet will be transformed, so ’s have size , and the generated destination set will be of size .

Fig. 2. Block diagram of the simple digital filter used for mapping OTF set.

Consider a simple case when the number of packets within OTF set is . In Table V Alice and Bob’s OTF as and Eve’s OTF as (starting from the second packet) are illustrated when Eve misses and has a false event by choosing . In this case even though has missed its alignment at the second packet, it realigns with at resulting in only two packet discrepancies between them. The resulted destination set for legitimate users as and for Eve as are given in Table V. We assume that ’s are generated uniform randomly, so for instance for the third and the fourth packets in , behaves like an additive noise with error rate of 0.5. That is why when a misalignment occurs, for the remaining packets in , missed or false OTF packets act like additive noise to further deceive Eve. In other words, every miss-detection causes an uncertainty for her that accumulates in upcoming packets, resulting in a larger uncertainty for Eve in her destination set. In general, when there is a miss-detection at packet, by utilizing the suggested mapping strategy, any realignment for Eve becomes highly unlikely, and it can be guaranteed that there will be errors in the rest of packets of Eve’s destination set.

TABLE V. ALICE-BOB AND EVE’S OTF AND DESTINATION SETS
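The error propagation described in this section, reproduced as an added example (not code from the paper). It assumes the filter is y[i] = x[i] XOR y[i-1] with an all-zero initial state, uses 16-byte packet bodies derived from SHA-256 as constructed stand-ins for random data, and replays the case where Eve misses one OTF packet and later accepts one false packet.

```python
import hashlib

PACKET_LEN = 16  # bytes of random body per packet (size chosen for this example)


def body(label):
    """Constructed stand-in for the random body of one packet."""
    return hashlib.sha256(label.encode()).digest()[:PACKET_LEN]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def map_otf(otf):
    """XOR filter with one-packet delayed feedback: y[i] = x[i] ^ y[i-1].

    The all-zero initial state is an assumption of this example.
    """
    dest, prev = [], bytes(PACKET_LEN)
    for x in otf:
        prev = xor(x, prev)
        dest.append(prev)
    return dest


def eve_otf(otf, missed, false_pkt=None, false_at=None):
    """Eve's OTF guess: she misses the packet at index `missed` and, if given,
    wrongly accepts `false_pkt` at list position `false_at`."""
    guess = [p for i, p in enumerate(otf) if i != missed]
    if false_pkt is not None:
        guess.insert(false_at, false_pkt)
    return guess


def discrepancies(a, b):
    """Indices where two packet lists differ (compared over the shorter one)."""
    return [i for i, (p, q) in enumerate(zip(a, b)) if p != q]


def bit_error_rate(a, b):
    diff = xor(a, b)
    return sum(bin(byte).count("1") for byte in diff) / (8 * len(diff))


def miss_then_false():
    """Eve misses packet 1 and accepts a false packet, so her OTF realigns."""
    otf = [body(f"otf-{i}") for i in range(8)]
    eve = eve_otf(otf, missed=1, false_pkt=body("non-otf"), false_at=2)
    dest, eve_dest = map_otf(otf), map_otf(eve)
    return {
        "raw": discrepancies(otf, eve),          # before mapping
        "mapped": discrepancies(dest, eve_dest),  # after mapping
        "ber_last": bit_error_rate(dest[-1], eve_dest[-1]),
    }


def miss_only():
    """Eve misses packet 1 and never realigns."""
    otf = [body(f"otf-{i}") for i in range(8)]
    eve = eve_otf(otf, missed=1)
    return discrepancies(map_otf(otf), map_otf(eve))


if __name__ == "__main__":
    result = miss_then_false()
    print("OTF discrepancies before mapping:", result["raw"])
    print("destination-set discrepancies   :", result["mapped"])
    print("bit error rate in last packet   :", round(result["ber_last"], 3))
    print("miss only, after mapping        :", miss_only())
```

Before mapping Eve is wrong in two packets only; after mapping every packet from the first miss-detection onward differs, even though her OTF set realigned.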

VI. SECRECY SCHEME DESIGN AND ANALYSIS

Privacy amplification is transforming a partially secure data string into a highly secure key about which Eve has arbitrary low knowledge. Among all techniques for privacy amplification, universal hashing is a well-known technique against deterministic eavesdropping [6]. A class of hash functions that maps an string into a string is universal if the collision probability for two distinct inputs is [6].

Throughout transmission of each frame by using the ARQ protocol and mapping strategy, Alice and Bob will generate a destination set upon which they both completely agree. When a function is chosen uniform-randomly from a universal class of hash functions, regardless of what distribution the actual input has, for sufficiently short output, the expected hash output will have a distribution close to uniform with maximum entropy. By the last packet of the frame, Alice will transmit this chosen function to Bob that will be applied over the produced destination set to extract secret keys, later on being used as a symmetric key for encryption of the next frame. As a result, for a short hash output they can make sure that Eve, given her knowledge, gets arbitrarily negligible information about it.

In order to analyze the designed secrecy scheme, we define appropriate metrics whereby the required secrecy and efficiency for the system can be regulated. We define outage probability as the probability that the aimed information theoretic secrecy is not achieved, based on which system parameters will be designed. Furthermore, we use secret key rate to measure secrecy throughput and efficiency of the scheme.
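An added sketch of the privacy amplification step (not the paper's code). It uses random binary Toeplitz matrices as one well-known universal hash class, and sizes the key with the standard privacy-amplification bound for universal hashing: with output length r = n - t - s, Eve's expected information is at most 2^-s / ln 2 bits. The symbols n, t, s, r and eps, the choice of Toeplitz hashing and all sample values are assumptions of this example.

```python
import math
import random


def key_length(n, t, eps):
    """Return (r, s): key length r = n - t - s for the smallest safety
    parameter s whose bound 2**-s / ln 2 on Eve's information is <= eps."""
    s = max(1, math.ceil(math.log2(1 / (eps * math.log(2)))))
    r = n - t - s
    if r <= 0:
        raise ValueError("not enough bits unknown to Eve to extract a key")
    return r, s


def toeplitz_hash(bits, seed_bits, r):
    """Multiply an r x n binary Toeplitz matrix by `bits` over GF(2).

    Entry (i, j) of the matrix is seed_bits[i - j + n - 1], so the whole
    hash function is described by n + r - 1 public bits.
    """
    n = len(bits)
    if len(seed_bits) != n + r - 1:
        raise ValueError("seed must have n + r - 1 bits")
    out = []
    for i in range(r):
        acc = 0
        for j in range(n):
            acc ^= seed_bits[i - j + n - 1] & bits[j]
        out.append(acc)
    return out


def hamming_fraction(a, b):
    return sum(x != y for x, y in zip(a, b)) / len(a)


def demo(seed=2013, n=256, t=64, eps=2 ** -20):
    """Alice and Bob hash the same destination set; Eve hashes her own view.

    Eve's view is constructed: the first t bits are correct (what the oracle
    model grants her), the rest are corrupted by error propagation and are
    modelled here as independent random bits.
    """
    rng = random.Random(seed)  # fixed seed for reproducibility of the example
    r, s = key_length(n, t, eps)
    dest = [rng.getrandbits(1) for _ in range(n)]
    eve_view = dest[:t] + [rng.getrandbits(1) for _ in range(n - t)]
    # Alice picks the hash function and sends it in the clear with the frame.
    seed_bits = [rng.getrandbits(1) for _ in range(n + r - 1)]
    key_alice = toeplitz_hash(dest, seed_bits, r)
    key_bob = toeplitz_hash(list(dest), seed_bits, r)
    key_eve = toeplitz_hash(eve_view, seed_bits, r)
    return r, s, key_alice, key_bob, key_eve


if __name__ == "__main__":
    r, s, ka, kb, ke = demo()
    print(f"key length r = {r} bits, safety parameter s = {s}")
    print("Alice and Bob agree:", ka == kb)
    print("fraction of key bits Eve gets wrong:", round(hamming_fraction(ka, ke), 3))
```

The hash function itself is public; the secrecy of the key comes only from the destination-set bits Eve does not hold.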

A. Outage Probability based on a New Oracle Model

In [6], the additional information that a virtual oracle freely gives Eve is considered as an auxiliary random variable that simplifies secrecy analysis for privacy amplification. Assume that a virtual oracle freely informs Eve in which packet she first missed her alignment with Alice-Bob OTF. Let this packet be the OTF packet, so that Eve knows with a high probability she has observed packets, with length denoted by , correctly from the actual destination set . Nonetheless, she will have error propagation in the remaining packets because of using the proposed mapping strategy. Eve cannot correct her mistake by using this additional information because she has no idea what kind of miss-detection has occurred or what happened after this misalignment. Literally, the secrecy that system obtains in the presence of this oracle provides a lower-bound of the actual secrecy that scheme could have gained without giving such a privilege to Eve.

Let and function be an arbitrary eavesdropping function, with , where is the length of the input string . Alice and Bob arbitrarily choose a function from a universal class of hash functions, mapping into , and then apply it over to get a secret key of size , where . According to the corollary 5 in [6], Eve’s expected information about the secret key, given and , satisfies . As information theoretic secrecy goal, if we require the upper-bound of to be , the necessary is

(11)

for logarithm of base 2. But is the length of the input string after misalignment. Hence, for the required and given , the minimum required number of packet discrepancies between two sets denoted by has to be

(12)

Consequently, if we design the system in a way that with a high probability misalignment in OTF set happens at one of the first OTF packets, we can make sure that after mapping, it is very likely to have the number of different packets between and , denoted by , be more than . We define outage probability as the probability that , which actually is the probability that determined secrecy goal as is not satisfied. The following Theorem, proven in Appendix D, provides an upper-bound for outage probability.

Theorem 2: Let secrecy outage be the probability that there exists less than packet discrepancies between Eve’s destination set and the actual set. For the proposed secrecy scheme, is upper-bounded as

(13)

where is the number of packets in OTF. , and can be computed using (9), (10) and (5).

Note that in our analysis we will consider the worst case scenario where equality in (13) holds. Now we can determine the minimum average uncertainty that Eve has about the generated secret key. Let be a random n-bit string with uniform distribution over , and be the random variable indicating what Eve observes correctly from with the help of the oracle. Let us define as the probability that the length of is larger than bits for some , and let be a positive safety parameter, such that . With the probability , will take on values of that belong to the set constituted of subsets of with less than or equal to bits. In this case, as the most optimistic scenario for Eve, she will know bits correctly out of . If Alice and Bob choose as their universal hashing function from to , according to corollary 5 in [6] her information about the secret key with length will be upper-bounded as or in other words . Since this holds for every , by statistical averaging over , Eve’s average entropy about given and will be lower-bounded as

(14)

For with the length of , and bits, we can replace with its upper-bound in (13) to consider the most pessimistic scenario.

B. Secret Key Rate

The next step is to quantify and analyze efficiency of the de-signed secrecy system in terms of secret key rate. First of all,we need to design system parameters including the size of OTFset and data frame, to guarantee that the system is sufficientlysecure. As will be described later, these are two parameters thatmainly affect efficiency of the system. In order to maintain alarge uncertainty for Eve, according to (14), we need to havelarge enough and as small as possible. If is chosen basedon the determined in (11), with outage probability suffi-ciently close to 0, we can have a highly likely secure system,with Eve’s average entropy close to maximum. The number ofpackets in OTF, , can be lower-bounded accordingly to haveoutage probability stay below a threshold chosen to be suf-ficiently small, i.e.


(15)

only takes integer values, and is obtained by (12). Note that is positive.

We also need to have a sufficient number of packets within each frame to make sure that the number of OTF packets reaches the threshold . The probability that a packet is in OTF is . The total number of packets being in OTF out of packets has binomial distribution with parameter . We call the probability of having at least OTF packets within packets, success probability and denote it by . In order to have a sufficient number of packets within OTF set with a high probability, we can choose a threshold sufficiently close to 1 and determine the smallest for which

(16)
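The frame-sizing rule leading to (16) can be carried out numerically. This added example (not code from the paper) finds the smallest frame size whose binomial success probability meets a chosen threshold and cross-checks it with a seeded simulation; `frame_packets`, `otf_needed`, `p_otf` and `threshold` are assumed names for the quantities described above, and all sample values are constructed.

```python
import math
import random


def success_probability(frame_packets, otf_needed, p_otf):
    """P[at least otf_needed of frame_packets packets are in OTF].

    Each packet is in OTF independently with probability p_otf, so the count is
    binomial. The lower tail is summed in log space to avoid underflow.
    """
    if not 0.0 < p_otf < 1.0:
        raise ValueError("p_otf must lie strictly between 0 and 1")
    if otf_needed <= 0:
        return 1.0
    if frame_packets < otf_needed:
        return 0.0
    log_p, log_q = math.log(p_otf), math.log1p(-p_otf)
    below = 0.0
    for k in range(otf_needed):
        log_pmf = (math.lgamma(frame_packets + 1) - math.lgamma(k + 1)
                   - math.lgamma(frame_packets - k + 1)
                   + k * log_p + (frame_packets - k) * log_q)
        below += math.exp(log_pmf)
    return max(0.0, 1.0 - below)


def min_frame_size(otf_needed, p_otf, threshold, max_packets=100_000):
    """Smallest frame size whose success probability reaches the threshold."""
    if not 0.0 < threshold < 1.0:
        raise ValueError("threshold must lie strictly between 0 and 1")
    # The success probability grows with the frame size, so the first hit is minimal.
    for m in range(otf_needed, max_packets + 1):
        if success_probability(m, otf_needed, p_otf) >= threshold:
            return m
    raise ValueError("threshold not reachable within max_packets")


def simulated_success_rate(frame_packets, otf_needed, p_otf, frames=20_000, seed=1):
    """Fraction of simulated frames that collect at least otf_needed OTF packets."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(frames):
        in_otf = sum(rng.random() < p_otf for _ in range(frame_packets))
        hits += in_otf >= otf_needed
    return hits / frames


if __name__ == "__main__":
    # Constructed design point: 40 OTF packets needed, 60% of packets land in OTF.
    needed, p, target = 40, 0.6, 0.99
    m = min_frame_size(needed, p, target)
    print("smallest frame size:", m)
    print("success probability:", round(success_probability(m, needed, p), 5))
    print("one packet fewer   :", round(success_probability(m - 1, needed, p), 5))
    print("simulated          :", simulated_success_rate(m, needed, p))
```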

Clearly, with increase in the required number of packets in a frame, i.e. , goes up.

There is an outage probability that the number of OTF packets does not reach the required threshold . When such an outage occurs, Alice and Bob can use the existing OTF packets to complete OTF set. Suppose that Alice has already finished transmission of the whole frame but the created OTF set still lacks number of packets. In this case, since they both agree on the accumulated OTF packets, one possible alternative would be OTF refilling protocol which divides the existing OTF into partitions with equal size of packets and then selects one packet out of each subset in order to refill the remaining vacant positions. Note that rarely does this outage event occur for a well designed system, and hence its overall effect on Eve’s knowledge will be negligible.

Secret key rate is the maximal rate such that for every , there exists a public communication over an insecure but authenticated channel, over which Alice and Bob who agree upon a random data can generate keys and respectively, where with probability at least . Also, , and , where is data observed by Eve, and is the number of channel uses [2]. In our secrecy scheme, Alice and Bob both agree on a random data called destination set by using reconciliation protocol and mapping strategy, then they transform it into the secret key of length which is the same for both of them. Moreover, according to (14) since , we can compute Eve’s information about the key given her knowledge as . Namely, design of a system with a very low outage probability and sufficiently large results in a negligible key information for Eve. As a result, we achieved the required public transmission and can compute secret key rate as the length of the generated hash value over the total transmission cost which is the number of channel uses including retransmissions.

Assume that for the designed key generating ARQ protocol, due to throughput requirements the maximum number of allowed retransmissions per packet is set to be . In our scheme, given that a packet is received correctly, the probability that it is transmitted for times with is .

On the other hand, not being received correctly by Bob implies that the packet was transmitted for times. It is straightforward to show that the average number of trials per packet denoted by is

(17)

When is fixed and also sufficiently large, by the Strong Law of Large Numbers (SLL), the total number of transmissions denoted by for packets in the frame will be . For as the number of bits per packet, the number of channel uses is bits. Since secret key rate is the ratio of the generated key entropy over all channel uses, it can be obtained as

(18)

It should be noted that when to meet the secrecy requirements, is chosen to be the minimum possible value for which (16) is satisfied, gives us the maximum achievable key rate.

To study the trade-off between secrecy and efficiency of the system, we evaluate system performance in various settings of design parameters. If it is required to have a higher information theoretic secrecy meaning that a lower upper-bound for Eve’s information about the key, i.e. , is mandated, (11) and (12) show that higher and are needed. However, a system that is designed to guarantee a higher discrepancy between Bob and Eve turns out to have a lower secret key rate and a larger secrecy outage rate. That is because with decrease in the exponent of (13) due to the increase in since its base is less than 1, ascends, whereas according to (15) with increase in , and consecutively go up that brings about a lower based on (18). Accordingly, the threshold should be precisely determined, otherwise unnecessarily low can negatively affect both secrecy and efficiency.

If for a fixed channel condition, and specified $I_{sup}$ and $r$ resulting in a fixed $l$, the system designer tailors to a higher secrecy or a lower secrecy outage rate by regulating a lower outage threshold $T_{out}$, according to (15), it elevates $n_{ts}$ that causes $M$ to rise and $R_s$ to descend. Conversely, raising $R_s$ by reducing $M$ according to (16) lowers $n_{ts}$ and causes $P_{out}$ to ascend, as (13) indicates. Namely, $P_{out}$ increases with rising $R_s$, or having a higher efficiency requires a lower secrecy and vice versa. This trade-off between secrecy and efficiency should be taken into account in system architecture.

C. The Effect of Correlation on System Performance

To study the effect of correlation on the system secrecy, we need to investigate how it affects two defined secrecy metrics. Suppose that with some fixed forward and backward erasure rates, for a predetermined secrecy requirement, system parameters including , and are designed. We want to analyze how increase in correlation between erasures in main and eavesdropper channels influences outage probability. We only consider the case which is more conforming to the real world conditions in which transmission error rates are much smaller than 0.5. For , based on (9) and (10) we can obtain missing and false OTF probabilities as

ysowti1
Highlight
Please completely remove this paragraph.
Sticky Note
Please replace both paragraphs with: 'We should note that the threshold $I_{sup}$ should be precisely determined because unnecessarily low $I_{sup}$ will require higher $s$ and $l$ that according to Eq's (13), (18) result in a lower secret key rate and a larger secrecy outage rate. If for a fixed channel condition, and specified $I_{sup}$ and $r$ resulting in a fixed $l$, the system designer tailors to a higher secrecy or a lower secrecy outage rate by regulating a lower outage threshold $T_{out}$, according to Eq. (15), it elevates $n_{ts}$ that causes $M$ to rise and $R_s$ to descend. Conversely, raising $R_s$ by reducing $M$ according to Eq. (16) lowers $n_{ts}$ and causes $P_{out}$ to ascend, as Eq. (13) indicates. Namely, $P_{out}$ increases with rising $R_s$, or having a higher efficiency requires a lower secrecy and vice versa. This trade-off between secrecy and efficiency should be taken into account in system architecture.'

(19)

According to (4) with increase in , increases. Assuming that feedback erasure rates and are close to each other, the effect of and consequently on will be insignificant. However, (19) shows that with rising and therefore , falls that accordingly increases based on (13). Thus, for an already designed system, increase in correlation leads to a larger outage rate. On the other hand, if we design new system parameters, with increase in , as a result of reduction in , according to (15), system will require a larger as well as a larger to produce a lower secrecy key rate . It is also intuitively correct that the more correlated Eve’s forward channel erasures are with Bob’s, the more conforming her decisions about the received packets to Bob’s, reducing her uncertainty, so that more data will be transmitted to carry the same amount of uncertainty for her, thereby reducing secret key rate. In this case does not have any effect on because for , , according to Table IV, Eve’s decision does not depend on whether the received feedback bit is erased, making her performance independent of the correlation across backward channels. It could also be inferred from independence of and from in (19).

For by (9), (10), missing and false OTF probabilities can be rewritten as

(20)

In this scenario for already designed system, with increased and then , decreases whereas increases. However, from (20), when and are much smaller than 1, the effect of on increasing can be assumed to be negligible. This prevailing effect on reducing causes to go up, by (13), and for a new design, according to (15), requires system to have a larger and reducing secret key rate. Unlike , here increase in impacts system performance as for an erased feedback, Eve decides not to put packet in OTF. For an already designed system parameters, by (4) once rises with increase in , according to (20), both and decrease causing to increase. On the other hand, for a new design it reduces by requiring a larger . Overall, correlation in both forward and backward channels influences secrecy and efficiency of the system in a negative way by decreasing and increasing .

VII. SIMULATION RESULTS

Our objective in simulations is to evaluate secrecy and efficiency of the designed scheme in various channel conditions. We assume that there exists no discrepancy between Alice and Bob using reconciliation strategy, and that the number of packets in OTF always reaches to by OTF refilling protocol. In these simulations, we require implying that the upper-bound on Eve’s information about secret key does not exceed which is sufficiently negligible.

For the maximum number of packets within each frame chosen to be with each packet of length s, we remove number of bits dedicated for sequence number as well as two flag bits from the packet to get random part used for key establishment. For the generated key length of , according to (12), the minimum required number of packet discrepancies for Eve will be . We set the thresholds , and choose , so packets can only be transmitted once.

Fig. 3. Obtained secret key rate in terms of forward and backward correlation coefficients with and .

A. Numerical Analysis Based on Secret Key Rate

In numerical analysis we experiment how secret key rate changes with varying correlation. It is assumed that wiretap channel quality is better than the main channel as but . Then, for different forward and backward correlation coefficients, based on the secrecy requirement , and are computed using (15), (16). Namely, for an upper-bounded , each and result in a different secret key rate based on (18). For , since , increase in from 0 to 0.8 reduces from 0.135 to 0.075 as illustrated in Fig. 3 which conforms with our analysis. As was expected, in this case does not have any effect on . However, for , we get , and therefore with increase in , secret key rate goes down to about 0.04 for large and , as shown in Fig. 3. Note that correlation coefficients are upper-bounded based on (2). These results show that even when Eve has a better channel than legitimate users, our scheme can provide secrecy for the established key except for highly correlated channel errors.

B. System Robustness Against Various Channel Conditions

In our simulation we study whether for all channel conditions, the designed system maintains its robustness for required secrecy criterion, i.e. . To study how forward channel erasure rates influence system performance, throughout this simulation a consistent condition for feedback channel as , as well as fixed correlation coefficients are considered. For the predetermined , we get , meaning that outage occurs when the number of mismatches between Eve’s destination set and the actual set is less than 11. Suppose that Alice is aware of the main and wiretap channel conditions such that for each different and , determines and . Then, for the designed system,

ysowti1
Sticky Note
Please replace all of it with: 'In this case $\psi$ does not have any effect on $R_s$ due to independence of $P_m$ and $P_F$ from $\psi$ as given in Eq. (19). A similar analysis can be made for $\Lambda<0$ with this difference that in this case $\psi$ has negative impact on system secrecy and efficiency. Overall, correlation in both forward and backward channels influences system performance in a negative way by decreasing $R_s$ and increasing $P_{out}$.'

Fig. 4. Simulated outage rate for different forward packet erasure rates in main and wiretap channels, with and .

with 50000 frames, we apply the OTF packet selection within each frame based on Alice and Bob’s strategy in Tables II, III by simulating the erasure rates on their packet and feedback receptions. Similarly, based on Eve’s strategy in Table IV, we find Eve’s chosen OTF packets. For each frame, due to mapping strategy, the number of correct packets in Eve’s destination sets is the number of packets in her OTF before the first mismatch which is known to Eve by a virtual oracle. Then, by counting the number of frames with outage event we get the average outage rate or experimental for each channel condition. In Fig. 4, the simulated outage rate is depicted for varying forward channel conditions. It illustrates that even when , namely when wiretap channel has advantage over the main channel, the experimental outage rate is below 0.003 which is much lower than the required threshold , indicating that system is sufficiently secure and robust.

C. System Robustness Against Unknown Wiretap Channel

To study the situation in which Alice is unaware of wiretap channel condition, we conducted another simulation with the same secrecy parameters assuming that Alice designs the system and determines , based on presumed correlation coefficients , such that this design remains consistent throughout the simulation. All channel erasure rates are supposed to be fixed and equal to 0.2. Then, for different , ’s simulation is run with 50000 frames to obtain the average outage rate. In Fig. 5 the experimental secrecy outage rate is drawn in terms of various forward and backward channel correlations. As it shows, for most of the region, outage probability is very low, and the system is stable, but when and go above 0.4, outage rate rises very sharply, with remaining below except for . As a result, even with the lack of knowledge about wiretap channel correlations, the designed system remains sufficiently secure except for very highly correlated case.

We repeat this simulation but this time with presumed wiretap channel erasure rates , and correlation coefficients that are fixed and equal to 0.2. Then, we draw experimentally obtained in terms of the varying and in Fig. 6. It illustrates that backward erasure rate has little effect on average secrecy outage rate except for very low ’s. However, as forward erasure rate exceeds the presumed , secrecy outage goes up steeply till it reaches 0.006 for due to the reduction in , never exceeding the threshold 0.01. These two simulations show that without prior knowledge about Eve’s channel conditions, system preserves its robustness from secrecy point of view. Note that simulated outage probability shows much better results than the numerically computed outage rate in (13) because system is designed based on the upper-bound for the actual outage probability (as explained in Appendix D). It provides a pessimistic design of the protocol giving a safety margin when presumptions about channel conditions no longer hold.

Fig. 5. Simulated outage rate in terms of correlation coefficients across forward and backward channels, with and .

Fig. 6. Simulated outage rate in terms of wiretap channel forward and backward erasure rates, with and .

VIII. CONCLUSION

In this paper, a key scheduling scheme based on ARQ mechanism and privacy amplification is studied. We considered a correlated main and wiretap channel model with noisy feedback channels. The system is designed and its secrecy is analyzed based on outage probability and secret key rate. With numerical and theoretical analysis we showed that correlation between Eve’s and legitimate users’ transmission errors has negative effect on system secrecy. The conducted simulations proved that this scheme delivers its security and maintains its stability even when wiretapper has advantage over legitimate users in channel quality or when wiretap channel conditions are unknown to legitimate users.

ysowti1
Sticky Note
Please remove the whole conclusion.


APPENDIX A

PRELIMINARY: INFORMATION THEORETIC MEASURES

Information theory provides measures to quantify uncertainty of random variables [18]. Let be two random variables, with as their sets of values, where and . The entropy of is defined as: . Conditional entropy is defined as: which measures the remaining uncertainty in when is known. The mutual information between and is defined as that measures the information known about provided that is observed.

APPENDIX B

PROOF OF THEOREM 1

Proof: Let and be the random variables and , respectively, associated with one-time transmission and feedback reception of packet by Bob. Also, let and be the random variables and , associated with one-time transmission and feedback reception of packet by Eve. We assume that transmission of each packet and its associated feedback is independent for different packets while their corresponding events of correct receptions or failures for different packets are equally likely. Thus, at final steps of the following proofs we can replace , , and with , , and , respectively. Eq. (6) can be rewritten as

(21)

Since hypothesis occurs when and packet is received correctly by Bob, using Bayesian rule we get

(22)

In this equation, since the erasure in the received feedback by Bob, i.e. , is independent from the erasure in Eve’s received packet, the first term can be written

(23)

First of all, we consider the case where Eve has received feedback . Then, the second term in (22) will be one because receiving feedback by Eve implies that it was initially received error-free by Bob. By using (23), we can rewrite the first term in (22) as

(24)

The second equality results from the definition of joint backward erasure probabilities. The third equality comes from relationships and , with given in (4). Thus, by (22) and (24), we can write the decision rule (21) as

(25)

This is equivalent to as it was defined in (7).

Next, suppose that Eve has received an erased feedback . Due to independence of the packet reception by Bob and feedback reception by Eve, we can show that the second term of (22) will be

(26)

Similarly, by (23), the first term in (22) will be

(27)

Now by replacing (26) and (27) into (22), we can get the decision rule in (21) as

(28)

According to the definition of in (8), it is equivalent to the decision rule for .

APPENDIX C

PROOF OF LEMMA 1

Proof: According to the definition of OTF packet missing probability, by using Bayesian rule we have

(29)

where denotes Eve’s chosen OTF set, and ‘ ’ means Eve did not receive correctly. By definition, is equivalent to the event , so we have

(30)

where and are given in (4). Similarly, we can show

(31)

We can compute the last term in (29) as


(32)

For a correctly received packet by Eve, with the received feedback as , she will not put packet into if . If , will not belong to Eve’s OTF if . Apparently, when ‘ ’, regardless of what the received feedback would be, she has no way to put in . Hence,

(33)

By replacing (30)–(33) into (29), we can get the formula for in (9).

To compute the false OTF probability which is , we split hypothesis into two events: when packet is received incorrectly by Bob, and when is received without error, but . It should be noted that according to Eve’s strategy, false detection event only occurs when and because she only cares about fresh packets. We define as the false OTF probability when takes place, which is

(34)

That is because when occurs, since Bob has not decoded correctly, he will send back a Nack which can be received either erased bit or zero that in the latter case Eve will certainly not put it into OTF. According to Eve’s strategy in Table IV, for a correctly received packet once receiving , Eve puts into OTF if , so

(35)

Moreover, the erasure event in the received feedback by Eve is independent of the reception of packet and . As a result, the second term in (34) will be

(36)

Therefore, we have

(37)

We also define as the false OTF probability when occurs. We can similarly show that

(38)

Now, we can obtain the total false OTF probability as

replacing , from (38), (39) completes the proof.

APPENDIX D

PROOF OF THEOREM 2

Proof: Let denote the packets in OTF for , and indicate the packets in Eve’s OTF. We denote the number of Alice and Bob’s Bernoulli trials between and successes in putting in OTF as . ’s are i.i.d. random variables with geometric distribution. Let denote the number of mismatches between two destination sets. Outage probability is defined as the probability that there exists less than packet discrepancies between two destination sets that occurs when there is at least packets to be the same for and . It means that misalignment would happen after packet in . Hence, we have,

(39)

(2) holds because the decision that receiver makes about each packet is independent of other packets. (3) is based on Bayesian rule by summing over all possible number of trials for each Bernoulli success. For the first success it can reach to the total number of packets within the frame, i.e. , but for the next ones, we should subtract the number of all previous trials. (5) holds since to have , neither should there be missing OTF event for Eve for packet at the Bernoulli success nor any false detection event for the rest of unsuccessful OTF Bernoulli events that are totally trials. (4) shows that (13) provides an upper-bound for .

REFERENCES

[1] A. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography. Boca Raton, FL, USA: CRC Press, 1996.

[2] U. M. Maurer and S. Wolf, “Information-theoretic key agreement: From weak to strong secrecy for free,” in Advances in Cryptology, EUROCRYPT 2000 (Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 2000, vol. 1807, pp. 351–368.

[3] M. A. Latif, A. Sultan, and H. E. Gamal, “ARQ-based secret key sharing,” in Proc. IEEE Int. Conf. Communications 2009 (ICC’09), Jun. 2009, pp. 1–6.

[4] Y. Abdallah, M. A. Latif, M. Youssef, A. Sultan, and H. E. Gamal, “Keys through ARQ: Theory and practice,” IEEE Trans. Inf. Forensics Security, vol. 6, no. 3, pp. 737–751, Sep. 2011.

[5] S. Xiao, W. Gong, and D. Towsley, “Secure wireless communication with dynamic secrets,” in Proc. IEEE INFOCOM 2010 (INFOCOM 2010), Mar. 2010, pp. 1–9.

[6] C. H. Bennett, G. Brassard, C. Crépeau, and U. M. Maurer, “Generalized privacy amplification,” IEEE Trans. Inf. Theory, vol. 41, no. 6, pp. 1915–1923, Nov. 1995.


[7] Y. S. Khiabani and S. Wei, “Design and analysis of an ARQ based symmetric key generation algorithm,” in Proc. Military Communications Conf. 2011 (MILCOM’11), Baltimore, MD, USA, Nov. 2011, pp. 1273–1278.

[8] M. Zorzi, R. R. Rao, and L. B. Milstein, “ARQ error control for fading mobile radio channels,” IEEE Trans. Veh. Technol., vol. 46, no. 2, pp. 445–455, May 1997.

[9] S. R. Kim and C. K. Un, “Throughput analysis for two ARQ schemes using combined transition matrix,” IEEE Trans. Commun., vol. 40, no. 11, pp. 1679–1683, Nov. 1992.

[10] W. C. Y. Lee, “Effects on correlation between two mobile radio base-station antennas,” IEEE Trans. Veh. Technol., vol. 22, no. 4, pp. 130–140, Nov. 1973.

[11] H. Jeon, N. Kim, J. Choi, H. Lee, and J. Ha, “Bounds on secrecy capacity over correlated ergodic fading channels at high SNR,” IEEE Trans. Inform. Theory., vol. VT-57, no. 4, pp. 1975–1983, Apr. 2011.

[12] W. K. Harrison, J. Almeida, S. McLaughlin, and J. Barros, “Physical-layer security over correlated erasure channels,” in Proc. IEEE Int. Conf. Communications 2012 (ICC’12), Ottawa, Canada, Jun. 2012.

[13] A. Wyner, “The wire-tap channel,” Bell Syst. Tech. J., vol. 54, no. 8, pp. 1355–1387, Oct. 1975.

[14] I. Csiszár and J. Körner, “Broadcast channels with confidential messages,” IEEE Trans. Inf. Theory, vol. 24, no. 3, pp. 339–348, May 1978.

[15] R. Renner and S. Wolf, “Simple and tight bounds for information reconciliation and privacy amplification,” in Proc. 11th Int. Conf. Theory and Application of Cryptology and Information Security Advances in Cryptology (ASIACRYPT 2005), Chennai, India, 2005, pp. 199–216.

[16] T. A. Schonhoff and A. A. Giordano, Detection and Estimation Theory and its Applications, 1st ed. Englewood Cliffs, NJ, USA: Pearson Prentice-Hall, 2006.

[17] G. Grimmett and D. Stirzaker, Probability and Random Processes, 3rd ed. Oxford, UK: Oxford Univ. Press, 2001.

[18] T. M. Cover and J. A. Thomas, Elements of Information Theory, 2nd ed. Hoboken, NJ, USA: Wiley, 2006.

Yahya Sowti Khiabani received the B.S. and M.S. degrees in electrical engineering from the University of Tabriz, Iran, in 2003 and 2007. He was admitted as a Ph.D. student to Louisiana State University, ECE Department, in 2009 and granted Economic Development Assistantship (EDA) to work on security algorithms in wireless networks under advisory of Dr. Shuangqing Wei. As a Ph.D. student, his research is focused on information theoretic security, antieavesdropping algorithms, and cryptography.

Shuangqing Wei received the B.E. and M.E. degrees in electrical engineering from Tsinghua University in 1995 and 1998, respectively. He started his academic career at Louisiana State University (LSU) after obtaining the Ph.D. degree from the University of Massachusetts, Amherst, in 2003. He is currently a Tenured Associate Professor in the Department of ECE, LSU. His research interests are in the areas of wireless security and cognitive radio networks. He is an Editor for IEEE TRANSACTIONS ON WIRELESS COMMUNICATIONS, and was an Associate Editor for IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY from January 2009 to July 2012. He has served as a Technical Program Committee (TPC) Member for numerous IEEE Flagship communication conferences, such as ICC, Globecom, and MILCOM. His research has been funded by the NSF, AFRL, and DOE, and the Board of Regents of Louisiana.


ARQ-Based Symmetric-Key Generation Over Correlated Erasure Channels

Yahya Sowti Khiabani and Shuangqing Wei

Abstract—This paper focuses on the problem of sharing secret keys using Automatic Repeat reQuest (ARQ) protocol. We consider cases where forward and feedback channels are erasure channels for a legitimate receiver (Bob) and an eavesdropper (Eve). In prior works, the wiretap channel is modeled as statistically independent packet erasure channels for Bob and Eve. In this paper, we go beyond the state-of-the-art by addressing correlated erasure events across the wiretap channel. The created randomness is shared between two legitimate parties through ARQ transmissions that is mapped into a destination set using a first-order digital filter with feedback. Then, we characterize Eve’s information loss about this shared destination set, due to inevitable transmission errors. This set is then transformed into a highly secure key using privacy amplification in order to intensify and exploit Eve’s lack of knowledge. We adopt two criteria for analysis and design of the system: secrecy outage probability as a measure of the secrecy quality, and secret key rate as a metric for efficiency. The resulting secrecy improvement is presented as a function of the correlation coefficients and the erasure probabilities for both channels. It is shown that secrecy improvement is achievable even when Eve has a better channel than legitimate receivers, and her channel conditions are unknown to legitimate users.

Index Terms—Automatic repeat request, correlation coefficient, secret key rate, universal hashing, wiretap channel.

I. INTRODUCTION

T HE broadcast nature of wireless transmissions makes itmore vulnerable from security perspective. Traditionally,

security can be provided using cryptographic approaches,mainly relying on generation, sharing and renewing of secretkeys [1]. However, key management is deemed quite chal-lenging in wireless networks. Maurer et al. in [2] consideredinformation theoretic key agreement in noisy communicationchannel based on common randomness and public discussion.They have defined secret key rate as the maximal achievablerate at which secret key can be generated by legitimate partners(Alice as transmitter and Bob as receiver) about which aneavesdropper (Eve) has virtually no knowledge.Among physical layer based key management techniques,

some have utilized the well known ARQ protocol to facilitate

Manuscript received April 17, 2012; revised August 02, 2012 and March 30,2013; accepted May 12, 2013. Date of publication May 21, 2013. This workwas supported in part by the Board of Regents of Louisiana under ContractsLEQSF(2009-11)-RD-B-03 and LEQSF-EPS(2012)-PFUND-282.The authors are with the School of Electrical Engineering and Computer Sci-

ence, Louisiana State University (LSU), Baton Rouge, LA 70803 USA (e-mail:[email protected]; [email protected]).Color versions of one or more of the figures in this paper are available online

at http://ieeexplore.ieee.org.Digital Object Identifier 10.1109/TIFS.2013.2264461

exchange of secret keys between Alice and Bob [3], [4]. In [5] authors have proposed using ARQ mechanism to generate secrets by taking advantage of Eve’s inevitable information loss due to transmission errors. In this approach, dynamic secrets are extracted from created common randomness using universal class of hash functions [6]. However, in all of these works feedback channel is assumed to be error-free which is not satisfied in mobile radio environment. In [7], we considered a key management scheme similar to [5], and characterized a two-way communication channel model where feedback channel is assumed to be a Binary Erasure Channel (BEC). Previously, in ARQ communications, feedback transmission was also modeled as erasure channels [8], [9].

In all of these schemes, it is assumed that erasure events for Bob and Eve are statistically independent. However, in real radio communications, there could be correlation between channels from a transmitter to different receivers depending on the availability of line-of-sight, physical deployment of the receiver antennas and the presence or absence of scatterers [10]. In [11] information loss in terms of reduction in secrecy capacity due to the correlation in wiretap channel is quantified. In [12] the effects of correlation between packet erasures at Bob and Eve on the performance of LDPC based secrecy coding scheme were addressed.

Our work lies in a different category than the works in [11], [13], [14], which rely on the secrecy capacity measure, nor do we design specific codes for the correlated wiretap channel as in [12]. This work is based on Maurer’s work [2] where key distilling problem from common randomness is studied. In cryptography community this problem is addressed based on extracting strong security from a weakly secure source that is common between two parties [15]. The main goal in this area is to increase generation rate of a sufficiently secure key.

In this work a key scheduling algorithm based on ARQ transmission mechanism used in [5], [7] is revisited, analyzed more thoroughly, and further modified to address more challenging technical issues such as synchronization and correlation. The key contributions can be summarized below:

1) One of the main issues in ARQ mechanism used to generate shared randomness is synchronization. We show that even with erasure feedback channel, synchronization between Alice and Bob in selection of a random body of transmitted data, called One-Time-Frame (OTF) set, can be guaranteed using the proposed reconciliation protocol.

2) For performance analysis we design an optimized attack strategy based on binary hypothesis testing [16] allowing Eve to estimate this common randomness.

3) We design a digital filter based mapping and apply it over OTF set to generate a destination set constituting shared random data between legitimate users. It allows Alice and Bob to take advantage of possible mistakes in Eve’s decisions due to transmission errors in order to cause further information loss for her. This lack of knowledge will next be manipulated by applying privacy amplification to establish secure keys.

1556-6013/$31.00 © 2013 IEEE

Fig. 1. Erasure forward and backward channel model for wiretap channel.

4) In our correlated wiretap channel model we consider correlation between erasures in main and eavesdropper’s channel and then study its negative influence on both secrecy and efficiency of the designed scheme. We analyze the trade-off between secrecy measured in terms of secrecy outage rate and efficiency in terms of secret key rate and design system parameters to achieve the required secrecy and efficiency.

In simulations, evaluation of the achieved secrecy shows that almost for all channel conditions the required security enhancement can be attained, even when erasures are correlated and Eve has a better channel than that between legitimate users. Simulations also demonstrate that even in unknown wiretap channel condition a good secrecy is achievable.

Correlated wiretap channel model is illustrated in Section II, and reconciliation strategy is explained in Section III. The proposed attack strategy for Eve and its analysis is presented in Section IV followed by description of the mapping strategy in Section V. In Section VI we analyze the performance of the designed system in terms of secrecy and efficiency. Numerical and simulation results are illustrated in Section VII. Proofs and a preliminary on information theory are provided in Appendix.

II. CORRELATED CHANNEL MODEL

We consider the wiretap channel with memoryless packet erasure channel (PEC) model, where erasures for Bob and Eve are correlated. In our model, ARQ is added for authenticated users as shown in Fig. 1. We use frame structure where number of packets, encrypted using the same symmetric key and then encoded according to a specific encoding rule, will be encapsulated into a frame. Alice transmits these packets over the main channel to an intended recipient called Bob. Across packet erasures occur with probability . Bob is permitted to request retransmission of any missing packets up to times using a feedback channel . When he decodes a packet correctly, he sends back a bit 1 as an ACK; otherwise he returns a bit 0 as a NACK. Alice receives these feedback bits through modeled as a BEC with bit erasure probability .

Eve as a passive eavesdropper observes transmitted or retransmitted packets through a wiretap channel modeled as a PEC with packet erasure probability . She is supposedly aware of the decoding rule and is also able to observe feedback messages through a backward wiretap channel where bit erasures occur with probability . Since and are memoryless, erasures occur independently within each channel. However, packet erasures between two channels are correlated with correlation coefficient . We define two Bernoulli random variables and with values in the set {0, 1}, where one indicates erasure and zero indicates correct reception of a packet at one-time transmission. Hence, and . Let . Then, and . Pearson correlation coefficient between random variables and can be written as [17], [12]

(1)

We should note that given a value for and , can not take every value in the interval [0,1] and will be bounded by the functions of erasure probabilities. By considering that and , and the fact that where , we can get the following bounds for

(2)

If we define Bernoulli random variables and for erasure events in feedback channels and , respectively, we will have and . Let . Then, across feedback channels these bit erasures are correlated with correlation coefficient of

(3)

Similar to , there also exist bounds for . Finally, we have

(4)
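An added example, not taken from the paper: the correlated erasure model of this section written as a joint distribution over (Bob erased, Eve erased), using the standard Pearson correlation for two Bernoulli variables. The names `p_b`, `p_e` and `rho` and all numeric values are assumptions chosen for illustration, and only the non-negative range of the coefficient discussed above is handled.

```python
import math
import random

# Illustration only: p_b, p_e and rho are assumed labels for Bob's and Eve's
# forward erasure probabilities and their correlation coefficient.

def _std_product(p_b, p_e):
    """Product of the standard deviations of the two erasure indicators."""
    return math.sqrt(p_b * (1 - p_b) * p_e * (1 - p_e))

def rho_upper_bound(p_b, p_e):
    """Largest correlation that erasure indicators with these marginals allow.

    P(both erased) can never exceed min(p_b, p_e), which caps the covariance.
    """
    return (min(p_b, p_e) - p_b * p_e) / _std_product(p_b, p_e)

def joint_erasure_pmf(p_b, p_e, rho):
    """Joint pmf over (bob_erased, eve_erased) for one packet transmission."""
    if not (0 < p_b < 1 and 0 < p_e < 1):
        raise ValueError("erasure probabilities must lie strictly in (0, 1)")
    if rho < 0 or rho > rho_upper_bound(p_b, p_e) + 1e-12:
        raise ValueError("rho is outside the range these marginals allow")
    p11 = p_b * p_e + rho * _std_product(p_b, p_e)  # both erased
    return {
        (1, 1): p11,
        (1, 0): max(0.0, p_b - p11),   # Bob erased, Eve received
        (0, 1): max(0.0, p_e - p11),   # Bob received, Eve erased
        (0, 0): 1 - p_b - p_e + p11,   # both received
    }

def eve_erasure_given_bob_received(p_b, p_e, rho):
    """P(Eve loses a packet | Bob got it): the loss the key scheme relies on."""
    pmf = joint_erasure_pmf(p_b, p_e, rho)
    return pmf[(0, 1)] / (1 - p_b)

def sample_erasures(pmf, n, seed=0):
    """Draw n independent (bob_erased, eve_erased) pairs from the joint pmf."""
    rng = random.Random(seed)
    outcomes = list(pmf)
    weights = [pmf[o] for o in outcomes]
    return rng.choices(outcomes, weights=weights, k=n)

def empirical_rho(samples):
    """Sample Pearson correlation of the two erasure indicators."""
    n = len(samples)
    mean_b = sum(b for b, _ in samples) / n
    mean_e = sum(e for _, e in samples) / n
    cov = sum(b * e for b, e in samples) / n - mean_b * mean_e
    return cov / math.sqrt(mean_b * (1 - mean_b) * mean_e * (1 - mean_e))

if __name__ == "__main__":
    p_b, p_e = 0.3, 0.2  # constructed values: Eve's channel is the better one
    print("max feasible rho:", round(rho_upper_bound(p_b, p_e), 4))
    for rho in (0.0, 0.25, 0.5, 0.75):
        loss = eve_erasure_given_bob_received(p_b, p_e, rho)
        print(f"rho={rho:.2f}  P(Eve erased | Bob received)={loss:.4f}")
    draws = sample_erasures(joint_erasure_pmf(p_b, p_e, 0.5), 100000, seed=1)
    print("empirical rho:", round(empirical_rho(draws), 3))
```

With these constructed values, raising the coefficient from 0 to 0.5 cuts Eve's chance of losing a packet that Bob received from 0.2 to about 0.07, which is the effect the later sections trace through to the outage probability and key rate.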

III. RECONCILIATION STRATEGY

In this key management scheme only packets that are decoded correctly for the first transmission and whose corresponding feedbacks are received error-free by Alice are selected to be in OTF set. Once the number of packets in the collected OTF reaches the threshold , they will stop putting packets into it. The main purpose of reconciliation step is to make sure that legitimate users have no disagreement upon this randomly selected body of transmitted data. The next step is to apply a mapping strategy to generate a destination set that will be next used to extract secret keys by applying a mutually agreed universal hashing function over it. Each packet format contains three important fields: a retransmission flag that is set to 1 by Alice when a packet is retransmitted to let Bob know that it does not belong to OTF, a unique sequence number assigned to each packet, which is the sequence number of the previous packet in the frame incremented by one, and a dropping flag used for synchronization purposes.

In this scheme, we use Stop and Wait protocol (SW), that requires Alice to wait for the response from Bob, which is the feedback message represented by a bit belonging to the set . Whenever Alice receives ACK, represented by bit 1, she finds out that a new packet has to be transmitted, but once she receives a NACK feedback, represented by bit 0, she realizes that the packet has to be retransmitted, thereby suggesting that it is not in OTF. The erased bit represents the case when Alice has not received the feedback message at the required time interval. In this protocol, if the current packet is received correctly at first transmission, and the next received packet is a new one with a different sequence number, the receiver can identify that the current packet belongs to OTF. Each packet can be retransmitted at most times to make it more likely for Bob to correctly decode it. If no ACK is received within retransmissions, Alice drops the packet.

TABLE I
DENOTATIONS

One of the main problems in this algorithm is OTF synchronization issue because there is possibility of discrepancy between Alice and Bob. For instance, assume that Bob has received a packet correctly in the first transmission, yet ACK has not gone through the backward channel in any of its retransmissions. Since Alice has not received any ACK, she will decide to drop the packet and transmit a new one. Next, Bob receives a packet with a different sequence number, leading him to put the previous packet into OTF. To avoid such problems, we include a dropping flag in each packet, which is set to one for a packet when the number of consecutively dropped packets prior to it is odd, and zero otherwise.

Suppose that at the beginning of each frame, the timers on both sides start and increment by one with each packet transmission. Consider the denotations in Table I. Let the next correctly received packet arriving at time have the sequence number of and the dropping flag sign of . Therefore, Bob realizes that there were dropped packets within the time interval . Whenever is odd and , or is even and , he finds out that packet is dropped and does not belong to OTF. The pseudo-codes for Alice and Bob’s OTF packets selection strategies are presented in Tables II, III. Alice puts a packet into OTF if at first transmission, the received feedback . On the other side, from , Bob can realize that it is not a retransmission, and also by observing , and he finds out it is not dropped and belongs to OTF.

When Alice and Bob make decisions based on these strategies, it can be guaranteed that their synchronization error on OTF set is zero, and both completely agree on OTF packets that later on will be used as a basis to establish secret keys. As a result, packets that are received correctly with probability and whose feedbacks are received correctly with probability , will be in common OTF set with the probability of

(5)

TABLE II
ALICE’S OTF STRATEGY

TABLE III
BOB’S OTF STRATEGY

IV. EVE’S ATTACK STRATEGY AND ITS PERFORMANCE

Even though Eve is able to eavesdrop retransmissions as well as feedback messages, unlike Alice and Bob, she is not certain of synchronization with users. In fact, that is because her transmission errors are partially independent from the errors in the main channel, and she is unable to directly communicate with the transmitter, or for instance ask for retransmission as Bob does. As a result, she has to determine a strategy to make decisions based on the eavesdropped data.

Let indicate a packet that Eve has received correctly with sequence number , associated feedback message and retransmission flag . Let also denote Eve’s next correctly received packet. Note that to decide which packets are in OTF, Eve has to make the best use of her obtained information about these packets. There are some cases that help Eve confidently know what exactly users did with the packet . For instance, when is one, or is zero, she can ascertain that packet does not belong to OTF.

In other cases where , Eve has to make a guess about packet based on her main observation which is the feedback message, . In this scheme Eve uses binary hypothesis testing based on Maximum A-Posteriori Probability (MAP) rule [16] as her strategy in distinguishing OTF packets. Let be the hypothesis that packet is in Alice and Bob’s OTF and otherwise. Assuming that packet is the same packet which is simultaneously received by Bob, according to the MAP decision rule, for the received feedback by Eve, she decides that packet belongs to OTF set if

(6)

indicates the random variable associated with one-time transmission of packet , i.e. means packet is received correctly by Eve. The following theorem with the provided proof in Appendix B gives us a more explicit idea about Eve’s decision rule.

Theorem 1: Assume that Eve makes a decision based on the MAP rules in (6). Then, for a correctly received packet when she receives feedback 1, she makes a decision in favor of if , where is defined as

(7)

On the other hand, when she receives an erased feedback, she makes decision in favor of if which is defined as

(8)

Accordingly, the pseudocode for Eve’s attack strategy in distinguishing OTF packets is presented in Table IV.

TABLE IV
EVE’S ATTACK STRATEGY

In order to analyze Eve’s performance, we need to investigate how much discrepancy her OTF has with the actual one, namely with what probability, she misses an OTF packet, called OTF missing probability , or chooses a non-OTF packet, called false OTF probability . is the probability that given hypothesis has occurred for packet , Eve does not choose it as an OTF packet. is the probability that given hypothesis , Eve puts into OTF. In Lemma 1, whose proof is given in Appendix C, we compute these probabilities.

Lemma 1: In our scheme, if Eve uses the proposed attack strategy, she misses one OTF packet with the probability of

(9)

Moreover, she puts a wrong packet into OTF with probability

(10)

where is the indicator function, which is equal to 1 when holds. and are provided in (4).

V. EVE’S MISALIGNMENT AND OTF MAPPING STRATEGY

Whenever Eve has a miss-detection, by missing a packet or putting a wrong packet into OTF, assuming that her next OTF packets are selected correctly, her gathered OTF set respectively moves one packet size backward or forward compared to the original set. Hereafter, she loses her OTF alignment with Alice and Bob, and in order to realign with the users, she has to have the same number of OTF missing events as the false OTF packets. However, if Alice and Bob take a strategy by mapping OTF into a destination set where once a misalignment occurs, the resulted error propagates to upcoming packets, any miss-detection for Eve would be equivalent to missing the rest of the transformed data.

A possible mapping strategy is a simple digital filter with a delayed feedback. Let and denote respectively the packet in the original OTF and in the destination set, where . After applying this transformation, whose block diagram is depicted in Fig. 2, will be the result of XOR of and . Note that only the random body of each OTF packet will be used in this mapping. Let be the maximum possible number of packets within the frame. If each packet has size , by excluding the sequence number as well as two bit flags, only bits of each packet will be transformed, so ’s have size , and the generated destination set will be of size .

Fig. 2. Block diagram of the simple digital filter used for mapping OTF set.

TABLE V
ALICE-BOB AND EVE’S OTF AND DESTINATION SETS

Consider a simple case when the number of packets within OTF set is . In Table V Alice and Bob’s OTF as and Eve’s OTF as (starting from the second packet) are illustrated when Eve misses and has a false event by choosing . In this case even though has missed its alignment at the second packet, it realigns with at resulting in only two packet discrepancies between them. The resulted destination set for legitimate users as and for Eve as are given in Table V. We assume that ’s are generated uniform randomly, so for instance for the third and the fourth packets in , behaves like an additive noise with error rate of 0.5. That is why when a misalignment occurs, for the remaining packets in , missed or false OTF packets act like additive noise to further deceive Eve. In other words, every miss-detection causes an uncertainty for her that accumulates in upcoming packets, resulting in a larger uncertainty for Eve in her destination set. In general, when there is a miss-detection at packet, by utilizing the suggested mapping strategy, any realignment for Eve becomes highly unlikely, and it can be guaranteed that there will be errors in the rest of packets of Eve’s destination set.
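An added example, not part of the paper, of the XOR feedback mapping and the error propagation described in this section. It reads the mapping as y[i] = x[i] XOR y[i-1], assumes the filter state starts at all zeros, and uses constructed random packet bodies; Eve's OTF reproduces the case discussed above, where she misses one packet, accepts one false packet, and is back in step two packets later.

```python
import random

def xor_bytes(a, b):
    """Bytewise XOR of two equally long packet bodies."""
    return bytes(x ^ y for x, y in zip(a, b))

def map_otf(otf_packets):
    """First-order XOR filter with delayed feedback: y[i] = x[i] XOR y[i-1].

    The initial state is all zeros (an assumption made for this example),
    so each destination packet is the running XOR of all OTF bodies so far.
    """
    if not otf_packets:
        return []
    size = len(otf_packets[0])
    state = bytes(size)
    destination = []
    for body in otf_packets:
        if len(body) != size:
            raise ValueError("all OTF packet bodies must have the same length")
        state = xor_bytes(body, state)
        destination.append(state)
    return destination

def mismatch_positions(a, b):
    """1-based positions at which two equally long packet lists differ."""
    if len(a) != len(b):
        raise ValueError("packet lists must have the same length")
    return [i for i, (u, v) in enumerate(zip(a, b), start=1) if u != v]

def misalignment_demo(n_packets=8, body_len=16, seed=2013):
    """Compare Alice/Bob's and Eve's sets before and after the mapping.

    All packet bodies are constructed sample data from a seeded generator.
    """
    rng = random.Random(seed)

    def rand_body():
        return bytes(rng.getrandbits(8) for _ in range(body_len))

    legit_otf = [rand_body() for _ in range(n_packets)]
    false_packet = rand_body()  # a non-OTF packet that Eve wrongly accepts

    # Eve misses OTF packet 2, later accepts one false packet, and is
    # aligned with the legitimate OTF again from position 4 onwards.
    eve_otf = [legit_otf[0], legit_otf[2], false_packet] + legit_otf[3:]

    otf_diff = mismatch_positions(legit_otf, eve_otf)
    dest_diff = mismatch_positions(map_otf(legit_otf), map_otf(eve_otf))
    return otf_diff, dest_diff

if __name__ == "__main__":
    otf_diff, dest_diff = misalignment_demo()
    print("OTF positions that differ:        ", otf_diff)
    print("destination positions that differ:", dest_diff)
```

Before the mapping only positions 2 and 3 differ; after it every position from 2 to the end differs, because the missed and false bodies stay in Eve's running XOR.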

VI. SECRECY SCHEME DESIGN AND ANALYSIS

Privacy amplification is transforming a partially secure data string into a highly secure key about which Eve has arbitrarily low knowledge. Among all techniques for privacy amplification, universal hashing is a well-known technique against deterministic eavesdropping [6]. A class of hash functions that maps an string into a string is universal if the collision probability for two distinct inputs is [6].

Throughout transmission of each frame by using the ARQ protocol and mapping strategy, Alice and Bob will generate a destination set upon which they both completely agree. When a function is chosen uniform-randomly from a universal class of hash functions, regardless of what distribution the actual input has, for sufficiently short output, the expected hash output will have a distribution close to uniform with maximum entropy. By the last packet of the frame, Alice will transmit this chosen function to Bob that will be applied over the produced destination set to extract secret keys, later on being used as a symmetric key for encryption of the next frame. As a result, for a short hash output they can make sure that Eve, given her knowledge, gets arbitrarily negligible information about it.

In order to analyze the designed secrecy scheme, we define appropriate metrics whereby the required secrecy and efficiency for the system can be regulated. We define outage probability as the probability that the aimed information theoretic secrecy is not achieved, based on which system parameters will be designed. Furthermore, we use secret key rate to measure secrecy throughput and efficiency of the scheme.

A. Outage Probability based on a New Oracle Model

In [6], the additional information that a virtual oracle freely gives Eve is considered as an auxiliary random variable that simplifies secrecy analysis for privacy amplification. Assume that a virtual oracle freely informs Eve in which packet she first missed her alignment with Alice-Bob OTF. Let this packet be the OTF packet, so that Eve knows with a high probability she has observed packets, with length denoted by , correctly from the actual destination set . Nonetheless, she will have error propagation in the remaining packets because of using the proposed mapping strategy. Eve can not correct her mistake by using this additional information because she has no idea what kind of miss-detection has occurred or what happened after this misalignment. Literally, the secrecy that system obtains in the presence of this oracle provides a lower-bound of the actual secrecy that scheme could have gained without giving such a privilege to Eve.

Let and function be an arbitrary eavesdropping function, with , where is the length of the input string . Alice and Bob arbitrarily choose a function from a universal class of hash functions, mapping into , and then apply it over to get a secret key of size , where . According to the corollary 5 in [6], Eve’s expected information about the secret key, given and , satisfies . As information theoretic secrecy goal, if we require the upper-bound of to be , the necessary is

(11)

for logarithm of base 2. But is the length of the input string after misalignment. Hence, for the required and given , the minimum required number of packet discrepancies between two sets denoted by has to be

(12)

Consequently, if we design the system in a way that with a high probability misalignment in OTF set happens at one of the first OTF packets, we can make sure that after mapping, it is very likely to have the number of different packets between and , denoted by , be more than . We define outage probability as the probability that , which actually is the probability that determined secrecy goal as is not satisfied. The following Theorem, proven in Appendix D, provides an upper-bound for outage probability.

Theorem 2: Let secrecy outage be the probability that there exists less than packet discrepancies between Eve’s destination set and the actual set. For the proposed secrecy scheme, is upper-bounded as

(13)

where is the number of packets in OTF. , and can be computed using (9), (10) and (5).

Note that in our analysis we will consider the worst case scenario where equality in (13) holds. Now we can determine the minimum average uncertainty that Eve has about the generated secret key. Let be a random n-bit string with uniform distribution over , and be the random variable indicating what Eve observes correctly from with the help of the oracle. Let us define as the probability that the length of is larger than bits for some , and let be a positive safety parameter, such that . With the probability , will take on values of that belong to the set constituted of subsets of with less than or equal to bits. In this case, as the most optimistic scenario for Eve, she will know bits correctly out of . If Alice and Bob choose as their universal hashing function from to , according to corollary 5 in [6] her information about the secret key with length will be upper-bounded as or in other words . Since this holds for every , by statistical averaging over , Eve’s average entropy about given and will be lower-bounded as

(14)

For with the length of , and bits, we can replace with its upper-bound in (13) to consider the most pessimistic scenario.

B. Secret Key Rate

The next step is to quantify and analyze efficiency of the designed secrecy system in terms of secret key rate. First of all, we need to design system parameters including the size of OTF set and data frame, to guarantee that the system is sufficiently secure. As will be described later, these are two parameters that mainly affect efficiency of the system. In order to maintain a large uncertainty for Eve, according to (14), we need to have large enough and as small as possible. If is chosen based on the determined in (11), with outage probability sufficiently close to 0, we can have a highly likely secure system, with Eve’s average entropy close to maximum. The number of packets in OTF, , can be lower-bounded accordingly to have outage probability stay below a threshold chosen to be sufficiently small, i.e.

(15)

only takes integer values, and is obtained by (12). Note that is positive.

We also need to have enough number of packets within each frame to make sure that the number of OTF packets reaches the threshold . The probability that a packet is in OTF is . The total number of packets being in OTF out of packets has binomial distribution with parameter . We call the probability of having at least OTF packets within packets, success probability and denote it by . In order to have enough number of packets within OTF set with a high probability, we can choose a threshold sufficiently close to 1 and determine the smallest for which

(16)

Clearly, with increase in the required number of packets in a frame, i.e. , goes up.

There is an outage probability that the number of OTF packets does not reach the required threshold . When such an outage occurs, Alice and Bob can use the existing OTF packets to complete OTF set. Suppose that Alice has already finished transmission of the whole frame but the created OTF set still lacks number of packets. In this case, since they both agree on the accumulated OTF packets, one possible alternative would be OTF refilling protocol which divides the existing OTF into partitions with equal size of packets and then selects one packet out of each subset in order to refill the remaining vacant positions. Note that rarely does this outage event occur for a well designed system, and hence its overall effect on Eve’s knowledge will be negligible.

Secret key rate is the maximal rate such that for every , there exists a public communication over an insecure but authenticated channel, over which Alice and Bob who agree upon a random data can generate keys and respectively, where with probability at least . Also, , and , where is data observed by Eve, and is the number of channel uses [2]. In our secrecy scheme, Alice and Bob both agree on a random data called destination set by using reconciliation protocol and mapping strategy, then they transform it into the secret key of length which is the same for both of them. Moreover, according to (14) since , we can compute Eve’s information about the key given her knowledge as . Namely, design of a system with a very low outage probability and sufficiently large results in a negligible key information for Eve. As a result, we achieved the required public transmission and can compute secret key rate as the length of the generated hash value over the total transmission cost which is the number of channel uses including retransmissions.

Assume that for the designed key generating ARQ protocol, due to throughput requirements the maximum number of allowed retransmissions per packet is set to be . In our scheme, given that a packet is received correctly, the probability that it is transmitted for times with is . On the other hand, not being received correctly by Bob implies that the packet was transmitted for times. It is straightforward to show that the average number of trials per packet denoted by is

(17)

When is fixed and also sufficiently large, by the Strong Law of Large Numbers (SLL), the total number of transmissions denoted by for packets in the frame will be . For as the number of bits per packet, the number of channel uses is bits. Since secret key rate is the ratio of the generated key entropy over all channel uses, it can be obtained as

(18)

It should be noted that when to meet the secrecy requirements, is chosen to be the minimum possible value for which (16) is satisfied, gives us the maximum achievable key rate.

To study the trade-off between secrecy and efficiency of the system, we evaluate system performance in various settings of design parameters. If it is required to have a higher information theoretic secrecy meaning that a lower upper-bound for Eve’s information about the key, i.e. , is mandated, (11) and (12) show that higher and are needed. However, a system that is designed to guarantee a higher discrepancy between Bob and Eve turns out to have a lower secret key rate and a larger secrecy outage rate. That is because with decrease in the exponent of (13) due to the increase in since its base is less than 1, ascends, whereas according to (15) with increase in , and consecutively go up that brings about a lower based on (18). Accordingly, the threshold should be precisely determined, otherwise unnecessarily low can negatively affect both secrecy and efficiency.

If for a fixed channel condition, and specified and resulting in a fixed , the system designer tailors to a higher secrecy or a lower secrecy outage rate by regulating a lower outage threshold , according to (15), it elevates that causes to rise and to descend. Conversely, raising by reducing according to (16) lowers and causes to ascend, as (13) indicates. Namely, increases with rising , or having a higher efficiency requires a lower secrecy and vice versa. This trade-off between secrecy and efficiency should be taken into account in system architecture.
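An added example, not from the paper: the frame-size rule around (16), searching for the smallest frame whose binomial count of OTF packets reaches the required OTF size with at least the chosen success probability. Function and parameter names, the OTF size of 20 and the 0.99 threshold are assumptions; the per-packet OTF probability is taken as the product of Bob's forward and feedback success probabilities, following the selection rule of Section III.

```python
from math import comb

def otf_probability(p_forward_erasure, p_feedback_erasure):
    """Chance that one packet enters the OTF set.

    Assumes, as in Section III, that a packet is selected when its first
    transmission reaches Bob and its ACK reaches Alice, and that the two
    erasure events of the main channel are independent of each other.
    """
    for p in (p_forward_erasure, p_feedback_erasure):
        if not 0 <= p < 1:
            raise ValueError("erasure probabilities must lie in [0, 1)")
    return (1 - p_forward_erasure) * (1 - p_feedback_erasure)

def success_probability(n_frame, k_otf, p_otf):
    """P[Binomial(n_frame, p_otf) >= k_otf], computed from the exact pmf."""
    if k_otf <= 0:
        return 1.0
    if n_frame < k_otf:
        return 0.0
    below = sum(
        comb(n_frame, j) * p_otf ** j * (1 - p_otf) ** (n_frame - j)
        for j in range(k_otf)
    )
    return 1.0 - below

def min_frame_size(k_otf, p_otf, threshold, n_max=100000):
    """Smallest frame size whose success probability meets the threshold."""
    if not 0 < p_otf <= 1:
        raise ValueError("p_otf must lie in (0, 1]")
    if not 0 < threshold < 1:
        raise ValueError("threshold must lie strictly between 0 and 1")
    for n_frame in range(max(k_otf, 1), n_max + 1):
        if success_probability(n_frame, k_otf, p_otf) >= threshold:
            return n_frame
    raise ValueError("no frame size up to n_max meets the threshold")

if __name__ == "__main__":
    # Constructed inputs: erasure rates of 0.2 as in the simulations section,
    # an assumed OTF size of 20 packets and an assumed 0.99 success threshold.
    p_otf = otf_probability(0.2, 0.2)
    for k_otf in (10, 20, 40):
        n_frame = min_frame_size(k_otf, p_otf, 0.99)
        print(f"OTF size {k_otf:3d} -> frame of {n_frame} packets "
              f"(success probability {success_probability(n_frame, k_otf, p_otf):.4f})")
```

The output shows the frame growing faster than the OTF size alone would suggest, which is the efficiency cost the trade-off discussion above attributes to a stricter secrecy target.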

C. The Effect of Correlation on System Performance

To study the effect of correlation on the system secrecy, we need to investigate how it affects two defined secrecy metrics. Suppose that with some fixed forward and backward erasure rates, for a predetermined secrecy requirement, system parameters including , and are designed. We want to analyze how increase in correlation between erasures in main and eavesdropper channels influences outage probability. We only consider the case which is more conforming to the real world conditions in which transmission error rates are much smaller than 0.5. For , based on (9) and (10) we can obtain missing and false OTF probabilities as

(19)

According to (4) with increase in , increases. Assuming that feedback erasure rates and are close to each other, the effect of and consequently on will be insignificant. However, (19) shows that with rising and therefore , falls that accordingly increases based on (13). Thus, for an already designed system, increase in correlation leads to a larger outage rate. On the other hand, if we design new system parameters, with increase in , as a result of reduction in , according to (15), system will require a larger as well as a larger to produce a lower secrecy key rate . It is also intuitively correct that the more correlated Eve’s forward channel erasures are with Bob’s, the more conforming her decisions about the received packets to Bob’s, reducing her uncertainty, so that more data will be transmitted to carry the same amount of uncertainty for her, thereby reducing secret key rate. In this case does not have any effect on because for , , according to Table IV, Eve’s decision does not depend on whether the received feedback bit is erased, making her performance independent of the correlation across backward channels. It could also be inferred from independence of and from in (19).

For by (9), (10), missing and false OTF probabilities can be rewritten as

(20)

In this scenario for already designed system, with increased and then , decreases whereas increases. However, from (20), when and are much smaller than 1, the effect of on increasing can be assumed to be negligible. This prevailing effect on reducing causes to go up, by (13), and for a new design, according to (15), requires system to have a larger and reducing secret key rate. Unlike , here increase in impacts system performance as for an erased feedback, Eve decides not to put packet in OTF. For an already designed system parameters, by (4) once rises with increase in , according to (20), both and decrease causing to increase. On the other hand, for a new design it reduces by requiring a larger . Overall, correlation in both forward and backward channels influences secrecy and efficiency of the system in a negative way by decreasing and increasing .

VII. SIMULATION RESULTS

Our objective in simulations is to evaluate secrecy and efficiency of the designed scheme in various channel conditions. We assume that there exists no discrepancy between Alice and Bob using reconciliation strategy, and that the number of packets in OTF always reaches to by OTF refilling protocol. In these simulations, we require implying that the upper-bound on Eve’s information about secret key does not exceed which is sufficiently negligible. For the maximum number of packets within each frame chosen to be with each packet of length s, we remove number of bits dedicated for sequence number as well as two flag bits from the packet to get random part used for key establishment. For the generated key length of , according to (12), the minimum required number of packet discrepancies for Eve will be . We set the thresholds , and choose , so packets can only be transmitted once.

Fig. 3. Obtained secret key rate in terms of forward and backward correlation coefficients with and .

A. Numerical Analysis Based on Secret Key Rate

In numerical analysis we experiment how secret key rate changes with varying correlation. It is assumed that wiretap channel quality is better than the main channel as but . Then, for different forward and backward correlation coefficients, based on the secrecy requirement , and are computed using (15), (16). Namely, for an upper-bounded , each and result in a different secret key rate based on (18). For , since , increase in from 0 to 0.8 reduces from 0.135 to 0.075 as illustrated in Fig. 3 which conforms with our analysis. As was expected, in this case does not have any effect on . However, for , we get , and therefore with increase in , secret key rate goes down to about 0.04 for large and , as shown in Fig. 3. Note that correlation coefficients are upper-bounded based on (2). These results show that even when Eve has a better channel than legitimate users, our scheme can provide secrecy for the established key except for highly correlated channel errors.

B. System Robustness Against Various Channel Conditions

In our simulation we study whether for all channel conditions, the designed system maintains its robustness for required secrecy criterion, i.e. . To study how forward channel erasure rates influence system performance, throughout this simulation a consistent condition for feedback channel as , as well as fixed correlation coefficients are considered. For the predetermined , we get , meaning that outage occurs when the number of mismatches between Eve’s destination set and the actual set is less than 11. Suppose that Alice is aware of the main and wiretap channel conditions such that for each different and , determines and . Then, for the designed system, with 50000 frames, we apply the OTF packet selection within each frame based on Alice and Bob’s strategy in Tables II, III by simulating the erasure rates on their packet and feedback receptions. Similarly, based on Eve’s strategy in Table IV, we find Eve’s chosen OTF packets. For each frame, due to mapping strategy, the number of correct packets in Eve’s destination sets is the number of packets in her OTF before the first mismatch which is known to Eve by a virtual oracle. Then, by counting the number of frames with outage event we get the average outage rate or experimental for each channel condition. In Fig. 4, the simulated outage rate is depicted for varying forward channel conditions. It illustrates that even when , namely when wiretap channel has advantage over the main channel, the experimental outage rate is below 0.003 which is much lower than the required threshold , indicating that system is sufficiently secure and robust.

Fig. 4. Simulated outage rate for different forward packet erasure rates in main and wiretap channels, with and .

C. System Robustness Against Unknown Wiretap Channel

To study the situation in which Alice is unaware of wiretap channel condition, we conducted another simulation with the same secrecy parameters assuming that Alice designs the system and determines , based on a presumed correlation coefficients , such that this design remains consistent throughout the simulation. All channel erasure rates are supposed to be fixed and equal to 0.2. Then, for different ,’s simulation is run with 50000 frames to obtain the average outage rate. In Fig. 5 the experimental secrecy outage rate is drawn in terms of various forward and backward channel correlations. As it shows, for most of the region, outage probability is very low, and the system is stable, but when and go above 0.4, outage rate rises very sharply, with remaining below except for . As a result, even with the lack of knowledge about wiretap channel correlations, the designed system remains sufficiently secure except for very highly correlated case.

Fig. 5. Simulated outage rate in terms of correlation coefficients across forward and backward channels, with and .

Fig. 6. Simulated outage rate in terms of wiretap channel forward and backward erasure rates, with and .

We repeat this simulation but this time with presumed wiretap channel erasure rates , and correlation coefficients that are fixed and equal to 0.2. Then, we draw experimentally obtained in terms of the varying and in Fig. 6. It illustrates that backward erasure rate has little effect on average secrecy outage rate except for very low ’s. However, as forward erasure rate exceeds the presumed , secrecy outage goes up steeply till it reaches 0.006 for due to the reduction in , never exceeding the threshold 0.01. These two simulations show that without prior knowledge about Eve’s channel conditions, system preserves its robustness from secrecy point of view. Note that simulated outage probability shows much better results than the numerically computed outage rate in (13) because system is designed based on the upper-bound for the actual outage probability (as explained in Appendix D). It provides a pessimistic design of the protocol giving a safety margin when presumptions about channel conditions no longer hold.
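The sharp rise of the outage rate with the correlation coefficient can be reproduced with a simplified model; this is an added example, not the authors' simulation. It uses the standard joint probability of two correlated Bernoulli erasure events and counts one mismatch for every packet that Bob receives and Eve loses on the forward channel. The feedback channel and the OTF strategies of Tables II–IV are not modeled, and the frame length of 200 packets and all function names are assumptions.

```python
import math
import random

def joint_erasure(e_b, e_e, rho):
    """P(Bob and Eve both erased) for marginals e_b, e_e and correlation rho."""
    p11 = e_b * e_e + rho * math.sqrt(e_b * (1 - e_b) * e_e * (1 - e_e))
    # Frechet bounds: not every rho is reachable for given marginals.
    lo, hi = max(0.0, e_b + e_e - 1.0), min(e_b, e_e)
    if p11 < lo - 1e-12 or p11 > hi + 1e-12:
        raise ValueError("rho is not achievable for these erasure rates")
    return min(max(p11, lo), hi)

def eve_miss_given_bob_ok(e_b, e_e, rho):
    """P(Eve erased | Bob received): Eve's per-packet information loss."""
    return (e_e - joint_erasure(e_b, e_e, rho)) / (1.0 - e_b)

def outage_exact(e_b, e_e, rho, n_packets, threshold):
    """P(fewer than `threshold` packets are received by Bob but lost by Eve)."""
    q = e_e - joint_erasure(e_b, e_e, rho)  # P(Bob ok, Eve erased)
    return sum(math.comb(n_packets, k) * q**k * (1.0 - q)**(n_packets - k)
               for k in range(threshold))

def outage_simulated(e_b, e_e, rho, n_packets, threshold, frames, seed=1):
    """Monte Carlo estimate of outage_exact from sampled erasure pairs."""
    rng = random.Random(seed)
    p11 = joint_erasure(e_b, e_e, rho)
    outages = 0
    for _ in range(frames):
        mismatches = 0
        for _ in range(n_packets):
            u = rng.random()
            # Joint pmf laid out on [0,1): both erased | Bob only | Eve only | none
            eve_only = e_b <= u < e_b + (e_e - p11)
            mismatches += eve_only
        outages += mismatches < threshold
    return outages / frames

if __name__ == "__main__":
    # Constructed parameters: erasure rates 0.2 as in subsection C; the frame
    # length of 200 packets is an assumption, the threshold 11 is from subsection B.
    for rho in (0.0, 0.2, 0.4, 0.6, 0.8):
        print(rho, round(eve_miss_given_bob_ok(0.2, 0.2, rho), 3),
              outage_exact(0.2, 0.2, rho, 200, 11))
```

In this toy model the probability that Eve loses a packet Bob received falls from 0.2 at zero correlation to 0.12 at a correlation of 0.4, and the outage probability climbs steeply beyond that point.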

VIII. CONCLUSION

In this paper, a key scheduling scheme based on ARQ mechanism and privacy amplification is studied. We considered a correlated main and wiretap channel model with noisy feedback channels. The system is designed and its secrecy is analyzed based on outage probability and secret key rate. With numerical and theoretical analysis we showed that correlation between Eve’s and legitimate users’ transmission errors has negative effect on system secrecy. The conducted simulations proved that this scheme delivers its security and maintains its stability even when wiretapper has advantage over legitimate users in channel quality or when wiretap channel conditions are unknown to legitimate users.


APPENDIX A

PRELIMINARY: INFORMATION THEORETIC MEASURES

Information theory provides measures to quantify uncertainty of random variables [18]. Let be two random variables, with as their sets of values, where and . The entropy of is defined as: . Conditional entropy is defined as: which measures the remaining uncertainty in when is known. The mutual information between and is defined as that measures the information known about provided that is observed.

APPENDIX B

PROOF OF THEOREM 1

Proof: Let and be the random variables and, respectively, associated with one-time transmission and feedback reception of packet by Bob. Also, let and be the random variables and , associated with one-time transmission and feedback reception of packet by Eve. We assume that transmission of each packet and its associated feedback is independent for different packets while their corresponding events of correct receptions or failures for different packets are equally likely. Thus, at final steps of the following proofs we can replace , , and with , , and , respectively. Eq. (6) can be rewritten as

(21)

Since hypothesis occurs when and packet is received correctly by Bob, using Bayesian rule we get

(22)

In this Eq. since the erasure in the received feedback by Bob, i.e., is independent from the erasure in Eve’s received packet, the first term can be written

(23)

First of all, we consider the case where Eve has received feedback . Then, the second term in (22) will be one because receiving feedback by Eve implies that it was initially received error-free by Bob. By using (23), we can rewrite the first term in (22) as

(24)

The second equality results from the definition of joint backward erasure probabilities. The third equality comes from relationships and , with given in (4). Thus, by (22) and (24), we can write the decision rule (21) as

(25)

This is equivalent to as it was defined in (7).

Next, suppose that Eve has received an erased feedback . Due to independence of the packet reception by Bob and feedback reception by Eve, we can show that the second term of (22) will be

(26)

Similarly, by (23), the first term in (22) will be

(27)

Now by replacing (26) and (27) into (22), we can get the decision rule in (21) as

(28)

According to the definition of in (8), it is equivalent to the decision rule for .

APPENDIX C

PROOF OF LEMMA 1

Proof: According to the definition of OTF packet missing probability, by using Bayesian rule we have

(29)

where denotes Eve’s chosen OTF set, and ‘ ’ means Eve did not receive correctly. By definition, is equivalent to the event , so we have

(30)

where and are given in (4). Similarly, we can show

(31)

We can compute the last term in (29) as


(32)

For a correctly received packet by Eve, with the received feedback as , she will not put packet into if . If , will not belong to Eve’s OTF if . Apparently, when ‘ ’, regardless of what the received feedback would be, she has no way to put in . Hence,

(33)

By replacing (30)–(33) into (29), we can get the formula for in (9).

To compute the false OTF probability which is , we split hypothesis into two events: when packet is received incorrectly by Bob, and when is received without error, but . It should be noted that according to Eve’s strategy, false detection event only occurs when and because she only cares about fresh packets. We define as the false OTF probability when takes place, which is

(34)

That is because when occurs, since Bob has not decoded correctly, he will send back a Nack which can be received either as an erased bit or as zero; in the latter case Eve will certainly not put it into OTF. According to Eve’s strategy in Table IV, for a correctly received packet once receiving , Eve puts into OTF if , so

(35)

Moreover, the erasure event in the received feedback by Eve is independent of the reception of packet and . As a result, the second term in (34) will be

(36)

Therefore, we have

(37)

We also define as the false OTF probability when occurs. We can similarly show that

(38)

Now, we can obtain the total false OTF probability as

replacing , from (38), (39) completes the proof.

APPENDIX D

PROOF OF THEOREM 2

Proof: Let denote the packets in OTF for , and indicate the packets in Eve’s OTF. We denote the number of Alice and Bob’s Bernoulli trials between and successes in putting in OTF as . ’s are i.i.d. random variables with geometric distribution. Let denote the number of mismatches between two destination sets. Outage probability is defined as the probability that there exists less than packet discrepancies between two destination sets that occurs when there is at least packets to be the same for and . It means that misalignment would happen after packet in . Hence, we have,

(39)

(2) holds because the decision that receiver makes about each packet is independent of other packets. (3) is based on Bayesian rule by summing over all possible number of trials for each Bernoulli success. For the first success it can reach to the total number of packets within the frame, i.e. , but for the next ones, we should subtract the number of all previous trials. (5) holds since to have , neither should there be missing OTF event for Eve for packet at the Bernoulli success nor any false detection event for the rest of unsuccessful OTF Bernoulli events that are totally trials. (4) shows that (13) provides an upper-bound for .

REFERENCES

[1] A. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography. Boca Raton, FL, USA: CRC Press, 1996.

[2] U. M. Maurer and S. Wolf, “Information-theoretic key agreement: From weak to strong secrecy for free,” in Advances in Cryptology, EUROCRYPT 2000 (Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 2000, vol. 1807, pp. 351–368.

[3] M. A. Latif, A. Sultan, and H. E. Gamal, “ARQ-based secret key sharing,” in Proc. IEEE Int. Conf. Communications 2009 (ICC’09), Jun. 2009, pp. 1–6.

[4] Y. Abdallah, M. A. Latif, M. Youssef, A. Sultan, and H. E. Gamal, “Keys through ARQ: Theory and practice,” IEEE Trans. Inf. Forensics Security, vol. 6, no. 3, pp. 737–751, Sep. 2011.

[5] S. Xiao, W. Gong, and D. Towsley, “Secure wireless communication with dynamic secrets,” in Proc. IEEE INFOCOM 2010 (INFOCOM 2010), Mar. 2010, pp. 1–9.

[6] C. H. Bennett, G. Brassard, C. Crépeau, and U. M. Maurer, “Generalized privacy amplification,” IEEE Trans. Inf. Theory, vol. 41, no. 6, pp. 1915–1923, Nov. 1995.


[7] Y. S. Khiabani and S. Wei, “Design and analysis of an ARQ based symmetric key generation algorithm,” in Proc. Military Communications Conf. 2011 (MILCOM’11), Baltimore, MD, USA, Nov. 2011, pp. 1273–1278.

[8] M. Zorzi, R. R. Rao, and L. B. Milstein, “ARQ error control for fading mobile radio channels,” IEEE Trans. Veh. Technol., vol. 46, no. 2, pp. 445–455, May 1997.

[9] S. R. Kim and C. K. Un, “Throughput analysis for two ARQ schemes using combined transition matrix,” IEEE Trans. Commun., vol. 40, no. 11, pp. 1679–1683, Nov. 1992.

[10] W. C. Y. Lee, “Effects on correlation between two mobile radio base-station antennas,” IEEE Trans. Veh. Technol., vol. 22, no. 4, pp. 130–140, Nov. 1973.

[11] H. Jeon, N. Kim, J. Choi, H. Lee, and J. Ha, “Bounds on secrecy capacity over correlated ergodic fading channels at high SNR,” IEEE Trans. Inform. Theory., vol. VT-57, no. 4, pp. 1975–1983, Apr. 2011.

[12] W. K. Harrison, J. Almeida, S. McLaughlin, and J. Barros, “Physical-layer security over correlated erasure channels,” in Proc. IEEE Int. Conf. Communications 2012 (ICC’12), Ottawa, Canada, Jun. 2012.

[13] A. Wyner, “The wire-tap channel,” Bell Syst. Tech. J., vol. 54, no. 8, pp. 1355–1387, Oct. 1975.

[14] I. Csiszár and J. Körner, “Broadcast channels with confidential messages,” IEEE Trans. Inf. Theory, vol. 24, no. 3, pp. 339–348, May 1978.

[15] R. Renner and S. Wolf, “Simple and tight bounds for information reconciliation and privacy amplification,” in Proc. 11th Int. Conf. Theory and Application of Cryptology and Information Security Advances in Cryptology (ASIACRYPT 2005), Chennai, India, 2005, pp. 199–216.

[16] T. A. Schonhoff and A. A. Giordano, Detection and Estimation Theory and its Applications, 1st ed. Englewood Cliffs, NJ, USA: Pearson Prentice-Hall, 2006.

[17] G. Grimmett and D. Stirzaker, Probability and Random Processes, 3rd ed. Oxford, UK: Oxford Univ. Press, 2001.

[18] T. M. Cover and J. A. Thomas, Elements of Information Theory, 2nd ed. Hoboken, NJ, USA: Wiley, 2006.

Yahya Sowti Khiabani received the B.S. and M.S. degrees in electrical engineering from the University of Tabriz, Iran, in 2003 and 2007. He was admitted as a Ph.D. student to Louisiana State University, ECE Department, in 2009 and granted Economic Development Assistantship (EDA) to work on security algorithms in wireless networks under advisory of Dr. Shuangqing Wei. As a Ph.D. student, his research is focused on information theoretic security, antieavesdropping algorithms, and cryptography.

Shuangqing Wei received the B.E. and M.E. degrees in electrical engineering from Tsinghua University in 1995 and 1998, respectively. He started his academic career at Louisiana State University (LSU) after obtaining the Ph.D. degree from the University of Massachusetts, Amherst, in 2003. He is currently a Tenured Associate Professor in the Department of ECE, LSU. His research interests are in the areas of wireless security and cognitive radio networks. He is an Editor for IEEE TRANSACTIONS ON WIRELESS COMMUNICATIONS, and was an Associate Editor for IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY from January 2009 to July 2012. He has served as a Technical Program Committee (TPC) Member for numerous IEEE Flagship communication conferences, such as ICC, Globecom, and MILCOM. His research has been funded by the NSF, AFRL, and DOE, and the Board of Regents of Louisiana.