Secret Key Agreement Over Multipath Channels Exploiting a Variable-Directional Antenna

We develop an approach of key distribution protocol (KDP) proposed recently by T. Aono et al. A more general mathematical model based on the use of Variable-Directional Antenna (VDA) under the condition of multipath wave propagation is proposed. Statistical characteristics of VDA were investigated by simulation, that allows us to specify model parameters. The security of the considered KDP is estimated in terms of Shannon's information leaking to an eavesdropper depending on the mutual locations of the legal users and the eavesdropper. Antenna diversity is proposed as a mean to enhance the KDP security. In order to provide a better agreement of the shared keys it is investigated the use of error-correcting codes.


I. INTRODUCTION
The problem of key distribution is still in focus of research activity especially for wireless LAN systems. This is due to the severe restriction of asymmetric (public key) cryptography WLAN implementation entailing a lower processing speed.
In order to solve this problem, quantum cryptography [1] which allows eavesdropping detection within the key sharing procedure seems useful. However, this approach does not reach a practical level due to many technical problems, such as the requirement of special quantum devices. There are well known key distribution protocols (KDP) based on the presence of noise in both legal and illegal channels [2], [3], [4]. But even though the eavesdropper's channel is less noisy than the legal ones and the eavesdroppers is passive, it is necessary to have the knowledge of the eavesdropper's noisy power in order to guarantee a fixed level of key security. Unfortunately this condition cannot be taken for granted because an eavesdropper may be able to get some advantage at the cost of better receiver sensitivity, or a shorter distance of interception that it was considered by legal parties in the design of the secure KDP.
The most basic assumption on the executed KDP is that the legal and illegal users have different locations, and this fact has to be verified by physical means. (For that matter, an existing special zone surrounding each legal user shall be assumed where the presence of an eavesdropper is not allowed.) If it is wanted to share a secret key by wireless communication among legal users, it is necessary that one user generates some randomness and then to transmit it to its correspondent in such a way that it is effectively delivered to the legal recipient and any eavesdropper perceives either uncorrelated or weak correlated randomness.
It is possible to provide non-unit correlation under the condition of multipatch wave propagation. Let us consider the following mathematical model of the channels between a source of randomness (the first legal user) and both the second legal user and the eavesdropper: is the coefficient vector of the multipath propagation to the second legal user, and y = (y i ) m i=1 is the coefficient vector of multipath propagation to the eavesdropper. Let us assume for simplicity E(ξ) = 0, then the following relation for the correlation coefficient of η and ζ results: where R ξ is correlation matrix of the random vector ξ.
Common randomness results from fluctuation of the cannel characteristics due to communicating object motion. Such approach has been proposed in [5], [6]. But it still entails another problem: it is easy to break the secret key under an environment with small fluctuation of the channel characteristics or in the case when the communicating objects are stopped. In order to overcome these defects, a more sophisticated method, using smart antenna excited randomly by electronic means [7], has been proposed. However, the results presented in this paper were obtained experimentally and the investigation of KDP security performed incompletely is extended here.
The goal of the current paper is thus to introduce a mathematical model and to present a theoretical investigation concerned with KDP security and reliability based on the use of a Variable-Directional Antenna (VDA). In order to justify the statistical characteristics of the VDA, we perform a simulation of a ring type VDA that is also excited randomly. In Section II, we describe the conditions of the physical channel and we introduce an exact mathematical model of the KDP. The results of the VDA simulation are presented in Section III. Section IV contains an optimization of the KDP in order to provide both reliability and security. Finally we conclude the main results and present some open problems in Section V. The scheme of the communication system corresponding to the KDP is presented in Fig. 1.
The KDP is described in the following steps: 1) The legal user A forms the random antenna diagram by exciting the VDA with output of truly random generator (TRG) and fix this diagram for some given time interval [0, T j ] of the j-th key bit generation, j = 1, 2, . . . , n. 2) A transmits to B a harmonic signal S j (t) = cos ω 0 t, 0 ≤ t ≤ T j /2, with the beam pattern obtained at step 1 over the multipath channel. 3) B receives a harmonic signal from an omni-directional antenna (ODA) and forms the j-th key bit by comparing some functional computed with the received signal on the time [0, T j /2] with a given threshold. 4) The user B switches off its ODA in a regime of radiation and transmits the same harmonic signal S j (t) = cos ω 0 t within the time interval T j /2 ≤ t ≤ T j . 5) The user A switches off its VDA to a receiver and processes the received signal in the same manner as B did, forming the j-th key bit. 6) A and B repeat n times the steps 1-5 with new and independent outputs of TRG in order to create the desired number of key bits. Thanks to the Reciprocity Theorem of radio wave propagation between uplink and downlink, the key sequences of A and B should be identical up to a random noise of receivers. Then the signal received by B at time T j /2 can be expressed as: where, with respect to the i-th ray at the j-th time interval, β ij is the channel attenuation coefficient, υ ij is the VDA amplitude gain, θ ij is the VDA phase shift, including both phases in antenna diagram and phase shift in i-th ray, and m is the number of paths (rays). The signal received by E at time T j /2 is: where the primed parameters have the same meaning as the corresponding parameters in (1)  neglect initially the noise at the legal receivers, and we assume at all moment a noise absence at the eavesdropper E, in advantage with the legal users.) Later we will show that the probability distributions of the random values η j and ζ j , which are produced by executing some functionals from both y j (t) and z j (t) can have a good approximation by a zero mean Gaussian law. Then we prove that the probability of a bit disagreement between the j-th bit of the legal users and the eavesdropper key bits obtained by comparing them with a zero threshold is: where ρ is the correlation coefficient between η j and ζ j , . The dependence of p e versus ρ is presented in Fig. 2. We can see that in contrast to our intuition, the probability p e = 0.1 can be provided even when the correlation coefficient ρ has a significant value 0.95. In order to enhance the security of the legal user key string k shared after completion of the KDP it should be performed a privacy amplification [3], [8], [9], [10], or more specifically a mapping of the raw key string k to a shorter key stringk of length < n, using the so called hashing procedurek = h(k) taken from the universal class of hash functions [11]. Then the amount of Shannon's information leaking to E given her knowledge of the string k satisfies where t = n + n log 2 p 2 e + (1 − p e ) 2 is the Renyi information under the assumption that the errors in the eavesdropper's key bits occur independently due to the independently generated VDA on each of the j-th time intervals. Hence in order to select the parameter we should calculate the correlation coefficient ρ depending on the mutual location of the legal user and the eavesdropper, the properties of VDA and the characteristics of the multipath cannel. A solution for this problem will be presented in the next Section.

III. CORRELATION BETWEEN THE VALUES η j AND ζ j
Let us consider as VDA the so called ring antenna (RA) shown in Fig. 3 having N identical isotropic radiators excited by their random phases.
Then the complex instant antenna diagram can be presented by the well known formula [12]: where ψ s is a phase in the s-th radiator; k 0 = 2π λ , λ is the length of the wave; R the radius of the RA; φ is the angle in the azimuthal plane; and θ is the angle in the vertical plane.
Both instant amplitude and the phase antenna diagrams can be obtained from (5) and they are random values providing random exciting to the RA. It would be possible to find theoretically different statistical characteristics of f (φ, θ) but it is rather more easy to solve the same problem by simulation. Since the current paper is limited in space, we present only the main conclusions based on the simulations for the case of independent and uniformly distributed phases ψ s on (0, 2π): • the probability distribution of the amplitude antenna diagram has a good approximation through the Rice law which can be approximated in its turn by a Gaussian nonzero mean law; • the probability distribution of the phase antenna diagram has a good approximation by an uniform law on the interval (0, 2π).
Next it is possible to compute theoretically the correlation coefficients between η j and ζ j for different functionals producing them and to find their probability distributions by simulation. However, it is necessary to specify the channel model and the functional description. To be more specific, let us consider a 3-ray channel model and a location of eavesdropper on the line connecting legal users (Fig. 4). We select two functionals of y j (t) and z j (t) producing η j and ζ j and the functionals are compared with some thresholds in order to obtain the key bit k j . The functionals are (see eq. (1)): In a similar manner, there can be presented the corresponding functionals for eavesdropper: µ j , µ cj , µ sj , ∆ψ j . We will be interested in finding the probability distributions of all functionals and correlations between similar functionals of any legal user B and the eavesdropper E. Because it is very hard to compute these values theoretically, we will find them by simulation for some given channel parameters.
Let us take 1 = 25m; h 1 = 3m, h 2 = 3m (distances to the first and to the second reflecting surfaces, respectively), N = 6, λ = 12.5cm, R = λ/2 (see Fig's. 3 and 4). Assume that E is placed between legal users A and B within the interval (3-22)m. The results of simulation are presented in Fig. 5. The dependences of the correlation coefficients r µ,µ and r ∆ψ,∆ψ versus distance ∆ between the eavesdropper E and the legal user B are shown in Fig. 5(a) and Fig. 5(b).
Since the correlation between the values ∆ψ j and ∆ψ j occurs less than the correlation between µ j and µ j (see Fig. 5), it is reasonable to select the phase difference functional in order to form η j and compare it with zero threshold for the k j key bit generation. (In order to coincide phases of support generators at users A and B, it is possible to transmit a special pilot signal and to tune phases of both users at the initial stage of KDP.) In Fig. 6 there are presented empirical probability distributions for these functionals. It is evident that both cases can be approximated by appropriated Gaussian distributions (see solid curves). Therefore the relation (3) can be used to find the probability of disagreement between the key bits of the legal users and the eavesdropper. But before we address to eq. (4) in order to calculate security of KDP, it should be  taken into account an opportunity for the presence of noise at the receivers of the legal users.

IV. KDP OPTIMIZATION UNDER NOISY LEGAL CHANNEL
From now on we remove our previous assumption that the multipath channel among legal users A and B is noiseless but keep such condition for eavesdropper's channel. (Obviously, the last assumption cannot degrade the security of KDP.) In this setting it is necessary to use some methods in order to correct disagreements in key bits of legal users. It is very reasonable to use firstly a selection of the most reliable key bits with a public discussion over a noiseless channel between legal users, and then to apply forward error correction codes (FEC) by sending of the check bits over the same noiseless channel. (It is worth to note that a noiseless public channel among legal users can be arranged by the choice of special regime, namely large signal power or omnidirectional antenna of the user A that we were unable to use for the execution of KDP.) The first method of the most reliable key bit selection is to take decision following the rule: where η j is the output of ∆ψ j , and α a threshold.
After a completion of the KDP including a production of the erased bits for both legal users it is necessary to mutually announce the numbers of these bits over public noiseless channels. In this case, the probability of a key bit disagreement between legal users and eavesdropper, given by (3), has to be corrected because an eavesdropper is able to intercept information about the numbers of accepted key bits over the public channel. We will take into account this fact later for the simulation procedure. The second method is to keep only the most reliable key bits, say M , and to remove the others. This means that the legal users form variation series of the values |η j | on a decreasing order and next to keep (after mutual public discussion) the first M members of this series to generate the key bits. Of course in this case the probability of key bit disagreement p e is changed also against (3).
Let us denote by p 1 and p 2 the probability of legal key bit errors after the first and the second method, respectively. Next we use an error-correcting code (n 0 + r, n 0 ) sending a sequence of r check symbols over public noiseless channel in order to correct eventually errors in the key sequence. Then the probability of erroneous decoding P ed by the modified Gallager's theorem is [10]: n0+r , and n 0 is the number of bits k j which have been kept by legal users after erasing the unreliable bits following the first or the second procedures, and p is the error probability for the kept bits. In the case of check symbol sending, the Privacy Amplification Theorem against (4) becomes [10]: (2) .
KDP optimization problem is to get the maximum key rate while n er is the number of erased symbols after the use of the method 1 or 2 and given the values I(k; k ), P ed , , and different signal-to-noise ratio (S/N) at the receivers of the legal users. We solve this problem by simulation for the case of Gaussian noise at the legal receivers.
In Tables I and II there are presented the results of such optimization for typical conditions for the first and the second method of unreliable bits removal, respectively, where P er is the probability of key bit erasing.
We can see from these tables that the second method is for large correlation a little bit better than the first one. However both methods provide sufficiently reliable and secure key sharing if eavesdropper is placed on 3-21m away from legal user B and phase difference is used as key generating method (see Fig. 5(b)). A similar conclusion is drawn also for multipath channels with other parameters and locations of eavesdroppers. In order to enhance the security of the KDP, antenna diversity can be used when B has m omnidirectional antennas and he selects randomly one of them at each time period T j to receive and transmit signal. Then the relation finding the Renyi information used in (4) changes for:   The relation (6) holds with the probability equal to the probability of the event in which with at least of one of antennas a mutual location of the legal user and the eavesdropper is got such that ρ ≤ ρ * , where ρ * is found by (3) givenp e .
We considered so far a scenario when an eavesdropper uses the same omnidirectional antenna as the legal user B. But E can execute directional antenna to separate all rays and to process the best of them or even apply joint processing to all of them. We have performed a simulation of the case with single ray separation and it has been shown that the correlation coefficient even decreases in comparison with one presented before. The case of joint processing of separated rays is noteworthy. But we can remark that even under the very strong condition in which the eavesdropper knows exactly all channel parameters both for E and B, there is still uncertainty about VDA gains in the direction of E and B. Therefore, generally speaking, the correlation coefficient occurs even in this case with a value less than one.

V. CONCLUSION AND FUTURE WORK
We considered a method of key sharing based on the concept of a VDA under the condition of multipath channel and we showed that sufficient security and reliability of the shared keys can be provided even when the eavesdropper's channel is noiseless. The results of investigations show that the security of the KDP (in terms of Shannon's information leaking to eavesdropper) does not depend only on the distance between legal users and eavesdropper but also on the eavesdropper's location. This result somewhat contradicts to a very optimistic conclusion in [7].
We propose to use the difference-phase functional instead of either quadrature components or envelope in order to form key bits. This approach results in less mutual correlation between legal user and eavesdropper and simplifies a choice of threshold. The key sequence k is i.i.d if VDA is excited by independent random phases and threshold is chosen in an appropriate manner. (This fact has been confirmed by simulation using statistical tests.) Our contribution consists also in the proof of relation (3) which allows to connect the probability of disagreement between the key bits of legal users and eavesdropper with the correlation of corresponding values. Unfortunately, a limited space of the paper does not allow us to show all simulation results for different multipath channels and mutual location of legal users and eavesdroppers, which we have got at our disposition.
In the future we are going to investigate: i) the use of multitone signals in the KDP, ii) the localization of optimal processing of the eavesdropper rays separation in order to provide the greatest correlation, iii) the use of real FEC and effective decoding algorithms with KDP (instead of extended Gallager's bounds); and, iiv) the use of other types of VDA (like ESPAR or others).