2015 globecom group key

Secret Group Key Generation in Physical Layer

for Mesh Topology

Chan Dai Truyen Thai, Jemin Lee and Tony Q.S. Quek

Singapore University of Technology and Design, Singapore

Email:

{

thai truyen, jemin lee, tonyquek

}

@sutd.edu.sg

Abstract—Secret group key generation based on physical layer in wireless communications has a lot of practical applications. A few studies focused on the theoretical bounds of the secret key rate based on the sets of received signals rather than a particular secret key generation scheme. We propose a secret group key generation scheme for an arbitrary number of legitimate nodes,

n, in mesh topology in the presence of a passive eavesdropper.

In the scheme, after general pilot signal transmissions at all nodes, each node broadcasts a weighted combination of its received signals with optimized coefficients, so that legitimate nodes can obtain the information of channels used for group key generation while the eavesdropper cannot. We also apply different quantization schemes for quantizing and encoding the estimated channels into keys. To provide detailed transmissions and processing steps of group key generation, we also describe the proposed scheme for 4-node mesh topology case. The simulation results show that the proposed scheme achieves a higher secret group key rate and a lower key disagreement rate than a benchmark scheme.

Index Terms—Key generation, physical-layer security, group key, vector quantization.

I. INTRODUCTION

Recently, the key generation at physical layer in wireless communications has been extensively researched [1]. The physical-layer key generation does not require any network infrastructure for the key, and works even for the case of eavesdroppers with unlimited computing capacity. Many of the existing studies focus on the physical-layer secret key generation for two legitimate users [2]. However, the key generation for a certain group of legitimate users is required in many scenarios. For example, a group of travelers may want to set up a secret multi-point communication using a group key, and do not want to share the information with any person not in the group.

In fact, extending the key generation scheme for two users to several users is challenging due to two reasons. First, the channel information used for key generation in physical layer is characterized only between two users in terms of reciprocity and randomness. It is therefore easy for the two users linked to that channels to obtain the information. However, to share with other users, these two users need to forward the information to other users which leads to the new risk of leaking information to eavesdroppers. Second, there are more channels which can be used to generate a key with a higher rate. Consequently, we need a scheme with a longer duration in which the channels stay the same, i.e., it requires a longer coherence time. More-over, arranging the transmissions and selecting parameters

becomes a more complicated optimization problem.

A lot of studies on group key generation in physical layer focused on theoretical bounds or a closed-form formula of the secret key rate based on the observed transmissions at the legitimate nodes. For example, in [3], a arbitrary number of nodes established a secret group key based on their received signals from a certain source with help from other nodes. These prior works theoretically considered the sets of received signals at the nodes, and their results can be considered as upper bounds of the secret key rate of schemes. However, they did not specify how and which signals the nodes should transmit, receive, and process.

Recently, a specific scheme for secret group key generation was proposed for star and chain topologies by exploiting the received signal strength (RSS) in [4]. In the scheme of the star topology, the channel between a side node and the central node is selected as the reference channel and estimated first. Then, the central node combines the information of the reference channel with that of the channel linked to another side node and forwards it to this side node. In particular, the difference of two RSSs of these two channels is used as a combination. Each node combines the estimated of the channel linked to it and the received combination from the central node to estimate the reference channel and uses it to generate the group key. However, for a mesh topology, the scheme can be re-designed to provide a higher performance.

of quantization scheme affects the secret key rate as well as the key disagreement rate (KDR). In [6], the authors proposed to multiply the estimated channel with the optimal matrix before quantization in order to move the estimated channel away from the quantization boundaries. They also optimized the quantization scheme based on minimum KDR and minimum quadratic distortion. Another scheme was proposed to optimize the interval guard of the quantization in [7], and the adaptive quantization levels were used in in [8]. However, those works consider the case of key generation between only two users. In this paper, however, we consider the quantization scheme for several users. We also further analyze the characteristics of different quantization methods for a different number of group keys and different key lengths.

II. n-NODEMESHTOPOLOGY

In this section, we introduce the system model and describe the proposed scheme for a generaln-node topology. We also

summarize some important definitions and results related to secret key rate.

A. System Model

We consider a group of n legitimate nodes, Ai, i = {1,2, ..., n_}. These legitimate nodes want to generate nK

secret keys which are confidentially shared among them. A passive eavesdropper, E, tries to eavesdrop the information of the keys by listening, but does not actively attack. Before the key generation scheme starts, all nodes communicate in a public and noiseless channel so that all legitimate nodes know all node locations and the channel distribution and variances as well as other scheme parameters such as code vectors for the quantization scheme. We also assume that the legitimate nodes do not know the distance and the channel variances between them and the eavesdropper, while the eavesdropper knows all information.

All channels are independent and assumed to remain in the same state in a period of T time slots, i.e., coherence time, and change every period. At the beginning of a scheme, no node knows about the channel status. A channel is given in the form ofh=f d 2l wheref is a circularly-symmetric complex

normal random variable,dis the distance between the

consid-ered transmitter and receiver, and l is the path-loss exponent.

We consider the mesh topology in which there is a significant channel between any two nodes. The channel from Aito node

Aj and E are denoted byhij andgi, respectively. All channels

are reciprocal, i.e., hij =hji,8i, j ={1,2, ..., n}. All nodes are half-duplexed and equipped with a single antenna. The transmit and noise power of legitimate nodes and the noise power at eavesdropper E arep, 2, and 2E, respectively. The

transpose of matrixXand the cardinality of setKare denoted by XT _and

|K|, respectively.

B. Secret Key Capacity

Ai and E observe m realizations Xi = (Xi1, Xi2, ..., Xim)

andZ = (Z1_{, Z}2_{, ..., Z}m_{), respectively. We first consider the}

rate of a secret key shared between two legitimate nodes. A1 and A2 compute a common key denoted asK1 and K2,

respectively, from their observationsX1 andX2.K1 andK2

are supposed to be the same. Hence, rK(X1;X2kZ) is an

achievable secret key rate if for every✏>0and sufficient large m, there exists a scheme such that the following requirements

are satisfied [9]–[11]

Pr{K16=K2}✏, (1)

1

nI(K1;Z)✏, (2)

1

nH(K1) rK(X1;X2kZ) ✏, (3) 1

nlog|K| 1

nH(K1) +✏. (4)

where_K is the key’s alphabet andKi_2K,i_2{1,2, ..., n_}.

Based on the definition above, we can extend to the defini-tion of the rate of a secret group key shared amongnnodes,

rK(XikZ), by combining all pairwise secret key as follows

1 Pr_{K1=K2=...=Km}✏, (5)

1

nmaxi I(Ki;Z)✏, (6) 1

nmaxi H(Ki) rK(XikZ) ✏, (7) 1

nlog|K| 1

nmaxi H(Ki) +✏. (8)

Regarding the constraints above as reference, we devise the key generation scheme in the next sub-section.

C. Key Generation Scheme

1) Transmissions: In this sub-section, we propose a general scheme for generating a secret group key shared among n

legitimate nodes and confidential from an eavesdropping node. There are two phases in the scheme.

In the first phase, each legitimate node transmits a pre-defined pilot signal so that all other legitimate nodes can estimate the channels between the transmitting node and them. There are n time slots in this phase. In time slot i, node i

transmits the pilot signal and the received signal at nodej is given by

yi

j =pphij+zji (9)

wherezi

j is the noise at Aj when receiving a signal from Ai.

After this phase, each node can estimaten 1channels.

The second phase is organized in several rounds. The number of rounds depends on the number of channels,q, to be

estimated and used to generate the keys. We assume that the channels to be estimated by all nodes arehijwhere(i, j)_2H

and|H| =q. Assume that there are R rounds in the second

phase. In roundr, Aj broadcasts a signal given by

xrj = X

i6=j

arijyji = X

i6=j

arij pphij+zij ⌧((i, j)2H) (10)

wherear

ij are coefficient corresponding to received signal yji

at Aj, and ⌧(X) = 1 if X occurs and ⌧(X) = 0 otherwise.

used for key generation. When Aj broadcasts, the received

signal at Ak is given by

y_kr,j=hjkxrj+z r,j

k (11)

=hjkarkj pphjk+zjk ⌧((k, j)2H) (12) +hjk X

i₆=j i₆=k

arij pphij+zji ⌧((i, j)2H) +z r,j k .

(13) The terms in (12) and (13) correspond to the cases of i=k

andi6=k, respectively.

In each round, a node combines all received signals in the first phase with pre-determined coefficients and broadcasts it. There are n time slots in each round so that each node has a chance to broadcast its combined received signals. In different rounds, a node uses different coefficients in order to avoid broadcasting the same signal repeatedly. The scheme is designed in such a way that all legitimate nodes can estimate

q certain channels and will use the information about these

channels to generate the keys. In the last round, there are probably less than n broadcasting nodes, and therefore less

than ntime slots, because all nodes already received enough

signals to estimate allq channels.

Since already receiving n 1 signals in the first phase, a legitimate node needs to receive at least q n+ 1additional different signals in order to have at least totally q signals

to reliably estimate all q channels. Consequently, we need a

total of _bq n+1

n 1 c rounds, where bxc is the greatest integer

which is not greater than x. The last round consists of q bq nn +11 c(n 1)time slots. This is a necessary condition

but does not guarantee the sufficient condition, all nodes can estimate all q channels. It is because the q signals that a

node received may not consist information about a certain channel which needs to be estimated. This depends on the signals which were previously broadcast by other nodes. It again depends on the particular topology and therefore the scheme design. We have described the transmissions in two phases above. In the next sub-sections, we will show how the channels are estimated and quantized.

2) Estimation: After receivingn 1pilot signals from other

nodes as one in (9), Ak has the estimations ˆhkjk = yjk

p_p = ⇣

hjk+_pzjk p

⌘

, j₆=k.Having these estimations, Ak can cancel

the related component in the term in (12), and estimate hij in the term in (13). There are totallyQ= n(n₂ 1)channels in the

network in which q channels are to be estimated. Arranging yr,j_k in (11) for all 1r R, j 6=k,1 j n where R

is the number of rounds, we haven 1channel estimations,

andq (n 1)channels to be estimated.Rtherefore depends

onn. The coefficientsar

kjshould be optimized for a specified

network and scheme design. We will demonstrate this in the next section with n= 4.

3) Quantization: After each of n nodes estimates all q

channels, it quantizes the estimated channels into nK keys.

We consider some cases as follows.

−3 −2 −1 0 1 2 3

−3

−2

−1 0 1 2 3

Fig. 1. A demonstration of vector quantization in a 2-dimensional space with code vectors represented by blue stars in Voronoi sets. A channel (the blue square) and its estimated versions at 4 legitimate nodes (the green, purple, magnetic and yellow circles) and the eavesdropper (the red circle) in a simulated realization.

If nK = 1, each node combines all the information of q

channels into one key. There are many methods to do this as follows

• Quantizing each information dimension, i.e. degree of

freedom, of each channel into a key: There are two dimensions for a estimated channel, real and imaginative parts or magnitude and phase. Combine all2q keys into the final key by mapping. This method quantizes each dimension independently using scalar quantization. To quantize a dimension of an estimated channel, which is normally distributed, we use the quantization steps as

xl = p2f_E1 ₂nlB 1

2 where 2 is the variance of

the corresponding dimension,f_E1 is the inverse function of the error function given by fE(x) = erf(x) =

2

p

⇡

Rx

0 e

t2

dt and nB is the bit number when using binary codes. We choosexlas such to guarantee that the

probabilities that an information dimension corresponds to quantization intervals are equal and the key entropy is maximized.

• Treating each dimension of the channel as a dimension

of a2q-dimensional vector and usingvector quantization

to quantize this vector: This method gives a lower key disagreement rate (KDR), but it is much more compli-cated than using SQ. One efficient algorithm is Linde-Buzo-Gray (LBG) [5] which is given in Algorithm 1 for vectors with nD dimensions and can be easily modified

for 2q dimensions.

• Combining a certain number of dimensions, saynD, into

a vector such that nDnV = 2q, quantize nV vectors

independently, and combine all outputs into one final key. If nK = 2q, 2 dimensions of all channels are independently

quantized. If 1 < nK <2q, a certain number of dimensions

are grouped into a vector accordingly with a similar approach as in the case withnK= 1.

III. 4-NODEMESHTOPOLOGY

In the previous section, we have presented the key gener-ation for a generaln-node network topology. In this section,

Data: The distribution ofnD-dimensional vectors to be

quantized.

Result: All code vector cn

0,n={1,2, ..., N0}.

• Generate M nD-dimensional vectors using assumed

distribution and fix ✏to be a small number.

• AssignN = 1,c10= M1 PM

m=1xm, and D0=M n1D

PM

m=1kxm c10k2.

while N < N0 do

• Fori={1,2, ..., N}, splitci1= (1 +✏)ci0, cN1+i= (1 +✏)cN0+i and setN = 2N. • Set D1=D0 and set the iteration indexi= 1.

while Di 1 Di

Di 1 >✏do

- Form= 1,2, ..., M, find the minimum value of kxm cnik2 over alln= 1,2, ..., N. Leti0 be

the index which achieves the minimum. Set

Q(xm) =ci0

i .

- Forn= 1,2, ..., N, update the codevector

cni+1=

P

Q(xm)=cni xm P

Q(xm)=cni 1

. (14)

- Set i=i+ 1. - CalculateDi= 1

M nD

PM

m=1kxm Q(xm)k2.

end

• Set D0=Di. For n= 1,2, ..., N, setcn0 =cni

as the final. end

Algorithm 1:LBG algorithm for quantizingnD-dimensional

vectors.

A. System Model

The general system model for an-node topology in Section II-A is also applied here. The nodes and channels are denoted as shown in Fig. 2. The information of all six channels in the network, i.e., q = 6, will be used to generate nK keys. The

received signal and noise at nodei,i=_{A,B,C,D_}, in time slotj,j=_{1,2, ...,8_}, is denoted byy_ij andz_ij, respectively.

B. Scheme Description

1) Transmissions: In Phase 1, each legitimate node trans-mits a pilot signal of pp. Their received signals are given by

y2

A=pph1+zA2, yB1 =pph1+zB1,

y3

A=pph5+zA3, yB3 =pph2+zB3,

y4

A=pph4+zA4, yB4 =pph6+zB4,

y1

C=pph5+zC1, yD1 =pph4+z1D,

y2

C=pph2+zC2, yD2 =pph6+z2D,

y4

C=pph3+zC4, yD3 =pph3+z3D.

(15)

Using (15), each node estimates 3 channels between itself and 3 other nodes.

In order to estimate all 6 channels at each node, it has to re-ceive at least 3 additional signals which contain the 3 channels that have not been estimated. Since a node cannot receive any new information when it transmits, each node should transmit

h1

h2

h3

h4

h5

h6

A B

C D

E

Fig. 2. System model of 4 legitimate nodes (A, B, C and D) and one passive eavesdropper (E).

at least once. This means that 4 time slots are required in Phase 2. According the general scheme described in sub-section II-C1, a node has to combine all 3 estimated channels in Phase 1 and broadcast it. However, for a 4-node mesh topology, if a node combines 2 estimated channels and broadcasts, other legitimate nodes still have enough information of the needed channels. Hence for the sake of simplicity, we design that A, B, C, and D broadcast signals xA = a4y4A+a5yA3,

xB=b1yB1+b6yB4,xC=c2yC2+c5yC1, andxD=d3yD3+d6yD2,

respectively, where ai, bi, ci, and di are corresponding co-efficients. Due to the transmit power constraint, the coef-ficients should satisfy a2

4( 24 + 2) + a52( 52 + 2) = p,

a2

1( 12+ 2)+a62( 26+ 2) =p,a22( 22+ 2)+a52( 52+ 2) =p,

anda2

3( 32+ 2) +a62( 26+ 2) =p. The received signals at

A, B, C and D from time slot 5 to 8 are respectively given by

y6

A=h1(b1h1+b6h6) +h1(b1z1B+b6zB4) +zA6,

y7

A=h5(c2h2+c5h5) +h5(c2zC2+c5z1C) +zA7,

y8

A=h4(d3h3+d6h6) +h4(d3z3D+d6zD2) +zA8,

y5

B=h1(a4h4+a5h5) +h1(a4z4A+a5zA3) +z5B,

y7

B=h2(c2h2+c5h5) +h2(c2zC2 +c5zC1) +zB7,

y8

B=h6(d3h3+d6h6) +h6(d3zD3 +d6z2D) +z8B,

y5

C=h5(a4h4+a5h5) +h5(a4zA4 +a5zA3) +zC5,

y6

C=h2(b1h1+b6h6) +h2(b1zB1 +b6zB4) +zC6,

y8

C=h3(d3h3+d6h6) +h3(d3z3D+d6zD2) +z8C,

y5

D=h4(a4h4+a5h5) +h4(a4zA4 +a5z3A) +zD5,

y6D=h6(b1h1+b6h6) +h6(b1zB1+b6zB4) +zD6,

y7

D=h3(c2h2+c5h5) +h3(c2zC2 +c5z1C) +zD7.

(16)

2) Estimation: Denote the received signal vector at node

i, i = {A,B,C,D}, in Phases 1 and 2 as y1

i and y2i,

respectively, with y1

A = [yA2 y3A yA4]T, y1B = [yB1 yB3 yB4]T,

y1

C= [yC1 yC2 yC4]T,yD1 = [yD1 yD2 yD3]T,y2A= [yA6 yA7 y8A]T,

y2

B = [yB5 yB7 yB8]T,yC2 = [y5C yC6 yC8]T,yD2 = [yD5 y6D y7D]T.

Denote the channel vectors that nodeican estimate in Phases 1 and 2 ash1

i andh2i, respectively, with h1A = [h1 h5 h4]T,

h1

B = [h1 h2 h6]T, h1C = [h5 h2 h3]T, h1D = [h4 h6 h3]T,

h2

A = [h2 h3 h6]T, h2B = [h3 h4 h5]T, h2C = [h1 h4 h6]T,

h2

D= [h1 h2 h5]T.

The channel vector h1

i estimated by node i in Phase 1 is

given by

ˆ

h1

i =

y1

i

p_p. (17)

The received signal vector at node i in Phase 2 is given by

y2

uB = [0 h2c2h2 h6d6h6]T, uC = [h5a5h5 0 h3d3h3]T, uD= [h4a4h4 h6b6h6 0]T, and

FA=

0

@h50c2 00 h10b6

0 h4d3 h4d6

1 A,FB=

0

@ 00 h10a4 hh12ac55

h6d3 0 0

1 A,

FC=

0

@h20b1 h50a4 h20b6

0 0 h3d6

1 A,FD=

0

@h60b1 00 h40a5

0 h3c2 h3c5

1 A,

z2

A=

0 @ h1(b1z

1

B+b6zB4) +z6A

h5(c2zC2 +c5z1C) +zA7

h4(d3zD3 +d6z2D) +z8A

1 A,

z2B=

0

@ h1(a4z

4

A+a5zA3) +zB5

h2(c2zC2 +c5z1C) +zB7

h6(d3zD3 +d6z2D) +z8B

1 A,

z2C=

0

@ h5(a4z

4

A+a5zA3) +zC5

h2(b1zB1+b6zB4) +z6C

h3(d3zD3 +d6z2D) +z8C

1 A,

z2D=

0

@ h4(a4z

4

A+a5zA3) +z5D

h6(b1zB1+b6zB4) +z6D

h3(c2zC2 +c5z1C) +zD7

1 A.

Vector ui consists of the variables which can be estimated at

node iand is therefore canceled out of yi as follows

˜

y2i =y2i uˆi

⇣ ˆ

h1i

⌘

=Fih2i +z2i +wi2. (18)

Since the information about_hˆ1

i at nodei is imperfect, vector

ui that nodeicalculates is also imperfect and therefore given

above as a function of _hˆ1

i as uˆi ⇣

ˆ

h1

i ⌘

. The cancellation in (18) is also imperfect, hence, y˜2

i consists of an error vector

denoted by w2

i.

The channel vector h2

i estimated by node i using MMSE

estimator is then given by_hˆ2

i = FHi Fi+Ki

1

FH

i y˜ where

Ki=E

h

z2

i z2i Hi

, which is given by

KA= diag 0 @ |h1|

2 _b2

1+b26 2+ 2

|h5|2 c22+c25 2+ 2

|h4|2 d23+d26 2+ 2

1

A, (19)

KB= diag 0 @ |h1|

2 _a2

4+a25 2+ 2

|h2|2 c22+c25 2+ 2

|h6|2 d23+d26 2+ 2

1

A, (20)

KC= diag 0 @ |h5|

2 _a2

4+a25 2+ 2

|h2|2 b21+b26 2+ 2

|h3|2 d23+d26 2+ 2

1

A, (21)

KD= diag 0 @ |h4|

2 _a2

4+a25 2+ 2

|h6|2 b21+b26 2+ 2

|h3|2 c22+c25 2+ 2

1

A, (22)

wherediag(x)is the diagonal matrix with the diagonal entries

from vector x. However, due to estimation errors in the first

phase, the estimation at nodei will useFˆi andKˆi based on

the corresponding estimated channels _hˆ_{j that it estimated in}

the first phase as in (17) instead ofFi andKi.

3) Quantization: The quantization in the case ofn= 4 is

the same as in the general case ofn-node topology. C. Eavesdropping

In this sub-section, we describe how eavesdropper E can estimate the channels used for key generation. The signals E receives in the first 4 time slots are given byy_Ej =ppgi+gj_E

where(i, j) =_{(A,1),(B,2),(C,3),(D,4)_}. Then E estimate

the channels between the legitimate nodes and it asˆgi= y j

E

p_p.

Denote the channel vector that E needs to estimate byhE= [h1h2h3h4h5h6]T, and the virtual MIMO channel matrix

and the virtual noise vector at E by, respectively,

FE=

0 B B @

0 0 0 gAa4 gAa5 0

gBb1 0 0 0 0 gBb6

0 gCc2 o 0 gCc5 0

0 0 gDd3 0 0 gDd6

1 C C A,

(23)

z2E=

2 6 6 4

gA(a4z4A+a5zA3) +z5E

gB(b1z1B+b6zB4) +zE6

gC(c2zC2+c5z1C) +zE7

gD(d3z3D+d6zD2) +zE8

3 7 7

5. (24)

The received signal vector at E in the last 4 time slots is given by y2

E = FEhE + z2E. The channel

vector hE estimated by E using MMSE estimator is

then given by _hEˆ _{= F}H

EFE+KE

1

FH

Ey˜ where

KE = _Ehz2

E z2E

Hi

= diag⇥_|gA|2 a42+a25 2+ E2,

|gB|2 b21+b26 2+ E2, |gC|2 c22+c25 2+ E2,

|gD|2 d23+d26 2+ 2E

⇤

. Similarly to the estimation at

node i, E also use FEˆ and KEˆ based on giˆ instead of FE

andKE.

IV. SIMULATIONRESULTS

In this section, we use results of an Monte Carlo simulation in Matlab to verify the performance of the proposed scheme and compare it with a benchmark work. In the simulation, four legitimate nodes and one eavesdropping node are randomly located in a rectangle with the edge of 0.5m. The transmit power of all nodes is p = 1 and the path-loss exponent is l= 3.

0 5 10 15 20 25 30 0

0.5 1 1.5 2 2.5 3

SNR(dB)

Secret group key rate (b/s/Hz)

SQ, FC SQ, OC VQ, FC VQ, OC

Fig. 3. Secret group key rate

the meantime, we find the longest portion which is the output at E as the same as one of the legitimate nodes. We regard this portion as the leaked portion of the key. The difference between the key rate and the leaked key rate is the secret key rate. It means that the legitimate nodes can drop the first bits which are known by E and use the rest of the correct bits for a secret key.

We compare our proposed scheme with optimal coefficents (OC), obtained by exhaustive search, and the benchmark scheme with fixed coefficents (FC) of_p1

2[4]. We also compare

vector quantization (VQ) for a channel, i.e. the number of dimensions nD = 2, and the scalar quantization for each of

real and imaginative parts of an estimated channel. The results in Fig. 3 shows that OC scheme always provides a higher rate than FC schemes. For most SNR ranges, the performance of SQ scheme is better than that of VQ scheme due to two reasons. First, since we count the number of continuous correct bits in each realization, the number of bits in a key is not fixed. Voronoi sets in VQ normally optimized for a fixed number of bits are therefore not optimal. Second, mapping from Voronoi sets to the bit sample of the codevector should be optimally derived. The mapping can be achieved by arranging the codes such that the adjacent sets have the least in different bits. It is similar to designing modulation with Gray codes. However, due to the limitation of the length of the paper, we do not consider this optimization for the mapping and will investigate it in a future work.

In the second simulation, we evaluate the key disagreement rate (KDR). In this case, all 6 channels are used to generate a key only. We also use 2-dimensional VQ with a 2-bit codeword for each channel quantization, i.e., the seret key rate of 2⇥6 channels

8 time slots = 1.5 (bits/s/Hz). The OC schemes are

still better than FC schemes in terms of KDR. However, VQ schemes provide a lower KDR than the SQ schemes because we consider a fixed quantization rate in the VQ that can achieve a minimum distortion.

V. CONCLUSION

In this paper, we proposed the scheme of the secret group key generation for legitimate nodes in mesh topology in the presence of an eavesdropper. Specifically, the proposed scheme

10 15 20 25 30 35 40

10−2 10−1 100

SNR(dB)

Key disagreement rate

SQ VQ

Fixed coefficients

Optimal coefficients

Fig. 4. Key disagreement rate

consists of three steps: transmission, channel estimation, and quantization to generate keys. The scheme uses information of several channels to generate the keys. In addition, in the scheme, a node broadcasts a weighted combination of its received signals with optimal coefficients. Moreover, a suitable vector quantization is used to increase the performance of the scheme. Through the simulations, we showed the proposed scheme achieved a higher secret key rate and a lower key agreement rate than a benchmark scheme.

ACKNOWLEDGEMENT

This work was partly supported by the Temasek Research Fellowship and the A*STAR SERC Grant 1224104048.

REFERENCES

[1] K. Ren, H. Su, and Q. Wang, “Secret key generation exploiting channel characteristics in wireless communications,”IEEE Wireless Commun., vol. 18, no. 4, pp. 6–12, Aug. 2011.

[2] C. D. T. Thai, J. Lee, and T. Quek, “Physical-layer secret key generation with colluding untrusted relays,” IEEE Trans. on Wireless Commun., submitted.

[3] I. Csiszar and P. Narayan, “Secrecy capacities for multiple terminals,”

IEEE Trans. on Inform. Theo., vol. 50, no. 12, pp. 3047–3061, Dec 2004.

[4] H. Liu, J. Yang, Y. Wang, Y. Chen, and C. Koksal, “Group secret key generation via received signal strength: Protocols, achievable rates, and implementation,”IEEE Trans. on Mobile Computing, vol. 13, no. 12, pp. 2820–2835, Dec 2014.

[5] Y. Linde, A. Buzo, and R. Gray, “An algorithm for vector quantizer design,”IEEE Trans. on Comm., vol. 28, no. 1, pp. 84–95, Jan 1980. [6] H.-T. Li and Y.-W. Hong, “Secret key generation over correlated wireless

fading channels using vector quantization,” inProc. IEEE Sig. Inform. Process. Asso. Annual Summ. and Conf. (APSIPA ASC), Dec 2012, pp. 1–7.

[7] Y. E. H. Shehadeh and D. Hogrefe, “An optimal guard-intervals based mechanism for key generation from multipath wireless channels,” in

Proc. IEEE Int’l Conf. on New Tech., Mob. and Security (NTMS), Feb 2011, pp. 1–5.

[8] S.-B. Hamida, J.-B. Pierrot, and C. Castelluccia, “An adaptive quan-tization algorithm for secret key generation using radio channel mea-surements,” inProc. IEEE Int’l Conf. on New Tech. Mob. and Security (NTMS), Dec 2009, pp. 1–5.

[9] R. Ahlswede and I. Csiszar, “Common randomness in information theory and cryptography-Part I: Secret sharing,”IEEE Trans. on Inform. Theory, vol. 39, no. 4, pp. 1121–1132, Jul. 1993.

[10] T. Shimizu, H. Iwai, and H. Sasaoka, “Physical-layer secret key agree-ment in two-way wireless relaying systems,”IEEE Trans. on Inform. Forensics and Security,, vol. 6, no. 3, pp. 650–660, Sep. 2011. [11] H. Zhou, L. Huie, and L. Lai, “Secret key generation in the two-way