1. Introduction
Wireless communication is ubiquitous in our daily life, and it is expected to support extremely high data rates and radically new applications in the foreseeable future. Meanwhile, wireless transmission is vulnerable to eavesdropping attacks due to the broadcast nature of the wireless medium. Therefore, safeguarding data transmission is given top priority in the development of next-generation wireless networks [1,2]. A paradigmatic problem in securing data transmission is key distribution. Traditional public key cryptography techniques are widely used in existing communication networks. However, they require a public key infrastructure and are computationally intensive, and thus encounter key distribution and management difficulties in resource-limited mobile networks. Furthermore, with the advent of quantum computers capable of rapidly performing complex, large-scale factorization, traditional cryptography mechanisms based on computational complexity are no longer reliable.
Recently, physical layer key generation (PKG) has emerged as a supplement to upper-layer key distribution methods [2]. Its underlying idea is to exploit channel reciprocity and the uncertainty of multipath characteristics to encrypt the transmitted information, thereby solving the problem of symmetric secret key distribution [3,4]. Besides, spatial variation prevents eavesdroppers from observing the same randomness as legitimate users, provided the distance between them is sufficiently large.
Although the uplink and downlink channels are reciprocal, measurements of radio channels are not identical, due to differences originating from additive noise, transceiver hardware, and the time delay in time division duplex (TDD) systems [5]. However, the objective of PKG is to generate a pair of strictly identical symmetric keys; even one bit of difference would lead to decryption failure due to the avalanche effect. To address this issue, information reconciliation is exploited to detect and correct errors in the preliminary key material between the two communicating parties [6].
Several information reconciliation approaches have been proposed in previous work. Generally, these approaches can be classified into two categories, i.e., error detection protocol-based approaches (EDPAs) and error correction code-based approaches (ECCAs). EDPAs, such as BBBSS [7], Cascade [8], and Winnow [9], use multiround interactive parity checks to eliminate mismatches. In EDPAs, Alice divides the preliminary key material into small blocks and sends the parity information of each block to Bob. Bob divides his key material in the same way, computes parity check bits, and checks for mismatches. For each mismatch, Bob performs a binary search on the block to find a correction vector, which may fix the errors. These steps are iterated a number of times to ensure a high probability of success. Bennett et al. proposed BBBSS, based on the permute-and-bisect method, in the first implementation of quantum key distribution (QKD) [7]. To reduce information leakage, Brassard and Salvail proposed an improved scheme called Cascade in [8]. Cascade uses the information from the preceding passes to correct errors flagged by the parity checks of the current pass. The parity check in the bisect step has also been replaced with an MD5 hash [10] and with a cyclic redundancy check (CRC) [11] to further reduce the information leakage of Cascade. A more efficient implementation of Cascade, exploiting information already inherent in the protocol, namely exactly known bits and already known parities, was proposed in [12]. However, these approaches lead to more interactions, since parallelization becomes much more challenging. Winnow is another interactive reconciliation protocol, introduced by Buttler et al. in [9]. Different from BBBSS and Cascade, Winnow resolves the errors in a block using a syndrome calculation with Hamming codes. Parity bits and syndromes can be calculated and exchanged in parallel, making the protocol less interactive than Cascade. However, Winnow can introduce new errors if the error count per block is more than two. A modified one-way error reconciliation protocol that employs a mixed Hamming code concatenation scheme was proposed in [13] to study the relationship between the error correction capability and the key generation efficiency.
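The parity-and-bisect mechanism shared by BBBSS and Cascade can be sketched as follows. This is a minimal single-pass illustration under our own naming, not the authors' implementation; real protocols add permutation between passes and track leaked parities:

```python
def parity(bits):
    """Parity (XOR) of a list of 0/1 bits."""
    return sum(bits) % 2

def bisect_correct(alice_block, bob_block):
    """Binary-search the bit where the block parities disagree.

    Mirrors the bisect step of BBBSS/Cascade: each probe reveals one
    parity bit of a half-block, so a block of length L leaks about
    log2(L) bits while locating (and flipping) one error.
    """
    lo, hi = 0, len(alice_block)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        # Alice would transmit parity(alice_block[lo:mid]); Bob compares.
        if parity(alice_block[lo:mid]) != parity(bob_block[lo:mid]):
            hi = mid
        else:
            lo = mid
    bob_block[lo] ^= 1  # flip the located bit

def edpa_pass(alice, bob, block_len):
    """One pass of parity-check reconciliation over fixed-size blocks."""
    for start in range(0, len(alice), block_len):
        a = alice[start:start + block_len]
        b = bob[start:start + block_len]
        if parity(a) != parity(b):  # block holds an odd number of errors
            bisect_correct(a, b)
            bob[start:start + block_len] = b
```

Note that a single pass corrects at most one error per block and leaves even-error blocks undetected, which is exactly why these protocols iterate over several permuted passes.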
On the other hand, it has been shown that reconciliation can be viewed as a special case of channel coding [6]. Therefore, existing coded modulation techniques can be adapted for reconciliation. ECCAs correct the mismatches using error correction codes such as Hamming codes, BCH codes, and low-density parity-check (LDPC) codes [6,13,14,15]. Alice and Bob divide the preliminary key material into vectors. Using the error correction code, Alice calculates and sends the parity check bits to Bob. Bob applies the corresponding decoder, where the required code word is composed of Bob's information vector and the received parity bits. If the number of bit disagreements is smaller than the error correcting capability, synchronized key material is guaranteed. Only one round of interaction is required in ECCA. In [13], a reconciliation protocol based on a mixed combination of Hamming syndrome concatenation is proposed. A reconciliation scheme that uses syndromes of a BCH code for error correction and a one-bit feedback to report successful decoding is studied in [16]. In [17], the authors proposed using Turbo codes for reconciliation. An information reconciliation protocol based on a rate-compatible construction of LDPC codes was proposed in [18]. However, the information leakage and computation complexity are generally higher in ECCA.
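The syndrome-based correction underlying ECCAs can be illustrated with the smallest Hamming code. This is our own toy sketch using a Hamming(7,4)-style parity-check matrix, not the BCH construction studied later; it shows why one-way transmission of a short syndrome suffices to fix a single disagreement per block:

```python
# Columns of H are the binary representations of 1..7 (Hamming code).
H = [[(col >> r) & 1 for col in range(1, 8)] for r in range(3)]

def syndrome(bits):
    """3-bit syndrome s = H · bits^T over GF(2) for a 7-bit word."""
    return [sum(h * b for h, b in zip(row, bits)) % 2 for row in H]

def ecca_reconcile(alice_block, bob_block):
    """One-way syndrome reconciliation on a 7-bit block.

    Alice transmits syndrome(alice_block) (3 leaked bits); Bob XORs it
    with his own syndrome. A nonzero difference equals the position
    (1..7) of the single disagreeing bit, which Bob flips. More than
    one error per block defeats the code and may introduce new errors.
    """
    s_a = syndrome(alice_block)  # sent over the public channel
    s_b = syndrome(bob_block)
    diff = [x ^ y for x, y in zip(s_a, s_b)]
    pos = sum(bit << r for r, bit in enumerate(diff))  # 0 = no error seen
    if pos:
        bob_block[pos - 1] ^= 1
    return bob_block
```

Because only the syndrome difference matters, the scheme works on raw key material that is not itself a codeword, which is the essence of treating reconciliation as channel coding.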
In existing work, reconciliation efficiency is the most commonly used evaluation metric; it is inversely proportional to the leakage bit rate (LBR). However, little work takes the interaction delay and computation complexity into account, even though these factors may greatly affect reconciliation efficiency in some specific scenarios. For example, heavy interaction is unbearable in long-distance satellite communications, and in Internet of Things (IoT) networks with limited resources, computation complexity has to be considered. Furthermore, both EDPA and ECCA have their pros and cons, and there is still a gap regarding how to integrate their strengths to improve reconciliation efficiency. To address these problems, this paper carries out a comprehensive theoretical study of information reconciliation schemes to establish identical secret keys with high efficiency. Our contributions are as follows.
A comprehensive reconciliation evaluation metric is proposed, taking into consideration the LBR, interaction delay, and computation overhead. The metric represents the effective number of corrected bits per unit time, and its calculation expression is derived in this paper.
The characteristics of BBBSS and BCH are analyzed from the perspective of the proposed new metric. Combining the advantages of the two, a new hybrid information reconciliation protocol (HIRP) is proposed. The detailed realization steps of HIRP are presented, including training, table lookup, and testing.
The simulation results verify the theoretical analysis of both BBBSS and BCH. Monte Carlo simulations validate that the proposed HIRP outperforms the other two approaches, providing more efficient information reconciliation in PKG.
The rest of the paper is organized as follows. Section 2 introduces the system model, the secret key generation process, and the general information reconciliation model. Section 3 states the problem studied in this paper. Section 4 provides a comprehensive reconciliation efficiency metric and presents the calculation expression for each factor. Section 5 proposes a new hybrid information reconciliation protocol (HIRP) and designs the realization algorithms. Section 6 presents the simulation results, and Section 7 concludes the paper.
2. System Model
2.1. General System Model
We consider a general single-input single-output single-eavesdropper (SISOSE) model. All users are equipped with a single antenna. Alice and Bob are two distinct legitimate users separated by a distance of d meters. The communication system works at a frequency of GHz with a bandwidth of B Hz; the data transmission rate is then B bits per second (bps). Alice and Bob intend to extract secret keys from their channel characteristics to protect the data transmission. Key generation requires a temporally dynamic channel, and the channel variation can be introduced by the movement of users and/or surrounding objects [19].
Eve is a passive eavesdropper located more than the coherence distance away from both Alice and Bob. By the definition of coherence distance, the coherence distance at a carrier frequency of 2.4 GHz is cm. Therefore, we assume that Eve experiences a fading channel independent of that of Alice and Bob. Nevertheless, Eve knows the complete communication protocol, the pilots, and all the information transmitted over the public channels between Alice and Bob.
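As a sanity check on the order of magnitude, a common rule of thumb (an assumption on our part; definitions of coherence distance vary and may differ from the one used in this paper) takes the coherence distance to be half a carrier wavelength:

```python
# Rule-of-thumb estimate (assumption: coherence distance ~ half a
# wavelength; the paper's exact definition may differ).
C = 299_792_458.0   # speed of light, m/s
f_c = 2.4e9         # carrier frequency, Hz

wavelength = C / f_c                      # ~0.125 m at 2.4 GHz
coherence_distance_cm = 100 * wavelength / 2   # ~6.2 cm
```

Any eavesdropper more than a few centimeters away at this carrier frequency would thus observe an essentially independent fading channel.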
The notations used in this paper, and their definitions, are summarized in Table 1.
2.2. Secret Key Generation Process
Considering the -th round of secret key generation, Alice and Bob generate secret keys during a period of time T, as shown in Figure 1, which includes four main steps: channel sounding, quantization, information reconciliation, and privacy amplification. First, Alice and Bob estimate their channel characteristics through channel sounding, i.e., by sending pilots to each other. Eve may also estimate her channel to Alice or Bob; for simplicity, Eve's channel refers to that between Eve and Bob in this paper. Denote the channel characteristics estimated during T for user as with length , where A, B, and E represent Alice, Bob, and Eve, respectively. Secondly, user u maps the input values from into output values in a bit sequence set through quantization, e.g., channel quantization with guardband (CQG) used in [20]. The quantized bit sequence is represented as with length .
Up to this point, there exist unavoidable bit disagreements between and , caused by the time delay in TDD systems, hardware differences, and noise [21]. Although some preprocessing approaches, e.g., principal component analysis (PCA) [20], are applied, the bit disagreements are not fully eliminated. However, even a one-bit difference in a secret key will trigger an avalanche effect, leading to complete decryption failure. To deal with this problem, Alice and Bob correct the bit disagreements of through information reconciliation, and the corrected bit sequence is denoted by with length . In total, bits of parity information M are transmitted during the reconciliation process. The dashed line in Figure 1 indicates that the communication may be either bidirectional or one-way. Unfortunately, M is also leaked to Eve, as she knows all the information transmitted over public channels. According to the leftover hash lemma, bits arbitrarily chosen from are discarded during the privacy amplification step to guarantee key security. For example, when and , a simple realization is to map the 168-bit corrected sequence to a 128-bit random sequence through an MD5 hash function. Finally, key consistency is verified by sending a simple hash value of from one party to the other. If the hash values are identical, the -th round of secret key generation is successful; otherwise, it fails, and the is discarded.
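The privacy amplification and verification steps above can be sketched as follows. This is a minimal illustration based on the MD5 example in the text; the hash used for the consistency check and all function names are our assumptions:

```python
import hashlib

def privacy_amplify(bits, out_bits=128):
    """Hash-based privacy amplification, as in the text's example of
    mapping a 168-bit reconciled sequence to a 128-bit key via MD5."""
    data = int(''.join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, 'big')
    digest = hashlib.md5(data).digest()  # 128-bit output
    return bin(int.from_bytes(digest, 'big'))[2:].zfill(128)[:out_bits]

def keys_agree(key_a, key_b):
    """Consistency check: exchange a short hash of the key instead of
    the key itself; identical tags mean the round succeeded.
    (SHA-256 here is our choice; the paper only requires some hash.)"""
    tag = lambda k: hashlib.sha256(k.encode()).hexdigest()[:8]
    return tag(key_a) == tag(key_b)
```

The avalanche effect mentioned in the text is visible here: flipping a single reconciled bit before amplification yields a completely different key, so the exchanged tags disagree and the round is discarded.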
2.3. A General Model for Information Reconciliation
Various approaches, including EDPA and ECCA, are proposed for information reconciliation. In this section, we establish a general model for them. During the information reconciliation step, Alice communicates with Bob over public channels for K passes. All information transmitted over public channels is assumed to be error-free.
An EDPA, such as BBBSS, has rounds of back-and-forth interactions in the k-th pass. In each round of interaction, Alice first sends the parity information to Bob, and Bob then feeds back the error position information to Alice. On the other hand, an ECCA, such as one based on BCH codes, generally has only one pass and one round of communication, i.e., and . This is because the error correction code suffers error propagation when the number of errors exceeds its error correcting capability, so it is inefficient for an ECCA to gradually reduce the number of bit errors through multiple passes or rounds. Besides, ECCA uses one-way communication, in which Alice sends a syndrome to Bob but Bob does not provide feedback. Bob uses the syndrome to correct his channel observation through decoding algorithms, e.g., the Viterbi algorithm.
Figure 2 illustrates the information reconciliation process for both EDPA and ECCA. During the k-th pass of communication, Alice and Bob divide into groups with group length . Denote as the estimated average number of error bits in one group. For EDPA, the group length is designed to guarantee that each group has about one error, i.e., . During the first round of communication ( ), Alice sends the parity of each group to Bob, and Bob feeds back the indexes of the wrong groups; a group is defined as an error group if the parity information of Alice and Bob differs. Then, for each wrong group, rounds of bisect error correcting are applied to find the position of the error bit. As for ECCA, the group length depends mainly on the affordable decoding complexity at Bob. Within the affordable range, the larger the , the more accurate the ; therefore, is usually set to the largest affordable length, and each group may have more than one error in this case. According to the signal-to-noise ratio (SNR), it is estimated that the ratio of to matches the coarse bit disagreement ratio (BDR) estimate of . Then, ECCA chooses the error correction code , where , , and are the code length, message length, and error correcting capability, respectively. The code satisfies the message bit length and the correctable error number . Next, Alice divides into groups and sends all the groups' syndromes to Bob. According to the syndromes, Bob corrects the inconsistent bits in using decoding algorithms.
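The parameter rules described above can be summarized in a short sketch. The EDPA rules follow the text directly; the safety margin in the ECCA rule is our own assumption, since the text only requires the correcting capability to cover the expected errors per group:

```python
from math import ceil, log2

def edpa_group_len(bdr):
    """EDPA rule from the text: choose the group length so that each
    group holds about one expected error, i.e. L_g ~ 1 / BDR."""
    return max(2, round(1 / bdr))

def edpa_bisect_rounds(group_len):
    """Bisecting a group of length L takes about ceil(log2 L) parity
    exchanges to locate one error bit."""
    return ceil(log2(group_len))

def ecca_min_t(code_len, bdr, margin=2.0):
    """ECCA sketch: the code's error correcting capability t must
    cover the expected errors per group (code_len * BDR), here padded
    by an assumed safety factor to reduce decoding failures."""
    return ceil(margin * code_len * bdr)
```

For example, at a 5% BDR an EDPA would use groups of about 20 bits with 5 bisect rounds per error group, while an ECCA with 255-bit groups would need a code correcting at least a few dozen errors, illustrating why ECCA leakage grows quickly with the BDR.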
3. Problem Statement
Information reconciliation approaches are mainly categorized as EDPA or ECCA, and each has its advantages and drawbacks. The downside of EDPA is that it needs multiple passes and multiple rounds of back-and-forth interaction, as shown in Figure 2. When Alice is far away from Bob, this causes a very large interaction delay and communication overhead. Furthermore, the efficiency of EDPA decreases as the pass number increases; the proof is provided in Section 3. On the plus side, EDPA only uses bisect error correcting, which consumes less computation and leaks less information.
Conversely, ECCA has only one pass, one round, and one-way communication, so the interaction delay and communication overhead are significantly reduced. The negative side of ECCA is its expensive computation overhead and large information leakage, especially in low-SNR scenarios. If is small, the estimate of is inaccurate, which may lead to error propagation; conversely, if is large, the decoding complexity is high. Even worse, the information leakage of ECCA increases rapidly with the rise of . Table 2 summarizes the features of EDPA and ECCA.
Since both EDPA and ECCA have their pros and cons, a natural question arises: "How can the performance of an information reconciliation approach be evaluated comprehensively?" Existing work only considers one or two performance indicators, e.g., information leakage, while lacking evaluations of interaction time, complexity, etc. The subsequent question is: "Is it possible to integrate the strengths of both EDPA and ECCA to design a new reconciliation approach that trades off all these performance indicators?" To address this problem, we first propose a comprehensive metric to evaluate the efficiency of reconciliation approaches. Next, we discuss the performance of EDPA and ECCA, respectively; in this paper, we choose BBBSS for EDPA and the BCH code for ECCA as a case study. Under the guidance of the new metric, we then design a new approach named HIRP to achieve good efficiency.
6. Simulations
In this section, we give simulation results for BBBSS, BCH, and our proposed HIRP scheme with and for comparison. The communication distance is set as km, and the communication bandwidth is MHz. The communication overhead in one interaction is set as ms in consideration of packet loss.
First, we simulate the efficiency metrics of BBBSS in every individual pass. The results are given in Figure 7. Both the corrected bit number and the information leakage ratio decrease as the pass number increases. The interaction time delay rises at first and then falls after the fourth pass. This is caused by the fact that the group length increases while the number of error groups is not reduced significantly. Overall, as shown in Figure 8, the metric decreases with the increase in pass number, which means that BBBSS has high efficiency in the first several passes. The simulation results coincide with the theoretical analysis in Section 5.1.
We also simulate the individual performance of BCH for different BDRs in Figure 9. As the BDR increases, the information leakage ratio, the time delay, and the computation time all show an upward trend. Therefore, the performance of presents a generally falling tendency, as shown in Figure 10. When the BDR is lower than , the shows a slight increase, because the corrected bit number rises significantly with the increase in BDR.
Next, we compare the information leakage, the time delay, the computation time, and the comprehensive efficiency of various information reconciliation approaches, including BBBSS, BCH, and HIRPs with optimal and designed pass numbers. Figure 11a shows the information leakage ratio versus the BDR. BCH has the highest information leakage ratio, which rises significantly with the increase in BDR. When the BDR is , the BCH code is chosen as , and the leakage ratio reaches 1; therefore, we do not present the BCH performance results for BDRs larger than . The leakage ratio of the HIRPs is almost identical to that of BBBSS, and both grow slowly with the BDR. Figure 11b presents the interaction time delay as a function of the BDR. BBBSS has a longer interaction time than the others, while the HIRPs have the shortest time delay and the slowest growth for BDRs above .
Figure 12a describes the computation time with respect to the BDR. The computation complexity rises significantly as the BDR ramps up. BCH has the longest computation time, which becomes significant in high-BDR regions; BBBSS has the shortest, and the HIRPs lie in between. In addition, the computation times of BBBSS and the HIRPs rise slowly with the increase in BDR. Figure 12b compares the efficiency of the different information reconciliation approaches. In low-BDR regions, BCH performs better than BBBSS, while in high-BDR regions, the opposite is true. It is observed that the of HIRP outperforms that of both BBBSS and BCH over all BDR regions. It should be noted that when we only consider information leakage and computation time, HIRP seems to have no advantage over BBBSS. However, the time delay in Figure 11b shows that HIRP has a much lower time delay than BBBSS; the multipass interaction in the BBBSS protocol seriously increases its time delay. Therefore, the final comprehensive efficiency of HIRP is higher than that of BBBSS. In addition, HIRP with the designed p has almost the same performance as HIRP with the optimal p. These results verify the effectiveness of our proposed approach.
Table 7 shows the numerical improvement of HIRP over BBBSS and BCH. According to Equation (7), the effective reconciliation rate is inversely proportional to the information leakage , the time delay , and the computation time . Compared to BBBSS, the comprehensive efficiency is improved 2.48 times, mainly because HIRP reduces by 73% on average. Compared to BCH codes, HIRP reduces , , and , which results in an improvement of HIRP efficiency by an average of 22.36 times.