Efficient Physical-Layer Secret Key Generation and Authentication Schemes Based on Wireless Channel-Phase

Exploiting the inherent physical properties of wireless channels to complement or enhance the traditional security mechanisms has attracted considerable attention recently. However, the existing secret key generation schemes suffer from a complicated extraction procedure, and many PHY-layer authentication schemes assume that the shared key is known in advance. In this paper, we propose PHY-layer secret key generation and authentication schemes for orthogonal frequency-division multiplexing (OFDM) systems. In the secret key generation scheme, to simplify the extraction procedure, only one legitimate party is chosen to probe the channel and quantize the measurements to obtain the preliminary key. The preliminary key is masked by the channel-phase after the mapping and before equalization and distributed to the other party. The final shared key is used for the PHY-layer authentication scheme, in which random signals and the shared key masked by the channel-phase are exchanged at the PHY-layer. Then, a binary hypothesis test is formulated for authentication. Simulation results show that the proposed secret key generation scheme outperforms the existing schemes. The PHY-layer authentication scheme is immune to various passive and active attacks and achieves a high successful authentication rate even in the low signal-to-noise ratio region.


Introduction
With the continuous development of wireless communications, people pay more and more attention to security issues. The security mechanisms of traditional communications networks mainly rely on symmetric or asymmetric encryption algorithms to achieve confidentiality and authentication. However, due to the lack of key management infrastructures and the limited resources of the devices, the conventional security mechanisms may be inapplicable in wireless communications. In addition, the broadcast nature of wireless channels makes wireless communication easy for an adversary to eavesdrop on or intercept [1,2]. Therefore, interest is growing in exploiting the characteristics of the wireless channels at the PHY-layer to enhance and complement the conventional security mechanisms, such as secret key extraction from the characteristics of wireless channels [3–19] and PHY-layer authentication [20–27].
From an information-theoretic perspective, the authors of [3,4] demonstrated that it is possible to extract secret key bits from correlated random sources. Fortunately, with the properties of randomness, location-specificity, and reciprocity, the wireless channels can be seen as natural correlated random sources. In [5], Hassan et al. first introduced the idea of generating secret keys from the characteristics of the wireless channels. Since then, many investigators have focused on extracting secret keys from received signal strength (RSS) [6–9], since the RSS is easy to acquire from off-the-shelf wireless cards. However, these methods suffer from poor scalability and a low secret key generation rate (KGR), which is defined as the average amount of secret key bits produced in one measurement/second [10–12]. To resolve these issues, researchers exploit the channel state information (CSI) to extract secret keys [13–15]. Besides, to increase the KGR, the orthogonal frequency-division multiplexing (OFDM) [18,19] and multi-input-multi-output (MIMO) techniques in the PHY-layer are adopted.
Various efforts have also been made towards PHY-layer authentication, which can be regarded as a complement or an enhancement to the higher layer authentication mechanisms. In general, according to whether or not a shared secret key between the legitimate parties is utilized to authenticate each other, the existing PHY-layer authentication schemes can be divided into key based and keyless [20]. In some practical cases, it might be difficult to implement the keyless authentication schemes [21–23]. This is because the features of either the transmitting device or the specific channel between the legitimate users, which are exploited to authenticate the transmission, are required to be identified. Instead, the authentication schemes based on the shared key between two legitimate users [25–27] are closer to the conventional challenge-response authentication protocols. In [25], the specific spatial and temporal multipath fading channel between the transmitter and the receiver was exploited for an authentication algorithm. The authors of [26] proposed a PHY-layer challenge-response authentication mechanism (PHY-CRAM) where the randomness and reciprocity of the wireless signal amplitude are exploited for authentication. In [27], a PHY-layer phase challenge-response authentication scheme (PHY-PCRAS) was proposed. It exploited the randomness and reciprocity of the channel-phase response to protect the shared key from possible eavesdropping and achieve authentication.
However, the existing secret key generation schemes suffer from a complicated extraction procedure, which may lead to a high secret key bits mismatched rate (BMR, defined as the ratio of the number of bits unmatched between Alice and Bob's preliminary keys to the number of the preliminary key [7]) and inefficient secret key generation. The key based authentication schemes assume that the shared key is known in advance to the authenticated parties, but how to implement the secret key distribution is not given. In this paper, we propose PHY-layer secret key generation and authentication schemes for OFDM systems. Both schemes exploit the randomness and reciprocity of the channel-phase response, which is very sensitive to the distance between the legitimate parties. In the secret key generation scheme, to simplify the extraction procedure, only one legitimate party is chosen to probe the channel and quantize the measurements to obtain the preliminary key. After mapping and before equalizing, the preliminary key is masked in the channel-phase and then distributed to the other legitimate party. The final shared key is used for the PHY-layer authentication scheme, in which random signals and the generated shared key masked by the channel-phase through mapping and before equalizing are exchanged at the physical layer. Then, a binary hypothesis test is formulated for the authentication procedure.
The security strength of our proposed schemes relies heavily on the randomness of the fading channel and the relative geographic location of the attacker and legitimate users, because the channel-phase response is sensitive to the distance between the legitimate parties. That is, even when the attacker's computational power is increased, the security of our schemes is guaranteed.
The major contributions of this paper are summarized as follows:
(i) To simplify the secret key extraction procedure, we propose a secret key generation scheme based on the channel-phase response in which only one node is chosen to generate the preliminary key and further the preliminary key is masked by the channel-phase after mapping and before equalizing and distributed to the other node.
(ii) Extensive simulations are conducted to compare the secret key generation performance of the prior works with the proposed scheme and the security of the keys is evaluated under passive attack.
(iii) With the aid of the secret keys extracted in the proposed secret key generation scheme, we propose a PHY-layer authentication scheme based on the channel-phase response in which the shared key masked by the channel-phase is exchanged at the PHY-layer.
(iv) The judgement of the authentication is transformed into a binary hypothesis test and the security strength is analyzed under various types of attacks.
The remainder of this paper is organized as follows. In Section 2, we introduce the system model for the two proposed schemes. The procedure and performance of the proposed secret key generation scheme are analyzed in detail in Section 3. In Section 4, the proposed PHY-layer authentication is presented and the security and performance of the scheme are evaluated. Finally, concluding remarks are made in Section 5.

System Model Description.
As shown in Figure 1, an OFDM network with three nodes, in which Alice and Bob are legitimate nodes and Eve is an adversary, is considered. Each node is equipped with a single antenna. All nodes work in half-duplex mode and a time-division duplex (TDD) system is employed. The forward and reverse propagation channels are identical during coherence time by reciprocity.
The distance from Eve to both Alice and Bob is more than /2, where  is the wavelength of the radio waves; thus the wiretap channels and the legitimate channel are uncorrelated [28].

The Assumptions.
It is assumed that the subcarriers are well separated for ensuring independent fading, which ensures the randomness of the extracted secret keys and the independence of the subchannels.
For the secret key generation case, Alice and Bob want to build a shared secret key. Eve, a passive adversary who tries to obtain the key by eavesdropping, can monitor all the communications during the secret key extraction but can neither modify any messages exchanged between Alice and Bob nor jam the legitimate channel. For the PHY-layer authentication case, Alice and Bob try to authenticate each other. Eve is an active attacker who can not only listen to the communications for authentication but also perform various active attacks.
The procedures and parameters of the secret key generation scheme and the PHY-layer authentication scheme adopted by Alice and Bob are assumed to be open to Eve.

Channel Reciprocity.
The principle of the short-term reciprocity of the radio channel is the basis of the two proposed schemes. As discussed in [29], this is guaranteed because, in real environments, compared to the channel coherence time   , the processing time of channel probing or authentication can be much smaller. For example, we consider the 2.4 GHz radio frequency carrier. For a mobile scenario, the channel variation is mainly due to Doppler effects and when the relative speed between the transmitter and receiver is V = 60 km/h, the Doppler frequency is   = V/ = 16.67 × 2.4 × 10^9 /(3 × 10^8) = 133.3 Hz. Empirically, the channel coherence time   which is related to the maximum Doppler frequency shift can be calculated as   = 9/16  = 9/(16 × 133.3) = 1.3 ms. In our proposed schemes, the processing time, which demands channel coherence, includes double propagation time   and transmitting time   and one operation delay   . For 5 MHz sampling rate, it takes about   = 16 us to transmit an OFDM symbol with 64 subcarriers and 16 cyclic prefix samples. When the distance is 3000 m, the propagation time   = 10 us. In general, the transmitting time is of the same order as the operation delay. Then the total processing time 2  + 2  +   is much smaller than the coherence time   in our two proposed schemes.

Secret Key Generation and Performance Analysis
In general, a secret key generation scheme consists of the following four steps:
(1) Channel probing: Alice and Bob alternately and periodically send the probe signals to each other to obtain the characteristics of the channel between them.
(2) Measurement quantization: Alice and Bob separately quantize the collected channel characteristics into a bit vector to obtain preliminary secret key bits.
(3) Information reconciliation: due to the nature of half-duplex and noise, a small number of Alice and Bob's preliminary keys may be mismatched. They exchange messages to agree on a synchronized key.
(4) Privacy amplification: since the messages exchanged in the information reconciliation phase are open to Eve, they may be exploited by Eve to infer the generated keys. To address this issue, Alice and Bob apply a privacy amplification method to eliminate Eve's partial information about the key and obtain a shared key.
We can find that, for half-duplex mode, the legitimate nodes have to transmit probe signals alternately to characterize the channel, which means they cannot probe the channel simultaneously. After collecting sufficient measurements, they quantize the measurements into preliminary keys separately. These phases may bring estimation error and quantization error, which may lead to many mismatched bits between the preliminary keys generated by the legitimate parties. Thus, the cost to reconcile the mismatched bits is high.
In this paper, to address this problem, we propose a scheme in which only one of the legitimate nodes is chosen to perform the channel probing and measurement quantization.This simplifies the procedure of secret key generation and eliminates the estimation error and quantization error.
Under the principle of reciprocity, we set h  = h  = h. To maintain the reciprocity requirement, for each of Alice to Bob's channel probes, the corresponding Bob to Alice's channel probe event must be conducted within the coherence time of the channel. The process of the proposed secret key generation scheme is depicted in Figure 2 and the detailed steps are as follows. (Note that throughout this paper, the signals and equations are in frequency domain.)
Step 1 (channel probing). The experiments in [7] revealed that, in certain environments, due to lack of variations in the wireless channel, the extracted bits have very low entropy making these bits unsuitable for a secret key, which can cause predictable key generation by an adversary in these static environments. To prevent this, during channel probing, we utilize random signals to probe the channel. Suppose that Bob is chosen to probe the channel and quantize the channel measurements. Thus, Alice transmits the random probe signal s  = [ ,1 ,  ,2 , . . .,  , ] to Bob, where  , = exp( , ),  , ∼ [0, 2] for  = 1, 2, . . ., , and  is the number of the subcarriers of the OFDM system. The random signal s  is unknown to Bob and Eve.
Figure 2: The process of the secret key generation.
Without loss of generality, we only take the th (1 ≤  ≤ ) subcarrier, for example. Thus, the received signal at Bob can be expressed as where ℎ  denotes the th subchannel response of the legitimate channel in frequency domain and  ℎ, is the underlying subchannel-phase response. The subchannels are independent and identically distributed (i.i.d.) and ℎ  ∼ CN(0,  2 ℎ ). , is the i.i.d. complex Gaussian noise with zero mean and variance  2  . Based on the received signal, Bob gets the subchannel-phase response estimation as where  , is the phase estimation error. Note that the phase of the random probe signal  , is contained in the subchannel-phase response estimation, so we treat θ, as equivalent subchannel-phase response estimation. If Eve is in close proximity to Bob (here the "close" means that the distance between Eve and Bob is much smaller than /2, which may lead to highly correlated h  and h  ), she may infer the preliminary key easily based on her observations. To reduce the risk, Bob adds a stochastic coefficient to θ, as 
Step 2 (measurement quantization and preliminary key distribution). Bob quantizes the vector records   into a bit vector to obtain the preliminary key. Firstly, Bob divides the interval [0, 2) into 2  subintervals, where 2  is the number of quantization levels, which is bounded by the mutual information between Alice and Bob [30]. Thus each  , can be quantized to  binary bits. The th Secondly, Gray code is used to assign a binary code word with  bits to each subinterval. A quantization example with  = 2 is illustrated in Figure 3.
Then, Bob sends a "probe signal" to Alice. Different from the constant probe signal and s  , this probe signal, in fact, is the preliminary key after mapping and before equalizing. Thus, the probe signal can be expressed as where M(⋅) denotes the mapping operation on the preliminary key and  M , = [ ,(−1)+1 , . . .,  ,(−1)+ ] is the th input secret key sequence with length  ( ≤ ). When  = 2, a mapping function can be designed as The mapping function is known to Alice. The subtraction term in (5) denotes the preequalization process using the equivalent subchannel-phase response estimation. In fact, the preequalization process can be seen as an encryption operation; thus the preliminary key is masked by the subchannel-phase response estimation.
Alice's received signal can be expressed as where  , ∼ CN(0,  2  ) is the i.i.d. complex Gaussian noise. Based on the reciprocity between the forward and reverse links and substituting θ, with (2), (7) can be simplified as As observed in (8), during the receiving, Alice completes the subchannel-phase equalization and eliminates the encryption based on the channel reciprocity. Alice further multiplies (8) by the random probe signal  , and gets Then, Alice performs unmapping on the phase of  ,  , to acquire the preliminary key transmitted by Bob.
In conclusion, in this step, Bob firstly obtains the preliminary key by quantizing the vector records and randomly chooses  key bits from the preliminary key as the input key sequences of the mapping function. Secondly, these key sequences are mapped, preequalized, and transmitted to Alice. Lastly, Alice acquires these key sequences based on the channel reciprocity. So the preliminary key is distributed from Bob to Alice.
Step 3 (information reconciliation and privacy amplification). Note that, in our scheme, we assume that the length of the preliminary key is . In practical systems, this length may be much longer, which in turn may require more rounds of channel probing and secret key distribution. Alice and Bob need to update the random probe signal vector s  and the stochastic coefficient vector c  , respectively, after each round.
Due to the noise, a small number of mismatched bits may exist in the preliminary keys of Alice and Bob. Then, the mismatched bits are reconciled by using BCH codes to get synchronized keys. The privacy of the synchronized keys is subsequently enhanced by using a hash function to obtain a secure and common key.
During the secret key generation process, Alice and Bob should do Steps 1 and 2 fast enough to ensure that  2 −  1 is not more than the coherence time. We can observe that due to the random probe signal, the randomness of the channel is ensured even if the environments are static. So it also can address the highly correlated and insecure key bits problem in stationary environments [7].

Performance Analysis.
In this subsection, we will analyze the proposed secret key generation scheme and evaluate its performance in terms of the secret key capacity, bits mismatched, and key generation rates.

Security Analysis.
Eve is a passive attacker and can only listen to the communications during secret key generation. For ease of analysis, we neglect the effect of noise in Step 1 so that Eve's received signal from Alice is where ℎ , = |ℎ , |  ℎ, is the th subchannel from Bob to Eve. We can find that the factors which influence Eve to derive the key bits are the phases of ℎ  , ℎ , , ℎ , , and  , , that is,  ℎ, ,  ℎ, ,  ℎ, , and  , . Besides, the stochastic coefficient  , also impairs Eve's inference to some extent.
To reduce the factors, Eve can multiply (10) by (11) and obtains Then, the factors are reduced to  ℎ, ,  ℎ, , and  ℎ, . Note that since the phase of the signals transmitted by Alice and Bob in Steps 1 and 2 is random, it is hard for Eve to estimate the phases of  ℎ, and  ℎ, . Thus, it is difficult for Eve to derive the generated keys and we will analyze various cases in the following. Firstly, both Alice and Bob are far away from Eve, so that the wiretap channels (i.e., ℎ  and ℎ  ) and the legitimate channel (i.e., ℎ) are uncorrelated, along with the random signal s  and stochastic coefficient c  ; for Eve, it is almost impossible to obtain the generated secret keys from her measurements.
Then, an aggressive case, where Eve is close to Bob, is considered. In this case, ℎ , ≈ ℎ , = ℎ  . Then (10) Then the phase of  , is approximately equal to Bob's equivalent subchannel-phase response estimation θ, . So for Eve it is possible to infer the preliminary key by the same quantization approach. However, due to the random coefficient c  , which is unknown to Eve, the probability of obtaining the key based on  , is low. In (11) and (12), since ℎ , is uncorrelated with ℎ , , for Eve it is improbable to derive the distributed preliminary key. Lastly, we consider that Eve is close to Alice. Under this circumstance, ℎ , ≈ ℎ , = ℎ  , so (11) becomes Since  , is random and unknown to Eve, she cannot infer the key based on  , . In this situation, ℎ , is uncorrelated with ℎ , , so it is obvious that Eve cannot obtain the key based on (10) and (12).
In conclusion, when Eve is a passive attacker, the secret key cannot be derived only by her observations and Alice and Bob can still establish a secure key. In fact, the channel-phase response is sensitive to the distance between Alice and Bob, so for Eve it is more difficult to infer the secret key bits from her measurements of the channel-phase. In addition, in [31], the authors pointed out that applying error-correcting codes on the preliminary key with reasonable rate can ensure the correct preliminary key for Alice in theory, while ensuring useless information for Eve. It means that we can design an error-correcting code with proper rate to further ensure the security of the proposed scheme.
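The following Monte-Carlo sketch is an added example, not the authors' simulation code: it plays Steps 1 and 2 per subcarrier and compares Alice's bit mismatch rate with that of a passive Eve who multiplies her two observations, as in the far-away case analyzed above. Assumptions: the stochastic coefficient is modelled as an additive random phase, the mapping M(⋅) places each Gray-coded symbol at the centre of its phase sector, unit channel variance, and a noise-free Eve with uncorrelated wiretap channels.

```python
import cmath
import math
import random

TWO_PI = 2 * math.pi
GRAY = [0b00, 0b01, 0b11, 0b10]  # Gray labels for the 4 phase sectors (2 bits)


def cn(rng, var):
    """One sample of circular complex Gaussian noise CN(0, var)."""
    s = math.sqrt(var / 2)
    return complex(rng.gauss(0, s), rng.gauss(0, s))


def quantize(theta):
    """Equal-interval quantizer: phase -> Gray-coded 2-bit symbol."""
    return GRAY[int((theta % TWO_PI) / (TWO_PI / 4)) % 4]


def map_phase(sym):
    """Constructed mapping M(.): symbol -> centre phase of its sector."""
    return (GRAY.index(sym) + 0.5) * TWO_PI / 4


def bit_errors(a, b):
    """Number of differing bits between two 2-bit symbols."""
    return bin(a ^ b).count("1")


def simulate(n_sub=64, rounds=100, snr_db=20.0, seed=7):
    """Return (Alice BMR, Eve BMR) measured against Bob's preliminary key."""
    rng = random.Random(seed)
    noise_var = 10 ** (-snr_db / 10)  # channel variance is 1, so SNR = 1/noise_var
    err_alice = err_eve = 0
    for _ in range(rounds * n_sub):
        h = cn(rng, 1.0)     # legitimate subchannel, identical in both directions
        h_ae = cn(rng, 1.0)  # Alice -> Eve, uncorrelated with h (assumption)
        h_be = cn(rng, 1.0)  # Bob -> Eve, uncorrelated with h (assumption)
        s_a = cmath.exp(1j * rng.uniform(0, TWO_PI))  # Alice's secret random probe

        # Step 1: Bob estimates the equivalent phase (channel phase + probe phase).
        theta_hat = cmath.phase(h * s_a + cn(rng, noise_var))
        c = rng.uniform(0, TWO_PI)  # stochastic coefficient, assumed additive
        k = quantize(theta_hat + c)  # Bob's preliminary key symbol

        # Step 2: Bob maps k and pre-equalizes with -theta_hat (the mask).
        x_b = cmath.exp(1j * (map_phase(k) - theta_hat))
        y_a = h * x_b + cn(rng, noise_var)
        # Reciprocity cancels the channel phase; s_a cancels the probe phase.
        k_alice = quantize(cmath.phase(y_a * s_a))

        # Eve multiplies her two observations; her own channel phases remain.
        k_eve = quantize(cmath.phase((h_ae * s_a) * (h_be * x_b)))

        err_alice += bit_errors(k, k_alice)
        err_eve += bit_errors(k, k_eve)
    total_bits = 2 * rounds * n_sub
    return err_alice / total_bits, err_eve / total_bits


if __name__ == "__main__":
    for snr in (5, 10, 20):
        print(snr, simulate(snr_db=snr))
```

Alice's residual mismatches are what the BCH reconciliation in Step 3 has to correct, while Eve's rate stays near one half because the unknown phases of her own channels remain in the product.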

The Secret Key Generation Performance.
Firstly, the secret key capacity, which is defined as the maximum available key generation rate [3], is considered. Since the subchannels are independent, for ease of analysis, we only take one of the subchannels, for example. Our proposed scheme can be approximately modeled as Bob generating a random source  = ℎ and Alice observing the random source as  =  +   = ℎ +   , where ℎ ∼ CN(0,  2 ℎ ) is one of the subchannel responses and   ∼ CN(0,  2  ) is the observed noise. Alice and Bob extract secret keys from the phases of  and , that is,   and   , respectively. Assuming that Eve's observations are uncorrelated with Alice's, the secret key capacity can be expressed as [3]   =  (  ;   ) , (15) where symbol (⋅; ⋅) denotes the mutual information between two random variables. Since the joint probability density function of   and   is difficult to calculate, we adopt the information theoretical estimators (ITE) toolbox to estimate the secret key capacity [32]. The input of the ITE is (  ;   ), where   = [ ,1 ,  ,2 , . . .,  , ],   = [ ,1 ,  ,2 , . . .,  , ], and  is the length of the input. In the simulations, the signal-to-noise ratio (SNR) is defined as  2 ℎ / 2  . The secret key capacity of the proposed secret key generation scheme is compared with the existing channel-phase based secret key generation scheme [15] and channel-gain based secret key generation scheme [14] in Figure 4. During channel probing, the channel condition of these three schemes is identical. We can clearly observe that, in contrast to the channel-phase based and channel-gain based schemes, our proposed scheme achieves a greater secret key capacity. For example, when SNR is 10 dB, the secret key capacity of the proposed scheme is 34% and 170% greater than the channel-phase based scheme and channel-gain based scheme, respectively. Note that the secret key capacity of the discussed OFDM systems is  times of those shown in Figure 4.
Secondly, we analyze the secret key bits mismatched and key generation rates. The BMR and KGR of the proposed scheme are evaluated through Monte-Carlo simulations under multipath channels and further are compared with the channel-phase based and channel-gain based schemes. Since it does not need to estimate the CSI during channel probing, in the simulations, the probe signal contains two OFDM symbols, that is, one pilot symbol for synchronization and one symbol for signal phase estimation. The carrier frequency of the OFDM system is 2.4 GHz and the number of the subcarriers is  = 64. We consider the multipath Rayleigh fading channel with 2 us constant delay time and the maximum Doppler frequency is 0 Hz (suppose that Alice and Bob remain static in the simulations). The sample interval is 0.25 us.
These three schemes adopt the same quantization method, that is, equal interval quantization method, in which the characteristics space is divided evenly into 2  = 4 subspaces. The same information reconciliation and privacy amplification approaches are employed. Note that, theoretically, the bit length of the resulting quantization should be bounded by the mutual information between Alice and Bob [33]. In other words, the quantization level 2  should not be higher than the secret key capacity, that is, 2  ≤ 2   . However, for ease of analysis, the quantization levels for the three schemes are all set as 2  = 4.
Figures 5 and 6 show the BMR and KGR performance of these schemes, respectively. From these two figures, we can observe that the BMRs of these schemes decrease, while the KGRs increase as SNR increases. The primary reason is that the accuracy of the channel estimates obtained in the channel probing phase increases as SNR increases. The BMR and KGR performances of the proposed scheme exhibit apparent superiority to the other schemes. For example, when SNR = 10 dB, the BMR of the proposed scheme decreases by 41% and the KGR increases by 6.6%, compared to the channel-phase based scheme.
Lastly, the randomness of the secret key is analyzed. A cryptographic key should be substantially random; otherwise, an adversary can crack the key with low cost. A widely used randomness test suite NIST [34] is employed to verify the randomness of our generated secret key bits. The NIST test suite is a statistical package consisting of 16 tests which were developed to test the randomness of binary sequences. To pass the test, all the  values of the 16 tests should be at least greater than 0.01. We randomly select 10-bit sequences generated from our simulations at SNR = 10 dB. Due to the limitation of bit length, we run eight typical tests. The results in Table 1 show that our generated bit sequences pass the NIST test and their average entropy is close to that of a truly random sequence.

PHY-Layer Authentication Scheme and Performance Analysis
4.1. PHY-Authentication Scheme.
In the proposed secret key generation scheme, the legitimate parties establish a shared key which can be used for encryption and authentication. The existing key based authentication schemes assume that the shared key is known in advance to the authenticated parties, but how to achieve the secret key distribution is not given. Consider that the shared key between the authenticated parties is generated by our proposed secret key generation scheme. After establishing a shared key and a period of time without communication, if Alice and Bob want to establish a communication, they need to authenticate each other. In this section, we propose a challenge-response PHY-layer authentication scheme for OFDM systems, which exploits the short-term reciprocity and randomness of the channel-phase response in TDD mode. Generally, Alice and Bob need a two-way authentication process to achieve the mutual authentication. However, the one-way authentication process is enough to describe the process, since both directions of the two-way authentication employ the same regulation. We assume that Alice wants to communicate with Bob, who in turn needs to verify the identity of "Alice" based on the proposed challenge-response PHY-layer authentication scheme (here Bob is assumed to be legitimate, while the case of an illegitimate Bob will be analyzed later). The process of the proposed PHY-layer authentication scheme is shown in Figure 7 and the detailed stages are as follows.
Stage 1. Alice transmits an authentication request signal to Bob.The authentication request signal contains the frame type, time stamp information, media access control address, and so forth.
Stage 3. The received signal of the th subcarrier in frequency domain at Alice is where ℎ , denotes the th subchannel response from Bob to Alice and  ℎ, is the underlying subchannel-phase response. The subchannels are i.i.d. and ℎ , ∼ CN(0,  2 ℎ ). , is the i.i.d. complex Gaussian noise with zero mean and variance  2  . Alice is not concerned with what Bob transmits but only estimates the phase of the received signal. The estimation can be expressed as where  , is the phase estimation error. Then, to generate a tagged signal vector s  for authentication, Alice processes her shared secret key by using the mapping function and preequalizes the mapped key by subtracting the phase estimation vector θ (here the length of the shared key is assumed to be long enough). The tagged signal at the th subcarrier is Alice sends the tagged signal to Bob. As processed in (18), the secret key for authentication is masked by phase estimation and it is difficult for a passive attacker to crack the authenticated secret key.
where ℎ , denotes the th subchannel response from Alice to Bob, and  ℎ, is the underlying subchannel-phase response.
, ∼ CN(0,  2  ) is the i.i.d. complex Gaussian noise. Alice and Bob perform these steps fast enough to ensure the time interval from Stages 2-4 is smaller than the coherence time; thus ℎ , = ℎ , = ℎ  . Then (19) , where ⊕ is the XOR operation. If  <  0 , Bob determines that the other party is Alice; otherwise it is not, where  0 is a constant real number. However, it is hard to determine  0 in practical systems. Thus, we provide another solution in which the authentication judgement is formulated as a binary hypothesis test.
From (21), we can find that the phase of   is mainly affected by the mapped authenticated key. In order to eliminate the influence of the authenticated key, similar to [27], we generate a variable with the expression as where ()  denotes transpose operation. Thus, the binary hypothesis test can be expressed as where k M  denotes the authenticated key possessed by "Alice." For H0 and H1, the corresponding  H0 and  H1 are Based on (24), Bob makes a final decision by comparing with a threshold . If H1 is true, then Bob judges that the other party is Alice; otherwise, it is not. Now, it is essential to find the threshold . We can see that, in both hypotheses,  −M(k M  ) y  is the sum of  dependent normally distributed random variables. The resulting sum is still normally distributed [27]; thus its amplitude  obeys Rice distribution. The probability density function of  is

H𝑖
) , where  ≥ 0,  = 0, 1.  H and  2 H denote the mean and variance of  H , respectively.  0 (⋅) is the zero-order modified Bessel function of the first kind. Based on   H (), we can calculate the false acceptance rate (the rate that the attacker passes the authentication) as ) , where (, ) = ∫ +∞   exp(−( 2 +  2 )/2) 0 (). (⋅, ⋅) is Marcum  function. Thus, for a given false acceptance rate   , the threshold value  can be calculated by (27). Furthermore, we can get the successful authentication rate (the rate that the legitimate user passes the authentication) as ) . (28)

Security Analysis.
To evaluate the security of the proposed scheme, in this section, we analyze various types of attackers.
Eve, as the adversary, knows Alice and Bob's PHY-layer authentication scheme. When Eve is a passive attacker, she can only listen to all the communications inside the network and attempts to learn the shared key from the information that she eavesdropped. In Section 3.2, we have analyzed that it is almost impossible for Eve to crack and infer the shared key during the secret key generation. Thus, during the authentication, it is also difficult for Eve to derive the shared key and pass the authentication as a passive attacker, and the analysis process is similar. Therefore, we mainly consider the case that Eve is an active attacker. When Eve is an active attacker, she can perform three types of attacks, namely, impersonation attacks, jamming attacks, and replay attacks.

Impersonation Attacks. Eve can impersonate Alice or Bob under impersonation attacks. If Eve initiates Stage 1 (sends an authentication request to Bob), she can hardly succeed. The reason is that Bob's response contains no information about the shared key in Stage 2. If Eve impersonates Alice in Stage 3 and sends a tagged signal to Bob, she will not be authenticated by Bob as she has no information about the authenticated key. Compared to the other two stages, Stage 2 is more vulnerable, since, during Stage 1, Alice does not know the legitimacy of its counterpart. In this case, Eve impersonates Bob and may steal the authenticated key from the tagged signal of Alice. To solve this problem, the authors in [26] proposed a mutual authentication approach by sharing two distinguished keys,   and   , between Alice and Bob. However, the keys of Alice and Bob generated by the secret key generation scheme are identical in our scheme, which means that the mutual authentication approach cannot be applied directly. To solve this problem in our scheme, after Alice has been authenticated by Bob, they drop the authenticated key. When Alice authenticates Bob, they choose a new authenticated key from the remaining shared key. If Bob cannot provide a valid tagged signal, Alice would consider

Extensive Monte-Carlo simulations are conducted to investigate the PDFs of  under the two hypotheses H0 and H1, which can be utilized to evaluate the false acceptance rate and the successful authentication rate. Furthermore, the appropriate choice of the threshold  can also be determined by these PDFs.
Figures 8 and 9 show the empirical PDFs of  H0 and  H1 at SNR = 5 dB for  = 64 and  = 128, respectively. As claimed in Section 4.1,  H0 and  H1 obey a Rice distribution. Hence, Rice distributions according to (26) are also given in both figures, where the mean and variance are directly estimated through Monte-Carlo simulations [36]. From these two figures, we can find that the empirical distributions coincide well with the theoretical Rice distributions. We also note that the PDFs of  H0 and  H1 are clearly distinguished in Figure 8 and in Figure 9, and the PDF of  H1 is far apart from that of  H0 even at SNR = 5 dB. Thus, it is easy to calculate the threshold  if the successful authentication rate and false acceptance rate are given.
The receiver operating characteristic (ROC) describes the correlation between the false acceptance rate and the successful authentication rate. Figure 10 plots the ROC performance for different  when SNR = 5 dB. From these four subfigures, we can find that the ROC performance becomes better as  increases. Furthermore, when  = 32, the ROC is nearly ideal even at SNR = 5 dB.

Comparison with PHY-CRAM and PHY-PCRAS.
The PHY-layer authentication schemes PHY-CRAM [26] and PHY-PCRAS [27] were shown to be simple and feasible. In the following, we will compare our proposed scheme with these two schemes.
As illustrated in Figure 11, for ROC performance, our scheme is better than PHY-CRAM and very similar to PHY-PCRAS. The reason is that our proposed scheme and PHY-PCRAS employ the channel-phase response, while amplitude modulation is employed in PHY-CRAM, which in performance is usually worse than phase modulation. Since the amplitudes of the subcarriers are not all the same, the received performance may be impacted due to the different SNR at each subchannel. Furthermore, in PHY-CRAM, high-peak fluctuations may occur, and in practice it is required to suppress the high peak with additional complexity. However, since the OFDM technique is employed, compared to PHY-CRAM, our proposed scheme and PHY-PCRAS are more sensitive to the frequency offset.
As discussed in [26,27], for impersonation attacks, our proposed scheme and PHY-PCRAS are more secure than PHY-CRAM.This can be explained by the better ROC performance and the fact that the channel-phase response

Figure 4: The secret key capacity of different schemes.

Figure 5: The BMR performance of different schemes.

Figure 7: The process of the PHY-layer authentication.

Figure 10: Successful authentication rate versus false acceptance rate for different  when SNR = 5 dB.

Table 1: The evaluation of randomness test.
can be simplified as  , =     ℎ      exp ( (M ( M , ) −  , −  , )) +  , . (20) We can find that the channel-phase equalization has been completed during the receiving. Bob multiplies  , by his response signal  , and gets y = r  ⊙ s  , where ⊙ denotes element-wise multiplication. The th element of y can be expressed as  =  ,  , =     ℎ      exp ( (M ( M , ) −  , )) +  ,  , . (21) Then Bob obtains the signal   which only contains the mapped secret key from Alice and estimation error. Based on   , combining his shared key, Bob needs to judge whether the other party is Alice or not. There are two solutions for this judgement. A straightforward solution is to check the difference between the obtained authenticated key k M  from "Alice" and his own secret key k M  , where k M  = M −1 (∠y). The difference is defined as