A Multihop Key Agreement Scheme for Wireless Ad Hoc Networks Based on Channel Characteristics

A number of key agreement schemes based on wireless channel characteristics have been proposed recently. However, previous key agreement schemes require that two nodes which need to agree on a key are within the communication range of each other. Hence, they are not suitable for multihop wireless networks, in which nodes do not always have direct connections with each other. In this paper, we first propose a basic multihop key agreement scheme for wireless ad hoc networks. The proposed basic scheme is resistant to external eavesdroppers. Nevertheless, this basic scheme is not secure when there exist internal eavesdroppers or Man-in-the-Middle (MITM) adversaries. In order to cope with these adversaries, we propose an improved multihop key agreement scheme. We show that the improved scheme is secure against internal eavesdroppers and MITM adversaries in a single path. Both performance analysis and simulation results demonstrate that the improved scheme is efficient. Consequently, the improved key agreement scheme is suitable for multihop wireless ad hoc networks.


Introduction
Network security (see, e.g., [1,2]) has been studied extensively. In wireless networks, security problems are especially critical, because wireless channels are inherently broadcast channels. When a pair of nodes communicate with each other, nearby nodes within the communication range may be able to overhear their messages. In order to prevent eavesdropping, messages are often encrypted before being sent. Hence, key agreement is of great importance for security of wireless networks.
Recently, Mathur et al. [3] propose a novel key agreement scheme for wireless networks, which is based on the secrecy of the wireless channel itself. In their scheme, the two communicating nodes send probe signals to each other and measure the channels. Then, they extract secret bits from the channel measurements using a level-crossing algorithm. Because of the reciprocity of the channel, the two nodes can extract the same key from their own channel measurements.
Any eavesdroppers that are more than half a wavelength away from both nodes can get no knowledge of the key, because their experienced channels are independent of the channel between the two communicating nodes. The broad applicability of this security alternative has been validated by Jana et al. [4], through a series of experiments in real environments.
However, both Mathur et al. 's and Jana et al. 's schemes require that two nodes are within the communication range of each other in order to establish a key. This requirement cannot always be satisfied. In many realistic scenarios, intermediate nodes are needed for relaying messages, because the end nodes cannot communicate directly.
In this paper, we show that it is feasible to build key agreement schemes based on wireless channel measurements in multihop wireless networks. We show that, by extracting secrets from the phase characteristics (it is feasible to extract secrets from phase characteristics-please see Section 3 for details) of channels, two end nodes that are more than one 2 The Scientific World Journal hop away from each other can establish a key between them. We propose a basic key agreement scheme for this purpose and show that it is secure against external eavesdroppers (i.e., eavesdroppers out of the paths connecting the two nodes). After that, we show that the basic scheme is subject to internal eavesdropping and Man-in-the-Middle (MITM) attacks. Therefore, we propose an improved key agreement scheme to prevent these two attacks. The improved scheme is based on the assumption that the network is biconnected. The secrets are extracted from two disjoint paths between the two end nodes. The improved scheme is secure against internal eavesdroppers and MITM adversaries in a single path. (Please see Section 5.3, Remark 7 for the possibility that adversaries control more than a single path.) In both the basic and the improved schemes, we follow the standard assumption [3][4][5][6] that adversaries are more than half a wavelength away from all the participating nodes. We give a theoretical analysis of the key agreement probability and show that it is affected by communication SNRs, sampling rates, and quantization parameters. We simulate the improved scheme in GlomoSim [7] and show that the established key has strong randomness and the key agreement efficiency is high.
In summary, we have the following contributions.
(i) We propose a basic multihop key agreement scheme and prove that it is secure against external eavesdroppers.
(ii) Since the basic scheme is not secure against internal eavesdroppers or MITM adversaries, we propose an improved multihop key agreement scheme, and prove that this improved scheme is secure against internal eavesdroppers and MITM adversaries in a single path between the two nodes.
(iii) We give both performance analysis and simulation results of the improved scheme. The results show that the improved scheme is very efficient and the established key has strong randomness.
The rest of this paper is organized as follows. In Section 2, we review the related work. In Section 3, we present technical preliminaries. In Section 4, we present the basic multihop key agreement scheme and give a security analysis. In Section 5, we describe the improved multihop key agreement scheme and prove its security. In Sections 6 and 7, we show that the improved scheme is efficient by both theoretical analysis and simulation results. Finally, we conclude in Section 8.

Related Work
Key agreement based on channel characteristics is firstly proposed in Hershey et al. [8], in which the secret key is extracted from the phase differences of continuous waves. After that, Hassan et al. [9] propose to use phase differences between two orthogonal subcarriers as extracted secrets. Tope and McEachen [10] propose a key generation scheme based on polarity of power envelope differences. Recently, a lot of schemes [3][4][5][6][11][12][13][14][15][16][17][18][19][20][21][22] are proposed to enhance the security and/or improve the performance. In particular, Mathur et al. [3] propose a scheme to extract secret bits from wireless channel measurements. They design a levelcrossing algorithm to increase the bit consistency rate. They do experiments using both customized 802.11 platform and off-the-shelf 802.11 network cards. In order to validate the effectiveness of the key extraction schemes based on signal strengths, Jana et al. [4] carry out extensive experiments in various environments. They propose adaptive quantization method to improve the performance. Patwari et al. [6] propose a high-rate uncorrelated bit extraction scheme based on fractional interpolation, decorrelation transformation and multibit adaptive quantization. Ye et al. [5] propose a secret key extraction approach that is suited for more general channel state distributions. Zhang et al. [21] find that mobility patterns have important impact on the correlation of channel measurements at the end nodes. They show that more diffusion in the mobility brings less correlation in the measured channel impulse responses. Gollakota and Katabi [23] propose a secret communication method based on receiver's jamming. Their method eliminates the reliance on channel variance and has high secret communication speed.
There are also many analytical works [24][25][26][27] that provide theoretical analysis of secret key exchange protocols and propose improved algorithms. In addition, secret key extraction schemes from UWB (Ultra-WideBand) channels are proposed in [28][29][30][31]. Croft et al. [32] propose a secret bit extraction scheme for wireless sensors, while Ali et al. [33] develop a key extraction approach in body area networks.
It is important to note that all the previous approaches focus on one single channel between two nodes. Therefore, they have the requirement that the two nodes are within the communication range of each other. In contrast, in this paper, we propose schemes that are suitable for multihop networks, in which nodes can be out of the communication range of each other. Consequently, our proposed schemes can be used for key agreement in multihop wireless networks.
Recently Wang et al. [34] propose a group key agreement scheme in wireless networks. Wang et al. 's scheme is based on the phase characteristics of wireless channels. They use phase randomness for bit generation and remove the reliance on the node mobility. According to Ren et al. [35], phasebased methods [8,9,16,34] have three advantages compared to RSS-based methods [3][4][5][6], including having uniform distribution, providing high resolution phase estimation, and enabling phase accumulation across multiple nodes. Similar to [34], the schemes proposed in this paper are also based on channel phase randomness. However, our proposed schemes consider a completely different setting, in which the involved nodes can be more than one hop away from each other. In fact, allowing nodes to be multiple hops away from each other is a major technical challenge addressed in this paper. Hence, our schemes are independent from, and complementary to, the results in [34].

Technical Preliminaries
In a typical multihop mobile ad hoc network, there are no infrastructures. Each node is both an end host and a router. Denote the nodes in the network by { 1 , 2 , . . . , }. If node The Scientific World Journal 3 is within the communication area of , then we say is a neighbor of . Without loss of generality, we assume that wireless channels are symmetric; that is, whenever a node is a neighbor of , is also a neighbor of . Just as in previous work [3,4], we assume the channel between any two neighboring nodes to be reciprocal. (This assumption implies that our work is most suitable for a homogeneous network. If the network is heterogeneous, then our work needs to be modified before it can be applied.) Denote the channel from to by ℎ ( ), and denote the channel from to by ℎ ( ). Then the channel reciprocity indicates that ℎ ( ) = ℎ ( ) for any time .
We use the phase characteristics of both the initial signals and the channel as a random source to extract the shared secret key from. (Note that using the channel phase characteristics as a source of randomness is a feasible approach, which has been adopted in existing work, e.g., [34]. A possible way to implement this can be found in [35].) From the channel reciprocity, we know that within the channel coherence time, the channel between two nodes can be assumed to be invariant. We divide the channel coherence time to equal time slots: 1 , 2 , . . . , . Let the length of each time slot be , and denote the coherence time of the channel by . Let = ⌊ / ⌋. During one time slot , when sends the initial signal to , we denote the signal sent from by ( ). ( ) has the following representation: In (1), ( ) is the amplitude of ( ). and ( ) are the center frequency and the initial phase of ( ), respectively. We emphasize that it is feasible to send a signal with a given phase ( )-in fact, some existing schemes like [34] already include such operations. In order to implement such an operation, one can use analog-to-digital converters [35].
Definition of Adversaries. In this paper, we consider three different kinds of adversaries: internal eavesdropper, external eavesdropper, and MITM adversary. Here both internal eavesdroppers and external eavesdroppers refer to passive adversaries that eavesdrop messages and attempt to figure out the established key. The difference between these two types of adversaries is that an internal eavesdropper is an intermediate node in a path selected for transmitting messages for key agreement, while an external eavesdropper is not an intermediate node in any such path. Unlike these two types of passive adversaries, an MITM adversary is an active adversary who controls one or more node in a path selected for transmitting messages for key agreement and carries out an MITM attack. A little more formally, we have the following definitions.

Definition 1.
A multihop key agreement scheme is secure against a set of external eavesdroppers if, assuming all involved nodes follow the protocol faithfully, all signals overheard by this set of eavesdroppers are statistically independent from the final key generated by this scheme.

Definition 2.
A multihop key agreement scheme is secure against a set of internal eavesdropper if, assuming all involved nodes follow the protocol faithfully, all packets received by this set of eavesdroppers, together with all signals overheard by this set of eavesdropper, are statistically independent from the final key generated by this scheme.
Definition 3. A multihop key agreement scheme is secure against a set of MITM adversaries if, assuming all involved nodes except this set of MITM adversaries follow the protocol faithfully, the final keys different nodes obtain are consistent; furthermore, all packets received by this set of MITM adversaries, together with all signals overheard by this set of adversary, are statistically indepedent from the final key generated by this scheme.

The Basic Multihop Key Agreement Scheme
In this section, we propose a basic multihop key agreement scheme. The basic scheme is built on one selected path between the two nodes that want to agree on a secret key. It is secure against any external eavesdroppers as long as those eavesdroppers are more than half a wavelength away from all the nodes in the selected path.

Scheme Outline.
The basic idea of this multihop key agreement scheme is to use both the channel phase characteristics of the selected path and the randomly selected initial phases to extract common secrets (i.e., secrets known only to and ). By using quantization, these common secrets are quantized into common secret bits. After that, information reconciliation and privacy amplification are used [36][37][38] on the common secret bits, so that a secret key can be generated. When the external eavesdroppers are more than half a wavelength away, they will experience channels that are independent of the channels in the selected path [3,4].
In order to have common secret bits, the two parties (denoted by and ) need to interact with each other for ⌈ / ⌉ rounds, assuming in each round that they can get bits from quantization. In each round, picks a random phase value, and sends an initial signal with this initial phase value to using the selected path. Each intermediate node in this path estimates the phase of the signal received from its antecedent node and sends a new signal with this estimated phase to its subsequent node. Note that is the first node in the path, and is the last node in the path. Hence, has a subsequent node only, and has an antecedent node only. After receives the signal from its antecedent node, it picks a random phase value and sends an initial signal with this initial phase value back to , along the reverse path. Each intermediate node estimates the phase of the signal received from its subsequent node, and sends a new signal with the estimated phase to its antecedent node. Finally (resp., ) estimates the phase of the signal received from its antecedent (resp., subsequent) node and adds the estimated phase with its randomly generated initial phase. The sums generated by and both reflect characteristics of all the channels in the path and the random initial phase values picked by and . In order to make sure that they are highly correlated, each round is completed within the channel coherence time. The random initial phase values picked by and are sources of randomness of the extracted common secrets. After extracting common secrets from the channels and the random initial phase values, and perform independent quantization on these secrets and get common secret bits. The discrepancies between common secret bits of and are corrected by information reconciliation. The lost entropy of performing the information reconciliation is reduced by privacy amplification. In the following, we give detailed descriptions of these steps. After that, we give analysis of the basic scheme.

Common Secret Extraction.
The common secret extraction consists of ⌈ / ⌉ rounds, and each round contains (2 + 2) time slots. Figure 1 illustrates the signal transmission involved in one round.
In the following, we describe steps involved in one round.
computes the phase estimate of the signal received from −1 and sends a new unit signal with this phase estimate to +1 . In +1 , sends the signal ( ( − ⋅ )+̂, ) to .
From the previous protocol process, we can get that = (̂, ,1 . We quantize each subinterval into log 2 ( ) bits using the Gray code [39]. By using Gray code, adjacent subintervals have only one bit discrepancy after quantization, which reduces the number of bit errors caused by estimation errors.
Denote the length of the targeted secret key by . In order to generate the key, and need to interact with each other for at least ⌈ / ⌉ rounds.

Information Reconciliation and Privacy Amplification.
Because there exist noises and interferences at the receivers, and can get discrepancies at some common secret bits. They can achieve secret bits reconciliation by transmitting error correcting information through a public channel, which is called information reconciliation [40,41]. We use the classic Cascade protocol [40] to perform reconciliation between the extracted secret bits. For completeness we briefly review the Cascade protocol.
Denote the two secret bit strings at and by and . In the Cascade protocol, each of the two bit strings The Scientific World Journal 5 are divided into disjoint blocks. One party sends the parity values of all the blocks to the other party. If an odd number of errors are found within any block, and perform an interactive binary error search on that block, until one bit error is corrected. The Cascade protocol consists of several rounds, depending on the rate of bit discrepancies between and . If in the th ( ≥ 2) round, one error is corrected at the th bit, and then any other block that contains the th bit also contain an odd number of errors, which need to be corrected subsequently. Only minimal information gets leaked out if the number of rounds and the block size are selected appropriately.
After the information reconciliation, privacy amplification [36][37][38] is used to reduce the side information leaked during information reconciliation. We use the following 2universal hash family [4]: where is a prime number that satisfies > . This 2universal hash family consists of all the functions ℎ that map from {1, 2, . . . , } to {0, 1} . One party randomly selects and and sends them to the other party. We divide the secret bits after reconciliation into blocks of log 2 ( ) bits, and is decided based on the required secret key length.
After these two processes, the generated keys at and are cryptographic secure keys. and can use the generated key for secret communications.

Security Analysis of the Basic Scheme.
In this section, we present a security analysis of the basic scheme. Firstly we argue that the basic scheme is secure against any external eavesdroppers that are more than half a wavelength away from all the nodes in the selected path. Secondly we show that threats from internal adversaries can affect the security of the scheme. Finally we show that MITM attack is possible in the basic scheme. (Recall that internal eavesdroppers, external eavesdroppers, and MITM adversary are defined at the end of Section 3.)

Security against Any External
Eavesdropper. If all the external eavesdroppers are more than half a wavelength away from all the nodes in the selected path, then their experienced channels are independent of channels between nodes in the selected path.
In the following we analyze the security of the basic scheme when there exists only one external eavesdropper. The analysis can be similarly extended to the case in which there are more than one eavesdroppers. In Figure 2, denote the eavesdropper by . From Round( , , ), gets the following estimated phases from its received signals: In (4), gets est( 1 + , ) at 1 from and gets est( 1 + On the other hand, gets est( 2 + , ) at +2 from and gets est( 2 + , + ∑ −1 = +1 , + , ) at +2+ from +1− , ∈ [1, ]. Because 1 and 2 are randomly selected by and , respectively, these estimated phases are also random. Because , is independent of , 1 , cannot get any knowledge of ( 1 + , 1 ) from est( 1 + , ). Similarly, cannot get any knowledge of ( 1 + , ]. Finally, during the channel coherence time, no probe signals are transmitted between the nodes in the selected path, so , , , , ∈ [1, ] and , are unknown to . Therefore, from these estimated phase values, gets no knowledge of the extracted secrets at or . We stress that it is realistic to assume that the external eavesdroppers are at least half a wavelength away. When the carrier frequency is 2.437 GHz (one of the frequency band of 802.11 b), the wavelength of the carrier is (3 ⋅ 10 8 m/s)/(2.437 ⋅ 10 9 Hz) ≈ 0.12 m. Half a wavelength is only about 6 centimeters. Within such a distance, it is hard for an eavesdropper to avoid being detected.

Threats of Internal Adversaries.
In the basic scheme, each of the internal nodes can get the complete knowledge of the extracted secrets at and . If one of them is corrupted, then the scheme is not secure. For example, if is corrupted, based on its received signals from −1 and +1 , it getŝ , +1 ) and̂, = est( 2 + ∑ −1 = +1 , + , ). By adding up these two values, gets an estimate, which is highly correlated to both and . (1) In each round, performs the following steps: then quantizes , and , to generate secret bit strings , and , . Denote the length of , and , by bits.
From the attack process we can see that , =̂, + , +1 + , 1 + 1 . So and can also agree on a secret key KEY , . In this way, carries out the MITM attack successfully.

Possible Reduction of Estimation Errors.
Given the basic scheme we have designed, there are possible ways to reduce the estimation errors. For instance, the intermediate nodes between and may append fix phase delay on forward and backward paths; that is, let Ψ , +1 = Ψ +1 , . This would not reduce secrecy because 1 and 2 are random and unknown to the intermediate nodes.

The Improved Multihop Key Agreement
Because the basic scheme suffers from threats of internal adversaries and the MITM attack, in this section, we propose an improved multihop key agreement scheme.

Scheme Outline.
In the improved multihop key agreement scheme, we assume that the network is biconnected. Therefore, between any pair of nodes, we can find at least two disjoint paths. The basic scheme suffers from threats from internal adversaries and the MITM attack because the signals are only transmitted in one path. Any node in that path can get knowledge of the extracted common secret bits and can perform the MITM attack. We design the improved multihop key agreement scheme to make it impossible for nodes in one path to get knowledge of the secret key or control it.
We emphasize that the previous goal of security is nontrivial to achieve. In particular, we consider a simple protocol, which we call SMPP hereafter. Assume that there are two disjoint paths Path and Path between and . SMPP starts by letting and generate key over Path and key over Path . Then, generates two random sequences and , respectively, and sends ⊕ over Path to and ⊕ over Path to . Finally, computes by XORing his received value of ⊕ with ; similarly, he computes . The final key agreed by and is the ‖ . Note that SMPP cannot really work against MITM attacks. For example, suppose that there is a node Adv controlled by the adversary in the middle of Path . When and try to generate over Path , Adv launches an MITM attack and makes them disagree on the value of . (This is very easy in general, because Adv can simply play 's role when talking to its neighbor on 's side and play 's role when talking to its neighbor on 's side. In this way, and Adv agree on one value of , while Adv and agree on another value of .) Hence, believes that the value of is , while believes that the value of is . Both values ( and ) are private against nodes in path . Also suppose that all nodes in Path are honest and so and agree on the value of , which is private against nodes in Path . Next, generates and and sends ⊕ over path and ⊕ over path . Assume that Adv does not tamper with these transmitted values. Therefore, receives these values correctly. However, since has a different belief about the value of , when tries to recover the value of , he will get ⊕ ⊕ instead of . In other words, and will disagree on the value of , which is part of the final key.
In order to achieve our goal of security, we use a better approach. We send the initial signals along two disjoint paths between and , perform estimation, and forwarding at intermediate nodes and add up the estimated phases of received signals from two paths at the two end nodes. In this way, the sum of phases contain not only the initial random values picked for phases, but also channel phase characteristics of both the two paths. Any adversaries within one single path can neither get the established secret key nor carry out a successful MITM attack.
The Scientific World Journal In the improved multihop key agreement scheme, and jointly discover two disjoint paths between them. Denote the lengths of the two paths by and , respectively. After that, and carry out Round( , , ) along the first path and Round( , , ) along the second path. They interact with each other for sufficient rounds in order to get the targeted common secret bits. In each round, they add up extracted secrets from both rounds together. Finally, and perform quantization, information reconciliation and privacy amplification to get the secret key.
When performing the first step, existing node-disjoint routing discovery protocols [42,43] can be used. In the improved scheme, we do not assume that there are any preloaded keys or public key infrastructures in the network. Secure routing protocols based on malicious node detection and trust based routing protocols [44][45][46] can meet this requirement. Using one of these protocols, can find two disjoint paths to . After that, and perform the rest of the multihop key agreement protocol by using the two paths.
The improved scheme consists of the following steps.
(3) and perform information reconciliation and privacy amplification on and . After these two processes, they get the secret key.

Security Analysis.
In this section, we give a security analysis of the improved scheme. This security analysis is based on the assumption that all participating nodes are more than half a wavelength away from each other. Just as mentioned in Section 4.5.1, this is a reasonable assumption.
The security of the improved scheme is guaranteed against adversaries in a single path. Collusion attack from adversaries of both paths is not considered. In the following we first prove that the improved scheme is secure against any internal eavesdroppers in a single path. After that we prove that the improved scheme is secure against any MITM adversaries in a single path. (Recall that internal eavesdroppers and MITM adversary are defined at the end of Section 3.)

Theorem 4. Under the assumption that all nodes are more than half a wavelength away from each other, the improved multihop key agreement scheme is secure against any internal eavesdroppers in a single path.
Proof. In this proof we enumerate all the phase information that the routing nodes can extract and then point out that they cannot generate any useful information about and 's secrets.
In the following we consider the collected phase information at an intermediate node in one round. Because the extracted common secrets at each round are quantized separately, they cannot be used for getting knowledge of secrets of other rounds. Consider 1 in the first path → 1 → 2 → ⋅ ⋅ ⋅ → → . 1 receives signals from both and 2 . From the signals received from and 2 , 1 getŝ +1 , + , ), respectively. From these two phase estimates, 1 can only get the value of̂, 1 +̂, 1 . However, the secrets obtained by and also include the phase estimates through the other path → 1 → 2 → ⋅ ⋅ ⋅ → → . So we can see that 1 can get no information about the secrets.
For each intermediate node in the first path, we enumerate its estimated phases as follows: Because all the intermediate nodes are more than half a wavelength away from other nodes, they cannot get the phase information from the other path; that is, , 1 +∑ −1 =1 , +1 + , . No matter how many nodes in the first path combine their phase information, they cannot gain any knowledge about this value. 8 The Scientific World Journal Therefore, we can see that the proposed protocol is secure against any internal eavesdroppers in one single path.

Remark 5.
If an eavesdropper is not an intermediate node in either path, and he is more than half a wavelength away from all participating nodes, then he cannot gain any knowledge on the secret key either. This is similar to our analysis in Section 4.5. Theorem 6. The improved multihop key agreement scheme is secure against any MITM adversaries in a single path.
Proof. Without loss of generality, suppose that try to perform the MITM attack to and . The purpose of MITM attack is to establish two different keys with and , respectively, and after that to relay encrypted messages between them.
From the previous analysis we know that cannot agree on two different keys with and . Therefore, it cannot carry out MITM attack successfully. This analysis can be directly extended to the case that any number of intermediate nodes in the first path carry out MITM attacks collaboratively. Because their experienced channels are statistically independent of channels of the second path, they cannot gain any information of (2) or (2) .
We conclude that the improved protocol is secure against any MITM adversaries in a single path.

Remark 7.
If the adversary can place cheating nodes on two disjoint paths, there are straightforward ways to extend our protocol to achieve security. For example, we can consider using three disjoint paths between and . In general, in order to prevent cheating nodes on disjoint paths, and can use + 1 disjoint paths between them for key extraction, as long as there exist + 1 disjoint paths between them. (If there are cheating nodes on all disjoint paths between and , then no solution is possible because these nodes can choose to simply block all communications between and .) This will lead to higher complexity of the protocol-so, there is a tradeoff between security and efficiency.

Performance Analysis
As the improved protocol has more than just a pair of nodes, the estimation errors at each intermediate node will aggregate. In this section we present performance analysis of the improved protocol. We mainly focus on the agreement probability of and 's common secrets.
From the protocol description, we know that the ideal values of and are as follows: From the channel reciprocity and the assumption that one protocol round is performed within the channel coherence time, we can see that = . We denote this value by ; that is, = = . However, due to the estimation errors of the phase information, there may be discrepancies between and . In the following we analyze the probability of = during one protocol round. We denote this probability by . When one node transmits signals to another node, they use the same frequency, so that the receiver does not need to do frequency estimation. Without loss of generality, the noises at the receivers are independent Gaussian noises with zero mean and variance 2 . The receiver samples the received signal and computes the phase estimate. When the sampling rate is high enough, the estimated phase is a Gaussian random variable whose variance is bounded by the Cramér-Rao bound [47].
From [47], when the signal frequency is known, the variance of the phase is bounded by The Scientific World Journal 9 In (9), 0 is the amplitude of the received signal. From (9), we can see that the lower bound of the phase variance depends on the signal to noise ratio (SNR) and the sampling rate. When the SNR is higher, the phase variance can achieve a smaller lower bound. When the sampling rate is increased at the receiver, the lower bound can be further decreased. This is in accordance with the intuition that we should get more precise estimation given a higher SNR and sampling rate. In the following we use the Cramér-Rao bound for our analysis.
The estimation error at each node is modeled as a Gaussian noise, with the zero mean and standard deviation relying on the SNR and the sampling rate. Without loss of generality, we assume that the SNR and the sampling rate are all the same at all the participating nodes. From the protocol execution process, we know that the accumulated estimation error at the source or the destination is the sum of all the intermediate estimation errors. We can write as represents the accumulated estimation error at . According to the previous analysis, ∼ (0, ( + + 2) 2 ).
The probability is a function of . It can be computed using the following equation: Because of the independent noise accumulations at and , we can get Denote the interval [2 / , 2 ( + 1)/ ) by . Let . Then from the distribution function of Gaussian distribution, ( , ) and have the same distributions, can be computed by the following expressions: From (13) we can see that is the sum of the probability that and fall into the same quantization subinterval; that is, ( , ), = 1, 2, . . . , . For each subinterval , the magnitude of ( , ) is affected by whether ∈ . Suppose that ∈ * , and then * ( , ) will be larger than any other ( , ) for ∉ . This is because the Gaussian distribution function has a larger value when the variable value is closer to the mean (in this case, ). Therefore, is dominated by * ( , ), for ∈ * . On the other hand, * ( , ) is affected by 's position in * . If is close to the center of * , then * ( , ) will be large; if is close to the end points of * , then * ( , ) will be small. This is because when is close to the end points, the probability that and fall into two adjacent subintervals increases. In addition, the standard deviation also has impact on * ( , ). A smaller will result in a larger * ( , ), because when is smaller, the probability of or being close to is larger.

Simulation Results
In order to measure the performance of the proposed scheme, we simulate the proposed scheme using GlomoSim [7]. By using the PARSEC programming language [48], we write programs for the proposed scheme in the physical layer of GlomoSim protocol stack. We simulate the proposed scheme for different SNRs. Because the receiver SNR is affected mainly by distances between adjacent nodes, we select a set of communication distances, which is {10 m, 20 m, 30 m, 40 m, 50 m, 100 m, 150 m, 200 m, 250 m, 300 m}. For each communication distance (denote it by ), we randomly generate a geometric distribution of 6 nodes. The distance between any pair of adjacent nodes is randomly generated in [0.7 , 1.3 ]. We denote these distances by { 1 , 2 , 3 , 4 , 5 , 6 }. Because we select 10 communication distances, we also generate 10 random distributions of nodes. One common node distribution for the simulation is shown in Figure 4. We measure average SNRs under different communication distances. The results are shown in Figure 5.
To best simulate the wireless communication environment in reality, we set the center carrier frequency to be 2.437 GHz and the baseband bandwidth to be 11 MHz. This is one of the standard carrier band of 802.11 b. According to Nyquist-Shannon sampling theorem, the sampling rate should be no less than 22 MHz. We choose the sampling rate to be 25 MHz, so that the estimation at the receiver is more accurate.
is chosen to be 10 s. For the large scale signal propagation, we use the two-ray ground reflection model [49] which can be expressed by (14) In (14), is the transmission power, and ( ) is the received power at a distance away from the transmission antenna. and are the antenna gains at the transmitter and the receiver, respectively; ℎ and ℎ are the antenna heights at the transmitter and the receiver, respectively; is the distance between the transmitter and the receiver.
We use the Rayleigh distribution [49] for the small scale wireless fading model. Both the two-ray ground reflection model and the Rayleigh fading model are directly supported by the GlomoSim network simulator [7].
We measure the quantization agreement probability of and under different communication distances. We also measure the randomness of the secret key. In addition, we measure the key efficiency of the proposed scheme. The results are shown in Sections 7.1, 7.2, and 7.3.

Quantization Agreement Probability.
Under different communication distances, we measure quantization agreement probabilities and bit error rates (BERs) of the quantized common secret bits. For the quantization step, we choose = 32. Therefore, the interval of [0, 2 ) is divided into 32 subintervals of equal length. We use the Gray code to encode the quantization indices, so that only one bit discrepancy is introduced for adjacent intervals.
The results are shown in Figures 6 and 7, respectively. From Figures 6 and 7, we can see that when the communication distance is 50 m (approximately 38.23 dB SNR), the quantization agreement probability is 0.9535, and the BER is 0.0093. Even when the communication distance is increased  to 300 m (approximately 10 dB SNR), the quantization agreement probability is still 0.906, and the BER is 0.019.

Randomness of the Generated Key.
We test the randomness of the generated key using the NIST randomness test suite [50]. We use the 8 tests in the NIST test suite to validate the randomness of one 1024-bit key. The results are shown in Table 1. From Table 1 we can see that the generated key passes all the 8 tests.

Key Efficiency.
In this section, we focus on measuring how long it takes in order to generate a 256-bit key. In order to generate a 256-bit key, and need to get more common secret bits, because the Cascade protocol causes entropy loss. We compute the lost entropy rate of Cascade  protocol according to the theoretical results in [40]. After that we measure the key efficiency under different Cascade parameters.
We have completely implemented the Cascade protocol and the privacy amplification method described in Section 4.4. We use the MIRACL library to implement the prime generation and large number arithmetics required for 2universal hash family. We choose 4∼5 rounds for the Cascade protocol, in order that the key agreement ratio is high. We compute the entropy loss rate when the Round-1 block size has different values. For each Round-( + 1), its block size is two times the block size of Round-. The results are shown in Figure 8.
As can be seen from Figure 8, when the Round-1 block of Cascade protocol increases, the lost entropy rate decreases. When the communication distance decreases, the lost entropy rate also decreases, because less bits need to be corrected. For example, when the communication distance is 50 m and the round-1 block size is 14, the lost entropy rate is 0.1925. Under such a lost entropy rate, in order to generate a 256-bit key, at least 317 common secret bits need to be collected. When the communication distance is 300 m and the round-1 block size is 10, the lost entropy rate is 0.3203. Under such a lost entropy rate, in order to generate a 256-bit key, at least 376 common secret bits need to be collected.
Under the 10 distributions generated for different communication distances, we measure the efficiency of generating a 256-bit key using the multihop key agreement protocol. Different combinations of Cascade rounds and Round-1 block sizes are used. The simulation is run at a laptop with Intel Core2 CPU of 2.33 GHz and 2.0 GB memory. For each different setting, we run the key agreement scheme for 100 times and measure the average time. In all these executions, and achieve successful key agreement. The efficiency results are shown in Figure 9.
From Figure 9, we can see that when the Cascade Round-1 block size is decreased, the key efficiency is also decreased. This is because the block number is increased, which increases transferred bits in each round. Furthermore, when the number of Cascade rounds is decreased, the key efficiency is increased. Specifically, for the Cascade parameter (Block = 12, Round = 4), when the communication distance is 50 m, the time of generating a 256-bit key is 0.0726 seconds. At this speed, the proposed key agreement scheme can achieve 3.5 Kbps rate. Even when the communication distance is 300 m, the proposed scheme can still achieve 3.17 Kbps rate.

Conclusions and Discussions
In this paper, we propose two key agreement schemes as a novel physical-layer technique in multihop wireless networks. The proposed key agreement schemes enable secret key generation between nodes in multihop wireless networks, even if they cannot communicate with each other directly. The proposed basic scheme is secure against external eavesdroppers. And the improved two-path-based scheme is secure against external eavesdroppers, as well as internal eavesdroppers and MITM adversaries in a single path. The proposed scheme can achieve high key efficiency under different communication distances among nodes. The secret key generated by the proposed scheme has very strong randomness. By properly selecting the protocol parameters, the proposed scheme can achieve high success ratio. The proposed scheme is suitable for establishing secret keys for multihop wireless networks.
It is worth noting that our paper has covered only key agreement for unicast communications between two nodes. Broadcast and multicast communications may require different protocols for key agreement. In particular, key agreement for broadcast communications in a wireless network is relatively easy if there are only passive eavesdroppers. A straightforward solution is to establish key agreement between neighbor nodes and then transmit a global key in encrypted form throughout the network. If some nodes in the network are dishonest, then leaking the final global key is unavoidable.
For multicast communications, this problem becomes the pretty challenging problem of group key agreement. Existing solutions such as Wang et al. 's [34] are suitable for this case, but further improvement in security and/or efficiency is also possible.