A Lightweight Key Generation Scheme for Secure Device-to- Device (D2D) Communication

Key agreement is one the most essential steps when applying cryptographic techniques to secure device-to-device (D2D) communications. Recently, several PHY-based solutions have been proposed by leveraging the channel gains as a common randomness source for key extraction in wireless networks. However, these schemes usually suffer a low rate of key generation and low entropy of generated key and rely on the mobility of devices. In this paper, a novel secret key extraction protocol is proposed by using interference in wireless D2D fading channel. It establishes symmetrical keys for two wireless devices by measuring channel gains and utilizing artificial jamming sent by the third party to change the measured value of channel gains. We give a theoretically reachable key rate of the proposed scheme from the viewpoint of the information theory. It shows that the proposed scheme can make hundred times performance gain than the existing approaches theoretically. Experimental results also demonstrate that the proposed scheme can achieve a secure key distribution with a higher key rate and key entropy compared with the existing schemes.


Introduction
Because of the broadcast and open-air nature of a wireless channel, device-to-device (D2D) communications [1,2] are vulnerable to message eavesdropping and node impersonation [3][4][5][6]. To resist these attacks, an effective method is to encrypt sensitive data with secret session keys and send encrypted data via wireless channels. However, it is necessary to agree on a common secret session key between two communicating parties beforehand. Most of traditional protocols (e.g., Diffie-Hellman method [7]) rely on the computing capability of adversary, which have high computational complexity. Since a lot of wireless devices (e.g., miniature sensors) have limited computing ability, the existing cryptographic methods need to overcome the contradictions between high computational complexity and limited computing ability [8].
Some popular research works leverage the channel randomness between two wireless devices. Many theoretical results (e.g., [9,10]) show that multiple legitimate nodes can agree on a key unknown to an eavesdropper due to the high overhead of random coding. Recently, several radio channel features (i.e., temporal variations, spatial variations, and reciprocity of radio wave propagation) have been utilized for key extraction in wireless networks [11][12][13].
However, existing approaches still suffer from reliance on mobile environments, low key generation rate and key entropy [14]. To address these problems, a number of solutions have been proposed [15][16][17][18][19]. In [15], iJam is proposed to increase the channel change rate. Unfortunately, it decreases the throughout due to the retransmission-based self-protection procedure in the scheme. A key extraction scheme is proposed by exploiting multiantenna diversity [16]. However, it leads to an increase in the complexity of the transceivers. In [17], a key generation scheme is designed by using the randomness of channel phase. In [18], a secret key extraction protocol is proposed by leveraging the received signal strength (RSS). In [19], a secure key distribution scheme with artificial interference is designed. However, due to the inefficient bit extraction method and the low efficiency of artificial jamming, the key generation rate of the protocol is relatively low.
In this paper, a new secure key distribution approach is designed for key extraction in D2D communications. In our scenarios, a symmetrical key is aimed to be generated between two devices named Alice and Carol (Alice and Carol are called keying nodes) in the presence of an eavesdropper Eve. We also assume that there exists an assistance device Bob. The main contributions of the works are as follows: (1) A new key generation scheme is designed for D2D communication by leveraging the artificial jamming to change the channel gains. Unlike existing approaches [8,11], in the proposed scheme, the legitimate users can obtain multiple different channel measurements in each coherence time (2) A new bit extraction method is proposed to improve the key generation rate and key entropy, which includes low entropy measurement elimination, random permutation, and adaptive multiple-bit extraction (3) Extensive experiments are conducted to evaluate the performance of the proposed scheme with both theoretical analysis and simulation. Experimental results show that the proposed scheme can achieve a higher key generation rate and key entropy compared with existing schemes.
The reminder of this paper is organized as follows. Section 2 reviews the related work. In Section 3, the details of the proposed scheme and the theoretical analysis are presented. Section 4 details the experimental results and discussions. We finally conclude this work in Section 5.

The Literature Reviews
Recently, leveraging artificial jamming to improve the security of a wireless networking has drawn increasing attention [20][21][22][23][24][25][26][27]. In [20], Liu et al. proposed a secure communication scheme in a distributed relay networks, in which the destination transmits jamming signals to confuse the eavesdropper at first hop and the source and a particular relay jam eavesdropper cooperatively without jamming the destination at second hop. In [21], a two-stage cooperative scheme for secure communication with multiple helpers has been proposed. After that, Zheng et al. considered the secure communication scenario that the destination is with two antennas and only a single antenna is equipped in eavesdropper [22]. In this work, one antenna of destination receives the signals, and the other one transmits jamming to confuse the adversary. However, it requires a FD receiver and cannot guarantee the security when the adversary has multiple antennas. In [23], Li et al. studied the optimization problem for secrecy rate in a relay wiretap channel network, where the multiple multiantenna nodes act as the relaying nodes as well as the artificial jamming generation nodes. However, in a direct source-to-eavesdropper link case, it may be difficult to achieve a positive secrecy rate. In [24], an opportunistic relay-based secure communication scheme has been proposed to improve the secrecy rate for a relay network with two-hop. Specifically, a node (named opportunistic relay node) is used to forward the confidential signals and another node (named the jamming nodes) sends jamming signals to confuse the adversary. The multiantenna secure transmission by using beam-forming techniques to confuse multiple antenna eavesdroppers with limited feedback constraints has been studied in [25,26]. However, these works only focused on optimizing the secrecy rate theoretically and could not be directly applied for secret key distribution in practice. For more information about improving secrecy rate with friendly jamming, please refer to the survey in [27]. The related work about jamming attack also includes [28].
Key generation with artificial interference has been analyzed in [19]. Different from [19], this paper has the following advantages: (1) The theoretical results about key rate are different. The lower bound of key rate in [19] is ð1/2T c Þ½ln ffiffi ffi b p + 3 ln 2πe − e −1 , while, in this paper, a lower bound of key rate is ð1/2T c Þ½ln ðπðebÞ 2 Þ − e −1 . Thus, the new bound is at least L times over the bound in [19], where L = bT c f s /2M * c is the number of rounds in the coherence time T c , M is the length of probe vector for each measurement value, f s is the sampling rate, and b 2 is the average power at keying node Alice and helper node Bob. In other words, the proposed scheme can measure L channel state information measurements for a secure key extraction in each coherence time.
(2) The bit quantization method is different. Two-level bit quantization scheme is adopted in [19], while this paper presents an adaptive multiple-level bit extraction scheme. Moreover, the simulation results show that a larger jamming power may contribute to more bits extracted from each measurement (please refer to Section 4). (3) The approach to increasing the key bit entropy is different. In [19], there is no any added method to pretreat the measurements before bit quantization, while this paper proposed a low entropy measurement elimination algorithm and random permutation algorithm to eliminate the low entropy measurements and to increase the randomness of measurements, respectively.

The Proposed Solution
In this section, the network model and adversary model are first described. Then, we describe the proposed scheme. A random variable (RV) and its realization are denoted by an uppercase letter (e.g., X and Y) and a lowercase letter (e.g., x and y), respectively; a random vector is denoted by an hollow bold uppercase letter (e.g., X and Y ). Let H ij be a RV of channel gains between device i and device j, T c be the coherence time (i.e., the time interval over which the channel gain may be considered coherent), f s be the sampling rate, M be the sample number by fully exploiting the coherence time interval, and M * be the length of probe vector for each measurement at Alice and Carol.

2
Wireless Communications and Mobile Computing In the system model, two devices, Alice and Carol, are aimed at building a common secret key for secure D2D communication by measuring the channel gains from the channel between them, and a trusted third party Bob (helper), who changes the state channel information of channel between Alice and Carol by broadcasting jamming signals. Alice and Carol can reconcile their measurements by sending some error-correcting information through a public channel, and a secure channel exists between Alice and Bob. Of course, there is an eavesdropper Eve who plans to break the secret key.
3.1.1. Collection of Random Source. Let Λ be a Gaussian distribution with mean of 0 and variance of b 2 and M * be the probe vector length of measurement. The time is divided into slots t 1 ,t 2 ,···.
Step (1) In t 1 , Alice and Bob random choose λ A ½1 and λ B ½1 from Λ ∼ Gð0, b 2 Þ, respectively. Then, Alice transmits probe signals λ A ½1 s Step (2) Repeat Step (1) N times. Then, Alice, Bob, and Carol have the N vectors as follows: Step (3) Bob estimates h BC ½i by using the following equation: Step (4) Bob sends h ! BC ½i and λ B ½i to Alice over the secure channel between them.
Step (5) Alice first computes Then, Alice obtains the following equality: Step (6) Carol computeŝ After the above steps, Alice and Carol have the N vectorŝ To obtain a high key entropy, we must eliminate the low entropy measurements. The elimination method is described as follows: Alice and Carol drop instances of their measurements if there are at least β successive measurements lied between −α and α. Then, they exchange index set of dropped measurements between them, and only keep the measurements that both two devices decide not to drop, where α ≥ 0 and β ≥ 0 are the carefully chosen constants. We still denote the obtained vector after low entropy measurement elimination at Alice and Carol by hfŷ Figure 1(b) shows the first two hundred measurements at Alice with low entropy measurement elimination.

Random Permutation.
Since the values of channel gains are similar during each coherence time, the measurement valuesŷ A (andŷ C ) at Alice (and Carol) has a certain correlation in the coherence time ( Figure 1(b)). In the proposed scheme, we break that correlation by using random permutation. In practical experiments, a simple algorithm Knuth shuffle [29] is applied to generate a permutation uniformly at random without retries, in the practical experiments. Specifically, after obtaining hfŷ C ½ig N 1 i=1 i, Alice runs the algorithm 3

Wireless Communications and Mobile Computing
Knuth shuffle to generate a permutation g : f1,⋯,N1g → f1 ,⋯,N1g and then transmits it to Carol. Finally, Alice and Carol compute z Figure 1(c) plots the measurements at Alice with random permutation.

Adaptive Multiple-Bit Extraction.
In the implementation, we present adaptive multiple-bit extraction scheme (as shown in Figure 2) which is described as follows: (1) Alice and Carol select a positive integer ω as the bitnumber extracted for each channel measurement and choose two positive integers γ (named the valid zone width) and △γ (called the shield zone width) they (1) sort the elements of a sequence in ascending order; (2) for any j ∈ f1,⋯,2 ω g, map the rank from ðj − 1Þðγ + △γÞ + 1 to ðj − 1Þðγ + △γÞ + γ elements (named level j − 1) into j − 1;   Wireless Communications and Mobile Computing (4) Alice and Carol obtain the corresponding bit streams by using the ω -bit Gary code g : f0,⋯,2 ω − 1g → f0, 1g ω , respectively. The bit streams after bit quantization is denoted as K q A and K q C

Information Reconciliation and Privacy Amplification.
Because of the half-duplex beacon transmission and hardware variations, a small number of bit inconsistencies may exist between their bit streams. There are two ways to realize information reconciliation: interactive information reconciliation (IIR) scheme [30] or error-correcting codes (ECC) [31]. In the implementation, we use ECC-based information reconciliation (i.e., [127,85,13]-BCH code).
Moreover, as the reconciliation information is sent over a public and insecure channel, the adversary can leverage such information to obtain knowledge of the generated key. Privacy amplification protocols [32,33] can be used to recover such entropy loss. In the proposed scheme, the keying hash function SHA 1 [32] is leveraged for privacy amplification.

Theoretical Analysis
where L is the number of rounds in T c and brc is the largest integer equal or less than to real number r.
Let T be the total measurement time (e.g., the sum of all of the probing time). As shown in Figure 3, we divide T as follows. First dividing T to L * parts, where each part equals to coherence time T c (i.e., L * = bT/T c c). Then, splitting T c into L parts: t 1 , ⋯, t L equally. In time slot t i , Alice, Bob, and Carol follow the first step of the presented protocol. All the RVs of obtained measurement values at Alice and Carol are

Coherence time, Tc
Measurement time (T)

Wireless Communications and Mobile Computing
where i ∈ f1, ⋯, L × L * g, CgÞ is the additive noise, and N j is independent and identically distributed of random variable N j ðj ∈ fA, B, CgÞ. In addition, the random vector of received signals at Eve are where i ∈ f1,⋯,L × L * g, ℕ E the additive noise vector.  Wireless Communications and Mobile Computing After obtaining Y E←AB ½i and Y E←C ½i, the optimal strategy of Eve is to computê where i ∈ f1,⋯,L × L * g. Based on the measurements at Alice, Carol, and Eve, the theorem is shown as follows.
where T c is the coherence time, M * is the length of probe signals for each measurement value, f s is the sampling rate, L = bT c f s /2M * c is the number of rounds in T c , and b 2 is the average power at Alice and Bob.
Proof. Please refer to the Appendix.

Numerical
Analysis. The impact of the parameter M * on the key rate of the proposed scheme is first discussed. On the one hand, the larger the value of M * means the more accurate measurement, the more accurate measurement represents the less information loss in information reconcile and 7 Wireless Communications and Mobile Computing hence the higher key rate. An experiment is conducted in MATLAB as follows. We generate a random vector G = fG i g M * i=1 by using a random number generator with zero mean and variance 1. That is, G is the i.i.d. variable obeying standard normal distribution Gð0, 1Þ. Figure 4 plots the statistical average value of G in 10 4 independent experiments under different values of M * (i.e., the length of G). On the other hand, the smaller the value of M * is, the more the number L of measurements of coherence time will be, yet the higher key rate.
Then, we discuss the impact of the value of b on the key rate. From Theorem 1, the key generation rate rises when the value of b increases. Furthermore, the key rate converges to infinite when b goes to infinite. As an example, for the parameters T c = 50 ms, Figure 5(a) plots the achievable key rate when b increases under different values of L. Note that the jamming power of helper Bob is denoted by P I = b 2 . Thus, the key generation rate rises when the jamming P I increases, and the key rate converges to infinite when P I goes to infinite. However, due to the logarithmic relationship between the achievable key rate and the value of b, the key rate growth is slow with the value of b increase. It can also be obtained from Figure 5(a).
Lastly, we compared the proposed scheme with traditional schemes. By [34], the maximum key generation rate of traditional methods is ð1/T c ÞH ðH AC Þ = ð1/2T c Þ ln ð2πe δ 2 AC Þ. Take T c = 50 ms, f s = 4 GHz, 10 4 ≤ M * ≤ 10 5 , and δ AC = δ BC = 1. Figure 5 That is to say, the key generation rate of the proposed scheme is at least 100× better than that of traditional methods.

Experiment Setting.
In the random source collection phase, it is assumed that both the artificial jamming and probes are single-tone signals. The probe signals are sðτÞ = a 0 cos ðω 0 τ + θ 0 Þ (τ ∈ ½0, T), where a 0 is the amplitude, θ 0 is the initial phase, and ω 0 is the angular frequency. Specifically, the probing signals are based on λ A (or λ B ) at jamming slots (i.e., Alice sends λ A sðτÞ and Bob sends λ B sðτÞ,τ ∈ ½0, T, at time slot t 1 ). It is also assumed that the coherence time is T c = 80 ms, the sampling rate is f s = 2:7 GHz, and the single-tone signal's carrier frequency is 0.9 GHz. In the information reconciliation phase, we assume that [127,85,13]-BCH code is used in our system. It is clear that the error tolerance of the code is ET = Δ ð6/127Þ ≈ 0:047 (i.e., error threshold). Specifically, Alice (resp., Carol) divides the quantized bits K q A (resp. K q C ) into small blocks K A means the mismatch between Alice and Carol happens in corresponding position). Thus, if the number of "1" in K q C ⊕ K q A is less than 6, Carol can obtain C i from C * i with error-correcting code technical, and then, compute K q A ðiÞ by computing C i ⊕ C * i ⊕ K q C . If we denote the bits after information reconciliation as K r A and K r C . Then, the common randomness K A ð= K r A = K r C Þ between Alice and Carol is established when the mismatch bit number of each block is less than 6.
In the privacy amplification phase, we leverage the keying hash function SHA 1 [32]. Specifically, a keying hash function F : K 0 × K 1 → K, where F is the well-known hash function SHA 1 , K 0 = K 1 = f0, 1g L , and K = f0, 1g L′ . One of keying  11 Wireless Communications and Mobile Computing nodes (say Alice) uniformly chooses K 0 form K 0 and public to the other node. Then, keying nodes compute the secret key by K ξ = FðK 0 , K r ξ Þðξ ∈ fA, CgÞ. Moreover, in order to verify whether the two values K A and K C are equal, Alice and Carol can interact as follows. Alice first randomly chooses a bitstream R A and then sends R A and its tig Tig A = SHA 1 ðK A , R A Þ to Carol. After receiving R A and Tig A , Carol computes Tig B = SHA 1 ðK B , R A Þ, and verify Tig A = Tig B or not, if so, K A and K C are equal; if not, K A ≠ K C .

Correlations between Keying
Nodes and Eve. The statistic independence of the measurements of channel between Alice, Carol, and Eve is the hinge on the security of generated key. Figure 6 plots Pearson correlation coefficients of the measurements at the Alice and Eve against α under different values of β (β = 5, 10, ⋯, 50), where b = 2 and M = 2000. The result shows that, with a fixed α = 0:09, the correlation coefficients is at a very low level. Take α = 0:09, Figure 7 shows the valid index rate (i.e., the ratio of the number of valid index after the phase of low entropy measurements elimination to the number of measurements at Alice) and the correlation coefficients against β. We can see that, with a fixed β = 10, the valid index rate is greater than 0:7 and the correlation coefficients keep to a minimum. In the system, we set α = 0:09 and β = 10. Figure 8 plots the measurments at Alice and Eve by taking SNR = 0 dB and b = 2. It is obvious that Eve measures significantly different values from Alice (i.e., spatial variations of wireless channel). The result shows that the proposed scheme can resist predictable channel attacks. The results show that (1) a larger ω increases the number of matched bits but increases the mismatch rate; and (2) a larger b increases the number of matched bits and decreases the mismatch rate, in other words, a larger b can contribute to more bits extracted from each measurement. In particular, if b = 2, then the mismatch rate is less than the error threshold when ω = 2 and is larger than error threshold when ω = 3. Thus, if we take b = 2 in the system, then ω = 2 is the optimal choice to maximize the key rate.
Then the impact of the parameters γ and Δγ on mismatch rate and number of matched bits are discussed. However, less mismatch rate means higher key rate, and fewer match number implies lower key generation rate. Thus, the value of M * and Δγ should be chosen carefully. (ii) The increase of b decreases the mismatch rate and increases the match rate, and hence, the higher key rate is guaranteed.
The next, the impact of the system parameters γ and Δγ on the conditional entropy H ðK and K q E are the bit streams at Alice and Eve after quantizing, respectively, and H ðK Figure 15 plots the relationship between the value of Δγ, M * and the conditional entropy. For instance, the conditional entropies are larger than 0:68 and less than 0.7. Figure 16 shows the conditional entropy against Δγ under different values of b. In particular, all of the conditional entropies are larger than 0.68 and less than 0.7. The results show that Δγ, M * , and b cause little impact to conditional entropy.

Key Rate and Randomness.
Note that the bit streams after information reconciliation as K r A and K r C and denote the error-correcting information as Pub. Due to the fact that the conditional entropy H ðK q A | K q E Þ is less than 0:7, the conditional entropies H ðK r To improve the key entropy, in privacy amplification phase of the simulation, we use F : K 0 × K 1 → K, where F is the keying hash function SHA 1 , K 0 = K 1 = f0, 1g L , and K = f0, 1g L/2 .
Taking α = 0:09, β = 10, γ = 20, and b = 2, the simulation is conducted in a variety of M * and Δγ under different SNRs to find the optimal value of Δγ and M * to maximize the key rate (as shown in Table 1).
Moreover, the randomness of the generated key is the key for the proposed scheme to be widely used. To this end, a well-known randomness test suite NIST is used to verify the generated key's randomness. The p value from five kinds of tests is listed in Table 2. If the p value is greater than 0:01, then it means the bitstream passed the test. We conduct the simulation under different scenarios as shown in Table 1.

Comparison of Key Extraction
Approaches. Some famous key extraction approaches are mentioned (i.e., RKG [8], CSKE [18], and SG [19]) in Section 1. Now, we compare their performance with the proposed scheme under different scenarios:    Table 1. In RKG, the quantization threshold is selected so that at most 10% of the whole measurements are discarded. In CSKE, we set m = 5 (i.e., the measurements are quantized into 4 equally likely levels) and set the quantization threshold such that at most 30% of the measurements are dropped. In SG, we set the configurable parameters α = 0:3, P B = 2, and κ = 30.
The simulation results in Figure 17 shows that the protocol has a significantly higher secret bit generation rate compared with the existing methods. This is because (1) RKG only uses the measurements that above or below the threshold, which leads to low utilization of measurements; (2) both RKG and SG only extract 1 bit for each measurement, which lead to low efficiency of quantization; (3) the channel state information in each coherence time are coherent in CSKE, which leads measurements in a coherence time are similar; and (4) the help node only sends fixed jamming signals in each coherence time in SG, which also leads to the measurements in a coherence time are alike. 4.6. Discussions. The proposed scheme can be used in the typical application scenarios as follows.
Let us first consider the scenario with busy wireless channels (e.g., multiple access points and multiple users exist in a conference room, enterprise, hotel, etc.,), in which we try to solve the key generation problem between access points and users (case shown in Figure 18(a) where any two adjacent access points (A and B) are connected by Ethernet backbone). In this situation, we could assume that there exists a secure channel between A and B (e.g., Diffie-Hellman protocol can be used to produce a secure channel as the access  13 Wireless Communications and Mobile Computing points are not constrained by the energy and computing ability). Therefore, we can further generate the security key for access points and users by utilizing the proposed scheme with the secure channel.
Then we consider the key extraction between two users in the scenario of typical busy wireless environments (scenario (2) shown in Figure 18(b)). Based on the previous case, we can have a secure channel between the access points and users. With the secure channel, we can use the proposed scheme to extract a security key for two users.
Next, we consider another key generation problem in the scenario of MISO system (shown in Figure 18(c)). When Alice and Bob are the antennas of a device, the "secure channel" exists between them. We can further use the presented protocol to generate a security key for two devices.
In the case of group key generation, as shown in Figure 18(d), we can use the key extraction scheme (like work [16,17] to set up a secure channel, then use the proposed scheme for the others. As shown in Figure 18(d), the secure channel 1 is built by traditional protocols and the secure channel 2, 3, 4, ⋯ can be set up by KEI. With no doubt, the efficiency of group key generation can be improved.

Conclusion
In this paper, a novel PHY-based approach has been designed for secret key extraction in wireless networks. The proposed scheme leverages jamming to changes the channel states such that two keying nodes can obtain a large number of channel measurements in each coherence time. To further improve the key generation rate and key entropy, a new bit extraction method has been presented to eliminate the low entropy measurement, to break the correlation of measurements in the coherence time with random permutation, and to transform the measurements into bit stream with an adaptive multiple-bit extraction scheme. Theoretical analysis and simulation have been presented to show the performance of the proposed scheme. The results show that the proposed scheme generates secret bits at low mismatch bit rate, high key rate, and high entropy.

Appendix Proof of Theorem 1
Assumed that the sampling number M * is sufficiently large and δ AC = δ BC = 1. Then, we have From Equation (A.2), we can rewrite the above equality as : ðA:6Þ Denoted by H ij ½l * as the channel gain between node i and j at l * th coherence time and by Λ L A ½l * (Λ L B ½l * ) as the random vector selected by Alice (Bob) during in l * th coherence time. We rewriteŶ where l * ∈ f1,⋯,L * g. Due to the assumption that the RVs fΛ A ½ig LL * i=1 , fΛ B ½ig LL * i=1 and the channel gains are i.i.d across coherence periods. Hence, by the chain rule of entropy [35], Equation (A.6) can be rewritten as Combine with Equations (A.9), (A.10), and (A.14), we have ðA:16Þ

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that they have no conflicts of interest.