Secret-Key-Agreement Advantage Distillation With Quantization Correction

We consider a physical layer-based secret-keyagreement (SKA) scenario where Alice and Bob aim at extracting a common bit sequence, which should remain secret to Eve, by quantizing a random number obtained from measurements of their communication channel. We propose an asymmetric advantage distillation protocol where i) Alice quantizes her measurement and sends partial information on it over an authenticated public side channel, and ii) Bob (and Eve) quantizes his measurement by exploiting the partial information. The partial information on the position of the measurement in the quantization interval allows Bob to obtain a quantized value closer to that of Alice. Such strategies are shown to increase the lower bound of the secret key rate.


I. INTRODUCTION
Secret-key-agreement (SKA) is a security mechanism by which two users, namely Alice and Bob, agree on a common key while keeping it secret from any third malicious user, namely Eve.The secret key can then be used for other security services, e.g., for symmetric key encryption or authentication.
Initially proposed by Maurer [1], Ahlswede, and Csiszar [2], physical-layer-based SKA schemes are information-theoretic secure, and their security is based on the physical properties of the channel itself.A source-model SKA procedure involves four steps [3]: channel probing, where Alice and Bob transmit in turn probing signals and collect the channel measurements later used to extract the keys; advantage distillation by which each agent extracts a bit sequence from his/her measurement; information reconciliation, where Alice and Bob exchange information with the aim of reducing the disagreement among the bit sequences; finally, privacy amplification, where each user extracts from the bit sequences a shorter one typically by using universal hashing (for further details see surveys [4] and [5]).
In this paper, we focus on the advantage distillation step.The basic approach requires quantizing the channel feature used for key extraction.A channel quantization scheme for multiple-input multiple-output (MIMO) channels is proposed in [6] and [7].In particular, in the strategy of [6] Alice transmits a quantization correction to Bob, the observations have a (known) Gaussian distribution, and the quantizer thresholds are set to provide equiprobable bit sequences (with maximum entropy).However, Eve's observations are assumed to be independent of those of Bob.We consider here instead a more realistic scenario, where the features' distribution is not known a priori, and Eve's observations are statistically correlated to those of Alice and Bob.
In [8] the quantization intervals are separated by guard bands and samples falling in these regions are discarded to reduce quantization mismatches between Alice and Bob.Indeed, this increases the probability of agreement and the bit sequence length, at the expense of fewer extracted bits.A related approach is also proposed in [9], where the quantizer thresholds are set to assure that each sequence is equiprobable, maximizing the output entropy.In both works, legitimates' and Eve's channels are assumed to be uncorrelated, thus no information about the actual bit sequence by collected from Eve.
Recently, a technique to extract bits from electrocardiograms (ECGs) signals for wireless body area networks (WBANs) has been proposed in [10].The quantizer thresholds are optimized to maximize both the entropy and the matching rate of the extracted bits.Still, due to the particular nature of the channel, no information is leaked to Eve during the channel probing step.We consider instead the case wherein Eve is observing a channel correlated to that of Alice and Bob, and Eve also overhears any public discussion between Alice and Bob.
In this letter, we propose a novel advantage distillation strategy for a source-model SKA, where Alice and Bob obtain each a random number and optimize their quantizers to obtain bit sequences providing the highest secret key rate (through a lower bound).Then, they coordinate the quantization of the observed feature with a discussion over a public authenticated channel.In particular, Alice quantizes her measurement and sends the position of the measurement in the quantization interval over an authenticated public side channel.In turn, Bob (and Eve) quantizes his measurement by exploiting the partial information.We denote the described advantage distillation technique as advantage distillation with qunantization correction (ADQC).We show that such a strategy allows the extraction of more secret bits from the channel measurements.Finally, with respect to the existing literature, we show that a careful design of the quantizers used during the advantage distillation and the transmission of quantization error correction over a public channel allows Alice and Bob to obtain a secret key, even in those harsh scenarios where Eve is close to one of the agents.
The rest of the paper is organized as follows.Section II introduces the system model.Section III describes the step of the proposed advantage distillation protocol.Section IV presents the numerical results.Section V draws the conclusions.

II. SYSTEM MODEL
We consider a scenario where Alice and Bob aim to agree on a common bit sequence, which has to stay secret from Eve.To this end, they use a source model SKA procedure [3].First, they probe their channel, as shown in Fig. 1: Alice and Bob alternatively send pilot signals through the connecting wireless channel to enable their partner to estimate the channel, so that Alice obtains the estimated channel h BA and Bob obtains estimated channel h AB .
We assume Alice and Bob have already agreed on a feature selection and extraction function such that Alice extracts x from h BA , while Bob extracts y from h AB .We focus on the scalar case where x and y are real numbers, although the SKA will operate on sequences of x and y, thus using longer observation sequences.We remark that, in general, the channels are only partially reciprocal, therefore x and y will be strongly correlated but not identical.
Eve is modeled as a passive attacker.From each exchange, she estimates channels h AE and h BE , from Alice and Bob, respectively.We assume Eve has an extraction function that exploits (one or) both channels and retrieves the scalar real feature z.Indeed, if Eve and Bob (or Alice) are in a different position, y = z and x = z.Still, if Eve is not too far from Alice or Bob, there exists a non-negligible correlation between z and both x and y.
We assume that the statistics of x, y, and z are not known in close form, but a dataset of measurements is available to all parties for the design of the SKA procedure.
An authenticated public side channel is available, over which Alice and Bob can exchange information, while Eve overhears any communication.Channel coding is used on this side channel, allowing Bob to detect and correct, with arbitrarily small error probability, any error of publicly exchanged information.

III. ADVANTAGE DISTILLATION WITH QUANTIZATION CORRECTION
We now describe the ADQC technique.Let us introduce the binary space S = {0, 1} b containing M = 2 b different binary strings, each of b bits.Alice and Bob aim at drawing two sequences, s A ∈ S and s B ∈ S, by processing the observed channel features x and y, respectively.
The problem of associating a real number (in this case, the feature measurement) to a binary sequence can be seen as a quantization problem that partitions the set of real numbers into M intervals so that the m-th interval is associated with the sequence s m ∈ S. A quantizer q provides the bit sequence s = q(a) from the real number a.
First, note that the quantizers used by Alice, Bob, and Eve are chosen before the actual key agreement protocol, as will be detailed later.Moreover, we consider a worst-case scenario where all quantizers are publicly known, However, both the secrecy and the randomness of the scheme still lie in the extracted channel measurements.Now, we aim to make this extraction process such that s A is as close as possible to s B while remaining secret to Eve.We can write the observation at Bob as the observation at Alice corrupted by an error ǫ, i.e., y = x + ǫ. (1) Let q A (x) be the quantized value at Alice (corresponding to the m-th quantization interval), and let η = x − q(x) be the quantization error at Alice.Then, from (1) we have In general, note that η and ǫ are statistically dependent.However, ignoring this dependency, we can have that y is turned away from the quantization value q A (x) by both errors η and ǫ.Thus, to improve the advantage distillation procedure, in ADQC Alice communicates over the public channel the value of the quantization error η so that Bob can compute and quantize y ′ with quantizer q B (•) to obtain its bit sequence.
If Alice uses B bits to feedback η over the public channel, we must quantize η.To this end, each quantization interval m , m = 1, . . ., M , is split into K = 2 B sub-intervals of equal length, and (a binary representation) of the index of the sub-interval in which η is falling is transmitted over the public channel.Then, Alice transmits where L (A) (x) is the length of the quantization interval of x.This quantization procedure also avoids transmitting the value of η that may reveal in part the interval I m to Eve, since quantization intervals may have different lengths.Upon reception of ξ, Bob computes where L (B) (y) is the length of quantization interval of y.Then Bob uses η ′ instead of η in (3) to quantize y ′ with q B (•).Indeed, it may happen that L (A) (x) = L (B) (y).Nonetheless, it is reasonable to assume the length of intervals close to each other to be similar.Eve can do the same procedure of Bob, by computing its own correction factor η ′′ and applying it to its measurement z before quantizing it with q E (•).However, there will be a higher probability that z ′ = z − η ′′ falls in another interval than x, thus the correction factor won't provide the same benefit on the sequence extraction of Bob.

A. Quantizer Design
We are now left with the design of the Alice, Bob, and Eve quantizers, i.e., q A , q B , and q E , respectively.Now, note that a quantizer q with M quantization intervals is fully defined by the position of M +1 thresholds, T = {T i , i = 0, . . ., M +1}, where however the saturation values T 0 = T min and T M+1 = T max are set to match a predefined saturation probability. 1 Let T A , T B , and T E be sets of thresholds used for the three quantizers.The metric used for the design is the lower bound on the secret-key capacity for the source model [1], [3,Ch. 4], i.e., where I(v 1 ; v 2 ) is the mutual information between random vectors v 1 and v 2 .Alice and Bob aim at designing the quantizers q A and q B to increase C low sk , i.e., by increasing the agreement between Alice's and Bob's extracted bit sequences, while limiting the amount of information revealed to Eve.Eve in turn aims at minimizing C low sk (T A , T B , T E ) with a proper choice of her quantizer q E .
To estimate the mutual information it is necessary to have the associated joint probability density function (PDF): this is either known a priori or estimated by using a dataset of observations (x, y, z) as input to the quantizers.
To design the quantizer we consider the following iterative procedure.Starting from uniform quantizers on a predefined range, at each iteration Eve optimizes her quantizer Finally, Alice, Bob, and Eve set the quantizers qA , qB , and qE , from the new thresholds TA , TB , and TE .The optimizations are performed via numerical methods.The procedure is repeated either until convergence is reached or a maximum number of iterations has been performed.

B. Advantage Distillation vs Information Reconciliation with Limited-Rate Public Channel
When the public channel has no rate limitations, a large value of B (number of bits describing the quantization error) is to be preferred to improve the agreement between the bit sequences extracted by Alice and Bob.However, in a scenario where the side-channel rate is limited, and it is used for both advantage distillation and information reconciliation, we must decide the number of bits to be used for both processes.
For ADQC, we have seen that B bits are transmitted for each quantized sample.For the information reconciliation, a sequence of n > b bits obtained from the advantage distillation is considered an error-corrupted version of a codeword of a linear code (k, n) as done, for instance, in [11].Hence, during 1 Samples eventually falling outside the region [T min , Tmax] are remapped to the closest interval.
the reconciliation, Bob will share n − k bits over the public channel for n/b samples.The number of bits shared on the public channel for each bit of the extracted bit sequence is β B b , with β = 0 when no information is shared during advantage distillation, in what we will denote as no error correction (NEC) technique.
Next, we observe that the code rate is related to the secret key capacity (after the advantage distillation) as follows We introduce now the cost function γ representing the ratio between the numbers of bits shared on the side channel for the ADQC and the NEC techniques.For the same number of measurements (thus for the same n), the ADQC and NEC techniques generate k (ADQC) and k (NEC) bits of the secret key, respectively.Then, γ is computed as (ADQC) AB and C (NEC) AB are the mutual information between Alice and Bob bit sequences for the ADQC and NEC techniques, respectively.

IV. NUMERICAL RESULTS
In this Section, we report the performance of the ADQC technique and compare it with both the NEC technique and the guard-band (GB) technique of [8].
We model the vector v = [x y z] T of Alice's, Bob's, and Eve's measurements as a jointly Gaussian vector having zeromean and covariance where we fixed the correlation between legitimates and Eve features to ρ AE = ρ BE = 0.8.Next, we let ρ AB varying in the interval ρ AB ∈ [0.8, 1].The saturation thresholds are set at T max = −T min = 6, assuring a saturation probability For the ADQC technique we considered B = 1 and 2 bit of quantization error correction.For both ADQC and NEC techniques, quantizers are either optimized as described in the previous section or uniform, with M − 1 thresholds, placed uniformly in [−T min , T max ].For the GB technique, the quantizer is uniform and guard bands are set to 0.85, to maximize the secret key capacity lower bound.
Fig. 2 shows C low sk for the considered SKA techniques when extracting b = 3 bit per sample.We remark that the GB technique discards samples falling on the guard bands, reducing the observation rate (and in general the secret key rate).The best performance is in fact achieved by ADQC with optimized quantizers, thus, sharing information during the advantage distillation is advantageous.In particular, optimizing the quantizers and using ADQC yields on average a 60% improvement of the secrecy capacity, more than doubling it for low correlation values, i.e., when ρ AB ≈ ρ AE = ρ BE = 0.8.Note that even the NEC technique with optimized quantizers 0.8 0.82 0.84 0.86 0.88 0.9 0.92 0.94 0.96 0.98 0 0.5  yields a higher C low sk with respect to both [8] and NEC with uniform quantizers.
Table I shows the performance of the ADQC with B = 2 bit used for quantization error correction and for several values of extracted bit per measurement, b = 2, 3, and 4 bit.Increasing the number of bits extracted from the channel yields a higher C low sk , even just sharing just B = 2 bit of error correction.We now consider the case of limited side-channel capacity, described in Section III-B, focusing on the NEC and ADQC techniques, both with optimized quantizers, to understand the overhead introduced on the side channel.Fig. 3 shows γ as a function of the correlation ρ AB , with B = 1 bit, b = 2 or 3, and B = 1 or 2 bit.We first note that for B = 1 (thus a very limited side-channel overhead due to quantization error correction) the number of bits exchanged on the side channel is very close for both ADQC and NEC schemes (i.e., γ ≈ 1).Indeed, for high values of ρ AB the ADQC technique requires even fewer bits than NEC (for b = 3 and 4) since the extracted bit sequences are more similar and the information reconciliation part is less demanding.Instead, when we consider B = 2, we note that the data rate of the side channel increases by a factor of 3 (for highly correlated channels) to obtain however a higher secrecy capacity as from Fig. 2.

V. CONCLUSION
We have proposed an advantage distillation technique for physical layer-based SKA, where Alice transmits via a publicly authenticated channel a correction, that is exploited by Bob and, eventually by Eve, to correct their measurements.Numerical results show that both the quantizer optimization 0.8 0.82 0.84 0.86 0.88 0.9 0.92 0.94 0.96 0.98 and the correction transmission allow Alice and Bob to achieve a higher lower bound of the secret key capacity, even when Eve optimizes her quantizers as well.Additionally, we showed that the lower bound of the secrecy key rate per bit shared on the public channel is higher when correction is used, revealing an efficient use of the public channel by this technique.
with T A and T B fixed.Next, Alice and Bob optimize their own [ TA , TB ] = arg max TA,TB C low sk (T A , T B , TE ) .