## Definition

A key exchange protocol between two parties that enables the calculation of a key on both sides while preventing an adversary to extract any nontrivial information about the key. The protocol assumes the parties have access to a correlated random source that is derived from the wireless communication link they employ. The adversary can be considered to be passive (eavesdropping) or active (modifying the communication environment).

## Background

In a wireless environment, the received signal suffers from external distortions that include mean propagation pathloss, fading, interference from other users’ signals, and thermal noise. Among these causes, fading may change in an unpredictable way as the wireless environment changes due to the frequency, location, direction, and reflecting coefficients of the surrounding objects. The unpredictability of these factors presents a wireless channel as a (nonstationary) stochastic process that may contain a substantial amount of entropy.

The stochastic characteristics of a wireless channel determine the received signal’s delay, its envelope, and its phase. According to the principle of reciprocity, in the absence of interference, both transmitter and receiver experience the same signal envelope. Thus, the signal envelope information can provide the two transceivers with two correlated random sources, unique to the fading properties experienced by the wireless link between them. Note that in practice one cannot ignore interference and thus the correlation between the two sources will not be perfect.

In a variety of environments, the shared signal envelope will contain a number of unpredictable variations due to multi-path fading and thus can provide a sufficient amount of entropy that can potentially be used to extract a shared key. Furthermore, it may be difficult for an eavesdropper, which is a few wavelengths away from the transmitter and receiver to predict the exact envelopes perceived by the two legitimate transceivers since recreating the same fading environment would require an extensive understanding of the location and geometry of the spaces surrounding the legitimate transceivers.

A pair of transceivers can extract a symbol stream from the channel fading information in a variety of ways. One such possibility is based on a threshold that is set by both sides of the wireless link and measuring highs and lows. The statistics of the generated bit stream and consequently the generated key depend on this threshold as well as the transmit power and the attenuation in the link. An automatic gain control (AGC) mechanism can be used so that the statistics of the generated key is independent of the transmit power and the link attenuation.

## Theory

To abstract the problem at hand, we consider three parties, namely, Alice, Bob, and Eve, each one holding a random variable *X, Y*, and *Z*, respectively. The tuple (*X, Y, Z*) is sampled simultaneously from the underlying channel distribution while each of *X, Y*, and *Z* is a sequence of symbols of the same length. The objective of Alice and Bob is to use the information in *X* and *Y*, respectively, and produce an output Ka and Kb, respectively. An algorithmic solution *S* for the problem at hand would be a set of two algorithms, respectively, for Alice and Bob, that would provide a way to calculate Ka and Kb from *X* and *Y*. The solution *S* is said to be correct with error *e* if it happens that the event Ka = Kb occurs with probability at least 1 − *e*. The probability here is taken over the distribution of (*X, Y, Z*) as well as any probabilistic choices (if any) are made by *S*. On the other hand, the solution *S* is said to be secure with distance *e* if the following condition holds. Consider the conditional space over which it holds that the event Ka = Kb happens; in such case there is a joint key *K* = Ka = Kb that is calculated by the two players; the statistical distance of the random variable (*K, Z*) from (*U, Z*) is at most *e* where *U* is a uniformly random bitstring of the same length as *K*. The intuition behind the definition of security is that an adversary should be incapable of distinguishing the distribution of the key *K* from a uniformly random string even if it is given Eve’s input *Z*. We note that the algorithmic solution *S* can be either interactive or noninteractive. In the interactive case, the definition of security would also take into account that the messages exchanged between Alice and Bob become available to the adversary. Stronger adversarial settings for the problem involve an adversary that is not passively eavesdropping but rather actively changing the channel distribution of the two parties.

## Open Problems

The first challenge in designing an algorithmic solution *S* for key agreement in this setting is to account for the fact that the random variables *X* and *Y* can turn out to be different, i.e., we expect the event *X* = *Y* to happen with only negligible probability. Therefore, an information reconciliation step is needed. This may be solved by a process that will enable the two parties to drop the disagreement locations and produce identical strings. The second challenge is privacy amplification, i.e., using the joint string as a source of joint randomness that can produce a uniform key. This can be achieved by applying a randomness extractor extract the key *K*. Note that it may be possible to achieve extraction without agreeing on additional randomness given that the underlying distribution has specific characteristics. Finally, one has to ensure that conditioning on *Z* still retains the uniform randomness of *K*, i.e., the statistical distance of *K* from a uniform random variable *U* of the same length is bounded by a small fraction.

## Experimental Results

A number of experiments have demonstrated the feasibility of wireless key generation in the sense of agreement between the two players. See references [1–4].