 Research
 Open access
 Published:
A powerful adversary model and corresponding OTP time slot allocation scheme in RISassisted physical layer key generation
EURASIP Journal on Wireless Communications and Networking volumeÂ 2024, ArticleÂ number:Â 54 (2024)
Abstract
Physical layer key generation (PLKG) is a technique of informationtheoretic security to tackle the problem of key distribution between resourceconstrained legitimate users and is a promising candidate for the one time pad (OTP) technique. However, in quasistatic, the key rate is greatly limited due to low entropy. Reconfigurable intelligent surface (RIS) is introduced to adaptively reconfigure the radio environment. However, how to allocate time slots in the OTP to counter the increasingly powerful adversary model is an urgent problem to be solved. In this paper, we propose a very powerful adversary model and give an attack strategy called eavesdropping channel search, which allows Eve to use its search and eavesdropping capabilities to maximize the probability of successful attacks. Meanwhile, we propose a time slot allocation algorithm in the OTP to ensure the security of the key. Simulations validate that our proposed attack strategy is more powerful than any existing adversary model and our proposed time slot allocation algorithm does not have any security loss.
1 Introduction
The exponential growth of connectivity and widespread adoption of wireless communications in the Internet of Things (IoT) have resulted in an unprecedented acknowledgment of the importance of data confidentiality [1]. Consequently, a multitude of encryption schemes have been suggested for enhancing wireless network security. These can be broadly classified into symmetric encryption and asymmetric encryption [2]. The secure distribution and management of keys in the former pose a considerable challenge, especially in network environments of significant scale. The security of the latter is contingent upon the intricacy of the asymmetric encryption algorithm, which directly affects the efficacy of encryption and decryption in resourceconstrained IoT environments. Furthermore, the emergence of formidable quantum computers presents a risk to the integrity of cryptographic methods, as they possess the capability to solve elliptic curve discrete logarithm problems in polynomial time [3].
Luckily, the issue of key distribution between two legitimate users, Alice and Bob, has been effectively addressed through the introduction of physical layer key generation (PLKG). This technique provides a costeffective approach while maintaining informationtheoretic security and lightweight properties [4]. PLKG exploits the inherent randomness and reciprocity of wireless channels to facilitate the establishment of symmetric keys between Alice and Bob [5]. The timevarying wireless channels serve as a source of randomness for generating physical layer keys. The reciprocal nature of channels within the coherence time enables Alice and Bob to acquire nearly identical channel state information (CSI). With the utilization of these attributes, Alice and Bob can successfully accomplish physical layer key generation schemes independently, devoid of any external node involvement [6].
Moreover, PLKG is a promising candidate for the one time pad (OTP) technique [7]. And OTP is commonly acknowledged as the holy grail of cryptography which provides informationtheoretic security [8]. However, only a higher key rate can provide enough random keys for OTP. This is difficult to achieve in a quasistatic environment [9, 10]. To solve the problem, reconfigurable intelligent surface (RIS) is usually used to improve the key rate [11,12,13,14]. RIS is able to change the amplitude and phase of the reflected signals to reconfigure the radio environment [15].
In the OTP process, channel probing, information reconciliation and encrypted packet transmission all need to occupy channel time [16]. Therefore, time slot allocation is also a key issue. The work in [17] designs an optimal algorithm for allocating time slots for channel probing and encrypted packet transmission. The work in [18] designs a time slot allocation algorithm to maximize the transmission rate. However, the time slot cost of information reconciliation is ignored in the above schemes. At the same time, these schemes lack security against a robust adversary model.
To evaluate the security of the OTP, a robust adversary model needs to be designed. Some studies [17, 19] assume that Eve has a powerful yet finite computational capability and uses the incomplete randomness of the channel to search for keys. Some studies [20,21,22,23] assume that Eve can get the CSI correlated with the legitimate channel. But no adversary model considers Eve to have all of the above capabilities. In other words, none of the adversary models in these studies are powerful enough.
In this paper, we propose a very powerful adversary model. Meanwhile, we propose a time slot allocation algorithm in the OTP against the adversary model. Our main technical contributions are as follows:

We propose a very powerful adversary model. We assume that Eve has a powerful yet finite computational capability and Eve can get the reconciliation information and the CSI correlated with the legitimate channel. We give an attack strategy called eavesdropping channel search, which allows Eve to use its search and eavesdropping capabilities to maximize the probability of successful attacks.

In order to resist the adversary model, we propose a time slot allocation algorithm to ensure the security of the key.

Monte Carlo simulation proves that our attack strategy is more powerful than any existing adversary model. At the same time, our proposed time slot allocation algorithm does not have any security loss, which is superior to the existing schemes.
The remainder of this paper is organized as follows. SectionÂ 2 describes the methods. SectionÂ 3 describes a detailed system model. SectionÂ 4 presents the details of our proposed adversary model. SectionÂ 5 presents the details of our proposed time slot allocation algorithm. The performance evaluation of the proposed scheme is introduced in Sect.Â 6. At last, this paper is concluded in Sect.Â 7.
Notations: Italic letters \((A, B, a, b, \dots )\), boldface lowercase letters \(({\textbf {a, b, \dots }})\) and boldface uppercase letters \(({\textbf {A, B, \dots }})\) denotes scalars, vectors and matrices, respectively. \((\cdot )^T\) is the transpose. \(\circ\) is the Hadamard product. \([{\textbf {a}}]_m\) denotes the mth element of vector \({\textbf {a}}\). \([{\textbf {A}}]_{m,n}\) denotes the (m,Â n)th element of matrix \({\textbf {A}}\). \(\mathcal{C}\mathcal{N}(\mu ,\sigma ^2)\) denotes the circularly symmetric complex Gaussian distribution with mean \(\mu\) and variance \(\sigma ^2\). \(Re(\cdot )\) is the function of the real part, \(Im(\cdot )\) is the function of the imaginary part. \(\text{erf}(\cdot )\) is the Gaussian error function. \(\mathrm {erfc^{1}(\cdot )}\) is the inverse complementary error function. \(E(\cdot )\) denotes the statistical expectation. \(Pr[\cdot ]\) represents the probability function. \(H(\cdot )\) is the entropy function. \(f(\cdot )\) is the probability density function.
2 Methods
This article uses PLKG to implement OTP. The security of OTP is a key issue. To ensure the security of our OTP scheme, we first build a powerful adversary model. The adversary model not only has a strong computing power to search, but also can eavesdrop to obtain the relevant channel state information. We give an attack strategy called eavesdropping channel search, which allows Eve to use its search and eavesdropping capabilities to maximize the probability of successful attacks. In order to resist the adversary model, we propose a time slot allocation algorithm to ensure the security of OTP. By increasing the number of channel probes, the probability of the key being breached is reduced. Monte Carlo simulation proves that our attack strategy is more powerful than any existing adversary model. At the same time, our proposed time slot allocation algorithm does not have any security loss, which is superior to the existing schemes.
3 System model
In this section, we first give the channel model of this paper and then explain the whole process from channel state information to key generation.
3.1 Channel model
Our proposed system consists of legitimate nodes (Alice and Bob), a RIS, and an eavesdropper (Eve), as shown in Fig.Â 1. All communication nodes are equipped with a single antenna. Key generation works in timedivision duplex (TDD) mode. In this system, a RIS equipped with R passive reflecting elements is deployed to enhance the key generation rate so that Alice and Bob can extract a long key and achieve OTP. We assume the RIS is controlled by Alice through a reliable and low delay channel. We consider a passive eavesdropper Eve located around Bob who wants to get the same key as the legitimate nodes based on her own channel observations.
We consider a narrowband and slowfading channel. The RISmodified channel from the transmitter u to the receiver v consists of the direct channel and the RIS reflecting channel, where \(u,v \in \{a,b,e\}\), and \(\{a,b,e\}\) denote Alice, Bob and Eve, respectively. At the tth time instant, the channel from the transmitter u to the receiver v can be expressed as
where \(h_{uv}(t)\sim \mathcal{C}\mathcal{N}(0,\sigma _h^2)\) denotes the received channel including the direct channel and the reflecting channel, \(hd_{uv}(t)\sim \mathcal{C}\mathcal{N}(0,\sigma _{hd}^2)\) denotes the direct channel, \(\Phi ^T(t)({\textbf{g}}_{rv}(t)\circ {\textbf{s}}_{ur}(t))\) denotes the reflecting channel, \({\textbf{s}}_{ur}(t)\in {\mathbb {C}}^{R \times 1}\) denotes the channel from the transmitter u to RIS, \({\textbf{g}}_{rv}(t)\in {\mathbb {C}}^{R \times 1}\) denotes the channel from RIS to the receiver v, and \(\Phi (t)=[\phi _1(t),\dots ,\phi _R(t)]^T\) indicates the reflecting coefficient vector of the RIS where \(\phi (t)=e^{j\theta _r(t)}\beta _r(t)\) is the reflecting coefficient of rth element. The range of each passive element is given as \(\beta _r(t)\in [0,1]\) and \(\theta _r(t)\in [0,2\pi ]\).
In the slowfading scenario, there is a time correlation between the two adjacent channel probe values. The time correlation coefficient of the channel gain is given as
where \(J_0(\cdot )\) is a zerothorder Bessel function of the first kind, \(T_s\) is the sampling period, \(f_d\) is the maximum Doppler shift [24]. Allowing for time correlation, channels at the next time instant is given as
where \(\omega _{hd}\sim \mathcal{C}\mathcal{N}(0,\sigma _{hd}^2)\) is independent of \(hd_{ur}(t)\), \(\mathbf {\omega }_s\) and \({\textbf{s}}_{ur}(t)\) are independently and equally distributed, \(\mathbf {\omega }_g\) and \({\textbf{g}}_{ur}(t)\) are equally distributed independently.
Without loss of generality, we only consider the case that Eve eavesdrops on the data transmission from Alice to Bob. The relationship between \({h}_{ab}(t)\) and \({h}_{ae}(t,k)\) in the correlated channel model can be presented as
where \(\omega _h\sim \mathcal{C}\mathcal{N}(0,\sigma _h^2)\) is independent of \({h}_{ab}(t)\), \(\rho _s\) represents the space correlation coefficient between the legitimate channel and eavesdropping channel. The space correlation coefficient is given as
where d is the distance between Eve and Bob and \(\lambda\) is the length of waveform [20].
Considering the channel reciprocity in the coherent time, we have \(hd_{uv}=hd_{vu}\), \({\textbf{g}}_{rv}={\textbf{g}}_{vr}\) and \({\textbf{s}}_{ur}={\textbf{s}}_{ru}\). Alice configures the \(\Phi (t)\) same for every channel bidirectional probing to ensure the reciprocity of the uplink and downlink channels.
3.2 Key generation process
As shown in Fig.Â 2, key generation protocol comprises four stages, namely channel probing, quantization, information reconciliation, privacy amplification. Randomness test (RT) should be carried out before privacy amplification after information reconciliation to ensure that the key can be used.
3.2.1 Channel probing
The received channel can be estimated by sending a public pilot sequence. At the tth time instant, the estimated channel at node v can be expressed as
where \({\varepsilon }_{v}(t)\sim \mathcal{C}\mathcal{N}(0,2\sigma _n^2/P_uL_P)\) is the channel estimation error by employing zero forcing channel estimation, \(P_u\) is the pilot power of the transmitter u, \(L_P\) is the length of pilot sequences. \(\gamma _v = P_uL_p\sigma _h^2/\sigma _n^2\) is the normalized signaltonoise ratio (SNR) of pilot signals.
3.2.2 Quantization
After the channel probing, the communicators put the channel estimate into the quantizer to get the initial key \(\textbf{IK}_u\), where \(u\in \{a,b,e\}\). We use a 1bit quantizer with real part uniform quantization, which is applied in [20, 25] and is expressed as
where \(IK_u(t)\) represents the bit quantized by the channel estimate of the tth time.
3.2.3 Information reconciliation
However, it can be seen that due to the noise contained in the two legitimate nodes, the initial key may not be exactly the same and cannot be directly used to encrypt information. Information reconciliation is the final step to correct the inconsistency of the initial key. In this paper, we implement the wellknown interactive Cascade protocol [26]. In the information reconciliation process, the legitimate nodes exchange partial information over a public channel, which can be obtained by the eavesdropper.
We denote the bit disagreement ratio (BDR) between \(\textbf{IK}_a\) and \(\textbf{IK}_b\) as \(P_{ab}\). Thus, the mutual information [21] of \(\textbf{IK}_a\) and \(\textbf{IK}_b\) can be expressed as
where L is the length of initial key.
During information reconciliation, Alice and Bob exchange information which can allow Bob to compute the value of \(\textbf{IK}_a\). It follows from the noiseless coding theorem that the minimum amount of information which Alice and Bob need to exchange is \(H(\textbf{IK}_a\textbf{IK}_b)\) [27]. However, in a practical implementation of IR, Alice and Bob need exchange more than \(H(\textbf{IK}_a\textbf{IK}_b)\) bits of information. This means that legitimate nodes can extract less information than \(I(\textbf{IK}_a;\textbf{IK}_b)\) when IR succeeds. We assume that Alice and Bob can extract \(\beta I(\textbf{IK}_a;\textbf{IK}_b)\) bits, where \(\beta \in [0,1]\) is the efficiency of the IR protocol. Thus, the amount of information exchanged can be calculated as
3.2.4 Randomness test
After information reconciliation, the legitimate nodes obtain the common key \(\textbf{CK}\) with the same length as the initial key. Next, the common key needs to be tested for randomness to ensure that the generated key has sufficient randomness. A common practice is to adapt the NIST randomness tests to evaluate whether the common key generated from the wireless channel exhibit randomness properties [28]. The common key that passes the randomness test goes to the next step, otherwise it is discarded.
3.2.5 Privacy amplification
In the process of channel probing, the eavesdropper can obtain the relevant channel information. In the process of information reconciliation, the eavesdropper can obtain the information exchanged on the open letter channel. The information leaked during these two processes puts the key at risk of being cracked by Eve. Thus, Alice and Bob apply the privacy amplification methods to map the results of both nodes to a fixedlength key bit string in order to eliminate part of the information that may be leaked. After privacy amplification, the legitimate nodes get the final key \(\textbf{FK}\) of length M (\(M \le L\)) that can be used for encryption. The common methods used in privacy amplification contain the leftover hash lemma, the cryptographic hash functions, and the Merkleâ€“Damgard hash function [29]. Here, we use the 2universal hash family which is applied in [30].
4 Formal adversary model
In this section, we propose and analyze the adversary model. We first give the hypothesis about the capabilities of the eavesdropper, then analyze the secret bits extracted from the wireless channel, and then give all the possible attack strategies of the eavesdropper, and analyze the success rate of different strategies.
4.1 Assumptions about Eveâ€™s capabilities
We consider a wireless channel randomness based design scenarios in Sect.Â 3. We assume that all design specifications and parameters in the wireless key generation process (e.g., bandwidth, carrier frequency, quantization methods and privacy amplification methods) are known to the public. An adversary Eve can hear all communications between Alice and Bob. We assume that Eve can neither actively affect the wireless channel between Alice and Bob, nor modify the content of any communication. We also assume that Eve has a powerful yet finite computational capability. This enables Eve to perform intensive computations to search for the secret between Alice and Bob.
Definition 1
(Eveâ€™s Capabilities):

Eve and Bob are located close enough to get the CSI correlated with the legitimate channel.

Eve can get the reconciliation information that Alice and Bob exchanged on the open letter channel.

Eve has a powerful yet finite computational capability to search for the secret between Alice and Bob.
4.2 Analyzing secrets generated from wireless channel
4.2.1 Equivalent channel model
In order to facilitate the subsequent analysis, we first simplify the channel model. According to the channel model in (1), the received channel consists of a slowfading direct channel and a reflected channel controlled by a phase shift matrix. By randomly changing the phase shift matrix, the reflecting channel can be regarded as a fastfading channel with complex Gaussian distribution [18]. Therefore, the receiving channel at the next time instant is simplified as
where \(\omega _0 = {h}_{ab}(t)\), \(\omega _1 \sim \mathcal{C}\mathcal{N}(0,\sigma _h^2)\) is independent of \(\omega _0\) and \(\rho _1=\rho _t\sigma _{hd}/\sigma _{h}\) is the time correlation coefficient of the equivalent channel.
The eavesdropping channel at the current time instant cannot be simplified, but for the sake of symbolic unity and to distinguish it from the expression in Sect.Â 3, it is reformulated as
where \(\rho _2=\rho _s\) and \(\omega _2 \sim \mathcal{C}\mathcal{N}(0,\sigma _h^2)\) is independent of \(\omega _0\).
Given that the eavesdropping channel at the next time instant \({h}_{ae}(t+1)\) is both time dependent on \({h}_{ae}(t)\) and space dependent on \({h}_{ab}(t+1)\), it can be expressed as
where \(\omega _3 \sim \mathcal{C}\mathcal{N}(0,\sigma _h^2)\) and \(\omega _0,\omega _1,\omega _2,\omega _3\) are independent of each other.
4.2.2 Calculation of statistical correlation of the initial key
Since the measurements from the wireless channel are correlated in time, the initial key generated from the measurements is also statistically correlated. Using this statistical correlation, Eve can effectively increase the probability of a successful attack [19]. In addition, the statistical correlation will be used to calculate the probability of the key passing the randomness test in Sect.Â 4.4.
The initial key is modeled as a binary correlated sequence with correlation coefficient \(\rho _{I}\in [1,1]\) for consecutive bits IK(t) and \(IK(t+1)\), which is written as
where \(cov(IK(t),IK(t+1))=E((IK(t)E(IK(t)))(IK(t+1)E(IK(t+1))))\) is the covariance between IK(t) and \(IK(t+1)\), \(\sigma (IK(t))\) is the standard deviation of IK(t) and the subscript \(u=\{a,b\}\) is dropped for clarity.
Given that \(Pr(IK(t)=0)=Pr(IK(t)=1)=1/2\), \(E(IK(t))=1/2\). Thus, the standard deviation is calculated as
the covariance is calculated as
where \(E(IK(t)IK(t+1))\) is calculated as
where the integral region D is \(\infty<s_0<+\infty\), \(\infty<s_1<+\infty\).
4.2.3 Analysis of the BDR of the legitimate channel
According to (11), the BDR between legitimate communicators affects the amount of information exchanged during the reconciliation phase and thus the amount of information that Eve can obtain. We need to calculate the BDR for subsequent strategy.
We can derive the BDR between Alice and Bob based on [25], which is
4.2.4 Analysis of the BDR of the eavesdropping channel
Eve and Bob are located close enough to get the CSI associated with the legitimate channel. Eve can use her own CSI to generate the initial key \(\textbf{IK}_e\). Given the proximity of Bob and Eve, it is reasonable to assume that they have the same SNR.
We can derive the BDR between Alice and Eve based on [25], which is
In fact, due to the effect of time correlation, the BDR of each bit of Alice and Eve is not independent. When \({IK}_a(t)\ne {IK}_e(t)\), the probability of \({IK}_a(t+1)\ne {IK}_e(t+1)\) is greatly increased. Conversely, if \({IK}_a(t)= {IK}_e(t)\), the probability of \({IK}_a(t+1)\ne {IK}_e(t+1)\) is greatly decreased [21]. We can calculate the conditional probability based on [21], which is
and
where \(\text{erf}_1=\text{erf}(\sqrt{{\gamma _a}/{2}} {s_0})\), \(\text{erf}_2=\text{erf}(\sqrt{{\gamma _b}/{2}} ({\rho _2}{s_0} + \sqrt{1  {\rho _2}^2} {s_2}))\), \(\text{erf}_3=\text{erf}(\sqrt{{\gamma _a}/{2}} ({\rho _1}{s_0} + \sqrt{1  {\rho _1}^2} {s_1}))\), \(\text{erf}_4=\text{erf}(\sqrt{{\gamma _b}/{2}} ({\rho _1}{\rho _2}{s_0} + {\rho _2}\sqrt{1  {\rho _1}^2} {s_1} + {\rho _1}\sqrt{1  {\rho _2}^2} {s_2}+ \sqrt{1  {\rho _1}^2} \sqrt{1  {\rho _2}^2} {s_3}))\), \(s_1, s_2, s_3, s_4\) are the integral variables. Thus, \(Pr[{IK}_a(t+1)={IK}_e(t+1){IK}_a(t)\ne {IK}_e(t)]=1P_1\).
Similarly, \(Pr[{IK}_a(t+1)\ne {IK}_e(t+1){IK}_a(t)={IK}_e(t)]=P_2\) and \(Pr[{IK}_a(t+1)={IK}_e(t+1){IK}_a(t)={IK}_e(t)]=1P_2\). These conditional probabilities will come into play in the Eveâ€™s strategies in Sect.Â 4.3.
Moreover, according to the Markov chain in Fig.Â 3, \(P_0\), \(P_1\), \(P_2\) are satisfied
4.3 Eveâ€™s strategies
In this section, we give corresponding attack strategy for each link of key generation and propose an attack strategy named eavesdropping channel search (ECS).
The whole process of key generation can be expressed as
As Eve knows the process, there are three straightforward strategies:
4.3.1 Random guess (RG)
Search for the final key \(\mathbf {FK_a}\) in the \(\{0,1\}^{M}\) space. Since the final key is completely random with equal probability distribution, Eve has to rely on random guess to crack it.
4.3.2 Eavesdropping channel search without reconciliation information (ECSwo)
Search for the initial key \(\mathbf {IK_a}\) in the \(\{0,1\}^{L}\) space. Eve uses her own initial key \(\textbf{IK}_e\) without reconciliation information to search for \(\textbf{IK}_a\). According to (20), if the space correlation coefficient is larger than 0, it means that the initial key generated by Eve is more likely to have the same value of the initial key generated by Alice, i.e., \(P_0\) should be smaller than 0.5. If the space correlation is smaller than 0, \(P_0\) should be larger than 0.5, respectively. This helps Eve because she can search for \(\textbf{IK}_a\) by her own \(\textbf{IK}_e\).
As shown in Fig.Â 4, when \(\rho _2>0\), \(\textbf{IK}_e=01101\) and \(\textbf{IK}_a=01110\) will be very similar. Eve first tests \(\textbf{IK}_a\) with the original initial key 01101. If the test does not pass, Eve will change a bit in the \(\textbf{IK}_e\) (\(11101,00101,\dots\)) and test again. If the test still fails, Eve will change the two bits in the \(\textbf{IK}_e\) (\(10101,00001,\dots\)) and test again. And so on until the test is passed.
Furthermore, according to Sect.Â 4.2.4, when \({IK}_a(t)\ne {IK}_e(t)\), the probability of \({IK}_a(t+1)\ne {IK}_e(t+1)\) is greatly increased. Therefore, when changing more than one bit, Eve will preferentially change consecutive bits. As shown in Fig.Â 4, when two bits are changed, Eve will first test \(10101,00001,\dots\) and then \(11010, 11100,\dots\).
On the contrary, when \(\rho _2<0\), the BDR between Alice and Eve will be larger than 0.5. Therefore, Eve will first change all of her bits to test. For example, if \(\textbf{IK}_e=01101\), Eve will first test 10010. If the test fails, Eve will reserve one bit and change the rest of the bits (\(00010,11010,\dots\)), and then test again. If the test still fails, Eve will reserve the two bits and test again. Similar to when \(\rho _2>0\), Eve will first reserve consecutive bits when reserving multiple bits.
4.3.3 Eavesdropping channel search with reconciliation information (ECSw)
Search for the common key \(\mathbf {CK_a}\) in the \(\{0,1\}^{LL_E}\) space. Considering that Alice and Bob will leak \(L_E\) bits in the information reconciliation phase, this compresses the search space. At this point, Eveâ€™s efficiency in using her own initial key \(\textbf{IK}_e\) to search for the common key will be greatly improved.
4.4 The attack success probability of Eve
In this section, we will calculate the attack success probability (ASP) for each of Eveâ€™s strategies in Sect.Â 4.3. We use N to represent Eveâ€™s search capability. This means that Eve can guess or test the key N times.
4.4.1 The attack success probability of RG
After privacy amplification, each bit of the final key is randomly distributed with equal probability. This means that Eve has a 1/2 chance of guessing each bit correctly. In addition, the final key is generated, indicating that it has passed the randomness test. Thus, the attack success probability of RG is expressed as
4.4.2 The attack success probability of ECSwo
Since the search is for the initial key, Eveâ€™s successful attack requires that the correct initial key is searched and that the key passes the randomness test.
First, we introduce the probability of the generated key passing frequency test in RT [19], which is given as
where \(\alpha\) is the Pvalue threshold in RT, and other modules in RT are defined in [19] Appendix C.
Then, given the fact that RT has been passed, we calculate the attack success probability of ECSwo. Since Eve does not know Aliceâ€™s CSI, she cannot know the correlation coefficient \(\rho _2\) exactly. Thus, Eve need to consider the positive and negative correlation simultaneously. Because Eve cannot know the correlation is positive or not, she needs to search from her original initial key and the initial key in which all bits are changed simultaneously. ECSwo searches for \(\textbf{IK}_a\) from the most likely bit sequence toward the least likely one in \(\{0,1\}^L\). Given the fact that RT has been passed, the ECSwo success probability searching for \(\textbf{IK}_a\) is expressed as
When the time correlation coefficient \(\rho _1=0\), whether \(IK_a(t)\) is equal to \(IK_e(t)\) does not affect whether \(IK_a(t+1)\) is equal to \(IK_e(t+1)\). In this case, \(P_0=P_1=P_2\) and (27) can be simplified as
where \(I_x(a,b)\) is the regularized incomplete beta function and n satisfies
As a result, the attack success probability of ECSwo is calculated as
4.4.3 The attack success probability of ECSw
Like ECSwo, ECSw uses the same search method, but ECSw uses reconciliation information to compress the search space. Thus, the attack success probability of ECSw is calculated as
where \(Pr[\text {ECSw}\text {RT}]=P_{ECS}(L',P_1,P_2)\) and \(L'=LL_E\).
Because the search space of ECSw is smaller than that of ECSwo, the success probability of ECSw is higher than that of ECSwo.
5 The proposed OTP scheme
In this section, we propose a time slot allocation algorithm in the OTP against the adversary model. We first analyze the defense strategy against Eve. Then, we propose a threestage OTP scheme. Finally, we propose a time slot allocation algorithm to ensure the security of the key.
5.1 The defense strategy against Eve
We assume that legitimate communicators cannot restrict Eveâ€™s search capability. In addition, we assume that the length of the final key will not change, because the commonly used encryption keys are 128 bits or 256 bits.
For RG, since neither N nor M can be changed, the probability of success of RG is fixed. This means that Eve has at least a probability of \(Pr[\text {RG}]\) attack success. For ECSwo, in order to reduce \(Pr[\text {ECSwo}]\), Alice can increase the number of channel probing to increase the initial key length L. In addition, Alice can reduce the time correlation by increasing the sampling period or using RIS. For ECSw, in addition to the above strategy, Alice can also reduce the BDR of Alice and Bob by increasing the signal power to reduce the information leakage during the information reconciliation. However, increasing signal power also allows Eve to gain more relevant CSI to Alice, which in turn increases \(Pr[\text {ECSw}]\). Based on the above analysis, the most effective strategy is to increase the number of channel probing, that is, to increase the length of the initial key L.
With the increase of L, the probability that the key is successfully attacked by ECSw and ECSwo decreases. However, when L is too large, it will greatly reduce the efficiency of key generation, which may cause Alice to have no key available for a period of time. So we need to set L to an appropriate size. Given that Eve has at least a probability of \(Pr[\text {RG}]\) attack success, we just need to set L to satisfy
5.2 Threestage OTP scheme
Our proposed scheme consists of three stages: channel probing, information reconciliation and encrypted packet transmission in Fig.Â 5. We assume that Alice and Bob have performed twoway authentication before generating the physical layer key.
In Stage 1, Alice and Bob probe the channel L times, which occupies total 2L time slots. In Stage 2, Alice and Bob send the parity checks to realize information reconciliation. According to (11), Alice and Bob send reconciliation information \(L_E\) times, which occupies total \(2L_E\) time slots. In Stage 3, Alice or Bob uses the remaining time slots to transmit the encrypted data. Each time slot transmits 1 bit of encrypted data. Because OTP needs to be given a key of the same length as the message, the length of the encrypted data is the same as that of the final key. Therefore, Alice or Bob spends M time slots to transmit the encrypted information.
5.3 Time slot allocation algorithm
Our time slot allocation algorithm will follow the guideline that guarantees both enough security strength and high efficiency. We want the total time slot from key generation to encrypted transmission to be minimal, while ensuring security. Thus, we can formulate the time slot allocation as the following problem:
In (33a), the objective function is the number of total time slots. (33b) is for security constraint. Variables used in the security constraint are given in (33c), (33d) and (33e).
According to (33b) and (33e), L is positively correlated with \(L_e\), and L is negatively correlated with \(Pr[\text {ECSw}]\). Thus, the problem formulation of (33) is to find the minimum value of L under the security constraint. And we can solve it by AlgorithmÂ 1.
6 Results and discussion
In this section, numerical results are given to illustrate the effectiveness of the proposed attack strategy and the security of the proposed OTP scheme.
6.1 Set up
We consider an RISassisted wireless system. Unless otherwise stated, the experimental parameters are set in this section.
A RIS, equipped with \(M=16\) elements, is deployed between Alice and Bob. The signal power of the direct channel is equal to the signal power of the reflecting channel.
The attacker Eve aims to obtain the secret key through ECS with reconciliation information. Given that a realistically powerful capability for Eve is \(2^{63.1}\) [31], we consider a powerful capability of Eve with \(N=2^{64}\) such that the attack success probability of cracking a 128bit key by random guess is \(2^{64}\).
For ease of analysis, we assume that \(\gamma _a=\gamma _b=\gamma _e=20\) dB. The length of the final key is set to \(M=128\) and the length of the initial key is set to \(L=180\). The time correlation coefficient is set to \(\rho _t=0.4\) and the space correlation coefficient is set to \(\rho _s=0.5\). Thus, \(\rho _1=0.2\) and \(\rho _2=0.5\). The efficiency of the IR protocol is set to \(\beta =0.9\). The Pvalue threshold in RT is set to \(\alpha =0.01\) [11].
6.2 Benchmark schemes
6.2.1 Benchmarks for attack strategies
Four benchmarks are as follows, and their ASPs are calculated in Appendix A.
(1) MaximumLikelihood tree search without reconciliation information (MLTSwo): Eve uses the statistical correlation to search for the initial key without reconciliation information, which is applied in [17, 19]. Statistical correlation results in the probability of the initial key not being completely random, and Eve can search for the initial key in order of probability from maximum to minimum.
(2) MaximumLikelihood tree search with reconciliation information (MLTSw): Eve uses the statistical correlation to search for the common key without reconciliation information. Considering that Alice and Bob will leak some bits in the information reconciliation phase, this compresses the search space. At this point, Eveâ€™s efficiency in using statistical correlation to search for the common key will be greatly improved.
(3) Eavesdropping channel attack without reconciliation information(EAwo): Eve uses her own CSI to crack the key but does not search, which is applied in [20, 21]
(4) Eavesdropping channel attack with reconciliation information(EAw) Eve uses reconciliation information to get some bits, and uses her own CSI to crack the rest.
6.2.2 Benchmarks for time slot allocation
Four benchmarks based on RIS are present:
(1) [17]â€™s scheme: This case is to protect the key against MLTSwo attack.
(2) [18]â€™s scheme: This case is to maximize the transmission rate.
(3) [22]â€™s scheme: This case is to maximizes the minimum secret key capacity for the worstcase eavesdropper channel.
(4) [32]â€™s scheme: This case is to maximizes key generation rate.
6.3 Metrics
The performance of the attack strategy is evaluated by the attack success probability (ASP). The performance of the OTP scheme is evaluated by the security loss (SL).
(1) The attack success probability: The ASP refers to the probability of cracking a key using a certain attack strategy. A higher ASP indicates that the attack strategy is more threatening and effective.
(2) The security loss: The SL describes the loss of security during key generation [19]. The SL is calculated as
where \(Pr[\text {Eve}\ \text {succeeds}]\) is the maximum probability that Eve will break the key by any attack strategies. If SL=0, the ASP without any attack strategies will be higher than the ASP of RG, which means that there is no security loss. If SL>0, this indicates that there is a strategy that can crack the key more efficiently than RG. The smaller the SL, the more secure the key generation process is.
6.4 Results
6.4.1 Evaluation of ASP
We evaluate the ASP of the attack strategies against the length of the initial key, the time correlation coefficient of the equivalent channel, the space correlation coefficient of the equivalent channel and the SNR.
FigureÂ 6 illustrates the ASP versus the length of the initial key L. From this figure, we can clearly observe that the ASP of all schemes except RG decreases with the increase of the L. This is because as L increases, the search space for these schemes becomes larger. This verifies the correctness of our proposed OTP scheme. However, the search space of RG scheme is always \(2^M\), so the ASP of RG does not change. Our proposed OTP scheme is to find the smallest L to satisfy that the ASP of ECSw is smaller than the ASP of RG. In addition, the ASP of our proposed ECS strategy is always larger than that of MLTS strategy and EA strategy. At the same time, we can also see that the use of leaked reconciliation information can effectively compress the search space and improve ASP.
In Fig.Â 7, we present the impact of the \(\rho _1\). We find that the ASP of all schemes except RG generally increases with the increase of \(\rho _1\). The MLTS strategy is the most affected because it only exploits \(\rho _1\) for attacks. When \(\rho _1=0\), the MLTS strategy is even worse than the RG strategy because in this case the MLTS strategy is completely a random guess and the search space for the MLTS strategy is larger. In addition, when \(\rho _1\) changes from 0 to 0.1, the ASP of ECS and EA has an abnormal decline. This is because the probability of the initial key passing RT is reduced. In addition, the ASP of our proposed ECS strategy is larger than that of MLTS strategy and EA strategy.
FigureÂ 8 presents the influence of the \(\rho _2\). We find that the ASP of ECS and EA increases with the increase of \(\rho _2\). This is because the larger \(\rho _2\), the more similar the CSI of Eve and Alice will be, and the greater the probability that the initial keys generated will be the same. When \(\rho _2\ge 0.2\), ECS strategy is superior to MLTS strategy. This means that even if Eve and Alice have only a small correlation, our proposed attack strategy is superior to the others.
In Fig.Â 9, we illustrate the performance of the ASP with different SNR. The ASP of our proposed ECS strategy is always larger than that of MLTS strategy and EA strategy. When SNR changes from 0 dB to 15 dB, the ASP of the strategies those use leaked reconciliation information decreases, but the ASP of the strategies those do not use leaked reconciliation information increases. This is because \(P_{ab}\) is reduced, less reconciliation information is leaked, and the search space is larger. At the same time, \(P_{ae}\) decreases, and the probability of single search success increases. As SNR increases further, the ASP of each strategy tends to stabilize, because the \(P_{ab}\) and \(P_{ae}\) change little at this time.
6.4.2 Evaluation of LS
We evaluate the security loss of our and other time slot allocation schemes. Table 1 shows the number of channel probing and the number of information reconciliation required by our algorithm with no security risk compared to other schemes. The length of both final key and ciphertext is set to 128 bits, so the time slots occupied by encrypted packet transmission is 128. Our algorithm has no security loss against any of the listed attacks in Sect.Â 4.3 and 6.2.1, whereas the others have varying degrees of security loss. In addition, when \(\rho _2\) changes from 0.3 to 0.5, the SL of benchmark schemes increases significantly. This means that in cases where Eve has access to the relevant CSI, the benchmark schemes have a greater security loss.
6.5 Discussion
This paper mainly designs a powerful adversary model and proposes an OTP scheme to counter this model. We found that Eve, after obtaining a CSI correlated with the legitimate channel, can generate a key similar to that of a legitimate communicator. And in a slowchanging environment, Eve is more likely to continuously guess the key. Based on this, we designed Eveâ€™s attack strategy and calculated the probability of success. Compared with the adversary model in [17, 19,20,21], our adversary model has a higher attack success probability. In addition, we designed an OTP scheme to counter our adversary model. Compared with the OTP scheme in [17, 18, 22, 32], our OTP has no security loss.
However, the OTP scheme in this paper needs to know the specific correlation of the eavesdropping channel. How to obtain the correlation is not considered in this paper, but it can be solved by radar sensing and other methods.
7 Conclusion
In this paper, we propose a very powerful adversary model. We assume that Eve has a powerful yet finite computational capability and Eve can get the reconciliation information and the CSI correlated with the legitimate channel. We give an attack strategy called eavesdropping channel search, which allows Eve to use its search and eavesdropping capabilities to maximize the probability of successful attacks. Meanwhile, we propose a time slot allocation algorithm in the OTP against the adversary model. Simulations validate that our proposed attack strategy is more powerful than any existing adversary model and our proposed time slot allocation algorithm does not have any security loss.
Data availability
The datasets used during the current study are available from the corresponding author on reasonable request.
Abbreviations
 IoT:

Internet of Things
 PLKG:

Physical layer key generation
 OTP:

One time pad
 RIS:

Reconfigurable intelligent surface
 CSI:

Channel state information
 RT:

Randomness test
 TDD:

Timedivision duplex
 SNR:

Signaltonoise ratio
 BDR:

Bit disagreement ratio
 ECS:

Eavesdropping channel search
 RG:

Random guess
 ECSwo:

Eavesdropping channel search without reconciliation information
 ECSw:

Eavesdropping channel search with reconciliation information
 ASP:

Attack success probability
 SL:

Security loss
 MLTSwo:

Maximumlikelihood tree search without reconciliation information
 MLTSw:

Maximumlikelihood tree search with reconciliation information
 EAwo:

Eavesdropping channel attack without reconciliation information
 EAw:

Eavesdropping channel attack with reconciliation information
References
G. Li, C. Sun, W. Xu, M.D. Renzo, A. Hu, On maximizing the sum secret key rate for reconfigurable intelligent surfaceassisted multiuser systems. IEEE Trans. Inf. Forensics Secur. 17, 211â€“225 (2022). https://doi.org/10.1109/TIFS.2021.3138612
Y. Chen, Z. Chen, Y. Zhang, Z. Luo, Y. Li, B. Xing, B. Guo, L. Chen, Physical layer key generation scheme for MIMO system based on feature fusion autoencoder. IEEE Internet Things J. 10(16), 14886â€“14895 (2023). https://doi.org/10.1109/JIOT.2023.3288641
M. Ylianttila, R. Kantola, A. Gurtov, L. Mucchi, I. Oppermann, Z. Yan, T.H. Nguyen, F. Liu, T. Hewa, M. Liyanage, A. Ijaz, J. Partala, R. Abbas, A. Hecker, S. Jayousi, A. Martinelli, S. Caputo, J. Bechtold, I. Morales, A. Stoica, G. Abreu, S. Shahabuddin, E. Panayirci, H. Haas, T. Kumar, B.O. Ozparlak, J. RÃ¶ning, 6G White paper: Research challenges for Trust. Security and Privacy (2020)
U.M. Maurer, Secret key agreement by public discussion from common information. IEEE Trans. Inf. Theory 39(3), 733â€“742 (1993). https://doi.org/10.1109/18.256484
J. Zhang, G. Li, A. Marshall, A. Hu, L. Hanzo, A new frontier for IoT security emerging from three decades of key generation relying on wireless channels. IEEE Access 8, 138406â€“138446 (2020). https://doi.org/10.1109/ACCESS.2020.3012006
J. Zhang, A. Marshall, R. Woods, T.Q. Duong, Efficient key generation by exploiting randomness from channel responses of individual OFDM subcarriers. IEEE Trans. Commun. 64(6), 2578â€“2588 (2016). https://doi.org/10.1109/TCOMM.2016.2552165
G. Li, Z. Zhang, J. Zhang, A. Hu, Encrypting wireless communications on the fly using onetime pad and key generation. IEEE Internet Things J. 8(1), 357â€“369 (2021). https://doi.org/10.1109/JIOT.2020.3004451
C.E. Shannon, Communication theory of secrecy systems. The Bell Syst. Tech. J. 28(4), 656â€“715 (1949). https://doi.org/10.1002/j.15387305.1949.tb00928.x
J. Jiao, L. Chen, Stochastic perturbationbased physicallayer secret key generation in quasistatic scene. In: 2021 7th International Conference on Computer and Communications (ICCC), pp. 544â€“548 (2021). https://doi.org/10.1109/ICCC54389.2021.9674489
L. Hu, Y. Chen, G. Li, A. Hu, Exploiting artificial randomness for fast secret key generation in quasistatic environments. In: 2021 IEEE 6th International Conference on Signal and Image Processing (ICSIP), pp. 985â€“989. (2021) https://doi.org/10.1109/ICSIP52628.2021.9688810
T. Lu, L. Chen, J. Zhang, C. Chen, A. Hu, Joint precoding and phase shift design in reconfigurable intelligent surfacesassisted secret key generation. IEEE Trans. Inf. Forensics Secur. 18, 3251â€“3266 (2023). https://doi.org/10.1109/TIFS.2023.3268881
L. Jiao, G. Sun, J. Le, K. Zeng, Machine learningassisted wireless PHY key generation with reconfigurable intelligent surfaces. In: Proceedings of the 3rd ACM Workshop on Wireless Security and Machine Learning. WiseML â€™21, pp. 61â€“66. Association for Computing Machinery, New York, NY, USA (2021). https://doi.org/10.1145/3468218.3469042
V. Shahiri, H. Behroozi, A. Kuhestani, K.K. Wong, Reconfigurable intelligent surfaceassisted secret key generation under spatially correlated channels in quasistatic environments. IEEE Internet of Things Journal, 1â€“1 (2024) https://doi.org/10.1109/JIOT.2023.3349354
Z.M. Jiang, M. Rihan, P. Zhang, L. Huang, Q. Deng, J. Zhang, E.M. Mohamed, Intelligent reflecting surface aided dualfunction radar and communication system. IEEE Syst. J. 16(1), 475â€“486 (2022). https://doi.org/10.1109/JSYST.2021.3057400
M.D. Renzo, M. Debbah, D.T. PhanHuy, A. Zappone, M.S. Alouini, C. Yuen, V. Sciancalepore, G.C. Alexandropoulos, J. Hoydis, H. Gacanin, Smart radio environments empowered by reconfigurable AI metasurfaces: an idea whose time has come. EURASIP J. Wirel. Commun. Netw. 2019(1), 1â€“20 (2019)
Y. Song, L. Chen, W. Ma, T. Lu, P. Zhang, Time slot allocation for RISassisted physical layer key generation in OTP. In: 2023 IEEE 98th Vehicular Technology Conference (VTC2023Fall), pp. 1â€“5 (2023). https://doi.org/10.1109/VTC2023Fall60731.2023.10333784
L. Chen, K. Cao, T. Lu, Y. Lu, A. Hu, A onetime pad encryption scheme based on efficient physicallayer secret key generation for intelligent IoT system. China Commun. 19(7), 185â€“196 (2022)
Z. Ji, P.L. Yeoh, G. Chen, C. Pan, Y. Zhang, Z. He, H. Yin, Y. Li, Random shifting intelligent reflecting surface for OTP encrypted data transmission. IEEE Wirel. Commun. Lett. 10(6), 1192â€“1196 (2021). https://doi.org/10.1109/LWC.2021.3061549
Z. Qu, S. Zhao, J. Xu, Z. Lu, Y. Liu, How to test the randomness from the wireless channel for security? IEEE Trans. Inf. Forensics Secur. 16, 3753â€“3766 (2021)
L. Jin, X. Hu, X. Sun, Y. Lou, K. Huang, Z. Zhong, X. Xu, Native security scheme based on physical layer chain key for encryption and authentication. In: 2021 IEEE Wireless Communications and Networking Conference Workshops (WCNCW), pp. 1â€“7 (2021). IEEE
L. Chen, Y. Song, T. Lu, P. Zhang, Machine learning assisted physical layer secret key generation in the onetimepad encryption scheme. In: Proceedings of the 2023 ACM Workshop on Wireless Security and Machine Learning. WiseMLâ€™23, pp. 45â€“50. Association for Computing Machinery, New York, NY, USA (2023)
Z. Ji, P.L. Yeoh, D. Zhang, G. Chen, Y. Zhang, Z. He, H. Yin, Y. li, Secret key generation for intelligent reflecting surface assisted wireless communication networks. IEEE Trans. Veh. Technol. 70(1), 1030â€“1034 (2021) https://doi.org/10.1109/TVT.2020.3045728
X. Gu, W. Duan, G. Zhang, Q. Sun, M. Wen, P.H. Ho, Physical layer security for RISaided wireless communications with uncertain eavesdropper distributions. IEEE Syst. J. 17(1), 848â€“859 (2023). https://doi.org/10.1109/JSYST.2022.3153932
J. Zhang, B. He, T.Q. Duong, R. Woods, On the key generation from correlated wireless channels. IEEE Commun. Lett. 21(4), 961â€“964 (2017)
X. Hu, L. Jin, K. Huang, K. Ma, C. Song, S. Xiao, A secure communication scheme based on equivalent interference channel assisted by physical layer secret keys. Secur. Commun. Netw. 2020, 1â€“15 (2020)
G. Brassard, L. Salvail, Secretkey reconciliation by public discussion, in Advances in Cryptology â€“ EUROCRYPT â€™93. ed. by T. Helleseth (Springer, Berlin, Heidelberg, 1994), pp.410â€“423
T.B. Pedersen, M. Toyran, High performance information reconciliation for QKD with CASCADE (2013)
L.E. BasshamÂ III, A.L. Rukhin, J. Soto, J.R. Nechvatal, M.E. Smid, E.B. Barker, S.D. Leigh, M. Levenson, M. Vangel, D.L. Banks, et al.: Sp 80022 rev. 1a. a statistical test suite for random and pseudorandom number generators for cryptographic applications. National Institute of Standards & Technology (2010)
A. Dey, S. Nandi, M. Sarkar, Security measures in IoT based 5G networks. In: 2018 3rd International Conference on Inventive Computation Technologies (ICICT), pp. 561â€“566 (2018). https://doi.org/10.1109/ICICT43934.2018.9034365
S. Jana, S.N. Premnath, M. Clark, S.K. Kasera, N. Patwari, S.V. Krishnamurthy, On the effectiveness of secret key extraction from wireless signal strength in real environments. In: Proceedings of the 15th Annual International Conference on Mobile Computing and Networking. MobiCom â€™09, pp. 321â€“332. Association for Computing Machinery, New York, NY, USA (2009)
M. Stevens, E. Bursztein, P. Karpman, A. Albertini, Y. Markov, The first collision for full sha1, in Advances in Cryptology  CRYPTO 2017. ed. by J. Katz, H. Shacham (Springer, Cham, 2017), pp.570â€“596
Y. Liu, M. Wang, J. Xu, S. Gong, D.T. Hoang, D. Niyato, Boosting secret key generation for irsassisted symbiotic radio communications. In: 2021 IEEE 93rd Vehicular Technology Conference (VTC2021Spring), pp. 1â€“6 (2021). https://doi.org/10.1109/VTC2021Spring51267.2021.9448719
Acknowledgements
Not applicable.
Funding
This work is supported by National Natural Science Foundation of China (No.U22B2026).
Author information
Authors and Affiliations
Contributions
All authors contributed to this work and approved the final manuscript.
Corresponding author
Ethics declarations
Ethics approval and consent to participate
Not applicable.
Consent for publication
Not applicable.
Competing interests
The authors have no competing interests to declare.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Appendix A The ASP of benchmarks
Appendix A The ASP of benchmarks
1.1 A.1 The attack success probability of MLTSwo
Since the search is for the initial key, Eveâ€™s successful attack requires that the correct initial key is searched and that the key passes the randomness test. According to [19], given the fact that RT has been passed, the attack success probability of MLTSwo can be expressed as
where \(I_x(a,b)\) is the regularized incomplete beta function and n satisfies (29).
1.2 A.2 The attack success probability of MLTSw
Like MLTSwo, MLTSw uses the same search method, but MLTSw uses reconciliation information to compress the search space. Given the fact that RT has been passed, the attack success probability of MLTSw is calculated as
1.3 A.3 The attack success probability of EAwo
Eve uses her own initial key to crack the key. Given the fact that RT has been passed, the attack success probability of EAwo is calculated as
1.4 A.4 The attack success probability of EAw
Like EAwo, EAw uses the same search method, but EAw uses reconciliation information to compress the search space. Given the fact that RT has been passed, the attack success probability of EAw is calculated as
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Chen, L., Song, Y., Ma, W. et al. A powerful adversary model and corresponding OTP time slot allocation scheme in RISassisted physical layer key generation. J Wireless Com Network 2024, 54 (2024). https://doi.org/10.1186/s13638024023842
Received:
Accepted:
Published:
DOI: https://doi.org/10.1186/s13638024023842