Physical-Layer-Security Box: a concept for time-frequency channel-reciprocity key generation

The motivation for this study about Physical Layer Security comes from bridging the gap between the vast theory and a feasible implementation. We propose a Physical-Layer-Security Box as a system-level Box is a system-level solution, named PLS-Box, to solve the key exchange between two wireless communicating parties. The PLS-Box performs a novel key generation method named time-frequency filter-bank. The entropy of the radio channel is harvested via a filter-bank processing, and then turned into a reciprocal security key, at both ends. In this concept work, we also focus on several PLS open issues, such as radio-frequency imperfections and accessibility to the baseband communication modem. The goal is to show a wide applicability of our PLS-Box to actual wireless systems, paving the way for an evolution of existing schemes.

employees or citizens themselves (e.g., the usage of weak passwords or clicking phishing e-mails [17]). This motivates the urgent need of developing new fool-proof solutions today for the security landscape of tomorrow. The conventional approach to design secure communications is based on the computational intractability of cryptography primitives [18], usually implemented in software. Symmetric algorithms, such as Advanced Encryption Standard (AES), assure confidentiality between two parties, but require that a pre-shared key is known as secret information in order to perform encryption and decryption. On the other hand, asymmetric algorithms (such as Diffie-Hellman (DHE)) solve this key exchange problem, thanks to the mathematical intractability of factorization and discrete logarithms. Modern elliptic-curve cryptography (ECC) belongs to this category [19]. Generally, asymmetric algorithms are computationally expensive, slow, and have a high energy consumption [20]. Cryptography asymmetric primitives tend to consume three times more energy than symmetric primitives [21]. Moreover, a trusted centralized unit, known as Public-Key-Infrastructure (PKI), is necessary to manage the asymmetric keys.
Although cryptographic methods are constantly enhanced, they may not be applicable in all modern mobile contexts. Because of additional device requirements, such as long battery life, low complexity, low computing power, and small memory [22,23], there is in fact a whole research field dedicated to the so-called lightweight cryptography [24]. This is considered more suitable for IoT, with security schemes specifically designed for resource-constrained devices [25].
To complete the picture, it is worth mentioning that asymmetric cryptography will be no longer secure with the advent of quantum computers [26]. In line with the emerging paradigm of post-quantum-cryptography (PQC) [27,28], today there is an increasing demand for longer security keys in conventional security schemes [29]. The consequences are likely more overhead and latency in the actual communications and databases.
Generally, across the protocol stack from application layer (APP) to the physical layer (PHY), layers are ideally modular and independent. In practice, security functionalities instead might be redundant and inefficiently integrated. Therefore, cross-layer security solutions come into play [30,31], alternatively to conventional cryptography.
Within this evolving context, new solutions, such as Physical-Layer Security (PLS), are currently under investigation as potential technologies to provide a complementary and flexible layer of security. Among different methods, we can cite channel-reciprocity key generation (CRKG), wiretap coding [32], and physical-unclonable function (PUF) [33][34][35][36].
Originally, PLS dates back to the late 1940s [37][38][39]. Over the years, the PLS paradigm has been emerging from different complementary fields, and more recently, it has been investigated for many applications: TV/radio systems [40], ultra-wideband (UWB) systems [41], WiFi [42], Bluetooth [43,44], power-line-communication [45], optical fibers [46], satellite links [47], vehicular communication [48], visible light communication [49], and underwater communication [50]. However, to the best of our knowledge, it has not been fully commercially developed and exploited yet. In a nutshell, PLS implements some security functionalities down at the PHY, to achieve improvements in speed, energy, resilience, and isolation. The innovative strength of PLS relies upon the exploitation of the inherent randomness in the communication channel, electronic circuits [51,52], and radio-frequency (RF) systems [53]. PLS can in fact leverage on unpredictable entropy sources, such as the radio wave propagation, which varies due to mobility and environmental changes.
In conclusion, PLS offers interesting opportunities today, but it is not completely clear how it could be efficiently integrated in existing security frameworks. As far as we know, so far, only few research projects (e.g., Phylaws [54], WiPhyLoc8, and Prophylaxe [55]), and laboratory prototypes have been dedicated to PLS. All of this demands the need of further research for practical solutions.
Our contributions in this work about PLS are: • Addressing the open issues for implementation of PLS Key Generation, bridging the gap between literature and practice; • Presenting a new PLS system-level solution named PLS-Box to solve the key exchange between two wireless communicating parties, different from conventional cryptography algorithm; • Presenting a novel key generation quantization method named time-frequency filter-bank with some examples; • Proposing a preliminary unified framework for Physical-Layer-Security Key Generation for easy comparison and future development in the research community.
The rest of the paper is organized as follows: Section 2 describes the PLS state of the art. In Section 3, our PLS-Box concept is presented, with implementation issues discussed in Section 4. A novel time-frequency analysis for CRKG is described in Section 5. This leads to Sections 6 and 7, where the filter-bank quantization method is described and some examples are provided in line with actual wireless systems. Finally, in Section 8, a framework to assess the PLS-Box CRKG performance is provided.

State of the art
In the IoT era, a mobile device is equipped with many sensors and intelligence, within an heterogeneous architecture. Given that, it is reasonable to expect that PLS will be influenced also by other fields [56], such as hardware security or biometrics [59], along its evolution path. Potentially, CRKG and RF fingerprinting [60] techniques can be revolutionary for key-exchange and authentication problems, but they still have limited and contradicting performances, as reported in current literature. For example in [61], 1 min is necessary to generate 128 bit of security key, whereas in [62], in theory, only 16 ms are estimated for 256 bit of security key.
Traditionally, three entities are considered to investigate the security of a communication channel: Alice, Bob, and Eve. Alice wants to privately send messages to Bob and vice versa. Eve is instead a malicious entity, who wants to eavesdrop on the Alice/Bob messages or interfere with them [31,63].
In literature, works on PLS are numerous [64]. For the sake of simplicity, we hereby divide them into two branches, according to [65].

Key-less
Key-less PLS is based on information theory, leveraging on the secrecy capacity concept, given by the pioneering works of Shannon [37] and Wyner [38]. As explained in [62], the key-less PLS consists of building codes for secrecy, without using security keys: Alice and Bob encode the data to communicate in such a way that Eve cannot be able to decode [66], thanks to the performance gap between the legitimate channel and the eavesdropper's channel. The so-called secrecy capacity characterizes the maximal rate at which this successful coding between Alice and Bob may work. Today, the literature is vast [67,68], including multi-antenna and multi-user PLS schemes, developed in parallel to Multiple-Input-Multiple-Output (MIMO) communications over the last decades. For example, artificial noise techniques [69][70][71] or wiretap coding [72] fall into this branch. In a nutshell, key-less PLS has some advantages: • Bit-stream security, with no key generation; • Suitability for time division duplex (TDD) and frequency division duplex (FDD).
and disadvantages: • Partial reduction of communication capacity (i.e., data rate); • Assumptions on channel state information (CSI) and/or radio channel statistics; • Required knowledge about eavesdropper capabilities, such as number of antennas and noise level.

Key-based
Key-based PLS (named CRKG in the following) extracts keys from a common source of randomness, as suggested initially in [39,73]. In wireless communication systems, the channel itself is the source, as it varies randomly in time, space, and frequency. Basically, there are two fundamental assumptions: 1. The radio channel is reciprocal, such that Alice and Bob experience the same wireless medium and so can share the same secret. Unfortunately, this is not practically true for frequency-division duplex (FDD) systems, where uplink (UL) and downlink (DL) occur in separated bands. This is possible however in TDD, which is increasingly the duplexing scheme of choice for wireless systems. 2. The scenario offers a spatial protection (i.e., spatial decorrelation) against attackers.
Eve's radio channel is probably very different from Alice's and Bob's, because Eve cannot be superimposed to Alice's or Bob's positions. However, the well-known assumption of a correlation distance equal to half-wavelength (i.e., λ/2) [40] may not hold in reality, as demonstrated by [61,74,75].
One way to accomplish key-based PLS is by processing the received-signal-strength indicator (RSSI) [75][76][77]. RSSI is a PHY metric computed as an average received power over a certain time of the communication signal. Since it depends on the RF chain as well as the analog-digital conversion (ADC) and so is vendor-dependent. Since it is generally available in most wireless modems/interfaces, RSSI has been widely adopted for keybased PLS experimental works. RSSI-based CRKG primarily benefits from a time-variant scenario: since the terminals are moving (or there are significant mobile objects/people in the surrounding), the security key is generated from received power fluctuations (i.e., fading). In general, the acquisition rate of RSSI limits the key quality and size. For instance, in a scenario with limited mobility, the fading has little temporal variation, and so, RSSI methods become generally very slow and inefficient. For example, in [76] 8 min are necessary to generate 256 bit of secret key. Moreover, in [78], the RSSI key-based scheme [79] is demonstrated to suffer from sabotaging of key generation that reveals up to 47% of the generated secret bits. Differently, the CSI CRKG methods generate secret keys from wideband observations of the channel, such as channel impulse response (CIR) or channel transfer function (CTF) (e.g., OFDM sub-carriers) [80]. This is the approach we follow in this work.
In a nutshell, key-based PLS has some advantages: • Easy experimental set-up [43,76], for instance using software-defined-radio (SDR), Zigbee or WiFi cards; • Compatibility with modern encryption methods, since only the key distribution method is addressed; • Peer-to-peer key exchange without a centralized control. and disadvantages: • Suitability only for TDD systems, as it requires a reciprocal channel; • Constraints from the radio channel characteristics.

Key-less vs key-based comparison
Practically, key-less PLS addresses confidentiality directly encoding the data thought the channel. Then, the performance directly depends on the knowledge of the channel characteristics, such as signal-to-noise ratio (SNR), and Eve's capabilities. However, the profile of an attacker is usually difficult to estimate a priori. If Eve is more powerful than expected, (e.g., by having a very large number of antennas or a low-noise receiver), then, the effective security capacity may be effectively lower than the employed data rate. The system might become intrinsically insecure.
Key-based PLS, on the other hand, may rely on existing and well-established symmetric encryption schemes to ensure confidentiality, addressing only the CRKG key generation. This decoupling aspect allows to flexibly renovate the encryption key on demand or to change the key strength if necessary.
Because of these considerations, we argue that key-based PLS is more likely to be integrated more easily into a realistic overall security concept.

PLS Box
We present hereby the PLS-Box with a high-level description of its functionalities. The PLS-Box is conceptually similar to hardware-security-module (HSM) [81] or Trusted-Platform-Module [82,83]. The goal of the PLS-Box is to perform CRKG from the received communication data, as depicted by the block diagram in Fig. 1.
The important point here is the interaction between our PLS-Box and the wireless baseband communication modem. In reality, as shown by [84], it is hard to claim if a given modem is trustable or not, since is the only point of access to the radio channel. Therefore, we define 3 ideal configurations: • The box is implemented as part of the modem and so has low-level access to all PHY features. This is the usual assumption in literature. This way is called "modem-aided" in the following; • The box bypasses the modem and operates independently (Fig. 1). In this case, the box needs only a minimum amount of information from the modem, such as a trigger signal of incoming received frame, for example. This way is called "blind" in the following. However, there is a general trade-off between security and efficiency: the modem needs the box to encrypt and decrypt the data, whereas the box needs the modem to access the radio channel or the received signal. Practically, replicating all the modem functionalities (such as synchronization, mixing, sampling and channel estimation) in the box is costly and redundant, while adding the PLS blocks in the modem requires its full re-design. However, considering the overall security on a device, it is worth adopting a principle of isolation among the chips preventing the spread of a malicious attack, even at PHY.
Finally, in terms of cross-layer security, the PLS-Box could pass the generated key to perform conventional encryption (see Fig. 1). Alternatively, the PLS-Box itself can perform decryption (and encryption) of the communication data already at PHY.
Before describing the novelties of the PLS-Box in details, it is necessary to define the CRKG protocol which the PLS-Box is supposed to perform, in line with [31,67,68,85,86].

CRKG protocol
• Authentication: Alice and Bob must trust each other before performing CRKG. This preliminary stage could be achieved in a conventional way [85], by exploiting, for example, secret keys stored by the devices manufacturer and challenge-response authentication methods. Alternatively, there are PLS techniques, such as PUF [87], vicinity-solution [61], or radio-signature authentication [85,88,89]. RF fingerprinting can be implemented today with good results [60,[90][91][92][93][94][95], thanks to the power of classification and clustering of machine and deep learning [96][97][98]. At this stage, Eve can try to impersonate Bob or Alice, playing a man-in-the-middle attack [85]. Authentication is out of scope of this work.
• Channel probing: While Alice and Bob exchange frames for communication, their PLS-Boxes work for security. If the modem access is granted to the PLS-Box, the focus could be on the frame preamble of the received signal. Such preamble contains sounding sequence (e.g., Zadoff-Chu) which are commonly available for communication tasks (e.g., channel estimation [99], carrier recovery, and synchronization) and therefore suitable to probe the radio channel for CRKG. Differently with no modem support, the PLS-Box can acquire the received full frame (2020) 2020: 114 Page 7 of 24 and process it for CRKG. During this stage of the protocol, Eve can perform several attacks [100]. For example, in [74], a stalking attack is performed by Eve in proximity of Bob, obtaining successfully up to 97% of the CRKG key. In IoT scenarios, Eve can be represented by a multitude of nodes (e.g., botnet), which can cooperate passively to wiretap the Alice-Bob link in multiple positions, even simultaneously at both ends.
Being part of the network, Eve is likely to be similar to Alice and Bob. Anyway, it can also have more powerful hardware, and with that, it can produce intentional interference, namely jamming [40,85]. The negative consequences of this attack could be unbalanced-reciprocity in Alice and Bob signals, or a forced repetition of the CRKG scheme, as sort of denial-of-service. This could be harmful, because Eve might attempt to trigger multiple CRKG sessions and crack the key. • Quantization: After gathering enough frames, the PLS-Box must transform signals into security keys. This is the crucial stage called quantization. It is of course a lossy operation. PLS key-based methods commonly use thresholding or level-crossing algorithms [79,101]. The ideal goals are: -Alice and Bob agree on the same key, regardless of additive white Gaussian noise (AWGN), interference, RF impairments and TDD delays, and Eve's attacks; -The quantized-generated key is random; -Quantization is fast and adaptive to radio channel conditions.
In this work, we propose a filter-bank processing as basis for quantization in Section 6.
• Reconciliation: Even though Alice and Bob experience the same channel, they may end up with different keys, as aforementioned. The reconciliation stage corrects these mismatching errors. For example, forward error correction (FEC) schemes, such as Bose Chaudhuri Hocquenghem (BCH) codes or Secure-Sketch [102,103] can be set to refine the quantized key and fix up to 20% of the bits [61]. Unfortunately, the reconciliation imposes an additional data exchange between Alice and Bob, and so, Eve can perform other attacks. It is worth reminding that reconciliation is a delicate stage, because the whole PLS CRKG scheme collapses if Alice and Bob do not match the generated key perfectly. Reconciliation is out of scope of this work. • Privacy amplification: Privacy amplification is usually included as the last stage in order to maximize the entropy of the reconciled key, thanks to one-way cryptography, such as hash functions. Amplification is out of scope of this work.
• Symmetric encryption: Once the Alice/Bob key is ready, any symmetric encryption scheme (e.g., AES) can provide confidentiality. It can be implemented by hardware or software, by the PLS-Box or externally. Figure 2 represent the first step towards a broad PLS implementation inside a wireless transceiver. In details, the PLS authentication methods might acquire unique RF fingerprints (i.e., signatures) from the transmission path, such as local oscillator (LO), mixer, and power amplifier (PA) blocks. Instead, the key-less PLS might operate digitally beyond the ADC, as part of the channel coding.

PLS-Box implementation issues
On the other hand, the key-based PLS works on the data obtained from the receiver path. Considering practical implementation, it is not defined yet at which section would be better to operate: ideally, the best option is the modem-aided way, where the PLS-Box has at disposal the full received frame at baseband, with RF impairments compensated and the data payload decoded. On the other hand, in a blind way, a possible solution is to perform only down-conversion and sampling on the received signals, without any intent of data demodulation or decoding.
In the end, the compensation of RF impairments remains a big open issue, because they represent, in fact, the constraints to Alice-Bob reciprocity and key matching. For instance, a base station (BS) has better equipment than any user equipment (UE) (e.g., number of antennas, better LNA, and better ADC). The differences in RF transceivers are hence reflected in signal imperfections, asymmetrically. The same frame in UL and in DL is differently influenced by the diverse RF hardware [104], even in TDD systems, although the radio channel has not changed at all.
We list here several hardware non-idealities that should be taken into account for PLS CRKG realistic results: • PA distortion: Caused by the non-linearities present in the transmission PA [105][106][107]. The distortion consequences are represented by the growth of undesired harmonics (out-of-band and in-band), named inter-modulation effects; • ADC non-idealities: ADC imperfections, such as clipping, bias, and jitter, may negatively contribute to alter synchronization and sampling between Alice and Bob [105,107]; • Noise: AWGN thermal noise power level can differ between Alice and Bob, due to different receiver temperatures and different hardware.
In conclusion, there are several open issues: where to allocate the PLS blocks along the RF chain, whether to trust or not the baseband modem, and how to account for the impact of non-reciprocal hardware impairments.

Time-frequency CRKG
Regarding the channel probing and the quantization stages of the CRKG protocol, we introduce here the considerations which lead to the idea of the filter-bank. Table 1 shows important radio channel parameters for a time and frequency analysis, as explained in the following.

Time-domain
Wireless links are often quasi-static. Channel fluctuations in time (i.e., time-selectivity) in communications are a secondary issue in many scenarios, such as home, office, shopping mall, restaurants, and city center. To assess such channel time variations, the well-known coherence time T coh [110,111] is used to describe a time window where two channel realizations (i.e., frames) are correlated along time. In reality, apart from high-speed trains, satellite, or flying objects, T coh ranges from 1 ms up to 250 ms. With reference to Table 1, the T coh is inversely proportional to the Doppler spread (ν DPS ), which is the dispersion metric that accounts for the frequency shifts in the communication bandwidth, due to the mobility of terminals. We define t p as the PLS-Box probing time, defined as the time interval between two received frames (Fig. 3). T coh can be many orders of magnitude larger than the channel probing interval t p , depending on the PHY specifications. This means that Alice and Bob are likely to sound the channel in a reciprocal way before it changes irreversibly and so extract the same key. With this in mind, it is possible to make important considerations on the limits of RSSIbased CRKG. Generally, at the baseband, a narrowband radio channel is modeled as a complex Gaussian stochastic process (with Rayleigh amplitude and uniform phase distribution), representing a model for NLOS small-scale fading. Given the received signal envelope and a threshold set for its level crossing, the well-known level-crossing ratio (LCR) and the average fade duration (AFD) are expressed by the following Eqs. (1 ,2), as fading parameters: where f D is the maximum Doppler shift and ρ is the ratio between the LCR threshold and the root-mean-squared level of the signal envelope [110]. The ideal situation is given by the scenario where the channel fading has large LCR and short AFD, meaning, respectively, that the keys are likely to have 0s and 1s uniformly distributed (i.e., no long consecutive sequence of 0s or 1s). According to the above equations, this can be achieved by increasing the parameter f D . This can be experienced only with fast moving terminals (or at very high carrier frequency), as confirmed experimentally by [44]. f D is not a design parameter, and, essentially, it limits the RSSI methods. The same conclusions are supported by [112], where the RSSI CRKG upper bound is computed with Nakagami fading. For an extension of the above equations with non-Rayleigh fading see [113,114]. For sake of brevity, we focus in the following on our novel filter-bank approach which is by-design independent on the kind of fading. It is worth stressing that Rayleigh-fading assumption across literature [100] might not be found in real systems, where the radio channel statistics are usually not known, must be estimated and are likely to be ruled by Rice-fading (e.g., in indoor environments). As well as for communications, it is worth recommending realistic channel models as shown in [115].

Frequency-domain
Differently from time-domain variations, the channel multipath is instead nearly always present, independently from terminal movements. In some situations, such as pointto-point links, strong LOS, beamforming-based, or narrowband signals, the multipath components (MPC) may not be noticeable. However, in most cases, particularly with broadband communications, the channel multipath can be used for the generation of keys (i.e., CSI-based CRKG). Depending on the antennas, a received signal is generally composed by a multitude of attenuated and delayed replicas of the transmitted signal, because of the propagation interactions among the emitted electromagnetic radio waves and the surrounding environment (e.g., buildings or walls). The channel distortion (i.e., frequency selectivity) can be exploited for our CRKG purposes, considering to have enough bandwidth to resolve the multipath components. This is why we deem the multipath as a more reliable feature of the wireless communications for PLS, rather than fading. In other words, the multipath can be considered a signature of the channel, dependent on the environment, the antennas, and the terminal positions.
Similarly to the previous consideration on T coh , the well-known coherence bandwidth B coh (see Table 1) [110], describes the bandwidth at which two frequencies are likely to be correlated. It ranges from tens of kHz up to hundreds of MHz, depending on antennas, propagation scenario (i.e., urban, suburban, and rural) and carrier frequency, and it is inversely proportional to the delay spread τ DS . Then, we define f p as the frequency interval at which the PLS-Box samples the bandwidth of the received signal (see Fig. 4).
There are already evidence confirming that the frequency domain offers superior performance and more flexibility for PLS: in [42], a key generation of 90 bits per packet is obtained between Alice and Bob, with only 5 ∼ 10% of key mismatch, whereas, approximately, only tens of bit per second are generated via RSSI methods.

PLS-Box filter-bank model
A combined time-frequency analysis benefits from multipath and mobility to harvest entropy for CRKG. The validity of this approach is additionally confirmed by how efficiently the radio resources are commonly scheduled in a time-frequency grid (e.g., time slots and sub-carriers) in actual wireless networks (e.g., LTE, 5 G). Considering a general model for the filter-bank, the starting point is represented by the following: where x is the transmitted signal, n is the AWGN component, h is the baseband radio channel transfer function, y is the received signal, and * denotes the convolution operator. The channel h can be characterized by a time-variant complex impulse response [61,116]: where N p is the number of multipath components (MPC), the set of [α, φ, τ ] are, respectively, the random amplitude, phase, and propagation delay and δ(t) is the Dirac delta function. Alternatively, Eq. (4) can be rewritten with an explicit time-frequency representation of the channel: whose parameters are summarized in Table 1. The function S(τ , ν) is the delay-Doppler spread function [117,118]. This describes how the energy transmitted is dispersed in delays (τ ) and Doppler (ν) shifts through the channel, which is, in fact, the unpredictable chaotic nature of the radio channel.
In our PLS context, the signal x(t) is the transmitted frame by Alice to Bob and vice versa, as sketched in Fig. 3 (we assume h AB = h BA ). In practice, the PHY characteristics of the signal are constant in a short term, but the content of the frame (e.g., payload) might change. Alice and Bob are primarily communicating and not sounding the radio channel. So, in a modem-aided CRKG, we can assume that the PLS-Box has perfect knowledge of x(t), being capable to detect, demodulate, and decode y(t). In a blind CRKG, the PLS-Box operates on y(t) with limited knowledge of x(t). For example, the box knows only when a frame starts and ends or which bandwidth is used. In the following, we assume a blind CRKG with x(t) as a δ(t) of Dirac, negligible AWGN noise n(t) and y(t) available at baseband.
Then, we define a filter-bank block Fb as a set of M filters which process N received frames, sampled at intervals f p and t p , respectively. The goal is to project the received frame y over M parallel filters in the frequency domain, providing at the end M·N outputs to the quantization stage of CRKG. This not only increases the key generation rate, but also adds more degrees of freedom to the key generation. Figure 4 depicts the filter-bank outputs, represented by the matrix C in a timefrequency plane, derived according to the following equations: (1,1) . . . C (1,N) . . . . . . . . .
where n is the frame index, 1 ≤ n ≤ N, m is the filter index within the filter bank, 1 ≤ m ≤ M, 1/γ is an arbitrary normalization factor, and Fb m (t) is the impulse response of the mth filter. The functional Quant(·) in Eq. (7) represents the quantization process, which can be done in different manners [31], and is out of the scope of the work. In other words, the received signal y(t) is filtered by different band-pass filters, such that the filter outputs C(m, n) reflect an estimate of the magnitude of the channel frequency response h(t). According to the data processing inequality theorem, the filter-bank can only obtain equal or minor entropy with respect to what is initially available from the radio channel. However, in principle, by observing the radio channel both in time and in frequency, we can operate over two dimensions, and so extracting more entropy, rather than by means of solely temporal fading, e.g. RSSI-based CRKG. The filters can be a uniform grid of finite-impulse response (FIR) filters, but they can be also implemented using fast Fourier transform (FFT) or even wavelet transform. The big advantage of the proposed filtering approach is flexibility, as shown in Section 7. It works with any chosen communication waveform, as long as t p and f p are given. It allows us to choose both M, N, depending if the received frames are correlated in time, i.e., T coh is larger than t p , or in frequency, i.e., B coh is larger than the f p , (see Table 1). Depending on the channel conditions, an additional step of whitening [119] may be performed on the filter-bank outputs C in order to remove time-frequency correlations among filters.
In the end, the time-frequency filter-bank key generation comes with some challenges. It is necessary to have enough bandwidth to capture the multipath. For example, LoRa [120] or Bluetooth [43] are too narrowband, whereas in 5 G, WiFi or UWB [121], the available bandwidth ranges from tens to hundreds of MHz, enabling the frequencydomain filter-bank (e.g., 5 G has 800 MHz of maximum available bandwidth [122]). This positive trend is also supported by current research on mm-wave [123,124] and THz bands [22,125], pushing for Gbps data rate.

Example of filter-bank input-output correlation
To demonstrate the potential of the filter-bank, we performed a simple simulation.
Thanks to the property of the channel model QuaDRiGa (QUAsi Deterministic RadIo channel GenerAtor version 2.2.0) [126], we investigate the performance of the filter-bank CRKG in the urban 3GPP TR38.901 UMi [127] scenario. A micro base-station (Alice) is located at a 10-m height, in the middle of an ideal circular cell of 500 m 2 . It serves 100 UEs (i.e., Bobs) randomly dropped in the area, with 50% indoor probability and uniformly distributed, with 0.5 to 3 m of height. For each UE (Bob), an eavesdropper UE (Eve) is located at 1 m of distance along a random direction on the horizontal plane. The frequency carrier is set to 2 GHz, all the UEs are static, and, for the sake of simplicity, the radio channel is assumed perfectly reciprocal, noiseless, and interference free. Therefore, the simulation is not meant to be representative of all scenarios, but to provide preliminary hints of the filter-bank potential. As shown in Table 2, the Pearson coefficients are calculated on inputs-outputs of the Fb in order to evaluate the correlation between Bob and Eve. The simulation includes 6 different bandwidths and 2 different filter-bank settings with M=32 and M=512 filters.
Ideally, the Pearson coefficient between Bob and Eve should be 0.0, showing a perfect isolation between Alice/Bob and Eve. As confirmed also experimental work by [61], in reality, the correlation might vary significantly due to the radio channel. However, several results are interesting: • Firstly, before the filter-bank, the Pearson coefficients computed on the received signal in time, i.e., y(t), are higher than the same signal in frequency, i.e., Y (f ) = FFT(y(t)) (see columns 2 and 3 in Table 2). • Secondly, with larger bandwidth, more multipath components can be resolved by the filter-bank. So, correlation is decreasing proportionally with bandwidth (along rows in table). The propagation differences are more pronounced between Bob and Eve. • Thirdly, after the filter-bank (see columns 4 and 5 in table), the correlation on C is less than before the filter-bank (see columns 2 and 3 in table) on y or Y.
• Finally, after the filter-bank, it is evident that with M =512 (column 5 in table), the filter-bank C is less correlated with respect to M =32 (column 4 in table). Because the frequency-domain resolution is increased (i.e., f p is smaller), Bob and Eve differences can be easier spotted out.

PLS-Box filter-bank examples
In the following, two examples of PLS-Box CRKG are given: a OFDM example, compliant to actual system as 5 G or WiFi [128] (Fig. 5), and an UWB example, as an emerging technology for indoor localization [129] (Fig. 6). Both examples follow the general diagram depicted by Fig. 3, but differentiating between a case of modem-aided PLS-Box and a case of blind PLS-Box, respectively

Modem-aided filter-bank
PLS in OFDM systems is not new, as shown by [99,[130][131][132][133][134]. All the essential structures for our time-frequency CRKG processing are ready: RF impairments are compensated [106], radio channel is estimated [99,135], and the bandwidth spans from tens to hundreds of MHz.
In this example, the filter-bank is directly implemented via FFT/IFFT, inside the PHY OFDM modem. Ideally, all the sub-carriers should be used to sound the channel at once, over the full bandwidth. In practice, the PLS-Box might use the CSI collected from the sub-carrier pilots for key generation, according to the pilot allocation of the OFDM system. In terms of signal acquisition for PLS, this solution is somehow equivalent to well-known channel sounding technique based on Vector-Network-Analyzer (VNA) [136].
Assuming independent sub-carriers and 1 bit quantization for each sub-carrier, the resulting key generation rate is increased by a factor proportional to the FFT size, e.g., in the range of 64-6400, with respect to RSSI schemes. Approximately, considering 15 KHz as sub-carrier spacing and 100 MHz of bandwidth, at least 6666 sub-carriers/-bands are available for the filter-bank, for example. Of course, dedicating radio resources to PLS-Box security reduces the communication performance. However, the pilot tones and the preamble are already part of the OFDM PHY, so in principle, the PLS-Box is only re-using information available in the modem, with negligible overhead.
In terms of security, the proposed OFDM CRKG solution is even supported by the literature [42]. In [137], Eve attacks Alice/Bob introducing controlled movements of an object in a static indoor environment, causing intentionally predictable changes in Alice/Bob received power, (i.e., LOS/NLOS switching). So dictating the RSSI oscillations, the key generated has predictable periodic bit sequences. Then, [42] proposes a PLS scheme in a OFDM systems against such channel attack, showing that the LOS/NLOS strikes are not present in all the OFDM sub-carriers, and so, a high-entropy key can be anyway extracted, thanks to frequency diversity.
Moreover, assuming that complex CSI is attainable at OFDM PHY and reciprocal [138][139][140], the CSI phase domain represent a CRKG opportunity to be further explored for several reasons. In line-of-sight (LOS)-dominant scenario, the channel is flat (i.e., non-selective) inhibiting the filter-bank method. Therefore, the channel phases represent the last resort to harvest entropy. In fact, as shown in [141] by means of ray-tracing Eve's attack, the CSI phases cannot be predicted accurately as good as the CSI magnitude. In addition, analyzing the signal phases over multi-antenna ports allows to estimate angle-of-arrival (AoA) spectrum (e.g., using MUltiple SIgnal Classification (MUSIC) algorithms), opening the opportunity to use also the angle domain for PLS [142]. In the end, taking into account the aforementioned RF impairments and practical non-reciprocity issues, it is not completely clear if the CSI phase is an effective reliable parameter for practical CRKG. Actually, there is no sufficient evidence in literature to be confident that phase CRKG could work in practical systems. Moreover, radio channel phase estimation is definitively more challenging rather than RSSI or scalar CSI. Further research is necessary.

Blind filter-bank
UWB systems perform indoor localization and communication, in line with IEEE 802.15.4 [143][144][145][146]. Several works [147][148][149][150][151] have already performed investigations on PLS in UWB systems: [152] obtains a key generation rate of 18 bps and [41] shows that Eve correlation can reach 50%. However, to our knowledge, no investigation has been published so far regarding a time-frequency approach for UWB PLS key generation, such as the filterbank here presented. In order to do so, we can in fact take advantage of the natural GH span of bandwidth of the UWB waveform [121]. We assume to have a blind PLS-Box which is filtering the received UWB frame, independently from the UWB modem. The processing is described as shown in Fig. 6: a (2020) 2020: 114 Page 17 of 24 localization anchor of the UWB system placed in a corner of an office scenario is communicating with a portable device. The goal is to locate the position of the device in the room. Even though the UWB link range is a few meters and LOS, the frequency selectivity is expected to be significant, thanks to the impulsive nature of the UWB waveform.
In terms of signal acquisition, this solution is indeed equivalent to well-known channel sounding technique [153]. Moreover, there is an interesting synergy between UWB and PLS [154]. The localization information about the terminal positions (attained by the UWB system) represents a threat for the PLS schemes, due to ray-tracing attacks [155]. This means that if the UWB modem is compromised, the positions of Alice and Bob might be spoiled. Then, Eve might simulate correctly the radio channel and try to predict the CRKG key. For example, in [141], a ray-tracing attack is investigated in a common office scenario at 2.4 and 5 GHz: the mean absolute error is less than 2 dB, between the narrowband received power predicted by the ray tracing and the measurements (i.e., comparable to real-life case). It is hard to forecast the impact of this attack on real mobile wideband system. With the increasing trend of environment digitization and virtual/augmented reality, indoor/outdoor digital maps be easily available online. Furthermore, with increasing computational power of devices, the time required for a complete ray-tracing simulation may be in the same order of magnitude as that of CRKG protocol (i.e., msec). Further research is necessary.

PLS-Box CRKG optimization
Recalling all the previous sections, the PLS-Box performance can be optimized in time and frequency and throughout the CRKG protocol. The optimization parameters are collected in Table 3.
• kT is the key generation time required for CRKG. Ideally, an exchange of frames (or packets) would be the minimum number: one for authentication, one for channel probing and one for reconciliation. In literature, kT is in the order of tens/hundreds of milliseconds, depending on the channel conditions; • kS is the size of the final key, in number of bits (i.e., 128 bit). The key size can be shortened after reconciliation, discarding erroneous bits, and even more, after privacy amplification to maximize its randomness [61]; • kR = kS/kT is the key generation rate, in terms of bps or, alternatively, bits-per-frame. For example, in [44], a kS = 256 bit key is obtained in kT = 5 s of CRKG, achieving a rate kR = 51 bps. Generally, in literature kR = 10 ∼ 100. • kM is the key generation mismatch, indicating the number of bits which are not corresponding at Alice and Bob sides. It is equivalently to the bit-error-rate for communications. Generally, in literature kM = 2 ∼ 20%. • kL is the key leakage to Eve, expressing how capable Eve is to wiretap Alice and Bob. It can given directly by the number of key bits sniffed correctly or can be characterized by the mutual information among Alice, Bob, and Eve [61].
• kH is the key entropy. In literature, the quality of the key is usually addressed by means of the National Institute of Standards and Technology (NIST) tests, specifically tackling randomness [156] and entropy [157]. It is worth noticing that not all NIST randomness tests are suitable for short keys. For example, the FFT test seems to be unreliable [99,158]. Even flaws in the NIST entropy estimators have been debated [159,160], leaving the entropy estimation an open issue [61].
• kC is the key generation energy consumption. Equivalently in communications, the energy efficiency of CRKG can be computed as kS/kC in terms of bit/J. It is naturally hardware-dependent and useful to benchmark CRKG schemes versus conventional cryptography methods [44]. For instance, a comparison of energy consumption by [61], shows that the RSSI scheme proposed in [137] consumes 2.4 mJ versus the 101.2 mJ of ECC-DHE, implementing both algorithms in an ARM Cortex M3 processor. These are very good results, but further energy consumption comparisons are necessary to outline the advantages of PLS in practical systems.
In conclusion, the optimization of PLS-Box faces a trade-off in the CRKG: kM and kL must be minimized, that is minimum key mismatching errors and Eve's leakage; but kS and kH must be maximized, that is long keys with high entropy. The problem is that Alice and Bob have no knowledge about Eve and cannot communicating anything clear-text over the the radio channel. Moreover, their PLS-Boxes are not likely to be able to jointly cooperate to optimize the CRKG filter-bank.
However, we envision that machine learning algorithms can be utilized for this task [161][162][163], in order to handle the variations of the radio channel and the key quality.
For example, in case of classification of the radio channel LOS and time-invariant, the entropy is very limited. So, the PLS-Box might adaptively reduce the filter-bank number of filters entropy (i.e., LOS and time-invariant), the PLS-Box might adaptively drive the filter-bank reducing the number of filters to limit the correlation in the key bits, or fall back to RSSI-methods, or even use the phase information. Eventually, it might notify the upper layers about the inconvenient channel conditions at PHY, advising to rely on conventional schemes for key generation. This cross-layer feedback needs further investigation.

Conclusions and future work
After an initial overview of the security landscape of today, we have outlined the motivations of Physical-Layer Security, providing a summary of the state of the art of this promising field. In this regard, we have presented the PLS-Box as a new flexible paradigm towards an effective PLS implementation. We have discussed the open issues and challenges of this concept, such as RF impairments, accessibility to the PHY baseband modem, and attacker capabilities. In details, we have focused on channel-reciprocitykey-generation, presenting a novel strategy for time-frequency key-generation, based on