Secure communication between various devices is becoming ever more important in an increasingly interconnected world, and in many applications represents an essential requirement for the acceptance, and thus also for the commercial success, of the applications in question. Depending on the application, this includes various protection objectives, such as protecting the confidentiality of the data to be transmitted, mutual authentication of the participating nodes, or ensuring data integrity.
To achieve these protection objectives, suitable cryptographic methods are typically used, which in general may be divided into two categories: symmetrical methods, in which the sender and the receiver have the same cryptographic key, and asymmetrical methods, in which the sender encrypts the data to be transmitted with the public key of the receiver (which may also be known to a potential attacker), while decryption can take place only with the associated private key, which ideally is known only by the receiver.
Asymmetrical methods have the disadvantage, among other things, that they generally have a very high level of computational complexity. Therefore, they are not very suitable for resource-limited nodes, such as sensors, actuators, or the like, which usually have only relatively low computing power and small memory capacity, and which are intended to operate in an energy-efficient manner, for example based on battery operation or the use of energy harvesting. In addition, frequently only a limited bandwidth is available for data transmission, which makes the exchange of asymmetrical keys having lengths of 2048 bits, or even more, unattractive.
In contrast, in symmetrical methods it must be ensured that both the receiver and the sender have the same key. The associated key management generally represents a very challenging task. In the area of mobile communication, keys are introduced into a mobile telephone with the aid of SIM cards, for example, and the associated network may then associate the corresponding key with the unique identifier of a SIM card. In contrast, in the case of wireless LANs, the key to be used is usually entered manually (generally by entering a password) in the configuration of a network. However, such key management quickly becomes very complicated and impracticable when a very large number of nodes is present, for example in a sensor network or other machine-to-machine communication systems. In addition, changing the key to be used, if possible at all, often requires a great deal of effort.
For this reason, for quite some time new approaches under the heading of “physical layer security” have been investigated and developed, with the aid of which keys for symmetrical methods may be automatically generated based on the transmission channels between the involved nodes. The ascertainment of random numbers or pseudorandom numbers from channel parameters is discussed in WO 1996/023376 A2, for example, and the generation of secret keys from channel parameters is discussed in WO 2006/081122 A2 and DE 10 2012 215326 A1. Pilot signal sequences (which may be known on both sides) generally are initially transmitted from the first node to the second node, and pilot signal sequences are then transmitted from the second node to the first node. The particular receiver may estimate channel properties from the received pilot signal sequences, and on this basis may derive suitable parameters for generating a key. An important step is the so-called quantization, i.e., the derivation of a digital bit sequence from the estimated channel properties.
Likewise, various algorithms for quantization and protocols for key and secret reconciliation (information reconciliation) between the users have already been provided. Known quantization methods are usually based on one or multiple thresholds which may be defined based on the distribution of the obtained measured values. A quantized value is associated with a measured value, depending on which side of the threshold the measured value lies. The quantization generally takes place independently on both sides (in both users) with identical quantization methods (and identical thresholds). In practice, the resulting sequence is generally not identical for the users due to measuring inaccuracies and fluctuations in the channel properties, for which reason a reconciliation of the ascertained secret information is advantageous. This reconciliation is based essentially on the exchange of information which allows as few conclusions as possible to be drawn concerning the actual cryptographic key or the actual secret between the users.
For example, the CASCADE protocol, described among others in the publication by Brassard, Salvail: “Secret-Key Reconciliation by Public Discussion,” Advances in Cryptology, 1994, as well as error correction codes, described among others in the publication by Y. Dodis, R. Ostrovsky, L. Reyzin, A. Smith: “Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data,” Advances in Cryptology—EUROCRYPT 2004, Lecture Notes in Computer Science, Volume 3027, 2004, pp. 523-540, may be used for such a reconciliation. The parity bits exchanged during such a reconciliation reveal information with which an attacker may deduce portions of the secret key. The secret key thus loses quality and entropy. In the case of a “brute-force” attack, the attacker does not have to test as many combinations, since he/she already knows portions of the key. To keep the quantity of exchanged information low, it may be important to use robust quantization methods. The more robust the quantization method, the fewer portions of a secret (generally bits of a particular created bit sequence) are different between the users, and the fewer pieces of information have to be exchanged between the users during a reconciliation of the secret.
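The effect described in the two paragraphs above, as an added illustration (not code from the cited publications or from this document): both sides quantize constructed sample measurements against a median threshold and then run one block-parity pass with bisection, a simplified stand-in for the first pass of a CASCADE-style protocol. The sample values, the block size of 4 and all function names are assumptions; each parity that Alice publishes gives an eavesdropper at most one bit of information about her sequence.

```python
from statistics import median

# Constructed sample data: 16 channel measurements (RSSI-like, dBm) per side.
ALICE = [-61.0, -72.5, -58.2, -66.1, -80.3, -55.4, -66.9, -74.0,
         -59.8, -67.3, -63.5, -70.2, -52.1, -66.6, -77.7, -60.4]
BOB = [-61.4, -72.1, -58.0, -66.8, -80.0, -55.9, -66.2, -74.3,
       -59.5, -67.0, -63.9, -70.6, -52.4, -66.4, -77.2, -60.1]

def quantize(samples):
    """Single-threshold quantizer: 1 above the median of the samples, else 0."""
    threshold = median(samples)
    return [1 if s > threshold else 0 for s in samples]

def parity(bits, lo, hi):
    """Parity of bits[lo:hi]."""
    return sum(bits[lo:hi]) % 2

def reconcile_pass(alice, bob, block):
    """One block-parity pass with bisection (assumed simplification).
    Returns (Bob's corrected bits, number of parities Alice disclosed)."""
    bob, leaked = list(bob), 0
    for start in range(0, len(alice), block):
        lo, hi = start, min(start + block, len(alice))
        leaked += 1                       # Alice publishes the block parity
        if parity(alice, lo, hi) == parity(bob, lo, hi):
            continue                      # zero or an even number of errors
        while hi - lo > 1:                # bisect towards one wrong bit
            mid = (lo + hi) // 2
            leaked += 1                   # one more public parity per step
            if parity(alice, lo, mid) != parity(bob, lo, mid):
                hi = mid
            else:
                lo = mid
        bob[lo] ^= 1                      # Bob flips the located bit
    return bob, leaked

def demo():
    """(mismatches before, sequences equal after, parities disclosed)."""
    a, b = quantize(ALICE), quantize(BOB)
    mismatches = sum(x != y for x, y in zip(a, b))
    fixed, leaked = reconcile_pass(a, b, block=4)
    return mismatches, fixed == a, leaked
```

On this data, two mismatched bits near the threshold cost 8 public parities for a 16-bit sequence, whereas identical sequences would cost only the 4 block parities.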
A quantization method is described in Wallace: “Secure Physical Layer Key Generation Schemes: Performance and Information Theoretic Limits,” IEEE International Conference on Communications, 2009. Two different quantizers (or quantization methods) per party are used. One party determines, for each measured value of the channel, which of the two quantizers is better suited, i.e., for which the measured value is farther from the interval limit, and quantizes using this quantizer. The selection is communicated to the other party.
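A simplified sketch of the two-quantizer idea as summarized above, added here as an illustration and not taken from the cited paper: the second quantizer's interval limits are shifted by half an interval, Alice picks per measurement the quantizer with the larger distance to a limit, and Bob applies her public selection. The interval width, the half-interval offset, the 1-bit labelling by interval parity, the sample values and all names are assumptions.

```python
import math

W = 1.0  # assumed quantization interval width (normalized units)

# Constructed sample data: reciprocal channel measurements with small noise.
ALICE = [0.05, 0.48, 1.02, 1.51, 2.97, 3.55, 0.98, 2.49]
BOB = [-0.10, 0.60, 0.90, 1.38, 3.10, 3.70, 1.12, 2.35]

def cell(x, k):
    """Position of x in quantizer k, whose limits are shifted by k * W / 2."""
    return (x - k * W / 2) / W

def bit(x, k):
    """1-bit output of quantizer k: parity of the interval index."""
    return math.floor(cell(x, k)) % 2

def margin(x, k):
    """Distance from x to the nearest interval limit of quantizer k."""
    frac = cell(x, k) - math.floor(cell(x, k))
    return min(frac, 1 - frac) * W

def select(samples):
    """Per measurement, the quantizer (0 or 1) with the larger margin."""
    return [max((0, 1), key=lambda k: margin(x, k)) for x in samples]

def quantize(samples, selection):
    """Quantize each sample with the quantizer named in the selection list."""
    return [bit(x, k) for x, k in zip(samples, selection)]

def mismatches(a, b):
    return sum(x != y for x, y in zip(a, b))

def demo():
    """(mismatches with one quantizer, with selection, Alice's selection)."""
    fixed = [0] * len(ALICE)          # baseline: always quantizer 0
    single = mismatches(quantize(ALICE, fixed), quantize(BOB, fixed))
    sel = select(ALICE)               # Alice sends this list to Bob
    adaptive = mismatches(quantize(ALICE, sel), quantize(BOB, sel))
    return single, adaptive, sel
```

With the half-interval offset, the selected quantizer always leaves a margin of at least W/4, so measurement differences below that never flip a bit.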
Another quantization method is described in Shehadeh, Alfandi, Hogrefe: “On Improving the Robustness of Physical-layer Key Extraction Mechanisms against Delay and Mobility,” Wireless Communications and Mobile Computing Conference, 2012. The quantization of the complex-valued measured values takes place in each case on one of a number of predetermined constellation points, each of which is associated with a bit sequence. The association with constellation points is mapped by areas in the complex plane whose boundaries correspond to the above-mentioned thresholds. The deviation from the constellation point (but not the constellation point itself) is transmitted from one party to the other. This party then correspondingly changes its measured value. The transmission of the deviation does not allow a conclusion to be drawn concerning the constellation point itself (or thus, concerning the ascertained bit sequence).
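The deviation exchange described above, as an added illustration that is not code from the cited paper: Alice publishes only the offset of each complex measured value from its constellation point, and Bob shifts his own values by that offset before quantizing. The 4x4 square constellation with levels -3, -1, 1, 3 per axis, the Gray labels, the sample values and all names are assumptions.

```python
import math

GRAY = ["00", "01", "11", "10"]  # assumed 2-bit Gray label per axis level

# Constructed sample data: complex channel estimates on both sides.
ALICE = [0.1 + 0.9j, -1.9 - 2.2j, 2.1 + 0.05j, -0.1 + 3.0j]
BOB = [-0.15 + 1.1j, -2.2 - 1.9j, 1.8 - 0.1j, 0.1 + 2.8j]

def level(x):
    """Index 0..3 of the nearest axis level in {-3, -1, 1, 3}."""
    return min(3, max(0, math.floor((x + 4) / 2)))

def nearest(z):
    """Constellation point whose area of the complex plane contains z."""
    return complex(2 * level(z.real) - 3, 2 * level(z.imag) - 3)

def label(z):
    """4-bit sequence associated with the constellation point of z."""
    return GRAY[level(z.real)] + GRAY[level(z.imag)]

def deviations(samples):
    """Alice's public message: offset of each value from its point."""
    return [z - nearest(z) for z in samples]

def correct(samples, devs):
    """Bob shifts his own values by Alice's deviations before quantizing."""
    return [z - d for z, d in zip(samples, devs)]

def symbol_errors(a, b):
    return sum(label(x) != label(y) for x, y in zip(a, b))

def demo():
    """(symbol errors without exchange, with exchange, Bob's bit sequence)."""
    naive = symbol_errors(ALICE, BOB)
    shifted = correct(BOB, deviations(ALICE))
    key = "".join(label(z) for z in shifted)
    return naive, symbol_errors(ALICE, shifted), key
```

After the shift, Bob's value equals Alice's constellation point plus the difference between the two measurements, so in this layout the sequences agree whenever that difference stays below 1 on each axis.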