Suppose that two terminals, used by User A and User B, communicate with each other on the same frequency in a wireless environment. These two terminals are able to apply training sequences in their transmissions to estimate a channel impulse response (CIR) of their reciprocal wireless channel. A wireless channel is modeled by a collection of discrete pulses with different scales and delays. Each pulse represents a single-path fading channel, preferably Rayleigh or Rician fading. Mathematically, the wireless channel is modeled as follows:
                                          a            ⁡                          (              t              )                                =                                    ∑                              l                =                1                            L                        ⁢                                          α                l                            ⁢                              δ                ⁡                                  (                                      t                    -                                          τ                      l                                                        )                                                                    ,                            Equation        ⁢                                  ⁢                  (          1          )                    where Lε[1,+∞) and αl, τl represent amplitude and delay of the lth path in the wireless L-path fading channel. In the Rayleigh fading channel, the amplitudes α1, . . . , αL are zero-mean complex Gaussian random variables.
The CIR of a wireless channel can be written as follows:h(t)=p(t)*a(t),  Equation (2)where p(t) is the “pulse shape” resulting from the pre-determined band-limited transmitter and receiver filters. By putting Equation (1) into Equation (2),
                                          h            ⁡                          (              t              )                                =                                    ∑                              l                =                1                            L                        ⁢                                          α                l                            ⁢                              p                ⁡                                  (                                      t                    -                                          τ                      l                                                        )                                                                    ,                            Equation        ⁢                                  ⁢                  (          3          )                    which implies that the CIR is the superimposition of multiple delayed and scaled copies of the pulse shape p(t).
User A and User B respectively observe a sampled noisy version of the CIR h(t). Their observations may be written as follows:hA[n]=CAh(nTS−τA)+ZA[nTS],and  Equation (4)hB[n]=CBh(nTS−τB)+ZB[nTS],  Equation (5)where TS is the sample interval, which is assumed to be the same at both terminals and τA and τB are the sampling time offsets associated with each receiver. The sample interval TS should be large enough (at least larger than the coherence time interval) to guarantee the independence of two successive observations.
Hence, the sampling time difference between the two terminals is |τA−τB|. Values CA and CB are complex constants, reflecting different amplification and phase offset associated with each receiver. It is assumed that CA=CB=1 for simplicity. Values ZA[nTS] and ZB [nTS] are independent additive Gaussian noise sequences.
Since User A and User B's observations hA[n] and hB[n] are based on their reciprocal wireless channel, h(t), they are correlated with each other. On the other hand, a third terminal, used by User C and located in a geographically different place from User A and User B more than a wavelength away, possesses no relevant information on the channel.
Based on their correlated channel observations, User A and User B wish to generate a common secret key. In generating such a secret key, they can communicate over an error-free authenticated wireless channel. The generated secret key should be concealed from a potential eavesdropper, who may observe the transmissions on the public channel. In particular, the generated secret key is required to be nearly “statistically independent” of the public transmissions.
Let Xn=(X1, . . . , Xn) and Yn=(Y1 . . . , Yn) be n independent and identically distributed repetitions of the correlated random variables X and Y. User A and User B respectively observe the sequences Xn and Yn. Furthermore, User A and User B can communicate with each other over an error-free wireless channel, possibly interactively in many rounds. Let V denote all the transmissions on the wireless channel. After the transmissions, User A generates a bit string SA, based on (Xn,V), and User B generates a bit string SB, based on (Yn, V). A bit string S constitutes a secret key if the following conditions are satisfied.Pr(S=SA=SB)≈1;  Equation (6)I(S;V)≈0; and  Equation (7)H(S)≈|S|,  Equation (8)where |S| denotes the length of the bit string S, I(S;V) denotes the mutual information between S and V, and H(S) denotes the entropy of S. The first condition above means that User A and User B generate almost the same secret key, the second condition means that this secret key is nearly statistically independent of User C's information, (i.e., the transmissions V on the wireless channel), and the third condition means that this secret key is nearly uniformly distributed. Hence, this secret key is effectively concealed from User C. Here, the eavesdropper, User C, is passive, (i.e., unable to tamper with the transmissions V on the public channel).
The (entropy) rate of a secret key, H(S)/n, is called a secret key rate. The largest secret key rate is called the secret key capacity, denoted by CS. The concept of secret key capacity indicates the length of the longest secret key that can be generated by User A and User B, based on their observations Xn and Yn. The secret key capacity for the model above is as follows:CS=I(X;Y).  Equation (9)It is known that in certain scenarios, such as those described here, the secret key capacity can be achieved by a single transmission from User A to User B, or vice versa.
Suppose that the wireless channel between User A and User B is an L-path fading channel with average path power (p1, . . . , pL). Suppose that the average power of the additive white Gaussian noise (AWGN) on the wireless channel is N. Hence, the mutual information between User A and User B's CIR observations on the lth path is given by:
                              I          l                =                              log            ⁡                          (                              1                +                                                                            p                      l                                        N                                                        2                    +                                          N                                              p                        l                                                                                                        )                                .                                    Equation        ⁢                                  ⁢                  (          10          )                    
By the union bound, the mutual information between User A and User B's overall CIR observations is upper bounded by
      ∑          l      =      1        L    ⁢            I      l        .  This is actually the upper bound on the secret key rate that can be achieved by User A and User B.
When the first path in an L-path fading channel is set as a reference path, the relative average path power of this channel can be written as ( p1, . . . , pL), with
            p      _        l    =                    p        l                    p        1              .  Then, the secret key rate is upper bounded by:
                                          ∑                          l              =              1                        L                    ⁢                      log            (                          1              +                                                SNR                  ·                                                            p                      _                                        l                                                                    2                  +                                      1                                          SNR                      ·                                                                        p                          _                                                l                                                                                                                  )                          ,                            Equation        ⁢                                  ⁢                  (          11          )                    where the
  SNR  =            p      1        N  is defined for the reference path.
For uses in cryptographic applications, it is desirable to generate full entropy strings (independent bits with Pr(0)=Pr(1)=½). Therefore, it is desirable to remove the correlation among the samples. For a single-path channel, this can be done by simply selecting one sample, (e.g., the one with the largest value), from all the samples. However, for multipath channels, just several samples, (one sample per path), cannot be selected from all the samples, as those selected samples will be correlated with each other. Hence, how to remove the correlation among samples is a significant challenge.
Another practical problem comes from the sampling time difference at two terminals. Sampling the same CIR with different sampling time offsets may lead to totally uncorrelated samples. This problem can be lessened with increased sampling rate. However, increasing the sampling rate has a disadvantage of generating highly redundant samples. Therefore, instead of merely increasing the sampling rate, it would be desirable to align the sampling time at both terminals, which may involve the estimation of the sampling time difference. Other practical problems include an SNR difference at two terminals and DC offsets, (i.e., non-zero mean random variables).