Shengjun Zhang, Liang Jin*, Yangming Lou, Zhou Zhong
National Digital Switching System Engineering & Technological Research Center, Zhengzhou 450002, China
Abstract: A novel secret key generation (SKG) method based on two-way randomness is proposed for the TDD-SISO system. The legitimate transceivers mutually transmit their own random signals via the reciprocal wireless channel, then the multiplication of the transmitted and received signals is used as common randomness to generate secret keys. In the quasi-static channel, the theoretical SKG rates (SKGRs) of the three SKG methods, namely wireless channel based, one-way randomness and two-way randomness, are derived and compared. Further, two practical SKG schemes based on two-way randomness, Scheme-1bit and Scheme-3bit, are completely designed and simulated. Generally, Scheme-1bit applies to low signal to noise ratio (SNR) scenarios and achieves 0.13~0.86 bit/$T_s$ SKGR and $10^{-2}$~$10^{-5}$ level secret key outage probability (SKOP), while Scheme-3bit fits high SNR situations and obtains 0.93~1.35 bit/$T_s$ SKGR and $10^{-3}$~$10^{-4}$ level SKOP. At last, the National Institute of Standards and Technology (NIST) test is conducted to evaluate the secret key randomness (SKRD), and the test results show that both of the proposed schemes have passed the test.
Keywords: secret key generation; physical layer security; information reconciliation; information theory
Wireless communication systems are vulnerable to eavesdropping because of the inherent broadcast nature of radio propagation. One of the most important security measures for wireless communication is the cryptography system, which draws on the security architecture of wired communication [1]. However, the critical issue is how to generate and distribute secret keys between legitimate users, Alice and Bob, without leaking any information to the adversary, Eve [2]. To cope with this problem, many approaches based on computational complexity, such as Diffie-Hellman key exchange, have been investigated. Because they implicitly assume that Eve is not capable of solving a certain computational problem in feasible time, it is not clear whether these methods will remain usable with the development of quantum computers [3]. On the contrary, secret key generation (SKG), which places no constraint on Eve’s ability, appears to be more credible from the perspective of information theory [4], [5].
In current studies, most SKG methods are designed based on the wireless channel, i.e. Alice and Bob mutually send public pilots and estimate the reciprocal channel, such as channel impulse response (CIR), channel frequency response (CFR) and received signal strength (RSS) [6]. Obviously, the SKG rates (SKGRs) of this kind of method come only from the randomness of the wireless channel. In terms of Shannon’s one-time-pad principle, perfect security is achieved when the key length is not less than the message length. Therefore, the SKGR is a crucial factor in approaching perfect security. However, in a time division duplex single input single output (TDD-SISO) system, both sides are equipped with a single antenna, so there is only one wireless channel that can be used to generate keys. Especially in the quasi-static channel, which exists in unchanging indoor environments and outdoor far-field scenarios with few scatterers, this single wireless channel changes extremely slowly, so the SKGR provided by the wireless channel is insufficient to meet practical demands.
Therefore, [7] proposed an SKG method to improve the SKGR for the quasi-static channel. Alice first sends a public pilot and then Bob acknowledges with a local random signal. Unlike the SKG methods that use the reciprocal wireless channel as common randomness, [7] utilized the received signal at Alice (which can be calculated at Bob using the local random signal and the estimated channel) to generate keys. Therefore, not only the wireless channel but also Bob’s local random signal (called one-way randomness) is contained in the common randomness, so it can obtain the one-way secure transmission rate to improve the SKGR.
Summarizing the above two kinds of SKG methods, the two-way exchange protocol is adopted, but two-way randomness has not been utilized yet. Inspired by [7], we propose a novel SKG method using two-way randomness to further increase the SKGR for the TDD-SISO system in the quasi-static channel. Compared with the existing SKG methods including [7], the advantages and contributions of this paper mainly include the following.
1) The proposed method acquires common randomness by designing a generation function which can completely avoid the channel estimation;
2) Two-way random signal rather than public pilot is sent in the proposed method, so it can obtain two-way secure transmission rate with a much greater SKGR promotion;
3) Two complete SKG schemes for different signal to noise ratio (SNR) are designed and both of them pass the national institute of standards and technology (NIST) test.
Adopting the two-way exchange protocol, we suppose Alice and Bob mutually transmit local random signals via the reciprocal wireless channel and use the multiplication of their own transmitted and received signals as common randomness to generate keys. Thus, not only the wireless channel but also Alice’s and Bob’s local random signals (called two-way randomness) are included in the proposed method, so it shows a higher SKGR compared with the wireless channel based and one-way randomness methods. In the quasi-static channel, the theoretical SKGRs of the above three methods are derived and compared. Simulated results confirm the correctness of the theoretical derivations and show the higher SKGR of the proposed method. Further, we design two practical SKG schemes based on two-way randomness, i.e. Scheme-1bit and Scheme-3bit, and evaluate SKGR, secret key outage probability (SKOP) and secret key’s randomness (SKRD).
As shown in figure 1, we consider a TDD-SISO system with three single antenna nodes. Alice and Bob are legitimate users expecting to generate secret keys in the presence of a passive eavesdropper Eve. $h_{AB}$, $h_{BA}$, $h_{AE}$ and $h_{BE}$ denote the channels from Alice to Bob, Bob to Alice, Alice to Eve and Bob to Eve, respectively.
In addition, Alice and Bob use the same carrier frequency to satisfy channel reciprocity
and Eve is far away from Alice and Bob, so the eavesdropping channels are independent of the legitimate channel owing to spatial decorrelation. Note that the above assumptions are only made to simplify the analyses. They can be easily extended to the correlation scenarios where all of the channels are drawn from a joint distribution.
Fig. 1. System model and SKG protocol.
Without loss of generality, we adopt the two-way exchange protocol in SKG methods. Alice first sends $x_A$ and then Bob acknowledges $x_B$, so the received signals at Alice, Bob and Eve are
where $w_A$, $w_B$, $w_{AE}$ and $w_{BE}$ are additive complex Gaussian white noise. For simplification, we assume all of them are independent and identically distributed (i.i.d.) random variables satisfying $w \sim \mathcal{CN}(0,1)$. The transmitted signals $x_A$ and $x_B$ are subject to the average power constraint
where $p_A$ and $p_B$ are the maximum average power of Alice and Bob, respectively.
In terms of [4] and [5], SKGR is expressed as the conditional mutual information among Alice, Bob and Eve. Therefore, in the above SKG model, the key issue is whether the transmitted signal is public or not, which can significantly affect SKGR.
According to the status of $x_A$ and $x_B$, three types of SKG methods are classified, i.e. wireless channel based (both $x_A$ and $x_B$ are public), one-way randomness ($x_A$ is public, $x_B$ is random) and two-way randomness (both $x_A$ and $x_B$ are random). In this section, the SKGRs of these three SKG methods are analyzed and compared from theoretical and practical respects.
3.1.1 Wireless channel based method (WC)
When $x_A$ and $x_B$ are public pilots, both Alice and Bob can perform channel estimation and further generate secret keys from the reciprocal wireless channel. Therefore, the SKGR of the WC method can be expressed as
Intuitively, the secret keys only come from the correlation of legitimate channels and the performance of the WC method only depends on the randomness of the wireless channel. This is not enough especially in the quasi-static channel ($h_{BA}$ and $h_{AB}$ are complex constants) which leads to
However, in a slow-fading wireless channel, the WC method can also provide a relatively low SKGR. In addition, it needs to estimate the reciprocal channel and can be easily integrated into the existing communication process. Therefore, many detailed schemes, such as RSS, CIR and CFR, have been designed and experimented [9].
3.1.2 One-way randomness method (OW)
To improve the SKGR especially in the quasi-static channel, [7] proposed an SKG method using the received signal. First, Alice sends the public pilot $x_A$ to Bob. Then, Bob performs channel estimation and acknowledges the local random signal $x_B$ to Alice. Therefore, the received signal at Alice can be considered as common randomness, because Bob can compute it using $x_B$ and the estimated channel. As a result, the SKGR of the OW method is
Obviously, $R_{ow}$ consists of two terms. The first term comes from the randomness of the wireless channel, which equals the SKGR of the WC method. The second term is less than or equal to the backward secure transmission which contains the randomness of $x_B$. Therefore, the SKGC of the OW method is
Especially, in the quasi-static channel, the first term equals zero, so the SKGC of the OW method equals to According to [10], when $x_B$ follows a complex Gaussian distribution, achieves the maximum value, so the SKGC of the OW method is
where log denotes base 2 logarithms, determinant operation, $H$ denotes conjugate and transpose operation.
In general, the SKGR of the OW method does not only depend on the randomness of the wireless channel. The randomness of $x_B$ yields the backward secure transmission rate, which provides a significant SKGR improvement.
3.1.3 Two-way randomness method (TW)
Furthermore, we treat both $x_A$ and $x_B$ as local random signals inspired by [7], so the SKGR of the TW method is
Similar to (7), $R_{tw}$ consists of four terms. The first term is still the SKGR of the WC method. The second and the third terms are upper bounded by the forward and backward secure transmission rates, i.e. respectively. The last term denotes the randomness of the transmitted signals, which always equals zero because both $x_A$ and $x_B$ are locally generated by Alice and Bob themselves. Therefore, the SKGC of the TW method is
Especially, in the quasi-static channel, (11) has a form similar to (9). When both $x_A$ and $x_B$ follow a complex Gaussian distribution, achieve the maximum values, so the SKGC of the TW method is
Comparing the above three methods, it is obvious that In summary, the WC method only depends on the natural randomness of the wireless channel, while the OW and TW methods introduce the randomness of transmitted signals, which leads to significant SKGR improvements.
For an SKG method, pre-processing is essential to obtain the common randomness from the perspective of practice, so one can get the practical SKGR when given the processing of Alice, Bob and Eve. Obviously, it is not reasonable to restrict what processing Eve may do, but it is clear that Eve always tends to generate the same keys as Alice and Bob. Thus processing similar to that of Alice and Bob should be a good option for Eve, because this could obtain similar randomness and further generate similar keys. In addition, Eve may do nothing and directly use the raw data to generate keys. In fact, Eve reduces practical SKGR through the similar processing to a larger extent than doing nothing. To analyze the effects of the different processing Eve adopts, we mainly consider the above mentioned special cases.
3.2.1 WC method
For the WC method, both $x_A$ and $x_B$ are public pilots and the reciprocal channel is used as common randomness, and this needs two-way channel estimation, i.e. both Alice and Bob perform channel estimation using the public transmitted signal. Meanwhile, Eve can also obtain the eavesdropping channels by channel estimation, so when Eve adopts the similar processing, the practical SKGR can be expressed as
On the other hand, if Eve does nothing and directly uses the raw data to generate keys, the corresponding SKGR is
Considering all the channels are quasi-static and independent, one can easily get that This shows the WC method is not feasible in the quasi-static channel.
3.2.2 OW method
For the OW method, $x_A$ is a public pilot and $x_B$ is a local random signal, then the received signal at Alice is used as common randomness [7]. Therefore, Eve may use the similar received signal to generate keys, and the SKGR is
Meanwhile, when Eve does nothing, the SKGR can be expressed as
For Eve, the information that contains $x_B$, namely $y_{EB}$, is the major factor in reducing SKGR, so there is
3.2.3 TW method
For the TW method, both $x_A$ and $x_B$ are local random signals, so there is no straightforward common randomness between Alice and Bob. Utilizing the condition of channel reciprocity, we design a public function with respect to the transmitted and received signals to generate the common randomness, i.e.
Meanwhile, Eve also uses the public function to perform the similar processing and gets so $g_A$ and $g_B$ can be used as the common randomness. When Eve adopts the similar processing, the SKGR is
In addition, when Eve does nothing, the SKGR is
Different from the above two SKG methods, the TW method leads to a new random variable. Thus if Eve does nothing, she would not obtain the similar distribution and value, so there
Through these two special cases, when Eve adopts different processing, the effects on the SKGR can be analyzed. On the other hand, the SKGRs of these three SKG methods can be compared from the practical perspective. Meanwhile, (22) also shows the practical scheme of the TW method.
According to Maurer’s summary, a complete SKG scheme includes four steps, i.e. common randomness, quantization, information reconciliation and privacy amplification [5], [11]-[13]. For the TW method, both $x_A$ and $x_B$ are local random signals, so the key problem is how to generate the common randomness. In addition, the other three steps can be realized through the existing mechanisms and algorithms.
In practice, Eve may obtain the defined protocol and observe the exchanged information between Alice and Bob. We assume all the related algorithms are public to Eve, so Eve can perform similar processing to generate similar keys.
Figure 2 shows the general SKG procedure for the TW method, which consists of 5 phases: two-way exchange, common randomness, quantization, information reconciliation and privacy amplification. The corresponding processing and algorithms are illustrated below.
According to the theoretical analyses in the previous section, the maximum SKGR of the TW method in the quasi-static channel is achieved when both $x_A$ and $x_B$ follow a complex Gaussian distribution. Hence, we suppose both $x_A$ and $x_B$ are locally generated from a complex Gaussian distribution with the average power constraint (3). In addition, we set the length of the transmitted signal to $L$ and assume all the channels are complex constants during the time of phase 1.
Fig. 2. SKG procedure for TW method.
Once phase 1 is completed, Alice, Bob and Eve acquire their own received signals as shown in (2). Considering the privacy of $x_A$ and $x_B$, one can summarize the information that Alice, Bob and Eve own respectively. Alice and Bob hold their transmitted and received signals, i.e. ($x_A$, $y_A$) and ($x_B$, $y_B$). Eve holds the two observations, i.e. ($y_{EA}$, $y_{EB}$). Next, the common randomness between Alice and Bob should be generated based on the information they own.
According to the analyses in section III, the multiplication of the transmitted and received signals is considered as common randomness for the TW SKG method. (11) and (12) are the theoretical results based on information theory no matter what processing Eve may choose in practice. However, when considering the above specific SKG procedure, Eve is likely to perform similar processing to get similar keys. In fact, the similar processing may be the optimal strategy for Eve, because it seems to be the closest to the generated common randomness. Therefore, we utilize (22) to generate keys.
In the quasi-static channel, $x$ is generated from a complex Gaussian distribution, so $y$ has the same distribution. [14] derived the distribution of the multiplication of two complex Gaussian random variables. Thus the distribution of $g$ is described, but it is too complex to derive the closed-form expression of $K_{tw}$.
In section V, we show the estimated values of all the practical methods to make up for the absence of theoretical derivations.
The common randomness is generated by (17) and then it is quantized to an initial binary sequence. The quantization algorithm should have a low quantized bit error ratio (QBER) to facilitate information reconciliation. QBER is defined as the bit error ratio between quantized sequences and can be used in reconciliation algorithms.
The existing quantization algorithms are mainly uniform quantization, equal-probability quantization and vector quantization [15]. Considering the complicated distribution of (17), the theoretical QBER is difficult to derive and equal-probability quantization seems not to be feasible for the generated common randomness. In addition, the $L$ samples are mutually independent and do not have vector features, so vector quantization is also not necessary. Thus, we select the simple uniform quantization and adopt Gray code to reduce the QBER [16].
Assuming the uniform quantization bit is $q$, the Gray code and the corresponding quantization partition can be easily calculated. Therefore, the $q$ bit uniform quantizer can be designed to quantize $g(x,y)$ and output a binary sequence. The uniform quantization algorithm is shown in algorithm 1.
Although Eve may also quantize (20) based on the same quantization algorithm, the QBER between Alice and Eve is still higher than the one between Alice and Bob because of (21). In the next phase, the output sequences should be agreed by information reconciliation.
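The two-way exchange, the product generation function and the Gray-coded uniform quantizer described above can be run end to end; the following simulation is an added example, not code from the paper. It takes the common randomness to be each side's transmitted sample times its received sample, as the abstract states, and assumes that Eve multiplies her two observations, that real and imaginary parts are quantized separately over a public range of ±2p, and that the eavesdropping channels are CN(0,1); all function names are hypothetical, and the quantizer accepts any bit width q rather than only 1 or 3.

```python
import math
import random


def cn(rng, var=1.0):
    """Draw one circularly symmetric complex Gaussian sample CN(0, var)."""
    s = math.sqrt(var / 2.0)
    return complex(rng.gauss(0.0, s), rng.gauss(0.0, s))


def gray_bits(value, q, full_scale):
    """q-bit uniform quantizer on [-full_scale, full_scale], Gray-coded, MSB first."""
    levels = 1 << q
    step = 2.0 * full_scale / levels
    idx = int((value + full_scale) // step)
    idx = min(max(idx, 0), levels - 1)   # clip samples outside the range
    gray = idx ^ (idx >> 1)              # adjacent cells differ in exactly one bit
    return [(gray >> k) & 1 for k in range(q - 1, -1, -1)]


def quantize(g, q, full_scale):
    """Quantize real and imaginary parts separately (assumption of this example)."""
    return gray_bits(g.real, q, full_scale) + gray_bits(g.imag, q, full_scale)


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def simulate_qber(q, snr_db, periods=300, samples=200, seed=1):
    """Return (QBER Alice-Bob, QBER Alice-Eve) averaged over Rayleigh periods."""
    rng = random.Random(seed)
    p = 10.0 ** (snr_db / 10.0)   # noise variance is 1, so SNR equals power p
    full_scale = 2.0 * p          # public quantizer range (assumed value)
    err_ab = err_ae = bits = 0
    for _ in range(periods):
        # Quasi-static: channels are constant within one generation period.
        h = cn(rng)                      # reciprocal: h_AB = h_BA = h
        h_ae, h_be = cn(rng), cn(rng)    # independent eavesdropping channels
        for _ in range(samples):
            x_a, x_b = cn(rng, p), cn(rng, p)   # local random signals
            y_b = h * x_a + cn(rng)             # Bob receives Alice's signal
            y_a = h * x_b + cn(rng)             # Alice receives Bob's signal
            y_ea = h_ae * x_a + cn(rng)         # Eve's two observations
            y_eb = h_be * x_b + cn(rng)
            g_a = x_a * y_a      # = h*x_a*x_b + x_a*w_A, no channel estimate
            g_b = x_b * y_b      # = h*x_a*x_b + x_b*w_B
            g_e = y_ea * y_eb    # Eve's "similar processing" (assumed form)
            k_a = quantize(g_a, q, full_scale)
            err_ab += hamming(k_a, quantize(g_b, q, full_scale))
            err_ae += hamming(k_a, quantize(g_e, q, full_scale))
            bits += len(k_a)
    return err_ab / bits, err_ae / bits


if __name__ == "__main__":
    for q in (1, 3):
        ab, ae = simulate_qber(q, snr_db=20)
        print(f"q={q}: QBER(Alice,Bob)={ab:.4f}  QBER(Alice,Eve)={ae:.4f}")
```

The absolute values depend on the assumed quantizer range and will not match the paper's tables; the gap between the two QBERs is what information reconciliation later exploits.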
After quantization, the quantized sequences with specific QBER are obtained, so information reconciliation is needed to reconcile the inconsistent bits. Reconciled bit error ratio (RBER), which is defined as the bit error ratio after information reconciliation, may be used in privacy amplification and further affects SKGR and SKOP.
Generally, error correcting code (ECC) based information reconciliation is very efficient, but it may leak the exchanged information to Eve [9]. According to the principle of ECC-based reconciliation, systematic code is better and the detailed steps are illustrated below.
Step 1: Alice encodes her quantized sequence in blocks and sends the supervisory bits to Bob via a public noiseless channel (non-error transmission);
Step 2: Bob combines the supervisory bits with his quantized sequence as new code words and further decodes to correct the error bits.
The QBER can be modeled as a binary symmetric channel (BSC) with crossover probability $P = \mathrm{QBER}$, which leads to the error bits. Polar code uses channel polarization to correct the error bits [17]. Therefore, we adopt systematic polar code (SPC) to realize the ECC-based reconciliation algorithm [18]. Assuming the code length and the code ratio are $N$ and $r$, there is is flooring operation. Then, the $(N,K)$ SPC can be easily constructed using the QBER between Alice and Bob. The reconciliation algorithm based on SPC at Alice is shown in algorithm 2.
Using algorithm 2, Alice transmits the supervisory sequence via the public noiseless channel to Bob. However, Eve can also correctly acquire the transmitted information. Assuming that the constructed SPC is totally known to Eve (including all the parameters), she can also use the observed supervisory sequence to correct her error bits. The reconciliation algorithm based on SPC at Bob and Eve is shown in algorithm 3.
Using the reconciliation algorithm based on SPC, one can select proper SPC parameters to trade off the RBER between Alice and Bob against the one between Alice and Eve. In section V, we determine the proper code ratio by simulation.
After ECC-based reconciliation, Bob is likely to get the same sequence as Alice, while Eve may not. However, it is not surprising that the sequence reconciled at Eve is still similar to Alice’s, i.e. the RBER between Alice and Eve may be lower than 0.5. Therefore, privacy amplification, which is usually realized by a hash function, is needed to mix up the reconciled bits and pass the NIST test [19]. Considering the feasibility of the hash function and the strength of the generated keys, we choose the message-digest algorithm 5 (MD5) to generate 128 bit keys, which is enough and appropriate for now [20].
In privacy amplification, the key issue is how to determine the input length of MD5. Intuitively, it is significantly affected by the RBER between Alice and Eve. When adopting 128 bit keys, the probability of Eve cracking is $1/2^{128}$. To ensure the equivalent key strength, we assume the input length of MD5 is $M$, so there is
Generally, the RBER between Alice and Eve is lower than 0.5, so $M$ is usually greater than 128. After privacy amplification, 128 bit keys are generated and then the NIST test should be conducted to evaluate the randomness of the generated keys.
For a practical SKG scheme, the KPIs mainly include SKGR, SKOP and SKRD. When given the $q$ bit uniform quantizer, information reconciliation and privacy amplification, one can easily get the corresponding SKGR
Combining (25) and (26), one can see that quantization, information reconciliation and privacy amplification determine the SKGR, and common randomness also affects quantization. Therefore, it is obvious that the four steps of an SKG method are tightly interactive and all the steps should be matched to pursue the appropriate performance. Generally speaking, a higher quantization bit may lead to a higher SKGR, but the SKOP is also higher. SKOP is defined as the probability of SKG failure, which consists of two parts, i.e. the inconsistent probability of generated keys between Alice and Bob (SKOP of the first kind) and the consistent probability of generated keys between Alice and Eve (SKOP of the second kind). Therefore, a proper quantizer and the other matched steps may result in appropriate SKG schemes. Meanwhile, SKRD should also be evaluated by the NIST test, which is widely used as a randomness test tool.
Therefore, designing a specific SKG scheme should be a systematic project and it is difficult to make a complete implementation plan using a unified theory. As an alternative, experimental simulations may be a feasible approach, so we completely experiment with the TW SKG method and design two specific SKG schemes in section V.
We assume that a generation period consists of 2000 samples. $T_s$ is the sampling period. In the quasi-static channel, all wireless channels are complex constants in a generation period. The Rayleigh channel is adopted with $\mathcal{CN}(0,1)$ in different generation periods. In addition, 10000 Monte Carlo experiments are performed at each SNR point to average the results. To achieve the optimal SKG performance, both Alice and Bob send complex Gaussian signals.
In order to evaluate the superiorities of TW SKG method, we compare the three kinds of SKG methods in quasi-static channel from theoretical and practical respects.
5.1.1 Theoretical SKGR
In section III, the SKGRs of these three SKG methods are derived based on information theory. Meanwhile, [21] proposed an estimation algorithm of mutual information based on Copula entropy, so the SKGR can be estimated by transforming conditional mutual information to the summation of mutual information, namely
where $x$, $y$ and $z$ are multi-dimensional column vectors.
Therefore, the correctness of the theoretical SKGR can be confirmed by its estimation. Taking the TW method as an example, the derived result (12) should be equal to the estimation (10). Similarly, (9) and (7) are for the OW method, (6) and (4) are for the WC method. The detailed theoretical and estimated SKGRs of these three SKG methods are shown in figure 3.
As shown in figure 3, all the theoretical SKGRs of these three SKG methods approximately equal their estimated values. This mutually verifies the correctness of the theoretical derivation and the estimation algorithm. As SNR rises, the SKGRs of the OW and TW methods gradually increase, but that of the WC method stays almost constant and close to 0. When SNR is high, all the SKGRs tend to be unchanged and the estimation errors become serious. Meanwhile, the simulated results show that the TW method obtains a higher theoretical SKGR compared with the other methods.
5.1.2 Practical SKGR
When given a specific SKG method, Eve is likely to adopt different strategies to generate keys similar to those of Alice and Bob. In section III, we have chosen two special cases to analyze the effects on practical SKGR, namely Eve performs similar processing or does nothing. After the confirmation of the estimation algorithm in [21], all the practical SKGRs for the above two special cases can be estimated and are shown in figure 4. Specifically, (13) and (14) are for the WC method, (15) and (16) are for the OW method, (22) and (23) are for the TW method.
As shown in figure 4, Eve reduces practical SKGR through the similar processing to a larger extent than doing nothing for the TW method. This is because the processing of Alice and Bob leads to a new random variable as common randomness, and by doing the same processing Eve can obtain a more similar value than by doing nothing. However, for the WC and OW methods, the SKGRs when adopting similar processing are almost equivalent to the ones when doing nothing. This is because the raw data Eve received is itself similar to the chosen common randomness. All the results are consistent with the practical analyses in section III. Meanwhile, from the results of figure 4, one can see that the proposed TW method acquires a higher practical SKGR compared with the other SKG methods. Therefore, we suppose Eve adopts similar processing in the design of practical TW SKG schemes.
5.2.1 Quantization
Fig. 3. Theoretical SKGR verification and comparison.
Fig. 4. Practical SKGR when Eve adopts different strategy.
According to the previous analyses, uniform quantization is chosen and it is difficult to derive the theoretical QBER, so we use algorithm 1 to simulate the QBER and find the proper quantization bit $q$.
As shown in figure 5, it is clear that the QBER reduces with the increase of SNR. When $q=1$, the QBER is higher than the others for the shorter length of quantized sequence. Moreover, the QBER between Alice and Eve is about 0.5; this is because the 1 bit quantizer is too rough to unfold the relevance between (18) and (20). When $q>1$, the relevance is gradually revealed and the QBER between Alice and Eve is around 0.25. When $q=2$ and $q=3$, the QBER between Alice and Bob is almost equivalent. Based on the above analyses, the 1 bit and 3 bit uniform quantizers are proper for the practical SKG scheme and we denote them as Scheme-1bit and Scheme-3bit.
Fig. 5. QBER: uniform quantization.
Fig. 6. RBER: SPC with BSC P1=0.0795.
In wireless communication systems, the SNR mainly lies in 10-30 dB and the QBER is different at each point, so we list this partial QBER when $q=1$ and $q=3$ in table 1 and table 2, which will be used in information reconciliation.
5.2.2 Information reconciliation
As shown in table 1 and table 2, the QBER is significantly affected by SNR. QBER is considered as the BSC crossover probability in reconciliation algorithms, so it is necessary to determine the SPC parameters based on SNR. Taking SNR=20dB as an example, we simulate the RBER with different code ratio $r$ and code length $N$. The related polar code materials including encode and decode algorithms can be downloaded in [22]. In 3GPP RAN1#88, the maximum SPC lengths of downlink and uplink are 512 and 1024, so we set the code length to 256, 512 and 1024 [23].
For Scheme-1bit, the QBER between Alice and Bob is, so the SPC is constructed with BSC parameter $P_1=0.0795$. Based on algorithm 2 and algorithm 3, we perform information reconciliation with different code ratios and figure 6 shows the corresponding RBER.
As shown in figure 6, the RBER between Alice and Bob is low and gradually increases with the rising of code ratio, while the one between Alice and Eve is high and approaches 0.5. To ensure a low SKOP, we choose code ratio $r=0.4$ for the SNR=20dB scenario. In this case, the RBER between Alice and Bob is very low (almost 0) while the one between Alice and Eve is relatively high (about 0.45). In addition, for different code lengths, there is no obvious distinction at the chosen code ratio point, so all the SPC with $N=256, 512, 1024$ and $r=0.4$ can be adopted in information reconciliation.
Similarly, for Scheme-3bit, the QBER between Alice and Bob is, so the SPC is constructed with BSC $P_3=0.0459$ and the RBER is shown in figure 7.
As shown in figure 7, we choose the code ratio $r=0.5$ for the SNR=20dB scenario. At this point, the RBER between Alice and Bob is still almost 0. On the contrary, the RBER between Alice and Eve is near 0.2.
Similarly, one can determine the proper code ratio at each SNR point for Scheme-1bit and Scheme-3bit through algorithm 2 and algorithm 3. The chosen code ratios are listed in table 3.
Without loss of generality, we set the code length of SPC to 512 and use the chosen code ratio to perform information reconciliation at each SNR point. Since the RBER between Alice and Eve is needed in privacy amplification, we list the corresponding RBER in table 4.
Note that we assume Alice sends the supervisory bits to Bob (forward link) only once. In fact, the backward link can also be used to realize multiple reconciliation, but it probably produces bigger resource costs and more information losses.
5.2.3 Privacy amplification
To ensure the equivalent key strength, we use the RBER between Alice and Eve in table 4 and to calculate the input length of MD5. The detailed results are shown in table 5.
Once $M$ is determined, 128 bit keys can be generated and saved as a .txt file to perform the NIST test later.
5.2.4 Practical performance
Through the complete simulation of Scheme-1bit and Scheme-3bit, the practical SKGR can be calculated by computing (26). Table 6 shows the SKGR at each SNR point. As shown in table 6, the SKGR improves as the SNR rises. When SNR is low, Scheme-1bit shows a higher SKGR than Scheme-3bit. When SNR is high, Scheme-3bit achieves a better performance.
Fig. 7. RBER: SPC with BSC P3=0.0459.
Table I. QBER between Alice and Bob.
Table II. QBER between Alice and Eve.
Table III. The chosen code ratio at each SNR.
Table IV. RBER between Alice and Eve
Table V. The input length of MD5.
Table VI. SKGR at each SNR point.
Table VII. The whole SKOP at each SNR point.
Table VIII. The SKOP of the first kind.
Table IX. The SKOP of the second kind.
Table X. NIST test results of Scheme-1bit
Table XI. NIST test results of Scheme-3bit.
In addition, the whole SKOP is shown in table 7. One can see that Scheme-1bit is capable of achieving lower SKOP and Scheme-3bit achieves $10^{-4}$ level SKOP when SNR is high. Therefore, Scheme-1bit should be applied to low SNR scenarios and Scheme-3bit has priority when SNR is high. Meanwhile, we list the SKOP of the first kind (the generated keys at Bob are not the same as Alice’s) and the SKOP of the second kind (the generated keys at Eve are the same as Alice’s) in table 8 and table 9, respectively. From the results of table 8 and table 9, one can see that Scheme-1bit has the lower SKOP of the first kind, while Scheme-3bit achieves the lower SKOP of the second kind.
At last, we run the NIST test to evaluate the SKRD of the generated keys. For the related NIST test materials, see [24]. Table 10 and table 11 list the test results of Scheme-1bit and Scheme-3bit, respectively. Each STATISTICAL TEST passes when its P-VALUE is greater than 0.01. Obviously, both Scheme-1bit and Scheme-3bit pass the NIST test and satisfy the statistical requirement.
Aiming at the improvement of SKGR for the TDD-SISO system in the quasi-static channel, this paper proposes a novel SKG method based on two-way randomness. By designing a public generation function, the common randomness is obtained without channel estimation. This allows both Alice and Bob to transmit random signals, thus greatly improving the SKGR, which contains the forward and backward secure transmission rates. Meanwhile, we classify three kinds of SKG methods from the perspective of information theory, namely WC, OW and TW, and compare their corresponding theoretical SKGRs. Furthermore, the strategies that Eve may adopt are analyzed, and two specific SKG schemes supposing Eve performs the similar processing are completely designed. By evaluating the KPIs of the proposed schemes, one can see that Scheme-1bit and Scheme-3bit are suited to low and high SNR scenarios respectively. In addition, it is worth mentioning that the idea of the generation function can be extended to multiple input and multiple output (MIMO) scenarios and this should be further studied in the future.
ACKNOWLEDGEMENT
This work was supported by National Natural Science Foundation of China (61521003, 61501516, 61471396, 61401510) and Postdoctoral Science Foundation of China (2016M592990).