The invention relates to a method for univalent and unequivocal extraction of keys from the propagation channel. These keys, which remain secret because the extraction is univalent, are intended to secure the exchange of data between at least one first user and at least one second user in a data exchange system, notably a wireless communication system (portable terminals, computers, etc.).
In data exchange systems, notably wireless communication systems, it is desirable to protect the information transmitted between two users so that a malicious third party cannot access it.
The majority of secure transmission systems use secret keys that are shared beforehand between the emitters and the receivers, which requires complex (and often expensive) mechanisms for generating and distributing said keys among the users. In addition, when this generation and distribution have to be performed on a large scale, for example in public radio communication networks, the growing number of parties involved (manufacturers, operators, distributors, subscribers) and of routing circuits leads to strong risks of key leakage, as numerous recent events in the field have demonstrated.
Some devices already exist for generating secret keys from the propagation channel. These devices use the received signal strength indication (RSSI), a measurement that is technologically easy to access. However, the RSSI captures only a small part of the richness of the propagation channel: it ignores the complex channel coefficients, whose phase is far more random than the single signal-strength parameter usually exploited. Consequently, in frequent cases, key generation from the RSSI is not univalent, as the generated keys are highly correlated, which enables a third party to recover them.
The idea behind the method according to the invention is notably to take full advantage of the highly random nature of wireless transmission channels so as to generate, in a univalent and unequivocal manner, a secret key for protecting data exchanged between at least one emitter and one receiver. Said univalency stems from the fact that only a measurement of the channel performed at the same time and at the same location would allow a third party, who does not have said measurements, to reproduce these keys by applying the same selection, quantification and formatting procedures; said unequivocality stems from the formatting and correction mechanisms applied in the method according to the invention.
In the remainder of the description, the expressions ‘user A’ and ‘transceiver A’ are used interchangeably to refer to the user Alice, and likewise ‘user B’ and ‘transceiver B’ for the user Bob.
The invention relates to a method for univalent and unequivocal extraction of keys from a propagation channel (EUC_CP), said keys being intended to protect data exchanged between a first user and a second user, a user including one or more emitters and one or more receivers, the data being transmitted via the propagation channel, characterized in that it comprises at least the following steps:
a) Measuring, by way of the receiver(s) of the first and of the second user, signals S coming from each emitter of the other user, measuring the parameters of the corresponding propagation channel, and estimating the corresponding complex impulse responses of the propagation channel or corresponding complex frequency responses of the propagation channel,
b) Selecting, in a univalent manner, for each user, a set of complex channel coefficients resulting from the estimations of the complex impulse responses of the propagation channel or of the complex frequency responses of the propagation channel, and retaining the coefficients that exhibit a cross-correlation lower than an adjustable predetermined threshold value,
c) Quantifying and formatting, for each user, the selected complex channel coefficients by applying a geometrical mesh of the complex plane in which the channel coefficients take their value, numbering the complex coefficients according to the mesh to which they belong, and by applying error correction techniques to said numbering,
d) Using, in a univalent and unequivocal manner, for each user, digital data resulting from said quantification and from said formatting in the form of secret keys so as to encrypt the string of transmitted data.
The method uses, for example, as communication mode between the users, a temporal duplex mode employing one and the same carrier frequency for the emission and reception exchanges in both transmission directions.
The method may be duplicated over all of the carrier frequencies employed by users in frequency duplex mode employing different carrier frequencies for their emission and reception exchanges according to the transmission direction.
The method may apply an error correction coding function to the keys that are extracted by the users, with minimal transmission of data from the first user to the second user, in order to eliminate the differences between the keys of the first and of the second user.
According to one variant embodiment, the method implements a hash function and a length reduction on the extracted keys, the function being designed to eliminate any residual leakage of information to a third party and improve the random qualities of the keys.
The steps of the method according to the invention may be repeated from one transmission to another and be repeated regularly over the course of one and the same transmission.
The method may use an artificial noise and beamforming protocol for the transmission of the data, the signals then being, for example, signals that are emitted and received within the framework of said artificial noise and beamforming protocol.
According to one variant embodiment, the signals are signals that are emitted and received within the framework of a simultaneous emission and reception (‘full duplex’) protocol.
According to another variant, the signals are public or non-public, covert or non-covert, self-interfering or non-self-interfering marking signals that are emitted and received within the framework of a transceiver system identification protocol or within the framework of a user authentication protocol for such a system or within the framework of a protocol for verifying the integrity of the messages emitted and received by such a system.
The method may implement emitters and receivers adapted for radio communication. It may also use emitters and receivers adapted for acoustic transmissions or else for optical transmissions.
The invention also relates to a device for univalent and unequivocal extraction of keys from a propagation channel (EUC_CP), said keys being intended to protect data exchanged between a first user and a second user, a user including one or more emitters and one or more receivers, the data being transmitted via the propagation channel, characterized in that each user comprises at least one calculating unit adapted for executing the steps of the method according to the invention.
The emitters and the receivers are, for example, radio communication transceivers, or emitters and receivers adapted for acoustic transmissions or else emitters and receivers for optical transmissions.
Other features and advantages of the present invention will become more clearly apparent upon reading the description, given by way of wholly non-limiting illustration, alongside the appended figures, in which:
To better understand the method according to the invention, the example is given in the case of an exchange between a first transceiver user A (Alice) and a second transceiver user B (Bob), in the presence of an unauthorized third-party receiver E (Eve) liable to intercept the communications and to access the content of the data exchanged between A and B.
The user A is for example a node or a terminal of a communication network including a calculating unit 11, a coding/decoding module 12, a demodulation module 13, a module formed of antennae 14, a set of filters 15 and radio emission and reception means 16e, 16r. These elements are known to those skilled in the art and will not be described in detail. The subject of the invention will consist notably in executing an algorithm for calculating a key by utilizing the measurements performed on the parameters of the channel, as will be explained hereinafter.
Likewise, the user B, 20 includes for example a calculating unit 21, a coding/decoding module 22, a demodulation module 23, and a module formed of antennae 24, of filters 25 and of radio emission and reception means 26e, 26r.
The unauthorized third-party receiver E, 30 includes a calculating unit 31, a data logger 32 and an analysis module 33, and a block of antennae 34 and of filters 35 and of radio reception means 36.
With the transceivers Alice A and Bob B wishing to communicate securely, A and B wish to extract a shared secret key KA based on the parameters of the propagation channel that each of them measures. When the unauthorized third party Eve E is situated a few wavelengths away from B, the channel that E measures is already independent of the legitimate channel, so the key KE that E is able to extract is independent of the secret key KA extracted by A and B. In many cases, a distance of a few wavelengths is enough to ensure independence between the keys KA and KE. This holds in rich-scattering environments; in line-of-sight or sparse-scatter settings the spatial decorrelation distance can be larger and should be checked rather than assumed.
Considering exchanges between users A and B in temporal duplex mode (emission and reception on the same carrier frequency in the direction A to B and B to A), the invention utilizes the natural reciprocity of the propagation channel (during its period of stationarity) insofar as the angles of incidence and the lengths of the outward and return paths are the same.
Considering exchanges between users A and B in frequency duplex mode (emission and reception on different carrier frequencies depending on the direction A to B or B to A), implementing the invention involves duplicating, on each carrier, the steps of the method described hereinafter to take advantage of the natural reciprocity of the propagation channel on each of the carriers.
With the aim being to generate a secret key to protect the data exchanges between the transceiver A and the transceiver B, the method will implement, for example, the following steps:
The error correction code in reconciliation step d) may be a simple algebraic code that is well known to those skilled in the art, and the hash function used in confidentiality amplification step e) may be a 2-universal hash function family, known to those skilled in the art.
Optional steps d) and e) may be omitted when the users have sufficient guarantees as to the reliability and the secrecy of steps a), b) and c); in this case, directly KS = KA = KB.
The steps of the method summarized above will now be described in detail.
Estimation of the Propagation Channel (Step a)
The generation of a secret key KS is based on the use of the information regarding the state of the propagation channel, known under the expression ‘channel state information’. This information may be measured in the frequency domain (channel frequency response (CFR) or channel transfer function (CTF)), denoted Hf hereinafter, or in the temporal domain (channel impulse response or CIR), denoted Ht hereinafter.
In the frequency domain, the estimation of the channel Hf quantifies the fading applied to each sub-carrier.
In a system in which the signals are appropriately filtered (i.e. in accordance with the rules known to those skilled in the art, compliant with the Nyquist criterion) and sampled in baseband with a period Tech, and considering a finite-bandwidth channel response, the k-th component Ĥf(k) of the sampled CFR, corresponding to the frequency fk = k/Tech, is calculated as the ratio Ĥf(k) = Y(fk)/X(fk), where Y(fk) is the received signal in the frequency domain at the frequency fk and X(fk) is the emitted signal or the reference signal in the frequency domain at the frequency fk. This ratio is the per-sub-carrier least-squares estimate; it is only defined where X(fk) is non-zero, i.e. on the pilot or known-data sub-carriers.
This method is particularly well suited to multicarrier waveforms using orthogonal frequency division multiplexing (OFDM), for example Wi-Fi (IEEE 802.11a and later) or LTE. Single-carrier systems such as Bluetooth, which uses GFSK/DPSK modulation rather than OFDM, are better served by the time-domain estimate described below.
The sampled CFR Ĥf(k) may also be taken directly from the frequency-domain processing that each user's receiver already performs for its own reception and demodulation of the other user's signals, namely the equalization on pilot sub-carriers carried out in the nodes, base stations and terminals of systems using OFDM-based radio access and the associated protocols, for example OFDMA (orthogonal frequency division multiple access) or SC-FDMA (single carrier frequency division multiple access), such as broadcast networks using the DVB-T (Digital Video Broadcasting - Terrestrial) standard or fourth-generation cellular networks using the LTE (Long Term Evolution) standard; these techniques are well known to those skilled in the art.
In the temporal domain, the channel estimate Ht quantifies the distribution of the propagation paths over time within the band of the carrier of the signal. In the example given, considering a finite approximation of the temporal response of the channel, the l-th sample Ht(l) of the sampled CIR, corresponding to the instant tl = l·Tech, is obtained, for example, from the sampled CFR by the inverse fast Fourier transform:

Ht = IFFT(Ĥf).
It may also be obtained directly in the temporal domain from reference signals xA(t+t0) and xB(t+t0) emitted by the users A and B, from a reference instant t0, and by applying, to the signals yA(t+t0) and yB(t+t0) received by the receivers of the users A and B after propagation in the transmission channel, for which a finite length L approximation is considered, the following steps:
Such a function is explained in the following formula:
The sampled CIR response Ht(l) may also be obtained by directly utilizing the outputs of the processing operations applied in the temporal domain by the receivers of each user, for the needs specific to the quality of their reception and demodulation of the signals emitted by the other users:
The secret keys KS that are generated should preferably be completely random, so as to be unpredictable to the unauthorized third party E. To this end, the second step of the method (step b) uses a selection algorithm in the temporal and frequency domains that retains only the decorrelated channel coefficients, that is to say those capable of producing digital data (bits) with uniform and uncorrelated probability distributions.
In order to eliminate the temporal and frequency correlation, the method may, for example, implement one or the other of the algorithms described hereinafter.
It is possible to use an algorithm for reducing the temporal correlation between the channel coefficients. The set of channel coefficients measured at one and the same acquisition instant t constitutes a temporal frame. The temporal coefficients of cross-correlation Ccc,t are calculated between two consecutive frames Ri, Ri+1 using algorithms known to those skilled in the art. The method selects the frames for which the coefficient of cross-correlation Ccc,t is lower than a threshold value Tt.
It is also possible to use an algorithm for reducing the frequency correlation between the coefficients of the channel. The method is explained below, by way of illustration and without limitation, for an OFDM (orthogonal frequency division multiplexing) sub-carrier-modulated signal. For such a signal, the frequency coefficients of cross-correlation Ccc,f are calculated between two consecutive carrier frequencies Pj, Pj+1 using algorithms known to those skilled in the art. The method selects the carriers for which the coefficient of cross-correlation Ccc,f is lower than a threshold value Tf. In addition, the lowest-frequency and highest-frequency sub-carriers are eliminated. The method would apply in the same way to the complex spectral components of a general signal, at the outputs of a Fourier transform of said signal performed in accordance with the rules of the art.
Finally, Alice will transmit to Bob the temporal t and frequency f indices of the selected channel coefficients, using the public transmission channel. Only the indices of these coefficients are transmitted, thereby not leading to any disclosure of information regarding the value of these coefficients to an unauthorized third party E.
A second algorithm for decorrelating the channel measurements concatenates the two algorithms above: first, the temporal frames Ri whose cross-correlation coefficients Ccc,t with all of the other frames are all lower than a fixed threshold Tt are preselected; next, among the preselected frames, the carrier frequencies whose cross-correlation coefficients Ccc,f are all lower than a fixed threshold Tf are selected.
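The following worked example, added here and not taken from the patent, carries steps a) and b) through on constructed data: a CFR estimate Ĥf(k) = Y(fk)/X(fk) from a BPSK pilot, the CIR by inverse DFT, then the concatenated temporal and frequency selection with thresholds Tt and Tf, ending with the list of indices that Alice would publish. Everything about the channel (4 complex-Gaussian taps evolving as an AR(1) process over 16 sub-carriers, the pilot values, the noise level) is an assumption of the example, and the selection is implemented in a greedy form (each frame or sub-carrier is tested against everything already kept), which is one reading of the "all of the other frames" test above.

```python
import cmath
import math
import random

N_SC = 16     # sub-carriers of the constructed OFDM-like system (assumption)
N_TAPS = 4    # finite length L of the channel impulse response approximation (assumption)

def dft(x, inverse=False):
    """Plain O(N^2) DFT / inverse DFT (no numpy) on a list of complex samples."""
    n = len(x)
    sign = 1 if inverse else -1
    out = [sum(x[k] * cmath.exp(sign * 2j * math.pi * k * m / n) for k in range(n))
           for m in range(n)]
    return [v / n for v in out] if inverse else out

def estimate_cfr(y, x):
    """Step a), frequency domain: H_f(k) = Y(f_k) / X(f_k) on each pilot sub-carrier."""
    return [yk / xk for yk, xk in zip(y, x)]

def estimate_cir(h_f):
    """Step a), time domain: H_t = IFFT(H_f)."""
    return dft(h_f, inverse=True)

def cross_corr(u, v):
    """Magnitude of the normalised complex cross-correlation coefficient of u and v."""
    num = sum(a * b.conjugate() for a, b in zip(u, v))
    den = math.sqrt(sum(abs(a) ** 2 for a in u) * sum(abs(b) ** 2 for b in v))
    return abs(num) / den if den else 0.0

def select_frames(frames, t_t):
    """Temporal selection, greedy form of the 'all other frames' test: keep frame i only
    if its cross-correlation with every frame already kept is below T_t."""
    kept = []
    for i, frame in enumerate(frames):
        if all(cross_corr(frame, frames[j]) < t_t for j in kept):
            kept.append(i)
    return kept

def select_carriers(frames, kept, t_f):
    """Frequency selection on the kept frames: the time series of sub-carrier j is kept
    only if its cross-correlation with every sub-carrier already kept is below T_f;
    the lowest and highest sub-carriers are dropped up front."""
    series = [[frames[i][j] for i in kept] for j in range(N_SC)]
    chosen = []
    for j in range(1, N_SC - 1):
        if all(cross_corr(series[j], series[c]) < t_f for c in chosen):
            chosen.append(j)
    return chosen

def make_frames(n_frames, rho, seed):
    """Constructed measurements: N_TAPS complex-Gaussian taps evolving as an AR(1) process
    with correlation rho between consecutive acquisitions; each frame is the CFR estimate
    from a BPSK pilot X with Y = H.X + small additive noise."""
    rng = random.Random(seed)
    taps = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(N_TAPS)]
    frames = []
    for _ in range(n_frames):
        taps = [rho * h + math.sqrt(1.0 - rho * rho) * complex(rng.gauss(0, 1), rng.gauss(0, 1))
                for h in taps]
        h_f = dft(taps + [0j] * (N_SC - N_TAPS))
        x = [complex(rng.choice((-1, 1)), 0) for _ in range(N_SC)]
        y = [h * xk + complex(rng.gauss(0, 0.01), rng.gauss(0, 0.01)) for h, xk in zip(h_f, x)]
        frames.append(estimate_cfr(y, x))
    return frames

def alice_select(frames, t_t=0.5, t_f=0.5):
    """What Alice sends Bob on the public channel: (frame index, sub-carrier index) pairs only."""
    kept = select_frames(frames, t_t)
    carriers = select_carriers(frames, kept, t_f)
    return [(i, j) for i in kept for j in carriers]

def demo(seed=3):
    """40 acquisitions with inter-frame correlation 0.2; returns the frames and the published indices."""
    frames = make_frames(40, 0.2, seed)
    return frames, alice_select(frames)

if __name__ == "__main__":
    _, published = demo()
    print(len(published), "coefficient indices published (values stay private)")
```

The thresholds Tt and Tf decide the trade-off directly: lowering them keeps fewer coefficients but each one contributes closer to a full independent bit per quantised level, which is what step c) assumes. Note that with a static channel (rho = 1) the temporal test keeps a single frame, so no new key material accrues until the channel actually changes.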
Assuming that the propagation channel is reciprocal and random, it may be considered as a common source of random bits bi, i an integer, shared by a pair of legitimate terminals. Thus, after having measured the radio channel, the emitter 16e of A and the receiver 26r of B jointly use a quantification (i.e. quantization) algorithm to generate a sequence of bits b1, …, bN intended to produce a secret key from the channel common to A and B. However, because of noise and of the estimation errors of the propagation channel, the emitter 16e of A and the receiver 26r of B may disagree over some bits of the generated secret key, that is to say the keys KA and KB do not completely match. To limit this phenomenon, the method executes a suitably configured quantification algorithm.
One conventional example of a quantification algorithm consists in meshing the complex plane (then called quantification plane) in which the channel coefficients take their values. Conventionally, the real axis and the imaginary axis of the complex plane are partitioned into intervals, with guard bands between these intervals. The quantification algorithm assigns a complex channel coefficient with the numbers of the intervals in which its real part and its imaginary part are located, but it rejects all of the real or imaginary parts of complex coefficients that are situated outside of an interval, that is to say in one of the guard bands, this thus leading to ineffective utilization of the measurements of the channel and to a reduced amount of digital data or extracted bits.
Other models use multiple quantification planes, each plane being adjusted to the current frame of channel coefficients, such as the channel quantization algorithm (CQA) described in the document by J. Wallace and R. Sharma, “Automatic secret keys from reciprocal MIMO wireless channels: measurement and analysis,” IEEE Trans. on Information Forensics and Security, vol. 5, no. 3, pp. 381-392, September 2010. The principle is to choose, for the current frame of channel coefficients, the quantification plane least likely to produce a disagreement between A and B.
The method according to the invention will, for example, apply a CQA algorithm to the channel coefficients in order to generate the bits of the secret key.
An illustrative and non-limiting example is given in
The function of distributing the real and imaginary parts of the complex channel coefficients is used to divide the measurement space into equiprobable regions. All of these regions then constitute a first quantification plane P0. A second quantification plane P1 is obtained after translating the first one, in accordance with a model described in the abovementioned document by J. Wallace and R. Sharma. Thus, for each observation, the emitter of A chooses the quantification plane for which the measurement is furthest away from a border, so as to minimize the risk of error after quantification. Then, the emitter of A transmits, to the receiver of B, a message MA on the public channel indicating which quantification plane is the one used for each channel measurement. This message reveals only the index of the quantification plane that is used, and no information regarding the value of the channel coefficients.
In the example given in
In illustrative
For example in
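The plane choice and the public message MA, as an added Python example that is not part of the patent text: two quantification planes P0 and P1 are built on a Gaussian CDF transform (assumption: the channel coefficients are circularly symmetric complex Gaussian with known per-axis deviation SIGMA, so equal-width bins in the transformed domain are equiprobable regions), with 2 bits per real coordinate and P1 equal to P0 translated by half a bin. Alice chooses the plane per real coordinate (the granularity of the choice is an assumption of the example, so MA carries one plane bit per coordinate), and the plane index is the only information that leaves her side. The simulation compares Bob's disagreement count when both sides use P0 only against the CQA choice, on constructed measurements where Bob observes Alice's values plus small independent estimation noise.

```python
import math
import random

SIGMA = 1.0       # assumed per-axis standard deviation of the complex channel coefficients
BITS = 2          # bits per real coordinate: 2 for the real part + 2 for the imaginary part
LEVELS = 1 << BITS

def to_uniform(x):
    """Gaussian CDF transform: maps a coordinate to u in [0, 1] so that equal-width bins
    in u are equiprobable regions of the measurement space (Gaussian assumption)."""
    return 0.5 * (1.0 + math.erf(x / (SIGMA * math.sqrt(2.0))))

def bin_position(x, plane):
    """Bin index and fractional position inside the bin, in plane P0 (borders at i/LEVELS
    in the u domain) or plane P1 (P0 translated by half a bin; its two outer half-bins
    wrap into a single bin)."""
    u = to_uniform(x)
    if plane == 1:
        u = (u + 0.5 / LEVELS) % 1.0
    pos = u * LEVELS
    idx = min(int(pos), LEVELS - 1)
    return idx, pos - idx

def quantize(x, plane):
    return bin_position(x, plane)[0]

def border_distance(x, plane):
    """Distance to the nearest bin border, in bin units (0 = on a border, 0.5 = bin centre)."""
    frac = bin_position(x, plane)[1]
    return min(frac, 1.0 - frac)

def coordinates(coeffs):
    return [x for h in coeffs for x in (h.real, h.imag)]

def alice_quantize(coeffs):
    """Alice: for each real coordinate choose the plane in which the sample lies furthest
    from a border, emit the bin index, and record the plane index in the public message MA.
    MA carries plane indices only, never coefficient values."""
    symbols, message = [], []
    for x in coordinates(coeffs):
        plane = 0 if border_distance(x, 0) >= border_distance(x, 1) else 1
        message.append(plane)
        symbols.append(quantize(x, plane))
    return symbols, message

def bob_quantize(coeffs, message):
    """Bob: quantize his own estimates with the planes announced in MA."""
    return [quantize(x, plane) for x, plane in zip(coordinates(coeffs), message)]

def symbols_to_bits(symbols):
    """Format each bin index as BITS bits; concatenation is the raw key material."""
    return "".join(format(s, "0{}b".format(BITS)) for s in symbols)

def mismatches(a, b):
    return sum(1 for x, y in zip(a, b) if x != y)

def simulate(n=2000, noise=0.02, seed=7):
    """Constructed data: Alice's estimates are unit-variance complex Gaussian; Bob's are the
    same values plus independent estimation noise (reciprocal channel, imperfect measurement).
    Returns (symbol disagreements with P0 only, symbol disagreements with the CQA choice)."""
    rng = random.Random(seed)
    h_a = [complex(rng.gauss(0, SIGMA), rng.gauss(0, SIGMA)) for _ in range(n)]
    h_b = [h + complex(rng.gauss(0, noise), rng.gauss(0, noise)) for h in h_a]
    p0_only = [0] * (2 * n)
    single = mismatches(bob_quantize(h_a, p0_only), bob_quantize(h_b, p0_only))
    ka, ma = alice_quantize(h_a)
    kb = bob_quantize(h_b, ma)
    return single, mismatches(ka, kb)

if __name__ == "__main__":
    print("P0 only: %d disagreements, CQA: %d disagreements" % simulate())
```

Because the borders of P1 sit exactly half a bin away from those of P0, every coordinate is at least a quarter of a bin away from a border in the plane Alice picks; with the noise level assumed here that margin is several noise standard deviations, so the CQA run produces no disagreements where the single-plane run produces many. The guarantee weakens as BITS grows (bins shrink) or as the estimation noise grows, which is exactly when the reconciliation step d) becomes necessary.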
In the reconciliation step, the method will remove the remaining conflicts between the key generated by A, KA, and the key generated by B, KB, using an error correction code. The key calculated by A, KA, is considered to be the secret key, and B wishes to recover the key from A, KA, by correcting the key KB extracted from its own channel measurements.
The reconciliation step comprises, for example, the following steps:
On the part of A:
The reconciliation step succeeds when B decodes exactly the code word c selected by Alice, that is to say when ĉ = c. B then recovers the exact value of A's key KA.
As a result, although the secure sketch (the public value that A derives from KA and the code word c) is transmitted on the public channel, it allows exact recovery of the secret key KA without disclosing its exact value.
However, E can also use the secure sketch to get closer to the secret key KA. The information exposed by sending the secure sketch on the public channel must therefore be removed.
A final step makes it possible to remove this information leakage and to improve the quality of the secret key.
As mentioned above, the aim of this last step is to remove the information that leaked to the third party E during the reconciliation step and to improve the random nature of the key. Hash functions can be used to achieve this.
The following example is given for a ‘2-universal’ hash function family.
A family of functions → is said to be 2-universal if, for x1≠x2:
where g is chosen randomly from .
One way of constructing a 2-universal family is to choose a random element a ∈ GF(2n) and to interpret the secret key KA as an element of GF(2n).
The family of functions {0,1}n → {0,1}r, indexed by a, that assigns to KA the first r bits of the product a·KA ∈ GF(2n) is 2-universal for 1 ≤ r ≤ n. Note that a·KA is the product in the Galois field GF(2n), i.e. polynomial multiplication modulo a fixed irreducible polynomial of degree n, not the integer product. The element a may be chosen by A and sent to B on the public channel; r is chosen below n by at least the number of bits that the reconciliation step may have leaked.
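Reconciliation (step d) and confidentiality amplification (step e) end to end, as an added Python example that is not the patent's own code. Its assumptions: 128-bit extracted keys; the "simple algebraic code" is the extended Hamming (8,4) code applied to 8-bit blocks (corrects one error per block, detects two); the secure sketch is the code-offset construction s = KA ⊕ c with c a random code word; the 2-universal family is the one just described over GF(2^128) with the polynomial x^128 + x^7 + x^2 + x + 1, and "first r bits" is taken as the most significant bits of the product. The hash index a is drawn by A after reconciliation and would be sent to B on the public channel.

```python
import random

KEY_BITS = 128   # assumption: 128-bit extracted keys, i.e. 16 blocks of the (8,4) code below

# ---- Reconciliation: code-offset secure sketch over the extended Hamming (8,4) code ----

def hamming74_encode(d):
    """4 data bits -> 7-bit Hamming code word [p1, p2, d0, p3, d1, d2, d3]."""
    d0, d1, d2, d3 = d
    return [d0 ^ d1 ^ d3, d0 ^ d2 ^ d3, d0, d1 ^ d2 ^ d3, d1, d2, d3]

def hamming84_encode(d):
    """Hamming (7,4) code word plus an overall parity bit (single-error correcting, double-error detecting)."""
    c = hamming74_encode(d)
    return c + [sum(c) % 2]

def hamming84_decode(r):
    """Corrected 8-bit code word, or None when a double error is detected."""
    r = list(r)
    s = ((r[0] ^ r[2] ^ r[4] ^ r[6])
         + 2 * (r[1] ^ r[2] ^ r[5] ^ r[6])
         + 4 * (r[3] ^ r[4] ^ r[5] ^ r[6]))
    parity = sum(r) % 2
    if s and parity:        # single error in the Hamming part: syndrome is its 1-based position
        r[s - 1] ^= 1
    elif s:                 # syndrome set but overall parity consistent: two errors, uncorrectable
        return None
    elif parity:            # only the parity bit was hit
        r[7] ^= 1
    return r

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def secure_sketch(ka, rng):
    """Alice: per 8-bit block of KA draw a random code word c and publish s = block xor c."""
    return [xor(ka[i:i + 8], hamming84_encode([rng.randrange(2) for _ in range(4)]))
            for i in range(0, len(ka), 8)]

def recover(kb, sketch):
    """Bob: KB xor s = c xor e; decode to c_hat; block of KA = s xor c_hat. None if any block fails."""
    out = []
    for i, s in enumerate(sketch):
        c_hat = hamming84_decode(xor(kb[8 * i:8 * i + 8], s))
        if c_hat is None:
            return None
        out.extend(xor(s, c_hat))
    return out

# ---- Confidentiality amplification: h_a(K) = first r bits of a.K in GF(2^128) ----

GF128_POLY = (1 << 128) | 0x87   # x^128 + x^7 + x^2 + x + 1

def gf128_mul(a, b):
    """Carry-less product of two 128-bit field elements, reduced modulo GF128_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= GF128_POLY
    return r

def privacy_amplify(key_bits, a, r):
    """Keep the r most significant bits of a.K ('first r bits'; the bit order is a convention
    both sides must share)."""
    k = int("".join(map(str, key_bits)), 2)
    prod = gf128_mul(a, k)
    return [(prod >> (KEY_BITS - 1 - i)) & 1 for i in range(r)]

def demo(seed=2024, flips=(3, 17, 40, 100, 127)):
    """Constructed run: KA random; KB = KA with the listed bit positions flipped (at most one per
    block for the default). Returns KA, Bob's reconciled key (None on failure) and both sides'
    64-bit amplified keys."""
    rng = random.Random(seed)
    ka = [rng.randrange(2) for _ in range(KEY_BITS)]
    kb = list(ka)
    for p in flips:
        kb[p] ^= 1
    k_hat = recover(kb, secure_sketch(ka, rng))
    a = rng.getrandbits(KEY_BITS) | 1      # public hash index, drawn after reconciliation
    # Each published 8-bit block reveals at most 8 - 4 = 4 bits of KA, so at most 64 of the
    # 128 bits leak through the sketch; r is cut to 64 accordingly.
    ks_a = privacy_amplify(ka, a, 64)
    ks_b = privacy_amplify(k_hat, a, 64) if k_hat is not None else None
    return ka, k_hat, ks_a, ks_b
```

Two points the run makes explicit. The sketch is 128 public bits, but only the 64 random code-word bits hide KA, so the leakage bound that fixes r comes from the code rate, not from the sketch length. And when a block carries two disagreements, `recover` returns None rather than a silently wrong key: the right response is to discard the round and measure again, never to proceed with keys that may differ.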
The steps of the method described in detail above may be repeated from one data transmission to the next and/or regularly within one and the same transmission. The method recalculates the secret key upon each new transmission and each new message, as a function of signal-strength monitoring, of propagation fluctuations and of any bit-rate adjustments.
The method may be implemented within a transmission system using an artificial noise and beamforming protocol for the transmission of the data, the signals then being signals that are emitted and received within the framework of said artificial noise and beamforming protocol.
The signals may also be signals that are emitted and received within the framework of a simultaneous emission and reception protocol.
According to another variant embodiment, the signals used for the extraction of keys are public or non-public, covert or non-covert, self-interfering or non-self-interfering marking signals that are emitted and received within the framework of a transceiver system identification protocol or within the framework of a user authentication protocol for such a system or within the framework of a protocol for verifying the integrity of the messages emitted and received by such a system.
The emitters and the receivers of the device will be chosen for example from the following list: emitters and receivers configured for radio communication, emitters and receivers configured for acoustic transmissions, emitters and receivers configured for optical transmissions.
Advantageously, the method according to the invention makes it possible to extract a secret key in a univalent and unequivocal manner, thus allowing data exchanged between users to be protected.
Number | Date | Country | Kind |
---|---|---|---|
15/02712 | Dec 2015 | FR | national |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/EP2016/082874 | 12/29/2016 | WO | 00 |