Secret Key Generation Via Localization and Mobility: Onur Gungor, Fangzhou Chen, and Can Emre Koksal, Senior Member, IEEE

2214
IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 64, NO. 6, JUNE 2015
Secret Key Generation Via Localization and Mobility

Onur Gungor, Fangzhou Chen, and Can Emre Koksal, Senior Member, IEEE
AbstractWe consider secret key generation by a pair of mobile nodes utilizing observations of their relative locations in the
presence of a mobile eavesdropper. In our proposed algorithm, the
legitimate node pair makes noisy observations of the relative locations of each other. Based on these observations, the nodes generate
secret key bits via information reconciliation, data compression,
and privacy amplification. We characterize a theoretically achievable secret key bit rate in terms of the observation noise variance
at the legitimate nodes and the eavesdropper and show that the
performance of our algorithm is comparable to the theoretical
bounds. We also test our algorithm in a vehicular setting based
on observations made using wireless beacon exchange between the
legitimate nodes. To achieve this, we used TelosB wireless radios
mounted on the sides of the vehicles on local roads and freeways.
Note that our approach relies solely on distance reciprocity, and
thus, it is not restricted to the use of wireless radios and can be
used with other localization systems (e.g., infrared and ultrasound
systems) as well. Overall, this study proves, via both information
theoretic and practical analysis, that localization information provides a significant additional resource for secret key generation in
mobile networks.
Index TermsInformation theoretic secrecy, localization, secret
key generation, vehicular security, wireless security.
I. I NTRODUCTION
E CONSIDER the generation of a common key in a pair

of nodes, which move in R2 (continuous space) according to a stochastic mobility model. We exploit the reciprocity of
the distance between a given pair of locations, view the distance
between the legitimate nodes as a common randomness shared
by these nodes and utilize it to generate secret key bits using the
ideas from source models of secrecy [1].
Unlike the recent plethora of studies (see Section I-A for a
brief list of related papers) that focuses on wireless channel
reciprocity, a variety of technologies can be used for localization (e.g., ultrasound, infrared, lidar, radar, and wireless radios),
which makes distance reciprocity an additional resource for
generating secret key bits. Such versatility makes the key
generation systems more robust since different technologies
may have different capabilities that wireless RF does not have.
Manuscript received November 28, 2013; revised March 24, 2014 and
May 26, 2014; accepted July 8, 2014. Date of publication July 24, 2014;
date of current version June 16, 2015. This work was supported in part by
the National Science Foundation under Grant CNS-1054738, Grant CNS0831919, and Grant CCF-0916664. This work was presented in part in the
Workshop on Physical Layer Security, Globecom 2011. The review of this
paper was coordinated by Dr. M. Elkashlan.
The authors are with the Department of Electrical and Computer Engineering, The Ohio State University, Columbus, OH 43210 USA.
Color versions of one or more of the figures in this paper are available online
at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TVT.2014.2342714
For instance, the narrow beamwidth of infrared systems would

make them less susceptible to eavesdropping from different
angles. Distance reciprocity is highly robust since the distance
measured between any pair of points is identical, regardless
of which point the measurement originates (e.g., when there
is no line of sight or when different frequency bands are used
each way). However, there are various challenges in obtaining
reciprocal distance measurements.
To that end, we propose a key generation algorithm, in which
the legitimate nodes use a three-stage key generation process:
1) In the first stage, they obtain observations regarding the sequence of distances between them over a period of time as they
move in the area. The measurements can be obtained actively
through the exchange of wireless radio, ultrasound, and infrared
beacons or passively by processing existing video images, etc.
The beacon signal may contain explicit information such as
a time stamp, or the receiving node can extract other means
of localization information by analyzing the angle of arrival,
received signal strength, etc. The nodes perform localization
based on the observations of distances and the statistics of the
mobility model and obtain estimates of their relative locations
with respect to each other. 2) In the second stage, the nodes
communicate over the public channel to agree on an initial
key based on their relative location estimates. Meanwhile, the
eavesdropper also obtains some information correlated with the
generated key. 3) In the final stage, the legitimate nodes perform
universal data compression and privacy amplification on the
initial key to obtain the final key.
The generated final key bits satisfy three quality measures:
1) reliability; 2) secrecy; and 3) randomness. For reliability,
we show that the probability of mismatch between the keys
generated by the legitimate nodes decays to 0 with increasing
block length. In our attacker model, we consider a passive
eavesdropper that overhears the exchanged beacons in the first
phase and the public discussion in the third phase and tries to
deduce the generated key based solely on these observations.
The attacker can follow various mobility strategies in order
to enhance its position statistically to reduce the achievable
key rate (possibly to 0). We assume that the attacker does not
actively interfere with the observation phase, e.g., by injecting
jamming signals, etc., in order not to reveal its presence. For
secrecy, we consider Wyners notion, i.e., the rate at which
mutual information on the key leaks to the eavesdropper, to be
arbitrarily low. For randomness, the generated key bits have to
be perfectly compressed, i.e., the entropy should be equal to the
number of bits that it contains.
Next, we focus on information theoretic limits. Using a
source model of secrecy [1], we characterize the achievable
secret key bit rate in terms of the observation noise parameters
at the legitimate nodes and the eavesdropper under two different
0018-9545 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
GUNGOR et al.: SECRET KEY GENERATION VIA LOCALIZATION AND MOBILITY
cases of global location information (GLI): 1) no GLI, in which

the nodes do not observe their global locations directly, and
2) perfect GLI, in which the nodes have perfect observation
of their global locations, through a GPS device for example. While the bounds that we provide are general for a
large set of observation statistics, we further investigate the
scenario in which the observation noise is independent and
identically distributed (i.i.d.) Gaussian for all nodes: 1) First,
we study the observation SNR asymptotics and show a phasetransition phenomenon for the key rate. In particular, we prove
that the secret key rate grows unboundedly as the observation
noise variance decays if the eavesdropper does not obtain the
angle of arrival observations. Otherwise, it is not possible to
increase the secret key rate beyond a certain limit. 2) Then, we
provide an opportunistic modification to our algorithm, with the
additional assumption that the eavesdropper mobility statistics
are available at the legitimate nodes.1 In this case, legitimate
nodes exchange beacons only when they predict a geographic
advantage over the eavesdropper. 3) We evaluate the theoretical
performance numerically for a simple grid-type model, as a
function of beacon power. We compare the bounds with our
algorithm and show that our key generation algorithm achieves
a key rate close to the theoretical lower bounds. We show that,
with our opportunistic modification, nonzero key rates can be
achieved even when the eavesdropper obtains better localization information on average (e.g., when the eavesdropper has
multiple location sensors/antennas and better GLI). We also
evaluate the performance for the case where the eavesdropper
strategically changes its location to reduce the secret key rate.
Specifically, we consider the strategy where the eavesdropper
moves to the middle of its location estimates of the legitimate
nodes. With this strategy, the eavesdropper can significantly
reduce the secret key rate compared to the case where it follows
a random mobility pattern, yet the key rate remains positive.
Finally, we test our algorithm using real experimental measurements taken in a vehicular environment, where two vehicles, equipped with TelosB motes with omnidirectional wireless
radios, cruise in local streets and freeways. We show that our
algorithm achieves nonzero secret key rates at very low keymismatch rates even under extremely pessimistic settings, in
which the attacker makes observations in the immediate vicinity
of one of the legitimate nodes throughout the process and
without any prior statistical model at the nodes on the mobility
patterns. We also show that the generated key passes all the
randomness tests in the National Institute of Standards and
Technology (NIST) test suite [28].
In summary, our main contribution is to illustrate that relative
localization information can be used as an additional resource
for secret key generation (see Section I-A for a comparison with
related work). To that end, we did the following:
1) Analyze information theoretic limits, and show that arbitrarily large secret key rates can be attained when the
adversary does not obtain any angle information.
2) Introduce and implement a secret key generation algorithm to illustrate that our idea can be realized in practice.
1 Despite the fact that the eavesdropper is passive, it is reasonable to assume
certain mobility models under specific settings (e.g., vehicular applications).
2215
3) Evaluate the performance of our algorithm via simulations, and show that it is comparable to the information
theoretic bounds on key capacity, i.e., the loss that we
attain by implementing computationally feasible algorithms is not large.
4) Illustrate via real-world experiments in vehicular settings that our algorithm can be implemented using
on-the-shelf devices without any modification on the
physical layer, and demonstrate that provably secure
keys can be generated even under extremely pessimistic
settings.
5) Develop an opportunistic beacon exchange algorithm that
achieves positive secrecy rates even when the adversary
obtains better localization information on average.
To the best of our knowledge, this is the first work that provides
both theoretical and practical analyses on secret key generation
via localization. Our system can be valuable in a number of possible applications, including intelligent transportation systems,
tactical networks, mobile secure crowd sensing, wireless LANs,
and Internet of things. We would like to emphasize that, in
any application, our system based on localization and mobility
does not have to be the only mechanism to generate secret key
bits. Instead, its robustness puts our system in a position to
play an excellent supporting role for other existing methods,
particularly for key generation via wireless channel gains.
A. Related Work
The generation of a secret key from relative localization
information can be categorized under source model of information theoretic secrecy, which studies the generation of secret key
bits from common randomness observed by legitimate nodes.
In his seminal paper [1], Maurer showed that, if two nodes
observe correlated randomness, then they can agree on a secret
key through public discussion. He provided upper and lower
bounds on the achievable secret key rates. Although the bounds
have been improved later [2], [3], the secret key capacity of
the source model, in general, is still an open problem. Despite
this fact, the source model has been utilized in several different
settings [4][6].
There is a vast amount of literature on localization (see,
e.g., [8] and [9] for wireless localization, [15] for infrared
localization, and [16] for ultrasound localization). There has
been some focus on secure localization and position-based
cryptography [10][13]; however, these works either consider
key generation in terms of other forms of secrecy (i.e., computational secrecy) or fall short of covering a complete information
theoretic analysis.
A similar line of work in wireless network secrecy considers channel identification [14] for secret key generation using
wireless radios. Based on the channel reciprocity assumption,
nodes at both ends experience the same channel, corrupted
by independent noise. Therefore, nodes can use their channel
magnitude and phase response observations to generate secret
key bits from public discussion. The literature on channel
identification-based secret key generation is vast. The authors
of [20][25] study key generation with on-the-shelf devices,
under the 802.11 development platform using a two-way radio
2216
signal exchange on the same frequency. Mathur et al. [27], on

the other hand, utilize the fact that fading is highly correlated
on locations that are less than a half wavelength apart, instead
of exploiting the reciprocity. Therefore, very close nodes can
use public radio signals (e.g., frequency modulation (FM),
television (TV), and Wi-Fi) to generate secret key bits.
In most of these works, the security analysis is based on
the assumption that the channel gains are modeled as random
processes that are independent of the distances between the
nodes and are independent at locations that are more than a few
wavelengths apart. While being appropriate for a non-line-ofsight and highly dynamic media, these models do not capture
wireless propagation in environments where attenuation is a
function of the propagation distance. In such environments,
an attacker that has some localization capabilities will gain a
statistical advantage by estimating the channel gains based on
its distance observations. If the key generation process ignores
this advantage, part of the key may be recovered by the attacker,
and thus, the key cannot be perfectly secure. For instance,
Jana et al. [21] focus on a scenario in which secret key bits are
based on the received signal strength indicator (RSSI) and show
that an eavesdropper that knows the location of the legitimate
nodes can launch a mobility attack to force the legitimate nodes
to generate deterministic key bits, by periodically blocking and
unblocking their line of sight. Similarly, if the eavesdropper is
close (less than a wavelength) to one of the legitimate nodes,
then the eavesdropper will obtain correlated information [27];
therefore, the generated key will not be perfectly secure, and
secrecy outage occurs. The practical applicability of exploiting
channel reciprocity for secret key generation has also been
questioned recently in [26]. It is shown that, particularly when
the nodes have sufficient mobility, the eavesdroppers and the
legitimate receivers channels can be significantly correlated
depending on the locations, which breaks the secrecy of the
initial generated key.
On the other hand, our approach of key generation based
on locations does not make such independence assumptions.
We take into account the dependences in the locations of the
legitimate nodes and the observations of the attacker with those
of the legitimate nodes to provide provably security against a
mobile eavesdropper with localization capability. Thus, the insights provided in this paper can also be valuable for the class of
studies on key generation based on wireless channel reciprocity,
as we show how one should capture a variety of capabilities of
the attackers in finding the correct rate for the key and in designing the appropriate mechanisms to generate a truly secret key.
The rest of this paper is organized as follows. In Section II,
we give the system model, and in Section III, we provide
our key generation algorithm. In Section IV, we provide the
general theoretical performance limits of key generation from
localization. In Section V, we study the performance limits
in detail for the case where the observation noise terms are
additive i.i.d. Gaussian and propose our opportunistic beacon
exchange algorithm. In Section VI, we apply our key generation
algorithm to a vehicular setting. We conclude in Section VII.
Several proofs and derivations are collected in the Appendix.
Due to the page limitation, technical details of secondary importance are provided in our technical report [34].
TABLE I
L IST OF VARIABLES
Fig. 1.
Legitimate nodes and the eavesdropper form a triangle.
A word about notation: We use [x]+ = max(0, x), and .

denotes the L2-norm. A brief list of variables used in the paper
can be found in Table I.
II. S YSTEM M ODEL
A. Mobility Model
We consider a simple network consisting of two mobile
legitimate nodes, called users 1 and 2, and a possibly mobile
eavesdropper e. We divide time uniformly into n discrete
slots. Let lj [i] L be the random variable that denotes the
coordinates of the location of node j {1, 2, e} in slot i
{1, . . . , n}, where nodes are restricted to the field L R2 .
We use the boldface notation lj = {lj [i]}ni=1 to denote the
n-tuple location vectors for j {1, 2, e}. The distance between
nodes 1 and 2 in slot i is d12 [i] = l1 [i] l2 [i]. Similarly,
d1e [i] and d2e [i] denote the sequence of distances between
nodes (1, e) and nodes (2, e), respectively. We use the boldface
notation d12 , d1e , d2e for the n-tuple distance vectors. Note
that, in any slot, the nodes form a triangle in R2 , as depicted
in Fig. 1, where 12 [i], 21 [i], 1e [i], and 2e [i] denote the
angles with respect to some coordinate axis. We assume that
the distances d12 [i], d1e [i], d2e [i] take values in the interval
[dmin dmax ] since the nodes cannot be closer to each other than
dmin due to physical restrictions and they cannot be further than
dmax away from each other due to their limited communication
range. We assume that the location vectors l1 , l2 , le are ergodic
2217
TABLE II
N ODES O BSERVATIONS
C. Attacker Model
Fig. 2. With GLI, the nodes obtain noisy observations of the relative orientation of each other with respect to the x-axis.
processes. We will use the notation s = [l1 , l2 , le ] to summarize

the state variables related to mobility in the system. Note that
s[i] L3 = L L L for any i.2
B. Localization
At each time slot, there is a period in which the legitimate
nodes obtain information about their relative position with
respect to each other. As discussed in Section I-A, there are
various methods to establish the localization information. In
this paper, we will not treat these methods separately. We will
simply assume that, during measurement period i, when node 1
transmits a beacon, nodes 2 and e obtain a noisy observation of
d12 [i] and d1e [i], respectively. Let these observation be d2 [i] and
d1e [i], respectively. Similarly, when node 2 follows up with a
beacon, nodes 1 and e obtain the distance observations d1 [i] and
d2e [i], respectively. The nodes may also independently observe
their global positions, e.g., through a GPS device. They may
also observe the angle that they make with respect to each other
if they are equipped with direction sensitive localizers (e.g.,
directional antennas in wireless localization). We consider two
extreme cases on the GLI.
1) No GLI: The nodes do not have any knowledge of their
global location. However, with the observations of both
the beacons, the eavesdropper also obtains a noisy observation e [i] of the angle between the legitimate nodes.
2) Perfect GLI: Each node has perfect knowledge of its
global location and a sense of orientation with respect to
some coordinate plane as shown in Fig. 2. In this case,
2 of the
1,
nodes 1 and 2 obtain noisy observations
angle 12 . Similarly, node e obtains noisy observation
2e of the angles 1e , 2e .
1e ,
Let oj [i] denote the set of observations of the node during
We assume that there exists a passive eavesdropper e, which

does not transmit any beacons. However, node e can strategically change its location to obtain a geographical advantage against the legitimate nodes. Overall, we consider two
strategies.
Random Mobility: The eavesdropper moves randomly, without regard to the location of the legitimate nodes. We will
assume that the eavesdropper adopts random mobility unless
otherwise stated.
Mobile Man in the Middle: Node e controls its mobility such
that it can move accordingly to obtain a geographic advantage
compared to legitimate nodes. We consider the strategy where
node e moves to the midpoint of its maximum likelihood
estimates of the legitimate nodes locations. For j {1, 2}, let
us denote node es maximum likelihood estimate of node js
location at slot i based on its observations up to slot i 1 as
lj,e [i]. Then
lj,e [i] = arg max P (lj [i]|oe [1], . . . , oe [i 1]) .
lj [i]L
In other words, node 1 and node 2s locations at slot i are

predicated by node e by its observations in the previous slots.
Then, at the beginning of each slot i, node e moves to the
midpoint of the estimates, which is (l1,e [i] + l2,e [i])/2.
In this paper, we also discuss the implications of multiple
and more capable eavesdroppers. The eavesdroppers may utilize their observations in two possible ways: 1) Noncolluding
eavesdroppers do not communicate or share their observations
with each other, whereas 2) colluding eavesdroppers combine
their measurements to obtain less noisy measurements. The
theoretical secret key capacity under the colluding eavesdropper scenario is lower, due to the cooperation of the eavesdroppers, as discussed in Section IV. An eavesdropper with
multiple location sensors (e.g., multiple antennas in the case of
wireless radio-based localization) is a special case of colluding
eavesdroppers, as each sensor could be viewed as a separate
eavesdropper, with perfect links between them. Theoretical
bounds, considering a more capable eavesdropper with multiple
location sensors, are evaluated numerically in Section V-C.
slot i, and oj = {oj [i]}ni=1 . The observations oj for each case

are provided in Table II. We emphasize that the observations
in each slot are obtained solely from the beacons exchanged
during that particular slot. The nodes final estimates of the
distances depend also on the observations during other slots,
due to predictable mobility patterns.
2 It is not necessary to use absolute coordinates for l , l , l . For example,
1 2 e
when global locations are not available at the nodes, we may assume that
node 1 is at the origin, i.e., l1 [i] = [0 0] for all i.
D. Notion of Security
We consider the typical definition of source model of information theoretic secrecy under a passive eavesdropper: We
assume that there exists an authenticated error-free public
channel, in which the legitimate nodes can communicate to
agree on secret keys, based on the observations of the distances
and angles (o1 and o2 ) obtained during beacon exchange.
This process, commonly referred to as public discussion [1],
is a T step message exchange protocol, where, at any step
2218
node and is responsible for making several decisions. Let us

assume that node 1 is the master node.
Algorithm 1 Key Generation From Localization
Fig. 3. Key generation algorithm, steps for node 1.
t {1, . . . , T }, node 1 sends message C1 [t] and node 2 replies

back with message C2 [t] such that, for t > 1

t1
(1)
H C1 [t]|o1 , {C1 [i]}t1
i=1 , {C2 [i]}i=1 = 0, odd t

(2)
H C2 [t]|o2 , {C1 [i]}ti=1 , {C2 [i]}t1
i=1 = 0, even t.
At the end of the T step protocol, node 1 obtains k1 , and
node 2 obtains k2 as the secret key, where

(3)
H kj |oj , {C1 [t], C2 [t]}Tt=1 = 0, j {1, 2}.
Definition 1: Secret key bits are generated (with respect to
the described attacker model) at rate R if, for all > 0 and
> 0, there exists some n, T > 0 such that (1)(3) are
satisfied, and
H(kj )/n = R,
P(k1 = k2 )

I kj ; oe , {C1 [t], C2 [t]}Tt=1 /n ,
j {1, 2}
(4)
(5)
j {1, 2}.
(6)
Here, (4)(6) correspond to perfect randomness, reliability,

and security constraints, respectively. The schemes proposed in
the literature typically use a random coding structure, where
{C1 [t], C2 [t]}Tt=1 are generated by using a binning strategy
[1][6]. In Section IV, we will make use of these existing results
to provide computable theoretical bounds on the achievable
key rates.
In practical scenarios, equivocation at e (6) is difficult to
analyze, particularly at finite block lengths [32]. To that end,
we consider an approximate version of Definition 1 in our key
generation algorithm, which is explained in Section III-E.
Step 0: Quantization
(, ) : L L = {1 . . . M }2
lj [i] (lj [i])
s
j [i] [l1 [i], l2 [i], le [i]]
Step 1: Localization
a: Beacon Exchange
for slot i = 1 : n do
if No GLI then
oj [i] dj [i], j {1, 2}
oe [i] [d1e [i], d2e [i], e [i]]
else if Perfect GLI then
oj [i] [dj [i], j [i]], j {1, 2}
oe [i] [d1e [i], d2e [i], 1e [i], 2e [i]]
end if
end for
b: Viterbi Algorithm
node j {1, 2}
for s [i 1] {1 . . . M }6 do
for s [i] {1 . . . M }6 do
if f (oj [1], . . . , oj [i], j (s [i1]), s [i]) > f (oj [1],
. . . , oj [i], j (s [i])) then
j (s [i]) (j (s [i 1]), s [i])
end if
end for
end for
end for
s
j [n] arg maxj (s [n]) f (j (s [n]), oj )
Step 2: Public Discussion
vj [i] (d
j [i] dj [i 1])
end for
(u1 , u2 , ue ) CASCADE(v1 , v2 , ve )
Step 3: Data Compression
qj Hc (uj ), j {1, 2}
Step 4: Privacy Amplification
kj Ha (qj , nR), j {1, 2}
A. Quantization
First, the nodes quantize the field L. Quantization is required
for the nodes to efficiently calculate the location estimates and
store them in their buffers for use in the subsequent public
discussion phase. In our algorithm, we consider the uniform
2-D quantization function , which is
(l, ) =
III. K EY G ENERATION A LGORITHM
In this section, we briefly explain our algorithm in five parts
and provide the complete scheme in Algorithm 1. For guidance,
the main steps are sketched in Fig. 3 for node 1. Prior to the first
stage, one of the legitimate nodes is appointed to be the master
arg min
,uZ2
k:k= u
k l
where = maxx |x (x)| is the resolution of quantization.

Hence, we obtain the quantized field L = {(l, )}lL and
quantized states s = [l
= (L )3 .
1 , l2 , le ], where s S
B. Beacon Exchange and Localization

In this phase, the legitimate nodes localize to develop the
common randomness which serves as the basis for key generation in the following steps. First, beacons are exchanged over n
subsequent slots to form the observation vectors o1 and o2 as
explained in Section II-B. Node e, on the other hand, overhears
the beacons and obtains the observations oe .
Note that each observation vector oj [i] depends solely on
the signals exchanged on slot i for all j {1, 2, e} and i
{1 . . . n}. In the case where the statistics of the mobility is
available at the nodes, each node can find the maximum likes
lihood estimates s
1 and
2 of the quantized location triple

s = [l1 , l2 , le ], where
s
j = arg max P(s |oj ),
s S
j {1, 2}.
(7)
Note that s
j = [l1,j l2,j le,j ], where l1,j is node js maximum
likelihood estimate of the node 1 location vector.3 The terms
s
j are obtained efficiently by using the Viterbi algorithm as
explained in our technical report [34]. Note the following.
1) For very small , it is not computationally feasible to
run the Viterbi algorithm since the quantized state size
|S | as 0.
2) If mobility statistics is not available at the nodes, then the
ML estimate of the node locations at a given slot depends
solely on the observations on the particular slot.
For these cases, we skip the Viterbi algorithm. For the perfect
GLI, instead of (7), we use
l [i] = l [i] + d1 [i]1 [i], l [i] = l [i] + d2 [i]2 [i]
2,1
1
1,2
2
i. Note that, in perfect GLI, each node knows its global
[i] for j {1, 2}. On the other hand, for

location: lj [i] = lj,j
no GLI, the angle and global location observations are not
available at the legitimate nodes. Hence, the nodes do not
have any useful information about each others 2-D location.
Therefore, they only use their 1-D distance observations in the
following public discussion stage, instead of their 2-D location
s
estimates, i.e., we set s
1 = d1 and
1 = d2 .
C. Binary Conversion and Public Discussion
First, each node j {1, 2} obtains an initial m bit binary
sequence

vj [i] = l1,j
[i] l2,j
[i], m
(8)
2219
to the noisy nature of the observations, the bit mismatch

rate (BMR) between the sequences v1 and v2 , denoted as
BMR(v1 , v2 ), can be significant. To correct bit mismatches,
nodes 1 and 2 exchange T binary messages (C1 [1], . . . , C1 [T ])
and (C2 [1], . . . , C2 [T ]) over the public channel, to agree on
almost identical initial keys u1 and u2 , respectively, such that
BMR(u1 , u2 ) <
(9)
where > 0 can be chosen low enough such that the reliability
constraint is satisfied. The process is referred to as information
reconciliation by public discussion [1]. In our algorithm, we use
the cascade reconciliation protocol [29], which is covered in
our technical report [34]. Cascade protocol performs efficiently
when the BMR of the initial sequences is low enough such
that [29]
BMR(v1 , v2 ) < 0.15.
(10)
Parameter m is chosen as large as possible such that (10) is

satisfied. On the other hand, T is variable and depends on bit
sequences and intermediate cascade parameters, as explained
in our technical report [34].
D. Universal Compression
After the public discussion phase, we have satisfied the
reliability constraint. However, we have yet to satisfy the randomness and secrecy constraints: Due to predictable mobility
patterns of legitimate nodes, it is possible that vj , hence uj ,
may not be perfectly random. Furthermore, the eavesdropper
obtains information correlated with uj due to two reasons:
The eavesdroppers observations oe are correlated with the
legitimate nodes observations o1 , o2 , and the parity bits exchanged during the cascade protocol in the public discussion
phase reveal some information about the keys u1 and u2 to
the eavesdropper. Therefore, in the following two stages, we
compress and hash the keys u1 and u2 to obtain smaller keys
that satisfy randomness and secrecy constraints.
Legitimate nodes first compress their key sequences u1 and
u2 using a universal compression function Hc () to obtain
qj = Hc (uj ),
j {1, 2}
(11)
where the bit sequences qj are of size nR bits. In our

algorithm, we use the deflate/inflate compression library for
function Hc () [30]. Let the compression ratio be denoted by
= R /m.
where (, m) = (L L ) {1 . . . 2m } is a Gray coder,

which maps the 2-D difference of location estimates to m
bit binary sequences. Let vj = [vj [1] . . . vj [n]] represent the
concatenated version of bit sequences, of size nm bits. Due
3 Since node e is assumed to be passive and does not transmit any beacons,
l depends solely on the eavesdropper mobility statistics at the legitimate
e,j
nodes. If this information is not available, then it can safely be assumed that
l = .
e,j
E. Privacy Amplification
Legitimate nodes will map their compressed keys q1 and q2
into shorter sequences, k1 and k2 , of key bits in such a way that
perfect secrecy condition (6) in Definition 1 is satisfied. We use
the following universal hash function for privacy amplification.
Let Ha (x, R) denote
Ha (x) = LSBnR (a x)
(12)
2220
where LSBnR is the least significant nR bits, a is an ele

ment over the binary Galois field GF(2nR ), and x {0, 1}nR

is interpreted as an element of GF(2nR ) with respect to a
fixed basis of the extension field over the prime field GF(2).
Consequently, {Ha (x)}aGF(2nR ) is a universal class of hash
functions [7].
In the privacy amplification stage, node 1 first chooses a

randomly and uniformly over GF(2nR ) and broadcasts on the
public channel. Then, nodes 1 and 2 apply privacy amplification
k1 = Ha (q1 , nR) and k2 = Ha (q2 , nR), respectively.
Choice of Rate R: Due to the imperfections associated with
quantization and cascade reconciliation protocol, rate R cannot
be chosen to be the theoretical secret key capacity, which is
studied in the following section. To satisfy the perfect secrecy
condition (6), it suffices to choose rate R as R < R , where R
is the equivocation rate at node e [7], [18]
R =

1
H q1 |oe , {C1 [t], C2 [t]}Tt=1 .
n
(13)
However, the calculation of (13) may be computationally infeasible, as discussed in [32]. In our technical report [34], we
approximate R to obtain
R = BMRe log(BMRe )
(1 BMRe ) log(1 BMRe )
T
n

(14)
is much easier to evaluate. Here, BMRe =

i=1 1(v1 [i] = ve [i])/nm is the BMR at node e before
public discussion, assuming that node e follows quantization
and localization steps as described for legitimate nodes and
obtains initial bit sequence ve .
Note that BMRe is not perfectly available at the legitimate
nodes since it requires the perfect knowledge of ve [i]. However, when the mobility, and observation noise statistics of the
eavesdropper are available at the master node, BMRe can be
approximated using Monte Carlo simulations. Note that this
is a reasonable assumption, as security is generally defined
with respect to a certain threat model. It even suffices if we
do not know the exact statistics but only know the set of
mobility/observation noise statistics that the eavesdropper belongs to (there is a compound nature of the eavesdropper
model). For example, we can consider a variety of a class of
attackers with distinct mobility patterns. Then, we can choose
to secure the keys with respect to the worst possible attacker.
R
While one may think that it is not possible to generate a secret
key at a nonzero rate with this conservative approach, our
experimental observations presented in Section VI are highly
encouraging.
which
nm
IV. T HEORETICAL P ERFORMANCE L IMITS

In this section, we provide information theoretic bounds on
the achievable key rate with perfect reliability. To evaluate these
bounds, we assume an idealized system by ignoring the issues
associated with quantization, cascade reconciliation protocol,
and privacy amplification. Thus, these bounds are valid for any
key generation scheme that satisfies Definition 1.
Theorem 1: A lower bound RL and an upper bound RU
on the perfectly reliable key rate achievable through public
discussion are

1
RL = max lim [I(o1 ; o2 ) I(o1 ; oe )]+
n n

1
+
lim [I(o2 ; o1 ) I(o2 ; oe )]
(15)
n n
1
min {I(o1 ; o2 ), I(o1 ; o2 |oe )}
n n
RU = lim
(16)
respectively, where o1 , o2 , and oe are as given in Table II for

different possibilities of GLI.
The theorem follows4 from [18, Proposition 7], which generalizes Maurers results on secret key generation through public
discussion [1] to non-i.i.d. settings. Although tighter bounds
exist in the literature [2], [3], we use the aforementioned bounds
since they provide clearer insights due to their simplicity.
For the special case where observations (o1 [i], o2 [i], oe [i])
are i.i.d., we can safely drop the index i and denote the joint
probability density function of observations as f (o1 , o2 , oe ).
Therefore, the conditioning on the past and future observations
in RL and RU disappears, and the bounds reduce to

RL = max [I(o1 ; o2 ) I(o1 ; oe )]+ ,
[I(o1 ; o2 ) I(o2 ; oe )]+
RU = min (I(o1 ; o2 ), I(o1 ; o2 |oe )) .
(17)
(18)
Also, note that Theorem 1 can be extended to provide key

rate bounds against multiple eavesdropper models discussed
in Section II-C. Consider K eavesdroppers, with observations
oe,1 , . . . , oe,K . For the noncolluding eavesdropper model, since
the eavesdroppers are not communicating, we can safely consider the most capable eavesdropper k. In other words, in
(15) and (16), we can replace oe with oe,k for k {1, . . . K}
which yields the lowest bounds and discard the rest of the
eavesdroppers. For the colluding eavesdropper model, we can
replace the term oe in (15) and (16) with oe,1 , . . . , oe,K since
the eavesdroppers perfectly communicate with each other. It
can be directly observed that the bounds for the colluding case
are lower with respect to the noncolluding case.
V. G AUSSIAN O BSERVATIONS
To obtain more insights from theoretical results in
Section IV, we focus on the following special case: First,
we assume that the node locations are individually Markov
processes such that
lj [i 1] lj [i] lj [i + 1],
j {1, 2, e}
4 In [18, Prop. 7], general upper and lower bounds are provided, including
the case where the source processes are not ergodic. In our system model, o1 ,
o2 , and oe are ergodic processes, and therefore, these lower and upper bounds
reduce to (15) and (16), respectively [17].
holds for any i and their joint probability density function

f (l1 , l2 , le ) is well defined. Second, all observations of distance
and angle terms are i.i.d. Gaussian processes. This model is
typically used in the literature to characterize the observation
noise [8], [19]. Using the insights, we develop our opportunistic
beacon exchange algorithm and evaluate the theoretical bounds
on a simple 2-D grid. To that end, for no GLI, j {1, 2}

(d12 [i]) j
dj [i] = d12 [i] + wj [i], wj [i] N 0,
(19)
P

(dje [i]) e
dje [i] = dje [i] + wje [i], wje [i] N 0,
(20)
P

(d1e [i], d2e [i]) e
e [i] = e [i] + we [i], w [i] N 0,

P
(21)
are Gaussian noise processes, where P is the beacon power.
The observation noise variances are increasing functions of
the distance, which are modeled by the increasing functions
for distance observations and for angle observations.
The parameter j depends on the capability of the nodes. For
instance, in wireless localization, and depend on the
path-loss exponent, and depends on the receiver antenna
gain, number of antennas, etc. [8], [19]. For perfect GLI, we
additionally assume5 that, for j {1, 2}

(d12 [i]) j
j [i] = j [i] + wj [i], wj [i] N 0,

(22)
P

(dje [i]) e
je [i] = je [i] + wje [i], wje [i] N 0,

.
P
2221
the beacon power P , which indicates that arbitrarily large secret

key rates can be obtained. However, when the eavesdropper
observes the angle information, then RU remains bounded,
which indicates that the advantage gained by increasing the
beacon power is rather limited. To clearly illustrate our insights,
we present our results for the no GLI scenario. However, the
same conclusion holds for the perfect GLI case as well.
Note that transmitting multiple beacons at a given slot delivers the same effect as increasing the beacon power. Since
the observation noise terms are i.i.d. Gaussian, the arithmetic
mean of these observations at the receiver is a sufficient statistic. In other words, transmitting a single beacon at power
KP is equivalent to transmitting K beacons at power P ,
for K 1.
Theorem 2: When the eavesdropper obtains the angle infor e ; e ) > 0
mation, i.e., I(
lim RU < .
The proof is in Appendix B, where we show that limP RU ,

where
1
= log
2

e d212 1
2E 2
(d12 )
d12
e
+ 4(d1e +d2e )2
5 For perfect GLI, the angle information is obtained according to a fixed

coordinate plane, and hence, the function has a single argument.
6 Note that, in some cases, the nodes cannot obtain any useful angle information, e.g., in wireless localization, when each node is equipped with a single
omnidirectional antenna.
(d1e ) +
2
(d2e )
+ 8(d1e + d2e )d1e d2e
(d1e ) +
(d2e )

(d1e , d2e )

+ 64(d1e + d2e ) ((d1e ) + (d2e ))

1
E [log (21 (d12 ))] .
2
(25)
The parameter remains finite since the distances take on

values in some bounded range [dmin , dmax ] with probability 1.
Therefore, the secret key rate remains bounded.
Theorem 3: When the eavesdropper does not obtain any
e ; e ) = 0
angle information, i.e., I(
A. Beacon Power Asymptotics

In this part, we analyze the beacon power asymptotics of the
system. We show that, if the eavesdropper does not observe
the angle,6 i.e., e = , then RL increases unboundedly with

+ 4d1e d2e +64(d1e d2e )2 (d1e , d2e )
(23)
Clearly, the achievable key rates depend highly on the functions , , and . In Section V-C, we evaluate the key rate
performance of our algorithm for particular choices of , ,
and and compare with the theoretical bounds in Section IV.
We emphasize that our key generation algorithm works in
the general case, without the aforementioned assumptions on
the node locations following a Markov process and with the
distance and angle observations being Gaussian, as illustrated
in experimental results in Section VI.
Note that there may be a bias on these observations due to
small scale fading [19]. The effect of biased observations is
considered in our technical report [34].
(24)
lim
P 1
2
RL
= lim
log(P ) P
1
2
RU
= 1.
log(P )
The proof is provided in Appendix B. Theorem 3 implies

that, without the angle observation at the eavesdropper, an
arbitrarily large key rate can be achieved with sufficiently large
beacon power P . However, the key rate increases with log(P ),
which means that increasing the beacon power would provide
diminishing returns.
2222
B. Opportunistic Beacon Exchange Algorithm

Note that observation noise variance terms (19)(23) are
increasing functions of distance. Therefore, at certain states s[i]
(e.g., when the eavesdropper is located in between the legitimate nodes), the eavesdroppers observation noise variance can
be smaller compared to legitimate nodes. Formally speaking,
when o1 [i] and o2 [i] are both stochastically degraded versions
of oe [i], i.e., there exists a density function f such that the
condition

f (x|s[i]) f (oj [i]|x) dx
(26)
f (oj [i]|s[i]) =
x=oe [i]
holds for j {1, 2}, the transmission at slot i benefits the

eavesdropper more than it benefits the legitimate nodes. This
is due to the fact that, since node locations are not independent
across time, the eavesdropper can use the advantage obtained
at slot i to obtain better estimates at slot i + 1. Therefore,
skipping the beacon transmission at slots when condition (26)
occurs will yield higher key rates compared to the case where a
beacon is exchanged in every slot. However, it is not feasible for
legitimate nodes to verify condition (26) due to the following
two facts.
1) It is not computationally feasible to verify condition (26).
2) The legitimate nodes do not know each others exact
location, and they do not observe the eavesdroppers
location at all.
To circumvent these two issues, we consider an approximate
version of (26) and consider the likelihood of that new condition, based on the nodes statistical knowledge of each others
and the eavesdroppers location. The details are provided in
Algorithm 2. Beacon transmission decisions are made by the
master node. Let
A[i] =
(d1e [i] d2e [i] cos (e [i]))2 (d1e [i])

d12 [i]2
(d2e [i] d1e [i] cos (e [i]))2 (d2e [i])
d12 [i]2
(27)
(d1e [i]d2e [i] sin (e [i]))2 (d1e [i], d2e [i])

d12 [i]2
(28)
B[i] =
where max = max(1 , 2 ). The master node decides to skip

the beacon exchange at slot i either when the condition

P (d12 [i])max < (A[i] + B[i]) e |{ok [l]}i1
l=1 < (29)
occurs for some predetermined threshold and when a beacon
exchange has occurred in the previous c slots, chosen appropriately in order to avoid long droughts leading to the possibility
for the nodes to get out of each others range. The derivation
of (29) follows from applying a series of linear approximations
to (26) and is provided in Appendix A. Note that the master
node do not know the exact values of A[i], B[i], nor d12 [i], but
rather, it knows the probability distribution, conditioned on its
observations, and the statistical knowledge of each others and

the eavesdroppers location.
Algorithm 2 Opportunistic Beacon Exchange
BEACON:
j Master Node
CTR 0
6
6
P(s
1 [0]) 1/M , s1 [0] {1 . . . M }
0
for s [i 1] {1 . . . M }6 do
for s [i] {1 . . . M }6 do
x1 1((d12 [i]) > A[i] + B[i]|s [i])
x2 f (oj [1], . . . , oj [i 1], s [i 1])
x3 P(s [i]|s [i 1])
+ x1 x2 x3
end for
end for
if < or CTR c then
NODE 1 TX BEACON
NODE 2 TX BEACON
oj [i] (dj [i], )
CTR 0
else
NODE 1 SILENT
NODE 2 SILENT
oj [i]
CTR CTR + 1
end if
end for
If the other legitimate node receives a beacon during slot i, it
replies back with a beacon; otherwise, it remains silent. At the
end of slot i, the nodes update their observations such that, if no
beacons have been transmitted, then oj [i] = for j {1, 2, e}.
The probability in (29) can be efficiently approximated with
linear complexity using the forward algorithm, as provided in
Algorithm 2 and illustrated in Appendix A-1.
Remarks:
If the mobility is i.i.d., then no advantage in terms of secret
key rate can be obtained by using opportunistic beacon
transmission. Still, power would be more efficiently utilized due to less beacon exchanges.
The algorithm works when the statistical knowledge of
eavesdropper mobility is available at the legitimate nodes.
Despite the fact that the eavesdropper is passive, it is reasonable to assume certain mobility models under specific
settings (e.g., vehicular applications).
In Section V-C, we show that our algorithm achieves nonzero
secret key rates for some cases that yield zero secrecy rates
when a beacon is transmitted every time slot. We also compare
our algorithm with the genie-aided case, in which a genie knows
the exact locations of all the nodes in the field and tells the
nodes to skip beacon transmission at slot i when the condition
(d12 [i]) max > (A[i] + B[i]) e
2223
is satisfied. The genie-aided case provides us an upper bound on

the achievable key rate among algorithms that use this condition
for beacon transmission decisions.
C. Numerical Evaluations
We evaluate the key rate performance of our key generation
algorithm and the theoretical bounds in Section IV for the
Gaussian observations model using Monte Carlo simulations.
We also study the theoretical performance gains of the proposed
opportunistic beacon exchange strategy.
Setup: We consider a simple (M M ) discrete 2-D grid,
which simulates a city with M blocks that covers a square field
of area A2 , such that, for any j {1, 2, e}, i {1, . . . , n}, lj [i] =
[x y] {A/M, . . . , M (A/M )}{A/M, . . . , M (A/M )}. Node
mobilities are Markov and characterized by parameter B, where
1
AB
(B+1)2 , if |xx | M

P(lj [i]= [x y]|lj [i1]= [x y ])=
|yy | AB
M
0,
otherwise.
For no GLI, we choose (d) = 0.1 + d2 and (d1e , d2e ) =
(/(1.1 + (d21e + d22e ))), and for perfect GLI, we choose
(dje ) = (/(1.1 + d2je )) such that both parameters are
strictly increasing functions of the distances.7 We assume that
nodes employ identical location sensors, and the observation
variance term is a function of the number of sensors: Since
the observation noise in different sensors is i.i.d. Gaussian, the
maximum ratio combining yields
a single less noisy Gaussian
observation such that 1 = 1/ K1 , where K1 is the number of
sensors in node 1, and we similarly define 2 , e . We consider
identical nodes (1 = 2 = e = 1) unless stated otherwise.
The theoretical key rates are calculated using the forward
algorithm procedure described in our technical report [34].
Results: Due to computational limitations explained in
Section III-B, we consider examples in which M 11 and
B 3. Note that this choice limits the maximum achievable
secret key rate.8 First, we compare the performance of our
key generation algorithm with the theoretical capacity bounds
in Section IV. Recall that the theoretical lower bound RL is
achieved by using random coding arguments which are not feasible to implement due to computational complexity. Therefore,
our algorithm is expected to perform worse than RL since it is
implemented using computationally efficient tools, such as the
Viterbi algorithm, cascade algorithm, etc. In Fig. 4, we plot the
key rates with respect to the normalized beacon power P/02 for
M = 5, A = 5, and B = 1, where 02 denotes the variance of
distance observations dj [i] of legitimate nodes at unit distance.
We show that, even in this grid with a small number of possible
locations, we can generate reliable key bits comparable with
RL . The key rate starts to decrease at a certain beacon power,
7 A similar model for distance observation noise is used in [8]. Since
e
[0, ], the angle observation error variance cannot diverge with distance, and
we upper bounded the variance term by /1.1. To avoid zero error variances at
zero distance, we introduce a 0.1 offset to the numerator and denominator of
and , respectively.
8 For instance, for B = 1, there are 13 different possible distance combinations. Consequently, a key rate of log 13 is an absolute upper bound for no GLI,
even in the case when the eavesdropper obtains no observation.
Fig. 4. Our algorithm performance versus theoretical bounds. No GLI.
Fig. 5. Theoretical bounds, with no GLI, for different M , B = 1, and

A/M = 1.
beyond which the rate of information accumulation at the

eavesdropper exceeds that at the legitimate nodes.
Then, we analyze the effect of grid size, field area, and GLI
on the theoretical key rates. In Figs. 5 and 6, we plot the bounds
on the achievable key rate with respect to the normalized
beacon power P/02 for different grid size M for no GLI and
perfect GLI cases, respectively. We assumed a constant ratio
of field size and grid size, A/M = 1, and considered B = 1.
We can see that there is a diminishing return on the increased
power levels for the achievable key rate. Furthermore, we can
see that increasing the field area A2 has a negative impact on
the key rate despite the increase in M , which is due to the fact
that the common information of the legitimate nodes decreases
as a result of the increase in their observation error variance.
We also study a more capable eavesdropper with multiple
sensors (antennas), where the observations in each sensor are
combined to obtain less-noisy observations via maximum ratio
combining. In Fig. 7, we plot the theoretical bounds, where we
assume no GLI for all nodes, and the legitimate nodes have a
single sensor (1 = 2 = 1), M = 5, A = 5, and B = 1. It is
2224
Fig. 6. Theoretical bounds, with perfect GLI, for different M , B = 1, and

A/M = 1.
Fig. 8.
Bounds for opportunistic beacon exchange.
Fig. 7. Eavesdropper with multiple sensors, NO GLI.
Fig. 9.
Effect of eavesdropper mobility on the key rate.
observed that the achievable rate remains positive, even with a

slightly more capable eavesdropper.
Next, we show that, for an even more pessimistic scenario,
positive key rates can be achieved by our opportunistic scheme,
which would not be possible with the nonopportunistic case.
We assume the following: 1) Node e has three location sensors
compared to the single sensor in the legitimate nodes (e
0.6), 2) node e has perfect GLI, whereas the legitimate nodes
have no GLI; and 3) node e stays fixed at the center of the M
M grid for M = 7, A = 5, and B = 1. Since the observation
noise variance is an increasing function of the distance, this also
gives node e a geographic advantage over the legitimate nodes 1
and 2. We can see from Fig. 8 that the secret key rate decays to 0
with the nonopportunistic scheme. On the other hand, nonzero
secret key rates can be achieved with our opportunistic strategy
outlined in Section III, for parameters = 0.5 and c = 4. On
the same figure, we also plot the achievable key rates for the
genie-aided scheme, which has the reach to the perfect side
information on whether the legitimate nodes have a geograph-
ical advantage or not at any given point in time. With such

side information, the key rate is roughly doubled compared
to our opportunistic scheme. Note that our algorithm obtains
information on the presence of a geographical advantage, based
solely on the beacon observations.
Assuming that node e has perfect GLI and legitimate nodes
have no GLI, we analyze the effect of eavesdropper mobility on
the achievable key rate. In Fig. 9, for M = 7, A = 5, and B = 1,
we plot the secret key rate bounds for the cases where node e
does the following: 1) follows the random mobility pattern
described in the setup with parameter B = 1, 2) stays at the origin, and 3) follows the man-in-the-middle strategy described in
Section II-C. We can see that, compared to following a random
mobility pattern, the eavesdropper can reduce the achievable secret key rate significantly by following this strategy. The eavesdropper can also reduce the key rate by simply staying static at a
certain favorable location, rather than moving randomly. However, in practice, this may not be feasible since, by staying put, it
will lose connection with the legitimate nodes in a large region.
2225
TABLE III
ACHIEVED K EY R ATES (B ITS /S ECOND )
VIA OUR K EY G ENERATION A LGORITHM
Fig. 10. Antenna placement on vehicles.
VI. E XPERIMENTAL E VALUATIONS

To illustrate that our algorithm can be implemented in
practice, we test our key generation algorithm in a vehicular
setting with wireless radios. We used two vehicles A and B,
each equipped with TelosB motes. Omnidirectional antennas
placed above wheels of each vehicle, as shown in Fig. 10,
are connected to TelosB motes. Beacons are transmitted from
antennas periodically, and RSSI measurements are collected for
transmitterreceiver antenna pairs, which are mapped to obtain
distance observations using a path-loss model.
We chose to utilize long term-averaged RSSI as the source
of distance observations because we want to illustrate that our
algorithm can be easily implemented in practice using on-theshelf devices. Note that RSSI can be easily obtained from
higher layers, without any modification on the physical layer.
It is clear that the success of a scheme that utilizes RSSIs is
dependent on channel reciprocity, and this approach, at first
glance, seems similar to works on channel reciprocity [20]
[25]. Our main differences from these works are the following:
1) We utilize long term-averaged RSSI and hence eliminate
the fluctuations in RSSI due to fading and shadowing, which
are the main sources of keys generated via channel reciprocity
approaches; and 2) we can explicitly calculate the equivocation
rate and hence obtain perfectly secure key bits, without encountering secrecy outages.
We use the rear left antenna of vehicle A and the front left
antenna of vehicle B as nodes 1 and 2, respectively. Similarly,
we take the measurements from the rear right antenna of vehicle
A to be the eavesdropper observations. Note that, in this case,
the distance between node 1 and node e is fixed and we assume
that this distance d1e and the angle e are known perfectly by
node e. We also assume that nodes 1 and 2 do not have the
mobility statistics or their individual global locations (hence
no GLI). Thus, the scenario that we are trying to emulate
with this experiment is one that is extremely favorable for the
eavesdropper (an attacker that collects observations directly
from one of the legitimate vehicles). We illustrate that, even
in such highly pessimistic cases, it is possible to generate secret
keys at a nonzero rate.
Our key generation algorithm has been tested on vehicles
driven in the following: 1) freeway and 2) local roads, where
beacon exchange occurs roughly every second. For both settings, we utilized the following: 1) sedan and 2) Sports Utility
Vehicle (SUV)-type. For sedan vehicles, we were also able to
test our algorithm under heavier traffic conditions, during the
busy hours. The achieved key rates, in terms of bits per second,
are provided in Table III. As expected, key rates achieved under
Fig. 11. Distance observations for freeway data.
heavier traffic conditions are lower compared to lighter traffic

conditions, due to multipath and non-line-of-sight effects from
the physically interfering cars. Due to similar reasons, we also
see that key rates achieved in freeway roads are consistently
higher compared to local roads.
We go over the details of our key generation algorithm for
sedanfreeway setting and consider the first n = 1000 slots.
We use a path-loss model to obtain distance observations9 from
long term-averaged beacon RSSI [31]
dj [i] = 22 log10 (0.1RSSIj [i]+0.9RSSIj [i1])44.8 (30)
where RSSIj [i] is associated with node j at measurement
slot i (the unit is dBm) and dj [i] is the distance measurement
in meters. Note that the operation inside the parenthesis in
(30) provides the exponential moving average of RSSI measurements, where the weights are chosen sufficiently large to
eliminate the fluctuations in RSSI due to fading and shadowing.
2 at the legitimate nodes and
1, d
The distance measurements d
d2e at node e, each of size n-samples, are provided in Fig. 11.

Recall that d1e and e are known perfectly at the eavesdropper.
Recall from Section III-B that, in case of the lack of mobility
statistics and GLI at the legitimate nodes, we generate keys
based on 1-D relative distance information, instead of 2-D relative location information. Therefore, we skip the Viterbi algorithm and consider the m-bit quantization function, and we use
an m-bit Gray coder to obtain the initial binary sequences v1 ,
v2 , and ve , each of size nm bits. As discussed in Section III-C,
9 The accuracy of the model is not that critical, as long as the same mapping
is used by both users.
2226
VII. C ONCLUSION
Fig. 12. Bit error patterns before and after public discussion.
TABLE IV
R ANDOMNESS T EST R ESULTS FOR THE K EY G ENERATION A LGORITHM
we choose m to be the largest possible value that satisfies (10),

which turns out to be m = 2 for the sedanfreeway experiment.
In Fig. 12, we provide v1 , along with the bit mismatches in
node 2, i.e., (v1 v2 ), and the bit mismatches in node e,
i.e., (v1 ve ) before information reconciliation. The BMRs
are (BMR(v1 , v2 )) = 0.0935 and (BMR(v1 , ve )) = 0.4095.
Then, we use the cascade reconciliation protocol to correct
bit mismatches at node 2. The legitimate nodes obtain u1 and
u2 , where bit mismatches (u1 u2 ) at the legitimate node 2
are shown in Fig. 12, The bit mismatches at legitimate
nodes are almost completely corrected during reconciliation,
as (BMR(u1 , u2 )) = 0.001. However, T = 1301 message bits
are exchanged each way on the public channel and revealed
to node e. Finally, the legitimate nodes compress their bit
sequences u1 and u2 using universal compression to obtain
compressed sequences q1 and q2 , each of size 1248 bits,
and hence, the compression ratio is = 0.624. Finally, the
legitimate nodes apply privacy amplification to the compressed
sequences to obtain shorter messages k1 and k2 of size nR.
Choosing R = 0.4065 bits/slot is sufficient for perfect secrecy,
according to (14), which corresponds to 0.4065 bits/second
since a sample is acquired in each slot. Note that this rate
can be increased by taking observations more frequently. In
Table IV, we provide the results of the NIST randomness tests
applied to key sequence k1 . Here, a value greater than 0.01 is
considered as a pass [28]. It can be observed that k1 passes all
the randomness tests.
We showed, through both practical and theoretical analyses,

that relative localization information is an additional resource
for generating secret key bits in mobile networks. To illustrate
practical feasibility, we developed an algorithm using computationally efficient tools, which works in three main steps: localization, public discussion, and privacy amplification. We also
studied the information theoretic limits of secret key generation
and characterized lower and upper bounds of key rates, utilizing
results for the cases in which the nodes are/are not capable of
observing their global locations. Focusing on the special case
where the observation noise is i.i.d. Gaussian, we studied the
beacon power asymptotics and observed that, when the eavesdropper cannot observe the angle information, the secret key
rate grows unboundedly. Via our novel opportunistic beacon
exchange algorithm, we illustrated that nonzero secret key rates
are achievable even when the eavesdropper is more capable on
average. We also tested our algorithm on a vehicular setting and
showed that our algorithm can be implemented using on-theshelf devices, without any modification on the physical layer.
We showed that nonzero key rates are achievable in practice,
even under extremely pessimistic settings. The following research directions can be further investigated: 1) performance
analysis of secret key generation in large networks, taking into
account the recent advances in network information theoretic
security; and 2) security analysis of various adversarial models,
such as jamming attacks or impersonation attacks in unauthenticated networks.
A PPENDIX A
O N O PPORTUNISTIC B EACON E XCHANGE
We do not directly use (26) for beacon transmission decisions
due to certain challenges. Here, we address them and justify
why we use (29) instead. The first issue is that it is difficult
to verify condition (26). To see whether there exists a valid
probability density function f that satisfies (26), we can pose
the problem as that of calculus of variations:

= min f d1 [i]|d12 [i]
f

f (x|d12 [i])
e [i])
x=(d1e [i],d2e [i],

subject to

f d1 [i]|x dx
f(u)du = 1.
If = 0, then the legitimate nodes observations are the

stochastically degraded version of the eavesdroppers observations. However, due to the fact that there may exist no closedform expression for f (d1e [i], d2e [i], e [i]|d12 [i]), this problem
can be highly complex. Instead, in our algorithm, the legitimate
nodes make their decisions based on an approximate version of
(26) at the expense of some loss in the key rate. Define de [i] as

+
(31)
de [i] =
d1e [i]2 + d2e [i]2 2d1e [i]d2e [i] cos e [i]
Fig. 13. Hidden Markov structure.
which corresponds to the cosine law estimate of d12 [i] of the

eavesdropper. Through a sequence of first-order approximations on de [i], described in our technical report [34], we end
up with
de [i] = d12 [i] + we [i]
for j {1, 2}, the condition

(33)
would be sufficient to verify that the actual node measurement

is more degraded than the eavesdropper measurement.10 Note
that the legitimate nodes cannot make use of (33) for beacon
transmission decisions directly since they only have the statistics of the eavesdropper location and they do not know the
parameters A[i], B[i], and d12 [i] exactly. However, using the
statistical knowledge, they can calculate the probability of event
(33), conditioned on their observations, which is (29). Therefore, (29) is used as a basis for beacon transmission decisions.
A. Forward Algorithm
Due to the Markov assumption on the mobility model and
the fact that the observations oj [i] depend solely on the current
locations, s [i]s and oj [i]s form a hidden Markov chain as
depicted in Fig. 13. The forward algorithm follows from the
simple observation that, for any slot i

f oj [1], . . . , oj [i], s [i] = f oj [1], . . . , oj [i1], s [i1]

P s [i]|s [i 1] f oj [i]|s [i] ds [i 1].
The term P(s [i]|s [i 1]) is called state transition

probability and is independent of current time slot i since
the mobility model is stationary. The term f (oj [i]|s [i])
is called emission density, which is Gaussian, as described
by (19)(21). Thus, (34) gives us an iterative relationship to
calculate f (oj [1], . . . , oj [i], s [i]) using f (oj [1], . . . , oj [i 1],
s [i 1]). Iterating over (34) for n slots, we obtain f (oj , s ).

Recall that s = [l
1 , l2 , le ], the quantized states, contain the
quantized version of all the distance and angle information in
(29), e.g., (d
12 , dje , e ). Hence, the probability in (29) can be
efficiently calculated.
(32)
where we [i] N (0, (e (A[i] + B[i])/P )) such that A[i] given

in (27) is the uncertainty that comes from the distance observation errors and B[i] given in (28) is the uncertainty that
comes from the angle estimate error. The idea behind the
described approximation is the linearization of de [i], and the
approximation becomes more accurate as the beacon power
increases (i.e., in the high SNR regime).
In our algorithm, the legitimate nodes use the term de [i] for
beacon transmission decisions. Clearly, d12 [i] (d1e [i], d2e [i],
e [i]) de [i] forms a Markov chain. Consequently, when d1 [i]
and d2 [i] are stochastically degraded versions of de [i], they
are also stochastically degraded versions of the eavesdropper
observations (d1e [i], d2e [i], e [i]); hence, the condition (26) is
satisfied. Since the legitimate nodes observations follow the
distributions:

(d12 [i]) j
dj [i] N d12 [i],

P
max (d12 [i]) > e (A[i] + B[i])
2227
(34)
10 However, the converse is not true since d [i] is not a sufficient statistic of
e
(d1e [i], d2e [i], e [i]).
A PPENDIX B
P ROOFS OF T HEOREMS IN S ECTION V-A
A. Proof of Theorem 2
We provide three lemmas that will be useful in the proof.
Lemma 1: Let x and y be random variables. Then
Var(x + y) 2Var(x) + 2Var(y).
(35)
If x, y are independent, then Var(x + y) = Var(x) + Var(y).

Lemma 2: Let x be a random
variable such that
E[x]
,
where
>
1.
Let
=
1 + /(1 + ). Then,

Var( [1 + x]+ ) Var(x).
Lemma 3: Let x, y be random variables. Then

Var E 1 (1 + x)+ |y E (E [|x| | y])2 .
The proofs of Lemmas 1, 2, and 3 are provided in our technical
report [34] due to space constraints. Assume, without loss of
e =
generality, that min = min(1 , 2 ) = 1 . When
1
I(d1 ; d2 |d1e , d2e , e )
n n

1
1 |d12 ) (36)
h(d1 |d1e , d2e , e ) h(d
lim
n n
n
1
e [i])
lim
h(d1 [i]|d1e [i], d2e [i],
n n
i=1

h(d1 [i] d12 [i]|d12 [i])
RU = lim
e ) h(d1 d12 |d12 )

= h(d1 |d1e , d1e ,
(37)
1 d12 (d
2, d
1e ,
where (36) follows from the fact that d
d2e , e ) forms a Markov chain and (37) follows from the

fact that all of the random variables d1 [i], d1e [i], d2e [i], e [i]
have a stationary distribution, denoted as d1 , d1e , d2e , and e ,
respectively. The second term in (37) can be found as

(d12 )1
1
h(d1 d12 |d12 ) = E log

(38)
2
P
from the definition of d1 [i]. Now, we bound the first term in
(37). Let us define

+
de =
d21e + d22e 2d1e d2e cos(e ) .
2228
Then
h(d1 |d1e , d2e , e ) h(d1 |de ) h(d1 de ).
(39)
Note that, for a given variance, Gaussian distribution maximizes the entropy. Therefore, the entropy of a Gaussian random
variable that has a variance identical to that of d1 de will be
an upper bound for (39). We proceed as follows:

Var(d1 de ) = E Var(d1 de |d12 , d1e , d2e )

(40)
+ Var E[d1 de |d12 , d1e , d2e ]
where (40) follows since, for any dependent random variables x
and y, Var(x) = E[Var(x|y)] + Var(E[x|y]). Now, we upper
bound the first term of (40). Note that
Var(d1 de |d12 , d1e , d2e ) = Var(d1 |d12 )
+ Var(de |d12 , d1e , d2e )
(41)
due to Lemma 1, since d1 (d12 , d1e , d2e) (d1e , d2e , e) de

forms a Markov chain, and the fact that d1 is independent of
d1e , d2e given d12 . The first term in (41) is equal to
Var(d1 |d12 ) = Var(w1 |d12 ) =
(d12 )1
.
P
(42)
We bound the second term in (41) as follows. Let us define

1
2
= 2 2 d1e d2e cos(e ) w1e + w1e
d12

2
+ w2e
+ 2 d2e d1e cos(e ) w2e

+ 2d1e d2e cos(e )cos(e ) 2w1e w2e cos(e ) .
where (45) follows from the fact that, since we is zero

mean Gaussian,
|we | follows a half-normal distribution with
E(|we |) = 2 (d1e , d2e )e /P . We can choose P1 such
that, for any beaconpower P > P1 , E[] > (3/4). Let =
(3/4), and = 1 + /(1 + ) = 2. Due to Lemma 2,
we obtain

d212 Var
[1 + ]+
d212 Var()

42
2 Var 2 d1e d2e cos(e ) w1e
d12

+ Var 2 d2e d1e cos(e ) w2e

+ Var 2d1e d2e cos(e ) cos(e )

2

2
+Var 2w1e w2e cos(e ) +Var w1e

+Var w2e
(46)
16e
E
4(d1e + d2e )2 ((d1e ) + (d2e ))
P d212

1
+ 4(d1e d2e )2 (d1e , d2e ) + o
P
(47)
(48)
where (46) follows from applying Lemma 1 to Var() twice

and (48) follows from the fact that

Var 2 die dje cos(e ) wie Var (2(die + dje )wie )
Then
for i, j {1, 2} and

Var 2d1e d2e cos(e ) cos(e ) Var(2d1e d2e w ).
|d12 , d1e , d2e )

Var(de

d21e + d22e + 2(d1e d2e cos e )w1e
= Var
Now, we upper bound the second term of (40) as

Var E[d1 de |d12 , d1e , d2e ]
+ 2(d2e d1e cos e )w2e 2d1e d2e cos e +w1e2

+ 0.5
+ w2e 2 2w1e w2e cos e
|d12 , d1e , d2e
d212 Var
[1 + ]+

= Var d12 E 1 (1 + )+ |d12 , d1e , d2e
(49)

E d212 (E [|| |d12 , d1e , d2e ])2
(50)
(43)
(44)
where (43) follows due to the definitions of d1e , d2e , and e .

(44) follows due to definition of , and the cosine law d212 =
d21e + d22e 2d1e d2e cos(e ). Now we will apply Lemma 2 to
bound (44). First, note that

1 2
2
+ w2e
2d1e d2e (cos e cos e )
E[] = 2 E w1e
d12
2

1
2
+ w2e
2d1e d2e |we |
2 E w1e
P d12

e
2P (d1e ,d2e )
2 E (d1e )+(d2e )2d1e d2e
P d12
e
(45)

1
2
2
E
2(d1e + d2e ) (|w1e | + |w2e |) + w1e
+ w2e
d212
2
+ 2d1e d2e |we | + 2|w1e w2e | |d12 , d1e , d2e

2e
=E
P d212

2(d1e + d2e )

(d1e ) + (d2e )
+ 2d1e d2e (d1e , d2e ) +

+2
(d1e ) + (d2e )
P e
(d1e ) + (d2e )
P
2
(51)
2e
=E
P d212
2

4(d1e + d2e )2
(d1e ) + (d2e )
e
+ 4 (d1e d2e (d1e , d2e ))
First, we show that the first term in (56) is finite

8(d1e +d2e )d1e d2e
(d1e )+ (d2e )
e

1
(d1e , d2e ) + o
.
(52)
P

where (49) follows from the fact that de = d12 (1 + )+ , and
(50) follows from Lemma 3. Finally, we obtain
+
(54)

2

+ 4(d1e +d2e )2 (d1e )+ (d2e )

+ 4d1e d2e +64(d1e d2e )2 (d1e , d2e )
+ 8(d1e + d2e )d1e d2e

(d1e )+ (d2e ) (d1e , d2e )
1
E log
2
>
(58)
where (57) follows since a triangle is either characterized

by three sides (d12 [i]d1e [i], d2e [i]) or two sides and an angle
(d12 [i]d1e [i], e [i]). Equation (58) follows from the cosine law.
Since the probability density function of e , d12 , d1e , d2e is
well defined, we can see that h(e [i]|d1e , d2e , {e [j]}i1
j=1 ) >
. The second term is bounded as
1
1
h(d1 |d2 ) h(d

1 d2 ) = h(w1 w2 )
n
n

4max (d12 )
1
log 2E
2
P
1
1
= log (2E [4max (d12 )]) log(P )
2
2
(59)
(60)

Therefore, we can see that limP (RL /(1/2) log(P )) 1

Now, we find an upper bound on RU . Note that
+ 64(d1e + d2e ) ((d1e ) + (d2e ))
{e [j]}i1
j=1

+o
0.5
2d1e [i]d2e
[i] cos (e [i])) |d1e , d2e
where (59) follows due to the fact that conditioning reduces

entropy and (60) follows from the fact d1 [i] d2 [i] = w1 [i]
w2 [i] for any i. Dropping the index i, we can see that h(w1
w2 ) is upper bounded by the entropy of a Gaussian random
variable that has the same variance as w1 w2 , which is

4max (d12 )
Var(w1 w2 ) = Ed12 (Var[w1 w2 ]) E
.
P
1
P
(57)
(53)
1
log
2

e d212 1
2E 2
(d12 )
d12 P
e
1
h(d1 |d1e , d2e )
n
1
= lim h(d12 |d1e , d2e )
n n
n

1
h d12 [i]|d1e , d2e , {e [j]}i1
= lim
j=1
n n
i=1

n

1
= lim
h d1e [i]2 + d2e [i]2
n n
i=1
lim
P,n
RU h(d1 de ) h(d1 d12 |d12 )

1
log 2Var(d1 de ) h(w1 |d12 )
2
2229
21 (d12 )
P
(55)
1
I(d1 ; d2 |d1e , d2e )
n
1
1 |d
1e , d
2e ) h(d
1 |d12 )
lim (h(d
n n
RU = lim
where (53) follows from (37) and (39), and (54) follows from
(61)
the fact that the entropy of d1 de is upper bounded by the
entropy of a Gaussian random variable with the same variance. where the first term of (61) is finite. The second term can be
The first term of (55) is obtained by combining (42), (48), and upper bounded as
(52), and the second term of (55) follows from (38). As P
1
, the P terms in (55) cancel each other since, for any random
h(d1 |d12 ) = h(w1 |d12 )
n
variables u and v

21 (d12 )
1

log
E
1
u
v
2
P
+o
E log
= log E[u] E[log v]
lim log E
P
P
P
P
1
1
= E [log (21 (d12 ))] log(P )
2
2
hence, limP RU < .
therefore, limP (RU /(1/2) log(P )) 1. Since RL RU
by definition, the proof is complete.
B. Proof of Theorem 3
e = .
When the eavesdropper does not observe the angle,
Hence

1
1 |d
2) .
h(d1 |d1e , d2e ) h(d
(56)
RL = lim
n n
ACKNOWLEDGMENT
The authors would like to thank Prof. P. Sinha and his team
for sharing the vehicular experiment data.
2230
R EFERENCES
[1] U. M. Maurer, Secret key agreement by public discussion from common information, IEEE Trans. Inf. Theory, vol. 39, no. 3, pp. 733742,
May 1993.
[2] R. Ahlswede and I. Csiszar, Common randomness in information theory
and cryptography. I. Secret sharing, IEEE Trans. Inf. Theory, vol. 39,
no. 4, pp. 11211132, Jul. 1993.
[3] U. M. Maurer and S. Wolf, Unconditionally secure key agreement and
the intrinsic conditional information, IEEE Trans. Inf. Theory, vol. 45,
no. 2, pp. 499514, Mar. 1999.
[4] I. Csiszar and P. Narayan, Secrecy capacities for multiterminal channel models, IEEE Trans. Inf. Theory, vol. 54, no. 6, pp. 24372452,
Jun. 2008.
[5] U. M. Maurer and S. Wolf, Secret-key agreement over unauthenticated
public channels.I. Definitions and a completeness result, IEEE Trans. Inf.
Theory, vol. 49, no. 4, pp. 822831, Apr. 2003.
[6] I. Csiszar and P. Narayan, Common randomness and secret key generation with a helper, IEEE Trans. Inf. Theory, vol. 46, no. 2, pp. 344366,
Mar. 2000.
[7] U. M. Maurer and S. Wolf, Information-theoretic key agreement: From
weak to strong secrecy for free, in Advances in Cryptology, EUROCRYPT 2000. Berlin, Germany: Springer-Verlag, 2000, pp. 351368.
[8] S. Gezici et al., Localization via ultra-wideband radios: A look at positioning aspects for future sensor networks, IEEE Signal Process. Mag.,
vol. 22, no. 4, pp. 7084, Jul. 2005.
[9] Y. Shen and M. Z. Win, Fundamental limits of wideband localization,
part I: A general framework, IEEE Trans. Inf. Theory, vol. 56, no. 10,
pp. 49564980, Oct. 2010.
[10] H. Buhrman, N. Chandran, V. Goyal, R. Ostrovsky, and C. Schaffner,
Position-based quantum cryptography: Impossibility and constructions,
SIAM J. Comput., vol. 43, no. 1, pp. 150178, 2014.
[11] A. Srivinasan and J. Vu, A survey on secure localization in wireless sensor networks, in Encyclopedia of Wireless and Mobile Communications.
Boca Raton, FL, USA: CRC, 2007.
[12] R. Poovendran, C. Wang, and S. Roy, Secure Localization and Time
Synchronization for Wireless Sensor and Ad-Hoc Networks. New York,
NY, USA: Springer-Verlag, 2007.
[13] N. Chandran, V. Goyal, R. Moriarty, and R. Ostrovsky, Position based
cryptography, in Advances in CryptologyCRYPTO 2009. Berlin,
Germany: Springer-Verlag, 2009.
[14] R. Wilson, D. Tse, and R. A. Scholtz, Channel identification: Secret sharing using reciprocity in ultrawideband channels, in Proc. IEEE ICUWB,
Sep. 2426, 2007, pp. 270275.
[15] N. Kirchner and T. Furukawa, Infrared localisation for indoor UAVs, in
Proc. ICST, 2005, pp. 6065.
[16] A. R. Jimenez and F. Seco, Ultrasonic localization methods for accurate
positioning, Inst. Autom. Ind., Madrid, Spain, 2005.
[17] S. Verdu and T. S. Han, A general formula for channel capacity, IEEE
Trans. Inf. Theory, vol. 40, no. 4, pp. 11471157, Jul. 1994.
[18] M. R. Bloch and J. N. Laneman, Strong secrecy from resolvability,
IEEE Trans. Inf. Theory, vol. 59, no. 12, pp. 80778098, Dec. 2013.
[19] D. Jourdan, D. Dardari, and M. Win, Position error bound for UWB
localization in dense cluttered environments, IEEE Trans. Aerosp.
Electron. Syst., vol. 44, no. 2, pp. 613628, Apr. 2008.
[20] S. Mathur, W. Trappe, N. Mandayam, C. Ye, and A. Reznik, Radiotelepathy: Extracting a secret key from an unauthenticated wireless channel, in Proc. ACM MobiCom, New York, NY, USA, pp. 128139.
[21] S. Jana et al., On the effectiveness of secret key extraction from wireless
signal strength in real environments, in Proc. ACM MobiCom, New York,
NY, USA, pp. 321332.
[22] J. Zhang, S. K. Kasera, and N. Patwari, Mobility assisted secret key
generation using wireless link signatures, in Proc. IEEE INFOCOM,
Mar. 1419, 2010, pp. 15.
[23] N. Patwari, J. Croft, S. Jana, and S. K. Kasera, High-rate uncorrelated bit extraction for shared secret key generation from channel
measurements, IEEE Trans. Mobile Comput., vol. 9, no. 1, pp. 1730,
Jan. 2010.
[24] C. Ye et al., Information-theoretically secret key generation for fading
wireless channels, IEEE Trans. Inf. Forensics Security, vol. 5, no. 2,
pp. 240254, Jun. 2010.
[25] S. Banerjee and A. Mishra, Secure spaces: Location-based secure
group communication for wireless networks, in Proc. ACM MobiCom,
Sep. 2002, vol. 7, pp. 6870.
[26] A. Pierrot, R. Chou, and M. Bloch, Practical Limitations of SecretKey Generation in Narrowband Wireless Environments, Dec. 2012,
arXiv:1312.3304 [cs.IT].
[27] S. Mathur, R. Miller, A. Varshavsky, W. Trappe, and N. Mandayam,

Proximate: Proximity-based secure pairing using ambient wireless signals, in Proc. ACM MobiSys, Jun. 2011, pp. 211224.
[28] A. Rukhin, et al., A Statistical Test Suite For Random and Pseudorandom
Number Generators for Cryptographic Applications, Nat. Inst. Stand.
Technol., Special Pub., pp. 800822.
[29] G. Brassard and L. Salvail, Secret-key reconciliation by public discussion, in Proc. EUROCRYPT, T. Helleseth, Ed., 1993, pp. 410423.
[30] [Online]. Available: https://code.google.com/p/miniz/
[31] O. Oguejiofor, V. Okorogu, and O. B. Adewale Abe, Outdoor localization
system using RSSI measurement of wireless sensor network, Int. J.
Innov. Technol. Exploring Eng., vol. 2, no. 2, pp. 16, Jan. 2013.
[32] D. Klinc, H. Jeongseok, S. W. McLaughlin, J. Barros, and K.
Byung-Jae, LDPC codes for the Gaussian wiretap channel, IEEE Trans.
Inf. Forensics Security, vol. 6, no. 3, pp. 532540, Sep. 2011.
[33] O. Gungor, F. Chen, and C. E. Koksal, Secret key generation from
mobility, in Proc. IEEE GLOBECOM Workshop Phys. Layer Security,
Dec. 59, 2011, pp. 874878.
[34] O. Gungor, F. Chen, and C. E. Koksal, Secret Key Generation Via Localization and Mobility, Tech. Rep., arXiv:1112.2793.
Onur Gungor received the B.S degree in electrical
engineering from the Middle East Technical University, Ankara, Turkey, in 2008 and the Ph.D degree in
electrical and computer engineering from The Ohio
State University, Columbus, OH, USA in 2014.
He interned with the Network Systems Engineering group at AT&T Labs, San Ramon, CA, USA,
during the spring and summer of 2012. He is a
certified Labview Associate Developer. His general
areas of interest are information theory, security, and
wireless communications.
Dr. Gungor received the Ohio State University Fellowship Award in 2008.
He is a reviewer of top IEEE journals such as the IEEE T RANSACTIONS ON
I NFORMATION T HEORY, the IEEE T RANSACTIONS ON W IRELESS C OMMU NICATIONS , and the IEEE T RANSACTIONS ON V EHICULAR T ECHNOLOGY ,
as well as conferences such as the IEEE Infocom, Globecom, and Mobihoc.
Fangzhou Chen received the B.S. degree in electrical and communication engineering from Zhejiang
University, Hangzhou, Zhejiang, China in 2010. He
is currently working toward the Ph.D. degree with
the Department of Electrical and Computer Engineering, The Ohio State University, Columbus,
OH, USA.
His research interests include wireless communication and networks and information theoretic
security.
Can Emre Koksal (S96M03SM13) received

the B.S. degree in electrical engineering from
the Middle East Technical University, Ankara,
Turkey, in 1996 and the S.M. and Ph.D. degrees in
electrical engineering and computer science from
the Massachusetts Institute of Technology (MIT),
Cambridge, MA, USA, in 1998 and 2002,
respectively.
He was a Postdoctoral Fellow at MIT until 2004
and a Senior Researcher with the Swiss Federal Institute of Technology (EPFL), Lausanne, Switzerand,
until 2006. Since then, he has been with the Electrical and Computer Engineering Department, The Ohio State University (OSU), Columbus, OH, USA,
currently as an Associate Professor. His general areas of interest are wireless
communication, communication networks, information theory, stochastic processes, and financial economics.
Dr. Koksal received the National Science Foundation CAREER Award in
2011 and the OSU College of Engineering Lumley Research Award in 2011
and co-received an HP Labs Innovation Research Award in 2011. The paper
that he coauthored was a best student paper candidate at MOBICOM in
2005. Currently, he is an Associate Editor for the IEEE T RANSACTIONS ON
I NFORMATION T HEORY, the IEEE T RANSACTIONS ON W IRELESS C OMMU NICATIONS , and Elsevier Computer Networks.

Secret Key Generation Via Localization and Mobility: Onur Gungor, Fangzhou Chen, and Can Emre Koksal, Senior Member, IEEE

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Secret Key Generation Via Localization and Mobility: Onur Gungor, Fangzhou Chen, and Can Emre Koksal, Senior Member, IEEE

Uploaded by

Copyright:

Available Formats

2214

IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 64, NO. 6, JUNE 2015