1

Practical Physical Layer Security Schemes for

MIMO-OFDM Systems Using Precoding Matrix
Indices
Chih-Yao Wu, Pang-Chang Lan, Ping-Cheng Yeh, Member, IEEE, Chia-Han Lee, Member, IEEE, and
Chen-Mou Cheng
AbstractIn physical-layer security, secret bits are extracted
from wireless channels. With the assumption of channel reci-
procity, the legitimate users share the same channel which
is independent of the channels between the legitimate users
and the eavesdropper, leading to secure transmissions. However,
practical implementation of the physical layer security faces
many challenges. First, for the correlated channel such as the
multiple-input and multiple-output (MIMO) channel, the security
is decreased due to the correlation between the generated secret
bits. Second, the nearby eavesdropper posts a security threat
due to observing the same channel as the legitimate users.
Third, the eavesdroppers might try to reconstruct the wireless
environments. In this paper, we propose two practical physical
layer security schemes for the MIMO orthogonal frequency-
division multiplexing (MIMO-OFDM) systems: the precoding
matrix index (PMI)-based secret key generation with rotation
matrix (MOPRO) and the channel quantization-based (MOCHA)
scheme. The former utilizes PMI and rotated reference signals
to prevent the eavesdroppers from learning the secret key
information and the latter applies channel quantization in order
to extract more secret key bits. It is shown that not only the secure
communication but also the MIMO gain can be guaranteed by
using the proposed schemes.
Index TermsPhysical-layer security, MIMO-OFDM, secret
key generation, cryptography, precoding matrix index.
I. INTRODUCTION
Making condential transmissions over wireless environ-
ments is a critical issue. Recently, building secure transmission
schemes on physical layer (PHY) has drawn great research in-
terest. The research on physical-layer security can be classied
into two categories: security schemes without secret key and
the key-based schemes. In his seminal work, Wyner introduces
the concept of wiretap channel [1]. His theoretical investiga-
tion has aroused many proposals on achieving information-
theoretic secrecy without the help of the traditional cryptogra-
phy key, such as [2][4]. On the other hand, generating secret
keys via correlated randomness provides another direction of
research on physical layer security. The idea, simultaneously
brought up by Maurer [5] and Ahlswede and Csiszr [6], is to
focus on the information-theoretic secret key distribution. The
secure transmission is then achieved by using the conventional
symmetric-key cryptography.
For the key-based physical layer security systems, the wire-
less transmission medium is considered a promising choice of
the randomness source for secrecy extraction since the rich
scattering in wireless environments results in different multi-
path fading at each mobile terminal. If the channel reciprocity
holds, the physical channels are only shared among legitimate
users and inaccessible to the malicious users, providing a
way for the secret key generation. However, several recent
publications point out the vulnerabilities of this approach. In
[7], a simple attack method is proposed to break the security
of channel reciprocity-based key generation schemes. By esti-
mating the reference signals
1
transmitted by legitimate nodes,
an eavesdropper is able to acquire the channel information
between itself and the legal parties, reconstruct the whole
physical surroundings, and then simulate the channels from
the reconstructed wireless environments. Another threat comes
from the nearby eavesdroppers [9]. It is usually believed that
the wireless channels are independent by a distance of several
wavelength. Unfortunately, some experiments on examining
the channel correlation have shown that this argument may be
questionablethe wireless channels are highly correlated even
though the two users are separated by one meter [9]. Another
problem is the MIMO channel correlation between antennas,
which results in the bit correlation of the generated secret
keys. As a result, several issues for the reciprocity-based key
generation schemes should be emphasized: The rst one is the
risk of the channel estimation through the reference signals,
the second one is the nearby eavesdropper problem which is
often ignored by the reciprocity-based schemes, and the last
one is the problem of correlated secret key bits.
In this paper, a multiple-input and multiple-output (MIMO)
orthogonal frequency-division multiplexing (OFDM) physical
layer key generation scheme utilizing the precoding matrix
index (PMI) and rotated reference signals, called MOPRO,
is proposed. It is well known that the performance of a
MIMO system can be enhanced by precoding at the transmitter
[10], i.e., multiplying the signal vector by a matrix before
transmission. With the optimal precoding at the transmitter,
the MIMO channel can be transformed into parallel subchan-
nels, and the optimal channel capacity can be achieved. In
order to reduce the feedback overhead and the complexity,
typically there is a universal codebook consisting of a -
nite number of precoding matrices. Due to different channel
realizations between the transmitter-legal receiver and the
1
Reference signals are signals with predened patterns known by both the
transmitter and receiver in advance. The transmitter sends the reference signal
to the receiver, which estimates channel based on the reference signal. There
is no restriction on the type of reference signals in this paper. One example is
CRS [8] which is dened by the 3rd Generation Partnership Project (3GPP)
community.
2
transmitter-eavesdropper pairs, the precoding matrix is only
known between the transmitter and the legal receiver. The
precoding matrix indices can then be used as secret keys.
To prevent the threats mentioned earlier, we introduce the
idea of rotating the reference signal by multiplying it with
a unitary matrix, which is inspired by the work by Cheng
et al. [11]. The secrecy information is hidden in the rotated
reference signals and the secret key information is obtained
during the channel estimation procedure. With the proposed
MOPRO scheme, the key disagreement probability is signi-
cantly reduced and the communication overhead of the public
discussion is decreased. Moreover, the proposed system resists
the attacks from the malicious users and resolves the nearby
eavesdropper problem. In addition, the generated secret key
bits are uniformly distributed, avoiding the channel correlation
problem. The greatest thing of all, with the proposed scheme,
the security can be achieved and the MIMO precoding gain
on system capacity can also be achieved without modication
on traditional MIMO precoding operations.
We also design a channel quantization-based MIMO-OFDM
scheme, called MOCHA, to utilize the whole channel matrix.
Although it is able to generate more secret bits than using
its corresponding precoding matrix, embedding secrecy in the
entire channel matrix makes the rotation on reference signals
non-unitary, increasing the channel estimation error. Thus, this
scheme is only suitable for the high signal-to-noise ratio (SNR)
scenarios.
With the proposed MOPRO or MOCHA key generation
mechanism, the shared secret key can be used as the seed to
generate pseudo random bit sequences, and then secure MIMO
communications can be achieved by using a stream cipher or
any other cryptographic techniques.
The rest of this paper is organized as follows. The related
work is reviewed in Sec. II. The background introduction of
the MIMO precoding and the system setup are described in
Sec. III. PMI-based secret key generation schemes are de-
scribed in Sec. IV, and the channel quantization-based scheme
is shown in Sec. V. Sec. VI then discusses the difculties of
analysis by information-theoretic approaches. In Sec. VII, the
performances of the proposed MOPRO and MOCHA schemes
are evaluated and discussed. Conclusions are addressed in
Sec. VIII.
II. RELATED WORK
Although the information-theoretic bounds on the secrecy
extraction from the wireless channel can be derived [5], [6],
how to design a practical key agreement scheme to achieve
the secret key capacity remains an open problem [12]. In
his paper, Maurer provides two fundamental steps to form
a feasible key agreement protocol: information reconciliation
and privacy amplication [13], [14] (see also the paper by
Jana et al. [15]). Information reconciliation aims at generating
two identical sequences based on the random observations
at the two legitimate users. The public discussion channel
helps legal users to communicate with each other to obtain the
same sequence. After the generation of the identical sequences,
information discussed through the public channel, which is
revealed to the passive attacker, should be wiped out. In
the step of privacy amplication, the secret key is extracted
from the sequences generated in the information reconciliation
phase by linear mapping or using universal hash function
[16] to eliminate the information leakage during the public
discussion [17].
For secrecy extraction from the channel state information,
an intuitive way is to quantize the complex channel coefcients
directly. The phase information [18], [19] or the amplitude
information [20], [21] of the complex channel can be uti-
lized to generate secret keys. Nevertheless, when considering
the practical situation with channel estimation error, those
schemes usually have poor key agreement probability. To
make the direct channel quantization more robust, protocols
utilizing the public discussion channel based on the principles
of information reconciliation and privacy amplication are
designed to improve the key agreement probability [22][24].
Due to the increased degree of freedom in the wideband
channel and the MIMO channel, more secret bits are expected.
The problems of secret sharing and the information-theoretic
bounds in wideband systems are discussed in [25], [26]. Due to
the channel correlation in the MIMO systems, direct channel
quantization faces the problem that the generated secret key
bits are correlated instead of uniformly distributed, resulting
in the signicant reduction in the security level. Jana et al.
address the problem of correlation in the bit sequences through
the use of universal hash functions [15]. It is also possible to
decorrelate the channels, but the price is the extremely high
feedback overhead for the decorrelation vectors [27], [28].
This paper proposes MOPRO and MOCHA to simultane-
ously combat the three threats mentioned at the beginning of
this paper. Although the close eavesdropper problem may be
tackled by using recongurable antennas [29][31], MOPRO
and MOCHA are the rst schemes that solve the close
eavesdropper problem through digital signal processing, which
results in a lower implementation cost. The method proposed
by Chen et al. [22] may look similar to the MOCHA scheme
proposed in this paper, but there are actually several differ-
ences. Their method requires both Alice and Bob to estimate
the wireless channel by normal reference signals in advance,
and the product of the secret key matrix and the channel matrix
are transmitted through public discussion. As a result, Eve
may guess the wireless channel between Alice and Bob by
the method in [7]. After gaining the channel information, Eve
can successfully decrypt the secret key information from the
public discussion. On the other hand, MOCHA rotates the
reference signals, and both Alice and Bob estimate the secret
keys through channel estimation. The abovementioned risk is
avoided.
III. SYSTEM SETUP
In this section, we rst review the MIMO-OFDM precoding
scheme, and then the system model is introduced. The nota-
tions in this paper are as follows. ()

denotes the Hermitian.

()

represents the conjugate. ()

T
stands for the transposition.
C
mn
is the set of m by n complex matrices. is the ceiling
function. ()
1
means the matrix inversion.
3
Fig. 1. System model.
A. MIMO with Precoding
Precoding is an operation for the MIMO system to utilize
the best subchannel gains. After precoding, the optimal chan-
nel capacity can be achieved by appropriately allocating the
transmission power to subchannels following the water-lling
principle [10], [32]. A MIMO channel H can be decomposed
using the singular value decomposition (SVD) [33] and obtain
H = UV

, where U and V are complex unitary matrices,

and is a rectangular diagonal matrix with non-negative
real numbers on the diagonal. Love and Heath prove that
the optimal precoding matrix

V is which consists of the
rst several columns of the right singular vectors V [34].
The optimal precoding matrix requires the full channel state
information (CSI) to be available at the transmitter side, which
is, unfortunately, impractical due to the feedback overhead. In-
stead, the codebook-based precoding, which strikes a balance
between the feedback overhead, the equalizer complexity, and
the system performance [35], has been widely adopted by the
modern communication standards such as LTE and WiMAX
[36]. A universal codebook consisting of a nite number
of precoding matrices is shared among the communication
terminals, and each precoding matrix in the codebook has an
index called precoding matrix index (PMI). The suboptimal
precoding matrix is selected from the codebook by the receiver
and the corresponding PMI is then sent to the transmitter.
In the MIMO-OFDM system, the transmitter rst sends out
a reference signal for the receiver to estimate the channel
matrix H. Note that the channel here stands for the channel
on a subcarrier or on certain OFDM subcarriers. The receiver
nds the precoding matrix and its corresponding PMI from the
universal codebook F that maximizes the following channel
capacity [37]:
C
H,F
= log
2
det
_
I
n
+
E
s
n
s

2
F

HF
_
, (1)
where I
n
is the identity matrix with n denoting the minimum
number of antennas at the transmitter and the receiver, E
s
is the total power of the transmitted signal vector, n
s
is
the number of data,
2
is the noise variance, and F is the
precoding matrix. The best precoding matrix

F from the
codebook F is

F = argmax
FF
C
H,F
. (2)
Alice
Bob Eve
Start secure communication
Collect PMI (secret key)

Fig. 2. Signaling procedure of the MOP scheme.
Note that the optimal precoding matrix is constructed from the
right singular vectors (RSV).
B. System Model
The system model is shown in Fig. 1. Let us consider
three users, Alice, Bob, and Eve, and three wireless MIMO
channels, H
AB
, H
AE
, and H
BE
. The source user, Alice,
wants to transmit condential messages to the destination
user, Bob, through H
AB
. Due to the broadcasting nature
of wireless channels, these messages will be overheard by
the eavesdropper, Eve, through H
AE
. If Bob transmits some
signals to Alice, those signals will also be overheard by
Eve through H
BE
. It is assumed that the MIMO-OFDM-
based system uses time-division duplexing (TDD) and the
MIMO channel reciprocity holds in the transposed form, i.e.,
H
AB
= (H
BA
)
T
. Perfect channel reciprocity is assumed
throughout this paper, and scenarios with imperfect channel
reciprocity are left to future work. Alice, Bob, and Eve are
assumed to be equipped with M
A
, M
B
, and M
E
number of
antennas respectively. Note that there is no restriction on Eves
location.
The universal codebook containing precoding matrices and
the corresponding PMIs is available to Alice, Bob, and Eve.
Both Alice and Bob use the MIMO channel capacity function
for the PMI estimation, which is also known by Eve. The
mapping between precoding matrix and secrecy key sequence
is a predened, public information. Alice, Bob, and Eve have
the knowledge of this mapping in advance. The protocol used
by Alice and Bob is known by Eve, too. Eve is assumed to
be a passive attacker who will not jam the channel or falsify
the public discussion between Alice and Bob.
IV. PMI-BASED SECRET KEY GENERATION
Due to different channel realizations between the
transmitter-legal receiver and the transmitter-eavesdropper
4
pairs, the precoding matrix of a MIMO system is only
known between the transmitter and the legal receiver. The
precoding matrix indices can thus be used as secret keys. In
this section, we describe the proposed PMI-based secret key
generation schemes. We rst show the design based solely on
the PMI, called MOP, and explain the risks. Then, MOPRO,
the scheme based on both the PMI and the rotated matrix, is
introduced.
A. The MOP Scheme
In a typical MIMO system with codebook-based precoding,
Alice acquires PMI via the feedback from Bob, and Eve
can easily detect the PMI through eavesdropping. Now let us
consider this: What if the PMI is not fed back to Alice, and
instead, Bob sends the same reference signal to Alice? Under
the assumption of channel reciprocity, i.e., H
AB
= (H
BA
)
T
,
Alice and Bob are able to compute the same PMI, but Eve is
unable to obtain the PMI if H
AE
and H
BE
are independent to
H
AB
and H
BA
, respectively. The PMI, only shared between
Alice and Bob, can be used as secret keys. This is what exactly
MOP does.
We know that the estimated precoding matrix has the
minimum chordal distance from the optimal precoding matrix,
which spans the same space by the right singular vectors of
the channel matrix. Therefore, the estimated precoding matrix
can be regarded as a quantized version of the space spanned
by the right singular vectors. To extract more secret bits from
the channel matrix, the transposed channel matrix can also
be used for the PMI estimation to utilize the left singular
vectors (LSV). To fully utilize the channel information on each
subcarrier, the channel estimation results in the same subband
are averaged. This channel averaging method is similar to
what is described in [28]. While [28] aims at the temporally
and spatially correlated channels, MOP applies this method to
the correlated channels in frequency domain. If the channel
estimation errors on each subcarrier are independent, the
variance of the error can be reduced by a factor proportional
to the number of the correlated channels in one subband.
The signaling procedure of the MOP scheme is depicted
in Fig. 2, and the steps of the MOP scheme are detailed as
follows.
1) Alice transmits a reference signal r C
MANr
for
Bob to make channel estimation. N
r
is the length of
the reference signal.
2) Bob estimates the channel on a single subcarrier or a
subband which consists of several subcarriers, depending
on the channel coherence bandwidth and the precoding
granularity. H
AB
k
C
MBMA
is acquired for the kth
subcarrier at Bobs side.
3) Bob computes the averaged channel H
AB
=
1
n

n
k=1
H
AB
k
for the subband consisting of n subcarri-
ers.
4) Bob conducts the corresponding precoding matrix

F
Bob,RSV
= argmax
F
C
H
AB
,F
, where

F
Bob,RSV

C
MAns
. Bob regards the PMI i
Bob,RSV
of the precod-
ing matrix

F
Bob,RSV
as a key and puts it into his key
set K
Bob
.
5) Bob collects the PMI i
Bob,LSV
by nding

F
Bob,LSV
=
argmax
F
C
(H
AB
)
T
,F
, where

F
Bob,LSV
C
MBns
, and
puts it into K
Bob
, too.
6) During the next time slot, Bob sends a sounding ref-
erence signal to Alice. Alice nds the corresponding
precoding matrices

F
Alice,RSV
and

F
Alice,LSV
. Alice
then puts i
Alice,LSV
and i
Alice,RSV
into its key set K
Alice
.
7) Repeat steps 3 to 6 for all subbands in the OFDM
system.
8) Alice uses a stream cipher to encrypt data X with the
key set K
Alice
, along with the SHA-256 digest of X
in plaintext. Afterwards, Alice transmits the encrypted
data to Bob, and Bob decrypts the data using its own
key set K
Bob
. Bob calculates the SHA-256 digest of the
decrypted data, and checks if it matches the received
digest. A key agreement error is declared if there is a
mismatch. During the transmission, MIMO precoding is
applied in order to achieve better performance.
Since we assume that the channel reciprocity holds, i.e.,
H
BA
= (H
AB
)
T
,

F
Bob,RSV
and

F
Alice,LSV
are the same,
and so are

F
Bob,LSV
and

F
Alice,RSV
. As a result, K
Bob
and
K
Alice
are identical. Note that Alice and Bob may drop out-
of-date keys to make sure K
Bob
= K
Alice
at any time. Also
note that a well-designed codebook, e.g., DFT codebook [38],
can be easily extended to different size. This means that the
codebook size in the MOP scheme can be adaptively adjusted
according to the instantaneous condition, thus providing ex-
cellent exibility.
B. Risks of MOP
In the reciprocity-based secret key generation schemes, the
distance of the eavesdropper to the legitimate users determines
the security level. In general, the distance of several wave-
length provides nearly independent channels. For the MIMO
case, Eve experiences an even difcult situationthe antenna
arrangements and the direction of movement of Alice and Bob
have dramatic impacts on the MIMO channel between them.
Nevertheless, some risks might threaten the feasibility and
the security of the reciprocity-based key generation schemes,
including MOP. The rst risk is the following. If the MIMO
channels have no correlation, it can be expected that the
keys will be uniformly distributed. However, realistic channels
usually have correlation such that the generated keys may have
correlation, which decreases the security level. This is the
common risk of the reciprocity-based security schemes. In the
papers by Patwari et al. [27] and Chen et al. [28], they try to
make the generated key bits uniformly distributed by using the
decorrelation vector. Yet, it is shown that the key disagreement
probability is very high due to the estimation error if Alice
and Bob estimate the decorrelation vector independently. On
the other hand, if the decorrelation vector is estimated by one
user and then transmitted to the other user, extremely large
communication overhead is needed. The second risk comes
from the channel estimation error. If, unfortunately, during
the process of nding the optimal PMI, the wireless channel is
mapped to a point at the boundary of two different quantization
regions, Alice and Bob might estimate the biased keys and fail
5
Alice
Bob Eve
Start secure communication
Collect PMI (secret key)

Fig. 3. Signaling procedure of the MOPRO scheme.
to achieve the secret key agreement. Information reconciliation
and privacy amplication [23], utilizing channel coding (e.g.,
LDPC codes [20] and the coset assignment [26]) and the
universal hash function [15], can reduce the error rate of
the PMI estimation. Since additional public transmissions are
required, the complexity and the feedback overhead on both
terminals are increased. The third risk is that the eavesdropper
might be able to reconstruct the full wireless environments.
Dottling et al. propose an attack method using both H
AE
and
H
BE
to reconstruct the reectors surroundings by with the
geometric methods [7]. They show that under simple wireless
environments, it is possible for Eve to recover H
AB
. The last
risk is the nearby malicious user problem. The security of the
MOP scheme and other PHY secret key generation schemes
are all based on the spatial separation between legitimate users
and the eavesdropper. If the wireless channels experienced by
Eve are similar to those estimated by Alice and Bob, the
security will easily be breached. These four risks urge us
to seek for further solutions, and our answer is the MOPRO
scheme, which is described in the next subsection.
C. The MOPRO Scheme
MOPRO, the enhanced version of MOP, is inspired by
the idea of rotated reference signal in the MOPI scheme
[11]. While the rotated reference signals are used to create
articially fast varying channel in [11], the rotated reference
signals are introduced to overcome the threats mentioned in
Introduction and Sec. IV-B. Note that the secret keys are not
extracted directly from the wireless channel. Instead, the key
information is embedded in the wireless channel.
Let us rst see how the MOPRO scheme works, and the
details will be explained later. The signaling procedure of the
proposed MOPRO scheme is depicted in Fig. 3, and the block
diagram is shown in Fig. 4. The procedure is summarized
below.
Fig. 4. Block diagram of the MOPRO scheme.
1) Alice transmits the reference signal Gr for Bob to make
channel estimation, where G C
MAMA
is a ran-
dom complex unitary matrix and independent for each
subband. Bob estimates the averaged channel H
AB
i
G
i
for the subband i, and then decomposes H
AB
i
G
i
by
SVD to obtain H
AB
i
G
i
= U
B,i

i
(V

B,i
G
i
), where
U
B,i
C
MBMB
and V

B,i
C
MAMA
are unitary
matrices and
i
C
MBMA
is a diagonal matrix.
2) According to the required secret key length, Bob gener-
ates an n-bit random secret key sequence S
B
by using
some random bit generators and puts it into K
Bob
. Bob
then optionally applies channel coding on S
B
and gets
the coded key sequence C
B
.
3) If a p-bit codebook is used, Bob divides C
B
into
_
n
p
_
groups of p-bit sequences. Each p-bit sequence is
denoted by C
B,i
.
4) For the subband i, Bob nds the corresponding precod-
ing matrix F
B,i
which has the index equivalent to C
B,i
.
Note that the precoding matrix used here is typically a
tall matrix which is not full-rank. Bob appends some
random orthogonal columns to the original precoding
matrix and makes it a full-rank unitary matrix

F
B,i

C
MBMB
.
5) Bob transmits the rotated reference signal G
1,i
r to
Alice, where G
1,i
= U

B,i

B,i
. Alice then estimates
the PMI for the rotated averaged channel H
BA
i
G
1,i
on
the ith subband.
6) Steps 2 to 6 are done repeatedly for all subbands. After
collecting the PMIs for all subbands, Alice combines
all PMIs to form the secret key S
B
. If channel coding
is applied, Alice decodes the coded key sequence and
acquires the secret key.
7) Alice generates another secret key sequence S
A
and
optionally encodes it to C
A
, which is then divided into
several p-bit sequences, denoted by C
A,i
.
8) For each subband i, Alice rst searches for the precoding
matrix F
A,i
corresponding to C
A,i
, and renes it to a
full-rank unitary matrix

F
A,i
C
MAMA
with some
random orthogonal columns.
9) Alice computes SVD on H
BA
i
G
1,i
= (H
AB
i
)
T
G
1,i
to
6
obtain (H
AB
i
)
T
G
1,i
= V

A,i

T
i
(U
T
A,i
G
1,i
) and acquire
the singular vectors V
A,i
. Then Alice transmits the
rotated reference signal G
2,i
r to Bob, where G
2,i
=
V
A,i

A,i
.
10) Bob conducts the PMI estimation on the rotated channel
H
AB
i
G
2,i
. The same steps are applied to all subbands
to get the secret key S
A
.
11) To achieve the MIMO capacity, Alice nds the opti-
mal MIMO precoding matrix from the codebook by

F = argmax
F
C
(H
AB
)
T
G1,F
, where

F C
MBns
. Alice
generates a random unitary matrix R
u
C
nsns
and
makes

F =

FR
u
the MIMO precoding matrix. The
purpose of R
u
is to prevent the eavesdropper from
acquiring H
AE
through exhaustive search since

F is in
the codebook which has limited number of entries.
12) Alice transmits another rotated reference signal

Fs,
where s C
nsNs
has a different length N
s
to r.
13) Bob estimates the precoded channel H
AB

F. With the
help of the estimation results, the zero-forcing (ZF) or
the minimum mean-squared error (MMSE) receiver can
be utilized by Bob to receive the precoded data.
After the above steps, both Alice and Bob acquire S
A
and
S
B
. Secure transmissions can be achieved and the MIMO
capacity gain is also fully utilized by the communication
parties.
In MOPRO, with the proper design of the rotation matrix,
both Alice and Bob are able to control the PMI estimated
by others. This provides several advantages over MOP. First,
uniformly distributed secret keys are easily generated by
controlling the rotation matrix. Note that it is impossible
to control the key generation by unitary matrix if we use
direct channel quantization working on the whole channel
matrix. The reason of using the unitary rotation is that it only
has impact on the singular vectors and changes the optimal
precoding matrix alone, resulting in smaller estimation errors.
The rotation matrix, therefore, is better to work along with
the PMI-based methods. Second, with the rotation matrix,
the instantaneous channel experienced by the users can be
transformed into an optimal channel for the universal code-
book. The optimal precoding matrix for the original channel
may not be in the codebook, but it is possible to apply the
rotation matrix such that the optimal precoding matrix for the
rotated channel is in the codebook. Since now the optimal
decoding matrix is mapped to a point at a further distance
from the decision boundary, the perturbation of the estimation
error can be minimized. The third advantage over MOP is
that the attack proposed in [7] is prevented. Eve loses its
ability to acquire either H
AE
or H
BE
since only the rotated
version is sent. Without the knowledge of these two channels,
Eve is unable to reconstruct the complete wireless physical
surroundings. The last risk avoided is the nearby malicious
user problem. The rotation of the reference signal successfully
refrains the eavesdropper from acquiring the complete secret
key information. In fact, the eavesdropper is forced to lose
track of half the secret key bits.
Now let us discuss how Alice and Bob achieve the secret key
agreement. Bob obtains PMI through the channel estimation of
the rotated reference signal G
2
r and the corresponding right
singular vectors. Bob only gets half of the keys through the
channel estimation and generates the other half by himself:
the PMI obtained by Bob is the key sequence generated by
Alice, which is embedded in the reference signal G
2
r; the
PMI obtained by Alice is the key sequence generated by
Bob, which is embedded in the reference signal G
1
r. As a
result, both Alice and Bob do channel estimation with the
rotated reference signals. The secret keys are embedded in
the rotated reference signals. After transmission of rotated
reference signals, the wireless channel between Alice and Bob
naturally makes the channels estimated by them decodable. On
the other hand, Eve experiences different wireless channels
from the wireless channel between Alice and Bob. Therefore,
the channels estimated by Eve are non-decodable. To recover
the secret key S
B
generated by Bob, Alice estimates the
precoding matrix for the rotated channel H
BA
i
G
1,i
. After the
singular value decomposition, the rotated channel H
BA
i
G
1,i
can be decomposed as
H
BA
i
G
1,i
= (H
AB
i
)
T
G
1,i
= (U
B,i

i
V

B,i
)
T
U

B,i

B,i
= V

B,i

T
i
U
T
B,i
U

B,i

B,i
= V

B,i

T
i

F

B,i
. (3)
It is well-known that the optimal precoding matrix which
achieves the maximum capacity is the right singular vectors of
the estimated channel. Therefore, the optimal precoding matrix
is exactly

F

B,i
. Note that although the SVD is not unique (and
so is U
B,i
), the optimal precoding matrix still spans the same
space as

F

B,i
does. The corresponding PMIs, S
B
, and C
B
are
thus the same for Alice and Bob. At Bobs side, he estimates
the PMI from the rotated channel H
AB
i
G
2,i
to obtain S
A
. The
rotated channel can be decomposed as
H
AB
i
G
2,i
= U
A,i

i
V

A,i
V
A,i

A,i
= U
A,i

A,i
. (4)
As a result, the optimal precoding matrix for H
AB
i
G
2,i
is

F

A,i
or a unitary matrix which spans the same space. Alice and
Bob are thus able to acquire the identical secret keys. In our
design, although

F, instead of

F, is used in the codebook for
the MIMO precoding, the same MIMO capacity is achieved
[37].
Applying channel coding to the pseudo-random keys before
transmitting the rotated reference signal has advantages over
the traditional ways of using information reconciliation and
privacy amplication since the usage of channel coding is
embedded in the procedure of channel estimation and no
additional public communication is needed. This reduces the
transmission overhead and the complexity of using the uni-
versal hash function. Although the transmission of reference
signals can also be regarded as a kind of public discussion,
public discussion has been shown to be unavoidable in the
secret key generation [39].
7
TABLE I
INFORMATION ACQUIRED BY EVE UNDER MOPRO.
Eves position Acquired information
Arbitrary H
AE
G, H
BE
G
1
, H
AE
G
2
, H
AE
F
Near Alice H
AE
G, H
BA
G
1
, H
AE
G
2
, H
AE
F
Near Bob H
AB
G, H
BE
G
1
, H
AB
G
2
, H
AB
F
D. Security Guarantee of MOPRO
Now we discuss how the eavesdropper, especially the nearby
eavesdropper, is stopped under the MOPRO scheme.
To obtain the complete secret key information S
A
and S
B
,
knowing the channels H
BA
G
1
and H
AB
G
2
are necessary for
Eve. From Fig. 3, we know that the information revealed to
Eve includes H
AE
G, H
BE
G
1
, H
AE
G
2
and H
AE

F. If Eve
is far away from the legitimate users, H
AE
G
2
and H
BE
G
1
will be independent of H
BA
G
1
and H
AB
G
2
such that Eve is
unable to acquire any information about the keys. When Eve
comes near Alice, H
BE
H
BA
, and so H
BE
G
1
H
BA
G
1
.
Therefore, Eve has the information of the secret key S
B
by
conducting the PMI estimation on H
BE
G
1
. She can also learn
the information about right singular vectors by applying SVD
on H
BE
G
1
. Then if Eve has access to G
2
= V
A

A
, she
can obtain the secret key S
A
. Fortunately, H
AE
is unavailable
for her to obtain G
2
. As a result, when Eve comes close
to Alice, she can only acquire S
B
but loses track of the
information about S
A
. Similarly, if Eve is near Bob, she
fails to decode the secret key S
B
. TABLE I summarizes the
information that Eve can access under different situations. If
Eve intends to gain secret key information by approaching
Alice or Bob, it is hopeless for her to obtain the complete
secret key information. Although Eve can still have about
half of the secret key information such that the security level
is reduced by half, to our best knowledge, the proposed
MOPRO scheme is a pioneering work on preventing this kind
of threats using digital signal processing methods ( [29][31]
use recongurable aperture antennas). However, it should be
noted that the proposed method is not unconditionally secure
if the channel does not change. An eavesdropper may use
brute-force attacks by trying every possible channel matrix.
In addition, the security level of the generated keys depends
on the properties of the original non-rotated wireless channel.
If there is information lost, some traditional methods such as
information reconciliation and privacy amplication could be
applied after the proposed scheme.
V. CHANNEL QUANTIZATION-BASED SCHEME
In MOPRO, we only utilize the space spanned by the
singular vectors to carry the secret key information. Inspired
by the traditional reciprocity-based key generation scheme,
it is worth investigating the efciency of using the whole
channel matrix to carry the secret key information. In this
section, we propose the channel quantization-based MIMO-
OFDM (MOCHA) secret key generation scheme to examine
the feasibility of extracting secret bits by direct channel
quantization.
Alice
Bob Eve
Start secure communication
Collect secret key

Coherence Time
Collect secret key

Fig. 5. Signaling procedure of the MOCHA scheme.
A. The MOCHA Scheme
In order to prevent the eavesdropper from learning H
AB
through observing H
AE
and H
BE
, either one of the reference
signals transmitted by Alice and Bob should be rotated. In
MOCHA, to hide the secret information in the rotated refer-
ence signal, the rotation matrix G is designed as (H
AB
)
1
K,
where K is the secret key matrix. The real part and the
imaginary part of each channel element of K have the format

1
(S/N), where is the cumulative density function (CDF)
of Gaussian distribution, S denotes the decimal value of the
secret bits, and N is the quantization level. At the receiving
side, the receiver simply quantizes the received channel and
obtains the secret bits. For the detailed information of secrecy
extraction from the Gaussian source, one may refer to [20].
The detailed steps of the MOCHA scheme are as follows
and depicted in Fig. 5.
1) Alice transmits the reference signal r for Bob to make
the channel estimation of H
AB
.
2) Bob generates secret key sequence S
B
and optionally
encodes it to C
B
.
3) Bob generates the secrecy matrix K by hiding the secret
key information into the real part and the imaginary part
of the channel elements.
4) Bob transmits the rotated reference signal G
1
r to Alice,
where G
1
= (H
BA
)
1
K. Alice quantizes the channel
elements and decodes it into S
B
.
5) Bob estimates the optimal precoding matrix and feed-
backs the PMI to Alice.
6) After the coherence time, the above steps are repeated
8
but the roles of Alice and Bob are exchanged to prevent
the nearby eavesdropper.
7) In order for Bob to receive the precoded data symbols
correctly, Alice transmits another rotated reference sig-
nal

Fs similar to what is done in MOPRO.
8) The secret keys obtained are mixed using, for example,
linear mapping.
Unlike MOPRO, MOCHA cannot rotate both reference
signals, or the MIMO precoding will not be valid. In MOPRO,
only the space spanned by either the right or left singular
vectors is rotated, and the space spanned by the other singular
vectors is not affected. The rotation in MOCHA, however,
destroys the whole channel matrix and the PMI estimation is
no longer correct.
To prevent the nearby eavesdropper, Alice and Bob do the
same thing with the role exchanged. For the malicious Eve
trying to eavesdrop the transmission, she will have to move
close to Bob for obtaining the secret key information from
Alice and then move to Alice for the secret key information
from Bob within the coherence time. Eve is forced to move
from Alice to Bob and then back to Alice in a very short
period, which is basically impractical and thus guarantees
secure transmissions between Alice and Bob.
The feedback of PMI from Bob to Alice is to make sure that
the MIMO transmission from Alice to Bob can be correctly
handled. It should be noted that the MIMO transmission is
secured by some old keys which are generated in the past.
B. Limitations of MOCHA
Although the MOCHA scheme provides more secret bits,
some limitations restrict its performance. First, the users
should wait at least the coherence time to make sure that
the secret keys are secure. Second, (H
AB
)
1
does not exist
for non-square matrices. When Alice and Bob have different
number of antennas, some channel elements will be dropped
in order to form a square channel matrix, which decreases
the secrecy rate. Additionally, the rotation matrix G is not
unitary, making the transmission power of the rotated reference
signals deviate from the intended power level. When H
AB
is
correlated, (H
BA
)
1
has larger power. If we assume that Bob
estimates the channel H
AB
with the estimation error Z
B
, what
he obtains is G
1
= (H
BA
+Z
T
B
)
1
K. After the transmission
of the rotated reference signals, what Alice estimates is
H
BA
(H
BA
+Z
T
B
)
1
K+Z
A
=(I Z
T
B
(H
BA
+Z
T
B
)
1
)K+Z
A
, (5)
where Z
A
is the estimation error at Alices side. This shows
that the estimation error Z
B
may be amplied. On the other
hand, in the MOPRO scheme, the rotation matrix G used
by Bob is (U

+ U)

F, where U is the singular vector

perturbation caused by the channel estimation error. What is
estimated by Alice becomes
H
BA
(U

+ U)

F +Z
A
=V

T
(

F +U
T
U

F) +Z
A
, (6)
which means that the perturbation power of the singular vector
will not be amplied since U
T
and

F are unitary matrices.
As a result, MOPRO outperforms MOCHA when the channel
estimation error cannot be omitted. Although MOCHA is able
to provide more secret bits, it only works under high SNR.
VI. INFORMATION-THEORETIC ANALYSIS
In this section, we perform information-theoretic analysis
on the proposed MOPRO and MOCHA schemes.
First consider the case where the secret key generation
is simply based on the channel estimation without using
MOPRO or MOCHA. Under the assumption of perfect channel
estimation, the achievable secrecy key rate is upper-bounded
by [6]
R = I(H
BA
; H
AB
|H
AE
, H
BE
). (7)
Assume that the entries of all the channel matrices are i.i.d.
complex Gaussian distributed with unit variance and zero
mean. A closed-form expression of R is possible from [40].
In the MOPRO and MOCHA schemes, secret keys are not
extracted from the channel matrix but instead, embedded in the
reference signals and controlled by both Alice and Bob. The
resulting secrecy rates of the MOPRO and MOCHA schemes
are both upper-bounded by
R
MOPRO
= I(H
BA
G
1
; H
AB
G
2
|H
AE
G, H
AE
G
2
, H
BE
G
1
).
(8)
While for MOPRO scheme, G, G
1
, and G
2
are modeled by
a random unitary matrix uniformly distributed with H
BA
G
1
,
H
AB
G
2
, H
AE
G, H
AE
G
2
, and H
BE
G
1
are, in general, not
Gaussian and hard to nd. Hence, it is difcult to analyze the
proposed MOPRO with the information-theoretic approach.
For MOCHA scheme, G, G
1
, and G
2
do not even have
known random matrix distributions like MOPRO. As a result,
complete information theoretical analysis is not tractable.
Although it is hard to analyze the MOPRO and MOCHA
schemes precisely, we can still gain some insights by studying
a simplied version of our MOPRO scheme. Let us assume
that Alice has a large number of antennas while both Bob
and Eve have a single antenna. Such model is similar to
the downlink channel in practice. Now the channel matrices
H
AB
, H
BA
, and H
AE
are replaced with h
AB
C
1MA
,
h
BA
C
MA1
, and h
AE
C
1MA
. Note that for the
MOPRO scheme, the maximum number of uncorrelated key
bits that can be extracted from the channels without the
presence of Eve is the same as that of the scheme simply using
channel estimation, i.e., I(h
BA
; h
AB
). Thus, we focus on the
quantity of key bits that cannot be extracted by Eve, which is
referred to as equivocation. Let R
AB
= E[(h
AB
)
T
(h
AB
)

],
R
AE
= E[(h
AE
)
T
(h
AE
)

], and R = E[(h
AB
)
T
(h
AE
)

].
For the pure channel estimation scheme, the equivocation of
the channel between Alice and Bob h
AB
, which cannot be
deduced from the channel between Alice and Eve h
AE
, is
9
given by
h(h
AB
|h
AE
)
=log(e)
MA
det(R
AB
R(R
AE
)
1
R
H
)
=log(e)
MA
det(I RR
H
) (9)
log(e)
MA
MA

k=1
(1 R
kk
) (10)
=log(e)
MA
MA

k=1
_
1
MA

l=1

E[h
AB
k
(h
AE
l
)

2
_
log(e)
MA
_
1
1
M
A
MA

k=1
MA

l=1

E[h
AB
k
(h
AE
l
)

2
_
MA
,
(11)
where R
k,l
is the (k, l)th entry of RR
H
, and h
AB
k
and h
AE
l
are the kth and lth components of h
AB
and h
AE
respectively.
In (9), we apply R
AB
= R
AE
= I since the entries of the
channel matrices are assumed to be i.i.d. CN(0, 1). In (10),
we apply Hadamards inequality since R
AB
R(R
AE
)
1
R
H
is positive semidenite by the property of MMSE. (11) results
from the arithmetic inequality. For the MOPRO scheme, since
we assume M
A
to be large, by the central limit theorem
h
AB
G
2
and h
AE
G
2
are complex Gaussian distributed
as well. Suppose that G
2
is generated independent of
h
AB
and h
AE
. Let R

AB
= E[G
T
2
(h
AB
)
T
(h
AB
)

2
],
R

AE
= E[G
T
2
(h
AE
)
T
(h
AE
)

2
], and R

=
E[G
T
2
(h
AB
)
T
(h
AE
)

2
]. Then the equivocation of the
rotated channel between Alice and Bob h
AB
G
2
, which
cannot be deduced from the rotated channel between Alice
and Eve h
AE
G
2
, is given by
h(h
AB
G
2
|h
AE
G
2
)
=log(e)
MA
det(R

AB
R

(R

AE
)
1
R
H
)
=log(e)
MA
det(I R

R
H
), (12)
where (12) holds since we suppose that G
2
is gener-
ated independent of h
AB
and h
AE
. As a result, R

AB
=
E[E[G
T
2
(h
AB
)
T
(h
AB
)

2
|G
2
]] = I and R

AE
follows in the
same way. Note that
R

ij
=
MA

k=1
MA

l=1
E[G
2,ki
G

2,lj
] E[h
AB
k
(h
AE
l
)

]
=
_

MA
k=1
1
MA
E[h
AB
k
(h
AE
k
)

] , if i = j,
0 , otherwise,
(13)
where G
2,ki
is the (k, i)th entry of G
2
. The last equality
results from the following properties: by the property of
unitary matrices, we have E[

MA
i=i
|G
2,ki
|
2
] = 1 and, hence,
E[|G
2,ki
|
2
] =
1
MA
for all i, k; E[G
2,ki
G

2,lj
] = 0 for i = k or
k = l according to the property of the random unitary matrix
shown in Lemma 1.1 in [41]. Hence, R

is a diagonal matrix
TABLE II
SIMULATION SETUP.
Channel model SCME channel model
MIMO system 2 2, 4 4 single user MIMO
Subcarrier bandwidth 15 kHz
Total bandwidth 20 MHz
Center frequency 2 GHz
SCME scenario Urban macro
Codebook DFT codebook
Channel coding [5, 7] convolutional code
which gives
det(I R

R
H
) =
_
_
1
1
M
2
A
_
MA

k=1
E[h
AB
k
(h
AE
k
)

]
_
2
_
_
MA

_
1
1
M
A
MA

k=1
MA

l=1

E[h
AB
k
(h
AE
l
)

2
_
MA
(14)
for sufciently large M
A
. It then follows from (11) that
h(h
AB
|h
AE
) h(h
AB
G
2
|h
AE
G
2
). (15)
Hence, it can be observed that the MOPRO scheme
helps decrease Eves information about the rotated chan-
nel between Alice and Bob given the rotated chan-
nel between Alice and Eve. Although we only prove
the equivocation for h
AB
and h
AE
, the equivocation
h(h
BA
G
1
, h
AB
G
2
|h
AE
G, h
AE
G
2
, h
BE
G
1
) can be calcu-
lated in a similar way.
VII. PERFORMANCE EVALUATION
In this section, we show the feasibility of the proposed
MOPRO and MOCHA schemes by computer simulations.
A. Simulation Setup
To provide convincing simulation results, realistic scenarios
are considered. We follow the simulation setup generally used
by the Long Term Evolution (LTE) [42], [43]. The detailed
simulation parameters are provided in TABLE II.
The number of secret keys N
key
generated in one OFDM
symbol is computed using the following equation:
N
key
=
B
n
NR(1 KER), (16)
where B denotes the total bandwidth of the OFDM system,
n the size of a subband, i.e., the number of subcarriers of a
subband, N the total number of bits generated for the whole
channel matrix, KER the key error probability, and R the code
rate of channel coding (R = 1 if there is no channel coding
applied).
The total number of subcarriers used in the simulations is
obtained by dividing the total bandwidth by the subcarrier
bandwidth, which is
20M
15k
1333. Considering that the
precoding with lower-rank codebook provides more capacity
10
0 50 100 150 200
0
0.25
0.5
0.75
1
Subcarrier index
C
o
r
r
e
l
a
t
i
o
n
Fig. 6. Channel correlation among the subcarriers under noiseless Spatial
Channel Modeling Extended (SCME) urban-macro channel model. The sub-
carrier bandwidth is 15 kHz.
gain compared to that with higher-rank codebook [44], it
is expected that using the codebook with lower rank will
be more robust to the PMI estimation error. Therefore, the
rank-1 codebook is used in our simulations to evaluate the
performance.
From (16), it is clear that the subband size has a great
impact on the number of the generated secret key bits. The
larger the subband size, the fewer secret key bits can be
generated, but the estimation error is reduced. Therefore, the
subband size should be chosen carefully. From the security
point of view, the subband size should at least equal to the
channel coherent bandwidth, or Eve can easily break the
security through observing the highly correlated channels.
Fig. 6 shows the simulation result of the channel correlation
among the subcarriers in the SCME urban-macro channel
model. In general, a correlation below 0.5 can be regarded
as nearly uncorrelated. We see that in Fig. 6 the correlation
decreases to 0.5 at about a 20-subcarrier separation, which
shows that the coherence bandwidth of the channel is about
2015 kHz = 300 kHz. With the total system bandwidth being
20 MHz and the subband size being 300 kHz, the number
of independent PMIs can be acquired is 20MHz/300kHz

=
66 in one time slot. If we use a 2-bit codebook, 2266
= 264 bits are generated as the cryptographic key, and this
number easily outperforms the required security level of the
conventional cipher. As a result, the subband size is chosen as
20 (subcarriers) in our simulations.
B. Secret Key Distribution
As mentioned earlier, a good set of secret keys should be
uniformly distributed. For the traditional secrecy extraction
from wireless channels, the correlated channel leads to the
correlated secret keys and the security level is decreased. The
decorrelation methods using decorrelation vectors result in
tremendous feedback overhead. This problem is solved by
5 10 15
0
0.02
0.04
0.06
0.08
Decimal value of quantized bits
(per 4bits)
U
s
a
g
e

p
r
o
b
a
b
i
l
i
t
y
(a) Direct channel quantization
5 10 15
0
0.02
0.04
0.06
0.08
Decimal value of quantized bits
(per 4bits)
U
s
a
g
e

p
r
o
b
a
b
i
l
i
t
y
(b) MOCHA
5 10 15
0
0.02
0.04
0.06
0.08
PMI
U
s
a
g
e

p
r
o
b
a
b
i
l
i
t
y
(c) MOPRO
Fig. 7. Secret key distribution using direct channel quantization, MOCHA,
and MOPRO.
the proposed MOPRO and MOCHA schemes, as depicted
in Fig. 7. A 4-bit codebook with 2-bit quantization on each
channel element is used in the simulation. We divide the secret
keys into groups of 4-bit long (equal to the PMI size in
11
0 10 20 30 40
10
3
10
2
10
1
10
0
SNR (dB)
K
e
y

e
r
r
o
r

r
a
t
e


MOP
MOPRO
MOPRO with coding
Fig. 8. Key error rate comparison of MOP, MOPRO, and MOPRO with
channel coding.
0 10 20 30 40
10
3
10
2
10
1
10
0
SNR (dB)
K
e
y

e
r
r
o
r

r
a
t
e


1bit
2bit
3bit
4bit
5bit
6bit
7bit
Fig. 9. Key error rate of MOPRO with different size of DFT codebook.
MOPRO) and observe the distribution of its decimal value.
The secret keys are unevenly distributed and concentrated
on certain decimal values of the quantized bits when using
direct channel quantization, but the secret keys are uniformly
distributed when using either MOPRO or MOCHA. The reason
is that in MOPRO and MOCHA the secret keys are generated
randomly by the users and not affected by the instantaneous
channel.
C. Secret Key Error Rate and Secret Key Length
The secret key agreement probability is the most important
metric for the secret key generation scheme. In the ideal
situation where there is no annoying channel estimation error
and Alice and Bob estimate the channel simultaneously, the
secret key error rate (KER) should be zero. However, in
0 10 20 30 40 50 60
0
5
10
15
20
25
30
35
SNR (dB)
S
e
c
r
e
t

k
e
y

l
e
n
g
t
h

(
p
e
r

s
u
b
b
a
n
d
)


MOPRO
MOPRO with coding
MOCHA
MOCHA with coding
(a) Secret key length under different SNR.
0 10 20 30 40 50 60
10
4
10
3
10
2
10
1
SNR (dB)
K
E
R


Desired KER
MOPRO
MOPRO with coding
MOCHA
MOCHA with coding
(b) KER under different SNR.
Fig. 10. Secret key length comparison of MOPRO and MOCHA. The target
KER is 10
2
.
practical scenarios, the channel estimation error should be
taken into account. Fig. 8 presents the KER of different
schemes under the 22 MIMO with a 4-bit DFT codebook.
The secret key size is 80 bits. We assume that the legitimate
users estimate the same channel, but the estimation error
happens independently on each user and is modeled as an
additive noise with Gaussian distribution. The subband size is
chosen as 20. It is found that the KER of the MOP scheme is
about 0.5 at 30 dB SNR. However, after the introduction of the
rotation matrix (the MOPRO scheme), the KER is decreased
to nearly 10
3
at the same SNR. If channel coding is further
applied, about 10 dB SNR gain at KER 10
3
is obtained.
Fig. 9 shows how the size of the codebook affects the KER
in the MOPRO scheme. As expected, the smaller codebook
results in lower KER, and the inuence of the channel esti-
mation error becomes more signicant with the growth in the
12
codebook size. However, as the larger codebook provides more
secret bits, the adaptive codebook size is necessary to strike
a balance between the key agreement probability and the key
length. The DFT codebook proposed in [38] can be extended to
the desired size easily, and is a suitable choice for the proposed
MOPRO scheme. Nevertheless, determining the threshold for
changing the codebook size is critical. Here we consider two
different objectives: maximizing the secret key length and min-
imizing the key error rate [27]. Since checking the correctness
of the secret keys needs additional public discussion, the loss
in system throughput will be huge if the secret keys acquired
by Alice and Bob disagree often. For that reason, we start with
a small codebook size and target the KER at 10
2
. If a larger
codebook still results in a KER smaller than the desired KER,
the codebook size is extended. Similarly for the MOCHA
scheme, the number of quantization regions can be adaptively
adjusted. The performances of MOPRO and MOCHA using
adaptive codebook size and quantization level are depicted in
Fig. 10. At large SNR, MOCHA provides more secret key bits,
but due to the errors introduced by the non-unitary rotation
on reference signals, MOCHA fails to maintain the desired
error rate of 10
2
at low SNR. On the other hand, MOPRO
performs well at the SNR as low as 15 dB, and channel
coding further extends its operation region to nearly 0 dB SNR.
With the addition of channel coding, the secret key length is
sacriced for the better key agreement probability. MOCHA
with channel coding outperforms MOCHA without channel
coding at low SNR, but the performance of MOCHA with
channel coding is still worse than MOPRO without channel
coding. At high SNR, however, channel coding helps little for
MOCHA.
It is also interesting to investigate the effect of the number of
MIMO antennas. Fig. 11 shows the performance comparison
of MOPRO under the 22 and 4 4 MIMO scenarios. As
expected, the increase in the number of MIMO antennas leads
to better performance, but MOCHA fails to achieve the target
KER with the 44 MIMO when the SNR is lower than 55 dB,
as shown in Fig. 12. This is because for MOCHA, a larger
MIMO matrix may lead to larger power deviation, increasing
the channel estimation error.
D. Nearby Eavesdroppers Performance
The major concern about the traditional reciprocity-based
secret key generation schemes is the existence of nearby
malicious users. When Eve estimates a highly correlated
channel similar to H
AB
, the secret keys may be obtained by
Eve. With the proposed MOPRO and MOCHA schemes, Eve
is prevented from learning both H
AE
and H
BE
even when
she is very close to the legal users due to the rotation of the
reference signals. Additionally, the attack method proposed in
[7] is also ineffective. Fig. 13 shows the power delay prole
of the original channel H
BE
and the one after rotation. These
two channels are very different and Eve cannot reconstruct
H
BE
without knowing the rotation matrix.
To verify the security level that MOPRO and MOCHA
provide, we investigate how much secret key information a
nearby eavesdropper can acquire. Two metrics are dened:
0 10 20 30 40
0
2
4
6
8
10
12
14
SNR (dB)
S
e
c
r
e
t

k
e
y

l
e
n
g
t
h

(
p
e
r

s
u
b
b
a
n
d
)


4x4 MIMO
2x2 MIMO
4x4 MIMO with coding
2x2 MIMO with coding
Fig. 11. Secret key length of MOPRO under 22 and 44 MIMO scenarios.
0 10 20 30 40 50 60
10
3
10
2
10
1
10
0
SNR (dB)
K
E
R


4x4 MIMO (2bit quan.)
4x4 MIMO with coding (2bit quan.)
2x2 MIMO (8bit quan.)
2x2 MIMO with coding (8bit quan.)
Fig. 12. KER of MOCHA under 2 2 and 4 4 MIMO scenarios.
the probability that Eve successfully obtains the complete
secret key information and the number of identical bits in a
key between Eves and Bobs. The former one measures the
probability that the security is breached and the second one
quanties how much security level is decreased. Fig. 14 shows
how Eve performs under these two metrics using 22 MIMO.
In the simulations, a 4-bit codebook with 2-bit quantization is
used to generate a 80-bit secret key. Note that according to the
near eld electromagnetic (EM) theory [45], [46], there will
be a signicant coupling effect between the antennas if Eves
antenna is close to Alices or Bobs within one wavelength.
Even under this situation, Eve has no chance to gain full
information when either MORPO or MOCHA is used. The
ratio of the correct secret bits Eve can acquire when MOPRO
or MOCHA is applied is also much lower than the case when
the direct channel quantization scheme is used.
13
0 0.5 1 1.5 2 2.5 3
x 10
6
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
0.4
Delay (s)
C
h
a
n
n
e
l

p
o
w
e
r


H
BE
H
BE
G
1
Fig. 13. Power delay prole for H
BE
and its rotation.
VIII. CONCLUSIONS
In this paper, we have proposed MOPRO and MOCHA
as efcient secret key generation mechanisms for MIMO-
OFDM systems. The proposed MOPRO scheme utilizes the
precoding matrix indices as secret keys while the MOCHA
scheme quantizes the channel coefcients directly. With the
properly designed rotation matrix applied on the reference
signals, the public communication overhead and the secret
key error rate are reduced signicantly. The vulnerabilities
of the traditional reciprocity-based key generation schemes,
such as the nearby eavesdropper problem, channel simulation
attacks, and correlated keys, are prevented. The computer
simulations have shown that MOCHA provides more secret
keys but only works well under high SNR scenarios since
the channel estimation error is enhanced by the non-unitary
rotation applied on the reference signals. On the other hand,
MOPRO is capable of providing robust secrecy extraction
at low SNR. Although the reference signals are rotated, the
MIMO precoding is still valid and both the MIMO gain and
the secure transmissions are achieved by using the proposed
MOPRO or MOCHA secret key generation scheme.
REFERENCES
[1] A. D. Wyner, The wire-tap channel, Bell Syst. Tech. J., vol. 54, no. 8,
pp. 13551387, 1975.
[2] S. Goel and R. Negi, Guaranteeing secrecy using articial noise, IEEE
Trans. Wireless Comm., vol. 7, no. 6, pp. 21802189, June 2008.
[3] M. Kobayashi and M. Debbah, On the secrecy capacity of frequency-
selective fading channels: A practical Vandermonde precoding, in Proc.
IEEE Int. Symp. Personal, Indoor and Mobile Radio Communications
(PIMRC), 15-18 Sept. 2008, pp. 15.
[4] S. Lakshmanan, C.-L. Tsao, R. Sivakumar, and K. Sundaresan, Secur-
ing wireless data networks against eavesdropping using smart antennas,
in Proc. Int. Conf. Distributed Computing Systems, 17-20 June 2008, pp.
1927.
[5] U. Maurer, Secret key agreement by public discussion from common
information, IEEE Trans. Inf. Theory, vol. 39, no. 3, pp. 733742, May
1993.
0 1 2 3 4 5
0
0.005
0.01
0.015
0.02
0.025
0.03
0.035
Legal usereavesdropper distance
(wavelength)
D
e
c
r
y
p
t
i
o
n

p
r
o
b
a
b
i
l
i
t
y


Direct channel quantization
MOPRO
MOCHA
(a) Probability that Eve decrypts a 80-bit key.
0 1 2 3 4 5
20
30
40
50
60
70
80
Legal usereavesdropper distance
(wavelength)
N
u
m
b
e
r

o
f

c
o
r
r
e
c
t

b
i
t
s


Direct channel quantization
MOPRO
MOCHA
(b) Average number of correct bits Eve decrypts in a 80-bit key.
Fig. 14. Performance of Eve under different schemes.
[6] R. Ahlswede and I. Csiszr, Common randomness in information theory
and cryptography, Part I: Secret sharing, IEEE Trans. Inf. Theory,
vol. 39, no. 4, pp. 11211132, July 1993.
[7] N. Dottling, D. Lazich, J. Muller-Quade, and A. de Almeida, Vul-
nerabilities of wireless key exchange based on channel reciprocity,
in Information Security Applications, ser. Lecture Notes in Computer
Science, 2011, vol. 6513, pp. 206220.
[8] 3GPP TS 36.211 V9.0.0, 3GPP RAN1 RP-46, 3rd Generation Partner-
ship Project Std., 2009.
[9] M. Edman, A. Kiayias, and B. Yener, On passive inference attacks
against physical-layer key extraction, in Proc. ACM European Work-
shop on System Security, ser. EUROSEC 11. New York, NY, USA:
ACM, 2011, pp. 8:18:6.
[10] D. Tse and P. Viswanath, Fundamentals of wireless communication.
Cambridge University Press, 2005.
[11] J.-P. Cheng, Y.-H. Li, P.-C. Yeh, and C.-M. Cheng, MIMO-OFDM
PHY Integrated (MOPI) scheme for condential wireless transmission,
in Proc. IEEE Wireless Comm. and Networking Conf. (WCNC), 2010,
pp. 16.
[12] A. Mukherjee, S. A. A. Fakoorian, J. Huang, and A. L. Swindlehurst,
Principles of physical layer security in multiuser wireless networks: A
14
survey, 2010. [Online]. Available: http://arxiv.org/abs/1011.3754
[13] U. Maurer and S. Wolf, Information-theoretic key agreement: From
weak to strong secrecy for free, in Lecture Notes in Computer Science.
Springer-Verlag, 2000, pp. 351368.
[14] C. Cachin and U. Maurer, Linking information reconciliation and
privacy amplication, J. of Cryptology, vol. 10, pp. 97110, 1997.
[15] S. Jana, S. N. Premnath, M. Clark, S. K. Kasera, N. Patwari, and
S. V. Krishnamurthy, On the effectiveness of secret key extraction from
wireless signal strength in real environments, in Proc. ACM MobiCom,
2009, pp. 321332.
[16] J. L. Carter and M. N. Wegman, Universal classes of hash functions,
J. of Computer and System Sciences, vol. 18, no. 2, pp. 143154, April
1979.
[17] C. H. Bennett, G. Brassard, C. Crepeau, and U. M. Maurer, Generalized
privacy amplication, IEEE Trans. Inf. Theory, vol. 41, no. 6, pp. 1915
1923, Nov. 1995.
[18] A. A. Hassan, W. E. Stark, J. E. Hershey, and S. Chennakeshu, Cryp-
tographic key agreement for mobile radio, Digital Signal Processing,
vol. 6, pp. 207212, 1996.
[19] H. Koorapaty, A. A. Hassan, and S. Chennakeshu, Secure information
transmission for mobile radio, IEEE Comm. Lett., vol. 4, no. 2, pp.
5255, Feb. 2000.
[20] C. Ye, A. Reznik, and Y. Shah, Extracting secrecy from jointly Gaussian
random variables, in Proc. IEEE Int. Symp. Information Theory, July
2006, pp. 25932597.
[21] M. Bloch, J. Barros, M. R. D. Rodrigues, and S. W. McLaughlin, Wire-
less information-theoretic security, IEEE Trans. Inf. Theory, vol. 54,
no. 6, pp. 25152534, June 2008.
[22] C. Chen and M. A. Jensen, Secrecy extraction from increased random-
ness in a time-variant MIMO channel, in Proc. IEEE GLOBECOM,
Dec. 2009, pp. 16.
[23] C. Ye, S. Mathur, A. Reznik, Y. Shah, W. Trappe, and N. B. Mandayam,
Information-theoretically secret key generation for fading wireless
channels, IEEE Trans. Inf. Forens. Security, vol. 5, no. 2, pp. 240
254, June 2010.
[24] C. Chen and M. Jensen, Improved channel quantization for secret key
establishment in wireless systems, in Proc. IEEE Int. Conf. on Wireless
Information Technology and Systems, Sept. 2010, pp. 14.
[25] A. Sayeed and A. Perrig, Secure wireless communications: Secret keys
through multipath, in Proc. IEEE ICASSP, April 2008, pp. 30133016.
[26] R. Wilson, D. Tse, and R. A. Scholtz, Channel identication: Secret
sharing using reciprocity in ultrawideband channels, IEEE Trans. Inf.
Forens. Security, vol. 2, no. 3, pp. 364375, Sept. 2007.
[27] N. Patwari, J. Croft, S. Jana, and S. K. Kasera, High-rate uncorrelated
bit extraction for shared secret key generation from channel measure-
ments, IEEE Trans. Mobile Comput., vol. 9, no. 1, pp. 1730, Jan.
2010.
[28] C. Chen and M. A. Jensen, Secret key establishment using temporally
and spatially correlated wireless channel coefcients, IEEE Trans.
Mobile Comput., vol. 10, no. 2, pp. 205215, Feb. 2011.
[29] T. Aono, K. Higuchi, T. Ohira, B. Komiyama, and H. Sasaoka, Wireless
secret key generation exploiting reactance-domain scalar response of
multipath fading channels, IEEE Transactions on Antennas and Prop-
agation, vol. 53, no. 11, pp. 37763784, Nov. 2005.
[30] R. Mehmood and J. Wallace, Channel security enhancement using
recongurable aperture antennas, in European Conference on Antennas
and Propagation, April 2011.
[31] , Experimental assessment of secret key generation using parasitic
recongurable apertures, in European Conference on Antennas and
Propagation, 2012.
[32] D. J. Love, R. W. Heath Jr., and T. Strohmer, Grassmannian beamform-
ing for multiple-input multiple-output wireless systems, IEEE Trans.
Inf. Theory, vol. 49, no. 10, pp. 27352747, Oct. 2003.
[33] V. Klema and A. Laub, The singular value decomposition: Its com-
putation and some applications, IEEE Trans. Autom. Control, vol. 25,
no. 2, pp. 164176, April 1980.
[34] D. J. Love and R. W. Heath Jr., Limited feedback unitary precoding for
spatial multiplexing systems, IEEE Trans. Inf. Theory, vol. 51, no. 8,
pp. 29672976, Aug. 2005.
[35] , Limited feedback precoding for spatial multiplexing systems, in
Proc. IEEE GLOBECOM, vol. 4, Dec. 2003, pp. 18571861.
[36] D. Astely, E. Dahlman, A. Furuskar, Y. Jading, M. Lindstrom, and
S. Parkvall, LTE: the evolution of mobile broadband, IEEE Comm.
Mag., vol. 47, no. 4, pp. 4451, Apr. 2009.
[37] J. Choi, B. Mondal, and R. W. Heath Jr., Interpolation based unitary
precoding for spatial multiplexing MIMO-OFDM with limited feed-
back, IEEE Trans. Signal Process., vol. 54, no. 12, pp. 47304740,
Dec. 2006.
[38] Samsung, MIMO for Long Term Evolution, in R1-050889, 3GPPTSG
RANWG1 42,London,UK, Aug.-Sept. 2005.
[39] P. Gacs and J. Korner, Common information is far less than mutual
information, Probl. Inform. Control, vol. 2, no. 2, pp. 149162, 1973.
[40] J. Wallace and R. Sharma, Automatic secret keys from reciprocal
mimo wireless channels: Measurement and analysis, IEEE Trans. Inf.
Forensics Security, Sept. 2010.
[41] F. Hiai and D. Petz, Asymptotic freeness almost everywhere for random
matrices, Acta Sci. Math. Szeged, vol. 66, pp. 801826, 2000.
[42] 3GPP TR 25.996 V9.0.0, 3GPP RAN1 SP-46, 3rd Generation Partner-
ship Project Std., 2009.
[43] 3GPP TR 36.814 V9.0.0, 3GPP RAN1 RP-47, 3rd Generation Partner-
ship Project Std., 2010.
[44] B. Clerckx, Y. Zhou, and S. Kim, Practical codebook design for limited
feedback spatial multiplexing, in Proc. IEEE Int. Conf. on Comm., May
2008, pp. 39823987.
[45] A. Derneryd and G. Kristensson, Signal correlation including antenna
coupling, Electronics Letters, vol. 40, no. 3, pp. 157159, Feb. 2004.
[46] S. Krusevac, P. B. Rapajic, R. A. Kennedy, and P. Sadeghi, Mutual
coupling effect on thermal noise in multi-antenna wireless communica-
tion systems, in Proc. Communications Theory Workshop, Feb. 2005,
pp. 209214.
Chih-Yao (Derrick) Wu received his B.S. degree
and M.S. degree in electrical engineering from Na-
tional Taiwan University in 2009 and 2011, respec-
tively. Since September 2011, he has been with HTC
Corporation, where he is responsible for physical
layer research on LTE and LTE-advanced, system-
level and link-level simulation building, patent l-
ing, and technical consulting. He is currently the
3GPP RAN1 delegate of HTC Corporation. His
research interests include MIMO techniques, coor-
dinated multiple point transmission and reception
(CoMP), heterogeneous network, physical layer security, and interference
mitigation/cancellation techniques.
Pang-Chang Lan received the B.S. and M.S. de-
grees, both in electrical engineering, from the Na-
tional Taiwan University, Taipei, Taiwan in 2009 and
2011 respectively. Since August 2012, he has been
a Research Assistant with Media Communications
Lab at the Department of Electrical Engineering
in University of Southern California (USC), Los
Angeles. He is currently working towards the Ph.D.
Degree in USC. His research interests include co-
operative communications, multiantenna signal pro-
cessing, and physical-layer security.
15
Ping-Cheng Yeh received his B.S. degree in Math-
ematics and M.S degree in Electrical Engineering
from the National Taiwan University, in 1996 and
1998, respectively. In 2005, he received his Ph.D.
degree in Electrical Engineering and Computer Sci-
ence from the University of Michigan, Ann Arbor.
He joined the Department of Electrical Engineering
and the Graduate Institute of Communication En-
gineering at the National Taiwan University in Au-
gust 2005. His research interests include molecular
communications, wireless multimedia transmissions,
physical layer security, cooperative communications, cross-layer design in
wireless networks, and online education platform design. Dr. Yeh has received
various awards in the past, including EECS Outstanding GSI Award (2002),
University of Michigan Outstanding GSI Award (2003), NTU Excellence
in Teaching Award (2008, 2009), and NTU Distinguished Teaching Award
(2010). He is currently the Associate Director of Center for Teaching and
Learning Development at the National Taiwan University.
Chia-Han Lee received his B.S. degree from Na-
tional Taiwan University, Taipei, Taiwan in 1999,
M.S. degree from the University of Michigan, Ann
Arbor in 2003, and Ph.D. from Princeton University
in 2008, all in electrical engineering. From 1999 to
2001, he served in the R.O.C. army as a missile
operations ofcer. From 2008 to 2009, he was a
postdoctoral research associate at the University of
Notre Dame, USA. Since 2010, he has been with
Academia Sinica, Taipei, Taiwan, as an Assistant Re-
search Fellow. His research interests include wireless
communications, wireless networks, and signal processing.
Chen-Mou Cheng received his BS and MS in Elec-
trical Engineering from National Taiwan University
in 1996 and 1998, respectively, and his PhD in
Computer Science from Harvard University in 2007.
He joined the Department of Electrical Engineering
of National Taiwan University in 2007, where he is
currently an Assistant Professor.
His main research area is in cryptographic hard-
ware and embedded systems (CHES), as well as
electronic system-level (ESL) design. Currently, his
main research activities focus on the design and
analysis of efcient algorithms to solve several important problems arising
from cryptology, as well as the development and implementation of these
algorithms on massively parallel computers. These problems include solving
systems of polynomial equations over nite elds, integer factorization,
elliptic-curve discrete logarithm, and lattice reduction.