The Scientific World Journal

Volume 2013 (2013), Article ID 935604, 13 pages

http://dx.doi.org/10.1155/2013/935604

## A Multihop Key Agreement Scheme for Wireless Ad Hoc Networks Based on Channel Characteristics

^{1}MicroStrategy, Hangzhou, China^{2}State Key Laboratory of Novel Software Technology, Nanjing University, Nanjing 210023, China^{3}Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China^{4}Department of Electronic Engineering and Information Science, University of Science and Technology of China, Hefei, Anhui 230027, China

Received 26 March 2013; Accepted 30 April 2013

Academic Editors: A. Miné and A. Paun

Copyright © 2013 Zhuo Hao et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

A number of key agreement schemes based on wireless channel characteristics have been proposed recently. However, previous key agreement schemes require that two nodes which need to agree on a key are within the communication range of each other. Hence, they are not suitable for multihop wireless networks, in which nodes do not always have direct connections with each other. In this paper, we first propose a basic multihop key agreement scheme for wireless ad hoc networks. The proposed basic scheme is resistant to external eavesdroppers. Nevertheless, this basic scheme is not secure when there exist internal eavesdroppers or Man-in-the-Middle (MITM) adversaries. In order to cope with these adversaries, we propose an improved multihop key agreement scheme. We show that the improved scheme is secure against internal eavesdroppers and MITM adversaries in a single path. Both performance analysis and simulation results demonstrate that the improved scheme is efficient. Consequently, the improved key agreement scheme is suitable for multihop wireless ad hoc networks.

#### 1. Introduction

Network security (see, e.g., [1, 2]) has been studied extensively. In wireless networks, security problems are especially critical, because wireless channels are inherently broadcast channels. When a pair of nodes communicate with each other, nearby nodes within the communication range may be able to overhear their messages. In order to prevent eavesdropping, messages are often encrypted before being sent. Hence, key agreement is of great importance for security of wireless networks.

Recently, Mathur et al. [3] propose a novel key agreement scheme for wireless networks, which is based on the secrecy of the wireless channel itself. In their scheme, the two communicating nodes send probe signals to each other and measure the channels. Then, they extract secret bits from the channel measurements using a level-crossing algorithm. Because of the reciprocity of the channel, the two nodes can extract the same key from their own channel measurements. Any eavesdroppers that are more than half a wavelength away from both nodes can get no knowledge of the key, because their experienced channels are independent of the channel between the two communicating nodes. The broad applicability of this security alternative has been validated by Jana et al. [4], through a series of experiments in real environments.

However, both Mathur et al.’s and Jana et al.’s schemes require that two nodes are within the communication range of each other in order to establish a key. This requirement cannot always be satisfied. In many realistic scenarios, intermediate nodes are needed for relaying messages, because the end nodes cannot communicate directly.

In this paper, we show that it is feasible to build key agreement schemes based on wireless channel measurements in *multihop* wireless networks. We show that, by extracting secrets from the phase characteristics (it is feasible to extract secrets from phase characteristics—please see Section 3 for details) of channels, two end nodes that are more than one hop away from each other can establish a key between them. We propose a basic key agreement scheme for this purpose and show that it is secure against external eavesdroppers (i.e., eavesdroppers out of the paths connecting the two nodes). After that, we show that the basic scheme is subject to internal eavesdropping and Man-in-the-Middle (MITM) attacks. Therefore, we propose an improved key agreement scheme to prevent these two attacks. The improved scheme is based on the assumption that the network is biconnected. The secrets are extracted from two disjoint paths between the two end nodes. The improved scheme is secure against internal eavesdroppers and MITM adversaries in a single path. (Please see Section 5.3, Remark 7 for the possibility that adversaries control more than a single path.) In both the basic and the improved schemes, we follow the standard assumption [3–6] that adversaries are more than half a wavelength away from all the participating nodes. We give a theoretical analysis of the key agreement probability and show that it is affected by communication SNRs, sampling rates, and quantization parameters. We simulate the improved scheme in GlomoSim [7] and show that the established key has strong randomness and the key agreement efficiency is high.

In summary, we have the following contributions. (i)We propose a basic multihop key agreement scheme and prove that it is secure against external eavesdroppers. (ii)Since the basic scheme is not secure against internal eavesdroppers or MITM adversaries, we propose an improved multihop key agreement scheme, and prove that this improved scheme is secure against internal eavesdroppers and MITM adversaries in a single path between the two nodes. (iii)We give both performance analysis and simulation results of the improved scheme. The results show that the improved scheme is very efficient and the established key has strong randomness.

The rest of this paper is organized as follows. In Section 2, we review the related work. In Section 3, we present technical preliminaries. In Section 4, we present the basic multihop key agreement scheme and give a security analysis. In Section 5, we describe the improved multihop key agreement scheme and prove its security. In Sections 6 and 7, we show that the improved scheme is efficient by both theoretical analysis and simulation results. Finally, we conclude in Section 8.

#### 2. Related Work

Key agreement based on channel characteristics is firstly proposed in Hershey et al. [8], in which the secret key is extracted from the phase differences of continuous waves. After that, Hassan et al. [9] propose to use phase differences between two orthogonal subcarriers as extracted secrets. Tope and McEachen [10] propose a key generation scheme based on polarity of power envelope differences. Recently, a lot of schemes [3–6, 11–22] are proposed to enhance the security and/or improve the performance. In particular, Mathur et al. [3] propose a scheme to extract secret bits from wireless channel measurements. They design a level-crossing algorithm to increase the bit consistency rate. They do experiments using both customized 802.11 platform and off-the-shelf 802.11 network cards. In order to validate the effectiveness of the key extraction schemes based on signal strengths, Jana et al. [4] carry out extensive experiments in various environments. They propose adaptive quantization method to improve the performance. Patwari et al. [6] propose a high-rate uncorrelated bit extraction scheme based on fractional interpolation, decorrelation transformation and multibit adaptive quantization. Ye et al. [5] propose a secret key extraction approach that is suited for more general channel state distributions. Zhang et al. [21] find that mobility patterns have important impact on the correlation of channel measurements at the end nodes. They show that more diffusion in the mobility brings less correlation in the measured channel impulse responses. Gollakota and Katabi [23] propose a secret communication method based on receiver’s jamming. Their method eliminates the reliance on channel variance and has high secret communication speed.

There are also many analytical works [24–27] that provide theoretical analysis of secret key exchange protocols and propose improved algorithms. In addition, secret key extraction schemes from UWB (Ultra-WideBand) channels are proposed in [28–31]. Croft et al. [32] propose a secret bit extraction scheme for wireless sensors, while Ali et al. [33] develop a key extraction approach in body area networks.

It is important to note that all the previous approaches focus on one single channel between two nodes. Therefore, they have the requirement that the two nodes are within the communication range of each other. In contrast, in this paper, we propose schemes that are suitable for multihop networks, in which nodes can be out of the communication range of each other. Consequently, our proposed schemes can be used for key agreement in multihop wireless networks.

Recently Wang et al. [34] propose a group key agreement scheme in wireless networks. Wang et al.’s scheme is based on the phase characteristics of wireless channels. They use phase randomness for bit generation and remove the reliance on the node mobility. According to Ren et al. [35], phase-based methods [8, 9, 16, 34] have three advantages compared to RSS-based methods [3–6], including having uniform distribution, providing high resolution phase estimation, and enabling phase accumulation across multiple nodes. Similar to [34], the schemes proposed in this paper are also based on channel phase randomness. However, our proposed schemes consider a completely different setting, in which the involved nodes can be more than one hop away from each other. In fact, allowing nodes to be multiple hops away from each other is a major technical challenge addressed in this paper. Hence, our schemes are independent from, and complementary to, the results in [34].

#### 3. Technical Preliminaries

In a typical multihop mobile ad hoc network, there are no infrastructures. Each node is both an end host and a router. Denote the nodes in the network by . If node is within the communication area of , then we say is a neighbor of . Without loss of generality, we assume that wireless channels are symmetric; that is, whenever a node is a neighbor of , is also a neighbor of . Just as in previous work [3, 4], we assume the channel between any two neighboring nodes to be reciprocal. (This assumption implies that our work is most suitable for a homogeneous network. If the network is heterogeneous, then our work needs to be modified before it can be applied.) Denote the channel from to by , and denote the channel from to by . Then the channel reciprocity indicates that for any time .

We use the phase characteristics of both the initial signals and the channel as a random source to extract the shared secret key from. (Note that using the channel phase characteristics as a source of randomness is a feasible approach, which has been adopted in existing work, e.g., [34]. A possible way to implement this can be found in [35].) From the channel reciprocity, we know that within the channel coherence time, the channel between two nodes can be assumed to be invariant. We divide the channel coherence time to equal time slots: . Let the length of each time slot be , and denote the coherence time of the channel by . Let .

During one time slot , when sends the initial signal to , we denote the signal sent from by . has the following representation:
In (1), is the amplitude of . and are the center frequency and the initial phase of , respectively. We emphasize that it is *feasible* to send a signal with a given phase —in fact, some existing schemes like [34] already include such operations. In order to implement such an operation, one can use analog-to-digital converters [35].

*Definition of Adversaries.* In this paper, we consider three different kinds of adversaries: *internal eavesdropper*, *external eavesdropper*, and *MITM adversary*. Here both internal eavesdroppers and external eavesdroppers refer to *passive* adversaries that eavesdrop messages and attempt to figure out the established key. The difference between these two types of adversaries is that an internal eavesdropper is an intermediate node in a path selected for transmitting messages for key agreement, while an external eavesdropper is not an intermediate node in any such path. Unlike these two types of passive adversaries, an MITM adversary is an *active* adversary who controls one or more node in a path selected for transmitting messages for key agreement and carries out an MITM attack. A little more formally, we have the following definitions.

*Definition 1. *A multihop key agreement scheme is secure against a set of external eavesdroppers if, assuming all involved nodes follow the protocol faithfully, all signals overheard by this set of eavesdroppers are statistically independent from the final key generated by this scheme.

*Definition 2. *A multihop key agreement scheme is secure against a set of internal eavesdropper if, assuming all involved nodes follow the protocol faithfully, all packets received by this set of eavesdroppers, together with all signals overheard by this set of eavesdropper, are statistically independent from the final key generated by this scheme.

*Definition 3. *A multihop key agreement scheme is secure against a set of MITM adversaries if, assuming all involved nodes except this set of MITM adversaries follow the protocol faithfully, the final keys different nodes obtain are consistent; furthermore, all packets received by this set of MITM adversaries, together with all signals overheard by this set of adversary, are statistically indepedent from the final key generated by this scheme.

#### 4. The Basic Multihop Key Agreement Scheme

In this section, we propose a basic multihop key agreement scheme. The basic scheme is built on one selected path between the two nodes that want to agree on a secret key. It is secure against any external eavesdroppers as long as those eavesdroppers are more than half a wavelength away from all the nodes in the selected path.

##### 4.1. Scheme Outline

The basic idea of this multihop key agreement scheme is to use both the channel phase characteristics of the selected path and the randomly selected initial phases to extract common secrets (i.e., secrets known only to and ). By using quantization, these common secrets are quantized into common secret bits. After that, information reconciliation and privacy amplification are used [36–38] on the common secret bits, so that a secret key can be generated. When the external eavesdroppers are more than half a wavelength away, they will experience channels that are independent of the channels in the selected path [3, 4].

In order to have common secret bits, the two parties (denoted by and ) need to interact with each other for rounds, assuming in each round that they can get bits from quantization. In each round, picks a random phase value, and sends an initial signal with this initial phase value to using the selected path. Each intermediate node in this path estimates the phase of the signal received from its antecedent node and sends a new signal with this estimated phase to its subsequent node. Note that is the first node in the path, and is the last node in the path. Hence, has a subsequent node only, and has an antecedent node only. After receives the signal from its antecedent node, it picks a random phase value and sends an initial signal with this initial phase value back to , along the reverse path. Each intermediate node estimates the phase of the signal received from its subsequent node, and sends a new signal with the estimated phase to its antecedent node. Finally (resp., ) estimates the phase of the signal received from its antecedent (resp., subsequent) node and adds the estimated phase with its randomly generated initial phase. The sums generated by and both reflect characteristics of all the channels in the path and the random initial phase values picked by and . In order to make sure that they are highly correlated, each round is completed within the channel coherence time. The random initial phase values picked by and are sources of randomness of the extracted common secrets.

After extracting common secrets from the channels and the random initial phase values, and perform independent quantization on these secrets and get common secret bits. The discrepancies between common secret bits of and are corrected by information reconciliation. The lost entropy of performing the information reconciliation is reduced by privacy amplification. In the following, we give detailed descriptions of these steps. After that, we give analysis of the basic scheme.

##### 4.2. Common Secret Extraction

The common secret extraction consists of rounds, and each round contains time slots. Figure 1 illustrates the signal transmission involved in one round.

In the following, we describe steps involved in one round.(1) In the time slot , sends the initial signal with phase to , where the value of is randomly picked by from (and thus *known to *). Without loss of generality, we assume that has a unit power level. Denote the signal received at by . Then we get that , where and denote the amplitude and phase of the signal received from , and denotes the receiver noise at . (2) The phase of is , in which denotes the phase offset of the channel between and . computes the estimate of , which we denote by . After that in , sends a unit signal to whose phase is tuned to . (3) For , in the time slot , computes the phase estimate of the signal received from and sends a new unit signal with this phase estimate to . In , sends the signal to . (4) In the time slot , sends the initial signal with phase to , where also has a unit power level, and is picked randomly by from (and thus *known to *). Denote the signal received at by . Then . The phase of is , in which denotes the phase of the channel between and . (5) For , in , sends the signal to . In , sends the signal to . (6) From the previous steps receives , and receives . It is easy to see that
where and denote the signal phases of and , respectively. computes , and computes . From and , and extract common secret bits.

We denote such a round by . Apparently needs to take time slots.

From the previous protocol process, we can get that and . From the channel reciprocity, and are highly correlated if the measurements are within the channel coherence time. Hereafter, suppose that and carry out rounds of , and denote the extracted secret vectors by and , respectively.

##### 4.3. Quantization

After rounds of common secret extraction, has got the secret vector , and has got the secret vector . For and , is in the range of . Now and quantize each value in their vectors into common secret bits. Specifically, we divide the interval into equal subintervals. Denote these subintervals by . We quantize each subinterval into bits using the Gray code [39]. By using Gray code, adjacent subintervals have only one bit discrepancy after quantization, which reduces the number of bit errors caused by estimation errors.

Denote the length of the targeted secret key by . In order to generate the key, and need to interact with each other for at least rounds.

##### 4.4. Information Reconciliation and Privacy Amplification

Because there exist noises and interferences at the receivers, and can get discrepancies at some common secret bits. They can achieve secret bits reconciliation by transmitting error correcting information through a public channel, which is called information reconciliation [40, 41]. We use the classic Cascade protocol [40] to perform reconciliation between the extracted secret bits. For completeness we briefly review the Cascade protocol.

Denote the two secret bit strings at and by and . In the Cascade protocol, each of the two bit strings are divided into disjoint blocks. One party sends the parity values of all the blocks to the other party. If an odd number of errors are found within any block, and perform an interactive binary error search on that block, until one bit error is corrected. The Cascade protocol consists of several rounds, depending on the rate of bit discrepancies between and . If in the th () round, one error is corrected at the th bit, and then any other block that contains the th bit also contain an odd number of errors, which need to be corrected subsequently. Only minimal information gets leaked out if the number of rounds and the block size are selected appropriately.

After the information reconciliation, privacy amplification [36–38] is used to reduce the side information leaked during information reconciliation. We use the following 2-universal hash family [4]: where is a prime number that satisfies . This 2-universal hash family consists of all the functions that map from to . One party randomly selects and and sends them to the other party. We divide the secret bits after reconciliation into blocks of bits, and is decided based on the required secret key length.

After these two processes, the generated keys at and are cryptographic secure keys. and can use the generated key for secret communications.

##### 4.5. Security Analysis of the Basic Scheme

In this section, we present a security analysis of the basic scheme. Firstly we argue that the basic scheme is secure against any external eavesdroppers that are more than half a wavelength away from all the nodes in the selected path. Secondly we show that threats from internal adversaries can affect the security of the scheme. Finally we show that MITM attack is possible in the basic scheme. (Recall that internal eavesdroppers, external eavesdroppers, and MITM adversary are defined at the end of Section 3.)

###### 4.5.1. Security against Any External Eavesdropper

If all the external eavesdroppers are more than half a wavelength away from all the nodes in the selected path, then their experienced channels are independent of channels between nodes in the selected path.

In the following we analyze the security of the basic scheme when there exists only one external eavesdropper. The analysis can be similarly extended to the case in which there are more than one eavesdroppers. In Figure 2, denote the eavesdropper by . From , gets the following estimated phases from its received signals:

In (4), gets at from and gets at from , . On the other hand, gets at from and gets at from , .

Because and are randomly selected by and , respectively, these estimated phases are also random. Because is independent of , cannot get any knowledge of from . Similarly, cannot get any knowledge of , from , . Finally, during the channel coherence time, no probe signals are transmitted between the nodes in the selected path, so , , and are unknown to . Therefore, from these estimated phase values, gets no knowledge of the extracted secrets at or .

We stress that it is realistic to assume that the external eavesdroppers are at least half a wavelength away. When the carrier frequency is 2.437 GHz (one of the frequency band of 802.11 b), the wavelength of the carrier is . Half a wavelength is only about 6 centimeters. Within such a distance, it is hard for an eavesdropper to avoid being detected.

###### 4.5.2. Threats of Internal Adversaries

In the basic scheme, each of the internal nodes can get the complete knowledge of the extracted secrets at and . If one of them is corrupted, then the scheme is not secure. For example, if is corrupted, based on its received signals from and , it gets and . By adding up these two values, gets an estimate, which is highly correlated to both and . Therefore, if one of the intermediate nodes is corrupted, the basic scheme is not secure.

###### 4.5.3. MITM Attack

Because there are intermediate nodes between and , any of them can carry out an MITM attack. Suppose that intends to carry out an MITM attack and establish two different keys with and , respectively. Specifically, agrees on one key with , based on the subpath ; agrees on another key with , based on the other subpath . The MITM attack consists of the following steps:(1) In each round, performs the following steps: (a) When receives the signal from , it picks a random value and sends to . (b) When receives the signal from , it picks a random value and sends to . (c) computes the estimates of and . Denote these two estimates by and , respectively. (d) computes and . then quantizes and to generate secret bit strings and . Denote the length of and by bits. (2) After rounds, gets and , in which denotes the string concatenation operation. Both and have a length of bits. uses to agree on a secret key with , and uses to agree on a secret key with .

From the attack process we can see that , and . Both and can be viewed as estimates of . By using follow-up quantization, information reconciliation and privacy amplification techniques, and can agree on a secret key . Similarly, both and can be viewed as estimates of . So and can also agree on a secret key . In this way, carries out the MITM attack successfully.

##### 4.6. Possible Reduction of Estimation Errors

Given the basic scheme we have designed, there are possible ways to reduce the estimation errors. For instance, the intermediate nodes between and may append fix phase delay on forward and backward paths; that is, let . This would not reduce secrecy because and are random and unknown to the intermediate nodes.

#### 5. The Improved Multihop Key Agreement

Because the basic scheme suffers from threats of internal adversaries and the MITM attack, in this section, we propose an improved multihop key agreement scheme.

##### 5.1. Scheme Outline

In the improved multihop key agreement scheme, we assume that the network is biconnected. Therefore, between any pair of nodes, we can find at least two disjoint paths. The basic scheme suffers from threats from internal adversaries and the MITM attack because the signals are only transmitted in one path. Any node in that path can get knowledge of the extracted common secret bits and can perform the MITM attack. We design the improved multihop key agreement scheme to make it impossible for nodes in one path to get knowledge of the secret key or control it.

We emphasize that the previous goal of security is nontrivial to achieve. In particular, we consider a simple protocol, which we call SMPP hereafter. Assume that there are two disjoint paths and between and . SMPP starts by letting and generate key over and key over . Then, generates two random sequences and , respectively, and sends over to and over to . Finally, computes by XORing his received value of with ; similarly, he computes . The final key agreed by and is the .

Note that SMPP cannot really work against MITM attacks. For example, suppose that there is a node controlled by the adversary in the middle of . When and try to generate over , launches an MITM attack and makes them disagree on the value of . (This is very easy in general, because can simply play ’s role when talking to its neighbor on ’s side and play ’s role when talking to its neighbor on ’s side. In this way, and agree on one value of , while and agree on another value of .) Hence, believes that the value of is , while believes that the value of is . Both values ( and ) are private against nodes in path . Also suppose that all nodes in are honest and so and agree on the value of , which is private against nodes in . Next, generates and and sends over path and over path . Assume that does not tamper with these transmitted values. Therefore, receives these values correctly. However, since has a different belief about the value of , when tries to recover the value of , he will get instead of . In other words, and will disagree on the value of , which is part of the final key.

In order to achieve our goal of security, we use a better approach. We send the initial signals along two disjoint paths between and , perform estimation, and forwarding at intermediate nodes and add up the estimated phases of received signals from two paths at the two end nodes. In this way, the sum of phases contain not only the initial random values picked for phases, but also channel phase characteristics of both the two paths. Any adversaries within one single path can neither get the established secret key nor carry out a successful MITM attack.

In the improved multihop key agreement scheme, and jointly discover two disjoint paths between them. Denote the lengths of the two paths by and , respectively. After that, and carry out along the first path and along the second path. They interact with each other for sufficient rounds in order to get the targeted common secret bits. In each round, they add up extracted secrets from both rounds together. Finally, and perform quantization, information reconciliation and privacy amplification to get the secret key.

When performing the first step, existing node-disjoint routing discovery protocols [42, 43] can be used. In the improved scheme, we do not assume that there are any preloaded keys or public key infrastructures in the network. Secure routing protocols based on malicious node detection and trust based routing protocols [44–46] can meet this requirement. Using one of these protocols, can find two disjoint paths to . After that, and perform the rest of the multihop key agreement protocol by using the two paths.

##### 5.2. The Improved Scheme—Detailed Description

Denote the two disjoint paths between and by and , as shown in Figure 3.

The improved scheme consists of the following steps.(1)For to , and perform along the first path and perform along the second path. Without loss of generality, let (resp., ) use the same initial phase (resp., ) for and . We reset the starting time to after each round. From , and get and as their extracted common secrets; from , and get and as their extracted common secrets. and get their final common secrets by computing and , respectively. Denote their extracted secret vectors by and , respectively. (2) quantizes each value in the vector , and quantizes each value in the vector . Denote their generated bit strings by and , respectively. (3) and perform information reconciliation and privacy amplification on and . After these two processes, they get the secret key.

##### 5.3. Security Analysis

In this section, we give a security analysis of the improved scheme. This security analysis is based on the assumption that all participating nodes are more than half a wavelength away from each other. Just as mentioned in Section 4.5.1, this is a reasonable assumption.

The security of the improved scheme is guaranteed against adversaries in a single path. Collusion attack from adversaries of both paths is not considered. In the following we first prove that the improved scheme is secure against any internal eavesdroppers in a single path. After that we prove that the improved scheme is secure against any MITM adversaries in a single path. (Recall that internal eavesdroppers and MITM adversary are defined at the end of Section 3.)

Theorem 4. *Under the assumption that all nodes are more than half a wavelength away from each other, the improved multihop key agreement scheme is secure against any internal eavesdroppers in a single path. *

*Proof. *In this proof we enumerate all the phase information that the routing nodes can extract and then point out that they cannot generate any useful information about and ’s secrets.

In the following we consider the collected phase information at an intermediate node in one round. Because the extracted common secrets at each round are quantized separately, they cannot be used for getting knowledge of secrets of other rounds. Consider in the first path . receives signals from both and . From the signals received from and , gets and , respectively. From these two phase estimates, can only get the value of . However, the secrets obtained by and also include the phase estimates through the other path . So we can see that can get no information about the secrets.

For each intermediate node in the first path, we enumerate its estimated phases as follows:
Because all the intermediate nodes are more than half a wavelength away from other nodes, they cannot get the phase information from the other path; that is, . No matter how many nodes in the first path combine their phase information, they cannot gain any knowledge about this value.

Therefore, we can see that the proposed protocol is secure against any internal eavesdroppers in one single path.

*Remark 5. *If an eavesdropper is not an intermediate node in either path, and he is more than half a wavelength away from all participating nodes, then he cannot gain any knowledge on the secret key either. This is similar to our analysis in Section 4.5.

Theorem 6. *The improved multihop key agreement scheme is secure against any MITM adversaries in a single path. *

*Proof. *Without loss of generality, suppose that try to perform the MITM attack to and . The purpose of MITM attack is to establish two different keys with and , respectively, and after that to relay encrypted messages between them.

In , in , receives the signal from . If is an honest node, it will perform the phase estimation of the signal received from and send the signal to . However, wants to perform the MITM attack, so it generates and sends a different signal to . If all other nodes in the first path are honest, then the signal received by should be

In (6), .

On the other hand, when receives from in , generates another phase and sends to . If , and behave honestly, and then the signal receives should be

In (9), .

Now can get his secret bits by quantizing . can get its secret bits by quantizing . has and . However, does not know and either, because is more than half a wavelength from the other path.

From the previous analysis we know that cannot agree on two different keys with and . Therefore, it cannot carry out MITM attack successfully. This analysis can be directly extended to the case that any number of intermediate nodes in the first path carry out MITM attacks collaboratively. Because their experienced channels are statistically independent of channels of the second path, they cannot gain any information of or .

We conclude that the improved protocol is secure against any MITM adversaries in a single path.

*Remark 7. *If the adversary can place cheating nodes on two disjoint paths, there are straightforward ways to extend our protocol to achieve security. For example, we can consider using three disjoint paths between and . In general, in order to prevent cheating nodes on disjoint paths, and can use disjoint paths between them for key extraction, as long as there exist disjoint paths between them. (If there are cheating nodes on all disjoint paths between and , then no solution is possible because these nodes can choose to simply block all communications between and .) This will lead to higher complexity of the protocol—so, there is a tradeoff between security and efficiency.

#### 6. Performance Analysis

As the improved protocol has more than just a pair of nodes, the estimation errors at each intermediate node will aggregate. In this section we present performance analysis of the improved protocol. We mainly focus on the agreement probability of and ’s common secrets.

From the protocol description, we know that the ideal values of and are as follows:

From the channel reciprocity and the assumption that one protocol round is performed within the channel coherence time, we can see that . We denote this value by ; that is, . However, due to the estimation errors of the phase information, there may be discrepancies between and . In the following we analyze the probability of during one protocol round. We denote this probability by .

When one node transmits signals to another node, they use the same frequency, so that the receiver does not need to do frequency estimation. Without loss of generality, the noises at the receivers are independent Gaussian noises with zero mean and variance . The receiver samples the received signal and computes the phase estimate. When the sampling rate is high enough, the estimated phase is a Gaussian random variable whose variance is bounded by the Cramér-Rao bound [47].

From [47], when the signal frequency is known, the variance of the phase is bounded by

In (9), is the amplitude of the received signal. From (9), we can see that the lower bound of the phase variance depends on the signal to noise ratio (SNR) and the sampling rate. When the SNR is higher, the phase variance can achieve a smaller lower bound. When the sampling rate is increased at the receiver, the lower bound can be further decreased. This is in accordance with the intuition that we should get more precise estimation given a higher SNR and sampling rate. In the following we use the Cramér-Rao bound for our analysis.

The estimation error at each node is modeled as a Gaussian noise, with the zero mean and standard deviation relying on the SNR and the sampling rate. Without loss of generality, we assume that the SNR and the sampling rate are all the same at all the participating nodes. From the protocol execution process, we know that the accumulated estimation error at the source or the destination is the sum of all the intermediate estimation errors. We can write as

represents the accumulated estimation error at . According to the previous analysis, . Because , . For ease of analysis, let . From the protocol execution process, we know that . Because , from the property of Gaussian distribution, the probability is much higher when and are close to .

The probability is a function of . It can be computed using the following equation:

Because of the independent noise accumulations at and , we can get

Denote the interval by . Let . Then from the distribution function of Gaussian distribution, . Because and have the same distributions, can be computed by the following expressions:

From (13) we can see that is the sum of the probability that and fall into the same quantization subinterval; that is, , . For each subinterval , the magnitude of is affected by whether . Suppose that , and then will be larger than any other for . This is because the Gaussian distribution function has a larger value when the variable value is closer to the mean (in this case, ). Therefore, is dominated by , for . On the other hand, is affected by ’s position in . If is close to the center of , then will be large; if is close to the end points of , then will be small. This is because when is close to the end points, the probability that and fall into two adjacent subintervals increases. In addition, the standard deviation also has impact on . A smaller will result in a larger , because when is smaller, the probability of or being close to is larger.

#### 7. Simulation Results

In order to measure the performance of the proposed scheme, we simulate the proposed scheme using GlomoSim [7]. By using the PARSEC programming language [48], we write programs for the proposed scheme in the physical layer of GlomoSim protocol stack. We simulate the proposed scheme for different SNRs. Because the receiver SNR is affected mainly by distances between adjacent nodes, we select a set of communication distances, which is {10 m, 20 m, 30 m, 40 m, 50 m, 100 m, 150 m, 200 m, 250 m, 300 m}. For each communication distance (denote it by ), we randomly generate a geometric distribution of 6 nodes. The distance between any pair of adjacent nodes is randomly generated in . We denote these distances by . Because we select 10 communication distances, we also generate 10 random distributions of nodes. One common node distribution for the simulation is shown in Figure 4. We measure average SNRs under different communication distances. The results are shown in Figure 5.

To best simulate the wireless communication environment in reality, we set the center carrier frequency to be 2.437 GHz and the baseband bandwidth to be 11 MHz. This is one of the standard carrier band of 802.11 b. According to Nyquist-Shannon sampling theorem, the sampling rate should be no less than 22 MHz. We choose the sampling rate to be 25 MHz, so that the estimation at the receiver is more accurate. is chosen to be 10 *μ*s. For the large scale signal propagation, we use the two-ray ground reflection model [49] which can be expressed by (14)
In (14), is the transmission power, and is the received power at a distance away from the transmission antenna. and are the antenna gains at the transmitter and the receiver, respectively; and are the antenna heights at the transmitter and the receiver, respectively; is the distance between the transmitter and the receiver.

We use the Rayleigh distribution [49] for the small scale wireless fading model. Both the two-ray ground reflection model and the Rayleigh fading model are directly supported by the GlomoSim network simulator [7].

We measure the quantization agreement probability of and under different communication distances. We also measure the randomness of the secret key. In addition, we measure the key efficiency of the proposed scheme. The results are shown in Sections 7.1, 7.2, and 7.3.

##### 7.1. Quantization Agreement Probability

Under different communication distances, we measure quantization agreement probabilities and bit error rates (BERs) of the quantized common secret bits. For the quantization step, we choose . Therefore, the interval of is divided into subintervals of equal length. We use the Gray code to encode the quantization indices, so that only one bit discrepancy is introduced for adjacent intervals.

The results are shown in Figures 6 and 7, respectively. From Figures 6 and 7, we can see that when the communication distance is 50 m (approximately 38.23 dB SNR), the quantization agreement probability is 0.9535, and the BER is 0.0093. Even when the communication distance is increased to 300 m (approximately 10 dB SNR), the quantization agreement probability is still 0.906, and the BER is 0.019.

##### 7.2. Randomness of the Generated Key

We test the randomness of the generated key using the NIST randomness test suite [50]. We use the 8 tests in the NIST test suite to validate the randomness of one 1024-bit key. The results are shown in Table 1. From Table 1 we can see that the generated key passes all the 8 tests.

##### 7.3. Key Efficiency

In this section, we focus on measuring how long it takes in order to generate a 256-bit key. In order to generate a 256-bit key, and need to get more common secret bits, because the Cascade protocol causes entropy loss. We compute the lost entropy rate of Cascade protocol according to the theoretical results in [40]. After that we measure the key efficiency under different Cascade parameters.

We have completely implemented the Cascade protocol and the privacy amplification method described in Section 4.4. We use the MIRACL library to implement the prime generation and large number arithmetics required for 2-universal hash family. We choose 4~5 rounds for the Cascade protocol, in order that the key agreement ratio is high. We compute the entropy loss rate when the Round-1 block size has different values. For each Round-, its block size is two times the block size of Round-. The results are shown in Figure 8.

As can be seen from Figure 8, when the Round-1 block of Cascade protocol increases, the lost entropy rate decreases. When the communication distance decreases, the lost entropy rate also decreases, because less bits need to be corrected. For example, when the communication distance is 50 m and the round-1 block size is , the lost entropy rate is . Under such a lost entropy rate, in order to generate a -bit key, at least common secret bits need to be collected. When the communication distance is 300 m and the round-1 block size is , the lost entropy rate is . Under such a lost entropy rate, in order to generate a -bit key, at least common secret bits need to be collected.

Under the 10 distributions generated for different communication distances, we measure the efficiency of generating a -bit key using the multihop key agreement protocol. Different combinations of Cascade rounds and Round-1 block sizes are used. The simulation is run at a laptop with Intel Core2 CPU of 2.33 GHz and 2.0 GB memory. For each different setting, we run the key agreement scheme for times and measure the average time. In all these executions, and achieve successful key agreement. The efficiency results are shown in Figure 9.

From Figure 9, we can see that when the Cascade Round-1 block size is decreased, the key efficiency is also decreased. This is because the block number is increased, which increases transferred bits in each round. Furthermore, when the number of Cascade rounds is decreased, the key efficiency is increased. Specifically, for the Cascade parameter , when the communication distance is 50 m, the time of generating a -bit key is seconds. At this speed, the proposed key agreement scheme can achieve Kbps rate. Even when the communication distance is 300 m, the proposed scheme can still achieve 3.17 Kbps rate.

#### 8. Conclusions and Discussions

In this paper, we propose two key agreement schemes as a novel physical-layer technique in multihop wireless networks. The proposed key agreement schemes enable secret key generation between nodes in multihop wireless networks, even if they cannot communicate with each other directly. The proposed basic scheme is secure against external eavesdroppers. And the improved two-path-based scheme is secure against external eavesdroppers, as well as internal eavesdroppers and MITM adversaries in a single path. The proposed scheme can achieve high key efficiency under different communication distances among nodes. The secret key generated by the proposed scheme has very strong randomness. By properly selecting the protocol parameters, the proposed scheme can achieve high success ratio. The proposed scheme is suitable for establishing secret keys for multihop wireless networks.

It is worth noting that our paper has covered only key agreement for unicast communications between two nodes. Broadcast and multicast communications may require different protocols for key agreement. In particular, key agreement for broadcast communications in a wireless network is relatively easy if there are only passive eavesdroppers. A straightforward solution is to establish key agreement between neighbor nodes and then transmit a global key in encrypted form throughout the network. If some nodes in the network are dishonest, then leaking the final global key is unavoidable.

For multicast communications, this problem becomes the pretty challenging problem of group key agreement. Existing solutions such as Wang et al.’s [34] are suitable for this case, but further improvement in security and/or efficiency is also possible.

#### Acknowledgments

This work was partly done while Zhuo Hao and Sheng Zhong were both with University at Buffalo and supported in part by NSF CNS-0845149 and CCF-0915374. Sheng Zhong is currently supported by RPGE and NSFC-61021062.

#### References

- S. Subashini and V. Kavitha, “A survey on security issues in service delivery models of cloud computing,”
*Journal of Network and Computer Applications*, vol. 34, no. 1, pp. 1–11, 2011. View at Publisher · View at Google Scholar · View at Scopus - H. J. Schumacher and S. Ghosh, “A fundamental framework for network security,”
*Journal of Network and Computer Applications*, vol. 20, no. 3, pp. 305–322, 1997. View at Google Scholar · View at Scopus - S. Mathur, W. Trappe, N. Mandayam, C. Ye, and A. Reznik, “Radio-telepathy: extracting a secret key from an unauthenticated wireless channel,” in
*Proceedings of the 14th Annual International Conference on Mobile Computing and Networking (MobiCom '08)*, pp. 128–139, ACM, New York, NY, USA, September 2008. View at Publisher · View at Google Scholar · View at Scopus - S. Jana, S. N. Premnath, M. Clark, S. K. Kasera, N. Patwari, and S. V. Krishnamurthy, “On the effectiveness of secret key extraction from wireless signal strength in real environments,” in
*Proceedings of the 15th annual international conference on Mobile computing and networking (MobiCom '09)*, pp. 321–332, ACM, New York, NY, USA, September 2009. View at Publisher · View at Google Scholar · View at Scopus - C. Ye, S. Mathur, A. Reznik, Y. Shah, W. Trappe, and N. B. Mandayam, “Information-theoretically secret key generation for fading wireless channels,”
*IEEE Transactions on Information Forensics and Security*, vol. 5, no. 2, pp. 240–254, 2010. View at Publisher · View at Google Scholar · View at Scopus - N. Patwari, J. Croft, S. Jana, and S. K. Kasera, “High-rate uncorrelated bit extraction for shared secret key generation from channel measurements,”
*IEEE Transactions on Mobile Computing*, vol. 9, no. 1, pp. 17–30, 2010. View at Publisher · View at Google Scholar · View at Scopus - X. Zeng, R. Bagrodia, and M. Gerla, “GloMoSim: a library for parallel simulation of large-scale wireless networks,” in
*Proceedings of the 12th Workshop on Parallel and Distributed Simulation (PADS '98)*, vol. 28, pp. 154–161, July 1998. View at Scopus - J. E. Hershey, A. A. Hassan, and R. Yarlagadda, “Unconventional cryptographic keying variable management,”
*IEEE Transactions on Communications*, vol. 43, no. 1, pp. 3–6, 1995. View at Publisher · View at Google Scholar · View at Scopus - A. A. Hassan, W. E. Stark, J. E. Hershey, and S. Chennakeshu, “Cryptographic key agreement for mobile radio,”
*Digital Signal Processing*, vol. 6, no. 4, pp. 207–212, 1996. View at Publisher · View at Google Scholar · View at Scopus - M. A. Tope and J. C. McEachen, “Unconditionally secure communications over fading channels,” in
*Proceedings of the Communications for Network-Centric Operations: Creating the Information Force (Milcom '01)*, vol. 1, pp. 54–58, October 2001. View at Scopus - T. Aono, K. Higuchi, T. Ohira, B. Komiyama, and H. Sasaoka, “Wireless secret key generation exploiting reactance-domain scalar response of multipath fading channels,”
*IEEE Transactions on Antennas and Propagation*, vol. 53, no. 11, pp. 3776–3784, 2005. View at Publisher · View at Google Scholar · View at Scopus - L. Zang, X. Wenyuan, R. Miller, and W. Trappe, “Securing wireless systems via lower layer enforcements,” in
*Proceedings of the 5th ACM Workshop on Wireless Security (WiSE '06)*, pp. 33–42, ACM, September 2006. View at Publisher · View at Google Scholar · View at Scopus - C. Ye, A. Reznik, and Y. Shah, “Extracting secrecy from jointly Gaussian random variables,” in
*Proceedings of the IEEE International Symposium on Information Theory (ISIT '06)*, pp. 2593–2597, July 2006. View at Publisher · View at Google Scholar · View at Scopus - B. Azimi-Sadjadi, A. Kiayias, A. Mercado, and B. Yener, “Robust key generation from signal envelopes in wireless networks,” in
*Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07)*, pp. 401–410, November 2007. View at Publisher · View at Google Scholar · View at Scopus - C. Ye, A. Reznik, G. Sternberg, and Y. Shah, “On the secrecy capabilities of ITU channels,” in
*Proceedings of the IEEE 66th Vehicular Technology Conference (VTC '07-Fall)*, pp. 2030–2034, October 2007. View at Publisher · View at Google Scholar · View at Scopus - A. Sayeed and A. Perrig, “Secure wireless communications: secret keys through multipath,” in
*Proceedings of the IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP '08)*, pp. 3013–3016, April 2008. View at Publisher · View at Google Scholar · View at Scopus - S. Nitinawarat, “Secret key generation for correlated Gaussian sources,” in
*Proceedings of the IEEE International Symposium on Information Theory (ISIT '08)*, pp. 702–706, July 2008. View at Publisher · View at Google Scholar · View at Scopus - M. Bloch, J. Barros, M. R. D. Rodrigues, and S. W. McLaughlin, “Wireless information-theoretic security,”
*IEEE Transactions on Information Theory*, vol. 54, no. 6, pp. 2515–2534, 2008. View at Publisher · View at Google Scholar · View at Scopus - X. Tang, R. Liu, P. Spasojević, and H. V. Poor, “Secret-key sharing based on layered broadcast coding over fading channels,” in
*Proceedings of the IEEE International Symposium on Information Theory (ISIT '09)*, pp. 2762–2766, July 2009. View at Publisher · View at Google Scholar · View at Scopus - S. T.-B. Hamida, J.-B. Pierrot, and C. Castelluccia, “An adaptive quantization algorithm for secret key generation using radio channel measurements,” in
*Proceedings of the 3rd International Conference on New Technologies, Mobility and Security (NTMS '09)*, pp. 1–5, December 2009. View at Publisher · View at Google Scholar · View at Scopus - J. Zhang, S. K. Kasera, and N. Patwari, “Mobility assisted secret key generation using wireless link signatures,” in
*Proceedings of the IEEE International Conference on Computer Communications (IEEE INFOCOM '10)*, pp. 1–5, March 2010. View at Publisher · View at Google Scholar · View at Scopus - S. Xiao, W. Gong, and D. Towsley, “Secure wireless communication with dynamic secrets,” in
*Proceedings of the IEEE International Conference on Computer Communications (IEEE INFOCOM '10)*, pp. 1–9, March 2010. View at Publisher · View at Google Scholar · View at Scopus - S. Gollakota and D. Katabi, “Physical layer wireless security made fast and channel independent,” in
*Proceedings of the 30th IEEE International Conference on Computer Communications (IEEE INFOCOM '11)*, pp. 1125–1133, IEEE, Shanghai, China, April 2011. View at Publisher · View at Google Scholar · View at Scopus - M. A. Zafer, D. Agrawal, and M. Srivatsa, “A note on information-theoretic secret key exchange over wireless channels,” in
*Proceedings of the 47th Annual Allerton Conference on Communication, Control, and Computing (Allerton '09)*, pp. 754–761, October 2009. View at Publisher · View at Google Scholar · View at Scopus - J. Wallace, “Secure physical layer key generation schemes: performance and information theoretic limits,” in
*Proceedings of the IEEE International Conference on Communications (ICC '09)*, pp. 1–5, June 2009. View at Publisher · View at Google Scholar · View at Scopus - J. W. Wallace, C. Chen, and M. A. Jensen, “Key generation exploiting MIMO channel evolution: algorithms and theoretical limits,” in
*Proceedings of the 3rd European Conference on Antennas and Propagation (EuCAP '09)*, pp. 1499–1503, March 2009. View at Scopus - S. C. Draper, A. M. Sayeed, and T.-H. Chou, “Minimum energy per bit for secret key acquisition over multipath wireless channels,” in
*Proceedings of the IEEE International Symposium on Information Theory (ISIT '09)*, pp. 2296–2300, July 2009. View at Publisher · View at Google Scholar · View at Scopus - R. Wilson, D. Tse, and R. A. Scholtz, “Channel identification: secret sharing using reciprocity in ultrawideband channels,” in
*Proceedings of the IEEE International Conference on Ultra-Wideband (ICUWB '07)*, pp. 270–275, September 2007. View at Publisher · View at Google Scholar · View at Scopus - M. G. Madiseh, M. L. McGuire, S. W. Neville, and A. A. B. Shirazi, “Secret key extraction in ultra wideband channels for unsynchronized radios,” in
*Proceedings of the 6th Annual Communication Networks and Services Research Conference (CNSR '08)*, pp. 88–95, May 2008. View at Publisher · View at Google Scholar · View at Scopus - M. G. Madiseh, M. L. McGuire, S. S. Neville, L. Cai, and M. Horie, “Secret key generation and agreement in UWB communication channels,” in
*Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM '08)*, pp. 1842–1846, December 2008. View at Publisher · View at Google Scholar · View at Scopus - S. T.-B. Hamida, J.-B. Pierrot, and C. Castelluccia, “Empirical analysis of UWB channel characteristics for secret key generation in indoor environments,” in
*Proceedings of the IEEE 21st International Symposium on Personal Indoor and Mobile Radio Communications (PIMRC '10)*, pp. 1984–1989, September 2010. View at Publisher · View at Google Scholar · View at Scopus - J. Croft, N. Patwari, and S. K. Kasera, “Robust uncorrelated bit extraction methodologies for wireless sensors,” in
*Proceedings of the 9th ACM/IEEE International Conference on Information Processing in Sensor Networks (IPSN '10)*, pp. 70–81, ACM, April 2010. View at Publisher · View at Google Scholar · View at Scopus - S. T. Ali, V. Sivaraman, and D. Ostry, “Secret key generation rate vs. reconciliation cost using wireless channel characteristics in body area networks,” in
*Proceedings of the IEEE/IFIP 8th International Conference on Embedded and Ubiquitous Computing (EUC '10)*, pp. 644–650, December 2010. View at Publisher · View at Google Scholar · View at Scopus - Q. Wang, H. Su, K. Ren, and K. Kim, “Fast and scalable secret key generation exploiting channel phase randomness in wireless networks,” in
*Proceedings of the IEEE International Conference on Computer Communications (IEEE INFOCOM '11)*, pp. 1422–1430, April 2011. View at Publisher · View at Google Scholar · View at Scopus - K. Ren, H. Su, and Q. Wang, “Secret key generation exploiting channel characteristics in wireless communications,”
*IEEE Wireless Communications*, vol. 18, no. 4, pp. 6–12, 2011. View at Google Scholar - C. H. Bennett, G. Brassard, and J. M. Robert, “Privacy amplification by public discussion,”
*SIAM Journal on Computing*, vol. 17, no. 2, pp. 210–229, 1988. View at Google Scholar · View at Scopus - R. Impagliazzo, L. A. Levin, and M. Luby, “Pseudo-random generation from one-way functions,” in
*Proceedings of the 21st Annual ACM Symposium on Theory of Computing (STOC '89)*, pp. 12–24, ACM, May 1989. View at Scopus - C. Cachin, “Linking information reconciliation and privacy amplification,”
*Journal of Cryptology*, vol. 10, no. 2, pp. 97–110, 1997. View at Google Scholar · View at Scopus - E. N. Gilbert, “Gray codes and paths on the n-cube,”
*Bell Systems Technical Journal*, vol. 37, pp. 815–826, 1958. View at Google Scholar - G. Brassard and L. Salvail, “Secret-key reconciliation by public discussion,” in
*Proceedings of the Workshop on the Theory and Application of of Cryptographic Techniques (EUROCRYPT '93)*, pp. 410–423, Springer, Lofthus, Norway, May 1994. - B. Kanukurthi and L. Reyzin, “Key agreement from close secrets over unsecured channels,” in
*Proceedings of the 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT '09)*, pp. 206–223, Springer, Berlin, Germany, 2009. - A. Srinivas and E. Modiano, “Minimum energy disjoint path routing in wireless Ad-Hoc networks,” in
*Proceedings of the 9th Annual International Conference on Mobile Computing and Networking (MobiCom '03)*, pp. 122–133, ACM, September 2003. View at Scopus - J. Tang and G. Xue, “Node-disjoint path routing in wireless networks: Tradeoff between path lifetime and total energy,” in
*Proceedings of the IEEE International Conference on Communications (ICC '04)*, pp. 3812–3816, June 2004. View at Scopus - S. Marti, T. J. Giuli, K. Lai, and M. Baker, “Mitigating routing misbehavior in mobile ad hoc networks,” in
*Proceedings of the 6th Annual International Conference on Mobile Computing and Networking (MOBICOM '00)*, pp. 255–265, August 2000. View at Scopus - S. Buchegger and J. Y. Le Boudec, “Performance analysis of the CONFIDANT protocol (Cooperation of nodes: fairness in dynamic ad-hoc networks),” in
*Proceedings of the 3rd ACM International Symposium on Mobile ad Hoc Networking & Computing (MobiHoc '02)*, pp. 226–236, June 2002. View at Scopus - P. Michiardi and R. Molva, “Core: a collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks,” in
*Proceedings of the IFIP TC6/TC11 6th Joint Working Conference on Communications and Multimedia Security*, pp. 107–121, Kluwer BV, Deventer, The Netherlands, 2002. - D. C. Rife and R. R. Boorstyn, “Single tone parameter estimation from discrete-time observations,”
*IEEE Transactions on Information Theory*, vol. IT-20, no. 5, pp. 591–598, 1974. View at Google Scholar · View at Scopus - R. Bagrodia, R. Meyer, M. Takai et al., “Parsec: a parallel simulation environment for complex systems,”
*Computer*, vol. 31, no. 10, pp. 77–85, 1998. View at Google Scholar · View at Scopus - T. Rappaport,
*Wireless Communications: Principles and Practice*, Prentice Hall PTR, Upper Saddle River, NJ, USA, 2001. - NIST, “A statistical test suite for random and pseudorandom number generators for cryptographic applications,” 2001. View at Google Scholar