Information Theoretic Security for Wireless Channels - Theory and Practice

Matthieu Bloch, João Barros, Miguel R. D. Rodrigues and Steven W. McLaughlin

School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, GA
Department of Computer Science & LIACC/UP, Universidade de Porto, Portugal
Computer Laboratory, University of Cambridge, United Kingdom

Abstract—We present a physical-layer approach aimed at providing information-theoretic security in wireless communication systems. We study the fundamental security limits of quasi-static fading channels and develop a practical secret key agreement protocol. The protocol uses a four-step procedure to secure communications: establish common randomness via an opportunistic transmission, perform message reconciliation, establish a common key via privacy amplification, and use the key. We provide a performance analysis of the proposed security system in the case of perfect and imperfect knowledge of the eavesdropper's channel.

I. INTRODUCTION

All wireless systems today separate the problems of secure and reliable communication. Conventional cryptographic security is typically handled at the upper layers of the protocol stack, once the physical layer has been established and the communication between the friendly parties is error-free. However, there exist both theoretical and practical results supporting the idea that extra security, and especially information-theoretic (perfect) security, can be obtained by exploiting the physical layer. The fundamental notion of perfect secrecy was introduced by Shannon [1], who showed that the one-time pad was perfectly secure, i.e. an infinitely powerful attacker can extract precisely zero information from the encoded stream.
In spite of its conceptual power, this result was very pessimistic since the problem of secure communications reduced to the problem of secure key distribution, and it was widely believed that perfect secrecy is not achievable in practical systems.

Information-theoretic security was revived by the seminal work by Wyner [2] on the so-called wiretap channel, and subsequent generalizations by Csiszár and Körner [3], who prove (in a non-constructive way) that there exist channel codes guaranteeing both robustness to transmission errors and a prescribed degree of data confidentiality. The secrecy capacity of the Gaussian wiretap channel, i.e. the maximum transmission rate at which an eavesdropper is unable to decode any information, was characterized by Leung and Hellman [4]. In [5], Maurer shows how legitimate users (say Alice and Bob) can generate a secret key through public communication over an insecure yet authenticated channel, still ensuring that an eavesdropper (Eve) is unable to decode any useful information. Privacy amplification (see Bennett et al. [6]) provides Alice and Bob with the means to distill perfectly secret symbols (e.g. a secret key) from a large set of only partially secret data.

More recently, Barros and Rodrigues [7] showed that in the presence of fading, information-theoretic security is achievable even when the eavesdropper has a better average signal-to-noise ratio (SNR) than the legitimate receiver. In [8], Hero introduces space-time signal processing techniques for secure communication over wireless links. Practical secrecy capacity-achieving codes for erasure channels were presented by Thangaraj et al. in [9]. LDPC codes were also shown by Bloch et al. [10] to be useful tools for reconciliation of correlated continuous random variables, with implications in quantum key distribution.
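
The result attributed to [7] above, that fading makes secrecy achievable even when Eve has the better average SNR, can be checked numerically. The following is an added example, not code from the paper: it assumes independent unit-variance Rayleigh fading on both links, applies the Gaussian wiretap secrecy capacity to each fading block, and compares the simulation with the closed form $\bar\gamma_M/(\bar\gamma_M+\bar\gamma_E)$, which follows from those assumptions and is not stated on this page. All function names and SNR values are constructed for illustration.

```python
import math
import random


def instantaneous_snr(rng, avg_snr):
    """Draw one quasi-static block: h ~ CN(0, 1), so |h|^2 is exponential with mean 1."""
    sigma = math.sqrt(0.5)  # real and imaginary parts each have variance 1/2
    h = complex(rng.gauss(0.0, sigma), rng.gauss(0.0, sigma))
    return avg_snr * abs(h) ** 2


def secrecy_capacity(snr_main, snr_eve):
    """Gaussian wiretap secrecy capacity in bits per channel use, for fixed SNRs."""
    return max(0.0, math.log2(1.0 + snr_main) - math.log2(1.0 + snr_eve))


def simulate(avg_main, avg_eve, blocks=200_000, seed=1):
    """Return (fraction of blocks with positive secrecy capacity, average capacity)."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    positive, total = 0, 0.0
    for _ in range(blocks):
        cs = secrecy_capacity(instantaneous_snr(rng, avg_main),
                              instantaneous_snr(rng, avg_eve))
        positive += cs > 0.0
        total += cs
    return positive / blocks, total / blocks


def closed_form_positive(avg_main, avg_eve):
    """P(gamma_M > gamma_E) for independent exponential SNRs with the given means."""
    return avg_main / (avg_main + avg_eve)


if __name__ == "__main__":
    # Constructed scenario: Eve's average SNR (10) is twice Bob's (5), linear scale.
    frac, avg_cs = simulate(avg_main=5.0, avg_eve=10.0)
    print(f"simulated P(Cs > 0) = {frac:.4f}")
    print(f"closed form         = {closed_form_positive(5.0, 10.0):.4f}")
    print(f"average Cs          = {avg_cs:.4f} bits/channel use")
```

Without fading, these average SNRs would give zero secrecy capacity; with fading, roughly one block in three favours Bob, and those are the blocks an opportunistic scheme can use.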
Motivated by the results in [7] and [10], we seek to develop a secret key agreement scheme that is capable of exploiting the physical properties of the wireless channel to provide information-theoretic security. The main idea of our secret key agreement protocol is for the legitimate partners to share common randomness when the instantaneous secrecy capacity is strictly positive. In the remaining time, a class of LDPC codes is used for reconciliation, thus allowing the extraction of a secret key that can ultimately be distilled using privacy amplification.

The remainder of the paper is organized as follows. In Section II we review the theoretical results associated with the security of quasi-static fading channels. Section III presents an opportunistic secure communication protocol for wireless channels, and in Section IV we finally analyze the performance of the protocol and discuss its effectiveness.

II. SECURE COMMUNICATION OVER QUASI-STATIC RAYLEIGH FADING CHANNELS

A. System setup and definitions

We consider the system setup described in Fig. 1, where a legitimate user (Alice) wants to send secure messages $w$ to another user (Bob). Each $k$-bit message $w^k$ is encoded into an $n$-bit codeword $x^n$ before transmission. Bob observes the output of a discrete-time Rayleigh fading channel (the main channel) given by

$$y_M(i) = h_M(i)\,x(i) + n_M(i),$$

where $h_M(i)$ denotes the main channel complex Gaussian fading coefficient with zero mean and unit variance, and $n_M(i)$ denotes a zero-mean circularly symmetric complex Gaussian noise. Likewise, a third party (Eve) is also capable of eavesdropping Alice's transmissions, and observes the output