An Efﬁcient Advantage Distillation Scheme for Bidirectional Secret-Key Agreement

: The classical secret-key agreement (SKA) scheme includes three phases: (a) advantage distillation (AD), (b) reconciliation, and (c) privacy ampliﬁcation. Deﬁne the transmission rate as the ratio between the number of raw key bits obtained by the AD phase and the number of transmitted bits in the AD. The unidirectional SKA, whose transmission rate is 0.5, can be realized by using the original two-way wiretap channel as the AD phase. In this paper, we establish an efﬁcient bidirectional SKA whose transmission rate is nearly 1 by modifying the two-way wiretap channel and using the modiﬁed two-way wiretap channel as the AD phase. The bidirectional SKA can be extended to multiple rounds of SKA with the same performance and transmission rate. For multiple rounds of bidirectional SKA, we have provided the bit error rate performance of the main channel and eavesdropper’s channel and the secret-key capacity. It is shown that the bit error rate (BER) of the main channel was lower than the eavesdropper’s channel and we prove that the transmission rate was nearly 1 when the number of rounds was large. Moreover, the secret-key capacity C s was from 0.04 to 0.1 as the error probability of channel was from 0.01 to 0.15 in binary symmetric channel (BSC). The secret-key capacity was close to 0.3 as the signal-to-noise ratio increased in the additive white Gaussian noise (AWGN) channel.


Introduction
The one-time pad was developed by Vernam [1], by which a group of users can communicate messages among themselves securely if they share a common secret key beforehand.However, the key rate should be at least the message rate [2], and so the problem of secure communication effectively turns into the problem of secret-key agreement (SKA).In the SKA problem, legitimate users Alice and Bob aim at agreeing on a sequence of bits (key) that must be kept secret from the passive eavesdropper Eve.As shown in Figure 1, the classical SKA scheme includes three phases: (a) advantage distillation (AD), (b) reconciliation, and (c) privacy amplification [3].AD aims to provide the legitimate agents an advantage over the eavesdropper.Information reconciliation aims at generating an identical random sequence at both Alice and Bob.Privacy amplification is the step that extracts a secret key from the identical random sequence agreed upon by the legitimate agents [4].
Bounds for the secret-key capacity have been derived for a large variety of communication channels [5][6][7][8][9].Unfortunately, most do not provide direct insight into the design of practical secret-key capacity-achieving schemes.SKA based on noisy channels was presented in [5,10] using an additional insecure but authenticated public channel in which a third party can eavesdrop the communication but cannot forge it.This approach was recently extended in [11] to the model where the players share correlated Gaussian sources.In [12], opportunistic transmission was proposed for SKA over the quasi-static fading channel by sending signals only when the channel condition for the two legitimate players is better than the one for an adversary.The use of the reciprocity of wireless channels has been studied in [13][14][15] to study the key agreement.In [16], the SKA with public discussion was studied based on Gaussian and fading channels.It is well known that Wyner [17] introduced the wiretap channel, in which a sequence M is transmitted from Alice to Bob over the main channel, while Eve is wiretapping over the eavesdropper's channel.Wyner proved that Alice could send M to Bob in almost perfect secrecy if the main channel between Alice and Bob is better than Eve's eavesdropper channel.Nevertheless, the assumption that the main channel is better (lower error rate) than the eavesdropper's channel is generally impractical.This problem can be solved by using a two-way communication (TWC) as the main channel [18].By using TWC, the message received by Eve over the eavesdropper's channel is noisier than the message received by Bob.Therefore, the TWC scheme can be used as an AD scheme.Obviously, if we combine this AD scheme with any reconciliation and privacy amplification steps, the result can be used as secret keys between Alice and Bob [19].However, the SKA of [18] is unidirectional from Alice to Bob, and therefore the transmission rate of this SKA is slow.

Privacy amplification
In this paper, emphasis is placed on the AD over the binary symmetric channel (BSC) and additive white Gaussian noise (AWGN) channel.We present a novel approach in building the two-way wiretap channel (TWWC) for bidirectional SKA.Different from all previous works, we will modify the original TWC scheme to be a bidirectional AD scheme to increase the transmission rate of the SKA and study the proposed AD over BSC and AWGN channel.We calculate the secret-key capacity of the proposed AD scheme to measure how many secret key bits can be shared between Alice and Bob.The advantages of the proposed bidirectional AD scheme are as follows.

•
The proposed AD scheme provides an advantage of Alice and Bob over Eve when the channel between Alice and Bob is not less noisy than Eve's eavesdropper channel.

•
The unidirectional SKA-whose transmission rate is 0.5-can be realized by using the original TWWC as the AD scheme.However, a bidirectional SKA whose transmission rate is 1 can be realized by using the proposed AD scheme.
The remainder of this paper is organized as follows.Section 2 presents a general two-way wiretap channel; A single round of the SKA with the proposed AD scheme is introduced in Section 3; The proposed AD scheme is extended to multiple rounds and is introduced in Section 4; Section 5 proposes a bidirectional secret-key agreement over AWGN channel; Section 6 shows performances of the proposed systems; Finally, conclusions are drawn in Section 7.

Transmission Scheme
A TWWC between Alice and Bob was described in [18], in which the channel from Alice to Bob was considered to be error-free due to the powerful Low Density Parity Check (LDPC) codes.In this paper, we consider an original TWWC model shown in Figure 2, in which both main channel and eavesdropper channel are not error free.
The notations used throughout this paper are given in Table 1.In the conventional TWWC, to initiate a secure communication, Bob first transmits a random sequence Q to Alice.For i = 1, 2, • • • , l, the raw keys are M i ab and M i ba , the error vectors of the main channel and the eavesdropper's channel are E i ab , E i ba , E i ae , and E i be .E 0 ba denotes the error vector of the main channel and E 0 be denotes the error vector of the eavesdropper's channel.The superscript 0 represents the process where Bob sends a random sequence Q to Alice and i represents that a raw key M is transmitted in the i-th round.The subscripts ab, ba and ae, be denote sequences transmitted from Alice to Bob, from Bob to Alice and sequences wiretapped from Alice to Eve, and from Bob to Eve.We assume that the length of each sequence is n, so that the received sequences of Alice and Eve are respectively, where the binary operator ⊕ denotes exclusive OR (XOR) operation [20].Then, Alice uses the received sequence T 1 to calculate  Alice transmits U 1 to Bob through the main channel and Eve may wiretap this U 1 through the eavesdropper's channel.Bob and Eve can receive the noisy version of U 1 , respectively, as Since Bob knows the random sequence Q, he can XOR Q to U as Eve only knows TA 1 , which is the noisy version of Q, and she can only XOR TA 1 to W 1 as As shown in Figure 3, the raw key M is transmitted unidirectionally from Alice to Bob in the original TWWC.By comparing M1 ab and Z 1 ae , Eve has one more noisy term than Bob.Therefore, as long as the main channel is not worse than the passive eavesdropper's channel (the weight of E 0 ba is not higher than that of E 0 be and E 1 ae ), it is guaranteed that Eve is unable to arrive at the same sequence as Alice and Bob.Alice and Bob can use any reconciliation scheme and privacy amplification function to transform the raw key M1 ab and Z 1 ae into a much shorter secret key.Because of her errors, Eve is unable to predict Alice's or Bob's output of the privacy amplification.Finally, the secret key would be used as a one-time pad to ensure information-theoretic security between Alice and Bob.Furthermore, it is easy to see that this SKA is unidirectional from Alice to Bob.If Bob wants to send raw keys to Alice, they need another secure transmission with their roles exchanged.
Original two-way wiretap channel.

Transmission Rate
Following the literature [3], we denote η as the transmission rate of the AD scheme.Let L M be the number of raw keys, and L Q be the number of random sequences.Then, the transmission rate is calculated as Following the definition, the transmission rate η uni of the original unidirectional TWC scheme is

Bidirectional Secret-Key Agreement
If we use the above TWWC for AD in SKA, the raw keys are unidirectionally transmitted from Alice to Bob and the transmission rate η uni is just 1  2 .In order to increase the transmission rate of the SKA, we modify the original unidirectional TWWC to a bidirectional TWWC for the AD step of the SKA between Alice and Bob .

Proposed Advantage Distillation scheme
Assuming that there are l rounds of SKA between Alice and Bob, the first round of the proposed bidirectional AD scheme is as follows.

Preprocessing
Bob sends a random sequence Q, Q = (q 0 , q 1 , • • • , q n−1 ) to Alice.The received sequences by Alice and Eve, respectively, are where and 3.1.2.SKA from Alice to Bob (A1. 1) Alice uses the received sequence T 1 to calculate where . Alice sends U 1 over the main channel and Eve wiretaps U 1 through the eavesdropper's channel.
(A1. 2) Bob and Eve receive the noisy version of U 1 as V 1 and W 1 , respectively, as where M1 ab = ( m1 ab 0 , m1 is the received raw key.Eve only knows the noisy version of Q, which is TA 1 .Therefore, she can only XOR TA 1 to W 1 as where in the eavesdropped raw key. 3.1.3.SKA from Bob to Alice (B1. 1) Before Bob sends the raw key M 1 ba to Alice, he has to make Then, we can calculate and send U 2 to Alice through the main channel when Eve wiretaps it via the eavesdropper's channel.
(B1. 2) In this step, when Bob transmits the sequence U 2 to Alice, the noise of the two channels are E 1 ba and E 1 be , respectively.Both Alice and Eve receive a noisy version of U 2 as V 2 and W 2 : 3) Alice has the knowledge of U 1 and Eve has the knowledge of W 2 , therefore Alice can obtain the intended raw key by and Eve can obtain the intended sequence by Step A1 and Step B1 correspond to the first round of our proposed bidirectional AD scheme for SKA, which is shown in Figure 4.Note that Steps A1.1-A1.3provide raw keys M 1 ab and M1 ab ; we can do the reconciliation to correct errors between M 1 ab and M1 ab and do the privacy amplification to get the secret keys shared between Alice and Bob.Similarly, Steps B1.1-B1.3provide raw keys M 1 ba and M1 ba , based on which we can also do the reconciliation and privacy amplification steps and obtain secret keys between Alice and Bob.

Let us define L i
M as the number of the raw keys, L Q as the number of the random sequence Q.Then, the transmission rate η i bi of the proposed bidirectional AD over i round is For example, for i = 1, 2, η 1 bi and η 2 bi equals to 2 3 and 4 5 , respectively.However, for a large number of rounds, such as l = 100, η 100 bi almost equals to 1. Now, let us analyze the error probability of the main and eavesdropper's channels in the following theorem.

Theorem 1. Let the error probability of E i
ba and E i ab be denoted as Pr(e i ba k = 1) = Pr(e i ab k = 1) = α and the error probability of E i be and E i ae be denoted as Pr(e i be k = 1) = Pr(e i ae k = 1) = β.After a round of the bidirectional TWC, the bit error probability of the main channel is 2α(1 − α), and the bit error probability of the eavesdropper's channel is α

Proof. Since Bob receives M1
ab = M 1 ab ⊕ E 0 ba ⊕ E 1 ab and the raw key is M 1 ab , the bit error probability of raw key M 1 ab is Pr( m1 Since Eve only has Pr(e 0 be k = 0) Pr(e 1 ae k = 0) + Pr(e 0 ba k = 0) Pr(e 0 be k = 1) Pr(e 1 ae k = 0) + Pr(e 0 ba k = 0) Pr(e 0 be k = 0) Pr(e 1 ae k = 1) + Pr(e 0 ba k = 1) Pr(e 0 be k = 1) Pr(e 1 Let C m and C w , p m = 2α(1 − α), and 2 denote the capacity of the main channel and eavesdropper's channel, bit error probability of main channel and eavesdropper's channel, respectively.Assuming α = β, the BER of the main channel and the eavesdropper's channel are summarized in Table 2.We can also receive the secret-key capacity C s , where H b (p) is the binary entropy function.Assuming α = β, p(m Then, we can obtain For the varying α and β, the corresponding C m , C w and C s are summarized in Table 3.

Multiple Rounds of Secret-Key Agreement
Assume that there are l rounds of SKA.Then, the ith round of bidirectional AD (shown in Figure 5) is as follows.

Alice Bob
i ba Then, Alice sends the raw key M i ab to Bob by 2) Bob and Eve can receive the noisy version of U 2i−1 as (A2. 3) Bob and Eve have the knowledge of U 2i−2 and W 2i−2 .Therefore, they can obtain the noisy version of M i ab by XOR U 2i−2 and W 2i−2 to V 2i−1 and W 2i−1 , respectively.The result is calculated as and 4.2.SKA from Bob to Alice (B2. 1) In the i-th round, Bob has to make Then, he sends the raw key M i ba in the noisy form, which is over the main channel.Meanwhile, Eve may wiretap it by the eavesdropper's channel.
(B2. 2) Alice can receive V 2i , consisting of the noisy vector E i ba and U 2i , and Eve can receive W 2i , which consists of the noisy vector E i be and U 2i , (B2. 3) Alice and Eve have the knowledge of U 2i−1 and W 2i−1 , respectively.Therefore, they can obtain the noisy version of M i ba by XOR U 2i−1 and W 2i−1 to (36) and (37).The Mi ba and Z i be can be received by and As shown in Figure 6, the secret sequence M is transmitted bidirectionally between Alice and Bob in our proposed scheme.The BER of the main channel and eavesdropper's channel in the i-th round is the same as that of the first round.Transmission rate after l rounds of the proposed AD is which is close to 1 when l is large enough.

Bidirectional Secret-Key Agreement over AWGN Channel
Now, let us demonstrate the proposed AD scheme over the AWGN channel.Assume that there are l rounds of SKA over AWGN channel as well.Then, the i-th round shown in Figure 7 is as follows.

Alice
Bob Then, Alice sends the raw key M i ab to Bob by 2) Bob and Eve can receive the noisy version of U 2i−1 as where the variance of AWGN over the main channel and the eavesdropper's channel are σ 2 m and σ 2 w , respectively.

(A3. 3) Bob and Eve can obtain the noisy version of M i
ab by minusing U 2i−2 and W 2i−2 to V 2i−1 and W 2i−1 , respectively.The result will be Mi and where the variance of AWGN n be or n ae is σ 2 w .
Comparing to the AD schemes using the original two-way wiretap channel, the advantage of our scheme is that we need fewer rounds of communication between Alice and Bob to obtain the same amount of keys.Furthermore, since we need fewer rounds of communication, we also need less XOR operations to obtain the same amount of keys.In each round of the unidirectional AD scheme, using the original two-way wiretap channel, Alice and Bob need 1 XOR operation, respectively, in (3) and (6).In each round of the proposed bidirectional AD scheme, Alice needs 2 operations in ( 12) and (21), and Bob needs 2 operations in (15) and (18).Therefore, in each round of the proposed bidirectional AD scheme, the number of XOR operations is two times higher than that in the unidirectional AD scheme.However, our bidirectional scheme also has a transmission rate of secret keys which is two times greater than that of the unidirectional AD scheme.Therefore, our scheme needs the same number of XOR operations to obtain the same amount of secret keys as the unidirectional AD scheme.We have listed the transmission rate, XOR operations of the unidirectional AD scheme and the proposed bidirectional AD in Table 4.

Scheme Transmission Rate Number of XOR Operations
Unidirectional TWWC scheme 0.5 2l Bidirectional TWWC scheme 1 4l

Conclusions
In this paper, we modified the original unidirectional TWWC to a bidirectional TWWC for the AD step of the SKA between Alice and Bob over BSC channel and AWGN channel.The proposed bidirectional secret-key agreement can be used to distribute keys between Alice and Bob and its transmission rate is better than the secret-key agreement of unidirectional TWWC.The BER and capacity were calculated first, and then we evaluated the performance of the proposed AD scheme in terms of BER over BSC channel and secret-key capacity over both channels.The BER of the main channel is lower than the eavesdropper's channel, and analysis of the transmission rate is nearly 1 when the number of rounds is large.Moreover, The secret-key capacity C s is from 0.04 to 0.1 as the error probability of channel is from 0.01 to 0.15 in the BSC channel.In the AWGN channel, the secret-key capacity is close to 0.3 as the SNR increases.

Figure 1 .
Figure 1.Block diagram of the secret key agreement (SKA) scheme.

Figure 2 .
Figure 2. Advantage Distillation Scheme based on the original two-way wiretap channel.

Figure 4 .
Figure 4. First round of bidirectional secret-key agreement.

Figure 5 .
Figure 5.The i-th round of bidirectional secret-key agreement.

Figure 7 .
Figure 7.The i-th round of bidirectional secret-key agreement over AWGN channel.

Figure 8 .
Figure 8.The BER performance of the main channel and eavesdropper's channel over binary symmetric channel (BSC).

Figure 9 .
Figure 9.The secret-key capacity and capacities of the main channel and eavesdropper's channel over BSC channel.

Figure 10 .
Figure 10.The secret-key capacity and capacities over additive white Gaussian noise (AWGN) channel.
ab noisy version of raw keys obtained by Bob or Alice Z 1 ae noisy version of raw keys obtained by Eve L M number of raw keys M L Q number of random sequence Q α cross over probability between Alice and Bob β cross over probability between legitimate users and Eve n i ab noise vector from Alice to Bob over AWGN channel n i ba noise vector from Bob to Alice over AWGN channel n i ae noise vector from Alice to Eve over AWGN channel n i be noise vector from Bob to Eve over AWGN channel C m capacity of the main channel C w capacity of the eavesdropper's channel C s secret-key capacity

Table 2 .
Bit error rate (BER) of main channel and the eavesdropper's channel.

Table 3 .
Channel capacity and secret-key capacity.

Table 4 .
Transmission rate number of XOR operations of different schemes with l rounds, l is large enough.TWWC: two-way wiretap channel.