Key Generation Method Based on Multi-Satellite Cooperation and Random Perturbation

In low-earth-orbit (LEO) satellite-to-ground communication, the size of satellite antennae is limited and the satellite motion trajectory is predictable, which makes the channel state information (CSI) of the satellite-to-ground channel easy to leak and impossible to use to generate a physical layer key. To solve these problems, we propose a key generation method based on multi-satellite cooperation and random perturbation. On the one hand, we use multi-satellite cooperation to form a constellation that services users, in order to increase the equivalent aperture of satellite antennae and reduce the correlation between the legal channel and the wiretap channel. On the other hand, according to the endogenous characteristics of satellite motion, a random perturbation factor is proposed, which reflects the randomness of the actual channel and ensures that the CSI of the legal channel is not leaked due to the predictability of satellite motion trajectory. Simulation results show that the proposed method can effectively reduce the leakage of the legal channel’s CSI, which makes the method of physical layer key generation safe and feasible in the LEO satellite-to-ground communication scene.


Introduction
With the development of wireless communication technology, LEO satellite communication technology has become an important part of global wireless communication [1,2]. Compared with ground communication, LEO satellite communication has wider coverage and larger communication capacity. Compared with geostationary earth orbit (GEO) satellite communication, LEO satellite communication has lower delay and transmission loss [3,4]. Therefore, the study of LEO satellite communication is of far-reaching significance for building 6G Space-Air-Ground Integrated Networks (SAGINs) and meeting the seamless global coverage of future communication networks [5][6][7][8].
However, due to the wide coverage and broadcasting characteristics of wireless LEO satellite communications, the satellite-to-ground signals can be freely transmitted within hundreds of kilometers on the ground, which allows eavesdroppers, ultra-long distances away, to wiretap the CSI of the legal channel.
At present, there are two main methods to solve the security problems in LEO satellite communications: 1.
Traditional Cryptography: Traditional cryptography generates secret keys through a cryptographic algorithm, and then distributes them to legitimate users to encrypt the plaintext. This method uses the computational complexity of cryptographic algorithms to ensure the security of cipher text. Actually, encryption and decryption calculations in this method require a lot of computing resources. Additionally, key management and distribution rely on complex protocol architecture. So, it is not suitable for LEO satellite communication systems with limited computing resources,

1.
The Insecurity of Satellite Trajectory: Different from the electromagnetic wave propagation conditions of the ground scenario, satellite-to-ground communication includes two parts: the space segment and the telephone segment. The CSI of the satellite-toearth channel is directly related to the position of satellites and ground receivers [3,15]. Due to the openness of satellite motion parameters, satellite orbits are predictable, which means eavesdroppers can directly obtain the position of satellites and ground receivers. This leads to the revelation of the legal channel's CSI and insecurity of physical layer key sources. 2.
The Insecurity of Satellite Signals: Due to the limited size, satellite antennae always have a small equivalent aperture and a wide signal beam in long-distance satellite-toground communication. When satellite signals reach the ground, they can be regarded as far-field parallel lights [16]. Therefore, each satellite signal can cover numerous ground receivers within a range of hundreds of kilometers, and each satellite-toground channel is highly correlated with another. This means eavesdroppers can easily obtain the CSI of the legal channel by estimating relevant channels. In this case, the physical layer key generation method is impractical.
To solve the above problems, we proposed a model of multi-satellite cooperation and random perturbation in a satellite-to-ground communication system, and put forward a key generation method based on it. The main contributions are as follows: • We proposed a multi-satellite coordination model to solve the problem that the channels between a single satellite and multiple ground receivers have strong correlations.

•
We introduced a satellite perturbation factor into the channel model to restore the endogenous randomness of the satellite-to-ground channel, which can improve the randomness of the channel and prevent eavesdroppers from predicting the satellite position precisely.
• Based on the above model, we proposed a key generation method to generate secret keys from the satellite-to-ground channel, which includes four parts: channel estimation, quantify, information negotiation and privacy magnification.

•
To verify the feasibility of the proposed method, we simulated and analyzed the randomness and safety of the generated key. The simulation results show that the proposed model has endogenous randomness and the proposed key generation method is feasible.

System Model
As shown in Figure 1, we consider a LEO satellite-to-ground communication network model, including N LEO satellites, a legitimate user Bob and an eavesdropper Eve. Each node is equipped with a single antenna. Bob hopes to extract secret keys from satellite-toground channels, and Eve passively eavesdrops on the process without interfering with the key generation process. When the satellites move along the orbits, define two complex random variables h k and g k as the channel from the kth satellite to Bob and Eve, respectively. Define the mean of h k and g k is 0, and the variance of them is σ 2 h k = σ 2 h and σ 2 g k = σ 2 g , k ∈ {1, 2, . . . , N}. Define the position shifts of satellites on ideal orbits caused by the gravitational force of stars, sunlight pressure and other factors as the perturbation factor. Considering the impact of satellite perturbation in the actual satellite communication scenario, we introduce the perturbation offset phase ∆ϕ = {∆ϕ 1 , . . . , ∆ϕ k } and ∆θ = {∆θ 1 , . . . , ∆θ k }. The actual channel from the kth satellite to Bob and Eve can be defined as h k e −jπ sin ∆ϕ k and g k e −jπ sin ∆θ k , respectively, where ∆ϕ ∼ U − π 2 , π 2 and ∆θ ∼ U − π 2 , π 2 . The channel from N satellites to Bob and Eve can be defined, respectively, as → h = h 1 e −jπ sin ∆ϕ 1 , h 2 e −jπ sin ∆ϕ 2 , · · · , h N e −jπ sin ∆ϕ N and → g = g 1 e −jπ sin ∆θ 1 , g 2 e −jπ sin ∆θ 2 , · · · , g N e −jπ sin ∆θ N . Obviously, the perturbation factor is a random and unpredictable factor, which indicates the unique endogenous attributes of satellites that differ from other communication entities.
In the LEO satellite-to-ground communication system, the electromagnetic wave signals sent by satellites need to penetrate outer space and the atmosphere to reach the ground, which is affected by many factors during the propagation process, such as the atmospheric effect, large-scale fading, the multi-path effect, shadow fading, and Doppler Le frequency shift. According to [17], the satellite-to-ground channel can be divided into two parts: the space segment and the ground segment, which represents satellite-to-ground propagation and ground-to-environment propagation, respectively. 1.
Space Segment The transmission of signals in the space segment is mainly affected by the atmospheric effect. The envelope and phase of the signal obey the normal distribution, which can be expressed by where r a and ϕ a represent the envelope and phase of the signal, and µ a and u a represent the mean of the envelope and phase, and σ 2 a and η 2 a represent the variance of the envelope and phase.

Ground Segment
Affected by the multi-path effect, the signal in the ground segment can be expressed as the sum of the LOS component and the multi-path component, which can be expressed as where r and θ represent the amplitude and phase of received signals, z and Φ z represent the amplitude and phase of the LOS component, s and Φ s represent the amplitude and phase of the multi-path component.
According to the influence of shadow fading on the LOS component, the three states of (3) and their probability distributions are as follows: When the LOS component is not blocked, the signal obeys the Rice distribution: where w 0 = ε[r 2 ] represents the average power of the multi-path component, A represents the power of the LOS component, and I 0 (·) represents the zero-order Bessel function of the first kind. When the LOS component is partially blocked, the signal obeys the Loo distribution: where µ and σ 0 represent the mean and variance of log-normal distribution. When the LOS component is completely blocked, the signal obeys the Rayleigh distribution: In order to describe the long-term dynamic characteristic of the channel, the above three states can be described by a Markov process, which can be given by P(r) = ω 1 P Ray1 (r) + ω 2 P Loo (r) + ω 3 P Ricn (r) (7) where ω i represents the probability that the system is in state i. Considering the channel characteristics of the space segment and the ground segment, the phase and envelope of the LEO satellite-to-ground channel can be expressed as P all (r) = P a (r a )·P(r) (8) P all (ϕ) = P a (ϕ a )·P(ϕ) (9) Entropy 2021, 23, 1653

of 19
It can be seen from (3) that the existence of the LOS path means the satellite-to-ground communication scenario cannot meet the channel uniqueness principle. Even if the distance between Eve and Bob is much longer than half of the wavelength, there is still a strong correlation between the legal channel and the wiretap channel.

Secret Key Generation Method
Based on the above system model and typical point-to-point physical layer key generation method, we proposed a key generation method for LEO satellite-to-ground communication scenarios, which includes four parts: channel estimation, quantify, information negotiation and privacy magnification [18][19][20].

Channel Estimation of Bob
Define x as the pilot transmitted from satellites to Bob. The signal received by Bob and Eve can be given by [21,22] g k e −jπ sin ∆θ k x + n e (11) where n b and n e denote the additive white Gaussian noise of Bob and Eve with mean 0 and variance σ 2 n , respectively. According to the reciprocity of the wireless channel, Bob and Eve can use pilot signals sent by satellites to estimate the channel [23]. The channel estimation results of Bob and Eve can be expressed as where x * is the conjugation of x and m + ni = √ m 2 + n 2 (m, n ∈ R).

Channel Estimation of Satellites
Define a as the pilot transmitted from Bob to satellites. Due to the reciprocity of uplink and downlink channels, the signal of kth satellite received can be given by y k = h k e −jπ sin ∆ϕ k a + n bk (14) where n bk represents the additive white Gaussian noise from kth satellite to Bob. The channel estimation results of kth satellite can be expressed as In order to obtain the same key source for both the sending and receiving ends, each satellite needs to share the channel estimation results obtained by itself to all satellites through the inter-satellite communication link. When information sharing between the satellites is completed, the key source obtained by each satellite can be expressed as Since this process transmits signals through the inter-satellite link, Eve cannot eavesdrop on relevant information.
From (12) and (16), it can be seen that both satellites and Bob have obtained the sum of CSI of N satellite-to-ground channels, which has intrinsic security attributes of time varying and randomness. In the proposed method, we used the sum of CSI as key source for physical layer key generation.

Quantify
After channel estimation, a continuous signal can be quantized into discrete signals by determining the quantization threshold. In order to maximize the information entropy after quantization, we adopted the method of equal probability quantization, so that the probability of samples falling into each quantization interval is equal.
Moreover, the amplitude and phase information are quantized separately, considering the distribution that they obey. Since Eve cannot obtain key source with the same distribution as Bob, she cannot obtain a quantitative result consistent with Bob.

Information Negotiation
In order to ensure that legitimate communication parties obtain a consistent key, information negotiation techniques based on protocol are usually used [24]; or an errorcorrecting code. In order to reduce the time of information exchange, we select a Low-Density Parity Check code (LDPC) with a code length of 2000 for information negotiation, which uses the error correction capability of LDPC to correct the inconsistent bits between the quantization results.

Privacy Magnification
To enhance the bit mismatch ratio (BMR) between the key generated by legal users and Eve, we use the hash function of the SHA256 algorithm for privacy amplification [25]. Although this procedure cannot increase the randomness of the original key, it avoids the possibility of weak keys causing loopholes in the encryption algorithm.

Equivalent Near-Field Model Analysis
Due to the limited size of satellite antennae and the long distance from the satellite to the ground, satellite signals are far-field parallel light when they reach Bob and Eve. Taking the kth satellite signal as an example, the far-field parallel light modeling of Bob and Eve is shown in Figure 2, where d denotes the distance between Bob and Eve, and θ k denotes the angle between the direction of the kth satellite signal and the normal. As shown in Figure 2, the channel between the kth satellite and Eve can be given by (17) where λ denotes the wavelength. In the far-field model, define d = λ/2, then

Theorem 1.
In the far-field model, the larger the number and spacing of satellites, the larger the equivalent aperture of satellite antennae, the narrower the signal beam, and the lower the correlation between the channel from satellite to Bob and Eve. In this case, the far-field model can be equivalent to the near-field model for analysis.
Proof of Theorem 1. According to the actual communication scenario, we model the N satellites with an overall line model. l is the satellite spacing distance (100-120 km), L is the linear array length, λ is the wavelength, and H is the distance between the line array and Bob (1000-2000 km). The LEO satellite-to-ground communication frequency is in the ka band (29.1-29.3 GHz). The equivalent antenna aperture of the uniform linear array can be expressed by [26]: According to the definition of the electromagnetic near-field model and the far-field model, when H ≥ 2ρ 2 0 /λ min , this system can be considered as a far-field model. Conversely, when H < 2ρ 2 0 /λ min , this system can be considered as a near-field model [26]. Substituting the relevant parameters above into (19), it can be seen that H << 2ρ 2 0 /λ min , in which case the terminal distance can be degenerated from the far-field model to the near-field model. Therefore, a constellation composed of multiple satellites can be equivalent to an antenna with a super-large aperture, and the equivalent aperture increases as the number of satellites and the distance between adjacent satellites increase. In the near-field model, due to the spatial uniqueness of the wireless channel, Eve cannot obtain the relevant information of the legal channel. In this case, Bob can use the sum of N satellite-to-earth channels to generate the physical layer key.

Security Analysis
In the physical layer key generation method, the security of the key source comes from the legal channel cannot be eavesdropped on. In order to prove that the proposed method can guarantee the security of the legal channel and further study the influence of number of satellites and the perturbation factor on it, we analyzed the security of the legal channel in this section.
According to the definition of the correlation coefficient, define A and B as two complex random variables, and ρ(A, B) as the correlation coefficient between A and B [27,28].
where Cov (A, B) indicates the covariance of A and B, and Var[·] indicates the variance of a random variable. The correlation coefficient between the legal channel h and the wiretap channel g can be given by µ c and σ 2 c are the mean and variance of cos(π sin α k ) and µ s and σ 2 s are the mean and variance of sin(π sin α k ), where k ∈ {1, 2, . . . , N} and α k ∈ {∆ϕ k , ∆θ k , θ k }. The derivation process of (21) is provided in Appendix A.
When N = 1, this indicates that in the case of a single satellite, Eve can infer the CSI of the legal channel through the wiretap channel. At this time, since the electrical size of the satellite antennae when it is normalized to the wavelength is very small, the satellite-toground communication model is a far-field parallel light model, and Bob cannot use the satellite-to-ground channel between herself and the LEO satellite to generate secret keys.
When N > 1, ρ( h, g) decreases as N increases. When the number of satellites N is large enough, the legal channel and the wiretap channel are regarded as uncorrelated, and Eve cannot infer the CSI of the legal channel through the wiretap channel. Bob can use the satellite-to-ground channel between herself and the LEO satellite to generate secret keys.

Influence of the Perturbation Factor
Due to the openness of satellite motion parameters, eavesdroppers can predict the current theoretical position of the satellite when it moves along the orbit, thereby obtaining the CSI of the legal channel. To ensure that Eve cannot obtain the CSI of the legal channel in this way, we consider the channel phase shift caused by the random perturbation of the satellite, and introduce a random perturbation factor to express the endogenous randomness of the satellite-to-ground channel, which can also ensure the security of the key source. We analyze the impact of the perturbation factor on the security of the key source in this section.
Define h as the legal channel information obtained by Eve by calculating the satellite trajectory, which can be expressed as The correlation coefficient between the legal channel h and the channel calculated by Eve h can be expressed as The derivation process of (23) is provided in Appendix B. When N = 1, since the satellite-to-ground channel is not affected by the multi-path effect when there is only a single satellite, the random perturbation of the satellite only changes the phase of one main path. At this time, the predicted channel and the actual channel only differ by one phase, and the security of the key source cannot be guaranteed.
When N > 1, ρ h, h decreases as N increases. If ρ h, h ≤ 0.3, Eve cannot obtain the CSI of the legal channel by calculating satellite trajectory. The above analysis indicates that one phase shift caused by a single perturbation factor is meaningless, and only the superposition of different phase shifts caused by multiple perturbation factors is reliable. Therefore, by introducing the perturbation factor method, the security of the key source in the multi-satellite cooperative communication system can be guaranteed. In this case, the superposition of multiple perturbation factors causes drastic changes in the channel phase, which greatly increases the randomness and time-varying nature of the satellite-to-ground channel.

Simulation Analysis
In order to verify the effectiveness and feasibility of the proposed method, we conducted a series of simulation experiments in MATLAB R2016a environment to analysis the randomness and security of the generated key. We use the Monte Carlo method to conduct 10,000 experiments, and each experiment randomly generates channel and noise data to ensure the accuracy of the experiment. The simulation conditions are as follows: 1.
The number of LEO satellites is N = 4.

3.
σ The satellites are evenly distributed on a circular arc centered on Bob with a radius of 2000 km, the distance between adjacent satellites is 110 km.

5.
The satellite-to-ground communication frequency is 29.3 GHz (ka band).

Randomness Analysis
We use the NIST [29] suite of statistical tests to test the randomness of the key. There are 15 items in NIST test totally, and all items return a p-value to summarize the strength of the evidence against the null hypothesis. When the p-value is larger than the chosen significance level (α ∈ [0.001, 0.01]), the sequence is accepted as random.
In this paper, due to the extremely long sequence (larger than 10 6 ) required in some test items which are not available in the current simulation, we run 8 items (over half of all the 15 test) to evaluate the randomness of the key sequence, which still satisfies NIST's requirements [29,30]. Moreover, we choose α as 0.01 and perform 8 NIST tests for 100,000 trials, where each key has a length of 256 bits. The test results are shown in Table 1. It can be seen that the key generated by the proposed method has passed the NIST test, which indicates that the key has high randomness.  Figure 3 simulates the relationship between the distance from Bob to Eve and ρ h, g in the case of different satellite numbers. It can be seen from Figure 3 that in the case of a single satellite communication scene, when Eve is within 97 km from Bob, the correlation coefficient of the two channel estimation results is close to 1, and the correlation information of the legal channel can be obtained at any position within 110 km. Define d min as the minimum distance between Eve and Bob when ρ h, g ≤ 0.3 is satisfied. d min keeps decreasing with the number of satellites. When N = 1, d min = 110 km. When N = 4, d min .decreases to 83 m. The results show that Bob's safety distance can be effectively reduced by increasing the number of satellites, making it feasible for Bob to use satellite-to-ground channels to generate physical layer keys.

Security Analysis
In order to prove that the proposed model in this paper can guarantee the security of the legal channel, we analyze the amplitude and phase of the ground receiving signal in the satellite-to-ground communication models with a single satellite or four satellites when Bob and Eve are 83 m away.   (c) (d) The simulation results show that the proposed method can effectively reduce the correlation between the signals received by Bob and Eve, and ensure that the CSI of the legal channel cannot be eavesdropped on. At the same time, due to the random perturbation factor introduced, the changes in channel amplitude and phase caused by satellite perturbation can be expressed precisely, which ensures that the proposed method has practical feasibility. The simulation results show that the proposed method can effectively reduce the correlation between the signals received by Bob and Eve, and ensure that the CSI of the legal channel cannot be eavesdropped on. At the same time, due to the random perturbation factor introduced, the changes in channel amplitude and phase caused by satellite perturbation can be expressed precisely, which ensures that the proposed method has practical feasibility.

Conclusions
This paper mainly studies the physical layer key generation method in LEO satelliteto-ground scenarios. Aiming at the problem that the legal channel information is easy to leak in LEO satellite-to-ground communication scenarios, a physical layer key generation method based on multi-satellite cooperation random perturbation is proposed. In this method, the method of multi-satellite cooperation is used to increase the equivalent aperture of satellite antennae and reduce the safety distance of legal users. At the same time, the perturbation factor is introduced in channel modeling to increase the randomness of the actual channel and prevent eavesdroppers from obtaining legal channel information by predicting the position of satellite movement. The simulation results show that the method proposed in this paper can realize physical layer key generation in LEO satellite-to-ground communication scenarios, and as the number of satellites increases, the security distance of legal users can be reduced from hundreds of kilometers to tens of meters. The proposed method provides a good solution to generation of a physical layer key in the LEO satelliteto-ground communication scenario, and provides a new idea for the application of PLS in 6G SAGINs.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A
Define X = X R + jX I as a complex random variable, where X ∈ {h k , g k , n b , n e }. X R and X I represent the real and imaginary parts of X, respectively. In the same way as [31][32][33], define X R and X I as independent and identically distributed. The mean and variance of X R and X I can be given by indicates the mean of a random variable. From (12) and (13), h and g can be given by g k e −jπ sin ∆θ k + x * x 2 n e = N ∑ k=1 g R k + jg I k (cos(π sin ∆θ k ) − j sin(π sin ∆θ k )) + x * x 2 n e = N ∑ k=1 g R k cos(π sin ∆θ k ) + g I k sin(π sin ∆θ k ) +j N ∑ k=1 −g R k sin(π sin ∆θ k ) + g I k cos(π sin ∆θ k ) + x * x 2 n e (A4) Define h R , h I , g R and g I as g R k cos(π sin ∆θ k ) + g I k sin(π sin ∆θ k ) −g R k sin(π sin ∆θ k ) + g I k cos(π sin ∆θ k ) From (A3) and (A4), (A5) and (A6) can be derived as Since h R and h I are independent of n b , from (A7), the variance of h can be given by In a similar way to (A9), the variance of g can be given by From (A5), the variance of h R in (A9) can be given by Var h R k cos(π sin ∆ϕ k ) + h I k sin(π sin ∆ϕ k ) Var h R k cos(π sin ∆ϕ k ) + Var h I k sin(π sin ∆ϕ k ) +2Cov h R k cos(π sin ∆ϕ k ), h I k sin(π sin ∆ϕ k ) Since h R k , h I k and ∆ϕ k are independent of each other, Cov h R k cos(π sin ∆ϕ k ), h I k sin(π sin ∆ϕ k ) = E h R k cos(π sin ∆ϕ k ) · h I k sin(π sin ∆ϕ k ) − E h R k cos(π sin ∆ϕ k ) E h I k sin(π sin ∆ϕ k ) So, (A11) can be derived as Var h R k cos(π sin ∆ϕ k ) + Var h I k sin(π sin ∆ϕ k ) (A13) In a similar way to (A13), the variance of h I k can be given by Var −h R k sin(π sin ∆ϕ k ) + h I k cos(π sin ∆ϕ k ) Var h R k sin(π sin ∆ϕ k ) + Var h I k cos(π sin ∆ϕ k ) Since that ∆ϕ k , ∆θ k and θ k are independent and identically distributed, define the mean and variance of cos(π sin α k ) as µ c and σ 2 c , and the mean and variance of sin(π sin α k ) as µ s and σ 2 s , where k ∈ {1, 2, . . . , N} and α k ∈ {∆ϕ k , ∆θ k , θ k }.
Var h R k cos(π sin ∆ϕ k ) = E h R k cos(π sin ∆ϕ k ) In a similar way to (A15), it can be obtained that Var h I k sin(π sin ∆ϕ k ) = Var h R k sin(π sin ∆ϕ k ) = Var h I k cos(π sin ∆ϕ k ) = Var h R k cos(π sin ∆ϕ k ) = From (A13), (A14), (A16) and (A17), it can be obtained that From (A9), (A18) and (A19), the variance of h can be given by In a similar way to (A20), from (A10), the variance of g can be given by From (A7), the mean of h can be given by In a similar way to (A22), the mean of g can be given by From (A5), the mean of h R in (A22) is In a similar way to (A24), from (A5), the mean of h I in (A22) is From (A22), (A24) and (A25), In a similar way to (A26), From (A7), (A8), (A26) and (A27), the covariance of h and g can be given by From (A5) and (A6), the mean of h R g R can be given by g R k cos(π sin ∆θ k ) + g I k sin(π sin ∆θ k ) (A29) Since h i and g j are independent of each other when i, j ∈ {1, 2, . . . , N} and i = j, so it can be obtained that E h R i cos(π sin ∆ϕ i )g R j cos(π sin ∆θ j ) = E h R i E cos(π sin ∆ϕ i )g R j cos(π sin ∆θ j ) = 0 (A30) where i, j ∈ {1, 2, . . . , N} and i = j.

Appendix B
From (22), it can be obtained that The mean and variance of h can be given by In a similar way to (A28), from (A7), (A26), (A43) and (A45), the covariance of h and h can be given by In a similar way to (A29) and (A33), from (A5)