ChirpKey: A Chirp-Level Information-Based Key Generation Scheme For LoRa Networks Via Perturbed Compressed Sensing
8 authors, including: Yu Zhang (University of the Arts London) and Tao Gu (RMIT University).
All content following this page was uploaded by Huanqi Yang on 04 May 2023.
Abstract—Physical-layer key generation is promising in establishing a pair of cryptographic keys for emerging LoRa networks. However, existing key generation systems may perform poorly since the channel reciprocity is critically impaired due to the low data rate and long range of LoRa networks. To bridge this gap, this paper proposes a novel key generation system for LoRa networks, named ChirpKey. We reveal that the underlying limitations are coarse-grained channel measurement and an inefficient quantization process. To enable fine-grained channel information, we propose a novel LoRa-specific channel measurement method that essentially analyzes the chirp-level changes in LoRa packets. Additionally, we propose a LoRa channel state estimation algorithm to eliminate the effect of asynchronous channel sampling. Instead of using a quantization process, we propose a novel perturbed compressed sensing based key delivery method to achieve a high level of robustness and security. Evaluation in different real-world environments shows that ChirpKey improves the key matching rate by 11.03–26.58% and the key generation rate by 27–49× compared with the state of the art. Security analysis demonstrates that ChirpKey is secure against several common attacks. Moreover, we implement a ChirpKey prototype and demonstrate that it can be executed in 0.2 s.

Index Terms—Physical-layer key generation, LoRa, Compressed sensing

* Weitao Xu is the corresponding author.

I. INTRODUCTION

A. Background and Limitations

LoRa is one of the Low-Power Wide Area Network (LPWAN) technologies and it has received increasing attention in recent years due to its open protocol standard and Chirp Spread Spectrum (CSS) modulation. Similar to legacy wireless technologies such as Wi-Fi and ZigBee, LoRa networks are vulnerable to malicious attacks due to the broadcasting nature of wireless communication. To secure communication, physical-layer key generation has emerged as a promising solution, which complements conventional security schemes (i.e., public key cryptography [1], pre-shared key [2]) due to its high efficiency and no prior requirements. Although secret key generation has been extensively studied over the past decades, existing studies mainly focus on ZigBee [3], Wi-Fi [4]–[6], and 5G [7]. Physical-layer key generation in LoRa networks poses new challenges due to its low data rate and long range.

To address these new challenges, a number of efforts have been made recently. The received signal strength indicator (RSSI) (i.e., channel characteristic) based method with quantization [8] has been proposed to present the feasibility of physical-layer key generation in LoRa networks, but the number of keys extracted by RSSI is limited due to the coarse-grained channel characteristic. To improve the key generation rate, a register RSSI based method [9] has been proposed, but the achieved key generation rate is still relatively low (e.g., 13.8 bits/s only). Hence, we reveal that the following two fundamental challenges remain unsolved.

(1) Coarse-grained and noisy channel measurement

Physical-layer key generation is based on channel reciprocity, which indicates the two communication parties will have highly correlated channel measurements if the channel can be probed within the channel coherence time. Therefore, accurate and fine-grained channel measurement is the basis for efficient key generation. Unfortunately, the commonly used physical-layer characteristic for LoRa networks is RSSI [8], [10], which can only provide coarse-grained channel information. Some recent works [9], [11] utilize register RSSI to improve the granularity of the wireless channel, but the register RSSI measurements are still noisy [9]. Therefore, existing channel indicators cannot provide sufficient and accurate information for physical-layer key generation in LoRa networks.

(2) Inefficient quantization process

In most physical-layer key generation systems, after obtaining channel measurements, the next step is quantization, which converts channel measurements into binary bits (i.e., 1 or 0). Although a variety of quantization mechanisms have been proposed [8]–[12], the quantization process is inherently lossy and error-prone [6]. Due to noisy channel measurement and the low data rate of LoRa networks [13], a quantization-based key generation system may need to exchange more packets to obtain more channel information and run an additional information reconciliation process to partially fix errors. Hence, it may further lead to system inefficiency and lack of robustness.
B. Contributions

In this paper, we design and implement a novel physical-layer key generation system for LoRa networks named ChirpKey, which essentially addresses the above challenges.

To enable fine-grained channel sampling, we take a closer look at the CSS modulation of LoRa's physical layer. In our preliminary study, we reveal that every chirp modulated at the sender has a constant amplitude, which can be utilized to indicate channel state. Our insight is to divide a LoRa packet into multiple chirps and calculate the fine-grained changes of chirps. Following this idea, we propose a LoRa-specific channel measurement named Chirp-Level Signal Strength Indicator (CLSSI) by analyzing the changes of the chirp units in LoRa packets. Additionally, due to the half-duplex mode (i.e., asynchronous channel sampling) of LoRa transceivers, channel information may be missed, which impairs the channel reciprocity. Fortunately, with sufficient channel information provided by CLSSI, we observe that the missing channel information can be practically estimated. Therefore, we design a channel state estimation algorithm by adopting a lightweight spline fitting method, and the estimated CLSSI provides an accurate and comprehensive measurement of the wireless channel.

To address the second challenge, we propose a novel Perturbed Compressed Sensing (PCS) based key delivery method that can efficiently deliver a secret key generated by one LoRa device to another. Inspired by the success of compressed sensing theory, our initial idea is to deliver the compressed key and reconstruct it on the receiver side directly using compressed sensing with fair robustness. However, since standard compressed sensing requires the same measurement matrix to be pre-shared by Alice and Bob, using channel measurements may not be able to construct the matrix, hence it may fail to apply in our work. Alternatively, we leverage PCS for the design of key delivery. Since PCS accepts the tiny difference between the matrices of sender and receiver, we intuitively use the channel measurements (i.e., similar but not the same channel information) to construct the matrices, where one matrix is used for compressing the secret key and another matrix is used for decompressing the key. In particular, due to decoupling the need for quantization and the information reconciliation process, the proposed method is able to effectively achieve system efficiency and robustness for secret bit agreement. Moreover, different from the quantization-based methods, since the secret key is obtained from a random key generator, ChirpKey can build a key with strong randomness.

We conduct extensive evaluations in both indoor and outdoor environments. Results show that ChirpKey achieves a high matching rate and outperforms the state of the art. We also demonstrate the security of ChirpKey against common attacks via rigorous proof and evaluation. In summary, this paper makes the following contributions.

• We propose ChirpKey, a novel physical-layer key generation scheme for LoRa networks. ChirpKey addresses two key limitations in existing work and enables fast and secure physical-layer key generation.
• We propose a novel fine-grained channel state indicator, named CLSSI. Compared to existing channel indicators, CLSSI can provide fine-grained and accurate channel state information. To improve the integrity of channel information, we propose a lightweight channel state estimation method to comprehensively recover the channel information.
• We propose a novel PCS-based key delivery scheme to deliver secret keys. Compared to existing quantization-based solutions, the proposed method improves the robustness significantly. We demonstrate the security of the proposed scheme via rigorous proof and extensive evaluation.
• We conduct extensive experiments to evaluate ChirpKey in different real environments. Results show that ChirpKey achieves an average key matching rate of 99.58% and a key generation rate of 13 bits per measurement. Compared to the state of the art, ChirpKey improves key matching rate and key generation rate by 11.03–26.58% and 27–49×, respectively. Results also show that it takes less than 0.2 s to generate a 128-bit key and incurs low power consumption.

II. RELATED WORK

Wireless Key Generation. Wireless key generation has received considerable attention over the past decades. In the literature, a large volume of systems have been proposed for different wireless technologies, such as Wi-Fi [6], [14], Zigbee [3], and Bluetooth [15]. In these studies, researchers have used a variety of physical-layer features, including Channel State Information (CSI) [6], [14], RSSI [9], [11], and phase [16]. For example, TDS [6] exploited Wi-Fi CSI as channel characteristics to generate keys for mobile devices. To enhance the channel reciprocity of CSI, Liu et al. [14] leveraged channel response in multiple Orthogonal Frequency-Division Multiplexing (OFDM) subcarriers, coupled with a Channel Gain Complement (CGC) scheme for key generation.

LoRa is an emerging wireless communication technology designed specifically for long-range and low-power communications. The low data rate and long airtime of LoRa bring new research challenges. To address these challenges, several key generation systems for LoRa networks have been proposed in recent years. For example, LoRa-Key [8] is the first RSSI-based key generation method for LoRa. In their follow-up research [9], a variant RSSI feature, register RSSI, is exploited, which can provide finer granularity of channel sampling for key generation. Recently, Yang et al. [11] utilized the mean value of adjacent rRSSI (arRSSI) of LoRa signals for key establishment in Internet of Vehicles (IoV) scenarios. However, the performance of these systems is limited because of the use of coarse-grained channel characteristics and an inefficient quantization mechanism. Our work differs from existing studies in two aspects. First, we propose a novel LoRa-specific channel characteristic that can provide fine-grained channel state information. Second, we propose a novel PCS-based key delivery method instead of using quantization-based key generation methods.

Compressed Sensing. Compressed sensing is a signal processing technique used to reconstruct signals efficiently by finding solutions for underdetermined linear systems. In
[Figures 2–5 (plots not reproduced). Fig. 2: Correlation analysis (correlation vs. data rate in bps). Fig. 3: Envelope of a chirp (normalized amplitude vs. sample). Fig. 4: Channel state estimation (normalized amplitude vs. time in ms). Fig. 5: CLSSI and RSSI (normalized amplitude vs. time in ms).]
CLSSI in the first step of ChirpKey (i.e., channel probing), as shown in Fig. 1. In principle, the proposed CLSSI can enhance channel reciprocity to obtain sufficient and accurate channel information for key generation, compared with traditional packet-level RSSI. The calculation details are as follows.

Recall that each LoRa packet is composed of multiple chirps. According to the definition of a chirp $x(t) = \sin(\phi(t))$, where $\phi(t)$ is a linear function for the LoRa signal, the frequency of the chirp varies with time while the amplitude is constant; therefore, the upper envelope of the received chirps can reflect the attenuation of the LoRa signal after propagating in the air, as illustrated in Fig. 3. Inspired by this observation, we first divide a LoRa packet into multiple chirp units. Then we detect the local maxima of each chirp. Finally, we can obtain the CLSSI by calculating the mean amplitude of the envelope of the local maxima for each chirp. Compared to traditional RSSI and the recently proposed register RSSI [9], [11], CLSSI offers two advantages. First, CLSSI is LoRa-oriented and its calculation process is lightweight, making it suitable for LoRa networks. Second, CLSSI is based on chirp-level information, which can provide fine-grained channel state information. As will be demonstrated in Sec. VI-C, the performance of ChirpKey is significantly improved after using CLSSI.

B. Channel State Estimation

The proposed CLSSI can provide fine-grained channel information, but the non-simultaneous channel sampling in time-division duplex communication systems significantly impairs the channel reciprocity. As shown in the upper figure of Fig. 4, the CLSSI sequences acquired by Alice or Bob after channel probing can only reflect half of the channel variance due to the non-simultaneous channel sampling. In other words, Alice can only extract channel information when it is receiving a packet but not when it is sending a packet to Bob, and vice versa. Besides, the measurement noise caused by hardware imperfections also deteriorates the performance of key generation.

To address these problems, we propose to use the channel state when Alice and Bob are receiving packets to estimate the channel state when they are sending packets, so that both Alice and Bob can obtain the complete channel state information during channel probing. Suppose the extracted CLSSIs for Alice and Bob are $S_A = \{S_a^1, S_a^2, \ldots, S_a^n\}$ and $S_B = \{S_b^1, S_b^2, \ldots, S_b^n\}$, respectively, where $S_a^i$ and $S_b^i$ are the CLSSI sequences obtained by Alice and Bob after they receive the $i$-th packet. Note that because Bob first sends a probe packet to Alice, the chronological order of these CLSSI sequences is

$$\begin{bmatrix} S_a^1 & \times & S_a^2 & \cdots & S_a^n & \times \\ \times & S_b^1 & \times & \cdots & \times & S_b^n \end{bmatrix},$$

where $\times$ means a missed channel measurement at that time. We can see that $S_a^1$ and $S_b^1$ are not calculated simultaneously due to the half-duplex mode of LoRa transceivers. To solve this problem, we propose to interpolate to halfway between Alice and Bob's probing times. Taking Alice as an example, we apply an interpolation on $S_a^1$ and $S_a^2$ to estimate $S_a^{1'}$, which is the channel characteristic measured at the same time as $S_b^1$. By repeating the same procedure on the remaining CLSSI sequences, Alice can obtain $S_A' = \{S_a^1, S_a^{1'}, S_a^2, S_a^{2'}, \ldots, S_a^n, S_a^{n'}\}$. Similarly, Bob can obtain the estimated channel characteristics $S_B' = \{S_b^{1'}, S_b^1, S_b^{2'}, S_b^2, \ldots, S_b^{n'}, S_b^n\}$. In this way, both Alice and Bob can obtain the complete channel characteristics and each CLSSI is measured at the same time because the chronological order of the estimated CLSSI sequences is

$$\begin{bmatrix} S_a^1 & S_a^{1'} & S_a^2 & \cdots & S_a^n & S_a^{n'} \\ S_b^{1'} & S_b^1 & S_b^{2'} & \cdots & S_b^{n'} & S_b^n \end{bmatrix}.$$

In ChirpKey, we choose the uni-variate spline fitting [32] method for the following reasons. First, compared with polynomial fitting, the spline function uses low-order polynomials for fitting, which is simple in calculation. Second, the spline function is a piecewise function of low-order polynomials, which guarantees smooth transitions between points and the ability to converge. Therefore, spline fitting can provide fast and stable channel estimation for ChirpKey.

To demonstrate the effectiveness of the above methods, Fig. 5 plots the RSSI, register RSSI, and our CLSSI from the same LoRa signal. We can observe that RSSI has fewer sampling points and more outliers. Although register RSSI provides more sampling points, most of the sampling points are hardware noise. Moreover, only a small number of sampling points are similar to RSSI but they are unstable. In comparison, the proposed CLSSI can provide accurate and fine-grained channel measurement for LoRa signals.

V. PCS-BASED KEY DELIVERY

As aforementioned, the traditional quantization process is inherently lossy and may cause mismatches between legitimate nodes [6], e.g., the fixed threshold may lead to mismatched quantized bits for Alice and Bob [4], [29], [33]. Simply using the compressed sensing method, however, may fail due to the different matrices caused by the channel measurements. To address this, this section presents the proposed PCS-based key delivery method. Since the proposed method is based on perturbed compressed sensing, we first briefly describe the technical background of PCS, then present the measurement matrix generation, key
compression and reconstruction. Finally, we provide a rigorous proof to demonstrate the security of the proposed method.

A. Principle of Perturbed Compressed Sensing

Compressed sensing is a technique in the signal processing field which allows acquiring signals while taking few samples. Assume there is a linear compression system $y = Ax$, where $x \in \mathbb{R}^N$ is the original signal, $A \in \mathbb{R}^{M \times N}$ ($M < N$) is the measurement or sensing matrix, and $y \in \mathbb{R}^M$ is the compressed signal. Compressed sensing states that if $x$ is sparse, it can be reconstructed from far fewer samples than required by the Nyquist–Shannon sampling theorem.

In standard compressed sensing, the measurement matrix $A$ is assumed to be exactly known and identical at the compressor and the receiver, so that the receiver can recover $x$ by $\ell_1$ minimization:

$$\hat{x} = \arg\min_{x} \|x\|_1 \quad \text{subject to} \quad \|y - Ax\|_2 < \epsilon, \tag{1}$$

where $\epsilon$ is used to account for noise. Unfortunately, such an ideal assumption is not always the case in practice. For example, when the compressed signal $y$ and measurement matrix $A$ are transmitted from a compressor to a recoverer via a wireless channel, the received $y$ and $A$ are often perturbed versions due to noise:

$$\hat{A} = A + E \quad \text{and} \quad \hat{y} = y + e, \tag{2}$$

where $E \in \mathbb{R}^{M \times N}$ and $e \in \mathbb{R}^{M \times 1}$ denote unknown perturbations from different sources, such as ambient noise, measurement error, and coding error. In this case, the standard compressed sensing recovery process becomes how to recover the original signal $x$ from the perturbed compressed signal $y$ and measurement matrix $\hat{A}$. According to perturbed compressed sensing theory [34], this problem can be solved by the following $\ell_1$ minimization:

$$\arg\min_{x, e, E} \|e\|_2^2 + \|E\|_F + \lambda \|A\|_1 \quad \text{subject to} \quad \hat{y} = \hat{A}x, \tag{3}$$

where $\lambda > 0$ is the regularization parameter, and $\|\cdot\|_2$, $\|\cdot\|_F$, and $\|\cdot\|_1$ stand for the $\ell_2$, Frobenius, and $\ell_1$ norms, respectively. To solve the above $\ell_1$ minimization problem, we can use the fast reconstruction algorithm based on total least-squares and proximal splitting [34].

B. Perturbed Measurement Matrix Generation

Based on the above PCS theory, we propose a novel PCS-based key delivery method. The main idea of our method is that, since Alice and Bob have similar but not the same channel measurements (i.e., $S_A'$ and $S_B'$), if we can use $S_A'$ and $S_B'$ to construct two measurement matrices that are similar to $A$ and $\hat{A}$ above, then Alice can compress the key, which can be recovered by Bob. For the attacker Eve, since her channel measurements are totally different, she cannot generate a similar perturbed measurement matrix to successfully reconstruct the key. In the following, we present the details of the proposed method, which includes perturbation matrix generation, compression and reconstruction.

Perturbation matrix generation. Structured matrix perturbation [35] is a commonly used perturbation with a fixed structure in PCS. Each of its columns is an unknown constant, which is imposed with a known operation that defines the direction of the perturbation. In this paper, we use the circulant matrix as the structured perturbation matrix because it is easy to implement in low-power LoRa end nodes. The construction method of a typical circulant matrix $f(C)$ is as follows. First, a random vector $C$ is generated, that is, $C = (c_0, c_1, \cdots, c_{N-1}) \in \mathbb{R}^N$. Then the generated random vector $C$ performs cyclic displacement for $M$ times to construct the remaining $M - 1$ row vectors. Finally, all the row vectors are used to generate the entire matrix $f(C)$ through cyclic displacement as

$$f(C) = \begin{pmatrix} c_0 & c_{N-1} & \cdots & c_1 \\ c_1 & c_0 & \cdots & c_2 \\ \vdots & \vdots & \ddots & \vdots \\ c_{M-1} & c_{M-2} & \cdots & c_M \end{pmatrix}. \tag{4}$$

Perturbed measurement matrix generation. We assume there is a default sensing matrix $A_0$ (we use a random Gaussian matrix in ChirpKey), and the goal of Alice and Bob is to use their channel measurements to generate a perturbation matrix which perturbs the default matrix. We find that using the generated perturbation matrix to directly perturb the default matrix will decrease the reconstruction capability when the average value of the perturbation matrix is large. Thus, to control the magnitude of the generated perturbation matrix, we apply a scale factor $\eta$ to the estimated CLSSI values of Alice $S_A'$ and Bob $S_B'$: $\hat{S}_A = \frac{1}{\eta} S_A'$ and $\hat{S}_B = \frac{1}{\eta} S_B'$. The analysis of selecting a suitable $\eta$ is presented in Sec. V-D. Afterwards, the perturbed measurement matrices of Alice and Bob can be obtained by adding the generated perturbation matrix to the default matrix $A_0$ as

$$A_a = A_0 (I + E_a) \quad \text{and} \quad A_b = A_0 (I + E_b), \tag{5}$$

where $I$ is the identity matrix, and $E_a = f(\hat{S}_A)$ and $E_b = f(\hat{S}_B)$ are the generated circulant matrices of Alice and Bob.

C. Compression and Reconstruction

After obtaining the perturbed measurement matrices $A_a$ and $A_b$, Alice and Bob are able to perform information compression and reconstruction.

Compression by Alice. First, Alice generates a random binary sequence $K_A \in \mathbb{R}^N$. Since compressed sensing requires sparse input, we sparsify the random sequence by interpolating four zero bits (sparsity level > 4) between each bit to transform $K_A$ into a sparse vector $K_A^s$. Next, Alice calculates a syndrome which is defined by $Syn = [Syn_1, Syn_2] = [A_a K_A^s, A_a K_A]$. The first part of the syndrome (i.e., $A_a K_A^s$) is a compression of the secret key $K_A^s$. The second part of the syndrome (i.e., $A_a K_A$) is used for error checking and correction. Afterwards, Alice transmits the syndrome $Syn$ to Bob through the public channel.
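The estimated CLSSI sequences that feed the perturbation matrices above come from the chirp-level measurement and channel state estimation steps described earlier. The following Python sketch is an added example, not the authors' implementation: it computes CLSSI as the mean of each chirp's local maxima and aligns Alice's and Bob's half-duplex samples with a natural cubic spline. The chirp parameters, channel model, probe timing and all function names are constructed for illustration, and each probe packet is reduced to a single chirp.

```python
import bisect
import math
import random


def make_packet(amplitudes, chirp_len=512, f0=0.01, f1=0.05):
    """Constructed test signal: one linear up-chirp per entry, scaled by the channel gain."""
    k = (f1 - f0) / chirp_len
    packet = []
    for amp in amplitudes:
        packet += [amp * math.sin(2 * math.pi * (f0 * i + 0.5 * k * i * i))
                   for i in range(chirp_len)]
    return packet


def clssi(packet, chirp_len=512):
    """Mean of the local maxima (upper envelope) of each chirp unit in a packet."""
    values = []
    for start in range(0, len(packet) - chirp_len + 1, chirp_len):
        c = packet[start:start + chirp_len]
        peaks = [c[i] for i in range(1, chirp_len - 1) if c[i - 1] < c[i] >= c[i + 1]]
        if peaks:
            values.append(sum(peaks) / len(peaks))
    return values


def natural_cubic_spline(xs, ys):
    """Return a function evaluating the natural cubic spline through (xs, ys), len >= 3."""
    n = len(xs)
    h = [xs[i + 1] - xs[i] for i in range(n - 1)]
    m = [0.0] * n  # second derivatives; natural boundary keeps m[0] = m[n-1] = 0
    diag = [2.0 * (h[i - 1] + h[i]) for i in range(1, n - 1)]
    rhs = [6.0 * ((ys[i + 1] - ys[i]) / h[i] - (ys[i] - ys[i - 1]) / h[i - 1])
           for i in range(1, n - 1)]
    for k in range(1, n - 2):  # forward elimination of the tridiagonal system
        w = h[k] / diag[k - 1]
        diag[k] -= w * h[k]
        rhs[k] -= w * rhs[k - 1]
    for j in range(n - 3, -1, -1):  # back substitution
        m[j + 1] = (rhs[j] - h[j + 1] * m[j + 2]) / diag[j]

    def evaluate(x):
        # Points just outside the sampled range reuse the nearest end segment.
        i = min(max(bisect.bisect_right(xs, x) - 1, 0), n - 2)
        a, b = xs[i + 1] - x, x - xs[i]
        return ((m[i] * a ** 3 + m[i + 1] * b ** 3) / (6 * h[i])
                + (ys[i] / h[i] - m[i] * h[i] / 6) * a
                + (ys[i + 1] / h[i] - m[i + 1] * h[i] / 6) * b)
    return evaluate


def pearson(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(va * vb)


def probe(gain):
    """One received probe packet (a single chirp here) reduced to its CLSSI value."""
    return clssi(make_packet([gain]))[0]


def demo(n=24, seed=7):
    """Return (correlation of raw index-paired CLSSI, correlation after estimation)."""
    rng = random.Random(seed)

    def channel(t):  # constructed slowly varying channel gain
        return 0.6 + 0.2 * math.sin(2 * math.pi * t / 10) + 0.1 * math.sin(2 * math.pi * t / 23 + 1.0)

    t_a = [2.0 * i for i in range(n)]        # Alice receives first (Bob probes first)
    t_b = [2.0 * i + 1.0 for i in range(n)]  # Bob receives one slot later
    s_a = [probe(channel(t) + rng.gauss(0.0, 0.005)) for t in t_a]
    s_b = [probe(channel(t) + rng.gauss(0.0, 0.005)) for t in t_b]
    t_all = sorted(t_a + t_b)
    fit_a, fit_b = natural_cubic_spline(t_a, s_a), natural_cubic_spline(t_b, s_b)
    est_a = [fit_a(t) for t in t_all]        # measured values plus estimated ones
    est_b = [fit_b(t) for t in t_all]
    return pearson(s_a, s_b), pearson(est_a, est_b)


if __name__ == "__main__":
    raw, aligned = demo()
    print(f"raw correlation {raw:.3f}, after estimation {aligned:.3f}")
```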
Algorithm 1: PCS-based key delivery.
Input: $\hat{S}_A$ and $\hat{S}_B$: estimated CLSSI sequences measured by
Output: $K_A$ and $K_B$: secret keys for Alice and Bob.
Alice:
    $A_a = A_0 + f(\hat{S}_A)$
    $K_A = PRNG(seed)$                          ▷ generate random key
    $K_A^s = sparse(K_A)$                       ▷ sparse the key
    $Syn = [Syn_1, Syn_2]$, $Syn_1 = A_a K_A^s$, $Syn_2 = A_a K_A$
    Send $Syn$ to Bob via public channel
Bob:
    Receive noised syndrome $Syn' = Syn + e$
    $A_b = A_0 + f(\hat{S}_B)$
    $K_B^s = solve\ \ell_1(Syn_1, A_b)$
    $K_B' = de\text{-}sparse(K_B^s)$            ▷ reconstruct the key
    $\Delta = A_b K_B' - Syn_2$
    $\Delta_{AB} = solve\ \ell_1(\Delta, A_b)$
    $K_B = K_B' \oplus \Delta_{AB}$             ▷ solve the mismatched bits
return $K_A$, $K_B$

Reconstruction by Bob. Let $Syn'$ be the received syndrome with some noise, $Syn' = Syn + e = [Syn_1 + e, Syn_2 + e]$. After receiving the syndrome, Bob uses the first part of the syndrome ($Syn_1 + e$) to reconstruct a sparse key $K_B^s$ by solving the following $\ell_1$-regularized total least-squares problem:

$$\arg\min_{e, E_p, K_B^s} \|e\|_2^2 + \|E_p\|_F + \lambda \|K_B^s\|_1 \quad \text{subject to} \quad (A_b + E_p) K_B^s = Syn_1 + e, \tag{6}$$

where $E_p$ is the perturbation difference between $A_b$ and $A_a$, namely $E_p = A_b - A_a$. After obtaining the sparse key $K_B^s$, Bob de-sparses it to obtain $K_B'$. After this step, Bob obtains an estimated key $K_B'$ from the first part of the syndrome.

In practice, $K_B'$ is not exactly the same as Alice's original key $K_A$ because of noise. Therefore, Bob uses the second part of the syndrome to correct the errors. To this end, Bob first calculates a mismatched vector $\Delta$ as follows

$$\begin{aligned} \Delta &= A_b K_B' - Syn_2 = (A_b K_B' - A_a K_A) + e \\ &= A_b K_B' - (A_b + E_p) K_A = A_b (K_B' - K_A) + e \\ &= A_b \Delta_{AB} + e, \end{aligned} \tag{7}$$

where $\Delta_{AB}$ means the mismatches between Alice's original key $K_A$ and Bob's estimation $K_B'$. Since Alice and Bob are legitimate devices, there are only few mismatches in their keys, i.e., $\Delta_{AB}$ is sparse. Therefore, Bob can reconstruct the mismatches by solving the following $\ell_1$-regularized total least-squares problem:

$$\arg\min_{\Delta, e} \|e\|_2^2 + \lambda \|\Delta\|_1 \quad \text{subject to} \quad A_b \Delta_{AB} = \Delta + e. \tag{8}$$

With $\Delta_{AB}$, Bob can deduce $K_A$ by simply calculating $K_B = K_B' \oplus \Delta_{AB}$, where $\oplus$ is the XOR operation. Finally, both Alice and Bob agree on the same key $K_A = K_B$. The above key delivery process is summarized in Algorithm 1.

D. Security of the Proposed Method

Since the syndrome $Syn$ is transmitted via an unauthenticated channel, the attacker Eve can also eavesdrop on the message $syn'$. With the knowledge of $syn'$, she can then perform the three types of attacks discussed in Sec. III to derive her own key $K_{Eve}$ using the same method as Bob. We now quantitatively demonstrate that the above vulnerability can be addressed by properly choosing the perturbation matrices.

Corollary 1: Suppose the perturbation matrices of Alice, Bob and Eve are $A_a$, $A_b$, and $A_e$, respectively. The PCS-based key delivery method is perfectly effective (i.e., Bob can reconstruct $K_A$ successfully) and secure (i.e., Eve is unable to reconstruct $K_A$ successfully) if there exists a parameter $\varepsilon$ satisfying

$$\frac{\|A_b - A_a\|_2}{\|A_a\|_2} \le \varepsilon < \frac{\|A_e - A_a\|_2}{\|A_a\|_2}. \tag{9}$$

Proof 1: If Bob cannot recover $\Delta_{AB}$ and $K_A$ with an $\varepsilon$ that satisfies the condition $\frac{\|A_b - A_a\|_2}{\|A_a\|_2} \le \varepsilon$, it is contradictory to the sufficient condition for successful recovery according to PCS theory [35]. If Eve can recover $K_A$ with $\frac{\|A_e - A_a\|_2}{\|A_a\|_2} \le \varepsilon$, it is contradictory to the necessary condition for successful compressed sensing decoding [35].

Therefore, the problem becomes finding a feasible range of $\varepsilon$ that satisfies Corollary 1 (successful reconstruction by the legitimate node and unsuccessful reconstruction by the attacker). Fig. 6 plots the distribution of the lower bound and upper bound of $\varepsilon$. We can see that there is a feasible range [0.41, 0.56] to use. In other words, if $\varepsilon$ lies in the feasible range, Eq. (9) holds, meaning that Eve cannot use her observed message $syn'$ to obtain the same key. Therefore, we control $\varepsilon$ within the feasible range in the following experiments.

[Fig. 6: Security of the proposed method (CDF vs. ε for the legitimate node and Eve, with the feasible range marked).]

Prior studies also show that when the same measurement matrix $A_0$ is used repeatedly, the syndrome could be conditionally accessed [8], [36]. This issue can be easily solved by updating the original measurement matrix $A_0$ periodically. For example, after Alice and Bob agree on the same key, they can use it as a seed of a Gaussian random matrix generator to update $A_0$. Note that although we need to pre-store $A_0$ in ChirpKey, it is public knowledge rather than a pre-shared secret.

E. Privacy Amplification

Although the PCS-based key delivery method achieves high reliability as evaluated in Sec. VI, it also reveals some information to attackers because Alice and Bob have to transmit the syndrome in the public channel. This problem can be solved by privacy amplification techniques, such as hash functions [8], [29]. In ChirpKey, we employ the widely used hash function SHA-128 as a privacy amplification technique to increase the randomness of the final keys. After generating the same key, Alice and Bob can use AES-128 or other symmetric key encryption methods to encrypt/decrypt their communications.
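As an added example (not code from the paper), the following Python sketch builds the circulant perturbation of Eq. (4), forms the perturbed matrices of Eq. (5), and evaluates the two ratios of Eq. (9) to report whether a feasible ε exists for a given set of measurements. It assumes an N×N circulant so that Eq. (5) is dimensionally consistent, a seeded Gaussian A0, η = 4, and constructed CLSSI sequences for Alice, Bob and Eve; all function names are hypothetical.

```python
import math
import random


def circulant(c, rows):
    """Eq. (4): row i is the vector c cyclically shifted right by i positions."""
    n = len(c)
    return [[c[(i - j) % n] for j in range(n)] for i in range(rows)]


def matmul(a, b):
    cols = list(zip(*b))
    return [[sum(x * y for x, y in zip(row, col)) for col in cols] for row in a]


def perturbed_matrix(a0, s_est, eta):
    """Eq. (5): A = A0 (I + E) with E = f(S_est / eta); assumes len(s_est) == N."""
    n = len(a0[0])
    e = circulant([s / eta for s in s_est], n)
    for k in range(n):
        e[k][k] += 1.0  # I + E
    return matmul(a0, e)


def spectral_norm(a, iters=200):
    """Largest singular value of a, by power iteration on A^T A."""
    n = len(a[0])
    v = [1.0 + 0.1 * j for j in range(n)]
    scale = math.sqrt(sum(x * x for x in v))
    v = [x / scale for x in v]
    sigma = 0.0
    for _ in range(iters):
        u = [sum(x * y for x, y in zip(row, v)) for row in a]                # u = A v
        w = [sum(a[i][j] * u[i] for i in range(len(a))) for j in range(n)]   # w = A^T u
        norm_w = math.sqrt(sum(x * x for x in w))
        if norm_w == 0.0:  # zero matrix: identical measurement matrices
            return 0.0
        sigma = math.sqrt(norm_w)  # ||A^T A v|| approaches sigma_max^2 for unit v
        v = [x / norm_w for x in w]
    return sigma


def relative_perturbation(a_ref, a_other):
    """||A_other - A_ref||_2 / ||A_ref||_2, the quantity bounded in Eq. (9)."""
    diff = [[y - x for x, y in zip(r, s)] for r, s in zip(a_ref, a_other)]
    return spectral_norm(diff) / spectral_norm(a_ref)


def feasible_epsilon(a_a, a_b, a_e):
    """Return (lower, upper) such that lower <= eps < upper satisfies Eq. (9), else None."""
    lower = relative_perturbation(a_a, a_b)
    upper = relative_perturbation(a_a, a_e)
    return (lower, upper) if lower < upper else None


def demo(n=16, m=8, eta=4.0, seed=0):
    rng = random.Random(seed)
    a0 = [[rng.gauss(0.0, 1.0) for _ in range(n)] for _ in range(m)]  # public default matrix
    # Constructed CLSSI sequences: Bob sees Alice's channel plus small noise,
    # Eve sees an unrelated channel.
    s_a = [0.6 + 0.2 * math.sin(2 * math.pi * k / 10) for k in range(n)]
    s_b = [s + rng.gauss(0.0, 0.005) for s in s_a]
    s_e = [0.5 + 0.2 * math.cos(2 * math.pi * k / 7 + 0.8) for k in range(n)]
    a_a, a_b, a_e = (perturbed_matrix(a0, s, eta) for s in (s_a, s_b, s_e))
    normal = feasible_epsilon(a_a, a_b, a_e)
    # Edge case: an eavesdropper whose measurements equal Alice's leaves no margin.
    worst = feasible_epsilon(a_a, a_b, a_a)
    return normal, worst


if __name__ == "__main__":
    normal, worst = demo()
    print("feasible epsilon range:", normal)
    print("eavesdropper with Alice's own measurements:", worst)
```

When Eve's measurements coincide with Alice's, the upper bound of Eq. (9) collapses to zero and `feasible_epsilon` returns `None`, which is the case a deployment test should flag.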
VI. EVALUATION

A. Experimental Setup

Data collection. As shown in Fig. 7, we use three USRP N210 SDRs with WBX daughterboards as Alice, Bob, and Eve, respectively. We use the following LoRa parameters: F = 915 MHz, BW = 125 kHz, SF = 12, and CR = 4/8, where F denotes frequency, SF denotes spread factor, BW denotes bandwidth and CR denotes code rate. Alice is configured to be an end-device, and it is connected to a Raspberry Pi module with a 1.5 GHz quad-core Cortex-A72 and 4 GB RAM via Ethernet cable. Bob is configured to be a LoRa gateway, and it is connected to a server with an AMD EPYC 7522 64-core processor via Ethernet cable. The LoRa radio signal processing algorithm is implemented in C++ with GNU Radio in the SDR. The key generation algorithm is implemented in the server and Raspberry Pi for Alice and Bob, respectively. As shown in Fig. 7, we conduct experiments in both indoor and outdoor environments. In both environments, we consider two different scenarios: a static scenario where both Alice and Bob are static, and a mobile scenario where Bob is static but Alice is moving. This setting is realistic because LoRa can be used in both static wireless sensor networks and mobile networks. The attacker Eve is placed 1 m away from Alice. The whole experiment lasted for two weeks and we collected more than 2,000,000 channel measurements at different times of different days.

[Fig. 7: Experimental setup. (a) Indoor experiment. (b) Outdoor experiment.]

Metrics. For a key generation system, we follow two widely used metrics: 1) Key matching rate (KMR) is the percentage of the matching bits over all bits; 2) Key generation rate (KGR) is the number of bits generated in one second.

B. Overall Performance

Baselines. We select the following state-of-the-art quantization-based key generation systems in LoRa as our baselines.

• LoRa-key [8] uses RSSI channel measurement and compressed sensing based reconciliation.
• LoRa-liSK [10] uses RSSI channel measurement and error-correction code based reconciliation.
• Gao et al. [9] uses register RSSI channel measurement and compressed sensing based reconciliation.
• Vehicle-key [11] uses register RSSI channel measurement and autoencoder based reconciliation.

To be fair, we adjust their settings to get the best results. Specifically, for LoRa-liSK [10] and LoRa-Key [8], we set α (the guard band ratio in quantization) to 0.8. For Gao et al. [9], the interval is set to 20 and the round number is set to 50. For the CS-based reconciliation method in LoRa-Key [8] and Gao et al. [9], the measurement matrix size is set to 50 × 128. For Vehicle-key [11], the compressed size of the autoencoder is set to 64. For these methods, we use an Arduino Uno with a Dragino LoRa Shield¹ to collect RSSI and register RSSI values.

¹ https://www.dragino.com/products/lora/item/102-lora-shield.html

The results of different methods in various environments are presented in Fig. 8, Fig. 9, and Fig. 10, respectively. From Fig. 8, we observe that ChirpKey achieves the highest KMR in all the scenarios. The average key matching rate of ChirpKey is 25.61% higher than LoRa-liSK [10], 26.58% higher than LoRa-Key [8], 16.31% higher than Vehicle-key [11], and 11.03% higher than Gao et al. [9]. The stability (i.e., standard deviation) of the KMR obtained by ChirpKey also outperforms other methods. From Fig. 9, we can see that the KGR of ChirpKey is 27.5× higher than LoRa-key [8], 26.9× higher than Vehicle-key [11], 49× higher than Gao et al. [9], and 27.5× higher than LoRa-liSK [10], respectively. Fig. 10 shows the entropy of the keys generated by different methods. We observe that ChirpKey improves entropy by 6–8% compared with the baselines. Additionally, as shown in Fig. 8 and Fig. 9, the KMR in the outdoor environment is slightly lower than that of indoor areas because there is less multi-path effect in outdoor areas. The KGR in the mobile scenario is slightly higher than that of the static scenario because there are more channel variations when Alice is moving. To sum up, the results show that ChirpKey improves KMR, KGR, and entropy significantly compared to the state of the art in different scenarios.

C. Evaluation of Chirp-level Channel Information

Impact of CLSSI. We now demonstrate the advantage of the proposed CLSSI over two widely used channel measurements in LoRa networks, namely RSSI and register RSSI. As shown in Fig. 11, the proposed CLSSI achieves higher KMR and KGR compared with both RSSI and register RSSI. Specifically, the KGR is increased by 2.72% and 2.94%, while the KGR is increased by 55.32× and 26.73× compared with using RSSI and register RSSI, respectively. Therefore, our CLSSI can provide fine-grained and accurate channel state information for LoRa networks.

Impact of channel state estimation. In this experiment, we evaluate the performance of the proposed channel state estimation method. To this end, we compare the KGR with and without channel state prediction. As shown in Fig. 12, the proposed method consistently achieves a higher matching rate in all scenarios, indicating our method is effective in improving the channel reciprocity for legitimate nodes and hence the KGR. Specifically, the KGR is increased by 2×, 2.1×, 1.9×, and 1.95× in indoor-static, indoor-mobile, outdoor-static, and outdoor-mobile scenarios, respectively. Besides, the channel state estimation method can also decrease the deviation of the KGR, indicating it improves the stability of ChirpKey.

D. Evaluation of Parameters in the PCS Method

Impact of measurement matrix size. We examine the impact of the size of the measurement matrix on ChirpKey by changing the matrix size from 40 × 128 to 58 × 128 (i.e., increase M from 40 to 58 gradually). As shown in Fig. 13, the
[Figures 8–11 (plots not reproduced). Fig. 8: Comparison of matching rate (KMR in %). Fig. 9: Comparison of generation rate (KGR in bits/sec). Fig. 10: Comparison of entropy. Fig. 11: Impact of CLSSI (KMR and KGR for CLSSI, RSSI and register RSSI). Scenarios shown: indoor-static, indoor-mobile, outdoor-static, outdoor-mobile.]