Elsevier Editorial System(tm) for Computers & Electrical Engineering

Manuscript Draft

Manuscript Number: COMPELECENG-D-14-01203

Title: MuGKeG: Secure Multi-channel Group Key Generation Algorithm for Wireless Networks

Article Type: SI: wls4

Keywords: Security; Wireless networks; Group key generation.

Corresponding Author: Mr. Saad Saleh, MS-EE

Corresponding Author's Institution: National University of Sciences and Technology (NUST)

First Author: Naumana Ayub, MS-EE`

Order of Authors: Naumana Ayub, MS-EE`; Mamoon Raja; Saad Saleh, MS-EE; Muhammad U Ilyas, PhD

Abstract: The broadcast nature of communication channels in infrastructureless wireless networks

poses challenges to security. In this paper, we propose a novel technique namely Secure Multi-channel
Group Key Generation (MuGKeG) algorithm. We utilize the available channels switching behaviour
between multiple nodes to hide our key from eavesdropper. We provide descriptions for an illustrative
base case of three users and one eavesdropper and expand it for the case of N users with C channels
and M eavesdroppers. Repeated application of the MuGKeG algorithm on the order of O(logN) allows
scaling the size of the group in the order of millions. We provide an analytical closed-form solution for
the entropy of the secret group key generated when eavesdroppers follow an optimal attack strategy,
and verify it by ns-3 simulations. Comparison with previous state-of-the-art schemes suggests that
MuGKeG can provide upto 20kbps increase in secrecy rate with a scalable key size.
Cover Letter

Title: MuGKeG: Secure Multi-channel Group Key Generation Algorithm for Wireless Networks

Author Names and Affiliations:

1. Naumana Ayub
Department of Electrical and Electronic Engineering,
School of Mathematics, Computer Science and Engineering, City University London, UK
Email: naumana.ayub.1@city.ac.uk

2. Mamoon Raja
Department of Computer Science, Tufts University, Medford, Massachusetts-02155, US
Email: mamoon.raja@tufts.edu

3. Saad Saleh[1] (Corresponding Author)

School of Electrical Engineering and Computer Science (SEECS),
National University of Sciences and Technology (NUST),
Sector: H-12, Islamabad-44000, Pakistan.
Primary Email: saad.saleh@seecs.edu.pk
Secondary Email: saadsaleh100@gmail.com

4. Muhammad U. Ilyas
School of Electrical Engineering and Computer Science (SEECS),
National University of Sciences and Technology (NUST),
Sector: H-12, Islamabad-44000, Pakistan.
Email: usman.ilyas@seecs.edu.pk

Abstract: The broadcast nature of communication channels in infrastructureless wireless networks

poses challenges to security. In this paper, we propose a novel technique namely Secure Multi-channel
Group Key Generation (MuGKeG) algorithm. We utilize the available channels switching behaviour
between multiple nodes to hide our key from eavesdropper. We provide descriptions for an illustrative
base case of three users and one eavesdropper and expand it for the case of N users with C channels
and M eavesdroppers. Repeated application of the MuGKeG algorithm on the order of O(logN) allows
scaling the size of the group in the order of millions. We provide an analytical closed-form solution for
the entropy of the secret group key generated when eavesdroppers follow an optimal attack strategy,
and verify it by ns-3 simulations. Comparison with previous state-of-the-art schemes suggests that
MuGKeG can provide upto 20 kbps increase in secrecy rate with a scalable key size.

Disclaimer: I, Saad Saleh, as corresponding author of this paper, certify on behalf of all co-authors that
the paper is novel (unpublished) and has not been submitted for publication anywhere else. It will not
be submitted to a different journal until a decision has been made by Journal of Computers and
Electrical Engineering.

[1]
Ph: +92-344-5188421, Permanent (Postal) Address: House-5, Street-11, Sector-F, DHA-2, Islamabad.
*Manuscript
Click here to view linked References

MuGKeG: Secure Multi-channel Group Key

Generation Algorithm for Wireless Networks

Naumana Ayuba , Mamoon Rajab , Saad Salehc , Muhammad U. Ilyasc

a Department of Electrical and Electronic Engineering,

School of Mathematics, Computer Science and Engineering, City University London, UK

b Department of Computer Science,

Tufts University, Medford, Massachusetts-02155, US

c School of Electrical Engineering and Computer Science (SEECS),

National University of Sciences and Technology (NUST), Islamabad-44000, Pakistan

Abstract

The broadcast nature of communication channels in infrastructureless wireless

networks poses challenges to security. In this paper, we propose a novel tech-
nique namely Secure Multi-channel Group Key Generation (MuGKeG) algo-
rithm. We utilize the available channels switching behaviour between multiple
nodes to hide our key from eavesdropper. We provide descriptions for an il-
lustrative base case of three users and one eavesdropper and expand it for the
case of N users with C channels and M eavesdroppers. Repeated application of
the MuGKeG algorithm on the order of O(log N ) allows scaling the size of the
group in the order of millions. We provide an analytical closed-form solution
for the entropy of the secret group key generated when eavesdroppers follow
an optimal attack strategy, and verify it by ns-3 simulations. Comparison with
previous state-of-the-art schemes suggests that MuGKeG can provide upto 20
kbps increase in secrecy rate with a scalable key size.
Keywords: Security; Wireless networks; Group key generation.

Email addresses: naumana.ayub.1@city.ac.uk (Naumana Ayub),

mamoon.raja@tufts.edu (Mamoon Raja), saad.saleh@seecs.edu.pk (Saad Saleh),
usman.ilyas@seecs.edu.pk (Muhammad U. Ilyas)

Preprint submitted to Journal of Computers and Electrical Engineering October 20, 2014
1. Introduction

1.1. Background and Motivation

Encrypted communication among users of a wireless network protects the
group from interception or eavesdropping. Till now, huge amount of crypto-
graphic research has been carried out to protect communication from eavesdrop-
ping [1]. Even after then, one of the largest security breach of 45 million users
credit card data occurred by breaking into insecure wireless communications
of TJX [2]. The ability to establish secure communication links in a wireless
network has major applications in infrastructureless ad hoc wireless networks
used for military surveillance, medical monitoring, fire eruption and vehicu-
lar networks etc. Safety, secrecy and privacy constraints for wireless networks
motivate us to think, “Can highly susceptible and vulnerable ad hoc wireless
communication network be secured from eavesdroppers’ hampering?”

1.2. Prior State of the Art

Several prior approaches for generating shared (group) keys depend on differ-
ences in channel conditions between channels of legitimate receivers and eaves-
droppers [3, 4][5]. Others like [6][7][8] depend on the generation of controlled
jamming performed by either the receiver or an assisting node. Safaka et al. [9]
placed pre-conditions on the location of the eavesdropper and depends on the
eavesdropper’s channel conditions to be worse than those of the group of nodes
attempting to establish a secret group key. Only a few previous approaches
have considered the case of multiple eavesdroppers, including Vasudevan et al.
[7], Sankararaman et al. [10] and Dong et al. [11].

1.3. Proposed Approach

In this paper we leverage the availability of multiple wireless channels to cre-
ate a secret group key for use among groups of at least three nodes. The Secure
Multi-channel Group Key Generation (MuGKeG) algorithm proposed here is
independent of variations in channel conditions, remains effective in the pres-
ence of eavesdroppers and places no pre-requisite conditions on eavesdropper’s

2
locations and channel conditions. The basic idea is to “overwhelm” the eaves-
dropper(s) by concurrently transmitting random sequences over more channels
at the same time than there are eavesdroppers. Our proposed approach does
not require any artificial / controlled jamming and is capable of key generation
for millions of nodes in any wireless network. The efficacy of the proposed al-
gorithm drops significantly when the number of eavesdroppers increases beyond
the number of channels.

1.4. Results

An analytical model is developed for the entropy of the group key generated
by the Secure MuGKeG algorithm and verified by simulations. Our model
keeps a track of the number of bits that remain unknown to the eavesdroppers.
We used the network simulator-3 (ns-3) platform [12] for generating simulation
results. Our findings show that MuGKeG provides upto 76 kbps secrecy rate
for a key size of 256 bits for IEEE 802.11b radio. Moreover, unlike the previous
strategies, key size for MuGKeG is highly scalable. We show that MuGKeG
provides reasonable transmissions depending upon the number of nodes and
transmission rounds per node only.

1.5. Contributions

The contributions of this paper are three-fold:

1. An algorithm that creates a shared group key among at least three nodes.
2. An analytic derivation of the entropy of the shared secret for general
problem settings.
3. Verification of the shared group secret generation algorithm by simulating
a wireless sensor network with an IEEE 802.11b PHY / MAC using the
ns-3 platform.

Paper Organization: The remainder of this paper is organized as fol-

lows; Section 2 reviews some of the most relevant related work on the problem
of secret key generation in wireless networks. Section 3 describes the system

3
model, including the attacker model. Section 4 describes the proposed group
key generation algorithm using a base case of three nodes and an eavesdropper.
Section 5 presents the possible attack strategies for the eavesdropper. Section 6
presents a generalized group key generation algorithm and presents the scaling
of MuGKeG for large number of channels and nodes. Section 7 gives an ana-
lytical derivation of the entropy of the group key. Section 8 shows the results
of multiple ns-3 simulations of the group key generation algorithm. Section 9
lists the limitation of MuGKeG algorithm. Section 10 presents a comparison of
MuGKeG’s performance with previous schemes. Finally, Section 11 concludes
the paper.

2. Related Work

Many previous works such as Jana et al. [3], Croft et al. [4], and Wang et
al. [5] used errors inherent in wireless channels between communicating nodes
to generate shared secret keys. However, the efficiency of all these methods
depends solely on variations in channel conditions. On more static channels,
the entropy of shared keys is low, which makes it relatively easier for Eve to
‘guess’ the correct key. Xiao et al. [13] proposed an approach that exploits the
frames transmitted only once between legitimate nodes for secret generation, but
stops short of determining the entropy of shared keys created by this method.
Another group of approaches are classified as cooperative jamming methods.
Sankararaman et al. [10] describe a cooperative jamming technique for RFID
systems to secure communication between RFID reader and transponder (RFID
tag) in a warehouse. Dong et al. [11] employed relay nodes for achieving secure
communication. Vasudevan et al. [7] used artificial noise to counter eavesdrop-
pers. The principal disadvantage of all these schemes is the requirement of
additional nodes.
Among the techniques that do not depend on channel variations is the chan-
nel hopping method employed by Zan and Gruteser [14]. However, the proba-
bility of two nodes listening to the same channel at the same time is very small

4
and becomes smaller with increasing number of channels. There is also a signif-
icant cost in terms of number of transmissions per unit bit of key entropy. Tsai
et al. [15] used sequences of random bits to generate keys but this approach
only applies to storage bound adversaries which is usually not the case. Miller
and Vaidya [16] exploited channel diversity for secret key generation but their
approach requires a trusted third party to pre-load keys in each node’s memory
as a pre-requisite requirement. Basilico et al. [17] utilized non-cooperative game
theory approach to identify malacious nodes. However, their technique requires
extra nodes and verifiers to perform verifiable multilateration calculations to
locate the attacker.
Cooperative jamming also falls in the category of techniques in which key
generation is independent of channel variations. Arora and Sang [6] used jam-
ming to generate secret key. However, jamming is carried out by the receiver
here, instead of collegial nodes. In iJam [8], Gollakota and Katabi used the
same technique discussed by Arora and Sang [6] but adapted it for orthogonal
frequency division multiplexing (OFDM). iJam is specifically designed to work
on links using OFDM on the physical layer. Otherwise eavesdroppers may be
able to distinguish between jammed and clear signals. Safaka et al. [9] proposed
a more general approach, independent of the physical layer and applicable in
a broad range of wireless systems. However, it requires sufficient noise in the
channel to make eavesdropper miss some of the packets transmitted between
communicating nodes. Safaka et al. [18] further improved on their earlier tech-
nique in [9] by making it independent of the eavesdropper’s location.
Recently, Zhu et al. [19] have utilized received signal strength indication for
key extraction in vehicular networks. Their technique addresses the problem of
securing the link between two moving vehicles and depends on channel dynamics.
In another study [20], Hu et al. proposed a key generation scheme named as
ordered physiological feature based key agreement (OPFKA). Overlap among
the physiological signal features is used to generate key among sensor and is only
applicable in body area networks. In [21], Liu et al. used the key extraction
method by using channel state information obtained from OFDM subcarriers.

5
However, it is physical layer technology dependent, especially not suitable for
wireless networks with power constraints.
It should be noted that majority of the above mentioned techniques assumed
or made an effort to ensure that the eavesdropper’s channel conditions are worse
than the channel between communicating nodes.

3. System Model

We develop a system model assuming a group of N nodes, where N is at

least three, each equipped with a single radio. It is also assumed that there are
at least N −1 independent communication channels available to each radio. The
nodes do not have any pre-shared key or other secret information other than the
protocol itself. Communicating nodes are not assumed to have any particular
capability of producing artificial noise or smart jamming. No particular pre-
requisites are assumed at either the Physical or Medium Access Control layers.
The only assumption we make is that packet losses on wireless channels between
pairs of nodes (including eavesdroppers) are independent.

3.1. Attacker Model

There are M passive attackers with equal capability of tuning to any of

the N − 1 channels. Several previous works make the assumption that the
eavesdropper(s)’s wireless channel conditions are not better than the channel
between the legitimate N users. There are no prior assumptions about the
placement or location of the eavesdropper(s). Eavesdroppers are able to switch
channels at the same rate as the users attempting to establish a shared secret.

4. Proposed Algorithm

This section describes the proposed MuGKeG algorithm. Firstly, we describe

the base case for a group of three nodes, then we provide a scalable description
for groups of nodes greater than three in section-6.

6
 Three nodes, Alice, Bob and Calvin want to establish secure communications
amongst themselves and generate a secret group key. Also present is a user Eve
who is eavesdropping on transmissions between Alice, Bob and Calvin. As we
mentioned previously in Section 3.1, Eve may receive transmissions with even
fewer errors than the actual intended recipient of a transmission. Alice, Bob and
Calvin will securely generate a secret group key using a two-phase algorithm in
six stages as shown in Appendix Fig. A.6.

4.1. Phase I: Pairwise Key Generation

Phase I consists of three stages, with each stage consisting of R rounds. In

the first stage, Alice and Bob transmit, while Calvin receives. Alice transmits
on channel CA for R rounds, while Bob simultaneously transmits on CB for
R rounds. The contents of Alice and Bob’s transmissions in all R rounds are
generated randomly. All of Alice’ transmissions during all rounds of stage one
are collectively denoted by KAC . Similarly, all of Bob’s transmissions during all
rounds of stage one are collectively denoted by KBC .
In the first stage, before each round, Calvin randomly selects between Al-
ice and Bob’s channels CA and CB . Calvin also records the channel number
it selected in each round. At the end of R rounds of stage one, Calvin will
have received approximately half the transmissions made by Alice and half the
KAC KBC
transmissions made by Bob. These are denoted by 2 and 2 , respectively.
Since Calvin’s channel switching schedule is random, only Calvin knows pre-
cisely which round it received from Alice and which from Bob. At the end of
this stage, Calvin communicates the channel switching schedule vector it used
to both Alice and Bob. This way Alice and Bob will both know which of their
respective transmissions were received by Calvin. This transfer of information
is depicted in the row corresponding to Stage one of Tab-1.
Stage two proceeds similarly. However, this time Alice and Calvin trans-
mit sequences KAB and KCB on channels CA and CC , respectively, while Bob
maintains a random channel switching schedule between these two channels.
The data known to Alice, Bob, Calvin and Eve at the end of stage two is shown

7
Table 1: Information sharing between Alice, Bob and Calvin during Phase I and information
eavesdropped by Eve.

Stage Alice Bob Calvin Eve (random) Eve (fixed)

(A) (B) (C) (Er ) (Ef )

KAC KBC K0 K0
1 [KAC ] [KBC ] [ 2 , 2 ] [ AC
2 , BC
2 ] [KAC ]

KAB KCB K0 K0
2 [KAB ] [ 2 , 2 ] [KCB ] [ AB
2 , CB
2 ] [KAB ]

K K K0 K0
3 [ BA
2 , CA
2 ] [KBA ] [KCA ] [ BA
2 , CA
2 ] [KCA ]

K0 K0 K0
Aggre. [KAC , KAB , [KBC , KBA , [KCB , KCA , [ AC , BC , AB , [KAC , KAB ,
2 2 2

KBA K KAB K KAC K K0 K0 K0

Infor. 2 , CA
2 ] 2 , CB
2 ] 2 , BC
2 ] CB
2 , BA
2 , CA
2 ] KCA ]

in the row corresponding to Stage two of Tab-1.

Finally, in stage three Bob and Calvin transmit sequences KBA and KCA
on channels CB and CC , respectively, while Alice maintains a random channel
switching schedule between these two channels. The data known to Alice, Bob,
Calvin and Eve at the end of stage three is shown in the row corresponding to
stage three of Tab-1.
At the end of these three stages, Alice, Bob and Calvin will each know
a subset of the sequences KAC , KBC , KAB , KCB , KBA and KCA that were
transmitted during Phase I. The aggregate information known to each user at
the end of three stages is given in the last row of Tab-1. Very importantly,
at this point there is no sequence that is known to all three users yet. Each
pair of nodes uses its shared information as input to a hash function like SHA-
1, MD-5, SHA-256, SHA-512 etc. [22] to generate a new bit string that is
used as a symmetric key to an encryption algorithm. For example, Alice and
KAB KBA
Bob share information 2 and
2 between them. Both Alice and Bob pass
KAB KBA
the concatenated sequence [ 2 , 2 ] to a hash function that returns a bit
string that is used as a symmetric encryption key for any encryption algorithm,
e.g. AES, 3DES, Twofish, Serpent etc. Using the shared sequences between
Alice, Bob and Calvin, users will create shared symmetric keys [ KAB KBA
2 , 2 ],

[ KAC KCA KBC KCB

2 , 2 ] and [ 2 , 2 ] shared between pairs of users. Thus each node will

8
have a separate key to encrypt and decrypt transmissions to and from each of
its neighbors.

4.2. Phase II: Group Key Generation (Hardening)

Alice, Bob and Calvin each generate long sequences SA , SB and SC , re-
spectively. Alice uses pairwise symmetric keys [ KAB KBA KAC KCA
2 , 2 ] and [ 2 , 2 ] to

encrypt and transmit SA to Bob and Calvin, respectively. Similarly, Bob uses
pairwise symmetric keys [ KBC KCB KAB KBA
2 , 2 ] and [ 2 , 2 ] to encrypt and transmit

SB to Calvin and Alice, respectively. Calvin uses pairwise symmetric keys

[ KAC KCA KAB KBA
2 , 2 ] and [ 2 , 2 ] to encrypt and transmit SC to Alice and Bob, re-

spectively. After these exchanges Alice, Bob and Calvin will all be in possession
of sequences SA , SB and SC . The sum of entropies of these three sequences is
the entropy of the shared group secret. Similar to Phase I, the concatenated
sequences [SA SB SC ] are passed to a hash function that returns a new bit string
that is used as a symmetric group key GKA,B,C shared between Alice, Bob and
Calvin.

5. Attacks and Counter measures

5.1. Phase I Attack Strategies for Eve

Now we consider Phase I from Eve’s perspective and consider two different
attack strategies. We call the first strategy the random strategy, denoted by Eve
(rand) and Er in Tab-1. When Eve follows this strategy it also follows a random
switching schedule in the hope of selecting a schedule that will match that of the
receiver. This means that during stage one, Eve will also receive approximately
half the transmissions made by Alice and half the transmissions made by Bob.
0 0
KAC KBC
The sequences overheard by Eve are denoted by 2 and 2 and may or may
not be identical to the ones received by Calvin. If the number of rounds R in
each stage is sufficiently large, the probability that Eve’s received sequences will
match those of Calvin will progressively decrease with higher values of R. As
can be seen from Tab-1, the aggregate information obtained by Eve at the end

9
of the third stage will most likely not be enough for it to compromise any of the
three pairwise links.
An alternative strategy that Eve may adopt is called the fixed strategy de-
noted by Eve (fixed) Ef . When it uses the fixed strategy, Eve chooses one of
the two channels in use during a stage and listens to all transmissions on it.
While the entropy of the sequences overheard by Eve using either strategy is
the same, there is a qualitative difference between what can be achieved with
the eavesdropped sequences. The result of deploying the fixed strategy on the
information eavesdropped by Eve is shown in the last column of Tab-1. We
also assume that Eve is able to eavesdrop on the channel switching schedule
vectors communicated by receiving users at the end of each stage. However,
unlike in the random strategy, when Eve adopts the fixed strategy it is able to
breach one of the three links. In the example depicted in Appendix Fig. A.6
and Tab-1, Eve will be able to reconstruct the pairwise key between Alice and
Calvin. Thus, if Eve adopts the fixed strategy it will be able to compromise at
most one of the three links between Alice, Bob and Calvin.

5.2. Phase II Attack Strategies for Eve

When following the random strategy, Eve is unlikely to breach and eavesdrop
on any of the encrypted communications progressing in Phase II. However, if
Eve follows the fixed strategy Eve may be able to compromise one out of three
links (see Appendix Fig. A.6). In this example that is the link between Alice and
Calvin. This may become possible if the set of packets on the channel between
Alice and Eve’s are a subset of the packets between the Alice and Calvin in that
stage, and the same also needs to be true for the stage when Calvin transmits
and Alice receives. Together with the information Eve overhears in the channel
switching schedules of Alice and Calvin, Eve is now able to reconstruct KAC
and KCA . That means, Eve will be able to eavesdrop on all communications
between Alice and Calvin (SA and SC ) that are encrypted using these symmetric
keys. Note, however, that sequence SB remains unknown to Eve because each
time its transmission is encrypted using keys [ KBC KCB KAB KBA
2 , 2 ] or [ 2 , 2 ], both

10
of which are unknown to Eve. This way, when Alice, Bob and Calvin create
GKA,B,C , one of the three sequences SA , SB and SC will be unknown to Eve.
Therefore, the entropy of the group secret is limited by the length / entropy of
one of the sequences SA / SB / SC .

6. Generalized Group Key Generation

In this subsection, we present a generalized group key generation MuGKeG

algorithm with two fundamental goals. Firstly, we generalize the MuGKeG
algorithm for the case of N nodes with each node having C channels when
C ≥ N − 1. Secondly, we present the case of N nodes with each node having C
channels where C << N and N is of the order of thousands or millions.

6.1. Scaling up MuGKeG for large number of Channels

We now expand the MuGKeG algorithm to the case of a group of more than
N ≥ 3 users with C channels where C ≥ N − 1. The generalized algorithm is
described in Alg. 1 and Alg. 2 in Appendix.
As before, the algorithm is structured into two Phases. In Alg. 1, phase-I
of MuGKeG occurs by transmission of all N nodes to all receiver nodes one by
one through all C channels. Transmitted streams from every node follow an R
rounds process so that there is a minimum chance of getting same receptions by
Eavesdropper following a random strategy. At end of Phase-I, all nodes bear a
unique set of keys between all other nodes.
In Alg. 2, phase-II of group key generation occurs by transmission of N
sequences using respective key encryption between pair of nodes. At the end of
phase-II, every node generates the unique key using a hash function from the
combination of N sequences. A single application of the MuGKeG algorithm
can be used to establish a shared secret between at most as many nodes as there
are available channels.

11
6.2. Scaling Up MuGKeG for Large Groups of Nodes

One of the major advantage of MuGKeG is its application for large network
containing thousands or millions of nodes in the wireless network. In this sub-
section, we firstly present a base case (with 9 nodes) and then a generalized case
for scaling MuGKeG for large number of nodes. We show that the MuGKeG
algorithm can be applied repeatedly to include successively more nodes.
Fig. 1 presents a base case of nine nodes N 1 − N 9 with multiple passive
attackers. Each node is equipped with IEEE 802.11b radio with atleast two
channels used for group key generation. Based upon the MuGKeG algorithm,
three groups of nodes (N 1 − N 3, N 4 − N 6 and N 7 − N 9) each comprising of
three nodes are formed in the network as shown in Fig. 1. After the individual
key generation inside the three group of nodes, nodes N 3, N 6 and N 9 make a
cluster to generate a group key inside this cluster. Hence, after two iterations
of MuGKeG algorithm, all nodes bear a secret group key.

N1 N2

N3

N5 N6 N9 N8

N4 N7

Figure 1: Scaling Group key generation for large number of nodes.

For generalization, let us assume that every node has C channels available in-
side a million node network. Based upon the number of eavesdroppers (depend-
ing upon the system’s vulnerability), a maximum of N nodes with N ≤ C + 1
can participate in the first application of the MuGKeG algorithm. At the end
the N nodes will share a shared secret that can be used to generate a group
key. Next, each of these nodes will create a new group of N nodes with secure

12
communication channels between them. This will add another N × (N − 1)
nodes to the N securely communicating nodes, bringing the total to N 2 . After
i steps, this will grow the number of nodes communicating securely to N i . After
j iterations, N j can cover millions of nodes in any network.

7. Generalized Analytical Model

Take a group of N nodes, where N ≥ 3, able to communicate with each other

over N −1 independent wireless channels. We assume the presence of M passive
eavesdroppers that are able to cooperate and share information. First, we derive
the analytical, closed form expression for the probability mass function (pmf)
of the entropy of the shared pairwise keys between pairs of nodes [23]. Then we
use it to obtain the entropy of the shared group key among the N nodes.

7.1. Phase I

Round-level: We first derive the probability that M cooperating eaves-

droppers will be able to overhear a particular transmission of a particular round
of a particular stage of the algorithm. Let the probability of successfully eaves-
dropping on such a transmission be denoted by ps and the failure probability be
pf = 1 − ps , and let T x,Rx denote the packet loss rate of the channel between
transmitting node T x and receiving / eavesdropping node Rx. Then,
 
N −i−1
p s = 1 − ΠMi=1 {1 − (1 −  T x,Rx )(1 −  T x,i )}
N −i
 
N −i−1 (1)
pf = ΠM i=1 {1 − (1 −  T x,Rx )(1 −  T x,i )}
N −i

Stage-level: We model the number of transmissions overheard by the M

eavesdroppers in the course of one stage of the algorithm by the random variable
R. Recall that before each of the R rounds of each stage of the N stages, the
receiver randomly selects from among N − 1 channels, independent of what
channel it listened on in previous rounds. This way, the pmf of R can be
modeled as a binomial random variable.

13
 R
r
pR (r) = p × pR−r
r s f

R
N −i−1
h i
= (1 − ΠMi=1 {1 − (1 − T x,Rx )(1 − T x,i )} )r
r N −i (2)
N −i−1
h i
M
× (Πi=1 {1 − (1 − T x,Rx )(1 − T x,i )} )R−r
N −i

We model the entropy of the transmissions of one particular transmitter

during all R rounds of one stage at Eve by random variable H (1) . Let the b and
B denote the length of each transmission for one and R rounds, respectively.
Since eavesdroppers will listen on a channel for at least the duration of one
round, H (1) can only take on values that are integer multiples of b. Then the
pmf of the random variable H (1) can be obtained simply as shown in Eq. 3.

h(1)
   
(1)
pH (1) h = pR R−
B (3)

Fig. 2 shows the PMF of entropy H (1) for vary number of bits (b) with 10,
20, 30 and 40 rounds, respectively. Trends of entropy show that small number of
rounds require small number of bits to produce large entropy while large number
of rounds require large number of bits for large entropy. Probability with which
Eve can listen to a particular channel is 0.5 in case of three nodes, which implies
that the probability of entropy will have a maxima when it intercepts half of
the shared info and a minimum value when it listens the complete shared info.
Pairwise Key-level: The shared, pairwise key between any two nodes
i and j of the N nodes has entropy denoted HP K (i, j) and is given in Eq.
4. Since the pairwise key is a shared key between nodes i and j, therefore,
HP K (i, j) = HP K (j, i).

H (1)
HP K (i, j) = 2 ×
N −1 (4)

14
 0.4
R = 10
R = 20

PMF of entropy (H(1))

0.3 R = 30
R = 40

0.2

0.1

0
0 1 2 3 4 5 6 7
Total bits for R rounds (B) x 10
5

Figure 2: PMF of entropy (H (1) ) with different rounds (R) for varying number of bits for all
rounds (B).

7.2. Phase II

In the second phase, the pairwise keys are used for encrypting communica-
tions between the pair of nodes that share the key. The sequence Si shared by
node i with node j, one of its N − 1 peers, is encrypted using HP K (i, j). The
entropy HGK of the shared group key depends on two things:

1. The length / entropy HS of each sequence Si .

2. The attack strategy employed by Eve.

If the M eavesdroppers follow the random strategy in Phase I, they would

have most likely been unable to breach any of the encrypted links used in Phase
(rand)
II. That makes the entropy HGK of the group key,

(rand)
HGK = N × HS
(5)

If the M eavesdroppers follow the optimal strategy described earlier, the

M ×N
eavesdroppers will be able to compromise no more than 2 channels between
pairs of nodes. However, the probability as long as the number of eavesdroppers
in the vicinity of each group of N nodes establishing shared secrets is M < N −1,
that probability remains very low. Even if M exceeds this threshold, increasing
the number of rounds R. Since there are a total of N nodes;

15
 (f ixed)
HGK = (N − M − 1) × HS
(6)

8. ns-3 Simulations

To verify the analytical model developed in the preceding section, we simu-

late the MuGKeG algorithm. This is achieved by tracking the entropy, i.e. the
number of bits unknown to eavesdroppers, in each pairwise secret established
at the end of Phase I, as well as the Group Key created at the end of Phase II.
The ns-3 platform was used for generating simulation results. Values of simu-
lation parameters used are provided in Tab-2. The analytical model measures
the secrecy of pairwise and group keys in terms of the uncertainty of the values
of bits making up the keys, as seen by Eve when it employs a random switching
strategy. We first provide results for the entropies of pairwise keys generated at
the end of Phase I, followed by the entropies of Group Keys generated at the end
of Phase II. For the simulations we set transmit power of IEEE 802.11b nodes
to 16.0206 dBm, while receivers have a gain of −20 dB. The MAC is operated in
Ad hoc WiFi mode and nodes are stationary. For simplicity successive rounds
are timed one sec apart, while nodes are placed 10 m apart.

Table 2: ns-3 simulation parameters.

Parameter Value

MAC model IEEE 802.11b in Adhoc Mode

Frame Payload (b) 2312 bytes
PHY Mode WiFi Phy mode
Transmit Power 16.0206 dBm
Receiver Gain -20dB
Packet loss rate 5%, 10%, 20%
Propagation Delay Const Speed Propagation Delay Model
Propagation Loss Friis Propagation Loss Model
Distance 10 m
Static Routing Protocol OLSR

16
8.1. Entropy of Pairwise Keys

For the base case the number of nodes N was set to three and number
of rounds R in Phase I exchanged during each stage was set to 10. During
each round, the number of bits b transmitted is set to 2312. Here we provide
a comparison between our simulation results and the analytical model of the
MuGKeG algorithm. Fig. 3 plots the PMF of the entropy HP K of pairwise keys
against different values of pairwise key entropies for N = 3 and one eavesdropper
(M = 1), for the case when Eve employs the random channel switching strategy.

0.35
N=3,M=1,Analytical
0.3 N=3,M=1,Simulated
0.25
PMF of HPK

0.2

0.15

0.1

0.05

0
0 10 20 30 40 50
Entropy of Pairwise Key (HPK)

Figure 3: Comparison of PMF of entropy of intercepted pairwise key at Eve (ns-3 simulation)
for N = 3. This is plotted against the PMF entropy predicted by our analytical model.

When Eve adopts the fixed strategy it is guaranteed to compromise one

pairwise key. Simulations of Eve using the fixed strategy also confirm this.
The probability that Eve captures the complete key or none of the bits used
in all keys are both very low. The PMF of the pairwise key entropy peaks at
R×b
N −1 bits. Clearly, the simulation results are in agreement with the analytical
model. Fig. 4 is a plot of the entropy H (1) and the number of rounds that
were necessary between N = 3 nodes at different packet loss rates of 5%, 10%
and 20%, respectively. It is also rather clear that the entropy of the pairwise
secret increases linearly with number of transmissions. Similarly, the entropy of
pairwise shared secret grows linearly with an increase in the number of rounds
R.

17
 6
x 10

1.5
Entropy H (1)
1
Error Rate = 5%
0.5 Error Rate = 10%
Error Rate = 20%
0
100 150 200 250 300 350
Number of Rounds (R)

Figure 4: Scatter plot of entropy H (1) vs number of rounds at various packet loss rates.

8.2. Entropy of Group Keys

We now separately analyze the entropy of the group key that is obtained
by concatenating sequences SA , SB and SC for the base case in Section 4.
Fig. 5 plots the PMF of the entropy of the group key for the base case with
a group of N = 3 nodes trying to establish a group key in the presence of
M = 1 eavesdropper. PMF predicted by the analytical model as well as the one
obtained by simulations follow the basic trends with minor variations.

0.2
N=3,M=1,Analytical
N=3,M=1,Simulated
0.15
PMF of HGK

0.1

0.05

0
0 50 100 150
Entropy of Group Key (HGK)

Figure 5: Comparison of PMF of entropy of intercepted group key at Eve (ns-3 simulation)
for N = 3. This is plotted against the PMF entropy predicted by our analytical model.

18
9. Limitations

9.1. Active Attack

Performance of MuGKeG is limited to passive attackers (eavesdroppers).

Active attack strategies like jamming, replay attack, Man in the middle, denial
of service attack etc. deteriorate the performance of MuGKeG. It is pertinent
to mention that the goal of MuGKeG is to generate the secure key based upon
the assumption that the communicating channel is free for transmission.

9.2. Wireless Coverage

MuGKeG requires a minimum number of three nodes in the presence of one

eavesdropper. This suggests that every node in the network must be in the
radio range of atleast two other nodes for secure key generation of MuGKeG.

9.3. MIMO Eavesdroppers

MuGKeG assumes that eavesdropper’s capability of listening the channels

is similar to the communicating nodes capability. All nodes can listen to only
one channel at any given instant. However, presence of more than one radio can
enable the eavesdroppers to listen multiple channels which is beyond the scope
of this algorithm.

9.4. Channels Availability

For a group of three nodes, MuGKeG requires atleast two wireless channels
simultaneously. Absence of atleast two channels can hinder the algorithm from
its working and it can also make the system vulnerable to eavesdropper. More-
over, error free communication occurs only for two non-overlapping channels
otherwise key generation is not only vulnerable but also time-consuming due to
retransmissions.

19
10. Discussion

Tab-3 presents a comparison of MuGKeG with previous state of the art

schemes. A number of parameters were compared including the jamming, arti-
ficial noise, secrecy rate, key size and number of transmissions etc. Comparison
shows that MuGKeG is independent of physical layer technique as it depends
only upon the available channels. It excels other techniques in secrecy rate (76
kbps with 256 bit key size), key size (scalable) and key generation depending
upon the physical layer technology (IEEE 802.11b WLAN used for MuGKeG).
MuGKeG is independent from Eve’s location with number of transmissions in-
dependent of number of eavesdroppers. Moreover, jamming and artificial noise
were not incorporated by MuGKeG. It is pertinent to mention that Safaka et al.
[9][18] have calculated the probability of guessing the secret bit by varying the
number of nodes participating in key generation process. As number of nodes
increase, probability of guessing the secret bit decreases, owing to noise in the
channel.

Table 3: Comparison of MuGKeG with previous state of the art schemes

Technique Zan and Gruteser [14] IJam [8] Safaka et al. [9] Safaka et al. [18] MuGKeG

Physical Layer FHSS OFDM No No Independent

Secrecy Rate 426.67 bps 3-18 Kbps 38 Kbps 55 Kbps 76 kbps

Key Size 128 bits 512 bits – – Scalable

Key Generation Pair Pair Pair + Group Pair Pair + Group

Performance Parameters Key generation time BER Eve’s C.E* + Ef.**Eve’s C.E* + Ef.**Eve’s C.E* + Ef.**

Eve’s Location Independent Independent Independent Dependent Independent Independent

No. of transmissions RC 2RNP RN RNP RN(N-1)

Jamming No Yes No No No

Artificial Noise No No Yes Yes (LOS) No

* Conditional Entropy (C.E). ** Efficiency (Ef) = Key Size (bits) / Transmission Size (bits) *** P = Pkts per round

20
11. Conclusions

This paper presents the MuGKeG algorithm to create a shared group key
among a group of N wireless nodes. Repeated applications of the MuGKeG
algorithm to different sets of nodes can be used to scale up the size of the group
of nodes communicating securely. The time required to include a total of T
nodes can be achieved in logN T times the time required to run one iteration of
the MuGKeG on a single set of N nodes. The MuGKeG algorithm is able to
generate a group key even in the presence of large number of nodes (greater than
the number of available channels) and can scale up to use all available channels
for a given number of nodes. The MuGKeG algorithm makes no assumptions
and places on pre-conditions on the channel conditions or positions of the eaves-
droppers. The MuGKeG algorithm is scalable in the sense that it can be used
in any group of three or more wireless nodes and is able to guarantee security
as long as both the following conditions hold true:

1. Packet losses on a wireless channel are independent of packet losses on

other channels.
2. For each application of the MuGKeG algorithm the number of available
channels is equal to the number of nodes.

An analytical model is developed for the entropy of the intermediate pairwise

keys as well as the group keys. The analytical model is verified by results
generated from ns-3 simulations that closely follow the model.

21
12. Bibliography

[1] S. Singh, The code book: The science of secrecy from ancient egypt to
quantum cryptography. anchor books, EDICION, ISBN 744962333.

[2] T. A. PRESS, TJX Says Theft of Credit Data Involved 45.7 Million Cards,
The New York Times.

[3] S. Jana, S. N. Premnath, M. Clark, S. K. Kasera, N. Patwari, S. V. Krish-

namurthy, On the effectiveness of secret key extraction from wireless signal
strength in real environments, in: Proceedings of the ACM MOBICOM
Conference, 2009.

[4] J. Croft, N. Patwari, S. K. Kasera, Robust uncorrelated bit extraction

methodologies for wireless sensors, in: Proceedings of the IPSN Conference,
2010.

[5] Q. Wang, H. Su, K. Ren, K. Kim, Fast and scable secret key generation
exploiting channel phase randomness in wireless networks, in: Proceed-
ings of the IEEE International Conference on Computer Communications
(INFOCOM), 2011.

[6] A. Arora, L. Sang, Dialog codes for secure wireless communications, in:
Proceedings of the IPSN Conference, 2009.

[7] S. Vasudevan, D. Goeckel, D. Towsley, Security-capacity trade-off in large

wireless networks using keyless secrecy, in: Proceedings of the eleventh
ACM international symposium on Mobile ad hoc networking and comput-
ing (MobiHoc), 2010.

[8] S. Gollakota, D. Katabi, Physical layer wireless security made fast and
channel independent, in: Proceedings of the IEEE International Conference
on Computer Communications (INFOCOM), 2011.

[9] I. Safaka, C. Fragouli, K. Argyraki, S. Diggavi, Creating shared secrets out

of thin air, in: Proceedings of the 11th ACM Workshop on Hot Topics in
Networks, ACM, 2012, pp. 73–78.

22
[10] S. Sankararaman, K. Abu-Affash, A. Efrat, S. D. Eriksson-Bique, V. Pol-
ishchuk, S. Ramasubramanian, M. Segal, Optimization schemes for pro-
tective jamming, in: Proceedings of the ACM international symposium on
Mobile Ad Hoc Networking and Computing, 2012, pp. 65–74.

[11] L. Dong, Z. Han, A. P. Petropulu, H. V. Poor, Improving wireless physi-

cal layer security via cooperating relays, in: IEEE Transactions on Signal
Processing, Vol. 58, No.3, 2010.

[12] T. R. Henderson, M. Lacage, G. F. Riley, C. Dowell, J. Kopena, Network

simulations with the ns-3 simulator, SIGCOMM demonstration.

[13] S. Xiao, W. Gong, D. Towsley, Secure wireless communication with dy-

namic secrets, in: Proceedings of the IEEE International Conference on
Computer Communications (INFOCOM), 2010.

[14] B. Zan, M. Gruteser, Random channel hopping schemes for key agreement
in wireless networks, in: IEEE International Symposium on Personal, In-
door and Mobile Radio Communincations, 2009.

[15] S.-C. Tsai, W.-G. Tzeng, K.-Y. Zhou, Key establishment schemes against
storage-bounded adversaries in wireless sensor networks, in: IEEE Trans-
actions on Wireless Communications, 2009.

[16] M. J. Miller, N. H. Vaidya, Leveraging channel diversity for key establish-

ment in wireless sensor networks, in: Proceedings of the IEEE International
Conference on Computer Communications (INFOCOM), 2006.

[17] N. Basilico, N. Gatti, M. Monga, S. Sicari, Security games for node localiza-
tion through verifiable multilateration, IEEE Transactions on Dependable
and Secure Computing 11 (1) (2014) 72–85.

[18] I. Safaka, C. Fragouli, K. Argyraki, S. Diggavi, Exchanging pairwise se-

crets efficiently, in: Proceedings of the IEEE International Conference on
Computer Communications (INFOCOM), 2013, pp. 2265–2273.

23
[19] X. Zhu, F. Xu, E. Novak, C. C. Tan, Q. Li, G. Chen, Extracting secret
key from wireless link dynamics in vehicular environments, in: Proceed-
ings of the IEEE International Conference on Computer Communications
(INFOCOM), IEEE, 2013, pp. 2283–2291.

[20] C. Hu, X. Cheng, F. Zhang, D. Wu, X. Liao, D. Chen, OPFKA: Secure

and efficient ordered-physiological-feature-based key agreement for wireless
body area networks, in: Proceedings of the IEEE International Conference
on Computer Communications (INFOCOM), 2013, pp. 2274–2282.

[21] H. Liu, Y. Wang, J. Yang, Y. Chen, Fast and practical secret key extraction
by exploiting channel response, in: Proceedings of the IEEE International
Conference on Computer Communications (INFOCOM), 2013, pp. 3048–
3056.

[22] A. S. Tanenbaum, Computer networks, Vol. 1981, Prentice-Hall Englewood

Cliffs (NY), 1989.

[23] T. M. Cover, J. A. Thomas, Elements of information theory, John Wiley

& Sons, 2012.

24
Appendix A. Flow Chart and Algorithms for MuGKeG

Tx Phase I Rx
A R 3 2 1
C [KAC/2, KBC/2]

Stage 1
CA
KAC 1
2
3 Er [KAC'/2, KBC'/2]
KBC
R CB
B Ef [KAC]

A R
CA
3 2 1 B [KAB/2, KCB/2]
Stage 2

KAB 1
2 [KAB'/2, KCB'/2]
3 Er
KCB
R CC
C Ef [KAB]

B R
CB
3 2 1 A [KBA/2, KCA/2]
Stage 3

KBA 1
2
3 Er [KBA'/2, KCA'/2]
KCA
R CC
C Ef [KCA]

Tx Phase II Rx
Stage 4

SA
A [KAB,KBA]/2 B
Compromised

SA [KAC,K
CA]/2
SA
C
Link

B A SB
Stage 5

[KAB,KBA]/2

SB [KBC,K
CB]/2
Ef
C SB
Compromised
Link

C [KCA,KAC]/2 A
Stage 6

SC
SC [KCB,KB
C]/2
B SC

Figure A.6: Flow chart for MuGKeG for base case description between Alice (A), Bob (B),
Calvin (C), Eve-fixed (Ef ) and Eve-random (Er ).

25
Algorithm 1 Multi-channel Secure Group Key Generation
Ensure: Every node n is assigned a home channel Cn
1: PHASE I:
2: for Stage n = [1..N ] do
3: Vn = [ ]
4: for Node m = [1..N ] do
5: for Round r = [1..R] do
6: Node n initializes Rm [r] := [ ]
7: end for
8: end for
9: for Node m = [1..N ], m 6= n do
10: Node m initializes Tm := [ ]
11: end for
12: for Round r = [1..R] do
13: Node n randomly picks a number from {{1, 2, . . . , N } − {n}} and stores it in Vn [r].
14: Node n switches to channel ChVn [r] to receive.
15: Nodes {{1, 2, . . . , N }−{n}} generate, save and simultaneously transmit b bit random
sequences Tm [r] on respective home channels.
16: Node n stores received b bit transmission as P .
17: if P passes CRC then
18: Rn [r] := P
19: else
20: Vn [r] := 0
21: end if
22: end for
23: Transmit vector Vn to nodes {{1, 2, . . . , N } − {n}}.
24: end for
25: for Node n = [1..N ] do
26: for Node m = [1..N ], m 6= n do
27: Node n creates shared key P Kn,m = [Rn [Index(Vn == m)]Tn [Index(Vm == n)]].
28: end for
29: end for

26
Algorithm 2 Multi-channel Secure Group Key Generation
Ensure: Every node n is assigned a home channel Cn
1: PHASE II:
2: for n = [1..N ] do
3: Node n selects a random sequence Sn .
4: for m = [1..N ], m 6= n do
5: Node n encrypts Sn using pairwise key P Kn,m .
6: Node n transmits encrypted message P Kn,m (Sn ) to m.
7: end for
8: end for
9: for n = [1..N ] do
10: Create shared Group key GK by concatenating GK := [S1 S2 ..SN ].
11: end for

27