Retrodirective-Assisted Secure Wireless Key Establishment

In this paper, a new type of architecture for secure wireless key establishment is proposed. A retrodirective array (RDA) that is configured to receive and re-transmit at different frequencies is utilized as a relay node. The RDA is able to respond in “real time,” reducing the required number of time slots to two. More importantly, in this architecture, equivalent reciprocal wireless channels between legitimate keying nodes can be randomly updated within one channel coherence time period, leading to greatly increased key generation rates in slow fading environment. The secrecy performance of this RDA-assisted key generation system is evaluated under several eavesdropping strategies and it is shown that it outperforms previous relay key generation systems.


I. INTRODUCTION
M OBILE wireless communication has experienced an unprecedented growth in recent years presenting many enterprise opportunities. Along with these opportunities there are attendant risks. The broadcast nature of the electromagnetic wave propagation medium in a wireless environment significantly increases the chances of sensitive information being intercepted by eavesdroppers. Currently sensitive transmission data is encrypted at the upper protocol layers through mathematical cryptographic means [1]. Recently the potential for the efficacy of such mathematical encryption schemes to be mitigated has been under discussion [2]. Furthermore, requirements related to trusted key management infrastructure may render conventional cryptographic method less applicable for some wireless systems, such as ad-hoc networks and lowcost wireless sensor networks [3], hence potentially providing a systemic issue regarding ubiquitous rollout of the Internet of Things [4].
Distinct from the upper layer cryptographic approach, physical layer security techniques do not reply on computational complexity. This implies that the achieved level of security will not be compromised even if an unauthorized third party has Manuscript  unlimited computational capability [5]. One form of physical layer security techniques relies on the establishment of secret keys by exploiting randomness of reciprocal propagation channels between keying nodes [6], [7]. The information theoretical foundation of this key establishment approach was given in [8] and [9]. Key generation normally consists of four steps: channel probing, quantization, information reconciliation, and privacy amplification [7]. Two legitimate users alternately measure the signal waveforms transmitted through propagation channels to harvest the randomness in channel probing stage. After converting the channel measurements into binary bits in quantization step, the mismatch bits of shared keys are corrected in information reconciliation using protocols or error correction codes. Finally the leaked information on shared keys is removed in privacy amplification step, e.g., through universal hashing functions. In this paper, we focus on designing a relay-based key generation architecture which enables a larger amount of common information being shared among keying nodes in wireless channel probing stage, when compared with previous relay key generation schemes. The remaining key generation procedures investigated previously, e.g., quantization schemes in [10], information reconciliation in [11], and privacy amplification in [12], can then be implemented after the common signal waveforms have been obtained in the channel probing stage.
There are several characteristics of legitimate channels that can be utilized to extract secret keys, such as received signal strength (RSS) [13]- [15], channel phase delays [16], [17], multipath relative time delays [18], [19], and full channel state information (CSI) [20], [21]. No matter which channel parameters are chosen, there is always a trade-off between key generation rate (KGR), describing the amount of key bits generated per time unit, and key disagreement rate (KDR), denoting bit disagreement rates of the generated keys shared by legitimate nodes. In a slow fading channel, the channel cross-correlation is impacted by the non-simultaneous probing and independent noise at each keying node, which result in the key disagreement [21], [22]. Therefore, the number of key quantization levels should be kept small in order to get a low KDR. On the other hand, slow fading channels and low quantization levels limit achievable KGR, since the key generation round can only be conducted once during one channel coherence time period.
A number of approaches have been proposed to increase KGR without degrading KDR. In [15], [23], and [24] multiple This work is licensed under a Creative Commons Attribution 3.0 License. For more information, see http://creativecommons.org/licenses/by/3.0/ nodes or multiple antennas at each node are exploited in order to create multiple usable common channels from which more key bits can be extracted within one channel coherence time period. Similarly, multiple independent or quasi-independent channels can be generated using frequency resources, such as channel hopping in [25]- [27], and OFDM signals in [21] and [28]- [30]. A concept utilizing random beamforming was proposed in [27], [31], and [32]. Here the excitation weights of multi-antenna nodes are randomly updated during each key generation round, such that a controlled artificial 'fast fading' channel is created. As a consequence, more independent random secret key bits can be generated by repeated channel probing within one channel coherence time period.
In addition to the above methods, helper or relay nodes have been introduced in [17] and [33]- [37]. In [33] the presence of a relay node helps create two more common channels that exist between each of the keying nodes and the relay, such that KGR can be increased. Apart from creating more usable channels, the relay nodes can also help generate artificial noise [34], [35], which contaminates the intercepted signals received by eavesdroppers, or helps enhance the randomness of the channel characteristics, [35]- [37], in such a fashion to increase secret key rates. However, there are issues associated with the helper or relay architectures, which are listed as follows: a) the relay or helper needs to have calculation capabilities, e.g., estimating channels in [33], generating well designed artificial interference in [34], [35], and demodulating signals in [37]; b) the relay or helper needs to be a trusted party [17], [34]- [36], and in some cases a secure channel between helper and one of the keying nodes is required [34]; c) the relay or helper has to acquire some system knowledge before carrying out key generation protocols. This includes time-slot assignment [17], [33]- [37], CSI of legitimate channels [17], and the training symbols used in the system [33], [35], [36]; d) only one probing of the channel can be performed per coherence time period [17], [33]- [37].
These factors make the above mentioned relay key generation architectures unsuitable in many application scenarios. In this paper we propose a new type of relay key generation architecture, which uses a retrodirective array (RDA) [38] as a relay node. By configuring the RDA node to receive and re-transmit at different frequencies, the common waveform observations can be shared among legitimate users for further secret key extraction. This arrangement has the following characteristics that facilitate overcoming the above mentioned weaknesses; a) the RDA relay node can be implemented in an analogue fashion thereby allowing low power consumption and the real-time response. The RDA node does not need to have any additional digital calculation capabilities; b) no secure links between RDA and other keying nodes are required. Since the RDA can operate without demodulating signals nor estimating channels, the potential for the relay node to leak information intentionally or unintentionally is significantly reduced, i.e., it can be considered as a trusted node; b) no system parameters including CSI, training sequences, and time-slot assignment are required by the RDA relay node; d) multiple channel measurements can be conducted within one coherence time period, because with the help of the RDA the equivalent channel can be manipulated to be 'fast fading', greatly increasing the achievable KGR.
Besides the above listed characteristics, the proposed architecture requires only two time slots for each key generation round, compared with at least three time slots in previous relay key generation protocols.
We need to point out that the approaches presented in [21]- [32], i.e., multi-antenna, multi-carrier, and ramdom beamforming schemes, can also be applied onto the RDA key generation architecture proposed in this paper, leading to a further increased KGR. The combinations of these techniques with the methodology suggested here are not discussed in this paper.
This paper is organized as follows; • In Section II, system models including statistical multipath channels and RDAs used throughout the paper are described. • In Section III, the single antenna element RDA assisted key generation architecture and the protocol deployed are presented. In additional, various strategies with minimum assumptions that can be adopted by eavesdroppers are discussed. • In Section IV, the secret key rates of the proposed system are simulated and compared with non-relay and previous relay key generation systems. It is shown that the proposed RDA assisted key generation system outperforms the previous relay key generation systems under every eavesdropping scenarios, in terms of secrecy performance. • In Section V, from a more practical point of view the impact of imperfect training sequence recovery at each node on the system performance is investigated. • In Section VI, the benefits of higher beamforming gains towards legitimate nodes than those towards eavesdroppers, which are brought by involving more antenna elements in RDA relay nodes, are briefly investigated. • In Section VII, conclusions are drawn.
Throughout this paper, the following notations will be used: Boldface lower case and capital letters, e.g., h and H, denote parameters in time and frequency domains, respectively, and they are complex numbers. Boldface capital letter with an arrow on top refers to a vector, whose elements are parameters in frequency domain. Letters with superscripts R D A, nr , and r correspond to parameters in the proposed RDA, non-relay, and previous relay key generation systems. '[·] * ' denotes complex conjugate operator, and '•' is the Hadamard product of two vectors. '[x] + ' returns zero if x is less than zero otherwise returns x.

A. Statistical Multipath Channel Model
In this paper a dynamic multipath-rich Rayleigh wireless propagation channel is considered. The channel impulse response (CIR) can be written as where h(τ l , t) is a complex number representing the attenuation and phase delay of the l th (l = 0, 1, ..., L −1) propagation path, i.e., channel taps, between communication nodes at the time instant t. τ l refers to the time delay of the l th channel tap relative to the corresponding t. δ(·) is the Dirac delta function. It is assumed that, a) at each time instant the total number of channel taps, i.e., L, is identical, b) τ l starts from zero and is uniformly spaced in time. Thus it can be expressed as τ l = lT , where T is normally determined by the sampling period of the hardware, c) the scattering multipath in the channel is sufficiently rich that the h(τ l , t) follows zero-mean complex Gaussian distribution, i.e., h(τ l , t) ∼ C N(0, σ 2 hl ) [39]. When taking Fourier transform of (1) with respect to τ , the channel frequency response (CFR) can be obtained, and is given as ( Unless otherwise specified, all of the simulation results presented in this paper are based on the following channel parameters for typical wireless indoor environment [40]. • The sampling period T is set to 50 ns; • The average power of each channel tap follows an exponential decay power delay profile with root mean square (RMS) delay spread σ τ of 50 ns, from which the number of channel taps can be calculated to be 11; • A bell-shaped Doppler power spectral density with Doppler spread f d of 10 Hz is used. The normalized auto-correlation function (ACF) of H( f, t) can be formulated as [41] r where 'E[·]' is the expectation operator. From the ACF the channel's coherence bandwidth f c and coherence time T c can be calculated [42].

B. Retrodirective Arrays (RDAs)
Before describing the RDA relay key generation system in Section III, RDA operation is briefly presented here. An RDA has the capability to re-transmit a signal back along the spatial direction(s), along which the array was illuminated by the incoming signals without the need for a-priori knowledge of their points of origin [38]. This automatic tracking characteristic makes RDA technology useful in many mobile applications, e.g., long-range radio frequency identification (RFID) [43] and mobile satellite communications [44], [45]. The core element of an RDA that enables the tracking functionality is the phase conjugator unit [46]. Among many forms of phase conjugator units, active analogue types are attractive due to their low power consumption, real-time response, and frequency reconfiguration flexibility [47], [48].
The basic operation upon which an RDA is predicated is illustrated by way of an example shown in Fig. 1. A distant source emits a pilot signal s(t), which can be a radio frequency (RF) continuous wave (CW) or a modulated signal waveform [49], at frequency f s . The  (4), A well-designed analogue RDA is able to complete the phase conjugation operation within 100 μs, which is normally much less than the channel coherence time T c (usually in the order of tens or hundreds of ms in indoor environment). Thus the re-transmission channel G sm ( f r ) can be normally regarded to be identical to the reception channel H sm ( f s ) when f r = f s . In this case (4) can, in the absence of noise, be expressed as Equation (5) indicates that the re-transmitted signals by each RDA element are combined constructively both spatially and temporally or, in other words, in-phase at the source node, i.e., automatically re-transmitting signal back to the source position where the pilot signal is originated.
When f r = f s , as occurs in full-duplex RDAs, the re- and H sm ( f s ) can be directly linked by compensating their frequency differences [50], thus after channel coefficient When an RDA is illuminated by multiple pilot sources from different directions, as occurs in our proposed system architecture described in Section III, the signals are re-transmitted along all of these directions with their beamforming gains proportional to the magnitudes of the corresponding received pilot signals along these directions [51]. This scenario is essentially equivalent to the case of single pilot source in a multipath environment.

III. RDA ASSISTED WIRELESS KEY GENERATION
In this section single antenna RDA assisted key generation system is presented and the associated adversary model is investigated. It should be noted that the single antenna RDA is still able to phase conjugate the incoming signal, but cannot perform beamforming for re-transmission towards the pilot source. This architecture is further extended to the multiantenna RDA key generation system in Section VI with additional benefits presented.

A. Single Antenna RDA Assisted Key Generation
The model of the proposed single antenna RDA assisted key generation system is illustrated in Fig. 2. The nodes Alice and Bob intend to establish a shared common key with the help of a single antenna RDA node. These three nodes are termed legitimate nodes hereafter. In this paper we assume Alice and Bob are both equipped with a single antenna. Not discussed in this paper are multiple-antenna cases which can be investigated using similar methods to those in [23] and [52] for MIMO key generation scenarios.
Each key generation round only comprises two time slots (TS1, 2), which are now described; TS1) Alice and Bob locally generate random and independent signals U i and V i , respectively, and then radiate them at an identical frequency f 1 . Here the subscript 'i ' refers to the i th key generation round. In order to simplify notation, the subscript 'i ' is omitted later in most cases. In order to facilitate signal to noise ratio (S N R) definition later in Section IV, it is assumed that Alice and Bob do not need to know or store the values of U and V. The detected signal W b at the RDA element can be expressed as where H x (G x ) represents the channel coefficient between Alice (Bob) and the RDA element at frequency is the frequency representation of the additive white Gaussian noise (AWGN) n xy ∼ C N(0, σ 2 n ), and all are independent. q 1/2 xy is a scaling coefficient involving both the amplification factor at transmitter sides and propagation path loss, and it is used to set required S N R at receiver sides. Here the E |H 1 U + G 1 V| 2 is normalized to be unity. The RDA cannot separate the two signals transmitted by Alice and Bob because both signals are at the same frequency, and are occurring at the same time, and none of H 1 , G 1 , U, and V are known.
At the same time Alice transmits a publicly known training sequence X at a different frequency f 2 ( f 2 = f 1 ). The received signal at the RDA element at frequency f 2 is q At the Bob the detected signal S b at frequency f 3 can be written as Similarly G 3 is normalized to be E[|G 3 | 2 ] = 1. Since X is publicly known to every node in the system, Bob is able to obtain the waveform observation K b , which in the frequency domain for the purpose of secret key extraction is shown in (8).

TS2)
In time slot 2, U and V transmitted by Alice and Bob at frequency f 1 are still present, which generates W a at the RDA node, seen in (9).
In this time slot Bob transmits the same known X at frequency f 3 , which, after being weighted with W * a , is re-transmitted by the RDA at frequency f 2 . When the known X is equalized, the waveform K a shown in (10) can be acquired by Alice.
From the first term of the obtained K a in (10) at Alice node and the first term of the obtained K b in (8) at Bob node, a common secret key can be generated and shared. The noise terms, i.e., the last two terms in both (8) and (10), reduce the correlation coefficients between K a and K b , and hence limit the achievable secret key rates of the proposed system. These aspects are investigated in Section IV. It is worth pointing out that even within one channel coherence time period, i.e., H 1 , G 1 , H 2 , and G 3 remain unchanged (here channel reciprocity is assumed), the equivalent common channel observation H 2 W * {a,b} G 3 still varies, and for different key generation rounds they are uncorrelated. This is achieved by randomly choosing U i and V i , which are unknown to any of the nodes in the system, in each key generation round. In other words, many key generation rounds can be performed within one channel coherence time period, leading to a greatly increased KGR.
When compared with the conventional digital transceivers used in previous relay key generation systems, the analogue phase-locked-loop (PLL) phase conjugators [47] remove the needs of analogue-to-digital converters, digital-to-analogue converters, and digital processing units, and for appropriate frequency chosen, down-conversion and up-conversion modules can also be eliminated. In this sense, the proposed RDA relay system has lower cost. The system implementation is under way with the PLL chipset ADF4360-1 chosen. The experimental setup and measured results are planned to be reported separately.

B. Eavesdropping Strategies
In this subsection, the effects of some eavesdropping strategies that can be adopted by a malicious node, named as Eve, are investigated.
Following the same assumptions in most physical layer key generation schemes in wireless networks [13], [16], [35], we assume that: • Eve knows the key generation procedures described in the previous subsection; • Every nodes in the system, including Eve, know the training sequence X. The case of X being obtained by actual wireless transmission is investigated in Section V. The above is actually the worst scenario with regard to the secure wireless transmission.
In this paper, we investigate three worst-case eavesdropping strategies: a) Eve is able to obtain the 'clean' signals that are transmitted by one of the legitimate nodes. Here the 'clean' simply means no multipath and no channel noise. In this case the channel coefficient between one of the legitimate nodes and Eve is set to 1; b) It is assumed that Eve's antenna is able to be placed close enough to one of the legitimate nodes, which leads to correlated legitimate and eavesdropping channels; c) The combination of the cases a) and b), i.e., Eve is able to obtain 'clean' signals transmitted by each legitimate node and Eve is able to create correlated legitimate and eavesdropping channels.
It is obvious to conclude that the strategy c) is equivalent to the case of multiple Eves that are able to collude, which is not commonly studied in previous key generation work. We investigate the secret key rate R R D A s [9], [53], expressed in (11), for different eavesdropping strategies in our proposed RDA key generation system. 'I (·; ·)' denotes mutual information. Here we assume Eve attempts to estimate the generated waveform K a (K b ) at Alice (Bob) node. The estimation is denoted as K e . Only real parts of associated waveforms, i.e., Re(K a ), Re(K b ), and Re(K e ), are considered in order to facilitate comparison with previous related works [35].
a) Eve observes one of the legitimate nodes.
• Eve intercepts the signals radiated by Alice.
Alice radiates signals at frequencies f 1 and f 2 . If Eve has ability to intercept at both frequencies, she can obtain U and the publicly known X. • Eve intercepts the signals radiated by Bob.
Bob radiates signals at frequencies f 1 and f 3 . If Eve has ability to intercept at both frequencies, she can obtain V and the publicly known X. • Eve intercepts the signals radiated by the RDA.
In TS1 RDA radiates signals at frequency f 3 . The noiseless observation, after X being divided, is (12) Similarly, in TS2 RDA radiates signals at frequency f 2 . The noiseless observation, after X being divided, is (13) When comparing K TS{1,2} e and K {a,b} , it can be concluded that Eve has three choices to estimate legitimate waveforms. They are K TS1 e , K TS2 e , and K TS1 e K TS2 e . It is obvious that Eve can acquire more information for better estimation of the K {a,b} through observing the signals transmitted by the RDA, compared with the amount of information obtained through intercepting Alice (Bob)'s signal radiation. b) Eve's antenna is placed close enough to one of the legitimate nodes.
• Eve's antenna is placed close to Alice.
In this case the eavesdropping channel between Eve and the RDA is correlated to the legitimate channel between Alice and the RDA. Since the RDA radiates signals at frequencies f 2 and f 3 in two different time slots, two pairs of correlating channels are created. One pair of correlating channels at frequency f 3 are denoted as P 3 and H 3 , respectively, for eavesdropping and legitimate channels. However, since the legitimate channel H 3 is not utilized in key generation process, see (8) and (10), this channel pair does not help Eve in terms of interception. The other eavesdropping channel at frequency f 2 , denoted as P 2 , is correlated to H 2 through the correlation coefficient ρ R D A ae expressed in (14).
Eve cannot estimate P 2 , and hence H 2 , since q radiated by the RDA in TS2 is unknown to any nodes in the system. Fortunately, from Eve's point of view, she does not need to know H 2 . It is better for her to estimate K a as a whole directly. The obtained waveform, K ae e , used for estimation can be written as where channel noise N ae 2e at the Eve node is assumed to have the same distribution as N 2a .
• Eve's antenna is placed close to Bob.
Similar to the case discussed above, an eavesdropping channel, denoted as Q 3 , is created at frequency f 3 , and it is correlated to the legitimate channel (14) with P 2 and H 2 being replaced with Q 3 and G 3 , respectively. The corresponding waveforms, K be e , used for estimation at Eve node can be expressed in where channel noise N be 3e at the Eve node is assumed to have the same distribution as N 3b . • Eve's antenna is placed close to the RDA.
In this case Eve is able to obtain an estimation of H 2 and G 3 , since Alice and Bob project X at frequency f 2 and f 3 , respectively. It is noted that although Alice and Bob transmit U and V at frequency f 1 , the corresponding channels, H 1 and G 1 , cannot be estimated by Eve. This is because U and V are transmitted at the same frequency at the same time and they are unknown to any of the nodes in the system. The leakage of parts of H 2 and G 3 helps little to Eve in terms of interception, compared with the strategies of placing the antenna close to Alice or Bob discussed above. c) Multiple Eves that are able to collude.
It is obvious that this case of multiple colluding Eves includes the scenarios a) and b) discussed above. As a consequence, the secrecy performance in this case is upper bounded by those obtained under the scenarios a) and b). In this subsection, we investigate a straightforward strategy that can be adopted by colluding Eves, i.e., collaboratively estimate each factor within q where the noise N re 2e is assumed to have the same distribution as N 2b .
Similarly the best estimation can be obtained in TS2 by an Eve whose antenna is placed close to the RDA. In this case a pair of correlating channels J 3 and G 3 with correlation coefficient ρ R D A e3 is created. J 3 is the channel coefficient between Bob and the Eve that is close to the RDA. The estimation of of q 1/2 3b G 3 can be formulated as where the noise N re 3e is assumed to have the same distribution as N 3a .
W b is shown in (6). U and V can be observed directly because under this colluding eavesdropping strategy we assume that Eve can obtain noiseless copies of signals transmitted by every legitimate nodes. However, Eve cannot separately estimate H 1 and G 1 since H 1 U and G 1 V are radiated at the same frequency f 1 and are occurring at the same time. As a consequence, Eve can only obtain the estimated where the noise term N 1e is assumed to have the same distribution as N 1b in (6). J H 1 (J G1 ) is the channel coefficient at the frequency f 1 between Alice (Bob) and the Eve whose antenna is placed close to the RDA.
With the colluding capability, multiple Eves are able to use (17), (18), and (19) to construct estimated K col e , When comparing (20) with (16), it can be seen that K col e contains less information about the genuine waveform, i.e., Here J 3 and Q 3 defined early in this section are not the same, but they are equivalent. While the three noise terms in (20) are greater than the two noise terms in (16). As a consequence, we can conclude that separately estimating each factors within the waveforms shared among legitimate nodes by colluding Eves does not help eavesdropping when compared with the case b). From the above discussions in this subsection, it can be concluded that the best strategies that Eve can adopt are directly intercepting signals radiated by the RDA, or placing Eve's antenna close enough to Alice or Bob in order to create correlated channel pairs, i.e., P 2 and H 2 , and Q 3 and G 3 , to estimate K a or K b directly, see illustrations in Fig. 2.

IV. SECRECY PERFORMANCE EVALUATION
In this section the secrecy performance of the proposed RDA assisted key generation system is evaluated, and compared with non-relay and previous relay systems.
The non-relay system, acting as a bench mark, comprises only Alice and Bob, between which the reciprocal Rayleigh channel is denoted as H nr . The previous relay key generation systems used for comparison are schemes described in [35]. Apart from the secret key rates expressed in (11), the correlation coefficients between obtained waveforms at Alice and Bob used for secret key extraction in different systems are also simulated and provided since these parameters are useful for practical system design. For example, quantization levels and signal pre-processing algorithms are determined by the correlation coefficients between waveform observations at Alice and Bob. The operation frequencies of the RDA for all the results presented in this section are configured to be

A. Comparison With Non-Relay Key Generation System
In the non-relay key generation system, the waveforms acquired at Alice and Bob can be expressed as in (21) The noise terms N nr a and N nr b are independent and follow C N 0, σ 2 nr . The scaling factor q 1/2 nr is utilized to set the required S N R nr .
S N R nr = q nr σ 2 nr (23) Fig. 3. Calculated correlation coefficients between observed waveforms at Alice and Bob used for secret key extraction in non-relay and proposed RDA assisted key generation systems.
In Fig. 3 the correlation coefficient ρ nr K a K b , which is calculated by replacing P 2 and H 2 with K nr a and K nr b , respectively, in (14), is depicted as a function of S N R. Here S N R equals S N R nr in (23). In simulations conducted in this paper the key generation round is repeated 4 × 10 6 .
When bringing the proposed RDA assisted key generation system under consideration, the system S N R needs to be defined separately since more wireless communication links exist in the system. Only signal transmissions in TS1 are investigated. S N Rs in TS2 can be defined in a similar way.
It is assumed that q 1a = q 1b . • The S N R of the received signals q 1/2 2b H 2 X at the RDA node at frequency f 2 is denoted as It is assumed that q 2a = q 2b . • The power ratio of the received signal q It is assumed that q 3a = q 3b .
Here it needs to be pointed out that the S N R R D A 3 is greater than the S N R within the waveform K b in (8) in terms of secret key extraction, since the noise introduced at frequencies f 1 and f 2 , i.e., N 1b and N 2b , are not involved in the definition of S N R R D A 3 .
The correlation coefficients ρ R D A K a K b between the observed K a and K b in the proposed RDA assisted key generation systems are calculated for various S N R R D A x (x = 1, 2, 3) scenarios, and are also depicted in Fig. 3. As expected, along with more key generation procedures, more noise is introduced into the waveforms shared between Alice and Bob, leading to reduced key correlation coefficients compared with that in the nonrelay key generation system. However, a) as can be seen in Fig. 3, the performance degradation can be traded by configuring S N R R D A x through different key generation procedures; b) multiple key generation rounds can be conducted within a single channel coherence time period, since U i and V i can be randomly generated, leading to a greatly enhanced KGR. In order to facilitate discussion only the case of S N R R D A {1,2,3} = S N R R D A is investigated in the rest of the simulations in this paper.
The secret key rates in the non-relay key generation system, R nr s , when considering Eve's antenna being placed close to Alice or Bob, can be calculated using (11) by replacing K {a,b,e} with their corresponding K nr {a,b,e} . K nr e is the waveform obtained at Eve node used for secret key estimation in the nonrelay key generation system. The term I Re(K nr a ); Re(K nr b ) can be computed directly with the closed-form formula in (27), [54].  (27).
The calculated secret key rates R nr s in the non-relay key generation systems with different ρ nr {a,b}e are depicted as a function of S N R nr in Fig. 4(a). ρ nr {a,b}e is the correlation coefficient between H nr and the eavesdropping channels. Thus it is different to ρ nr K {a,b} K e , which can be computed from ρ nr {a,b}e by using (28). The 'channel use' in Fig. 4 It should be noted that the closed-form formula in (27) is only applicable when the statistical distributions of observed waveforms are Gaussian, which does not necessarily hold in most other key generation systems, including the previous relay and our proposed RDA assisted key generation systems. Thus the results estimated using a mutual information calculation method that is based on k-nearest neighbor (knn) distances [55] are also presented and are shown good agreement with the closed-form results, seen in Fig. 4(a). For system simulation results presented later in this paper, this knn distances method is adopted.
The secret key rates R R D A s in the proposed RDA assisted key generation systems are also calculated and shown in Fig. 4(b) for the same eavesdropping scenarios, i.e., Eve's antenna is placed close to Alice or Bob. Different from the non-relay case shown in Fig. 4(a), the RDA assisted key generation system is more susceptible in this eavesdropping scenario. It is also noticed that even when ρ R D A {a,b}e = 0, there is still an amount of information about the observed waveforms at the legitimate nodes leaked (The curve for ρ R D A {a,b}e = 0 is below the curve for the upper bound I (K a ; K b ) ). This is due to the fact that the legitimate waveforms and intercepted waveforms take forms of H 2 W * {a,b} G 3 and P 2 W * a G 3 (or H 2 W * b Q 3 ). They are not independent even if H 2 (G 3 ) and P 2 (Q 3 ) are independent.
In Section VI, we will show that when equipping multiple antennas at the RDA node, the wireless transmission gains from the RDA towards the legitimate nodes, Alice or Bob, can be greater than those gains towards Eve, increasing R R D A s under the same ρ R D A {a,b}e scenarios.

B. Comparison With Previous Relay Key Generation Systems in [35]
There have been a number of key generation methods reported, such as multi-antenna [24], multi-carrier [28], random beamforming [31], and relay based schemes [35]. The proposed RDA assisted key generation scheme in this paper is not a replacement of the multi-antenna, multi-carrier, and random beamforming schemes. In fact all of these techniques can be combined to lead to a further enhanced KGR. The combination can be straight-forward. Thus in our view it is not meaningful to compare the proposed RDA key generation system with these three types of schemes. However, since the proposed RDA key generation system is a relay-based scheme, the comparison with previous relay key generation systems is necessary, in order to claim the better performance that can be achieved in the proposed RDA key generation system. There have been several relay key generation systems reported, such as [17] and [33]- [37]. Among all previous reported relay key generation systems, we reckon that [35] investigated the most general relay key generation schemes, which, as a consequence, is selected to compare with the proposed RDA key generation system in this paper.
In [35] four relay key generation schemes were presented, which are classified by the authors as amplifyand-forward (AF), signal-combining amplify-and-forward (SC-AF), multiple-access amplify-and-forward (MA-AF), and amplify-and-forward with artificial noise (AF-AN). The AF scheme, as the authors pointed out, is not secure when the relay is monitored by Eve. The AF-AN scheme relies on the design of the artificial noise that is projected by the relay node towards Eve, but not Alice and Bob. For the architecture proposed in this paper, the generation of artificial noise using RDA for the benefit of wireless key generations will be presented separately in the future. Compared with the SC-AF, the MA-AF reduces the number of required time slots for a single key generation round from four to three at the cost of requirement for synchronization between Alice and Bob. The secret key rates in the SC-AF and MA-AF systems are almost identical when the unit 'bit/channel use' is adopted. They are both denoted as R r s in this paper. In order to facilitate discussion in this paper, the waveforms acquired at Alice and Bob used for key generation purpose in the SC-AF scheme are presented in (29) and (30).
H r (G r ) refers to the Rayleigh wireless channel between Alice (Bob) and the relay. They are independent, and are normalized to be E |H r | 2 = E |G r | 2 = 1. It is assumed that all of the noise terms N r {a,b}{1,2,3} are independent and follow C N(0, σ 2 r ). The S N Rs of signal transmissions in each step in the SC-AF key generation process are set to be identical, denoted as S N R r = q r1 /σ 2 r . In Fig. 5 the calculated correlation coefficients ρ r K a K b between K r a and K r b in SC-AF and MA-AF schemes are presented and compared with its counterpart in the RDA assisted key generation systems. Clearly, it can be concluded that more noise involved in the SC-AF (MA-AF) key generation systems, seen in (29) and (30), reduces the achieved ρ r K a K b significantly, when the channel S N Rs are identical. The reduced ρ r K a K b results in lower secret key rates R r s that are depicted in Fig. 4(c). The R r s is defined the same as R R D A s in (11) with K {a,b,e} being replaced with their counterparts K r {a,b,e} . Here K r e , used for R r s calculation in Fig. 4(c), is the detected waveform by Eve which is placed close to Alice or Bob. In this case, a pair of legitimate and eavesdropping channels with correlation coefficient ρ r {a,b}e is created. The noise terms q (29) and (30), on the other hand, reduce the amount of leaked information when Eve's antenna is placed close to Alice or Bob.
When Eve has the capability to intercept signals radiated by the relay node, the secret key rates, R R D A s and R r s are obtained and compared in Fig. 6. During the calculation it is found that in the RDA key generation system, using K TS1 e K TS2 e as K {a,b} estimation at Eve node is always better than using individual K TS{1,2} e . For R r s calculation in the SC-AF and MA-AF systems the waveforms used for secret key estimation at Eve node are designed as as adopted in [35]. In order to facilitate comparison with the proposed RDA key generation scheme, the same eavesdropping strategy of colluding Eves for SC-AF and MA-AF is now investigated, which were not studied in [35]. From (29) and (30) it can be seen that the common waveform that is used for key extraction at Alice and Bob nodes is 1 Hence, with the colluding capability different Eves can separately estimate H r and G r , respectively, and then combine them to construct K r_col e , see (32), (33), and (34).
Here two pairs of correlating channels H r (or G r ) and P r (or Q r ) with correlation coefficient ρ r HP (ρ r GQ ) are created. P r (Q r ) is the channel coefficient between the relay and the Eve whose antenna is placed close to Alice (Bob) in time slot 1 in both SC-AF and MA-AF schemes, see [35, Fig. 2]. The noise terms N r e{1,2} are independent, and are assumed to follow the same distribution as N r {a,b}1 , i.e., N r e{1,2} ∼ C N(0, σ 2 r ). Similarly, S N R r_col is defined as q r1 /σ 2 r . In Fig. 4(d) the calculated system secret rates R r_col s are presented for various ρ r_col , here ρ r_col = ρ r HP = ρ r GQ . Compared with those in Fig.4(c), it can be seen that only when the legitimate channels and eavesdropping channels are highly correlated, collaboratively estimating each factor within the shared waveforms between Alice and Bob in SC-AF (MA-AF) scheme helps interception of secret keys.
From Figs. 4(b), 4(c), 4(d), and 6 it can be concluded that the proposed RDA assisted key generation system outperforms, with regard to secrecy performance, both the previous SC-AF and MA-AF relay key generation systems in [35]. Table I summarizes the characteristics of the non-relay, the SC-AF, the MA-AF, and the proposed RDA assisted wireless key generation systems. From Fig. 4(b) it can seen that the proposed RDA assisted wireless key generation system is relatively sensitive to the eavesdropping when Eve's antenna is placed close to Alice or Bob. This vulnerability can be alleviated by exploiting more antenna elements in the RDA which is investigated in Section VI.

V. IMPACT OF IMPERFECT TRAINING SEQUENCE ON SYSTEM PERFORMANCE
When the training sequence X is not perfectly shared among all nodes in advance, it has to be distributed via actual wireless transmissions during the key generation process. In this section the impact of this wireless distributed and recovered X on the system performance is investigated.
In TS1 Alice transmits training X at frequency f 2 , which can be detected by Bob aŝ where H ab is the wireless channel between Alice and Bob at frequency f 2 , and N ab 2b is the independent AWGN ∼ C N(0, σ 2 b ). In the meantime, when the Eve antenna is placed close to Bob, an estimation of X can be obtained by Eve aŝ Here H ae and N ae 2e are defined the same as H ab and N ab 2b , but they are associated with Eve instead. N ae 2e ∼ C N(0, σ 2 e ), and it is assumed that σ e = σ b .
Similarly in TS2, Bob transmits training Z at frequency f 3 , which can be recovered at Alice and Eve positioned close to Alice, respectively. The training sequence Z used by Bob is different to the X used by Alice. The estimations of Z at Alice and Eve nodes are denoted in G ba (or G be ) is the wireless channel coefficient between Bob and Alice (or Eve positioned close to Alice) at frequency f 3 . The noise terms N ba 3a and N be 3e are assumed to have the same distribution with N ab 2b and N ae 2e . Since it is assumed that Eve is placed either close to Bob in TS1 or close to Alice in TS2, it is reasonable to set the magnitudes of legitimate and eavesdropping channel pair to be identical, i.e., E |H ab | 2 = E |H ae | 2 and E |G ba | 2 = E |G be | 2 . Under these conditions, the S N Rs in the training stage can be defined in (39) and (40).
With the imperfectly recovered training sequences, the waveform observations obtained by Bob and Alice for secret key extractions in (8) and (10), respectively, are thus contaminated, and they are expressed in (41) and (42).
Similarly the intercepted waveforms by Eves that are placed close to Bob or Alice can be written as and The coefficients k 1 and k 2 are added for power normalization and they equal to q 2b E |H a{b,e} | 2 and q 3a E |G b{a,e} | 2 , respectively. Using (41), (42), (43), and (44), the secret key rates in the proposed RDA assisted key generation system were calculated for the case when Eve's antenna is placed close to Alice or Bob (ρ R D A {a,b}e = 0.5) and imperfect training sequence recovery is assumed. The results are illustrated in Fig. 7. As can be expected, the higher quality of the wireless channel for training sequence transmission, i.e., higher S N R t 1 and S N R t 2 , makes the secrecy performance of the system converge to that of the system with perfectly shared training sequence. It is also worth mentioning that an S N R t of only 15 dB is sufficient to maintain the performance advantage over that can be achieved in the previous relay key generation systems even with the assumption of perfect training sequence recovery, see Fig. 4(c) for comparison.

VI. MULTI-ANTENNA RDA ASSISTED KEY GENERATION
In this section the benefit of using multiple RDA antenna elements in the proposed key generation architecture is investigated. We do not exploit multiple wireless propagation channels between Alice (or Bob) and each antenna in the RDA to extract more secret keys in one key generation round. This is because in order to separate multiple propagation channels more time slots are required and the RDA has to know time slot assignment. And more importantly, when using 'bit/time slot' as the unit the achievable secret key rates do not increase with the number M of the antenna elements in the RDA. Instead we investigate the beamforming gains that multiple RDA antenna elements can bring for the improvement of the system secrecy performance under the scenario that Eve's antenna is placed close to Alice or Bob.
The response of a multipath wireless channel is a function of both frequency and time. As we discussed in Section II, when compared with the channel coherence time T c in a typical in-door multipath environment which is normally in the order of tens to hundreds of ms, the RDA operation, i.e., signal reception, phase conjugation, and re-transmission, occurs within hundreds of μs, and thus it can be regarded as 'real-time', i.e., the channel response is constant with respect to time during RDA operation. As a consequence only the frequency configuration of an RDA is investigated. In order to enable RDA phase conjugation operation a pilot signal, e.g., U and V used in the proposed scheme, normally needs to be constantly present. For the purpose of increasing isolation between the received pilot signal and the re-transmitted signal, frequency-division duplexing for signal reception and signal re-transmission is commonly adopted [38], [46].
In the proposed key generation architecture in this paper, the RDA node receives the pilot signals at frequency f 1 and re-transmits signals at frequency f 3 in TS1 and at frequency f 2 in TS2. As we discussed in Section II.B in a multipath environment when the phase conjugation frequency is different from the signal re-transmission frequency, (5) does not hold. This means re-transmitted common signals by each RDA antenna cannot be combined in-phase at the location where the pilot signal is originated, resulting in reduced beamforming gains, compared with ideal beamforming gains. In following discussions only the transmission from the RDA to Bob in TS1 is considered. In this case the relative beamforming gain G b in dB, experienced at Bob node, is defined as Here the ideal beamforming gain corresponds to the link gain between the RDA and Bob when the frequencies for pilot reception and signal re-transmission are identical, i.e., f 1 = f 3 , so that G 3 becomes G 1 . All of the vectors in (45) have M elements with the m th entry representing the channel coefficients between Alice or Bob and the m th RDA antenna element at the corresponding frequencies.
In order to facilitate discussion in this section it is assumed that the signal magnitudes radiated by each RDA antenna element are identical and channels between each RDA antenna and Bob are independent Rayleigh fading. The amount of the loss of beamforming gains is determined by the level of similarity between the channel involved in phase conjugation process, i.e., G 1 , and the channel used for signal re-transmissions, i.e., G 3 . The level of similarity, quantified as channel correlation coefficients r f b , is a function of their frequency separation f = f 3 − f 1 and channel frequency characteristics described with parameter σ τ . r f b is calculated using (3) with H( f, t) and H( f + f, t + t) being replaced with G 1 and G 3 , respectively. In Fig. 8 the simulated relative RDA re-transmission beamforming gains, G b are illustrated for a range of frequency separations f , and also for different numbers M of RDA antenna elements. Multipath channels with σ τ of 20 ns, 50 ns, and 100 ns are considered. Values of delay spread other than 20 ns, 50 ns, and 100 ns can be equivalently adopted. The results shown in Fig. 8 are averaged over 2000 time instants that are separated far beyond the channel coherence time T c . As expected for a fixed RDA element M, greater frequency spacing f and RMS delay spread σ τ lead to lower relative retransmission beamforming gain. This is because in these cases the propagation channels G 1 and G 3 , at signal reception and re-transmission frequencies respectively, are less correlated. Similarly, when the channel and frequency spacing are fixed, i.e., σ τ and f are fixed, greater numbers of RDA elements result in lower relative RDA re-transmission beamforming gain. This can be explained that more array antenna elements generate radiation beam patterns with narrower main beams which are more susceptible to the dissimilarity between the wireless channels at frequencies f 1 and f 3 , i.e., G 1 and G 3 .
Since the channel correlation coefficient r f b between G 1 and G 3 is a function of both σ τ and f , the curves in Fig. 8 can be simplified by plotting relative RDA beamforming gains G b against r f b , shown in Fig. 9. r f b = 1 means that either the RDAs receive and re-transmit at the same frequency, i.e. f = 0, or the wireless channels are flat-fading, i.e., L = 1. We deliberately write the axis units in Fig. 9 as r f and G, instead of r f b and G b . This is because the Fig. 9 can also be applicable to r f e and G e , when Eve's antenna is placed close to Bob. r f e is the channel correlation coefficient between G 1 and the eavesdropping channel Q 3 . It is noted that G 1 and G 3 is correlated with coefficient r f b , and G 3 and Q 3  is correlated with coefficient ρ R D A be . G e is defined similarly as in (45) with G 3 being replaced with Q 3 .
Two examples of achieved relative RDA beamforming gains toward Bob and Eve, i.e., G b and G e , together with associated r f b and r f e are provided in Table II and  Table III. The difference of G b and G e corresponds to the difference of received S N Rs at Bob and Eve nodes when the added channel noise N 3b at Bob and N be 3e at Eve have the same distribution. It is this gain difference G b − G e that determines the amount of improvement of secrecy performance when multiple antennas at RDA node are employed. For better illustration the gain differences G b − G e are plotted for various σ τ , f , ρ R D A be , and M in Fig. 10. As can be concluded, the smaller values of σ τ , f , and ρ R D A be , and the greater number M lead to larger gain differences G b − G e . Intuitively, when σ τ and/or f → ∞, the frequencies of receive and re-transmission at RDA node are  separated far beyond the coherence bandwidth, resulting in no beamforming gain towards the legitimate keying nodes in the multi-antenna RDA scenario. The gain differences, namely, the differences of S N Rs at Bob and Eve nodes, make the proposed RDA assisted key generation systems less vulnerable under the eavesdropping strategy of placing Eve's antenna close to Alice or Bob, especially for small ρ R D A {a,b}e . Fig. 11 gives an example of the simulated R R D A s for different ρ R D A be . In this example it is assumed that σ τ = 50 ns, f = 2 MHz, and M = 9. Compared with R R D A s shown in Fig. 4(b), it can be seen that more RDA antenna elements help reduce the chance of being intercepted by the Eve positioned around Alice or Bob. In addition greater beamforming gains enabled by adopting more RDA antennas reduce the transmitted power by the RDA under the same system S N R requirement.

VII. CONCLUSION
A new type of wireless key generation system architecture, using an RDA as a relay node, was proposed and analyzed in this paper. By configuring analogue RDAs receive and re-transmit at different frequencies, the number of time slots required for each key generation round was reduced to two. Furthermore, the equivalent reciprocal wireless channels between legitimate keying nodes can be controlled, by Alice and Bob, to be 'fast fading', which is able to increase KGRs significantly. Also distinct from the previous relay based key generation systems, the RDAs employed do not need to have additional digital computational capability, and do not need to acquire knowledge about system parameters, such as time slots assignment and training sequences, which makes this architecture more flexible in terms of adding more legitimate keying nodes and/or more RDA relay nodes. Through simulations it was shown that the proposed RDA assisted key generation systems have better secrecy performance than that in the previous relay key generation systems, under various eavesdropping strategies.