Physical Layer Key Generation for Secure Power Line Communications

Leakage of information in power line communication networks is a threat to privacy and security both in smart grids and in-home applications. A way to enhance security is to encode the transmitted information with a secret key. Relying on the channel properties, it is possible to generate a common key at the two communication ends without transmitting it through the broadcast channel. Since the key is generated locally, it is intrinsically secure from a possible eavesdropper. Most of the existing physical layer key generation techniques have been developed for symmetric channels. However, the power line channel is in general not symmetric, but just reciprocal. Therefore, in this paper, we propose two novel methods that exploit the reciprocity of the power line channel to generate common information at the two intended users. This information is processed through different quantization techniques to generate secret keys. To assess the security of the generated keys, we analyze the spatial correlation of the power line channels and verify the low correlation of the possible eavesdropping channels. The two proposed methods are tested on a measurement dataset. The results show that the information leaked to possible eavesdroppers has very low correlation to any secret key.


I. INTRODUCTION
Information in networks where the communication medium is shared is always at risk, since both authorized and illegitimate users are given physical access to the network. Malicious users therefore have a chance to jeopardize the privacy of other users or, conversely, to send false information throughout the network. Typical examples of networks where such risk is particularly threatening are wireless networks and power line networks (PLNs).
In such physical broadcast (PB) networks, unlike classical computer networks, a malicious user can perform attacks on all the layers of the ISO/OSI model, including the MAC and physical layers [1]. In particular, the physical layer (PHY) plays an important role both in planning attacks on the network and in defensive strategies. In fact, since the physical medium is shared, every input into the network has an effect on the system outputs. If the network system can be modeled, then its properties can be used with either malicious or aiding intent.
The wireless community has extensively relied on the properties of the physical channel to pursue research and identify methods for information security. From an information theoretic point of view, it is possible to guarantee secure transmission when the intended communication channel has higher capacity than the eavesdropper one, by transmitting information at a sufficiently high rate [2]. However, some eavesdropper channels might have higher capacity than the intended one. For this reason, different techniques to enhance security have been conceived in the communication theory area, which include secret key generation, prefiltering and coding techniques [3], [2], [4]. These techniques rely on different properties of the wireless communication channels to restrict the information leakage to any possible unauthorized receiver. Such properties include the channel randomness both in time and in frequency domain and, especially in time-division duplexing systems, its symmetry. In fact, if the channel between two users is symmetric, the randomness of the channel is common to the two users, i.e. they have access to the same information. This property is particularly useful for the secret key generation techniques. The key generation process includes the common information, which is unknown to a possible eavesdropper, thus drastically enhancing the security of the produced key.
Federico Passerini and Andrea M. Tonello are with the Embedded Communication Systems Group, University of Klagenfurt, Klagenfurt, Austria, e-mail: {federico.passerini, andrea.tonello}@aau.at.
On the other side, in the context of power line transmission and distribution networks, attacks and defensive strategies are normally based on system theory. In this case, the network is modeled as a dynamic system that describes the power flow. Attacks of different kinds aim at altering the perception of the state of the network, which in turn might lead to a network failure [5]. In any case, informative signals need to circulate through the network, therefore a resilient communication architecture would enhance the PLN security. However, to our knowledge there is very limited literature about physical-layer secure communications in PLNs, and it focuses only on information theoretic analysis [6], [7], [8], [9].
In this regard, Power Line Communications (PLC) is a well established communication technology in PLNs [10]. This technology already provides a form of security in the fact that it uses a communication medium, the power line cables, that is owned by the utility and therefore not accessible by everybody. However, an unauthorized user might be able to get physical access to the network, or the utility might not want to share some information with part of the network users. Therefore, additional security measures have to be provided. Since the PLC physical channel has some properties in common with the wireless channel, it makes sense to explore physical-layer security (PLS) techniques developed for wireless in the case of PLC. However, it has been shown that the PLC channel, unlike the wireless one, is rather deterministic, in general not symmetric [11], [12], and moreover has different statistical properties [8].
In this paper, we propose a thorough analysis of the properties of the PLC channel in order to investigate under what conditions PLS techniques, which exploit common information at the two legitimate users, developed for wireless apply also to PLC. However, since the PLC channel is in general non-symmetric, most of the known PLS algorithms cannot be applied to it. In fact, to the authors' knowledge, very limited work exists on PLS in non-symmetric channels [13]. In order to overcome this limit, we make use of the fact that the PLC channel is reciprocal to investigate what channel state information (CSI) is known to two legitimate users independently from each other at any given time. In this context, we propose two new methods to retrieve common CSI. The first method involves the analysis of the multipath signal propagation in reciprocal channels. The second method relies on the exchange of a minimal amount of information between the two ends, which is however insufficient for a possible eavesdropper to decrypt the key. The CSI obtained with the proposed methods can consequently be used to generate cryptographic keys separately at the two communication ends. To this purpose, we process the CSI with various quantization techniques and show the reliability of the generated keys. We also analyze the spatial correlation in PLNs, in order to verify the level of security of the obtained CSI against possible eavesdroppers. Although our investigation focuses on PLN, the proposed CSI retrieval methods are common to every reciprocal network, including any kind of passive wired and wireless network.
The rest of the paper is organized as follows. In Section II, we briefly summarize the existing PLS techniques based on the properties of symmetric channels. In Section III, we analyze in what cases the PLC channel can be considered symmetric. The two algorithms for PLS in reciprocal channels are proposed in Section IV, while extended results are presented in Section V. Conclusions follow in Section VI.

II. CHANNEL-BASED SECURITY APPROACHES IN WIRELESS
Most of the PHY key generation techniques in wireless communications, especially the channel-based ones, rely on the symmetry of the channel [4], i.e. the fact that for every set of currents and voltages at the two communication ends that satisfies a certain system of relations, the set obtained by exchanging the transmitter and the receiver satisfies the same relations. In short, this means that the CSI is identical for both links.
In this paper, we model the transmitter with its Thevenin or Norton equivalent with transmit impedance $Z_T$, and the receiver with its receive impedance $Z_L$. Moreover, we consider the physical channel to be a system accessible at two ports, Port 1 and Port 2, where the transmitter and the receiver are attached (see Fig. 1). The channel transfer functions (CTFs) $H_1$ and $H_2$ defined as in (1) (see Fig. 1 and footnote 1) are equal in symmetric channels. Therefore, when the receiver estimates for example $H_1$ of the forward link, it directly knows also $H_2$ of the reverse link, without need of further communication (see footnote 2). Such property serves as source of common randomness from which the parties can generate secret keys. An eavesdropper normally experiences a physical channel that is independent of that of the legitimate users. Therefore, the generated keys are intrinsically secure. In the following, we name the two legitimate parties Alice (A) and Bob (B) respectively, and we name the eavesdropper Eve (E). We also assume that Eve is a passive attacker, i.e. she just overhears the channel. The basic idea of channel-based key generation approaches is for Alice and Bob to obtain very correlated observations of the channel via channel training, then to apply key generation methods that rely on the correlated observations and public discussion [14]. From an information-theoretic perspective, the key generation procedure can be described as follows:
1) Channel sensing: Alice, Bob and Eve get the observations of length $n$ of the CSI $X^n = [X_1, \cdots, X_n]$, $Y^n = [Y_1, \cdots, Y_n]$, and $Z^n = [Z_1, \cdots, Z_n]$ respectively, where the observations can be performed in time, frequency, space domain or a combination of them.
2) Key reconciliation via public discussion: in order to agree on a secret key, Alice and Bob can communicate through the PB channel and send to each other a deterministic communication sequence as follows. They generate the random variables $U_A$ and $U_B$ respectively, for initialization. Then, they alternately send to each other the two sequences $S_A^k = [S_{A1}, \cdots, S_{Ak}]$ and $S_B^k = [S_{B1}, \cdots, S_{Bk}]$, respectively, where for each step $i$ we have $S_{Ai} = f_{Ai}(U_A, X^n, S_{B(i-1)})$ and $S_{Bi} = f_{Bi}(U_B, Y^n, S_{A(i-1)})$. At the end of the communication step, Alice and Bob determine the respective keys as .
Different protocols have been proposed to implement both the reconciliation procedure, implemented either with cascade or error correcting codes, and the privacy amplification. An extended series of references about this can be found in [14].
By definition [15], a secret key rate $R_K$ is achievable if for every $\varepsilon > 0$ and sufficiently large $n$, there exists a public communication strategy such that where $H(\cdot)$ and $I(\cdot)$ denote the entropy and mutual information operators and K is the key alphabet. Equation (2a) means that $K_A$ and $K_B$ are equal, (2b) ensures that no information is leaked to Eve and (2d) indicates that the generated key is uniformly distributed. It is clear from (2) that the possibility of generating at least one ($R_K > 1$) or multiple keys is based on three characteristics of the PB medium: the temporal variation (i.e. the randomness) and the correlation of the CSI between Alice and Bob, and the spatial decorrelation of Eve. These three characteristics are fulfilled in many wireless scenarios, where the channel varies frequently, it is symmetric and the users typically experience uncorrelated multipath fading. This practically means, respectively, that $n$ (considering observations in time) is low, $X^n$ and $Y^n$ are very correlated, which guarantees a fast convergence for the condition (2a), and they are both uncorrelated with $Z^n$, which guarantees the convergence of (2b).
Footnote 1: We remark that (1) and the rest of the equations presented in this paper are functions of the frequency. This dependency is omitted in the notation for simplicity.
Footnote 2: The wireless literature often refers to this property as due to the reciprocity of the channel. This is technically incorrect, because in reciprocal networks the CTF is not necessarily the same in the two directions. Although the wireless channel is indeed reciprocal, it is also in most of the cases symmetric, as we will explain in Section IV.
In the following, we analyze how the characteristics of the power line medium can be used to retrieve highly correlated CSI between Alice and Bob. Moreover, we discuss the physical constraints that limit the achievable $R_K$ in PLN. Considering the system model introduced in Fig. 1, we assume Alice to be branched at Port 1 and Bob or Eve to be branched at Port 2, depending on which CTF is of interest.

III. SYMMETRIES OF THE POWER LINE CHANNEL
In this section, we present under which conditions the power line channel is symmetric. Under these conditions, the existing PLS techniques developed for wireless can be similarly applied to PLNs.
It has been shown in [11] that the power line channel is symmetric if the impedance $Z_T$ at the transmission side is equal to the load impedance $Z_L$ (see Fig. 1). Similarly, this condition applies to the wireless channel and to any other kind of passive network. However, while in wireless systems both $Z_T$ and $Z_L$ are set to the same value (usually 50 Ω) to maximize the power transmitted and received, the situation is different in PLC.
In classical half-duplex PLC systems, maximum communication rate is obtained by maximizing the transferred voltage, or more in general the SNR at the receiver [16]. Therefore, PLMs are usually equipped with $Z_T$ ∼ 1 Ω, $Z_L$ ∼ 10 kΩ and a switch that selects the correct impedance based on the link status [17]. This renders the channel highly non-symmetric. On the other hand, in the recently proposed in-band full duplex PLC technology, some front-end transceiver architectures use the same equivalent impedance both for transmission and reception chains [18]. Therefore, if the two communication ends are equipped with modems that use an equivalent impedance with the same value, the channel is symmetric.
A third communication architecture, which has not yet been proposed in the context of PLC, can be considered. It relies on the fact that the PLC channel is reciprocal [12] to get symmetric CSI. In fact, in any reciprocal two-port network the following holds true [19]:
• When the current $I_g$ is applied to any of the two ports, the open circuit voltage measured at the other port is the same. Referring to Fig. 2a, this means that the ratio $Z_{21} = V_2/I_{1g}$ is equal to the ratio $Z_{12} = V_1/I_{2g}$ obtained when the two ports are inverted, under the condition $Z_T = Z_L = \infty$.
• When the voltage $V_g$ is applied to any of the two ports, the short circuit current measured at the other port is the same. Referring to Fig. 2b, this means that the ratio $Y_{21} = I_2/V_{1g}$ is equal to the ratio $Y_{12} = I_1/V_{2g}$ obtained when the two ports are inverted, under the condition that
Therefore, it is possible to obtain symmetric transmission of signals considering the trans-impedance $Z$ or the trans-admittance $Y$ of the network instead of the classical voltage transfer function (see Fig. 2). However, the values of the transmit and receive impedances under which this property strictly holds are ideal and far from the common values of $Z_T$ and $Z_L$.
We now consider less ideal conditions, taking the trans-impedance case as an example. We name $Z_{12}$ the one obtained from transmission from Port 2 to Port 1 and $Z_{21}$ the opposite one. We also fix $Z_L$ to 10 kΩ, as usual in PLM receivers, and modify the value of $Z_T$. Fig. 3, which is obtained from a dataset as discussed in Section V, shows that for low values of $Z_T$ the trans-impedance is highly asymmetric. The symmetry increases with the value of $Z_T$, and when $Z_T$ reaches 10 kΩ, the trans-impedance is essentially symmetric. This condition would be practically implementable in power line modems, by driving the line with a current instead of a voltage [20] and using a classical voltage receiver. Even though not shown, a similar result is obtained in the trans-admittance case when $Z_T$ and $Z_L$ are close to or less than 1 Ω. Implementing this solution in power line modems would imply sending a voltage signal using a classical transmitter and receiving a current signal over a very small impedance.
When $Z_T$ and $Z_L$ have values that are far from ideality, the following method can be used to obtain symmetric CSI at the two communication ends. Referring to the trans-impedance case, we point out that if a circuit is adopted to measure the PLN input impedance $Z_{in\,k}$ at the Port $k$ that is defined as then, relying on the voltage and current divider equations, we can write for the transmission from Port 1 and Port 2 respectively. $I_i$ is the actual current entering the network and $V_{oc}$ is the open circuit voltage at the receiver. These two new quantities are the equivalent of the injected current and received voltage if the transmit and receive impedance were infinite. Similarly, in the trans-admittance case we have where $V_i$ and $I_{cc}$ are the equivalent of the injected current and received voltage if the transmit and receive impedance were zero. This means that (4), (5), (6) and (7) allow us to reproduce the conditions for symmetry in the respective systems. In fact, the resulting trans-impedances $Z'_{21} = V_{2oc}/I_{1i}$ and $Z'_{12} = V_{1oc}/I_{2i}$, as well as the trans-admittances $Y'_{21} = I_{2cc}/V_{1i}$ and $Y'_{12} = I_{1cc}/V_{2i}$, are respectively equal, independently of the actual values of $Z_T$ and $Z_L$ used.
In conclusion, a symmetry can be derived as explained also using classical values of output and load impedances in PLMs. A possible drawback of this method is that the receiver needs to know both $Z_{in1}$ and $Z_{in2}$. Hence, the value of $Z_{in1}$ or $Z_{in2}$ needs to be transmitted through the public channel with risk of eavesdropping. However, a possible eavesdropper would not have access to the values of $V_1$ or $V_2$ in the trans-impedance case or to $I_1$ or $I_2$ in the trans-admittance case, which are a trait of the intended receiver. Therefore, sharing information about the channel input impedance at the transmitter and at the receiver does not directly enable a possible eavesdropper to estimate for example $Z'_{21}$. This approach is further elaborated and discussed in Section IV-B, where we do not limit ourselves to trans-impedance or trans-admittance architectures, but we generalize this method to any kind of communication architecture.

IV. KEY GENERATION IN HALF-DUPLEX PLC
In this Section, we propose two techniques to get common information at the transmitter and the receiver with minimal exchange of data. Both techniques rely on the fact that the PLC channel is reciprocal, as discussed before.

A. Time-domain symmetry technique (TDST)
Considering a generic two-port network, which in our case represents the PLN, the transmission matrix is defined as [19] where the subscripts 1 and 2 stand for the relative port. When the system is reciprocal, which is always the case in passive networks, the following relation holds true With this condition, the transmission matrix in the opposite direction becomes As shown in Appendix A, the time-domain response of (8) and (10) is not strictly symmetric but wide-sense symmetric. This means that the multipath response of the channel is characterized by peaks that are in the same position both when the signal travels from Port 1 to Port 2 and vice versa. However, the amplitude of the peaks and their shape are in general different, thus the PLC channel is not strictly symmetric.
As an example, Fig. 4 shows the frequency and time domain response of a typical PLC channel in the two communication directions. The frequency domain response is far from symmetric, even though a certain degree of correlation still exists. The wide-sense symmetry in time domain appears clearly in Fig. 4b. Even though the amplitude of the peaks in the two cases is rather different, we see that their position is the same. The mismatches are due mainly to two reasons. On one hand, high peaks might render lower peaks that are close to them undetectable. On the other hand, the peak detection algorithm and the bandwidth of the signal deeply influence the estimation of the peak presence and position.
One way to compensate for these errors and to construct a key is to divide the time domain response $h$ (or part of it) in $N$ blocks, each with duration $\varepsilon$ (white and gray stripes in Fig. 4b). A binary key with $N$ elements is generated at each node, with all values initially set to 0. After channel estimation and peak detection, every key element is set to one if at least one peak is detected within its time block, so that the binary key $K$ is generated.
This method can be further refined by limiting the peak search to the first $M$ blocks set to one. The limit is set because, due to the multipath and the smoothing effect of the channel, the density of the peaks tends to increase and their granularity tends to decrease with the time index. This means that every possible $K$ would have a lot of ones towards the end of the sequence, which results in high similarity between different keys. Conversely, when the limit to the first $M$ ones is applied, there is a higher chance that the ones in the keys generated by Alice and Eve fall in different positions. Finally, key reconciliation procedures, such as Slepian-Wolf coding [4], can be run as presented in Section II to agree on the final key.
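The block-based key construction and the first-M refinement described above, as an added example that is not part of the original paper or the authors' code. The local-maximum detector is an assumed stand-in for the energy-based detector the paper cites, and the three impulse responses are constructed sample data.

```python
# Added illustration of the TDST key construction (not the authors' code).
# The detector is a plain local-maximum search, an assumption standing in
# for the energy-based peak detection the paper cites.

def detect_peaks(h, threshold):
    """Return sample indices where |h| has a local maximum above threshold."""
    mag = [abs(x) for x in h]
    return [i for i in range(1, len(mag) - 1)
            if mag[i] >= threshold and mag[i] > mag[i - 1] and mag[i] >= mag[i + 1]]


def tdst_key(h, n_blocks, block_len, threshold, max_ones=None):
    """Build the N-element binary key K from an impulse-response estimate.

    Element k is 1 if at least one peak falls inside time block k.
    With max_ones=M, only the first M blocks set to one are kept.
    """
    key = [0] * n_blocks
    for p in detect_peaks(h, threshold):
        k = p // block_len
        if k < n_blocks:
            key[k] = 1
    if max_ones is not None:
        ones_seen = 0
        for k in range(n_blocks):
            if key[k]:
                ones_seen += 1
                if ones_seen > max_ones:
                    key[k] = 0
    return key


def hamming(a, b):
    """Number of key positions in which two keys differ."""
    return sum(x != y for x, y in zip(a, b))


def shared_ones(a, b):
    """Number of positions set to one in both keys."""
    return sum(x & y for x, y in zip(a, b))


def make_response(length, peaks):
    """Constructed impulse response: each (position, amplitude) pair becomes
    a peak with half-amplitude shoulders on either side."""
    h = [0.0] * length
    for pos, amp in peaks:
        h[pos] = amp
        h[pos - 1] = amp / 2
        h[pos + 1] = amp / 2
    return h


N_BLOCKS, BLOCK_LEN, THRESHOLD = 20, 3, 0.15

# Constructed data. Alice->Bob and Bob->Alice share peak positions
# (wide-sense symmetry) but not amplitudes; Bob estimates one peak one
# sample late (23 instead of 22), which still falls in the same block.
H_AB = make_response(60, [(7, 1.0), (22, 0.6), (40, 0.4), (52, 0.3)])
H_BA = make_response(60, [(7, -0.5), (23, 0.9), (40, 0.7), (52, 0.2)])
# Eve sees a different path: different early peaks, one coinciding late peak.
H_AE = make_response(60, [(4, 0.8), (16, 0.5), (31, 0.6), (40, 0.3), (55, 0.4)])
# As H_BA, but the late estimate crosses a block boundary (sample 24).
H_BA_EDGE = make_response(60, [(7, -0.5), (24, 0.9), (40, 0.7), (52, 0.2)])


def demo(max_ones=None):
    """Compare the keys of Alice, Bob and Eve for a given limit M."""
    ka = tdst_key(H_AB, N_BLOCKS, BLOCK_LEN, THRESHOLD, max_ones)
    kb = tdst_key(H_BA, N_BLOCKS, BLOCK_LEN, THRESHOLD, max_ones)
    ke = tdst_key(H_AE, N_BLOCKS, BLOCK_LEN, THRESHOLD, max_ones)
    return {"alice_bob_mismatch": hamming(ka, kb),
            "alice_eve_mismatch": hamming(ka, ke),
            "alice_eve_shared_ones": shared_ones(ka, ke)}


if __name__ == "__main__":
    print("all peaks:", demo())
    print("first M=2:", demo(max_ones=2))
    edge = tdst_key(H_BA_EDGE, N_BLOCKS, BLOCK_LEN, THRESHOLD)
    print("boundary jitter mismatch:",
          hamming(tdst_key(H_AB, N_BLOCKS, BLOCK_LEN, THRESHOLD), edge))
```

The `H_BA_EDGE` case shows why reconciliation is still needed: a one-sample estimation error that crosses a block boundary flips two key elements even though the underlying peak is the same.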
A drawback of the TDST is the generation rate of new keys, which is very low or even zero. This is because the position of the peaks in the time domain response is due to the topological structure of the network. Thus, the key would change only when a topology variation occurs. Small physical variations of the channel, due for example to its periodic time variant nature [21] or to impedance changes at the terminations, do not in general affect the presence or the position of peaks in the time domain channel response. The topology is only modified when a power switch is activated to route the power flow to a different section of the grid or when an anomaly like a fault or a strong impedance change occurs [22].
In the case of transmission and medium voltage distribution networks, topological variations might occur hours to weeks apart. In the case of indoor or low voltage distribution networks, the topology of PLNs is fixed unless an anomaly occurs, therefore each communication pair can generate just one code. Since frequent channel changes are needed to prevent possible eavesdroppers from retrieving the communication key, this key generation technique is prone to be decrypted over a long time period. Increased security could be obtained, for example, by combining the TDST with classical cryptographic methods to periodically refresh the key.

B. Transmission matrix technique (TMT)
Taking as starting point the normalization procedure presented in Section III, we can extend it to derive the full transmission matrix of the communication link. For this purpose, we assume the power line modems to be enabled to provide an estimate $\tilde{H}$ of the frequency response $H$ and $\tilde{Z}_{in}$ of the channel input impedance $Z_{in}$, respectively [23].
Since the parameters $A$, $B$, $C$ and $D$ of the transmission matrix are the same in the two directions, their estimation at one communication end would enable the complete electrical characterization of the channel in both directions. Relying on (1), (3), (8) and (10) we can write the following equations The four complex unknowns $A$, $B$, $C$, $D$ can be found by solving a system made with these four complex equations [24]. However, solving this system at each communication end requires information about $Z_{in}$, $H_1$, $Z_{in2}$ and $H_2$ to be shared on the PB channel. This would allow also any potential eavesdropper to solve the system, resulting in no secrecy. On the other hand, relying on (9), another system of equations can be written. Considering for example the user connected at Port 2, he can directly estimate $H_1$, by relying on classical pilot signals used in communication systems [25], and $Z_{in2}$ with an impedance sensor. At this point, considering also (9), only one equation is missing to derive the transmission matrix. Therefore, the value of either $Z_{in1}$ or $H_1$ has to be sent through the PB channel. If, for example, the information about $Z_{in1}$ is shared, then the user can solve the system With the estimated values of the transmission matrix, the user connected at Port 2 can estimate $H_2$ using (14). At this point, all the PLS techniques presented in Section II can be applied. The same procedure applies to the user connected at Port 1, with the transmission of information about $Z_{in1}$.
Since with this method the transmission matrix is estimated by both legitimate users, the key can be generated from any of the transmission matrix parameters or from a function of them. Even though some information is shared through the PB channel, a possible eavesdropper will not be able to correctly estimate the transmission matrix between the legitimate users, since it will at maximum have three equations available. When the cryptographic key is based on the degree of freedom left to the legitimate users, then the eavesdropper has no means to retrieve the key.
Regarding the estimation procedure, since $H_1$, $Z_{in1}$ and $Z_{in2}$ are constant as long as the transmission matrix is constant, their best estimates $\tilde{H}_1$, $\tilde{Z}_{in1}$ and $\tilde{Z}_{in2}$ are given by averaging over time, assuming zero mean noise [26]. $\tilde{A}$, $\tilde{B}$, $\tilde{C}$, $\tilde{D}$ are then simply derived by directly solving (15). When the channel state changes, the estimation procedure can be repeated and a new cryptographic key is generated.
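How the user at Port 2 can rebuild the transmission matrix and the reverse CTF from one shared value, as an added example that is not the authors' code. It assumes the textbook ABCD two-port relations (voltage transfer function and input impedance under a load, and reciprocity AD − BC = 1), since equations (1), (3) and (8)-(15) are not reproduced on this page; the network values and the equal receive impedance at both modems are constructed assumptions.

```python
# Added illustration of the TMT idea (not the authors' code). The two-port
# relations below are the textbook ABCD ones and are ASSUMPTIONS: the
# paper's own equations are not reproduced in this copy.

Z_L = 10e3  # receive impedance in ohm, assumed identical at both modems


def cascade(m1, m2):
    """ABCD matrix of two cascaded two-ports, each given as (A, B, C, D)."""
    a1, b1, c1, d1 = m1
    a2, b2, c2, d2 = m2
    return (a1 * a2 + b1 * c2, a1 * b2 + b1 * d2,
            c1 * a2 + d1 * c2, c1 * b2 + d1 * d2)


def series(z):
    """ABCD matrix of a series impedance z."""
    return (1, z, 0, 1)


def shunt(y):
    """ABCD matrix of a shunt admittance y."""
    return (1, 0, y, 1)


def reverse(abcd):
    """ABCD matrix seen from the other port of a reciprocal network."""
    a, b, c, d = abcd
    return (d, b, c, a)


def observables(abcd, z_load):
    """Voltage transfer function and input impedance for a given load."""
    a, b, c, d = abcd
    h = z_load / (a * z_load + b)
    z_in = (a * z_load + b) / (c * z_load + d)
    return h, z_in


def solve_at_port2(h1, z_in1_shared, z_in2_local, z_load):
    """Recover (A, B, C, D) at Port 2.

    h1 comes from pilot-based channel estimation, z_in2_local from the
    local impedance sensor, z_in1_shared from the public channel; the
    fourth equation is reciprocity, A*D - B*C = 1.
    """
    p = z_load / h1                                 # equals A*ZL + B
    q = p / z_in1_shared                            # equals C*ZL + D
    r = (q * z_load + p) / (z_load + z_in2_local)   # equals C*ZL + A
    c = (q * r - 1) / (q * z_load + p)              # from A*q - C*p = 1
    a = r - z_load * c
    b = p - a * z_load
    d = q - c * z_load
    return a, b, c, d


# Constructed asymmetric T-network (series, shunt, series) at one frequency.
TRUE_ABCD = cascade(cascade(series(5 + 20j), shunt(1 / (80 - 30j))),
                    series(12 + 35j))


def legit_exchange():
    """Port 2 estimates H2 without H2 ever being sent on the channel."""
    h1, z_in1 = observables(TRUE_ABCD, Z_L)             # forward link
    h2_true, z_in2 = observables(reverse(TRUE_ABCD), Z_L)  # reverse link
    est = solve_at_port2(h1, z_in1, z_in2, Z_L)
    h2_est, _ = observables(reverse(est), Z_L)
    return h1, h2_true, h2_est, est


if __name__ == "__main__":
    h1, h2_true, h2_est, est = legit_exchange()
    print("H1 (forward)      :", h1)
    print("H2 (reverse, true):", h2_true)
    print("H2 (estimated)    :", h2_est)
```

With exact inputs the reconstruction is exact up to rounding; with noisy estimates the subtraction `p - a * z_load` amplifies errors when the load is large, which is one reason to average the measurements first as the text describes.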
Different methods can be proposed to quantize and arrange the selected CSI. First of all, we consider the absolute value of the magnitude of the selected CSI to be linearly quantized over $2^{nbits} - 1$ levels for every frequency bin. Then, we consider two ways of arranging the data:
• Binary: the quantized data are converted to binary sequences with Gray encoding to minimize the distance between symbols that are close to each other. Each binary symbol is used as a symbol of the key.
• Coded: the key is defined over a $2^{nbits}$-ary alphabet and each symbol is made by the quantized value of the CSI at one frequency bin. One symbol at the end of the key sequence accounts for the actual value of the least significant bit. The actual key is generated by multiplying the values of all the symbols by the last one. This method is used to avoid data with similar shape but different amplitudes producing similar keys.
These two methods will be compared in Section V, where we consider as an example the key to be derived from $\tilde{H}_2$. We remark that other quantization methods are possible. However, a thorough comparison of quantization methods is out of the scope of this paper.
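The effect of Gray encoding in the "Binary" arrangement, as an added example that is not the authors' code. It assumes both ends agree on the quantization range and on indices 0 to 2^nbits − 1; the per-bin magnitudes are constructed so that the two estimates of one bin fall on opposite sides of a quantization boundary.

```python
# Added illustration of the "Binary" arrangement (not the authors' code).
# ASSUMPTIONS: both ends agree on the range [lo, hi] and use quantization
# indices 0 .. 2**nbits - 1; the magnitudes below are constructed data.

def quantize(mag, lo, hi, nbits):
    """Linear quantization of a magnitude to an integer index."""
    top = (1 << nbits) - 1
    idx = int((mag - lo) / (hi - lo) * top + 0.5)
    return max(0, min(top, idx))


def gray(i):
    """Binary-reflected Gray code of a non-negative integer."""
    return i ^ (i >> 1)


def to_bits(value, nbits):
    """Most-significant-bit-first list of bits."""
    return [(value >> k) & 1 for k in range(nbits - 1, -1, -1)]


def binary_key(mags, lo, hi, nbits, use_gray=True):
    """Concatenate the (optionally Gray-coded) index bits of every bin."""
    bits = []
    for m in mags:
        idx = quantize(m, lo, hi, nbits)
        bits += to_bits(gray(idx) if use_gray else idx, nbits)
    return bits


def bit_disagreements(a, b):
    """Number of key bits on which the two ends differ."""
    return sum(x != y for x, y in zip(a, b))


NBITS, LO, HI = 4, 0.0, 1.0
# Constructed magnitudes of the selected CSI at four frequency bins.
# The estimates differ by at most 0.02, but bin 1 straddles the boundary
# between index 7 and index 8.
ALICE = [0.12, 0.49, 0.80, 0.33]
BOB = [0.13, 0.51, 0.79, 0.34]


def compare(use_gray):
    """Bit disagreements between Alice's and Bob's keys before reconciliation."""
    return bit_disagreements(binary_key(ALICE, LO, HI, NBITS, use_gray),
                             binary_key(BOB, LO, HI, NBITS, use_gray))


if __name__ == "__main__":
    print("indices Alice:", [quantize(m, LO, HI, NBITS) for m in ALICE])
    print("indices Bob  :", [quantize(m, LO, HI, NBITS) for m in BOB])
    print("natural binary disagreements:", compare(use_gray=False))
    print("Gray-coded disagreements    :", compare(use_gray=True))
```

Gray coding does not remove the disagreement, it only bounds it to one bit per adjacent-level error, so the reconciliation step still has to correct it.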
As mentioned before, the PLC channel is typically cyclostationary with period equal to the mains semi-cycle and can be roughly subdivided into a series of slots in which it is considered static. Such intervals typically are in the order of some hundreds of microseconds [21]. Hence, the number of cryptographic keys that can be generated for a given node pair using the proposed method is equal to the number of time slots in the particular scenario. Since the state variations are much higher at frequencies below 5 MHz than above, a higher number of less correlated keys is likely to be generated using narrow-band PLC, which uses the spectrum 3-500 kHz, than broad-band PLC, which uses the spectrum 2-86 MHz. Therefore, the proposed method for key generation is expected to have the best performance when applied to distribution networks, where PLC is used mainly within the narrow-band spectrum.

V. PRACTICAL RESULTS
The results presented in this paper are based on the measurement campaign presented in [27]. In this measurement campaign, the full transmission matrix of a total of 1312 in-home channels divided in 3 sites has been measured in the frequency range from 0.1 to 80 MHz. We chose this dataset because, to our knowledge, it is the only one available with measurements of the full transmission matrix. However, considering the results of other measurement campaigns conducted on distribution grids [28], we expect our results to be qualitatively applicable also in the outdoor scenario.

A. Channel correlation
As presented in Section II, one fundamental property to generate secure keys from the physical channel is the strong correlation between the two forward and reverse channels from Alice to Bob and vice-versa. At the same time, both the Alice to Eve and Bob to Eve channels have to be as low correlated as possible w.r.t. the two legitimate channels. Therefore, in this section we analyze the spatial correlation of PLC channels, independently on the key generation method used.
A first work presented in [27] defined the space-frequency correlation as where $i$ and $j$ stand for the channel realization indexes, $E[\cdot]$ is the expectation operator, $\ell$ and $m$ stand for the frequency bin indexes, and $H$ is the CTF of a specific channel. The correlation is computed as an expectation over all the channels that share the same transmitter and over all the possible transmitters. The results show that the average correlation between the channel transfer functions from or to different outlets is rather low, but it increases to values around 0.3 when the absolute values of $H$ are considered. In this work, especially in the case of the TMT, information about the input impedance is shared, and Eve is interested in retrieving $H_{ab}$ and $H_{ba}$ from it (see Section IV-B). Therefore, it is of interest to compute where H Zin and Z in share the same transmitter. The results in Fig. 5, where we fixed $\ell = m$, show that $|C|$ is on average low, but the frequency-space correlation $C_{abs}$, computed using the absolute values, is on the other hand not negligible. Therefore, it is recommended, when generating secure keys with the TMT, to make use of the estimated complex values and not just their magnitude.
It also makes sense to use a broader definition of correlation, which is not dependent on the frequency bin, but just on the channel realization. To this purpose, we consider the deterministic correlation coefficient $\rho_H$, defined as where $L$ is the total number of frequency bins considered. The results are plotted in Fig. 6, where the left picture shows the results for $|\rho_H|$ and the right one shows $\rho_{H_{abs}}$, which is the correlation as in (18) computed with the absolute value of the transfer functions. On the main diagonal, instead of plotting the autocorrelation of each channel, which would be one, we plot $\rho_H$ between the Alice to Bob and the Bob to Alice channels.
The results show that the power line channels are rather uncorrelated (left), and that the correlation increases when the absolute values of the transfer functions are considered (right). The correlation between the channels of the legitimate parties is on average higher than that with Eve, but still not significant (see Tab. I).
In Fig. 7, we plot $\rho_Z$ computed as The results show that the input impedances are more correlated than the channel transfer functions, especially when the absolute values are considered. This might be due to the fact that the input impedance is, notably at high frequencies, very dependent on the characteristic impedance of the cable the modem is branched to. If different outlets are branched to cables with similar characteristic impedances, then a certain degree of correlation is expected.

B. Time-domain symmetry technique results
As presented in Section IV-A, the time-domain channel transfer function is not expected to be more correlated than  the frequency domain one, since h is made by peaks that have different heights in the two directions. The results when computing (18) for the impulse response are similar to those obtained with the CTF. In fact, the correlation between the Alice to Bob and Bob to Alice channels is almost the same in the two cases and only with Eve the correlation is slightly lower in the impulse response case (see Table I).
In order to localize the peaks needed to apply the TDST, we considered different spectral analysis techniques, both parametric and non-parametric [29]. Given the wide bandwidth available, the best results have been achieved using a non-parametric technique that consists of interpolating the original estimated time-domain trace and applying the energy-based peak detection technique presented in [30]. The interpolation filter is a truncated sinc, which is equivalent to zero padding in the frequency domain. Although the interpolation does not reveal any more information about the presence of peaks, it greatly improves the estimation of their location.
Fig. 8 shows the average of the correlation coefficient $\rho_h$ computed as as a function of the number M of the peaks considered, for different amounts of interpolation points. As for the length of the key h, we set it to N = 200 elements, which are obtained by segmenting the impulse response into 200 time blocks, each with duration ε = 3$T_S$, where $T_S$ is the sampling period after interpolation. The results show that when M increases, the correlation between the keys generated by Alice and Eve increases linearly, while the correlation coefficient $\rho_h$ between Alice and Bob almost saturates after the first steps. This means that considering high values of M for key generation might reduce the security of the key. On the other hand, using very low values of M reduces the correlation of the legitimate parties and also simplifies the work needed by Eve to infer the key by a series of random guesses. Concerning the interpolation, increasing the number of interpolation points slightly reduces the correlation between Alice and Eve, but drastically reduces the one with Eve. This is particularly clear in Fig. 8b, which shows that the ratio between the two correlations is, for example, the same when using M = 1 and no interpolation and M = 9 and 3-point interpolation.
The use of interpolation is therefore encouraged in order to generate secure keys.

C. Transmission matrix technique results
As explained in Sec. IV-B, the TMT allows Alice and Bob to obtain common CSI while preventing Eve from accessing it. Since the technique consists of solving a fully determined system, possible mismatches are only due to the presence of noise. For example, higher estimation errors are expected when external electromagnetic interference impinges differently on the two communication ends. It has been shown in [12] that in the case of PLNs this effect is limited. Considering for example the key to be generated from H 2, Fig. 9 depicts the difference where H A 2 is the CTF estimated by Alice and H B 2 is the one estimated by Bob in the presence of disturbances. The values of ∆ are on average in the range -25 dB to -35 dB, with one exception around 10 MHz, where higher values are shown. These higher values are due to disturbances caused by amateur radio transmissions.

D. Quantization results
In order to assess the overall efficiency of the proposed methods, in this section we analyze the distance d between the keys generated by the legitimate users and by Eve, using the TDST and the TMT combined with different quantization methods. We define the distance d between two keys with equal length N as where $K_A$ is the key generated by Alice and $K_{B,E}$ is the key generated by Bob or Eve. This definition of distance is a normalized version of the classical Hamming distance [31]. The two are equal in the binary case, i.e. when $K_{A,i}, K_{B,E,i} \in [0, 1]\ \forall i$. When the keys are not made of binary symbols, (22) ensures that the maximum distance between each symbol is 1. This enables an easy comparison between different quantization methods over the same data source.
Fig. 10 shows the results regarding the TDST. We notice in Fig. 10a that as the number M of bins set to 1 increases, the average $d_{Alice↔Bob}$ only slightly increases and it is almost independent of the interpolation used. On the other side, the average $d_{Alice↔Bob}$ rapidly detaches from the maximum possible d, especially with low values of interpolation. These results confirm what had already been deduced from the correlation analysis in Section V-B. Regarding the results in Fig. 10b, we considered all the peaks present in N blocks. We notice that in this case $d_{Alice↔Bob}$ is rather influenced by the interpolation factor. This is due to the fact that, while the first few peaks in the time-domain CTF are well separated and sharp, the density and the smoothness of the other peaks increase, due to the multipath and the cable attenuation. Therefore, with increasing N there are many more, and less detectable, peaks, which in turn increases $d_{Alice↔Bob}$.
Figs. 11 and 12 show the results regarding the TMT. Fig. 11a shows that, considering the same code length N, the TMT with binary symbols quantized with 8 bits has a similar performance to the TDST with 5-point interpolation. On the other hand, the best results in terms of $d_{Alice↔Bob}$ are achieved by the TMT coded method, although $d_{Alice↔Eve}$ is also rather low. However, the ratio between the average $d_{Alice↔Eve}$ and the average $d_{Alice↔Bob}$ is maximized with this technique (see Fig. 11b), which therefore ensures the best security of the key among the proposed methods.
We finally consider the effect of the number of bits used for quantization on d. As depicted in Fig. 12, while E[d] increases with the number of bits in the TMT binary case, it is almost independent of it in the other case. In fact, since the CTFs estimated by Alice and Bob are rather close to each other (cf. Fig. 9), the same also holds for the quantized values. When the number of bits increases, d for each symbol decreases, but at the same time the number of symbols with non-null d increases, and these two effects compensate each other. In the TMT binary case, on the other hand, d for each symbol cannot slowly decrease towards 0, since the alphabet is binary, while the number of symbols with non-null d increases with N.
In conclusion, we found that, in the case of the TDST, the best results in terms of average d are achieved when considering a limited number of peaks and a high interpolation factor. Regarding the TMT, the length of the key or the number of quantization levels does not play a fundamental role, but rather the method used to arrange the data. Among those proposed, the TMT coded yields the best results.
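The TDST key construction of Section V-B and the binary case of the distance d from Section V-D, as an added example that is not the authors' code. The impulse responses are constructed, the peak picker is a simple stand-in for the energy-based detector of [30], and normalising d by the key length N is an assumption.

```python
import math

def sinc_interp(x, factor, half_width=8):
    """Upsample by `factor` with a truncated sinc (time-domain form of zero padding in frequency)."""
    out = []
    for n in range(len(x) * factor):
        t = n / factor
        k0 = int(t)
        acc = 0.0
        for k in range(max(0, k0 - half_width), min(len(x), k0 + half_width + 1)):
            u = math.pi * (t - k)
            acc += x[k] * (1.0 if u == 0.0 else math.sin(u) / u)
        out.append(acc)
    return out

def tdst_key(h, m_peaks, factor=3, n_blocks=200, eps=3, rel_threshold=0.2):
    """Binary key of n_blocks symbols: 1 where a block of eps samples holds one of the first m_peaks peaks."""
    y = [abs(v) for v in sinc_interp(h, factor)]
    floor = rel_threshold * max(y)
    # Stand-in peak picker (assumption): local maxima above a relative threshold, earliest first.
    peaks = [i for i in range(1, len(y) - 1)
             if y[i] >= floor and y[i] > y[i - 1] and y[i] >= y[i + 1]]
    key = [0] * n_blocks
    for i in peaks[:m_peaks]:
        if i // eps < n_blocks:
            key[i // eps] = 1
    return key

def key_distance(ka, kb):
    """Fraction of differing symbols (binary case; normalisation by N is an assumption)."""
    return sum(a != b for a, b in zip(ka, kb)) / len(ka)

def trace(delays, gains, length=200, width=1.5):
    """Constructed impulse response: one smooth pulse per propagation path."""
    return [sum(g * math.exp(-((k - d) / width) ** 2) for d, g in zip(delays, gains))
            for k in range(length)]

# Constructed data: the two reciprocal directions share peak positions but not peak heights.
PATHS = [10 + 1/3, 31 + 1/3, 58 + 1/3, 90 + 1/3]
h_ab = trace(PATHS, [1.0, 0.7, 0.9, 0.6])
h_ba = trace(PATHS, [0.8, 1.0, 0.6, 0.9])
# Eve sits at another outlet, so her paths (constructed) have different delays.
h_eve = trace([17 + 1/3, 44 + 1/3, 71 + 1/3, 120 + 1/3], [0.9, 0.8, 1.0, 0.7])

K_A, K_B, K_E = (tdst_key(h, m_peaks=4) for h in (h_ab, h_ba, h_eve))

if __name__ == "__main__":
    print("d Alice<->Bob:", key_distance(K_A, K_B))
    print("d Alice<->Eve:", key_distance(K_A, K_E))
```

Because the key encodes only where the peaks fall, the differing peak heights in the two directions do not separate Alice's and Bob's keys in this constructed case.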

VI. CONCLUSIONS
In this paper, we presented different ways of enhancing physical layer security in power line networks exploiting the channel properties. On one side, the power line channel is symmetric when either full duplex, transresistance or transconductance communication architectures are used. In this case, the existing methods for physical layer security in symmetric networks can be applied. On the other side, when the classical half duplex architecture is used, the power line channel is not symmetric, but just reciprocal. We showed some fundamental properties of reciprocal channels that enable the generation of secret keys with minimal exchange of information between the two legitimate users. In particular, the wide-sense symmetry of reciprocal channels has been used to propose a CSI based key generation method that relies on peak analysis and generates highly correlated information at the two communication ends with no exchange of key information. Another CSI based key generation method has been proposed, which relies on the estimation of the transmission matrix of the link at the two ends with minimal exchange of information about it through the broadcast channel.
We also presented an analysis of the spatial correlation in power line networks based on a measurement dataset. The results showed that the power line channels have low spatial correlation, which is even lower when complex valued CSI is considered.
We finally generated secret keys by quantizing with different methods the gathered CSI and assessed their reliability by computing a specifically formulated distance between the different keys. The results showed that the distance between the keys generated by Alice and Bob is on average much lower than the distance between the keys generated by Alice and Eve. This guarantees a good level of security of the generated keys. This paper opens a path for new research efforts in physical layer security for reciprocal networks. Further developments might include key agreement protocols, the incorporation of other common information at the two communication ends and the combination of the proposed techniques with classical cryptographic methods.