The Vault

Radio-telepathy: Extracting a Secret Key from an Unauthenticated Wireless Channel
Research Paper / Jan 2008


Radio-telepathy: Extracting a Secret Key from an
Unauthenticated Wireless Channel

ABSTRACT
Securing communications requires the establishment of cryp-
tographic keys, which is challenging in mobile scenarios where
a key management infrastructure is not always present. In
this paper, we address this challenge by presenting a pro-
tocol that allows two users to establish a common crypto-
graphic key by exploiting special properties of the wireless
channel: that the underlying channel response between any
two parties is unique and that the channel response decorre-
lates rapidly in space. The established key can then be used
to support security services (such as encryption) between
two users. Our algorithm uses level-crossings and quanti-
zation to extract bits from correlated stochastic processes.
The resulting protocol resists cryptanalysis by an eavesdrop-
ping adversary and a spoofing attack by an active adversary
without requiring an authenticated channel, as is typically
assumed in prior information-theoretic key establishment
schemes. We evaluate our algorithm through theoretical and
numerical studies, and provide validation through two com-
plementary experimental studies. First, we use an 802.11
development platform with customized logic that extracts
raw channel impulse response data from the preamble of a
format-compliant 802.11a packet. We show that it is possi-
ble to practically achieve secret key establishment rates of
∼ 1 bit/sec in a real, indoor wireless environment. Next,
to illustrate the generality of our method, we show that our
approach is equally applicable to per-packet coarse signal
strength measurements using off-the-shelf 802.11 hardware.

1. INTRODUCTION
Many of the risks associated with securing wireless sys-

tems stem from challenges associated with operating in a
mobile environment, such as the lack of a guaranteed infras-
tructure or the ease with which entities can eavesdrop on
communications. Traditional network security mechanisms
rely upon cryptographic keys to support confidentiality and
authentication services. However, in a dynamic mobile en-
vironment, with peer-to-peer associations being formed on-
the-fly between mobile entities, it is difficult to ensure avail-
ability of a certificate authority or a key management center
to support security needs. Since such scenarios are likely to
become increasingly prevalent in the future, it is necessary

Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and the full citation on the first page. To copy otherwise, to
republish, to post on servers or to redistribute to lists, requires prior specific
permission and/or a fee.
Copyright 200X ACM X-XXXXX-XX-X/XX/XX ...$5.00.

to have alternative methods for establishing keys between
wireless peers without resorting to a fixed infrastructure.

In this paper, we explore an alternative for building cryp-
tographic services by exploiting an untapped resource - the
wireless channel itself. The wireless medium can serve as a
mechanism to share secrets between two wireless entities by
exploiting the variability and dimensionality associated with
wireless propagation. The specificity of the radio channel be-
tween two wireless devices, and its rapid decorrelation with
distance, provide a basis for the creation of shared secret in-
formation, such as cryptographic keys, even in the presence
of an eavesdropper. In typical multipath environments (see
Figure 1), the wireless channel between two users, Alice and
Bob, produces a random, time-varying, stochastic mapping
between the transmitted and received signals. This mapping
changes with time in a manner that is location-specific and
reciprocal, i.e., the mapping is the same whether Alice is
the transmitter with Bob as the receiver or vice-versa. The
time-varying mapping, commonly termed fading, decorre-
lates completely over distances of the order of half a wave-
length, λ. Thus, an adversary, Eve, who is more than λ/2
away from both Alice and Bob, experiences fading channels
to Alice and to Bob that are statistically independent of the
fading channel between Alice and Bob. These two properties
allow us to generate a common, secret cryptographic key at
Alice and Bob such that Eve gets no information about the
generated key. For example, at 2.4 GHz, we only require
that Eve be roughly λ/2 = 6.25 cm away from Alice and
Bob to ensure that she gets no useful information. Thus,
while fading is typically considered harmful, it is profitably
exploited by our technique to extract perfectly secret bits
without leaking information to an adversary.

The extraction of secret bits from the wireless channel can
be viewed as a ’black-box’ that can be advantageously uti-
lized in various ways putting to good use information that is
already available from the channel. For example, in the cur-
rent 802.11i system, session keys for communication between
a station and an AP are derived by hashing together authen-
tication credentials and randomly selected nonces which are
exchanged by the two parties in the clear. This effectively
ties the confidentiality of all future messages sent over the
air to the authentication credentials. Therefore, if these cre-
dentials are compromised at some time in the future, an
adversary will be able to derive the session keys and de-
crypt all past encrypted messages. If instead, the nonces
are derived from the unique channel between the two users,
making them information-theoretically secure, a passive ad-
versary has no means to derive the session keys even if it
learns the authentication credentials [1]. Similarly, the ses-
sion keys can be updated by employing secret bits derived
from the channel to deliver the new keys, instead of relying
on previously existing keys [1]. This ensures that the confi-



dentiality of each new session is protected independently of
earlier sessions.

Yet another vulnerability in 802.11i stems from the fact
that during the establishment of a secure link between a sta-
tion and an AP, all messages exchanged over the air, includ-
ing management frames, are sent unencrypted till the point
at which both parties have obtained the session key (called
the temporal key or TK in 802.11 jargon) and are therefore
susceptible to eavesdropping by unauthorized users sharing
the wireless medium as well as to spoofing by other users.
While the 802.11w amendment seeks to protect some man-
agement frames from such attacks, it too fails to protect
messages exchanged before the the establishment of TKs.
The problem is that securing the initial exchanges between
the parties requires them to share a key which is not estab-
lished until layer. Our key extraction mechanism provides
a natural solution [2] by allowing the parties to generate a
temporary key that protects the interim exchanges before
the formal keys are in place.

Ad-hoc networks present another avenue where our tech-
nique can be useful. Alice may not care to establish Bob’s
identity if she merely wishes to employ his services to for-
ward her data over another hop but may like to establish a
secure link layer with him nevertheless so as to add link-level
encryption to her data.

Prior work in information theory has noted the potential
of using the wireless channel for generating shared secret
bits, but most of this work has been aimed at computing
theoretical limits and neither provides practical algorithms,
nor a demonstrable and quantifiable impact on security. Our
contribution in this paper may be summarized as follows:

1. We translate prior information-theoretic ideas into a
practical protocol applied to wireless channels;

2. We build a new algorithm for key extraction that, un-
like prior schemes, does not require an authenticated
channel, and we evaluate its performance for typical
fading channels;

3. We validate our algorithm using channel impulse re-
sponses measured using the 802.11a packet preamble
on a customized FPGA-based 802.11 development plat-
form and a second study that uses only coarse per-
packet RSSI information readily available to off-the-
shelf 802.11 platforms.

We emphasize that existing mobile radio platforms already
provide the information we need, but such data are normally
discarded after physical layer processing and can be prof-
itably exploited to benefit security services. It is important
to recognize that the new approach we present is intended
to augment, rather than to replace existing cryptographic
security mechanisms. It provides a new approach to estab-
lishing keys that is useful when there is no key management
infrastructure (e.g. in peer-to-peer wireless systems).

In Section 2 we summarize the related work, in Section 3
we describe our system model and the design issues relevant
to our problem, in Section 4 we describe our key-extraction
algorithm in detail, in Section 5 we evaluate the performance
of our algorithm and in Section 6 we present two experimen-
tal studies that validate our algorithm on 802.11a hardware.
We conclude in Section 7 with a discussion on the practical
implications of our proposed system and the broader impact
it may have on securing wireless systems.

2. RELATED WORK

Figure 1: The multipath fading for a signal from Alice to

Bob is different from that for the signal reaching Eve.

An extensive body of information-theoretic work during
the past several decades has explored the use of information
from the physical layer in deriving security benefits. In [3,4],
the authors introduced the problem of generating identical
bits based on correlated information available to two users
such that a third eavesdropping user does not learn anything
about the generated key. They showed, provided Alice and
Bob already share an authenticated public channel, that it
is possible to generate identical keys at the two users. The
standard method for generating secret keys at Alice and Bob
under this assumption consists of three basic steps and has
been utilized by a number of proposed systems [5–7]. In
advantage distillation [3, 8], the legitimate users, Alice and
Bob obtain correlated information while Eve is allowed to
eavesdrop, so that Alice & Bob share greater information1

than that shared between Alice & Eve or Bob & Eve. Al-
ice and Bob then convert their information into bits. In
the information reconciliation stage [6], Alice and Bob ex-
change error-correcting messages over an authenticated pub-
lic channel that allow them to agree on an identical string
of bits. However, the publicly exchanged messages reveal a
certain amount of information about the bit strings to Eve.
In privacy amplification [10], Alice and Bob diminish the
partial information revealed to Eve by systematically dis-
carding some of their common bits. Efficient protocols have
since been designed [6,11]2 to allow key generation without
leaking out information to an eavesdropping adversary.

However, a central assumption in this entire body of work
is that Alice and Bob have an authenticated channel avail-
able to them even before key generation begins. This is an
unrealistic assumption in practice because the availability of
an authenticated channel implies that Alice and Bob already
share a secret key to begin with! Therefore, the purpose of
generating a common secret key is defeated.

In [13], Maurer and Wolf showed that secret key extrac-
tion without an authenticated channel is possible only if Eve
cannot possibly transmit a signal to Bob that is statistically
indistinguishable from signals coming from Alice (and vice-
versa). This provides an important insight that has not been
translated into a practical algorithm. Our work is the first
to build upon this result: we use use the wireless channel to
guarantee that Eve does not possess the required informa-
tion to prevent key generation.

More recently, [14] examined PHY-layer based authenti-
cation and confidentiality in wireless systems. The work
in [15,16] looked at authentication using channel signatures
between the transmitter and receiver(s). Our work is per-
haps most closely related to the work of [17], which proposes

1In information-theoretic terms, the amount of information
between two observations X and Y is measured by the mu-
tual information I(X;Y ) between them [9].
2Much of this work was done in the context of quantum key
distribution. For a more complete bibliography on quantum
key distribution see [12].



a scheme for generating secret bits from correlated observa-
tions of deep fades by two users communicating via a TDD
link. This work focuses on the theoretical construction for
extracting randomness through use of universal hash fam-
ilies. However, they do not demonstrate or evaluate the
amenability of the wireless channel to detection of deep fades
by both users using TDD to the degree of precision required
by their scheme. Their work does not provide a quantifi-
cation of the secret key rate versus parameters associated
with the underlying fading process or parameters involved
in their algorithm. Additionally, we note that their method
focuses primarily on a passive adversary. The reliance on
deep fades can be easily exploited by an active adversary
that produces greater interference power at one legitimate
user than the other so that a deep fade for one user may not
be a deep fade for the other. In [18], a method exploiting
channel reciprocity using ultra-wideband (UWB) channels
to generate secret bits was presented. In [19], specialized
electronically steerable antennas were proposed for use in
generating key bits by exploiting channel reciprocity. The
methods in [17–19] all rely on conventional reconciliation
for correcting bit-errors, and thus require an authenticated
channel. In [20,21], a method for secret key generation based
on phase reciprocity of frequency selective fading channels
was proposed. While this is attractive, it is difficult to im-
plement or evaluate in practice because accurate phase in-
formation is difficult to harvest from existing hardware plat-
forms.

In contrast to prior work, the algorithm we propose tran-
scends the requirement of an authenticated channel, does
not require specialized hardware and is not limited to UWB
channels. We provide both a fundamental analysis as well as
a real-world experimental implementation of our algorithm
and show that existing mobile platforms already provide suf-
ficeint information for producing secret bits using our algo-
rithm. We evaluate the randomness of the bit-sequences
produced by our algorithm, a generally overlooked aspect
in prior work on secret key generation, and show that they
are suitable for use as cryptographic keys. Lastly we note
that our technique may be compared with classical key es-
tablishment techniques such as Diffie-Hellman, which also
use message exchanges to establish keys. However, clas-
sical cryptographic key establishment techniques rely upon
the (unproven) arguments of computational complexity such
as the hardness of inverting discrete logarithms or factor-
ing a product of large prime numbers, while our algorithm
provides information-theoretic security, which does not rely
on these computational hardness assumptions and builds a
practical methods to achieve this type of security. In this
way we provide an analog of quantum cryptography for wire-
less networks.

3. SYSTEM MODEL & DESIGN ISSUES
The crucial insight that allows the wireless channel to be

amenable for generating a secret key is that the received sig-
nal at the receiver is modified by the channel in a manner
that is unique to the transmitter-receiver pair. It is the mod-
ification of the transmitted signal by the wireless multipath
channel that introduces information into the received signal
from which we can extract secret bits. This distortion cap-
tures information that depends critically upon the location
of the transmitter, the receiver, and the placement of scat-
tering surfaces in the wireless environment. Typically, such
distortion is estimated at the physical layer of the receiver
and the associated distortion information dealt with to en-
sure reliable physical layer decoding of the communication

0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5
0

0.5

1

1.5

2

2.5

Time (sec)

M
ag

ni
tu

de

(a)

10 20 30 40 50 60 70
0

0.5

1

1.5

2

(b)
Probe index number

M
ag

ni
tu

de
o

f c
ha

nn
el

p
ar

am
et

er q
+
level

q


level
h(t) process
Alice’s estimates
Bob’s etimates

Alice

Bob

q
+


q




3 pts above q
+


4 pts above q
+


Figure 2: (a) A sample realization of a Rayleigh fading

stochastic process. (b) Successive channel estimates of the

process by Alice and Bob showing excursions above the q+

and below the q− levels on a magnified portion of (a).

Symbol Meaning

h Stochastic channel parameter of interest
h(t) Value of the stochastic process h at time t
s(t) Probe signal transmitted to estimate h(t)
fd Maximum Doppler frequency (Hz)
fs Rate at which each user sends probes (Hz)

q+, q− Quantizer bin boundaries (Upper and lower resp. )
m Reqd. min. # of estimates in a excursion
N Length of key in bits
Rk Rate of generation of secret bits (s-bits/sec)
pe Probability of a bit error

pk Probability of key mismatch = 1− (1− pe)
N

Table 1: A summary of the notation used

signal. However, since this information is always present and
uniquely corresponds to the transmitter-receiver pair, it also
provides our transmitter (Alice) and receiver (Bob) a means
to privately establish secret bits associated with this distor-
tion. In this section, we focus on the challenges of using the
stochastic nature of the wireless channel to secretly establish
bits. We break down our discussion to include a description
of: (1) the underlying channel model associated with mul-
tipath fading; (2) the tools needed to obtain bits from the
channel response; and (3) the design goals that need to be
addressed in order to reliably establish these bits. To assist
the reader, we provide notation in Table 1.

3.1 Channel model
Let h(t) be a stochastic process corresponding to a time-

varying parameter that describes the wireless channel be-
tween Alice and Bob. Although there are many choices for
h(t), for our discussion, we shall assume that h(t) is the
magnitude of the transfer function of the multipath fading
channel between Alice and Bob evaluated at a fixed test fre-
quency, f0. Implicit in this formulation is the observation
that the system transfer function of the channel is the same
in the Alice →Bob direction as in the Bob→Alice direction
at a given instant of time. This follows from reciprocity,
which is a fundamental property of electromagnetic wave
propagation [22,23] in a medium and must not be confused
with additive noise or interference, which may be different
for different receivers. To distinguish between the channel
parameter of interest, and its value at a given instant of
time, we denote the parameter by h and refer to its value
as h(t). To estimate the parameter h, Alice and Bob must



transmit known probe signals to one another. Each party
can then use the received signal along with the known probe
signal to compute an estimate hˆ of the parameter h. Since
practical radios are half duplex due to hardware constraints,
Alice must wait to receive a probe signal from Bob before
she can transmit a probe to him and vice-versa. In the time
between the two successive probes, h(t) changes slightly in a
manner that is modeled by an appropriate underlying prob-
ability distribution (e.g. Gaussian). The received signal at
Alice and Bob due to successive probes may be written as

ra(t1) = s(t1)h(t1) + na(t1) (1)

rb(t2) = s(t2)h(t2) + nb(t2), (2)

where s(t) is the known probe signal, na & nb are the in-
dependent noise processes at Alice and Bob and t1 & t2 are
the time instants at which successive probes are received by
Alice and by Bob respectively. Using the received signal,
Alice and Bob, each compute (noisy) estimates of h:

hˆa(t1) = h(t1) + za(t1) (3)

hˆb(t2) = h(t2) + zb(t2), (4)

where za and zb represent the noise terms due to na and
nb respectively after having been processed by the function
that estimates h. We refer the reader to [24] for designing

good estimator functions for h. The estimates hˆa and hˆb
are in all likelihood unequal, due in part to the independent
noise terms and in part to the time lag τ , however they can
be highly correlated if Alice and Bob send probes to one
another at a fast enough 3 rate, i.e. if τ = t2 − t1 is small.
By repeatedly sending probes in an alternating manner over
the time-varying channel, Alice and Bob can generate a
sequence of n estimates hˆa = {hˆa[1], hˆa[2], . . . , hˆa[n]} and
hˆb = {hˆb[1], hˆb[2], . . . , hˆb[n]} respectively, that are highly
correlated, as in Figure 2. Although Eve can overhear the
probe signals sent by each of the users, the signals received
by Eve are completely different:

rbe(t1) = s(t1)hbe(t1) + ne(t1) (5)

rae (t2) = s(t2)hae(t2) + ne(t2), (6)

where hbe and hae denote the channel between Bob & Eve
and between Alice & Eve respectively and ne is the noise
added at Eve. If Eve is more than ∼ λ/2 away from Al-
ice and Bob, then hae and hbe are uncorrelated with h [25].
Therefore, despite possessing knowledge of the probe signal
s(t), Eve cannot use her received signals to compute mean-
ingful estimates of the Alice-Bob channel, h.

3.2 Converting the channel to bits
Alice and Bob must translate their respective sequences of

channel estimates to extract identical bit-strings. Further,
the bit strings they generate must be suitable for use as
cryptographic keys. This means that they must be:

1. Suitably long: Keys of length 128 to 512 bits are com-
monly used in symmetric encryption algorithms. So
they should be able to generate at least these many
bits in a reasonable amount of time.

2. Statistically random: The bits should be random with
equal probability of a ‘0’ and a ‘1’. Also, the bit-
sequences must not suffer from statistical defects that
could be exploited by an attacker.

3‘Fast enough’ here is in relation to the coherence time of
the channel, which is inversely proportional to the maximum
Doppler frequency fd.

The second requirement guarantees that the generated key
has desirable security properties. That is, an N-bit key must
really provideN bits of uncertainty to an adversary who only
knows the key generation algorithm and nothing else.

We now briefly describe how to obtain bits from the chan-
nel estimates hˆa and hˆb, to provide the intuition behind our
algorithm, while postponing a formal description to Sec-
tion 4. The sequence of channel estimates hˆa and hˆb are
sequences of random variables, drawn from an underlying
probability distribution that characterizes the random chan-
nel parameter h. We assume, for the sake of our discussion,
that h(t) is a Gaussian random variable and the underly-
ing stochastic process h is a stationary Gaussian process. A
Gaussian distribution for h may be obtained, for example,
by taking h to be the magnitude of the in-phase component
of a Rayleigh fading process between Alice and Bob [22].
It must be noted that the assumption of a Gaussian distri-
bution on h is for ease of discussion and our algorithm is
equally valid in the general case.

Since the channel estimates computed by Alice and Bob
are continuous random variables, it is necessary to quantize
their estimates using a quantizer Q(·) to obtain bits. How-
ever, a straightforward quantization of the vectors hˆa and

hˆb is not sufficient because it does not guarantee that an
identical sequence of bits will be generated at the two users.
In our scheme, Alice and Bob use the channel statistics to
determine scalars, q+ and q− that serve as reference levels
for the quantizer Q(·) as follows:

Q(x) =


1 if x > q+
0 if x < q−

. (7)

Alice then parses through her channel estimates hˆa to deter-
mine the locations of excursions4 of her channel estimates
above q+ or below q− that are of a duration ≥ m esti-
mates, i.e., m successive channel estimates in hˆa are > q+
or < q−, where m is a protocol parameter. She sends Bob
a message over the public channel containing the locations
of k such excursions in the form of an array of indexes
L = {l1, l2, . . . , lk}. Bob then checks his own sequence hˆb
at the locations specified by the indexes in L to determine
whether it contains an excursion above q+ or below q− for
a duration greater than or equal to ‘m − 1’ samples, i.e.
whether hˆa(li) is > q+ or < q− for a duration that spans
m−1 or more estimates, for each i = 1, . . . , k. Bob identifies
‘good’ indexes by finding all index values l in L that produce
such an excursion in hˆb. He places these indexes into an ar-

ray L˜ to be sent to Alice publicly. Indexes in L but not in L˜
are dropped from consideration by each party. The indexes
in L˜ are used by each user to compute a sequence of bits
by performing the quantization: Q(hˆa(L˜)) and Q(hˆb(L˜)). If

the bit-vectors Q(hˆa(L˜)) and Q(hˆb(L˜)) are equal, then Alice

and Bob succeed in generating |L˜| identical bits. We show
later that provided the levels q+, q− and the parameter m
are properly chosen, the bit sequences generated by the two
users are equal with very high probability. A variation of
the protocol that copes with the spoofing attack is detailed
in Section 4.1.

3.3 Design goals
An important quantity of interest will be the rate of gen-

eration of secret bits, expressed in secret-bits per second or
‘s-bits/sec’. Naturally, it is desirable that Alice and Bob
achieve a high secret-bit rate. According to 802.1x recom-

4A stochastic process is in an excursion when it lies above
or below a specified level for a given duration of time.



mendations, it is generally desirable for master keys to be
refreshed at intervals of one hour [26]. Using these exam-
ples and AES key sizes of 128 bits as a guideline, a con-
servative key rate of roughly 0.1 bits per second is needed,
though it is desirable to achieve higher secrecy rates. How-
ever, we are especially wary of bit errors. If the sequence
Q(hˆa(L˜)) is different from Q(hˆb(L˜)) even by a single bit,
then the two bit-strings cannot be used as cryptographic
keys and consequently the entire batch of bits must be dis-
carded. Therefore, we would like the bit error probability
pe, to be extremely low, so that the probability pk that the
keys generated by the two users do not match is acceptably
small. For example, in order to have a key-mismatch prob-
ability of pk = 10

−6, assuming keys of length 128 bits, we
must target a bit-error probability of pe where

pk = 1− (1− pe)128, (8)
which gives pe ∼ 10−8. A bit-error is defined as the event
that Alice and Bob agree to use a certain index li contained
in the list L˜ for generating a bit, but they end up generating
different bits, i.e. hˆa and hˆb both lie in excursions at the
index li but the excursions are of opposite types.

The rate at which secret bits can be extracted from the
channel is fundamentally limited by the rate of time-variation
in the channel. We quantify this variation by the maximum
Doppler frequency, fd. In a fading channel, fd determines
the both the rate at which the channel varies and the mag-
nitude of the swings produced. A simple measure of the
maximum Doppler frequency in a given wireless environ-
ment is given by fd =

v
λ
, where v is a measure of the effects

of user mobility and the dynamic environment around the
users, expressed in meters/sec and λ is the wavelength of
the carrier wave. In our case λ = c

f0
, where c is the speed of

light. It can be seen that increasing the value m or the mag-
nitudes of the quantizer boundaries q+ & q− would not only
result in a lower rate but also a lower probability of error.
Intuitively, this is because larger magnitudes of q+ & q−, or
a larger value of m makes it less likely that Alice’s and Bob’s
channel estimates lie in opposite type of excursions, thereby
reducing the error rate. However both types of excursions
also become less frequent, thereby decreasing the number of
secret bits that can be generated per second. Thus, there is
a tradeoff between rate and probability of error, and the pa-
rameters q+, q− and m provide convenient controls to select
suitable operating points over this tradeoff. Apart from gen-
erating bits at a reasonable rate and achieving robustness to
errors, we also require the bits to be random and free from
statistical defects. This aspect is discussed in Section 5.3.

Finally, the correlated information obtained by Alice and
Bob can be utilized to build a secret key in a number of
different ways and it is important to make sure the method
employed does not allow Eve to infer any useful information.
An alternative bit extraction scheme is to have each user es-
timate a statistical measure of the channel (e.g. the mean

signal-strength, or variance in the estimates) using hˆa and

hˆb respectively. If the channel is stationary
5, then their re-

spective statistical measures would each converge to the true
value with time. In this way, Alice and Bob will each pos-
sess knowledge about a numerical quantity, without having
actually sent messages over the air containing this quantity.
They could then quantize their estimates of the statistical
measure to generate bits. However, the trouble with using a
statistical measure is that knowledge of the locations of Al-

5By stationary, we mean a channel whose stochastic charac-
teristics do not vary significantly over the time duration of
the key extraction protocol.

ice and Bob and their environment may allow Eve to infer
the statistics of the channel between them. Indeed publicly
available tools, such as the WISE ray-tracer [27], make it
easy to predict the signal statistics at a receiver given the
knowledge of the locations of the transmitter and receiver
and the building’s layout. Thus, it is important to recog-
nize that using a statistical measure for key generation can
be perilous. Our algorithm avoids statistical measures from
influencing the secret-key generation process by relying on
specific instantiations of the fading process.

4. LEVEL-CROSSING ALGORITHM
We now detail our key-extraction algorithm based on level

crossings and quantization of Alice’s and Bob’s channel es-
timates. It is assumed that when the algorithm is run, Alice
and Bob have collected a sufficiently large number of chan-
nel estimates hˆa and hˆb, by alternately probing the channel
between themselves. Further, it is assumed that the vectors
hˆa and hˆb are of equal length and their j

th elements hˆa(j)

and hˆb(j) correspond to successive probes sent by Bob and

Alice respectively, for each j = 1, . . . , length(hˆa). Algorithm
1 describes the procedure and consists of the following steps:

1. Alice parses the vector hˆa containing her channel es-
timates to find instances where m or more successive
estimates lie in an excursion above q+ or below q−.

2. Alice selects a random subset of the excursions found
in step 1 and for each selected excursion, she sends Bob
the index of the channel estimate lying in the center of
the excursion, as a list L. Therefore, if hˆa(i) > q+ or
< q− for some i = istart, . . . , iend, then she sends Bob
the index icenter = ⌊ istart+iend2 ⌋.

3. For each index received from Alice, Bob checks whether
his own vector of channel estimates hˆb contains at least
m−1 channel estimates centered around that index in
an excursion above q+ or below q−, i.e. whether hˆa >
q+ or < q− for each index

˘
l − ⌊m−2

2
⌋, . . . , l + ⌈m−2

2
⌉¯,

for each l ∈ L.
4. For some of the indexes in L, Bob’s channel estimates

do not lie in either excursion. Bob makes a list L˜ of
all indexes that lie in excursions and sends it to Alice.

5. Bob and Alice compute Q(hˆa) and Q(hˆb) respectively

at each index in L˜, thus generating a sequence of bits.
Since Eve’s observations from the channel probing stage

do not provide her with any useful information about hˆa
and hˆb, the messages L and L˜ exchanged between Alice and
Bob do not provide her with any useful information either.
This is because they contain time indexes only whereas the
generated bits depend upon the values of the channel esti-
mates at those indexes. Further, the selection of a random
subset in Step 2 from the set of eligible excursions found in
Step 1, guarantees that Eve cannot use L and L˜ to infer the
values of the channel estimates of Alice or Bob at those time
indexes.

4.1 Preventing a spoofing attack
Since Alice and Bob do not share an authenticated chan-

nel, Eve can impersonate Alice in Step 2, or Bob in Step
4 above, allowing for a spoofing attack. If successful, such
an attack would allow Eve to insert her own ‘fake’ L or
L˜ messages, thereby spoofing a legitimate user to the other
and effectively disrupting the protocol without revealing her
presence to the two users.



Algorithm 1: The basic level crossing algorithm

Input : hˆa and hˆb
Output : A cryptographic key Ka = Kb at Alice and Bob
Alice:

for i = 1 to length(hˆa)−m do

if Q(hˆa[i]) = Q(hˆa[i + 1]) . . . = Q(hˆa[i+m− 1]) then
iend ← last index in excursion

L′ ← [L′ ; ⌊
i+iend

2 ⌋]
i← iend + 1

else
i← i + 1

end

end

L = Random subset of L′

Alice sends L to Bob on PUBLIC_CHANNEL .

Bob:

for l ∈ L do

if Q

hˆb(l− ⌊

m−2
2 ⌋)


= . . . = Q


hˆb(l+ ⌈

m−2
2 ⌉)


then

L˜← [L˜; l]
end

end

Kb = Q

hˆb(L˜)


Bob sends L˜ to Alice on PUBLIC_CHANNEL.

Alice:

Ka = Q(hˆa(L˜))

Our protocol provides a mechanism to detect the adver-
sary in each of the two cases above. We first focus on the
possibility of Eve inserting a fake L-message. Since Eve
has no information about the locations of channel excur-
sions apart from L, she can only make random guesses about
which indexes to place into a fake L-message to Bob (apart
from the ones Eve learns from L). For each guess, she has
a very low probability of choosing an index that lies in an
excursion spanning (m − 1) or more estimates at Bob. Of
these, the indexes that do not lie in an excursion in hˆb are
discarded by Bob while those that do happen to lie in an ex-
cursion are considered eligible for quantization and placed
into the L˜-message sent to Alice. Therefore, an unsuccessful
guess provides no benefit to Eve, while a successful guess,
albeit improbable, causes L˜ to contain an index that was not
present in L, thereby alerting Alice. Thus, Eve must modify
the message L˜ by deleting this index before it reaches Alice.

Our protocol can be made to resist modification of the
L˜-message as follows. Once Bob computes the list L˜, he
can proceed with the quantization stage and compute Kb =
Q(hˆb(L˜)) of length N bits. The first Nau bits of Kb are kept
aside for use as an authentication keyKau = Kb(1, . . . , Nau),
to prevent a spoofing attack and the remaining N − Nau
bits are kept as the extracted secret key K¯b = Kb(Nau +
1, . . . , N). Bob computes a message authentication code for

L˜ using Kau to obtain MAC

Kau, L˜


. Finally, he sends

the package
n
L˜,MAC


Kau, L˜

”o
to Alice. Upon receiv-

ing this package, Alice uses L˜ to form the sequence of bits
Ka = Q(hˆa(L˜)). She uses the first Nau bits of Ka as the au-
thentication key Kau = Ka(1, . . . , Nau), and using Kau she
verifies the message authentication code to confirm that the
package was indeed sent by Bob. Since Eve does not know
the bits in Kau generated by Bob, she cannot modify the
L˜-message without failing authentication at Alice. Finally,
if Eve inserts a significant number of random guesses into
a fake L-message, Bob can detect her presence by comput-
ing the proportion of indexes in L that lead to excursions in
hˆb. Since Eve can only make random guesses, this quantity

would be much lower than one resulting from a legitimate
L-message from Alice. Therefore, even without an authen-

Algorithm 2: Modified algorithm incorporating au-
thentication and resistance to an active attack.

Input : hˆa and hˆb
Output : A cryptographic key K¯a = K¯b at Alice and Bob
Alice:

for i = 1 to length(hˆa)−m do

if Q(hˆa[i]) = Q(hˆa[i+ 1]) = . . . = Q(hˆa[i+ m− 1]) then
iend ← last index in excursion

L′ ← [L′ ; ⌊
i+iend

2 ⌋]
i← iend + 1

else
i← i+ 1

end

end

L = Random subset of L′

Alice sends L to Bob on PUBLIC_CHANNEL.

Bob:

for l ∈ L do

if Q

hˆb(l− ⌊

m−2
2 ⌋)


= . . . = Q


hˆb(l+ ⌈

m−2
2 ⌉)


then

L˜← [L˜; l]
end

end

if
n
|L˜|
|L| < 0.5 + ǫ

o
then

DECLARE ACTIVE ATTACK
else

Kb = Q

hˆb(L˜)


Kau = Kb(1, . . . , Nau)
K¯b = Kb(Nau + 1, . . . , N)

Package =
n
L˜,MAC


Kau, L˜

”o
Bob sends Package to Alice on PUBLIC_CHANNEL.

end

Alice:

Ka = Q

hˆa(L˜)


Kau = Ka(1, . . . , Nau)
K¯a = Ka(Nau + 1, . . . , N)
if MAC validation using Kau fails then

DECLARE ACTIVE ATTACK
end

ticated channel, Alice and Bob can successfully establish
a common secret key despite an active adversary, provided
there are no bit errors. This explains why we insist on a very
low probability of error in Section 3.3. Further, the reduc-
tion in the secret-bit rate is negligible over a long run of the
protocol because the Nau bits used for authentication are a
one-time expense that allow Alice and Bob to bootstrap au-
thentication. A modified version of the secret key extraction
algorithm that incorporates the above ideas is presented as
Algorithm 2 (see Figure 3) and has the following additional
steps:

1. To make sure that the L-message received is really
from Alice, Bob computes the fraction of indexes in L
at which hˆb lies in an excursion spanning (m − 1) or
more estimates. If this fraction is less than 1

2
+ ǫ, for

some fixed parameter 0 < ǫ < 1
2
, Bob concludes that

the message was not really sent by Alice, implying that
an adversary has injected a fake L-message.

2. If the authentication check above passes, Bob replies
to Alice with a message L˜ containing those indexes
in L at which hˆb lies in an excursion. Bob computes

Kb = Q(hˆb(L˜)) to obtain N bits. The first Nau bits are
used as an authentication key to compute a message
authentication code (MAC) of L˜. The remaining N −



Figure 3: Timing diagram for the key-extraction protocol.

Nau bits are kept as the extracted secret key. The

overall message sent by Bob is
n
L˜,MAC


Kau, L˜

”o
.

Another type of active attack involves Eve impersonating Al-
ice or Bob during the channel-probing stage itself, i.e. Eve
may begin sending probes to Bob pretending to be Alice
or vice-versa. Such an attack can be detected using a hy-
pothesis testing approach on the sequence of probes received
at each legitimate user, and this has been extensively stud-
ied in [15, 16]. Essentially, legitimate users compare each
newly received probe against the recent history of received
probes from the other legitimate user using a hypothesis
test. The technique relies on the insight that given a suf-
ficiently fast probing rate, successive probes received at a
legitimate user are most likely to differ by a small amount.
In practice the hypothesis test is implemented by compar-
ing a likelihood ratio [28] with a threshold and is based on
a Neyman-Pearson criterion. We do not present further de-
tails on this type of attack here. Detection of Eve using the
hypothesis test can only be accomplished if Alice and Bob
have already exchanged some probes. If Eve impersonates
either or both legitimate users from the very beginning of
the channel probing stage, then the method is susceptible to
a man-in-the-middle attack wherein Eve can establish two
keys, one each with Alice and Bob, while giving Alice and
Bob he impression that they have established a key with
themselves. We note that this problem can be alleviated
using techniques similar to those used to secure the Diffie-
Hellman protocol.

5. PERFORMANCE EVALUATION
The central quantities of interest in our protocol are the

rate of generation of secret bits, the probability of error
and the randomness of the generated bits. The controls
available to us are the parameters: q+, q−,m and the rate
at which Alice and Bob probe the channel between them-
selves, fs. We assume the channel is not under our con-
trol, and as explained in Section 3.3, the rate at which the
channel varies can be represented by the maximum Doppler
frequency, fd. The typical Doppler frequency for indoor
wireless environments at the carrier frequency of 2.4 GHz

is fd =
v
λ

∼ 2.4×109
3×108

= 8 Hz, assuming a velocity v of 1

m/s. We thus expect typical Doppler frequencies in indoor
environments in the 2.4 GHz range to be of the order of
about 10 Hz and 20 Hz in the 5 GHz range. For automobile
scenarios, we can expect a Doppler of ∼ 200 Hz in the 2.4
GHz range.

5.1 Probability of error
The probability of error, pe is critical to our protocol. As

explained in equation (8), in order to achieve a robust key-
mismatch probability pk, the bit-error probability pe must

2 3 4 5 6 7 8 9 10 11
−8

−7

−6

−5

−4

−3

−2

−1

0

Value of m

Pr
ob

ab
ilit

y
of

b
it

er
ro

r,
p e


(lo

g 1
0

sc
a

le
)

SNR = 0 dB
SNR = 10 dB
SNR = 20 dB
SNR = 30 dB
SNR = 40 dB

Figure 4: Probability of bit error pe for various values of m

at different SNR levels (q± = mean ± 0.8σ)

be much lower than pk. A bit-error probability of pe =
10−7 ∼ 10−8 is desirable for keys of length N = 128 bits.
We have explained in Section 3.3 that there is a fundamental
trade-off in the selection of parameters m, q+ and q− that
affects the rate and probability of error in opposing ways.

The probability of bit-error, pe is the probability that a
single bit generated by Alice and Bob is different at the
two users. The symmetry of the distribution of h allows
us to consider just one type of bit error in computing pe.
Consider the probability that Bob generates the bit “0” at
an index given that Alice has chosen this index but she has
generated the bit “1”. As per our Gaussian assumption on

the parameter h and estimates hˆa and hˆb, this probability
can be expanded as

P (B = 0|A = 1) =
P (B = 0, A = 1)

p(A = 1)
= (9)

Z ∞
q+

Z q−
−∞

. . .

Z ∞
q+| {z }

(2m−1) terms

(2pi)(1−2m)/2

|K2m−1|
1/2

exp
n
− 12x

TK
−1
2m−1x

o
d(2m−1)x

Z ∞
q+

. . .

Z ∞
q+| {z }

(m) terms

(2pi)−m/2

|Km|
1/2

exp
n
− 12x

TK
−1
m x

o
d(m)x

,

where Km is the covariance matrix of m successive Gaus-
sian channel estimates of Alice and K2m−1 is the covariance
matrix of the Gaussian vector (hˆa[1], hˆb[1], hˆa[2], . . . , hˆb[m−
1], hˆa[m]) formed by the combining m channel estimates of
Alice and the m−1 estimates of Bob in between, in chrono-
logical order. The numerator in (9) is the probability that of
2m− 1 successive channel estimates (m belonging to Alice,
and m − 1 estimates in between belonging to Bob), all m
of Alice’s estimates lie in an excursion above q+ while all
m− 1 of Bob’s estimates lie in an excursion below q−. The
denominator is simply the probability that all of Alice’s m
estimates lie in an excursion above q+. We compute these
probabilities for various values of m and present the results
of the probability of error computations in Figure 4. The
results confirm that a larger value of m will result in a lower
probability of error. This is because a larger m makes it less
likely that Alice’s and Bob’s estimates would lie in opposite
types of excursions. Note that if either user’s estimates do
not lie in an excursion at a given index, a bit error is avoided
because that index is discarded by both users.

5.2 Secret-bit rate
The correct way to address the tradeoff between prob-

ability of error and rate of generation of secret bits is to
upper bound the acceptable probability of error and then
attempt to derive the greatest possible rate. How many
s-bits/second can we expect to derive from a time-varying
channel? An approximate analysis can be done using the



0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5
0

2

4

6

8

10

12

Probing rate (KHz)

R
at

e
in

s
ec

re
t b

its
/s

ec

(a)

m=2
m=4
m=8
m=14
m=20

0 5 10 15 20 25 30 35 40 45 50
0

20

40

60

80

100

120

(b)
Probing rate (KHz)

R
at

e
in

s
ec

re
t b

its
/s

ec

m=2
m=4
m=8
m=14
m=20

fd = 10 Hz

fd = 100 Hz

Figure 5: Rate in secret bits per second for various values of

m, against probing rate for a channel with Doppler frequency

(a) fd = 10 Hz and (b) fd = 100 Hz (q± = mean ± 0.8σ)

level-crossing rate for a Rayleigh fading process, given by

LCR =

2πfdρe

−ρ2 [22], where fd is the maximum Doppler
frequency and ρ is the threshold level, normalized to the root
mean square signal level. Setting ρ = 1 in this expression
gives LCR ∼ fd.

The above calculation tells us that we cannot expect to
obtain more s-bits per second than roughly the order of fd.
In practice, the rate of s-bits/sec depends also on the channel
probing rate fs, i.e. how fast Alice and Bob are able to send
each other probe signals. In Figure 5 (a) and (b), we plot the
rate in s-bits/sec as a function of the channel probing rate
for a wireless channel with maximum Doppler frequencies of
fd = 10 Hz and fd = 100 Hz respectively. As expected, we
find that the number of s-bits the channel yields increases
with the probing rate, but saturates at a value that is of the
order of fd. A more precise analysis of the secret-bit rate can
be performed as follows: The number of s-bits/sec equals
the number of s-bits per observation times the number of
observations per second, i.e. the probing rate. Therefore

Rk = H(bins) × p(A = B) ×
fs

m
(10)

= 1× (p(A = 1, B = 1) + p(A = 0, B = 0))×
fs

m
(11)

= 2
fs

m
× p(A = 1, B = 1) (12)

=2
fs

m
.

Z ∞
q+

. . .

Z ∞
q+| {z }

(2m−1) terms

(2π)
1−2m

2

|K2m−1|1/2
e

n
− 1

2
xTK

−1
2m−1x

o
d
2m−1

x,(13)

where H(bins) is the entropy of the random variable that
determines which bin (> q+ or < q−) of the quantizer the
observation lies in, which in our case equals 1 assuming that
the two bins are equally likely6. The probing rate fs is
normalized by a factor of m because a single ‘observation’
in our algorithm is a sequence of m channel estimates. The
expression in (13) is reminiscent of the probability of error
expression in (9) and has been evaluated in Figure 5.

Figure 5 confirms the intuition that the secret bit rate
must fall with increasing m. This is because the longer du-
ration excursions of the Gaussian processes required by a
larger value of m are less frequent. In Figure 6 (a), we inves-
tigate how the secret-bit rate Rk varies with the maximum
Doppler frequency fd, i.e. as the amount of time-variation
of the channel is changed. We found that for a fixed channel

6The levels q+ and q− are chosen so as to maintain equal
probabilities for the two bins.

0 50 100 150 200 250
0

50

100

150

200

250

Doppler frequency fd (Hz)

Se
cr

et
b

its
p

er
s

ec
on

d

m=2
m=3
m=4
m=5
m=6

Probing rate f
s
= 4 Khz

(a)

0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2
0

5

10

15

Value of α

Se
cr

et
b

its
p

er
s

ec
on

d

f
s
= 3.5 KHz, any m

m=4, f
s
= 500 Hz

m=8, f
s
= 500 Hz

m=12, f
s
= 500 Hz

q
+
= mean+α⋅σ

q


= mean−α⋅σ

fd = 10 Hz

(b)

Figure 6: (a) Secret-bit rate for varying Doppler fd and

fixed fs for various values of m (b) Rate as a function of

function of quantizer levels q+ & q− parametrized by α.

probing rate (in this case, fs = 4000 probes/sec), increas-
ing fd results in a greater rate but only up to a point, after
which the the secret-bit rate begins to fall. Thus, ‘running
faster’ does not always help unless we can increase the prob-
ing rate fs proportionally. This suggests that not only does
each channel have an optimal minimum probing rate for de-
riving the best possible secret-bit rate, but each probing rate
also corresponds to a most ‘useful’ maximum Doppler fre-
quency. Figure 6(b) shows the expected decrease in rate as
the quantizer levels q+ and q− are increased in magnitude.
In this figure, α denotes the number of standard deviations
from the mean at which the quantizer levels are placed.

5.3 Randomness of generated bits
Guaranteeing that the generated bits are random is crucial

because they are intended for use as a cryptographic key.
Since we have assumed the adversary possesses complete
knowledge of our algorithm, any non-random behavior in the
bit sequences can be exploited by the adversary to reduce
the time-complexity of cracking the key. For example, if the
algorithm is known to produce a greater proportion of ‘1’s
than ‘0’s, then the effective search space for the adversary
would be reduced. Consequently a variety of statistical tests
have been devised to test for various defects [29].

In evaluating the randomness of bit sequences generated
by our algorithm, we focus on Maurer’s universal statistical
test [30], a widely accepted benchmark for testing random-
ness. The test statistic relates closely to the per-bit entropy
of the sequence, and thus measures the actual cryptographic
significance of a defect as related to the running time of an
adversary’s optimal key-search strategy [30]. It detects a
broad class of statistical defects and therefore subsumes a
number of other standard tests.

In addition to Maurer’s universal test, we ran a few other
basic tests using the public-domain test suite made available
by NIST [31]. We refer the interested reader to [32] for a
description of these tests and the definitions of p − value
for each test. The results for these are summarized in Table
2. Subsequent runs produced comparable results and thus
support the conclusion that our algorithm provides random
bits. In particular, Maurer’s test showed the average entropy
of our bit-sequences is very close to the value expected for
a truly random sequence. This can be possible only if suc-
cessive bits are almost independent of one another, which
in turn requires that they must be separated in time by at
least a ‘coherence time’ interval. Since the coherence time of
a channel is inversely proportional to the Doppler frequency,
extracting bits from a channel at a rate significantly greater
than fd cannot possibly produce random bits. We observed



Test P-value

Maurer’s Test 0.8913
Monobit frequency 0.9910
Runs Test 0.1012
Approx. entropy 0.8721
Random excursions 0.5829
Lempel Ziv 1.0000

Table 2: Results from randomness tests on bit sequences

(108 bits) produced by our algorithm for fd = 10 Hz, fs = 30

Hz, m = 5 and q+, q− = mean ± 0.2σ. In each test, a p-value

> 0.01 indicates the sequence is random.

in Section 5.2 that the rate at which our algorithm gen-
erates secret bits is bounded from above by approximately
the maximum Doppler fd - therefore our algorithm produces
bits slow enough for them to be random. Finally, we note
that the selection of a random subset of excursions by Alice
effectively allows her some control on selecting the final key
generated. Thus, even if a particular run happens to pro-
duce excursions at Alice containing a statistical defect in the
resulting bit sequence, she can fix the defect to some extent
by suitably choosing L from among eligible excursions.

5.4 Summarizing insights
The rate in secret bits per second that Alice and Bob de-

rive from a time-varying channel is fundamentally limited by
the rate of time-variation in the channel. To maximize rate,
we need to probe the channel fast enough. Given the fastest
possible rate at which we can probe, the parameters m, q+
and q− can be tuned to keep the probability of error within
an acceptable bound. Increasing m or the magnitudes of
q+, q− provides a drop in the error probability at the cost
of a decrease in the secret-bit rate. Further, increasing the
amount of temporal variation in a channel helps increase
the secret-bit rate but only up to a point, after which fur-
ther increase in temporal-variation produces a decrease in
the rate, unless it is accompanied by a proportional increase
in the channel probing rate. Standard randomness tests in-
dicate that our algorithm is resilient to attacks exploiting
randomness defects. Key rates significantly greater than the
maximum Doppler frequency cannot result in truly random
bits.

6. VALIDATION USING 802.11A
We now describe our experimental efforts to validate our

algorithm for typical indoor environments. Our experiments
were divided in two parts. In the first study, we delved into
the structure of an 802.11 packet to access the preamble
sequence [33] in the received signal to compute a 64-point
channel impulse response (CIR) that showed one or more
resolvable dominant paths as separate peaks. We used the
magnitude of the tallest peak in the CIR, which corresponds
to the dominant multipath, as the channel parameter of in-
terest in our algorithm. To access received signal informa-
tion at the sample level, we used an 802.11 development
platform with FPGA-based customized logic added for pro-
cessing CIR. Our results showed that our algorithm works
very well for both static and mobile scenarios, producing
error-free secret bits at rates ∼ 1 s-bits/sec in the tested
indoor environments.

Encouraged by the CIR results, we sought to determine
whether unmodified off-the-shelf 802.11 hardware could achieve
comparable results. Therefore, for the second study, we used
coarse RSSI measurements reported in the Prism headers7

7The Prism header is available on Atheros 802.11 cards using
the Madwifi [34] driver and contains RSSI and MAC-layer
timestamps among other parameters.

(a)
(b)

Figure 7: (a) Our experimental platform - a development

board for a commercial 802.11a/b/g modem IP, to which we

added custom logic to process CIR information. (b) Timing

diagram for collecting CIR information using PROBE packets

Figure 8: A layout of the experimental setup for the CIR

method (distances in cm)

of 802.11 packets exchanged between commercially available
802.11a radios, with one legitimate user configured as an
access point (AP mode) and the other as a client (station
mode), and a third user configured to listen (station mode)
on transmissions from both legitimate users.

6.1 CIR method using 802.11a

6.1.1 Experiment setup
Our experimental platform (Figure 7(a)) consisted of an

802.11 development board with commercial 802.11a/b/g mo-
dem IP, to which we added custom logic to extract the chan-
nel impulse response from received packets. This allowed us
to pull out received signal information at a level not normally
accessible using commodity 802.11 hardware and drivers.
Two such boards were set up as Alice and Bob, while a
third board was configured to be Eve. Alice was configured
to be an access point (AP mode), and Bob was configured to
be a client (station mode). The experiment involved Bob
sending PROBE request messages to Alice, who then replied
with a PROBE response message (Figure 7(b)). Limitations
of our development boards allowed us to have Eve listen on
either Alice or Bob, but not both. In the results presented
here, Eve has been configured to listen in on Alice. In the
first experiment, Alice and Eve were placed in a laboratory,
while Bob was placed in an office cubicle outside the lab.
Figure 8 shows the layout of the three users and the sur-
rounding environment. In the second experiment, Alice and
Eve remained in the same positions while Bob circled the
cubicle area along the trajectory in Figure 8 in a cart on
wheels.

Figure 9 shows a 64-point CIR obtained from a single
802.11a PROBE request packet received at Alice, along with
the corresponding CIR computed from the PROBE response
packet received by Bob in reply. Also shown is the CIR



0 10 20 30 40 50 60
0

0.2

0.4

0.6

0.8

1

1.2

1.4

1.6

Sample number

M
ag

ni
tu

de
Alice’s CIR
Bob’s CIR
Eve’s CIR

Figure 9: The 64-point CIR from a single 802.11 packet.

For our key-extraction algorithm, we use the magnitude of

the main peak as the channel parameter of interest.

0 100 200 300 400 500 600 700 800 900 1000
1

1.2

1.4

1.6

1.8

CIR index
(a)

M
ag

ni
tu

de
(m

ain
pe

ak
) Eve’s CIR

Bob’s CIR
Alice’ CIR
"1" bits
"0" bits

150 160 170 180 190 200 210 220 230 240 250
1.1

1.2

1.3

1.4

1.5

1.6

1.7

CIR index
(b)

M
ag

ni
tu

de
(m

ain
pe

ak
)

Key generated by Alice: 111000111110111111111111000011001000000010001
Key generated by Bob: 111000111110111111111111000011001000000010001
Key inferred by Eve: 010001010000000010001000100000000000000100000

q
+


q




Figure 10: (a) Traces of Alice, Bob and Eve. Variation in

avg. signal power produces longs strings of 1s and 0s. (b) A

magnified portion of the traces.

as computed by Eve, using the overheard PROBE response
packet from Alice. For the purpose of our algorithm, we use
only the magnitude of the main peak in the CIR.

Figure 10 shows the traces of the CIR’s main peak’s mag-
nitude at Alice and Bob for our first experiment. While our
experiment ran for ∼ 22 minutes, in the interest of space and
clarity we show 1000 CIRs collected over a duration of ∼ 110
seconds. The traces show significant changes in average sig-
nal power, ostensibly due to time-variations in the wireless
environment between Alice and Bob (see Figure 8). If each
user simply uses this data as input to the level-crossing bit-
extraction algorithm, the generated key has long strings of
1s and 0s (see Figure 10). This is because we are attempt-
ing to include the effect of shadow fading [22] (also called
large-scale fading) that produces large but slow swings in
the average signal power, into the key generation algorithm.
In other words, the channel in Figure 10 is not stationary.
Each user locally computes q+ and q− as:

qu+ = mean(hˆu) + α · σ(hˆu) (14)
qu− = mean(hˆu)− α · σ(hˆu), (15)

where u can be Alice or Bob, hˆu is the set of magnitudes

of the CIR’s main peak collected by user u, and σ(hˆu) rep-

resents the standard deviation of hˆu. The factor α can be
selected to vary the quantizer levels. We chose α = 1

8
for

the CIR-method. The effect of the underlying shadow fading

0 100 200 300 400 500 600 700 800 900
−0.4

−0.3

−0.2

−0.1

0

0.1

0.2

0.3

CIR index
(a)

M
ag

ni
tu

de
(m

ain
pe

ak
)

150 160 170 180 190 200 210 220 230 240 250
−0.4

−0.3

−0.2

−0.1

0

0.1

0.2

0.3

CIR index
(b)

M
ag

ni
tu

de
(m

ain
pe

ak
)

Alice’s CIR
Bob’s CIR
Eve’s CIR
"1" bits
"0" bits

Key generated by Alice: 10101011010011001011010010100100010010001010101101010101010
Key generated by Bob: 10101011010011001011010010100100010010001010101101010101010
Key inferred by Eve: 00100100101000101110010 101000110011010100001101101111011010

q
+


q




Figure 11: (a) Traces of Alice and Bob after subtracting

average signal power. Using m = 5, N = 59 bits were gener-

ated in 110 seconds (Rk = 0.54 s-bits/sec) while m = 4 gives

N = 125 bits (Rk = 1.13 s-bits/sec.) with no errors in each

case. (b) A magnified portion of (a)

contained in the collected data can be removed by subtract-
ing a moving average of each trace from the original trace.
This leaves only the small scale fading that we wish to use
in our algorithm. The result is shown in Figure 11. In this
way, not only do we do away with the problem of long strings
of 1s and 0s, we also prevent the average signal power from
affecting our key generation process. Using the small scale
fading traces, our algorithm generates N = 125 s-bits in 110
seconds (m = 4), yielding a key rate of about 1.13 s-bits/sec.

6.1.2 Contrasting Eve’s attempts
Figures 10 shows a trace of Eve’s CIR peak as overheard

from Bob along with Alice’s and Bob’s traces. Figure 11
shows the bits that Eve would generate if she carried through
with the key-generation procedure. The mutual informa-
tion [9] (M.I.) between Eve’s data and Bob’s data is a use-
ful measure of the information learned by Eve about Bob’s
measurements hˆb and can be compared to the mutual infor-

mation between Alice’s and Bob’s estimates hˆa and hˆb. Ta-
ble 3 gives these mutual information values computed using
the method in [35]. As a consequence of the data process-
ing inequality [9], any processing of the received signal by
Eve would only reduce her information about the Alice-Bob
channel, and therefore the M.I. values in Table 3 provide up-
per bounds on the information about the Alice-Bob channel
leaked out to Eve. The results from our second experiment
with a moving Bob are very similar to the ones shown for the
first experiment, although with fewer bits produced. Due to
space limits, we do not present plots for the mobile experi-
ment but instead summarize our results in Table 3. It is no-
table that in the static case the M.I. between Eve and Bob
is orders of magnitude smaller than that between Alice and
Bob and very close to zero, indicating that Eve is unable
to derive any significant information about the Alice-Bob
channel. Further, the M.I. between Eve and Bob is lower in
the mobile case compared to the static case, indicating that
mobility actually helps strengthen the secrecy of generated
keys.

6.2 Coarse measurements using RSSI

6.2.1 Experiment setup



(a)

(b)

Figure 12: (a) Timing diagram for collecting RSSI infor-

mation using PING packets in the RSSI-method. (b) Exper-

imental Layout for RSSI-based method showing trajectories

of Bob and Eve, while Alice (the AP) was kept stationary.

The setup consisted of three off-the-shelf 802.11 radios.
Alice was configured in AP mode along with a virtual moni-
tor interface to capture received packets. Bob was a client,
consisting of a laptop with a 802.11a card configured in sta-
tion mode, along with virtual monitor mode for capturing
received packets. Eve was a third 802.11a node, identical
in configuration to Bob, but capable of receiving packets
from both Alice and Bob. In our experiment, Alice was sta-
tionary, while Bob and Eve moved along fixed trajectories.
Atheros [36] WiFi cards based on the 5212 chipset were used
at each end along with the Madwifi driver [34] for Linux.
The experiments were done in the 5.26 GHz channel. The
AP-station configuration ensured that MAC-layer clocks at
the two nodes were synchronized. Figure 12 (b) shows the
layout of the office building along with the location of the
fixed AP and path followed by the mobile client. ICMP PING
packets were sent from the AP to the client at a rate of 20
packets per second. Each PING request packet received at
the client generates a MAC-layer acknowledgment packet
sent back to the AP, followed by a PING response packet.
Upon receiving the PING response packet, the AP similarly
replies with a MAC-layer ACK packet.

Figure 12 (a) shows the sequence in which these packets
are sent. A tcpdump [37] application running on both the AP
and the client side recorded and time-stamped all packets re-
ceived on the monitor interface of each user. The experiment
consisted of sending 8, 000 packets from Alice to Bob. The
tcpdump traces at each end were filtered using the MAC ad-
dress field to keep only the four types of packets described
above. Further, RSSI and MAC-timestamps were pulled out
of each packet to generate a trace of (timestamp,RSSI)
pairs.

6.2.2 Modification to handle timestamps
We note that since the precise time instants at which the

PING response and PING request messages are received Al-
ice and Bob respectively cannot be controlled, there was no
way to guarantee that successive PING request messages re-
ceived by Bob were separated in time by exactly one PING
response received in between by Alice. Therefore MAC-
layer timestamps were essential to time-align RSSI informa-
tion at Alice & Bob since we did not have index numbers
with which to reference RSSI values. This required a slight
variation in our algorithm to handle MAC-timestamps in-

2.15 2.2 2.25 2.3 2.35 2.4 2.45 2.5
x 109

20

30

40

50

60

70

80

MAC layer timestamp (µs)

R
SS

I r
ec

ei
ve

d

Alice’s recd. RSSI
Bob’s recd. RSSI
"1" bits
"0" bits
Eve’s RSSI from ALice
Eve’s RSSI from Bob

0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 1 0 1 1 1 1 1 0 1 1 1 1 1 1 1 1 0
1 1 0 1 0 0 1 1 1 1 1 1 1 1 1 1 0 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 0 1 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 1 0 0 0 0 0 0 0 1 0 1 0 1 0 1
0 1 1 1 0 1 1 1 1 0 1 0 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 1 0 1 1 1 1 1 0 0 1 0 1 0 0 1 1
0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 0
0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1

Key generated
by Alice & Bob:

Bob → Eve

Alice → Eve

Bob → Alice

Alice → BobLong strings of 1s & 0s

Figure 13: RSSI traces of Alice and Bob and bits generated.

This plot includes the effect of shadow fading.

2.15 2.2 2.25 2.3 2.35 2.4 2.45 2.5
x 109

−5

0

5

10

15

MAC−timestamp (µs)
(a)

R
SS

I (5
−p

kt
av

era
ge

)

2.335 2.336 2.337 2.338 2.339 2.34 2.341 2.342
x 109

−6

−4

−2

0

2

4

6

8

MAC−timestamp (µs)
(b)

R
SS

I (5
−p

kt
av

era
ge

) AliceBob
"1" bits
"0" bits

Alice recd. RSSI
Bob’s recd RSSI
"0" bits
"1" bits

0 1 1 1 1 0 0 1 1 1 0 0 0 0 1 0 1 0 1 1 1 0 1
0 1 0 0 1 1 0 1 0 1 0 0 0 0 1 0 0 0 1 1 0 1 0
1 0 0 0 1 0 1 0 1 0 1 0 0 0 1 1 1 1 1 1 0 1 1
0 0 0 0 1 1 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1
1 1 0 1 0 0 1 1 1 1 0 1 0 0 1 0 0 0 1 1 0 0 0
1 0 1 0 1 0 0 1 0 0 1 1 1 0 1 0 0 0 1 1 1 1 0
1 0 1 1 1 0 1 1 0 1 0 0 1 0 1 1 0 0 0 1 0 1 1
0 1 0 1 0 1 0 1 1 1 0 1 1 1 0 0 0 0 1 0 1 0 1
1 0 1 0 1 1 0 1 1 1 0 1 1 1 1 0 1 1 0 0 1 0 1
1 0 1 0 0 1 1 0 0 0 1 0 0 1 1 1 0 1 0 0 1 0 0

1 1 1 1 0 1 0 1 1 0 0 1 0 0 1 0 1 0 1 1 1 0 0
0 1 1 0 0 1 1 0 1 0 0 1 1 1 0 1 0 1 0 1 1 0 0
0 1 0 0 1 1 1 1 0 0 1 1 0 0 1 0 1 1 0 1 0 1 0
0 1 1 1 1 1 0 0 1 0 0 0 1 0 1 0 0 0 1 1 1 0 0
0 1 1 0 1 1 0 0 0 1 0 0 1 1 1 0 1 0 1 1 1 1 0
0 0 1 0 1 1 0 1 0 1 0 0 1 0 1 1 0 0 1 0 0 1 1
1 1 0 0 0 0 1 0 1 1 0 1 0 1 1 1 0 0 1 0 1 1 1
0 0 0 1 1 0 1 0 1 0 1 0 1 1 0 1 0 1 0 1 0 1 0
0 1 0 0 0 1 0 1 0 1 1 0 1 0 0 0 1 0 1 1 0 1 1
1 1 0 0 1 0 1 1 1 0 0 0 1 0 1 1 0 0 1 0 0 1 1

0 0 1 1
1 0 0 0
1 0 1 1
1 1 0 1
0 0 1 1
1 1 0 0
0 1 0 0
1 0 0 1
0 0 0 1
1 0 0 1

q




q
+


Key @ Alice
and Bob:

Figure 14: RSSI traces of Alice & Bob after subtracting

windowed mean. We get 511 bits in 392 sec using m = 4

(Rk = 1.3 s-bits/sec.)

stead of indexes in the messages exchanged between Alice
and Bob. The modifications may be summarized as:

1. Instead of sending index numbers to Bob, Alice now
sends MAC-timestamps in the message L (see Algo-
rithm 1 in Section 4).

2. For each MAC-timestamp sent by Alice, Bob finds the
MAC-timestamp in his own trace that is closest in time
to the value of the timestamp sent by Alice.

3. Bob uses the packet determined in Step 2 above as
if it were the index sent by Alice. He checks for the
presence of excursions above q+ or below q− centered
at this packer as in Algorithm 1.

The RSSI field in the Prism header of received 802.11 pack-
ets reports RSSI as integers, thereby providing only coarse
channel information. Moreover, the 802.11 cards at Alice
and Bob may not be relatively calibrated and thus may re-
port different values of RSSI. We found in our experiments
that although lacking calibration, the temporal variations in
RSSI are matched in Alice’s and Bob’s traces. This problem
was solved by subtracting out a moving average of the trace
to remove the effects of slowly varying average signal power,
as in the CIR method. Figure 13 shows the raw RSSI traces



CIR-based method
Value of m used 4
Choice of q+, q− mean ±0.125σ
Duration of experiments 1326 sec (∼ 22 min.)
Inter-probe duration 110 msec.
Static case:
Average secret-bit rate 1.28 s-bits/sec.
I(Alice; Bob) 3.294 bits
I(Bob; Eve) 0.0468 bits
Mobile case:
Average secret-bit rate 1.17 s-bits/sec.
I(Alice; Bob) 1.218 bits
I(Bob; Eve) 0.000 bits

RSSI-based method
Value of m used 4
Choice of q+, q− mean ±0.5σ
Average secret-bit rate 1.3 s-bits/sec
Inter-probe duration 50 msec.
Duration of experiment 400 sec.
I(Alice; Bob) 0.78 bits
I(Alice; Eve) 0.00 bits
I(Bob; Eve) 0.07 bits

Table 3: Summary of experimental results. I(u1;u2) denotes

the mutual information (M.I.) between the measurements of

users u1 and u2.

collected by Alice and Bob plotted against their received
MAC-timestamps. As in the CIR-method, the traces ex-
hibit strong variations in average signal power. We average
out the large-scale variations and keep only the small scale
fading effect. The result is shown in Figure 14. Our algo-
rithm produces secret bits at a rate of almost 1.3 s-bits/sec
using m = 4, where q+ and q− were computed independently
by each user as in (14)-(15) with α = 1

2
.

6.2.3 Contrasting Eve’s attempts
We plot the RSSI traces captured by Eve for both Alice’s

and Bob’s signal in Figure 13. The traces from Alice and
Bob after considering only variations about a moving aver-
age, are shown in Figure 14 along with the key generated
by Alice and Bob. Even with coarse RSSI measurements
that represent the average received signal power per-packet
over the entire 802.11 channel bandwidth, Alice and Bob can
exploit reciprocity of their channel to successfully generate
secret bits at a fairly good rate. We compute the pair-wise
M.I. between the traces of Eve, Alice and Bob in Table 3.
As in the CIR-method, we find that Eve gets almost no in-
formation about the Alice-Bob channel.

7. DISCUSSION AND CONCLUSIONS
The properties of the wireless medium can support secu-

rity objectives for wireless systems by making it easier to
establish cryptographic keys. In this paper, we proposed
a protocol that exploits the reciprocity of the transfer func-
tion of the wireless multipath channel to establish a common
cryptographic key between two communicating entities. Our
protocol obtains a security advantage from the fact that the
channel response decorrelates rapidly with distance from ei-
ther communicator, implying that there is strong protection
against a passive eavesdropper as well as an active adver-
sary attempting a spoofing attack. The performance of our
scheme was evaluated and important insights relating the
probing rate, quantizer parameters and the resulting secret
key generation rate were provided.

We also presented the results of a thorough effort to ex-
perimentally validate the utility of the wireless channel for
secret key generation. We validated our algorithm through
two complementary efforts. First, we constructed a system
to extract channel impulse response information on a cus-

tomized 802.11 development platform, where we utilized the
802.11a preamble to compute channel impulse responses on
a per-packet basis. Second, we used off-the-shelf 802.11a
cards for collecting coarse RSSI measurements. In both
cases, our algorithm worked well, generating secret bits at
a useful rate without any errors. We showed that an eaves-
dropper shares minuscule mutual information with legiti-
mate communicators, thereby supporting security against
eavesdroppers. Our work demonstrates that the multipath
information that is inherent in any wireless system (and is
normally discarded after physical layer processing), can suc-
cessfully support key establishment. More importantly, we
showed that although this capability is possible with custom
architectures, it can actually be achieved using off-the-shelf
radio platforms, and thus could lead to an immediate impact
on the security of commodity wireless systems.

The astute reader might inquire about whether varying
levels of interference at different locations in the environ-
ment would affect the secret key generation process. Our
work has provided fundamental tradeoffs relating signal-to-
interference levels to quantizer parameter selection for an
isotropic noise background. By conservatively selecting pro-
tocol parameters (e.g. selecting a larger value of m (see
Figure 4)), it is possible to improve robustness in the key
generation process, though at the cost of lowering the rate.

Beyond our fundamental observations and feasibility stud-
ies, there are many avenues for advancing the proposed pro-
tocol that could make our scheme more powerful. In partic-
ular, we have used a simple two-level scalar quantizer, and
we note that the quantizer could be optimized through vec-
tor quantization, which would allow for improved trade-off
between key generation rate and probability of error. This is
a non-trivial optimization problem though and is part of our
ongoing effort. Finally, we note that many emerging wire-
less systems are moving toward adopting MIMO or OFDM
as a means to enhance communication rates. Our algorithm
would naturally benefit from both of these, as multiple un-
correlated channels between two users would lead to a pro-
portional increase in the secret-bit extraction rate.

8. REFERENCES
[1] Method and system for deriving an excryption key using joint

randomness not shared by others. InterDigital
Communications Corporation, US Patent Application
ITC-2-1135.01.WO, 2006.

[2] System for fast secret-key extraction from a wireless channel
prior to authentication and key distribution in a wireless

communication system. InterDigital Invention Disclosure No.
9-8164, 2008.

[3] U. Maurer, “Secret key agreement by public discussion from
common information,” IEEE Transactions on Information
Theory, vol. 39, no. 4, pp. 733–742, 1993.

[4] R. Ahlswede and I. Csiszar, “Common randomness in
information theory and cryptography – Part I: Secret sharing,”
IEEE Transactions on Information Theory, vol. 39, no. 4, pp.
1121–1132, 1993.

[5] J. Cardinal and G. V. Assche, “Construction of a shared secret
key using continuous variables,” Info. Theory Workshop, 2003.

[6] G. Brassard and L. Salvail, “Secret key reconciliation by public
discussion,” Advances in Crytology Proc. - Eurocrypt ’93,
Lecture Notes in Computer Science, vol. 765, pp. 410–423,
1994.

[7] C. Ye, A. Reznik, and Y. Shah, “Extracting secrecy from jointly
Gaussian random variables,” in Proceedings of IEEE Int. Symp
on Info. Theory, Jul 2006, pp. 2593 – 2597.

[8] C. Cachin and U. M. Maurer, “Linking information
reconciliation and privacy amplification,” Journal of
Cryptology: the journal of the International Association for
Cryptologic Research, vol. 10, no. 2, pp. 97–110, Spring 1997.

[9] T. M. Cover and J. A. Thomas, Elements of Information
Theory. John Wiley, 1991.



[10] C. H. Bennett, G. Brassard, and J.-M. Robert, “Privacy
amplification by public discussion,” SIAM J. Comput., vol. 17,
no. 2, pp. 210–229, 1988.

[11] W. T. Buttler, S. K. Lamoreaux, J. R. Torgerson, G. H. Nickel,
C. H. Donahue, and C. G. Peterson, “Fast, efficient error
reconciliation for quantum cryptography,”Phys. Rev. A,
vol. 67, p. 052303, 2003.

[12] G. V. Assche, Quantum Cryptography and Secret Key
Distillation. Cambridge University Press, 2006.

[13] U. Maurer and S. Wolf, “Secret key agreement over a
non-authenticated channel -Part II: The simulatability
condition,” IEEE Transactions on Information Theory,
vol. 49, no. 4, pp. 832–838, Apr. 2003.

[14] Z. Li, W. Xu, R. Miller, and W. Trappe, “Securing wireless
systems via lower layer enforcements,” in WiSe ’06:
Proceedings of the 5th ACM workshop on Wireless security,
2006, pp. 33–42.

[15] N. Patwari and S. K. Kasera, “Robust location distinction using
temporal link signatures,” in MobiCom ’07: Proceedings of the
13th annual ACM international conference on Mobile
computing and networking, 2007, pp. 111–122.

[16] L. Xiao, L. Greenstein, N. Mandayam, and W. Trappe,
“Fingerprints in the ether: Using the physical layer for wireless
authentication,” in Proceedings of the IEEE Int.. Conf. on
Comm., pp. 4646 – 4651.

[17] B. Azimi-Sadjadi, A. Kiayias, A. Mercado, and B. Yener,
“Robust key generation from signal envelopes in wireless
networks,” in CCS ’07: Proceedings of the 14th ACM
conference on Computer and communications security, 2007,
pp. 401–410.

[18] R. Wilson, D. Tse, and R. Scholtz, “Channel identification:
Secret sharing using reciprocity in UWB channels,” IEEE
Transactions on Information Forensics and Security, vol. 2,
no. 3, pp. 364–375, 2007.

[19] T. Aono, K. Higuchi, T. Ohira, B. Komiyama, and H. Sasaoka,
“Wireless secret key generation exploiting reactance-domain
scalar response of multipath fading channels,” IEEE
Transactions on Antennas and Propagation, vol. 53, no. 11,
pp. 3776–3784, Nov 2005.

[20] A. Hassan, W. Stark, J. Hershey, and S. Chennakeshu,
“Cryptographic key agreement for mobile radio,” Digital Signal
Processing, vol. 6, pp. 207–212, 1996.

[21] H. Koorapaty, A. Hassan, and S. Chennakeshu, “Secure
information transmission for mobile radio,” IEEE
Communication Letters, vol. 4, no. 2, Feb 2000.

[22] T. S. Rappaport, Wireless Communications: Principles and
Practice. Prentice Hall PTR., 2001.

[23] A. Goldsmith, Wireless Communications. New York, NY,
USA: Cambridge University Press, 2005.

[24] J. K. Tugnait, L. Tong, and Z. Ding, “Single-user channel
estimation and equalization,” IEEE Signal Processing
Magazine, vol. 17, pp. 16–28, 2000.

[25] W. C. J. Jr., Microwave Mobile Communiations. Wiley, 1974.

[26] T. Moore, “IEEE 802.11-01/610r02: 802.1x and 802.11 key
interactions,”Microsoft Research, 2001.

[27] S. Fortune, D. M. Gay, B. Kernighan, O. Landron, R. A.
Valenzuela, and M. Wright, “Wise design of indoor wireless
systems: practical computation andoptimization,”
Computational Science and Engineering, IEEE, vol. 2, no. 1,
pp. 58–68, April 1995.

[28] H. L. V. Trees, Detection, Estimation and Modulation
Theory: Part I. Wiley-Interscience, 2001.

[29] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone,
Handbook of Applied Cryptography. CRC Press, 1996.

[30] U. M. Maurer, “A universal statistical test for random bit
generators,” Journal of Cryptology, vol. 5, pp. 89–105, 1992.

[31] “http://csrc.nist.gov/groups/st/toolkit/rng/.”

[32] NIST, “A statistical test suite for the validation of random
number generators and pseudo random number generators for
cryptographic applications,” 2001.

[33] “IEEE standard 802.11a: Part 11 wireless LAN medium access
control (MAC) and physical layer (PHY) specifications:
High-speed physical layer in the 5 GHz band.”

[34] “http://www.madwifi.org/.”

[35] Q. Wang, S. R. Kulkarni, and S. Verdu, “A nearest-neighbor
approach to estimating divergence between continuous random
vectors,” in Int. Symp. on Inform. Theory, 2006, pp. 242–246.

[36] “http://www.atheros.com/.”

[37] “http://www.tcpdump.org.”