An anti-collusion attack defense method for physical layer key generation scheme based on transmission delay

Introduction

With the development of communication and Internet of Things technology, more and more intelligent devices are used in all aspects of society and life. Urban intelligent transportation, industrial modernization, smart grid, smart home, and smart driving all need the support of intelligent devices (Asghari, Rahmani & Javadi, 2019). Large-scale heterogeneous devices are faced with increasingly complex application scenarios and increasingly blurred network boundaries (Kouicem, Bouabdallah & Lakhlef, 2018), and more and more application scenarios require cross-domain information interaction. However, due to the lack of effective encryption communication scheme support, unencrypted sensitive data can be easily intercepted by third parties, resulting in serious security problems such as information leakage and data tampering (Lu & Xu, 2019), which may seriously endanger the safety of people’s lives and property.

Faced with these large-scale heterogeneous devices especially IoT devices with security requirements, traditional identity authentication based on digital certificates and physical layer key generation (PLKG) schemes based on asymmetric keys (Harn & Ren, 2011) face the problems of high cost, difficult key management, and inapplicability to devices with limited resources. However, recent studies (Lee, Hwang & Choi, 2020; Aldaghri & Mahdavifar, 2020; Tang et al., 2021b) have shown that the characteristics of communication devices, channels, and noise can be skillfully used in the physical layer to realize device identity identification, authentication and key distribution without complicated mathematical operations and key management.

Physical layer security technology is a supplement to cryptography security technology. In radio frequency communication, it is mainly used to improve the security performance of wireless communication networks. For example, the wireless channel-based physical layer key generation (Kai et al., 2010; Aldaghri & Mahdavifar, 2018; Li et al., 2017) schemes are to use the uniqueness and reciprocity of wireless channel characteristics to generate keys, including received signal strength (RSS), channel impulse response in the time-frequency domain, phase, delay, envelope and other characteristics of the received signal. However, the wireless physical layer security technology cannot be applied to communication systems other than radio frequency communication, such as visible light communication (Lopez-Martinez, Gomez & Garrido-Balsells, 2015), underwater acoustic communication (Xu, Fan & Liu, 2020) and wired communication (Salem et al., 2016), which has certain limitations.

Therefore, researchers are looking for more general physical layer features to meet the security requirements of different scenarios. Recently, Huang et al. (2021) proposed a new physical layer key generation scheme based on network transmission delay, which used random forwarding technology and a three-stage delay measurement method to generate random and reciprocal communication delay and then converted the random delay into a secret key by means of quantization coding and information reconciliation. This scheme uses the characteristics of the network itself, which has no restrictions on the communication mode of nodes. Therefore, the physical layer key generation scheme based on network transmission delay greatly expands the use scenario of physical layer security and makes it possible to realize cross-domain key agreement.

However, when analyzing the security of Huang et al.’s scheme, we find that the security of the scheme is based on the secret apportionment strategy, that is, the secret information corresponding to the key is divided into multiple fragments and randomly apportioned to the nodes involved in forwarding. These nodes transmit the secret and finally recombine it at the receiving end so that only the two parties who negotiate the key can generate the key, while the nodes involved in forwarding can only master part of the secret but cannot generate the key. Therefore, there is a hidden danger of a collusion attack when the secret apportionment strategy is adopted. Once a number of malicious nodes share secrets, it is possible to steal the keys shared by both parties. We will discuss this in detail in Section 3.

To solve the security problem of collusion attacks in Huang et al.’s (2021) scheme, we propose an anti-collusion attack defense method, which can effectively reduce the risk of key leakage caused by a collusion attack. The contributions of this article are summarized as follows.

• Through the analysis of Huang et al.’s scheme, we find that the scheme has the security problem of collusion attack, and we reveal the influence of collusion attack by a single malicious node and multiple malicious nodes on key security by a probability model.

• In order to solve the collusion attack problem in Huang et al.’s scheme, we propose a defense strategy based on optimized deployment parameters to minimize the impact of collusion attacks, including the number of middle forwarding nodes, the random forwarding times, the number of delay measurement times and the level of out-of-control rate of middle forwarding nodes.

• Based on the game model, the optimal attack strategies of the “Careless Defender” and “Cautious Defender” are analyzed respectively. It is theoretically proved that the defense strategy proposed in this article can reduce the key security risk caused by collusion attacks to zero under the optimal attack strategy.

The remainder of the article is organized as follows. In Section 2, we briefly introduce the working principle and main components of Huang et al.’s scheme. In Section 3, we analyze the scheme of Huang et al. and put forward that the main security problem is the collusion attack. In Section 4, we give a defense strategy against collusion attacks and prove the effectiveness of this method. In Section 5, we give a literature review to give readers a comprehensive and systematic understanding of PLKG. Finally, the conclusion is drawn in Section 6.

Background

Huang et al.’s (2021) physical layer key generation scheme based on transmission delay

Huang et al. first proved that the network transmission delay is an excellent network feature for key generation and proposed a practical key generation scheme. The main components of Huang et al.’s scheme are as follows.

Random forwarding networks (RFNs)

Huang et al.’s method utilize RFNs as the random source of measured delay. RFNs refers to a kind of network composed of several middle forwarding nodes which use random forwarding as their forwarding strategy. These middle forwarding nodes can be any devices connected to each other. Figure 1 shows a random forwarding network composed of three middle forwarding nodes.

The random forwarding rule is simple. Firstly, Alice randomly selects a middle forwarding node to send a delay measurement data packet, and sets the forwarding times as N in the packet; Then, the middle forwarding node receiving the delay measurement data packet randomly selects one middle forwarding node in the RFN including itself as the next hop, and reduces the remaining forwarding times by 1; Finally, when the remaining forwarding times return to 0, the delay measurement data packet is directly sent to Bob.

Because the destination of each forwarding is random, the forwarding route from Alice to Bob is random, thus ensuring that the end-to-end delay of the delay measurement data packet sent from Alice to Bob through the random forwarding network is random.

The randomness of end-to-end delay is related to the number of middle forwarding nodes, forwarding times, and random forwarding strategy. We find the optimal random forwarding strategy to maximize the randomness of end-to-end delay and have proved that with the increase of the number of middle forwarding nodes and the number of forwarding times, the randomness of end-to-end delay is increasing (Wang et al., 2022).

Delay measurement protocol

To ensure the reciprocity of the measured delay, the three-stage delay measurement protocol as shown in Fig. 2 is adopted.

The idea of a three-stage delay measurement protocol is as follows:

1. Alice sends a request delay measurement data packet through a random forwarding network to Bob according to the random forwarding rule and records the sending time $T_{ab}^1$.

2. Bob records the receiving time $T_{ba}^1$ when receiving the request delay measurement data packet, and sends a reply delay measurement data packet to Alice according to the random forwarding rule, assuming that the stay delay is ${\epsilon }_B$.

3. Alice receives the reply delay measurement data packet and sends the final delay measurement data packet to Bob according to the forwarding route generated by the random forwarding network in i), assuming that the stay time is ${\epsilon }_A$. Then Alice records the receiving time $T_{ab}^2$ and calculates the measured delay $\mathrm{\Delta }{T}_{ab}$.

4. Bob receives the final delay measurement data packet and records the receiving time $T_{ba}^2$. Then Bob calculates the measured delay $\mathrm{\Delta }{T}_{ba}$.

The measured delays of Alice and Bob are $\mathrm{\Delta }{T}_{ab}=T_{ab}^2-T_{ab}^1$ and $\mathrm{\Delta }{T}_{ba}=T_{ba}^2-T_{ba}^1$, respectively. Since the random route Alice forwarded to Bob twice is the same, then we have

(1) $$\mathrm{\Delta }{T}_{ab}=\mathrm{\Delta }{T}_{ba}=d_{AB}+d_{BA}+{\epsilon }_A+{\epsilon }_B=T_{measured}$$where $T_{measured}$ is the secret shared by Alice and Bob. Obviously, with the support of RFNs and the three-stage delay measurement protocol, the measured delay satisfies all four necessary properties of network features that can be used for key agreement: measurability, randomness, reciprocity, and entanglement. Therefore, $T_{measured}$ can be used to generate keys.

It is worth mentioning that although the three-stage delay measurement protocol guarantees the reciprocity of measured delay in principle, in fact, due to the random fluctuation of the network, there will still be some small errors in the delay measured by Alice and Bob, which will be eliminated during key generation.

Key generation process

As Fig. 3 shows, similar to the method of wireless physical layer key generation, first Alice and Bob respectively quantized and coded the measured delay into binary codes, then Alice and Bob corrected the different bits in the generated binary codes by means of information reconciliation (Tang et al., 2021a), and finally, Alice and Bob fused a group of binary codes generated by measured delay into a key, where codes fusion usually combines several short keys into one long key by random out-of-order splicing, so that the code generated by each delay can spread to the whole key, thus achieving the effect of resisting local exhaustive attacks.

The security problem of huang et al.’s scheme

By the scheme of Huang et al. (2021), Alice and Bob, the key negotiation parties, independently measured the reciprocal network characteristics and shared the random secret of measured delays. However, Alice’s secret information can not be transmitted to Bob out of thin air.

In fact, Fig. 4 reveals the secret of keeping the consistency of the three-stage delay measurement protocol. From Fig. 4, it can be found that the middle forwarding nodes participating in this random forwarding can also obtain the same measured delay as Alice and Bob. From the communication point of view, it seems that Alice transmitted the random secret of measured delay to Bob through a random forwarding route, so the middle forwarding nodes carrying the task of transmitting measured delay naturally obtained this random secret. We call this feature Secret Transmission Consistency. It should be noted that although the communication point of view is used as an analogy, it is actually quite different from the plaintext secret transmission, so it is impossible to obtain the measured delay by monitoring the communication link.

The key to Alice and Bob’s secure communication is generated by a set of measured delays. As is shown in Fig. 5, if we regard the key as a complete secret shared by Alice with Bob, each measured delay is one piece of the whole secret. As the middle forwarding nodes are randomly selected by random forwarding rules, these secret fragments are randomly apportioned to all middle forwarding nodes. Only Alice and Bob can obtain the complete secret used to generate the key. As long as there are enough middle forwarding nodes, the possibility of obtaining a complete secret by one middle forwarding node is small enough to ensure the security of the key. This security strategy that relies on the number of middle forwarding nodes to apportion secrets is Secret Apportionment Strategy, which is the security mechanism of Huang et al.’s (2021) method.

However, the Secret Apportionment Strategy is most concerned with the Collusive Attack. A Collusive Attack refers to multiple malicious nodes conspiring to destroy the security of the target system. In our key agreement scenario, the Collusive Attack is manifested as malicious nodes conspiring to steal the key negotiated by both communication parties.

Collusive Attack has a great influence on the security of the Secret Apportionment Strategy. As shown in Fig. 6, once the attacker has mastered the vast majority of middle forwarding nodes in the RFNs, the key agreement process is almost completely monitored by the attacker. In this case, the key can be easily leaked.

Therefore, it is necessary to study the influence of the Collusive Attack on our method. The Attack Model of Collusive Attack under Secret Apportionment Strategy is given below:

1. Because the middle forwarding nodes have the same status in RFNs, it is assumed that the attacker’s selection of attack targets is random.

2. Because the defense strategy is deployed on the middle forwarding node, attacking a middle forwarding node does not mean controlling the middle forwarding node. It is reasonably assumed that the attacker may fail to control the middle forwarding node that was attacked.

3. Because of the similar defense strategies deployed on the different middle forwarding nodes, it is assumed that the probabilities of the attacker successfully controlling the attacked middle forwarding nodes are the same.

The Formal Description of the problem of Secret Apportionment Strategy against the Collusive Attack is as followed:

Assuming that the number of middle forwarding nodes is $m$ and the number of forwarding times is N, this key is composed of $k$ measured delays. Then the composition of this key is shown in Fig. 7A, in which each time delay is determined by a random forwarding path $Z_{j1}\to Z_{j2}\to \dots \to Z_{jN}$, and any forwarding node $Z_{ji}$ in the random forwarding path is randomly selected from the middle forwarding nodes $Z_1,Z_2,\dots ,Z_m$. If there exist malicious nodes in the random forwarding path, the delay corresponding to the random forwarding path is no longer secure. When all the delays are insecure, the key will be exposed as shown in Fig. 7B.

1) Considering the single malicious node, the probability of a single malicious node participating in a certain time delay measurement is $1-(1-1/m{)}^N$. When $m$ is large, the probability of a single malicious node participating in one delay measurement is approximately $N/m$, and the probability of participating in all delay measurements is $(N/m{)}^k$. When the value of $k$ is slightly larger, this probability will be close to 0. Therefore, under the Secret Apportionment Strategy, a single malicious node can hardly pose a security risk to the key.

2) Considering multiple malicious nodes, let us suppose that there are $r$ $(1\le r\le m)$ malicious nodes conspiring to attack. According to the Secret Transmission Consistency of the three-stage delay measurement protocol, for one-time delay measurement, as long as a malicious node participates, the delay will be exposed to this malicious node. According to Fig. 7, the probability of time delay exposure is $1-(1-r/m{)}^N$. For a key agreement, the key is composed of $k$ measured delays, and the key will be exposed only when all these measured delays are exposed. Therefore, under the condition of collusion of $r$ malicious nodes, the key exposure probability $p_{expose}$ is

(2) $$p_{expose}(r)={[1-{(1-\frac{r}{m})}^{N}y]}^k$$

Figure 8 shows the change curve of key exposure probability $p_{expose}$ with the collusion number $r$ of malicious nodes when $m=100$, $N=10$, and $k=10$.

As can be seen from Fig. 8, there are two threshold numbers with significant curvature changes on the curve: $r_{defense}$ and $r_{attack}$. When $r<r_{defense}$, the key is basically secure; When $r_{defense}\le r<r_{attack}$, the probability of key exposure $p_{expose}$ increases rapidly; When $r>r_{attack}$, the key exposure probability is close to the maximum value, and basically no longer increases. Because $r_{defense}$ indicates the number of malicious nodes that defenders can tolerate, We call $r_{defense}$ as the upper limit of the defender’s tolerance. $r_{attack}$ indicates the lowest number of malicious nodes that can effectively destroy key privacy, so we call $r_{attack}$ as the ideal lower limit of the number of malicious nodes controlled by the attacker.

These two indicators, $r_{defense}$ and $r_{attack}$, are very important for key security. To explore the relationship between $r_{defense}$, $r_{attack}$ and $m$, N, $k$, the mathematical definition of $r_{defense}$ and $r_{attack}$ are described as follows:

(3) $$\{\begin{array}{c}{r}_{defense}\stackrel{\mathrm{\Delta }}{=}\underset{r}{\arg max}K(p_{expose})\hfill \\ r_{attack}\stackrel{\mathrm{\Delta }}{=}\underset{r}{\arg min}K(p_{expose})\hfill \end{array}$$where $K(y)\stackrel{\mathrm{\Delta }}{=}\frac{y^{\mathrm{\prime }\mathrm{\prime }}}{(1+y^{{\mathrm{\prime }}^2}{)}^{\frac{3}{2}}}$ represents the signed curvature of the curve $y=f(x)$.

Since $\frac{\mathrm{\partial }}{\mathrm{\partial }r}{p}_{expose}=\frac{kN}{m}(1-\frac{r}{m}{)}^{N-1}[1-(1-\frac{r}{m}{)}^N{]}^{k-1}\ll 1$, $r_{defense}$ and $r_{attack}$ can be approximated as

(4) $$\{\begin{array}{c}{r}_{defense}\approx \underset{r}{\arg max}\frac{{\mathrm{\partial }}^2}{\mathrm{\partial }{r}^2}{p}_{expose}\hfill \\ r_{attack}\approx \underset{r}{\arg min}\frac{{\mathrm{\partial }}^2}{\mathrm{\partial }{r}^2}{p}_{expose}\hfill \end{array}$$

Equation (4) can be obtained by solving equation $\frac{{\mathrm{\partial }}^3}{\mathrm{\partial }{r}^3}{p}_{expose}=0$, so the analytical solutions of $r_{defense}$ and $r_{attack}$ are as follows:

(5) $$\{\begin{array}{c}{r}_{defense}=<m[1-{\left(\frac{(N-1)(3Nk-N-4)+N\sqrt{\mathrm{\Delta }}}{2(Nk-1)(Nk-2)}\right)}^{\frac{1}{N}}]>\\ r_{attack}=<m[1-{\left(\frac{(N-1)(3Nk-N-4)-N\sqrt{\mathrm{\Delta }}}{2(Nk-1)(Nk-2)}\right)}^{\frac{1}{N}}]>\end{array}$$where $\mathrm{\Delta }=(5Nk-N-k-7)(N-1)(k-1)$ and $<x>$ represents the rounding of $x$.

Considering $r_{defense}$ and $r_{attack}$ increase linearly with $m$, let’s define ${\omega }_{defense}\stackrel{\mathrm{\Delta }}{=}\frac{r_{defense}}{m}$ as the upper tolerance rate of the defender on the number of malicious nodes and ${\omega }_{attack}\stackrel{\mathrm{\Delta }}{=}\frac{r_{attack}}{m}$ as the ideal lower bound rate of the number of malicious nodes controlled by the attacker. The expressions of ${\omega }_{defense}$ and ${\omega }_{attack}$ are as follows:

(6) $$\{\begin{array}{c}{\omega }_{defense}=1-{\left(\frac{(N-1)(3Nk-N-4)+N\sqrt{\mathrm{\Delta }}}{2(Nk-1)(Nk-2)}\right)}^{\frac{1}{N}}\\ {\omega }_{attack}=1-{\left(\frac{(N-1)(3Nk-N-4)-N\sqrt{\mathrm{\Delta }}}{2(Nk-1)(Nk-2)}\right)}^{\frac{1}{N}}\end{array}$$

According to Eq. (6), we find that ${\omega }_{defense}$ and ${\omega }_{attack}$ are irrelevant to the number of middle forwarding nodes $m$, but only relevant to the number of forwarding times N and the number of measured delays that make up the key $k$.

According to the expressions of ${\omega }_{defense}$ and ${\omega }_{attack}$, ${\omega }_{defense}$ has the following relationship with ${\omega }_{attack}$:

(7) $$\{\begin{array}{c}{(1-{\omega }_{defense})}^N+{(1-{\omega }_{attack})}^N=\frac{(N-1)(3Nk-N-4)}{(Nk-1)(Nk-2)}\\ \\ {(1-{\omega }_{defense})}^N{(1-{\omega }_{attack})}^N=\frac{(N-1)(N-2)}{(Nk-1)(Nk-2)}\end{array}$$

According to the Vieta Theorem, $(1-{\omega }_{defense}{)}^N$ and $(1-{\omega }_{attack}{)}^N$ can be regarded as the two roots of the characteristic equation described in Eq. (8).

(8) $$x^2-\frac{(N-1)(3Nk-N-4)}{(Nk-1)(Nk-2)}x+\frac{(N-1)(N-2)}{(Nk-1)(Nk-2)}=0$$

It is easier to solve ${\omega }_{defense}$ and ${\omega }_{attack}$ with the characteristic equation in an actual usage scenario. Take Fig. 8 as an example, in the scenario of setting $m=100$, $N=10$ and $k=10$, the characteristic equation for solving ${\omega }_{defense}$ and ${\omega }_{attack}$ is

(9) $$x^2-\frac{143}{540}x+\frac{1}{135}=0$$

The two roots of Eq. (9) are $x_1=(1-{\omega }_{defense}{)}^{10}\approx 0.23353$ and $x_2=(1-{\omega }_{attack}{)}^{10}\approx 0.03178$, and ${\omega }_{defense}\approx 0.1354$ and ${\omega }_{attack}\approx 0.2917$ can be further solved. As $m=100$, we can calculate exactly $r_{defense}=14$ and $r_{attack}=29$ in Fig. 8.

Furthermore, Fig. 9 shows the changing trend of ${\omega }_{defense}$ and ${\omega }_{attack}$ with the number of forwarding times N and the number of delay measurement times $k$. Seen from the left figure of Fig. 9, ${\omega }_{defense}$ and ${\omega }_{attack}$ decrease with the increase of N. For the defender, the larger ${\omega }_{defense}$ and ${\omega }_{attack}$ are, the better the security is, so N should not be set too large, and when N is small ( $N<10$ in this figure), the change of N has a great influence on ${\omega }_{defense}$ and ${\omega }_{attack}$. However, N should not be set too large, when N is large ( $N>20$ in this figure), there begins to have marginal effects. From the right figure of Fig. 9, ${\omega }_{defense}$ and ${\omega }_{attack}$ increase with the increase of $k$, and the influence decreases with the increase of $k$, and there is also a marginal effect. Compared with the numerical influence, N has a greater influence on ${\omega }_{defense}$ and ${\omega }_{attack}$ than $k$.

Through analysis, we find that although Collusive Attack can destroy key privacy, a reasonable selection of deployment parameters $m,N,k$ can effectively improve the difficulty of the attacker’s attack and reduce the risk of key exposure. Therefore, in Section 6, we will analyze effective defensive strategies against Collusive Attacks based on the attack-defense game.

Solutions on the security problem of huang et al.’s scheme

Proof of the effectiveness of our defense strategies

In this subsection, we will establish a probabilistic model for attack-defense game analysis in the scenarios of “Careless Defender” and “Cautious Defender” respectively to prove the effectiveness of the defense method. According to the two optimization objectives in previous subsection, the idea of proof is shown in Fig. 10, we will first solve the optimal attack strategy of the attacker under any deployment parameters, and then analyze the relationship between the key theft probability and each deployment parameter under the optimal attack strategy of the attacker and the deployment parameter to ensure the security of the key. Finally, we will give an actual security deployment example.

Careless defender

Since the attack behavior will not be found, assuming that the attacker chooses $n$ middle forwarding nodes as the attack targets, as long as there are middle forwarding nodes controlled by the attacker, a Collusive Attack can be launched to steal the key. Therefore, in the “Careless Defender” scenario, the probability $p_{success\mathrm{\_}I}$ of the attacker successfully stealing the key is

(12) $$p_{success\mathrm{\_}I}(n)=\sum _{r=1}^n{C}_n^r{\alpha }^r(1-\alpha {)}^{n-r}{[1-(1-\frac{r}{m}{)}^N]}^k$$

Figure 11 shows the change curve of attack success probability $p_{success\mathrm{\_}I}$ with the number of attacking nodes $n$ under different out-of-control rate $\alpha$ when $m=100$, $N=10$ and $k=10$.

From Fig. 11, we can see that $p_{success\mathrm{\_}I}$ is a monotonic increasing function. Of course, generally, we need to prove that $p_{success\mathrm{\_}I}(n+1)>p_{success\mathrm{\_}I}(n)$ (see Appendix A for proof).

The attacker hopes to find the optimal attack strategy in the “Careless Defender” scenario, that is, the optimal number of attack middle forwarding nodes $n_{I\mathrm{\_}otp}\stackrel{\mathrm{\Delta }}{=}\underset{n}{\arg max}{p}_{success\mathrm{\_}I}(n)$. As $p_{success\mathrm{\_}I}$ is monotonically increasing, we find the optimal strategy is $n_{I\mathrm{\_}otp}=m$. However, it is observed from Fig. 11 that when $\alpha$ is greater than a certain threshold, that is, $\alpha \ge \delta (m,N,k)$, the marginal effect will occur when the attacker increases the number of attack nodes, which is consistent with the meaning of the ideal lower limit $r_{attack}$ of the number of attack control nodes in the defense strategy analysis subsection of the defender. And when $\alpha \ge \delta (m,N,k)$, the optimal attack strategy should be $n_{attack}(\alpha )=\underset{n}{\arg max}\frac{{\mathrm{\partial }}^2}{\mathrm{\partial }{n}^2}{p}_{success\mathrm{\_}I}$ after taking the marginal effect into account, so overall, the optimal attack strategy in the “Careless Defender” scenario of the attacker is

(13) $$n_{I\mathrm{\_}otp}=\{\begin{array}{c}m,\alpha <\delta (m,N,k)\hfill \\ n_{attack}(\alpha ),\alpha \ge \delta (m,N,k)\hfill \end{array}$$

It is difficult to solve $\underset{n}{\arg max}\frac{{\mathrm{\partial }}^2}{\mathrm{\partial }{n}^2}{p}_{success\mathrm{\_}I}$ directly because $p_{success\mathrm{\_}I}$ has the discontinuous part $C_n^i$, so a approximate solution method is as follows.

Lemma 1. For given $F(n)$, suppose $\mathrm{\exists }G(n)$, $G(n)\approx F(n)$. Then, for solution sets $Z=\{n|T\{F(n)\}=0\}$ and $Z^{\ast }=\{n|T\{G(n)\}=0\}$, we have $Z\approx Z^{\ast }$.

Proof. Assume that $\epsilon =\underset{n}{max}|F(n)-G(n)|$, $G(n)\approx F(n)$ represents ${lim}_{\epsilon \to 0}G(n)=F(n)$. Then, we have ${lim}_{\epsilon \to 0}T\{G(n)\}=T\{F(n)\}$, so for $Z=\{n|T\{F(n)\}=0\}$ and $Z^{\ast }=\{n|T\{G(n)\}=0\}$, we have ${lim}_{\epsilon \to 0}{Z}^{\ast }=Z$, which is $Z\approx Z^{\ast }$.

To put it simply, if there exists $G(n)$ with good mathematical properties that can approximately replace $F(n)$ with bad mathematical properties, then any unsolvable mathematical equation about $F(n)$ can be replaced with $G(n)$ to solve the approximate solution.

It can be observed from Fig. 12 that the influence of $\alpha$ on $p_{success\mathrm{\_}I}$ is actually approximately stretching the abscissa of the corresponding curve of $\alpha =1$ (see Appendix B for proof), that is

(14) $$\begin{array}{rl}{p}_{success\mathrm{\_}I}(n;\alpha ={\alpha }_0)& \approx p_{success\mathrm{\_}I}({\alpha }_{0}n;\alpha =1)\\ & =p_{expose}({\alpha }_{0}n)\end{array}$$

Therefore, $p_{expose}(\alpha n)$ is an approximation of $p_{success\mathrm{\_}I}$. According to Lemma. 1, we have

(15) $$n_{attack}(\alpha )\approx \underset{n}{\arg \max }\frac{{\partial }^2}{\partial n^2}{p}_{expose}(\alpha n)$$

Since $\underset{n}{\arg max}\frac{{\mathrm{\partial }}^2}{\mathrm{\partial }{n}^2}{p}_{expose}(n)$ has been solved in Eq. (5), $\underset{n}{\arg max}\frac{{\mathrm{\partial }}^2}{\mathrm{\partial }{n}^2}{p}_{expose}(\alpha n)$ can be directly obtained by substitution method as

(16) $$n_{attack}(\alpha )\approx <\frac{m}{\alpha }{\omega }_{attack}>$$where ${\omega }_{attack}$ can be easily obtained by solving the characteristic equation described in Eq. (8) or directly obtained by Eq. (6).

As can be seen from Fig. 12, since $m$ is the upper bound of $n_{I\mathrm{\_}otp}$, as long as $n_{attack}(\alpha )<m$, it means that marginal effect appears, then $n_{I\mathrm{\_}otp}=n_{attack}(\alpha )$, otherwise $n_{I\mathrm{\_}otp}=m$. So we can solve $n_{I\mathrm{\_}otp}$ without knowing $\delta (m,N,k)$, which is

(17) $$n_{I\mathrm{\_}otp}=min[n_{attack}(\alpha ),m]$$

Equation (17) gives the calculation formula of the attacker’s optimal attack strategy $n_{I\mathrm{\_}otp}$ in the scenario of “Careless Defender”. It can be found that $\alpha$ has an important influence on the value of $n_{I\mathrm{\_}otp}$, which is also of great interest to attackers. Therefore, we have made the curve of the optimal attack strategy $n_{I\mathrm{\_}otp}$ of the attacker with the out-of-control rate $\alpha$ in the specific scenario shown in Fig. 13.

As can be seen from Fig. 13, in the scenario of “Careless Defender”, when the out-of-control rate $\alpha$ of the middle forwarding node is small ( $\alpha \le \delta$), adding the middle forwarding nodes to attack will not cause a marginal effect, and the attacker’s optimal strategy, in this case, is all-node attack.

However, when the out-of-control rate $\alpha$ of the middle forwarding nodes is large ( $\alpha >\delta$), increasing the number of middle forwarding nodes in the attack will result in a marginal effect. Considering the attack income, the attacker’s optimal strategy is to choose the number of middle forwarding nodes before the appearance of the marginal effect, which is $n_{attack}(\alpha )$, and this number gradually decreases with the increase of $\alpha$.

On the whole, the larger the out-of-control rate $\alpha$ of the middle forwarding node is, the lower the number of middle forwarding nodes that the attacker may choose to attack according to the attacker’s optimal strategy.

So, the probability $p_{success\mathrm{\_}I\mathrm{\_}otp}$ of the attacker successfully stealing the key under the optimal attack strategy $n_{I\mathrm{\_}otp}$ in the scenario of “Careless Defender” is

(18) $$p_{success\mathrm{\_}I\mathrm{\_}otp}(m,N,k,\alpha )\stackrel{\mathrm{\Delta }}{=}{p}_{success\mathrm{\_}I}(n_{I\mathrm{\_}otp})$$

Considering that the marginal part has little influence on the probability of the attacker’s success, it is advisable to use $p_{success\mathrm{\_}I}(m)$ to approximately describe $p_{success\mathrm{\_}I}(n_{I\mathrm{\_}otp})$, so we have

(19) $$p_{success\mathrm{\_}I\mathrm{\_}otp}(m,N,k,\alpha )\approx p_{success\mathrm{\_}I}(m)$$

Then, we explore the influence of $m,N,k,\alpha$ on $p_{success\mathrm{\_}I\mathrm{\_}otp}$ respectively. Figure 14 shows the relationship curves of the effects of four parameters in the typical case scenario.

It can be seen from Fig. 14 that $p_{success\mathrm{\_}I\mathrm{\_}otp}$ increases with the increase of the node out-of-control rate $\alpha$, and when $\alpha$ reaches a certain value ( $\alpha >0.5$ in this figure), the $p_{success\mathrm{\_}I\mathrm{\_}otp}$ approaches 100%, and the marginal effect appears; $p_{success\mathrm{\_}I\mathrm{\_}otp}$ increases with the increase of node forwarding times N. Similarly, when N reaches a certain value ( $N>30$ in this figure), $p_{success\mathrm{\_}I\mathrm{\_}otp}$ approaches 100%, and marginal effect appears; $p_{success\mathrm{\_}I\mathrm{\_}otp}$ decreases with the increase of delay measurement times $k$. At the beginning of the increase, $p_{success\mathrm{\_}I\mathrm{\_}otp}$ drops rapidly, and when $k=20$, $p_{success\mathrm{\_}I\mathrm{\_}otp}$ has dropped below 20% and continues to increase $k$, the decrease of $p_{success\mathrm{\_}I\mathrm{\_}otp}$ has a marginal effect; $p_{success\mathrm{\_}I\mathrm{\_}otp}$ decreases with the increase of the number of middle forwarding nodes $m$. However, because the attacker adopts the optimal attack strategy, the impact of increasing $m$ on $p_{success\mathrm{\_}I\mathrm{\_}otp}$ is limited, and $m$ increased by 20 times in this figure only decreases $p_{success\mathrm{\_}I\mathrm{\_}otp}$ by 5%.

Cautious defender

The “Cautious Defender” scenario means that there is a central control that judges whether there are abnormal middle forwarding nodes through traffic monitoring, behavior analysis, and other means. Once the abnormality is detected, the key agreement will be terminated in advance. Then, once the attacker attacks a certain middle forwarding node but fails to control it, it will trigger an alarm to alert the defender, resulting in the failure of stealing the key.

Therefore, the attacker can not be found by the “Cautious Defender” only when all the targets are successfully controlled, so the probability $p_{success\mathrm{\_}II}$ of the attacker successfully stealing the key in the “Cautious Defender” scenario is

(20) $$p_{success\mathrm{\_}II}(n)={[1-{(1-\frac{n}{m})}^N]}^k{\alpha }^n$$

Figure 15 shows the change curve of attack success probability $p_{success\mathrm{\_}II}$ with the number of attacking nodes $n$ under two typical out-of-control rates $\alpha =0.1,0.8$ when $m=100$, $N=10$ and $k=10$. We take two representatives $\alpha$ values, where $\alpha =0.1$ indicates that the defense capability is strong and the attacker has not found effective defense vulnerabilities and $\alpha =0.8$ indicates that the defense capability is weak and the attacker has found effective defense vulnerabilities to attack.

From Fig. 15, we can see that $p_{success\mathrm{\_}II}$ has a maximum value, that is, the attacker should choose $n_{II\mathrm{\_}otp}\stackrel{\mathrm{\Delta }}{=}\underset{n}{\arg max}{p}_{success\mathrm{\_}II}(n)$ number of middle forwarding nodes to attack, so as to maximize the success probability of the attack. The existence of this optimal solution is obvious. If the attackers choose too few middle forwarding nodes to attack, then even if all of them are controlled, they can not form an effective Collusive Attack, because the Collusive Attack requires a certain number of malicious nodes; If the number of nodes attacked by the attacker is too large, the probability of making a mistake on one middle forwarding node and triggering an alarm will be greater, which will also reduce the success rate of the attack. The rest of the $\alpha$ values have the same conclusion.

Therefore, only selecting an appropriate number of middle forwarding nodes to attack can make the attack more successful, which is also what the attacker hopes.

This optimal attack number $n_{II\mathrm{\_}otp}$ can be obtained by solving $\frac{\mathrm{\partial }}{\mathrm{\partial }r}{p}_{success\mathrm{\_}II}=0$, which is the root of the equation described in Eq. (21).

(21) $$L(n)=ln\alpha [1-{(1-\frac{n}{m})}^N]+\frac{kN}{m}(1-\frac{n}{m}{)}^{N-1}=0$$

Equation (21) is difficult to solve directly. However, considering that “Cautious Defender” commonly chooses more middle forwarding nodes to keep the key secure and that the out-of-control rate $\alpha$ of these middle forwarding nodes is small under the tight defense strategy of the “Cautious Defender”, which causes $\frac{n}{m}\to 0$ according to Fig. 15. Therefore, we have the following approximation:

(22) $$(1-\frac{n}{m}{)}^N\approx 1-\frac{Nn}{m}$$

By substituting Eq. (22) into Eq. (21), we get

(23) $$n_{II\mathrm{\_}otp}\approx <\frac{mk}{k(N-1)-mln\alpha }>,\alpha \le \mu$$where $\mu$ is an empirical boundary that satisfies this approximation.

When $\alpha$ becomes larger ( $\alpha >\mu$), because Eq. (21) is a transcendental equation, the analytical solution cannot be obtained directly. It also can not be approximated by Eq. (22), but the approximate numerical solution can be obtained by Newton’s Method $n_t=n_{t-1}-\frac{L(n_{t-1})}{L^{\mathrm{\prime }}(n_{t-1})}$, and the initial value can be chosen as $n_0=1$. Then, we have

(24) $$n_{II\mathrm{\_}otp}\approx {lim}_{t\to +\mathrm{\infty }}{n}_t,\alpha >\mu$$

Taken together from Eqs. (23) and (24), the optimal attack strategy $n_{II\mathrm{\_}otp}$ of the attacker in the “Cautious Defender” scenario is

(25) $$n_{II\mathrm{\_}otp}=\{\begin{array}{c}<\frac{mk}{k(N-1)-mln\alpha }>,\alpha \le \mu \hfill \\ {lim}_{t\to +\mathrm{\infty }}{n}_t,\alpha >\mu \hfill \end{array}$$

From the experimental results (see Appendix C), it is appropriate to take about $\mu \approx 0.2$. This is a relatively conservative estimate. In addition, $\alpha \le 0.2$ is usually satisfied in the “Cautious Defender” scenario, and the calculation of the optimal attack strategy of the attacker can be solved directly by the simple formula method, and Newton’s method is seldom used.

Figure 16 shows the curve of the optimal attack strategy $n_{II\mathrm{\_}otp}$ of the attacker with the out-of-control rate $\alpha$ in an example scenario.

It can be seen from Fig. 16 that as the out-of-control rate $\alpha$ increases, the attacker should gradually increase the number of attacking middle forwarding nodes. In addition, it can also be found that when $\alpha$ is large enough, although the attack success rate is very high, the attacker should not fully attack all middle forwarding nodes, but choose the appropriate number of middle forwarding nodes to attack.

The probability $p_{success\mathrm{\_}II\mathrm{\_}otp}$ of the attacker successfully stealing the key under the optimal attack strategy $n_{II\mathrm{\_}otp}$ in the scenario of “Cautious Defender” is

(26) $$p_{success\mathrm{\_}II\mathrm{\_}otp}(m,N,k,\alpha )\stackrel{\mathrm{\Delta }}{=}{p}_{success\mathrm{\_}II}(n_{II\mathrm{\_}otp})$$

Similarly, we draw Fig. 17 to show the relationship curves of the effects of four parameters $m,N,k,\alpha$ on $p_{success\mathrm{\_}II\mathrm{\_}otp}$ in the typical case scenario.

It can be seen from Fig. 17 that $p_{success\mathrm{\_}II\mathrm{\_}otp}$ increases with the increase of the node out-of-control rate $\alpha$, and only when $\alpha$ reaches a certain value ( $\alpha >0.8$ in this figure) does $p_{success\mathrm{\_}II\mathrm{\_}otp}$ begin to increase significantly; $p_{success\mathrm{\_}II\mathrm{\_}otp}$ increases with the increase of node forwarding times N. Similarly, when N reaches a certain value ( $N>40$ in this figure), $p_{success\mathrm{\_}II\mathrm{\_}otp}$ begins to increase significantly; $p_{success\mathrm{\_}II\mathrm{\_}otp}$ decreases with the increase of delay measurement times $k$. At the beginning of the increase, $p_{success\mathrm{\_}II\mathrm{\_}otp}$ drops rapidly, and $p_{success\mathrm{\_}II\mathrm{\_}otp}$ has basically dropped to 0 when $k>4$ in this figure; $p_{success\mathrm{\_}II\mathrm{\_}otp}$ decreases with the increase of the number of middle forwarding nodes $m$. When $m$ reaches a certain value ( $m>25$ in this figure), $p_{success\mathrm{\_}II\mathrm{\_}otp}$ has basically dropped to 0.

From the analysis of the attack-defense game in the two different scenarios, it can be clearly seen that the defenders are dominant in the whole game. Because the defender can control most parameters $m,N,k$, and each parameter has a significant impact on the attacker’s attack success rate $p_{success\mathrm{\_}otp}$ under the best strategy. Generally speaking, as long as we select deployment parameters according to our security defense strategy, even if the attacker chooses the optimal strategy, the defender can also reduce the attack success probability to almost zero, so that the security of the physical layer key generation scheme based on measured delay against collusion attack can achieve absolute security in the sense of probability.

For example, if a “Careless Defender” uses 100 middle nodes with the out-of-control rate of 0.2 to form a random forwarding network, the security of the key can be guaranteed by setting the forwarding times to 10 and the key to be composed of 40 measured delays. Because it can be proved from Fig. 14 that $p_{success\mathrm{\_}I\mathrm{\_}otp}\approx 0$ under the parameters that are $m=100,N=10,k=40,\alpha =0.2$. The same goes for a “Cautious Defender”.

Literature review

With the advent of the IoT era, encryption methods based on traditional cryptography cannot cover a huge number of smart devices. However, encryption methods based on PLS can realize lightweight encryption and decryption, which is the first choice to ensure the communication security of IoT devices.

In 1949, Shannon (1949) gave the definition of perfect secrecy and proved the unconditional security of one secret at a time by using two theorems about perfect secrecy. On this basis, Wyner (1975) put forward a mathematical model of an eavesdropping channel, assuming that the eavesdropping channel is the degraded channel of the legitimate receiver. Maurer (1993) showed that correlation randomness can be used to generate keys and thought that Wyner’s degraded eavesdropping channel may not be realistic, and proposed a key agreement protocol in which both parties can communicate securely. The key elements of this scheme are information reconciliation and security enhancement (Maurer, 1993).

Scholars continued Maurer’s idea and carried out research in the field of PLKG. In the field of wireless communication, with the development of 5G mobile communication technology, key generation technologies based on the single antenna (Abbasi et al., 2020) and MIMO have been proposed (Melki et al., 2020). Channel characteristics such as received signal strength (RSS), channel characteristic information (CSI), and angle of arrival (AOA) have been proven to be applicable to key generation, while MIMO technology can effectively improve the problem of low secure key generation rate (SKGR) due to single channel (Jiao, Tang & Zeng, 2018). In recent years, with the rise of a breakthrough wireless communication technology-Reconfigurable Intelligent Surface (RIS) (Shengjie et al., 2022), RIS can be used to synthesize high-entropy dynamic channels under the uncontrollable wireless environment, which is considered to be an effective solution to the problems of poor reliability and difficult key generation caused by the traditional wireless channel physical layer key generation technology in the face of harsh communication environment (Li et al., 2021). In addition to the channel characteristics suitable for key generation in wireless communication, scholars have also designed PLKG methods in fields including visible light communication, underwater communication, and wired communication, which greatly enriches the application scenarios of PLKG. Of course, the most special method is the PLKG method based on transmission delay proposed by Huang et al. (2021) which uses the physical characteristics of the network itself to establish secure communication, gets rid of the restrictions on various communication modes, and can be well compatible with all current networks, and has a wide range of application prospects.

In addition to the mining of available channel features, the research on specific key generation technology has also attracted the attention of many scholars. The typical processes to obtain the shared secret key include channel measurement, quantization coding, information reconciliation, and privacy amplification (Shehadeh & Hogrefe, 2015). Through these processes, the randomness of the reciprocal channel characteristics is completely retained in the secret key to the maximum extent, and at the same time, the minimum information leakage is also a key concern. The main purpose of quantization is to discretize the random channel measurement values and to preserve the randomness of channel measurement values to the greatest extent while removing some noise through reasonable quantization order and quantization interval settings. Therefore, in the face of different channel characteristics, it has a very important influence on the key bit rate to design a quantization scheme that matches the distribution of the characteristics. At the same time, the quantization coding process also needs to ensure that both parties have a high agreement rate of key bits for information reconciliation (Wu, Xia & Cheng, 2018). The essence of information reconciliation is to correct the inconsistencies by channel coding. Famous information reconciliation protocols include Binary, Cascade, and Winnow protocol which combines checksum and Hamming code for information reconciliation. In recent years, information reconciliation schemes based on LDPC code and Polar code have also been proposed (Zhang et al., 2018). In order to further reduce the impact of leaked information on key security in the process of information reconciliation, Bennett, Brassard and Robert introduced the concept of privacy amplification for special situations, extracting highly confidential secrets from a large number of shared information to generate keys (Bennett et al., 1995).

Although the research of PLKG has achieved great success, there are still many problems in practical application. On the one hand, it is difficult to ensure that the randomness of channel characteristics can meet the high key generation rate required by the application, on the other hand, there are potential security problems to be solved, including collusion attacks, so the research of PLKG still has a long way to go.

Conclusions

Huang et al. (2021) propose an innovation key agreement method based on network physical features to solve the secure communication problem of large-scale heterogeneous devices. The method uses the RFNs and three-stage delay measurement protocol to generate reciprocal random measured delays. Communication parties can utilize these measured delays to share the key through quantization coding and information reconciliation. We study the security mechanism of this method and discover that the security of our method is based on the Secret Apportionment Strategy, where the main security threat comes from the Collusive Attack. We deduce the influence of the Collusive Attack on Secret Apportionment Strategy through game theory and give the best defense strategy for the defender to ensure key security.

Supplemental Information