Wireless physical layer security

Secrecy Criterion.

Shannon’s cipher system considered the criterion of perfect secrecy. This is a very stringent criterion as it requires strict statistical independence between the message M and the channel output Zn at Eve. In particular, when the communication channel is noisy, this is hard to realize and it is reasonable to relax the criterion by requiring statistical independence only asymptotically in the block length n.

Having in mind that the channel output at Eve should not reveal any information about the confidential message, Wyner defined secrecy in terms of equivocation, or conditional entropy (2). Specifically, he required that the conditional entropy 1nH(M|Zn)≈1nH(M) so that the knowledge of the channel output Zn does not decrease the uncertainty rate about the message M; in other words, it does not provide any information about M. This criterion is known as weak secrecy and is often equivalently written in terms of mutual information as1nI(M;Zn)⟶n→∞0.

This quantity describes the information leaked about M to Eve in terms of a rate due to the normalization by the block length n. This definition of secrecy has its vulnerabilities (8) and can be strengthened by dropping the division by n toI(M;Zn)⟶n→∞0.

This condition is termed strong secrecy and the intuition is to have the total amount of information leaked to Eve vanish as n→∞. Strong secrecy for the wiretap channel was first considered in refs. 9 and 10. Recently, different approaches to achieve strong secrecy were presented in refs. 11⇓⇓⇓–15. One might question whether this definition for secrecy is meaningful. And indeed, strong secrecy ensures that the decoding error approaches one exponentially fast for any decoding strategy Eve may use (16). This demonstrates the usefulness of the strong secrecy criterion and establishes a desirable and practically relevant operational meaning.

Recently, this criterion was further strengthened by considering semantic security (17). Here, Eve is not only not able to decode the transmitted message, but also not able to obtain any information about it at all.

Secrecy Capacity.

Recall that Alice must encode the message into a codeword such that it is useful for Bob to recover the transmitted message (reliability) and at the same time the same codeword is useless for Eve (security). These two requirements seem to be conflicting and it is not obvious that it is possible to achieve both simultaneously.

Surprisingly, it is indeed possible and the so-called secrecy capacity characterizes the maximal rate at which both requirements are met. For discrete memoryless channels, for which the relation between the transmitted input and received output symbols at each independent channel use can be described by a conditional probability distribution of the channel output given the channel input, Wyner established the secrecy capacity in ref. 2 for the case of degraded channels, i.e., channels for which X−Y−Z form a Markov chain, which means that X and Z are statistically independent conditioned on Y. This result was subsequently generalized by Csiszár and Körner to the general, nondegraded case in ref. 18.

The secrecy capacity of the discrete memoryless wiretap channel is given byCS=maxV−X−(Y,Z)(I(V;Y)−I(V;Z)),[1]

where the maximization is over all random variables V and X such that the Markov chain relationship V−X−(Y,Z) is satisfied. (The prefixed V introduces artificial noise into the system and serves to make the eavesdropper channel noisier. This is known as channel prefixing.) Intuitively, the mutual information term I(V;Y) represents the channel quality of the legitimate link and describes the rate at which Alice can reliably transmit to Bob. Accordingly, the term I(V;Z) represents the channel quality of the eavesdropper link and the maximum transmission rate is penalized exactly by this quantity. Another important observation is that to have a positive secrecy capacity, the channel to Bob has to be “less noisy” than the channel to Eve; i.e., I(V;Y)>I(V;Z) for some V. This means Alice and Bob must have an advantage over Eve at the physical layer itself.

The crucial idea for achieving the secrecy capacity is the following: Instead of using all of the available resources for message transmission, a certain part of them are used for randomization by adding “dummy” messages unknown to Bob and Eve. Specifically, for each confidential message Alice wants to transmit, there are multiple valid codewords and a stochastic encoder chooses one of them uniformly at random. The key idea is now to choose the randomization rate for each confidential message roughly as I(V;Z), i.e., according to Eve’s channel quality. Thus, Eve will be saturated with the useless information carried by the dummy variables, leaving no remaining resources for decoding the confidential message itself (19). Because the channel quality to Bob supports reliable transmission roughly at rate I(V;Y), the remaining rate available for secure transmission of the confidential message is I(V;Y)−I(V;Z) as Bob usually has to decode both the confidential message and the dummy variables to recover the correct message.

Gaussian Wiretap Channels.

The Gaussian wiretap channel is the most basic model for a wireless channel, having linear time-invariant multiplicative links corrupted by additive white Gaussian noise. When Alice transmits a signal Xi, the received signals YB,i at Bob and YE,i at Eve at channel use i can then be expressed asYB,i=hBXi+NB,i and YE,i=hEXi+NE,i,[2]where hB and hE are the channel gains between Alice and Bob and between Alice and Eve, respectively, and NB,i and NE,i are additive white Gaussian noises, independent of the transmitted signals, with zero means and variances σB2 and σE2, respectively. Here, white noise refers to a random process that is independent from channel use to channel use.

Considering an average transmit power constraint of P, the secrecy capacity of the Gaussian wiretap channel was established in ref. 20 and is given byCS=12log(1+P|hB|2σB2)−12log(1+P|hE|2σE2).

The secrecy-capacity–achieving strategy is to transmit with full power P and to choose the input signals according to a Gaussian distribution. This latter choice is by no means obvious, as Gaussian input maximizes the information flow to Bob, but at the same time also to Eve. Interestingly, the secrecy capacity in this case turns out to be equal to the difference between the main channel’s Shannon capacity and the eavesdropper channel’s Shannon capacity. From this it follows immediately that secure communication is possible if and only if Bob has a better channel than Eve in the sense that the signal-to-noise ratio of the main channel must be larger than that of the eavesdropper channel; i.e., |hB|2/σB2>|hE|2/σE2. We return to this point later.

Multiantenna Wiretap Channels.

Systems with multiple transmit and receive antennas, so-called multiple-input multiple-output (MIMO) systems, can improve the performance of wireless transmission significantly and hence form the basis of most modern high-capacity wireless systems. Thus, the MIMO wiretap channel is particularly of interest. Accordingly, Alice, Bob, and Eve are assumed to have multiple transmit and receive antennas, respectively. Note that a multiantenna eavesdropper can also be interpreted as multiple single-antenna eavesdroppers that cooperate.

When Alice transmits a vector-valued signal 𝑿i, the received vector-valued signals 𝒀B,i at Bob and 𝒀E,i at Eve can be expressed as𝒀B,i=𝑯B𝑿i+𝑵B,i and 𝒀E,i=𝑯E𝑿i+𝑵E,i,where 𝑯B and 𝑯E are matrices containing multiplicative channel gains, and 𝑵B,i and 𝑵E,i are independent (of each other and for different values of i) additive Gaussian noise vectors at Bob and Eve with zero means and identity covariance matrices. The transmission is subject to an average transmit power constraint tr(𝑸)≤P with 𝑸=𝔼[𝑿i𝑿iT] being the covariance matrix of the transmitted signal.

The secrecy capacity of the MIMO Gaussian wiretap channel was established in refs. 21 and 22 and is given byCS=maxtr(𝑸)≤P(12logdet(𝑰+𝑯B𝑸𝑯BT)−12logdet(𝑰+𝑯E𝑸𝑯ET)).[3]

Similarly to the scalar case, capacity is achieved by transmitting with full power P and by choosing Gaussian-distributed input symbols. Although, in principle, the secrecy capacity of the MIMO wiretap channel is given by the above relation, it remains to find the optimal transmit covariance matrix Q that maximizes the rate in [3]. Analytically, this is a nontrivial task as the corresponding optimization problem is nonconvex in general. Accordingly, the optimal transmit covariance matrix has been characterized only for certain special cases. For example, the optimal transmit strategy is known for the general matrix power constraint 𝑸≼𝑺 with 𝑺≽𝟎 being a positive semidefinite matrix (23), full-rank channels, or isotropic eavesdroppers (24).

A scenario that is completely understood is the multiple-input single-output wiretap channel, in which Alice has multiple transmit antennas, Bob has a single receive antenna only, and Eve may have multiple receive antennas. In this case, the optimal transmit covariance matrix is known in closed form (21). Denoting the channel to Bob by the vector 𝒉B and that to Eve by the matrix 𝑯E, the solution of the secrecy rate maximization problem in [3] isCS=12log(λmax(𝑰+P𝒉B𝒉BT,𝑰+P𝑯ET𝑯E)),with λmax the largest generalized eigenvalue of the two matrices 𝑰+P𝒉B𝒉BT and 𝑰+P𝑯ET𝑯E. The optimal transmit strategy achieving the secrecy capacity is to form a beam in the direction of the generalized eigenvector corresponding to λmax.

Partial Channel State Information.

The previous discussions have in common that knowledge of the gains of all channels (including those to eavesdroppers) is available to the legitimate users. This condition is termed perfect channel state information (CSI) and such idealized communication assumptions allow one to obtain important insights and to develop an understanding of the fundamental principles of wireless physical layer security. However, due to the nature of the wireless channel, but also due to practical limitations such as inaccurate channel state estimation or limited feedback schemes, practical systems always have to deal with limited CSI. In particular, perfect eavesdropper CSI is questionable unless the eavesdroppers are otherwise legitimate network participants, as malevolent eavesdroppers will not provide any information about their channels or may even jam or otherwise influence the legitimate channel. A survey on secure communication under channel uncertainty and adversarial attacks can be found in ref. 25.

A realistic model for the unpredictable nature of the wireless channel and the imperfections of practical implementations is to assume that the actual realization of the channel gains is unknown to Alice and Bob but is known to lie in an uncertainty set of possible channels. This is the concept of compound channels and it accordingly requires reliability and secrecy for all possible channel realizations in this uncertainty set. Such a guaranteed performance criterion is particularly relevant for the transmission of confidential information that must be kept secret regardless of the actual channel conditions.

The compound wiretap channel has been studied, for example, in refs. 16, 26, and 27. In this scenario, the legitimate channel and eavesdropper channel are not known, but belong to uncertainty sets ℋB and ℋE. Such channels can be studied abstractly, but there are also useful concrete versions of possible uncertainty sets. For example, due to limited channel estimation capability, the true channel to Bob might be considered to be in a certain neighborhood of its estimated version. Accordingly, a reasonable uncertainty set is given by a (spherical) setℋB={𝑯B:𝑯B=𝑯0+Δ𝑯,∥Δ𝑯∥2≤ϵ}[4]with ∥⋅∥2 the spectral norm. Then, ϵ describes the maximum estimation error Δ𝑯 around the estimated channel 𝑯0. Another uncertainty model is to assume that the received channel gain for the eavesdropper is limited; i.e.,ℋE={𝑯E:∥𝑯E∥2≤ϵ}.[5]Here, ∥𝑯E∥2 corresponds to the largest channel gain, which is thus assumed to not exceed ϵ. Such an uncertainty set models, for example, the scenario in which an eavesdropper cannot approach the transmitter beyond a minimum protection distance. All such scenarios are covered by the concept of compound channels.

Assuming [4] and [5] to be the uncertainty sets for Bob’s and Eve’s channels yields a compound wiretap channel that reflects two practically relevant points: First, Eve’s desire is to be confidential so that only minimal CSI is available to Alice. It might be known only that Eve is beyond a certain protection distance, as noted above. And second, Bob on the other hand wants to maximize the rate and, accordingly, is willing to share his CSI with Alice. However, due to practical limitations only a channel estimate is available, resulting in additive uncertainty. This model is studied in ref. 27.

Determining the secrecy capacity of the compound wiretap channel is a challenging task and it is known only for certain special cases. For degraded channels, i.e., for which each potential eavesdropper channel realization is a degraded version of all possible legitimate channel realizations, the secrecy capacity has been established in refs. 16 and 26 for discrete memoryless channels and in ref. 26 for MIMO Gaussian channels. The compound MIMO wiretap channel above with uncertainty sets [4] and [5] is not degraded and is one of the few examples for which the secrecy capacity has been established for the nondegraded case:CS=maxtr(𝑸)≤P(min𝑯B∈ℋB12logdet(𝑰+𝑯B𝑸𝑯BT)−max𝑯E∈ℋE12logdet(𝑰+𝑯E𝑸𝑯ET)).

The analysis reveals the characteristic structure of secure communication under channel uncertainty. The maximum transmission rate is limited by the worst channel to Bob and by the best channel to Eve. This result confirms the intuition that for guaranteeing reliable and secure communication, one has to be prepared for the worst channel conditions. This result further shows how the performance degrades because of channel uncertainty.

Fading Wiretap Channels.

In the above discussion, the channel has been considered to be fixed during the entire duration of transmission. In particular, for the previously discussed Gaussian wiretap channel, the multiplicative channel gains hB and hE in [2] are constant. For wireless channels this is rarely the case because multipath propagation and interference usually result in changing communication conditions, particularly for mobile networks. This phenomenon is known as fading. In such an environment, the input–output relations of the channels are typically modeled asYB,i=hB,iXi+NB,i and YE,i=hE,iXi+NE,i,where all hB,i, hE,i, NB,i, and NE,i are mutually independent. Here, hB,i and hE,i are fading coefficients that characterize the communication conditions at channel use i. The input signal is subject to an average power constraint 1n∑i=1n𝔼[Xi2]≤P and the noise processes, which are independent from channel use to channel use, are Gaussian with zero means and variances σB2 and σE2 respectively, as before.

For ergodic fading channels, the fading coefficients are independent and identically distributed and are allowed to change from channel use to channel use. Thus, Alice, Bob, and Eve might experience a different fading state for each channel use. Assuming that all terminals have perfect CSI about the current fading state, so-called instantaneous CSI, the ergodic secrecy capacity has been studied in ref. 28 and is given asCS=max𝔼A[γ]≤P𝔼A[12log(1+γ|hB|2σB2)−12log(1+γ|hE|2σE2)]with γ the power allocation (to be explained below) andA={(hB,hE):|hB|2σB2>|hE|2σE2}[6]so that the expectation is taken over all fading realizations in which Bob experiences a better channel in terms of signal-to-noise ratio than Eve; i.e., 𝔼A[⋅] denotes the expectation over all (hB,hE)∈A.

The key idea behind this result is that the instantaneous CSI allows one to decompose the fading channel into a set of parallel and time-invariant channels. Now, each fading realization corresponds to a particular wiretap channel and it remains to determine the optimal power allocation γ between all these parallel wiretap channels. Obviously, power is allocated only to those fading realizations in which Bob experiences a better channel than Eve [6]. The fading wiretap channel has been intensively discussed in refs. 28⇓–30. In ref. 31 a layered decoding and secrecy approach is discussed, which adapts to the channel quality without requiring perfect CSI.

Having a closer look at the secrecy capacity of the (static) wiretap channel and the fading wiretap channel, one observes the following. Whereas for the (static) wiretap channel secure communication is possible only if Bob has a better channel than Eve, i.e., |hB|2/σB2>|hE|2/σE2, for the fading wiretap channel it suffices to have ℙ{|hB|2/σB2>|hE|2/σE2}>0 to have a positive secrecy capacity. Thus, interestingly, fading is actually beneficial for communicating confidential information. Even if Eve’s channel is better than Bob’s on average, the ergodic secrecy capacity is positive, because whenever Bob experiences a better channel than Eve instantaneously (which will happen infinitely often), this fading realization can be exploited for secure communication.

Broadcast Channel.

The broadcast channel describes the communication scenario in which one sender transmits information to several receivers. For example, this channel describes the downlink phase of a cellular communication system in which a base station transmits data to several mobile users.

The broadcast channel with confidential messages models the communication scenario in which one transmitter Alice transmits a common message M0 to two receivers Bob 1 and Bob 2 and a confidential message M1 to one receiver, say Bob 1, which must be kept secret from the other one. Thus, Bob 2 is a legitimate receiver for the common message M0 and, at the same time, an eavesdropper for the confidential message M1. This scenario models situations, for example, in which some (basic) content is multicast while other (premium) content is unicast. It was introduced by Csiszár and Körner (18) and is depicted in Fig. 3. Here, instead of a single secrecy capacity, we have a region of possible reliable rates R0 for the common message and secrecy rates R1 for the confidential message. The secrecy capacity region has been established and is given by all rate pairs (R0,R1) that satisfyR0≤min{I(U;Y1),I(U;Y2)}R1≤I(V;Y1|U)−I(V;Z|U)for random variables U−V−X−(Y1,Y2). The basic coding idea for achieving this rate region is based on a combination of superposition coding and wiretap coding. The common message M0 designated for both receivers is encoded first and represented by the auxiliary random variable U. As M0 must be decoded at both receivers, the corresponding rate is limited by the weaker of the channel qualities to Bob 1, i.e., I(U;Y1), and to Bob 2, i.e., I(U;Y2). Then, superimposed on that, the confidential message M1 is encoded in V according to the same principle as for the wiretap channel discussed above. Accordingly, the confidential rate is limited by a similar difference of both channel qualities but conditioned on U because the common message is known at both receivers.

• Download figure
• Open in new tab
• Download powerpoint

Fig. 3.

Broadcast channel with confidential messages.

In a similar way to that for the wiretap channel, the broadcast channel with confidential messages has been subsequently extended into several directions as well, including MIMO Gaussian channels (32), channels with partial CSI (33), and fading channels (28).

Multiple-Access Channel.

The multiple-access channel is the counterpart to the broadcast channel: Multiple senders transmit information to a single receiver. An example of where this occurs is in the uplink phase of a cellular system in which several mobile users transmit data to a base station.

In a multiple-access channel with confidential messages two senders Alice 1 and Alice 2 transmit confidential messages M1 and M2 to a single receiver Bob. Each transmitter overhears the transmission of the other one so that Alice 1 and Alice 2 must send their confidential messages such that they are decodable by Bob but leak no information to the other transmitter. This situation is visualized in Fig. 4. Again, we have a region of secret rates for the two users’ messages. Inner and outer bounds on this region have been derived in ref. 34, although the secrecy capacity region itself remains unknown.

• Download figure
• Open in new tab
• Download powerpoint

Fig. 4.

Multiple-access channel with confidential messages.

A slightly different setting is given by the multiple-access wiretap channel in which both transmitters are trustworthy but their communication must be secured from an external eavesdropper. This situation has been studied, for example, in refs. 35 and 36. Similar to the multiple-access channel with confidential messages the secrecy capacity region is unknown and only inner and outer bounds have been established so far.

Interference Channel.

The interference channel describes the communication scenario in which multiple transmitter–receiver pairs interfere with each other. Each sender is interested only in transmitting information to its designated receiver. However, due to the open nature of the wireless medium, the transmitted signals are received not only by the intended receivers but also by the other users.

The interference channel with confidential messages considers two transmitters Alice 1 and Alice 2 who wish to transmit their confidential messages M1 and M2 to their respective receivers Bob 1 and Bob 2. Because both transmissions interfere with each other, each transmitter must encode and transmit its message in such a way that it is kept secure from the counterpart receiver. This is shown in Fig. 5. Inner and outer bounds on the secrecy capacity region for this channel have been established in refs. 37 and 38.

• Download figure
• Open in new tab
• Download powerpoint

Fig. 5.

Interference channel with confidential messages.

A different communication scenario is given by the cognitive interference channel with one common and one confidential message. Here, the common message is known to both transmitters and must be conveyed to both receivers whereas the confidential message is known only at one transmitter and must be conveyed to its respective receiver, keeping the other receiver ignorant of it. Unlike the other interference scenarios, the secrecy capacity region is known in this case (39).

Relay Channel.

The aim of a relay is to support the communication between a transmitter and a receiver. Relays are used, for example, for coverage and range extension or to increase the maximal transmission rate.

The relay channel with confidential messages considers the scenario in which the sender Alice wishes to transmit a confidential message to receiver Bob. The transmission is supported by an untrusted relay so that Alice must encode and transmit the message in such a way that the relay is able to help the communication, but does not get any information about the message. This has been studied in refs. 40 and 41.

The relay channel with an external eavesdropper differs from the previous scenario by having a trusted relay, but the confidential transmission must be secured against an external eavesdropper. This situation is considered in ref. 42.

Public Discussion.

Secret-key generation using public discussion was first considered simultaneously by Ahlswede and Csiszár (45) and Maurer (46). In this setting the two terminals Alice and Bob observe correlated versions YAn and YBn of a common random source. Based on these observations both terminals want to agree on the same secret key; i.e., ℙ{KA≠KB}→0 as n→∞, where KA and KB are secret keys generated at Alice and Bob, respectively. To do so, they are allowed to exchange unlimited information (in multiple iterations) via a noiseless public channel. However, this channel is eavesdropped upon so that whatever is exchanged via public discussion must not reveal any information about the secret key itself. This condition is modeled similarly to the wiretap channel by adopting a strong secrecy criterion,I(Φ;KA,KB)⟶n→∞0,where Φ denotes the public discussion over the public channel. In other words, the secret key must be independent of the public discussion. This scenario is shown in Fig. 6.

• Download figure
• Open in new tab
• Download powerpoint

Fig. 6.

Secret-key generation.

The aim is now to determine the secret-key capacity, which characterizes the maximal rate at which secret keys can be generated. In refs. 45 and 46 it has been shown that for the case of unlimited public communication, the secret-key capacity isCK=I(YA;YB).[7]Moreover, it has been shown that this rate can be achieved by a single one-way communication from Alice to Bob.

The crucial idea for generating a uniformly distributed secret key of rate [7] is based on Slepian–Wolf coding (5) and can be outlined as follows. All sequences YAn that can be observed by, say, Alice are divided into bins, with each one containing 2nI(YA;YB) sequences. Now, when Alice observes YAn, she sets the secret key to the index of the particular sequence and sends only the bin index (but not the index of the sequence itself) over the noiseless channel to Bob. Based on the Slepian–Wolf coding idea, having observed YBn this bin index is sufficient for Bob to infer the other observation YAn. Thus, Bob is able to choose the same secret key as Alice. As the bin index and the sequence index are independent, no information about the secret key is leaked to Eve.

In the previous model, Eve was able to eavesdrop upon the public communication only over the noisy channel. This has been extended by allowing Eve to further observe its own correlated observation YEn of the common random source as depicted in Fig. 6. Whereas for the previous scenario the secret-key capacity is known, this is no longer the case when Eve has observed her own realization. Only upper and lower bounds on the secret-key capacity CK are known: I(YA;YB)−min{I(YA;YE),I(YB;YE)}≤CK≤min{I(YA;YB),I(YA;YB|YE)}. Although arbitrary information exchange between Alice and Bob is allowed in principle, the lower bound is achieved by a one-way communication from Alice to Bob or Bob to Alice only. Comparing this rate with the rate in [7], it can be interpreted as the maximum secret-key rate I(YA;YB) that can be generated minus some information leakage min{I(YA;YE),I(YB;YE)} to Eve. This reveals the same structure as that for the secrecy capacity of the wiretap channel in [1]. However, it is possible to control whether information is leaked from Alice, I(YA;YE), or from Bob, I(YB;YE).

In the above setting, the public communication was unlimited in the sense that no restrictions on the corresponding communication rate have been made. In practical applications, however, there might be such restrictions that then result in a certain degradation in secret-key capacity (47).

Wireless Channels.

Now we extend the previous discussion on secret-key generation based on public discussion to the practically relevant case of wireless channels. We will see that wireless channels themselves can serve as sources of common randomness, making previous concepts applicable (43, 48, 49).

The scenario is the same: Two terminals Alice and Bob want to generate a secret key, keeping an eavesdropper Eve in the dark. Both terminals can transmit over a wireless fading channel and can further use a noiseless public channel for public discussion. Eve overhears the transmissions over the wireless channel and also eavesdrops upon the public discussion. The crucial idea is to exploit the reciprocity of the wireless channel to obtain correlated observations of the common fading channel. Then the key can be generated as discussed above.

When Alice transmits a signal XA over the wireless channel, the received signals YB at Bob and YE at Eve areYB=hABXA+NB and YE=hAEXA+NEwith hAB and hAE the channel gains between Alice and Bob and Eve, respectively. NA and NB are additive Gaussian noise terms with zero means and variances σ2. Alternatively, when Bob transmits a signal XB, the received signals YA at Alice and YE at Eve are YA=hBAXB+NA and YE=hBEXB+NE.

If both transmissions happen in the same frequency band and within the coherence time of the channel, it is reasonable to assume that the channel between Alice and Bob is reciprocal; i.e., hAB=hBA. Even if the channel is not perfectly reciprocal, it suffices to obtain correlated versions that are useful for the following secret-key generation process. Moreover, as Eve’s location is assumed to be different from Alice’s and Bob’s, the transmitted signals experience different transmission conditions, resulting in channel observations hAE and hBE at Eve that are independent of hAB and hBA.

In a first phase, Alice and Bob send training signals that allow each terminal to estimate its channel h∼AB and h∼BA. If the training symbols are sent within the channel coherence time T, Alice and Bob are able to obtain correlated versions of the common channel gain. This allows both terminals to use the same protocol: They can agree on a secret key by using the correlated versions of the common channel gain and by using the public channel for exchanging information based on Slepian–Wolf coding. Then a secret key of rateRK=1TI(h∼AB;h∼BA)=12Tlog(1+σ14P2T24(σ4+σ2σ12PT))[8]can be generated. The expression [8] reveals that the secret-key rate depends on the transmit power P as well as the coherence time T of the channel. As expected, with increasing power P the secret-key rate increases as well. However, with increasing coherence time T the secret-key rate decreases and approaches zero. Thus, from a secrecy perspective, a rapidly varying channel is beneficial whereas a slowly varying channel or a channel that is almost constant results in a low key rate.