High-Rate Secret Key Generation Using Physical Layer Security and Physical Unclonable Functions

Physical layer security (PLS) can be adopted for efficient key generation and sharing in secured wireless systems. The inherent random nature of the wireless channel and the associated channel reciprocity (CR) are the main pillars for realizing PLS techniques. However, for applications that involve air-to-air (A2A) transmission, such as unmanned aerial vehicle (UAV) applications, the channel does not generally have sufficient randomness to enable reliable key generation. Therefore, this work proposes a novel system design to mitigate the channel randomness constraint and enable a high-rate secret key generation process. The proposed system integrates physically unclonable functions (PUFs) and CR to generate and exchange secret keys between two nodes securely. Moreover, an adaptive and controllable artificial fading (AF) level with interleaving is used to mitigate the impact of low randomness variations in the wireless channel. Moreover, we propose a novel bit extraction scheme to reduce the number of overhead bits required to share the intermediate keys. The obtained Monte Carlo simulation results show that the proposed system can operate efficiently even when the channel is nearly flat or time-invariant. Consequently, the time required for generating and sharing a key is significantly shorter than conventional techniques. Furthermore, the results show that a key agreement can be reached at the first trial for moderate and high signal-to-noise ratios (SNRs) substantially faster than other PLS techniques. Adopting the AF into static channels managed to reduce the mismatch ratio between the generated secret sequences and degrade the eavesdropper’s capability to predict the secret keys.

highly correlated with the development of Internet of Things (IoT) technology, and UAVs are currently considered an integral element of IoT infrastructure where they are used for data collection, relaying, data distribution, etc. [2].
Multiple UAVs can be jointly assigned a remote mission requiring secure data communications in specific applications. For such applications, physical layer security (PLS) can be considered attractive due to the limited computational power and tight energy budget of the UAVs. In particular, PLS can facilitate the key generation and distribution processes and reduce the overhead signaling required for other key distribution techniques [3]. PLS techniques can be generally divided into two main categories: signal to interference plus noise ratio (SINR)-based and complexity-based PLS. The main focus of this work is the complexity-based PLS, which is associated with extracting and sharing a secret sequence by utilizing the shared channel between legitimate users. PLS mechanisms leverage wireless channels' random and reciprocal characteristics to achieve information-theoretical security [4]. Most existing complexity-based PLS schemes are designed for systems that adopt time division duplexing (TDD) to enable utilizing the channel reciprocity (CR) [3], [5], [6]. PLS generally requires rich and dynamic wireless channels. The richness of the channel is required to enable reliable key generation, while the channel dynamics are required to maximize the difference between consecutive keys. Consequently, the channel information in time [7], [8], frequency [5], [9] and space domains [10], [11] can be utilized to enable reliable key generation.
To enhance the security and randomness levels of complexity-based PLS systems, physically unclonable functions (PUFs) can be added as a second layer of security. The concept of PUFs was first introduced in [12]. The idea is that the integrated circuits (ICs) have a uniqueness in their physical structure inherited from inevitable variations during the fabrication process. These unique characteristics are unpredictable before the end of the manufacturing process and can be considered as device fingerprints. Due to their physical unclonability and high resistance to reverse engineering, PUFs have shown great promise as hardware identification primitives for cryptography applications such as authentication and secret key generation (SKG) [13]. The unclonability of PUFs means that it is infeasible to reproduce the same physical structure for a given fabrication procedure [14]. Moreover, compared to traditional cryptography techniques, PUFs require significantly less computational capacity as there is no need for permanent storage to secure the generated secret keys [15], [16]. PUFs are commonly characterized by a set of challenge-response pairs (CRPs) based on the unique circuit variations. The PUF response for a certain challenge that is measured under certain conditions, such as temperature and voltage, is called the "original response." The obtained responses from a PUF are sensitive to the environmental changes and physical conditions where the device is being tested. In other words, the readings from the PUFs are not perfectly reproducible. Therefore, error correction mechanisms such as fuzzy extractors are used to correct the mismatches with the original response [16].
The integration of a PUF in any system requires one of the users to have a PUF circuit and the other to have the PUF emulator. The emulator can be realized as a CRP table, which is generated and shared before the communication process [15]. Such tables correspond to a subset of the complete list of the PUF CRPs. However, using tables has several limitations, particularly scalability. To alleviate the need for tables, extensive research is currently being devoted to associating the PUF with a particular secret model that emulates the PUF CRP behavior. For example, the secret model in the case of an arbiter PUF would be the delays of the individual stages [15]. It is also worth noting that the PUF CRPs depend on certain parameters such as temperature and voltage. Therefore, the PUF and its emulator might have some differences. However, for a well-designed PUF, the difference is small and can be generally eliminated using forward error correction schemes, which are also called secure sketch or error reconciliation schemes in this context.

A. RELATED WORK
Complexity-based PLS techniques are used for key generation by exploiting the inherent randomness of the channel and the principle of CR between the transmitter and receiver [3], [17], [18]. Unlike classical key distribution techniques, PLS does not involve the direct exchange of keys. Therefore, it is difficult for eavesdroppers to tap the key. PLS-based SKG is explored in the literature for various networks and channel settings [17], [19], [20], [21]. In [19], [20], [21] and the references listed therein, SKG is studied for static and dynamic environments. The dynamic environments have high temporal variations that enable generating keys with high entropy, which leads to a high key generation rate (KGR). SKG is a challenging task in poor scattering environments where the channel randomness or variations are limited due to the channel's large coherence time or wide coherence bandwidth. Consequently, the key generation process, which requires strong time or frequency variations, will mostly fail, causing a low KGR. In [20], the authors conducted an experiment inside an underground concrete tunnel to exclude most external interference sources and the effects of channel variation due to any surroundings' mobility. The obtained KGR was extremely low, about one 256-bit key every 7 minutes. In addition to the failure of the key generation process, the dominance of the independent hardware noise, i.e., additive white Gaussian noise (AWGN), at the legitimate nodes over the time or frequency selectivity of the channel increases the key mismatch probability considerably. In the literature, several approaches were proposed to overcome such challenges, which include using relays [22], multiple-input multiple-output (MIMO) [23], intelligent reflective surface (IRS) [24], or inducing artificial randomness [25]. In [26], [27], opportunistic randomized beamforming with a diversity mechanism is proposed.
Generating artificial interference for the eavesdropper is presented in [28], [29]. An induced randomness for SKG is studied in [6] for static channels. However, the work considers that the eavesdropper's channel is independent of the legitimate users' channel, which is not generally a valid assumption in several cases of interest. Moreover, the induced randomness is not common among the system users, and its level is not guaranteed or adaptive. This can lead to high estimation errors or extra complexity, which can be avoided in the case of high channel randomness. In [26], the authors propose using IRS with discrete phase shifts for SKG. The channel coefficients are used to generate the secret keys.
Furthermore, in the existing PLS work with poor scattering or static environments, it is assumed that the legitimate users' channel is independent of the eavesdropper channel, given that the legitimate users are at least half a wavelength apart. However, this assumption is valid only in sufficiently rich scattering environments. In free space communications, which have poor scattering environments, such as air-to-air (A2A) and air-to-ground (A2G) channels, there might be a strong correlation between the channels of the legitimate and illegitimate users, even when there are large distances between the users [30]. Therefore, propagation environment reconstruction attacks can estimate the legitimate channel parameters with high accuracy [31].
The research on PUF in wireless communications applications is employed for node identification, authentication [32], and SKG [32], [33], [34], [35], [36]. In [33], quaternary PUF responses are used for key generation along with polar codes to ensure the secrecy leakage is low. The authors in [34] propose a method to produce reliable keys on field programmable gate arrays (FPGAs). The design uses a lookup table based on SLICEL components, which enables fine-tuning of the Hamming weight of the PUF and increases the generated key uniqueness. A switched capacitor PUF is proposed in [35], which promises to provide a stable key for chip security with the use of metal blocks as a protective coating. An authentication and key establishment protocol based on PUF is proposed in [32].
Ideally, PUFs are unclonable. However, practical implementations have been prone to attacks such as physical cloning [37], side channel and reliability information-based attacks [38], machine learning (ML)-based modeling attacks [39], etc. The modeling attacks pose a greater threat than other attacks because, in most cases, they do not require auxiliary information and can be based only on transmitted CRPs or leaked information during the exchange of data in the different stages of the SKG protocol. ML algorithms, such as logistic regression (LR), artificial neural network (ANN), support vector machine (SVM), etc., were applied successfully in various scenarios. Several solutions have been proposed in the literature to address the ML attack of PUFs. For example, in [40], S-box transformation is introduced as an additional nonlinear operation to enhance the PUF resilience to modeling attacks. Other techniques are also proposed in [41], [42]. These mechanisms increase the implementation complexity and, consequently, the required energy and area cost, which is infeasible for resource-constrained UAV networks.

B. MOTIVATION AND CONTRIBUTIONS
As can be noted from the cited literature, the references listed therein, and to the best of the authors' knowledge, line-of-sight (LoS) and poor scattering environments are considered the main obstacles for adopting PLS in practical systems, particularly UAV networks. In UAV communications, the channels between the legitimate users and eavesdroppers can be correlated or have a low entropy, which is highly probable in air-to-air channels. Therefore, the assumption that the channel is time or frequency-selective is generally weak. Consequently, the key generation rate becomes slow, which may jeopardize the system's security. To address this, this paper proposes a novel framework for high-rate SKG based on PLS by incorporating artificial fading (AF) and PUFs. The synergy of PLS and PUFs will increase resilience to ML modeling attacks because no CRPs are required to be transmitted over the air. Furthermore, in the proposed SKG, the number of side-channel transmissions is reduced, which decreases the chance for eavesdroppers to collect more information to model the PUF. The main contributions of this work are:
1) Propose a novel SKG protocol based on the integration of PUF and CR. The proposed SKG protocol resolves the issue of static channels in the context of PLS with the aid of PUFs, which can enhance the reliability of the SKG process and increase the KGR. In the proposed SKG, CR between the legitimate users is used to generate a challenge at the communicating nodes, which is applied to the PUF or PUF emulator to generate the ultimate key.
2) Propose a novel mechanism to enhance the randomness level of PLS systems in static or low scattering environments. The proposed scheme, called AF, introduces common signal variations between legitimate nodes. The AF is an interleaved version of the channel frequency response (CFR) of the previously successful SKG session where a key agreement is achieved. The interleaving process of the CFR will significantly reduce the eavesdropper's capability to accurately estimate the legitimate users' channel, even if it could locate itself close to a legitimate user.
3) Propose an efficient bit extraction (BE) scheme by modifying the adaptive secret bit extraction (ASBE) [20]. The new BE technique can reduce the number of transmissions between the nodes and reduce the required number of side-information bits.
4) The considered PUF is realized using a configurable ring oscillator (RO), which is implemented using FPGA, and its properties are validated. The numerical results for the proposed and conventional SKG are compared in terms of randomness, key mismatch

C. PAPER ORGANIZATION
The rest of the paper is organized as follows. Section II describes the signal and channel models. The intermediate key generation and sharing protocol is detailed in Section III. The proposed AF, BE, and PUF-based key generation are explained in Section IV. The numerical evaluation is presented and discussed in Section V. Section VI concludes the paper.

II. SIGNAL AND CHANNEL MODELS
This work considers two legitimate users, Alice and Bob, who aim to establish a secure and common key through an authenticated multipath wireless channel. An eavesdropper, Eve, can passively listen to all communications between Alice and Bob and intends to predict the generated key. The system model is shown in Fig. 1. Orthogonal frequency-division multiplexing (OFDM) with N subcarriers is adopted for the transmission where Alice, Bob, and Eve can transmit and receive OFDM signals. Every user is assumed to be equipped with a single antenna.
The key generation process should be initiated by one of the legitimate users, i.e., Alice or Bob, and then the negotiation to generate the secret key starts. Assuming that Alice starts the key generation process, she should send an OFDM symbol to Bob. The transmitted OFDM symbol is generated by applying the data symbols' vector $x_A$, generated by applying M-quadrature amplitude modulation (QAM) to a bit sequence $b_A$, to an N-point inverse discrete Fourier transform (IDFT). Then, a cyclic prefix (CP) no less than the maximum delay spread is added as a preamble to prevent inter-symbol interference (ISI). In all OFDM transmission standards, certain subcarriers are modulated using pilot symbols for channel estimation and synchronization purposes. Therefore, the vector $x_A$ may consist of data and pilot symbols. The symbols $x_A^n\ \forall n$ are selected from an arbitrary constellation diagram and are considered to have unit average power, i.e., $E[|x_A^n|^2] = 1$, where $E[\cdot]$ denotes the statistical expectation. For simplicity, we consider the quadrature phase shift keying (QPSK) modulation scheme. In this work, we consider that the pilot symbols are generally distributed following the long-term evolution (LTE) resource block structure [43, Fig. 1]. The set of pilots is denoted by the vector . At Bob's receiver, the CP is removed, and discrete Fourier transform (DFT) is used to separate and extract the symbols from the subcarriers. Assuming the channel is quasi-static, i.e., the channel remains fixed during one OFDM symbol period, and the CP is larger than the maximum delay spread of the channel [44], the DFT output at Bob's receiver can be represented as is the AWGN vector whose elements are independent and identically distributed (i.i.d.) and $w_B^n \sim \mathcal{CN}(0, 2\sigma_w^2)$. The channel matrix $G_{AB} \in \mathbb{C}^{N \times N}$ is the CFR matrix, which is given by and where $g^i$ denotes the $i$th multipath component gain and $Q+1$ represents the number of multipath components. The fading gains $g_{AB}^i$, $i \in \{0, 1, \ldots, Q\}$, are considered independent. Therefore, the envelope of the channel matrix elements is Rician, and the channel frequency selectivity depends on the gain and delays of the channel multipath components $g_{AB}^i$. More specifically A special case of interest is when the fading factor $K = 0$, which corresponds to the Rayleigh fading scenario. It is worth noting that the diagonal elements in $G_{AB}$, $d_{AB}$, are correlated with a correlation factor that depends on $g_{AB}^i\ \forall i$ [45]. Because Alice's signal is transmitted over a broadcast channel, Eve will also receive a copy, which can be written as where $G_{AE}$ is the CFR from Alice to Eve. Under the same assumptions and conditions, and in a similar fashion, Bob sends to Alice the vector $x_B$, and the DFT output at Alice can be written as where $G_{BA}$ is the CFR matrix from Bob to Alice. The IDFT output at Eve can be expressed as where $G_{BE}$ is the CFR matrix from Bob to Eve. The DFT outputs $r_A$ and $r_B$ can be used to obtain the channel state information (CSI) for both channels, i.e., $G_{AB}$ and $G_{BA}$. The process typically starts by estimating the CFR at the pilot subcarriers using techniques such as the least-square (LS) or minimum mean-square error (MMSE). Then interpolation can be used to compute the channel gains at the data subcarriers [46]. The communications between Alice and Bob are assumed to be conducted using TDD where the coherence time of the channel is larger than the TDD frame. In such scenarios, the channel reciprocity principle can be incorporated to consider that $G_{AB} = G_{BA} \triangleq G$ [4], [20], [47], [48], [49]. Moreover, given that Eve is located at a relatively far distance from Bob, then $G_{AB} \neq G_{AE}$. Consequently, Alice and Bob are the only nodes who know $G$. Therefore, Alice and Bob can use $G$ to generate a secret key on both sides and use it for secure communications [5], [6], [50].

III. INTERMEDIATE KEY GENERATION AND SHARING
Conventional PLS-based SKG is described extensively in the literature. Hence, it is stated briefly in this section for the sake of completeness and to simplify the presentation of the proposed framework. The keys generated in this work can be classified as intermediate and final keys. The intermediate keys can be generated using various PLS key-sharing techniques described in the following subsections. The intermediate keys go through the second processing stage to generate the final keys using PUFs. The intermediate key generation and sharing processes using PLS can be briefly described as follows:

1) CHANNEL PROBING
The channel probing aims at estimating $G_{AB}$ and $G_{BA}$, or more specifically $d_{AB}$ and $d_{BA}$. The process starts when Alice transmits $x_A$ to Bob, who computes $r_B$ and uses it to estimate $d_{AB}$ as described in Section II. This work uses the LS method to estimate the channel coefficients at the pilot symbols. Then linear interpolation is used to obtain the coefficients at the data subcarriers. Similarly, Bob transmits $x_B$ within the same TDD frame and Alice computes $r_A$ and estimates $d_{BA}$.

2) INTERMEDIATE KEY GENERATION
Once the vectors $d_{AB}$ and $d_{BA}$ are estimated, they can be used to generate the intermediate keys, which are denoted by $q_A$ and $q_B$, respectively. In PLS, both the phase and amplitude of the channel coefficients can be used to extract the key bits from $d$. Nevertheless, the phase is more sensitive to hardware imperfections, so the amplitude is considered more attractive. Therefore, the amplitude, or equivalently the received signal strength (RSS) for QPSK or binary phase shift keying (BPSK) modulation schemes, $\zeta = |r|$, is typically used to generate the bits of $q_A$ and $q_B$. Therefore, In the literature, the BE algorithm proposed in [20], named ASBE, has received significant attention due to its ability to generate high entropy bits at a high bit rate. Nevertheless, the algorithm performance may deteriorate significantly in static or flat-fading channels where it might take about 7 minutes to generate a 256-bit key [20]. Moreover, Alice and Bob must exchange the indices of the subcarriers that were dropped during the BE process, which can be considered a significant overhead. Furthermore, it causes some information leakage about the key. To address the disadvantages of ASBE, we propose a BE mechanism in Section IV, which has less transmission overhead, a low number of side-channel transmissions, and is computationally more efficient.

3) ERROR RECONCILIATION AND VERIFICATION
For reliable communications, the keys $q_A$ and $q_B$ should be identical. However, the BE process is prone to errors due to AWGN, imperfect CSI estimation, and hardware mismatch. Therefore, additional processing is necessary to guarantee that $q_A = q_B$, and both users should verify that they have identical keys. The verification process can be realized using cyclic redundancy check (CRC) where Alice generates the CRC bits and Bob verifies and acknowledges the CRC process outcome [51]. Therefore, Alice computes the CRC bits of $q_A$, denoted as $c_{q_A}$, and sends them to Bob. The error reconciliation eliminates discrepancies between $q_A$ and $q_B$. In this work, we adopt the code-offset secure sketch proposed in [6], and Bose-Chaudhuri-Hocquenghem (BCH) codes are used as the underlying coding scheme.
The process starts when Alice randomly selects a codeword $v_{q_A}$ from the codebook of the corresponding BCH code, and then computes where $v_{q_A}$ is a codeword with the same length as $q_A$ and $\oplus$ is the exclusive or (XOR) operation. The vector $s_q$ is then modulated and transmitted to Bob.
Because $q_A$ and $q_B$ are not necessarily equal, we can write $q_A = q_B \oplus \varepsilon$, where $\varepsilon$ is the error pattern that represents the differences between $q_A$ and $q_B$. Therefore, $\varepsilon_i = 1$ if At Bob's side, Bob demodulates the received sequence, extracts the data bits, and computes, wheres q 1 is the demodulated version of s q 1 andε is the error vector due to the transmission and reception operations, and ϕ = ε ⊕ε. Then $\tilde{v}_{q_A}$ is applied to the BCH decoder to produce the estimated version of the random codeword $v_{q_A}$, denoted as $\hat{v}_{q_A}$. Finally, the estimated error pattern can be computed as $\hat{\phi} = \tilde{v}_{q_A} \oplus \hat{v}_{q_A}$. Consequently, the key at Bob can be updated such that $q_B = q_B \oplus \hat{\phi}$. Given that the Hamming weight of $\hat{\phi}$ is less than the error correction capability of the code, then we obtain $q_A = q_B$. Once $q_B$ is computed, $c_{q_B}$ is computed and compared to the received version of $c_{q_A}$, and if they are equal, Bob sends an acknowledgment to Alice, and $q_A$ and $q_B$ are then considered as the intermediate keys. Otherwise, a negative acknowledgment is sent. In this case, steps 1 to 3 are repeated until a key agreement is achieved.
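The code-offset reconciliation and CRC verification described above, as an added Python example that is not code from the paper. Assumptions: the BCH(63, 7) codebook is derived from the field polynomial x^6 + x + 1 and decoded by exhaustive nearest-codeword search rather than an algebraic BCH decoder, the CRC is zlib's CRC-32 (the text names no polynomial), the public channel is error-free, and the keys are constructed sample data.

```python
import random
import secrets
import zlib

N, K, T = 63, 7, 15   # BCH(63, 7): 63-bit codewords, corrects up to 15 bit errors
# Check polynomial h(x) = (x + 1)(x^6 + x^5 + 1) = x^7 + x^5 + x + 1.
# Assumption: GF(64) is built on x^6 + x + 1; the text does not state it.
H_POLY = 0b10100011


def gf2_divmod(num, den):
    """Divide polynomials over GF(2); bit i of an int is the coefficient of x^i."""
    quo = 0
    while num.bit_length() >= den.bit_length():
        shift = num.bit_length() - den.bit_length()
        quo ^= 1 << shift
        num ^= den << shift
    return quo, num


def gf2_mul(a, b):
    """Multiply polynomials over GF(2) (carry-less multiplication)."""
    out = 0
    while b:
        if b & 1:
            out ^= a
        a <<= 1
        b >>= 1
    return out


# Generator g(x) = (x^63 + 1) / h(x) has degree 56; codewords are m(x) g(x).
G_POLY, REMAINDER = gf2_divmod((1 << N) | 1, H_POLY)
CODEBOOK = [gf2_mul(m, G_POLY) for m in range(1 << K)]


def weight(x):
    """Hamming weight of a bit vector stored as an int."""
    return bin(x).count("1")


def bch_decode(word):
    """Nearest-codeword search over all 128 codewords (stand-in for an
    algebraic decoder); exact whenever at most T bits are wrong."""
    return min(CODEBOOK, key=lambda c: weight(word ^ c))


def crc_tag(key):
    """CRC bits of a 63-bit key; CRC-32 is an assumption."""
    return zlib.crc32(key.to_bytes(8, "big"))


def alice_sketch(q_a, rng=None):
    """Alice: mask q_A with a random codeword, return (s_q, c_qA) for Bob."""
    rng = rng or secrets.SystemRandom()
    v = rng.choice(CODEBOOK)
    return q_a ^ v, crc_tag(q_a)


def bob_reconcile(q_b, s_q, c_qa):
    """Bob: estimate the error pattern, correct q_B, verify with the CRC."""
    v_tilde = s_q ^ q_b               # codeword XOR (q_A XOR q_B)
    v_hat = bch_decode(v_tilde)       # estimated codeword
    phi_hat = v_tilde ^ v_hat         # estimated error pattern
    q_b_fixed = q_b ^ phi_hat
    return q_b_fixed, crc_tag(q_b_fixed) == c_qa   # True = ACK, False = NACK


def flip(bits, positions):
    """Flip the listed bit positions (models mismatches between q_A and q_B)."""
    for p in positions:
        bits ^= 1 << p
    return bits


if __name__ == "__main__":
    rng = random.Random(2023)         # seeded only to make the demo repeatable
    q_a = rng.getrandbits(N)          # constructed intermediate key
    for n_err in (0, 5, 15):
        q_b = flip(q_a, rng.sample(range(N), n_err))
        s_q, c_qa = alice_sketch(q_a, rng)
        fixed, ack = bob_reconcile(q_b, s_q, c_qa)
        print(f"{n_err:2d} mismatched bits -> ACK={ack}, keys equal={fixed == q_a}")
```

Anyone who observes s_q can narrow q_A to the 128 candidates s_q XOR c, one per codeword, so with this code the sketch leaves at most 7 bits of a 63-bit q_A unknown to an observer.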

IV. PROPOSED ARTIFICIAL FADING, BIT EXTRACTION, AND PUF-BASED FINAL KEY GENERATION

A. PROPOSED ARTIFICIAL FADING
Because most PLS techniques require high channel randomness to provide a reliable key generation process, flat and slow fading channels are challenging operating channels. To resolve this issue, we propose using AF, where a frequency-selective fading channel is emulated and used at the transmitter side. The AF is mathematically similar to the widely-known pre-equalization process [52] but different in that the current and pre-equalization channels can be independent.
To implement the AF process, consider a pre-designed fading channel whose channel matrix, denoted as $\dot{G}$, can be represented as a diagonal matrix where the diagonal elements can be expressed by the vector $\dot{d} = [\dot{d}_0, \dot{d}_1, \ldots, \dot{d}_{N-1}]$. Therefore, the DFT output at any user's receiver can be written as $r = G\dot{G}x + w$. Because $G$ and $\dot{G}$ are diagonal matrices, their product $G\dot{G}$ is also a diagonal matrix whose diagonal elements vector can be written as the element-wise product $d\dot{d}$. Given that the adjacent elements in $d$ are correlated, and similarly in $\dot{d}$, then the elements of $d\dot{d}$ will also be correlated. Consequently, all users can estimate the CSI using conventional approaches as described in Section II. In the worst case that the channel is purely flat, i.e., $d_i = 1\ \forall i$, then $d\dot{d} = \dot{d}$, which corresponds to a frequency-selective channel, which still can be used to generate a random bit sequence. For legitimate users, the estimation process starts by equalizing the effect of $\dot{d}$, which is already known, then $d$ can be obtained. It is worth noting that we can estimate $G\dot{G}$ directly. However, the estimation accuracy will be generally worse because the channel will be highly selective in this case.
Although it is difficult for Eve to estimate $G$ because of the spatial decorrelation, she might attempt to increase the correlation by getting close to any of the legitimate users. To mitigate this scenario, the selection of $\dot{G}$ can be performed to decorrelate the overall fading matrix $G\dot{G}$, making it even more difficult for Eve to estimate G or G. Such an approach can be efficient because most channel estimation algorithms for OFDM generally require the channel coefficients over adjacent subcarriers to be highly correlated [43].
In this work, we adopt random interleaving to decorrelate the elements of the AF vector $\dot{d}$. Fig. 1 shows the AF process where each user is assumed to have a storage element called "AF buffer" to store $\dot{G}$. Also, at each successful iteration where both users agree on an intermediate key $q_A = q_B$, the AF buffer is enabled to update $\dot{G}$. The enabler of the buffer is controlled by $\beta$, where $\beta = 1$ if $q_A = q_B$, otherwise $\beta = 0$. The interleaved $\dot{d}$ is denoted asd = $P\dot{d}$, where $P$ is the interleaving matrix. An example ford with and without $\dot{d}$ interleaving is shown in Fig. 2. As noted from the figure, it will be hard to accurately estimate the channel coefficients at the non-pilot subcarriers using any interpolation scheme before eliminating the impact ofd. When interleaving is used, the received signal becomes whereG = GG, andG = $P\dot{G}$ is the interleaved version of $\dot{G}$. Let us denote $\zeta_n = |r_n|,\ \forall n$. By noting thatG is a diagonal matrix, the legitimate user can initially compute It is worth noting that (11) is obtained becauseG is a diagonal matrix. The next step for the legitimate user is to estimate the channel matrix $G$ and compute $G\dot{G}$, which will be used for the key generation process. The AF matrix $\dot{G}$ should be initially configured during the system initialization stage, and both Alice and Bob will be informed about the interleaving matrix $P$. Then, $\dot{G}$ will be updated continuously as outlined in Algorithm 1. Consequently, both users will synchronously update $\dot{G}$. The same approach can be applied to the interleaving matrix $P$. However, the random matrix $\dot{G}$ can be used to generate $P$.
To examine the impact of the channel interleaving on Eve's capability to estimate the channel between Alice and Bob, consider the extreme scenario when Bob broadcastsG BA x B while Eve is very close to Alice, and thusG BA =G BE , and hence, r E =G BA x B + w E . To be able to break the system, Eve needs to know $P\dot{G}$, which is not known by Eve. Even if $P$ is known, it is still difficult for Eve to know $\dot{G}$. Therefore, unlike conventional PLS systems, spatial decorrelation is not the only source of security in the system. Furthermore, the system should never experience the considered extreme case in practical scenarios. Moreover, the channel matrix $G$ continuously changes. Therefore, observing the channel for a long time should not leak information about $G$, $\dot{G}$, orG. It is worth noting that if Eve wants to use brute-force search to solve (11), then she has to search for $P\dot{G}$ that maximizes the correlation between the elements of $\hat{G}$, which is the estimated version of $G$. However, by considering a number of subcarriers of about 256, then both $P$ and $\dot{G}$ will be 256 × 256 matrices. Moreover, while the elements of $P$ are binary, the elements of $\dot{G}$ are continuous. Consequently, the search space, in this case, is massive, theoretically infinite, and Eve would not be able to find $P\dot{G}$. Furthermore, assuming that Eve's receiver is superior in terms of signal-to-noise ratio (SNR) has generally limited impact on her eavesdropping capability as demonstrated in Fig. 3.
To further study the impact of channel interleaving on Eve and the legitimate users, Fig. 3a shows the bit error rate (BER), $P_e$, for Eve and Alice over a Rayleigh fading channel for the worst-case scenario where Eve is very close to Alice. We consider two frequency-selective fading channels, denoted as Ch 1 Fig. 3, Eve's BER is severely worse than Alice's for all cases and SNR values, which demonstrates the benefit of adopting the AF with interleaving. In addition, $P_e$ is evaluated with and without the interleaving of $\dot{d}_{BA}$. Since Alice knows the pilot symbols andd BA , then she first divides $r_A$ over $\dot{d}_{BA}$, and applies the channel estimation process in Section II. Clearly, for both channels Ch 1 and Ch 2, $P_e$ is identical for the two scenarios, which implies that the interleaving process does Furthermore, for the same setup, Fig. 3b shows the mean squared error (MSE) for the channel estimation of $G_{BA}$ at Alice and Eve. It can be seen that the MSE of Alice is much lower than that of Eve. Although using the AF is generally beneficial even in frequency-selective channels, it introduces an additional computational complexity of N complex multiplications at the transmitter and N complex divisions at the receiver. To reduce the complexity, the AF can be applied only when the channel does not have sufficient frequency selectivity to produce a reliable bit sequence. To decide if a channel randomness level is not adequate to generate a shared challenge, we consider a counter for the number of sessions where Alice and Bob's challenges are not matching. If the challenge sharing fails for a certain number of consecutive sessions, the channel is considered unsuitable, and AF is incorporated. It is also worth noting that the initially stored channel vector $\dot{d}$ should not be used permanently and should be updated frequently. Toward this goal, we use the channel produced during the last successful sequence as the new channel for the AF process.
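The worst case discussed above (a purely flat channel and an eavesdropper who sees the same channel as the legitimate receiver), as an added Python simulation that is not from the paper. Assumptions: comb pilots on every fourth subcarrier, constructed tap magnitudes for the AF vector, a seed-derived permutation standing in for P, 30 dB SNR, and circular linear interpolation between pilots.

```python
import cmath
import math
import random

N = 64                              # subcarriers (assumed)
STEP = 4                            # comb pilot on every 4th subcarrier (assumed)
X_PILOT = (1 + 1j) / math.sqrt(2)   # known unit-power QPSK pilot symbol
PILOTS = range(0, N, STEP)


def smooth_af(rng, taps=(1.0, 0.25, 0.2, 0.15)):
    """AF vector before interleaving: CFR of a short multipath profile, so
    neighbouring subcarriers are correlated (tap magnitudes are constructed)."""
    gains = [taps[0]] + [t * cmath.exp(2j * math.pi * rng.random()) for t in taps[1:]]
    return [sum(g * cmath.exp(-2j * math.pi * n * i / N) for i, g in enumerate(gains))
            for n in range(N)]


def interleave(vec, seed):
    """Interleaver P: a permutation both legitimate users derive from a shared seed."""
    perm = list(range(N))
    random.Random(seed).shuffle(perm)
    return [vec[p] for p in perm]


def interpolate(at_pilots):
    """Linear interpolation between pilots, wrapping around the band edge."""
    out = []
    for n in range(N):
        left = (n // STEP) * STEP
        right = (left + STEP) % N
        frac = (n - left) / STEP
        out.append((1 - frac) * at_pilots[left] + frac * at_pilots[right])
    return out


def data_mse(estimate, truth):
    """Mean squared error over the non-pilot (data) subcarriers."""
    data = [n for n in range(N) if n % STEP]
    return sum(abs(estimate[n] - truth[n]) ** 2 for n in data) / len(data)


def estimate_both(af, snr_db, rng):
    """Return (legitimate MSE, Eve MSE) for the composite channel d * af."""
    d = [1 + 0j] * N                               # purely flat channel
    sigma = math.sqrt(10 ** (-snr_db / 10) / 2)    # noise std per real dimension
    truth = [d[n] * af[n] for n in range(N)]
    ls = {}
    for p in PILOTS:                               # least-squares estimate at pilots
        noise = complex(rng.gauss(0, sigma), rng.gauss(0, sigma))
        ls[p] = (truth[p] * X_PILOT + noise) / X_PILOT
    # Legitimate user: equalise the known AF at the pilots, interpolate d, re-apply AF.
    d_hat = interpolate({p: ls[p] / af[p] for p in PILOTS})
    legit = [d_hat[n] * af[n] for n in range(N)]
    # Eve (same channel, no knowledge of the AF): interpolates the composite response.
    eve = interpolate(ls)
    return data_mse(legit, truth), data_mse(eve, truth)


def run(seed=1, snr_db=30):
    """Compare estimation error with a smooth AF and with an interleaved AF."""
    rng = random.Random(seed)
    af = smooth_af(rng)
    legit_plain, eve_plain = estimate_both(af, snr_db, rng)
    legit_int, eve_int = estimate_both(interleave(af, seed + 1), snr_db, rng)
    return {"legit_plain": legit_plain, "eve_plain": eve_plain,
            "legit_interleaved": legit_int, "eve_interleaved": eve_int}


if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name:18s} MSE = {value:.5f}")
```

Without interleaving the eavesdropper's interpolation tracks the smooth AF almost as well as the legitimate receiver; with interleaving her error at the data subcarriers grows to the order of the AF variance while the legitimate error stays at the noise level.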
The AF process is described in Algorithm 1, where the AF buffer is used for storing the AF coefficients. The inputs to the AF algorithm are $l$, $x$ and $G_l$, where $l$ is the counter for the number of successful final key agreement iterations and $G_l$ is the CFR of the last successful iteration. Prior to the implementation of the protocol, an initial CFR matrix $\dot{G}$ with a certain fading level is generated and stored in the AF buffer. If $l > 0$, then $\dot{G}$ is updated such that $\dot{G} = G_l$. Then, we interleave $\dot{G}$ using random interleaving,G = interleave($\dot{G}$); consequently, the transmitted signal can be represented as

B. PROPOSED ADAPTIVE BIT EXTRACTION
Because the elements of $G_{AB}\dot{G}_{AB}$ and $G_{BA}\dot{G}_{BA}$ are analog values, they cannot be used directly for key generation. Therefore, additional processing is required for BE. In this work, we propose a BE scheme based on the ASBE presented in [20]. In the ASBE, the number of side-channel transmissions and required overhead are significant, particularly when the channel variations are limited and/or the SNR is low. For notational simplicity, the indices $A$ and $B$ will be dropped unless it is necessary to include them. The proposed BE algorithm for Alice can be explained as follows: which has $K$ elements. The set of indices for each block is denoted as $I_m$, $m \in \{1, 2, \ldots, M\}$. Because all blocks go through the same process, the block index $m$ will be dropped unless it is necessary to include it. Moreover, the same processes are applied to all blocks.
2) Evaluate two thresholds [20], $z^{+} = \mu + \alpha\sigma$ and $z^{-} = \mu - \alpha\sigma$, where $\mu$, $\alpha$, and $\sigma$ are the mean, weight factor and standard deviation of the block, respectively.
Note that the elements of $j$ remain unsorted.
5) Find the minimum element in the third column where $\zeta\{\cdot\} > z^{+}$. Store the value of $j$ for that element as $J_1$.
6) Find the maximum element in the third column where $\zeta\{\cdot\} < z^{-}$. Store the value of $j$ for that element as $J_2$.
7) Assign a value of one to all elements in the third column from row 1 to row $J_1$, and zero to all elements from row $J_2$ to row $N$.
8) All rows with indices larger than $J_1$ and less than $J_2$ should be deleted.
9) Sort the values of columns two and three in a descending order based on the values of the second column, i.e., restore the order of the original elements.
The remaining steps are also similar to those of Alice. However, Bob does not need to share his ranges with Alice. It is worth noting that unlike [20], the proposed algorithm does not leak information about the indices of the selected subcarriers; however, it does reveal the number of generated bits. Such information should not be critical since the key size is typically assumed to be known by Eve.
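One reading of steps 2 and 5 to 9, added here as an example and not the authors' code. Steps 1, 3 and 4 and the start of Bob's procedure are not reproduced above, so the descending sort, the population standard deviation, and Bob applying the received $J_1$ and $J_2$ to his own ranked block are assumptions; the measurement values are constructed.

```python
import statistics

def rank_descending(block):
    """Subcarrier indices ordered so that row 1 holds the largest value."""
    return sorted(range(len(block)), key=lambda i: block[i], reverse=True)

def bits_from_rows(order, j1, j2):
    """Rows 1..J1 become ones, rows J2..N zeros, rows in between are deleted.
    The surviving bits are returned in original subcarrier order (step 9)."""
    bit_at = {}
    for row, idx in enumerate(order, start=1):
        if row <= j1:
            bit_at[idx] = 1
        elif row >= j2:
            bit_at[idx] = 0
    return [bit_at[i] for i in sorted(bit_at)]

def alice_extract(block, alpha=0.4):
    """Return (bits, J1, J2); J1 and J2 are the only values Alice shares."""
    mu = statistics.fmean(block)
    sigma = statistics.pstdev(block)          # assumption: population std. dev.
    z_plus, z_minus = mu + alpha * sigma, mu - alpha * sigma
    n = len(block)
    j1 = sum(v > z_plus for v in block)            # row of smallest value above z+
    j2 = n - sum(v < z_minus for v in block) + 1   # row of largest value below z-
    return bits_from_rows(rank_descending(block), j1, j2), j1, j2

def bob_extract(block, j1, j2):
    """Assumption: Bob ranks his own measurements and applies Alice's J1, J2."""
    return bits_from_rows(rank_descending(block), j1, j2)

# Constructed channel-gain magnitudes for one block of N = 8 subcarriers.
ALICE_BLOCK = [0.90, 0.20, 0.50, 0.80, 0.10, 0.55, 0.30, 0.70]
BOB_BLOCK = [0.88, 0.22, 0.52, 0.79, 0.12, 0.53, 0.31, 0.72]  # same channel, small noise
FLAT_BLOCK = [0.5] * 8                                        # no variation at all

if __name__ == "__main__":
    bits_a, j1, j2 = alice_extract(ALICE_BLOCK)
    print("Alice:", bits_a, "shares J1 =", j1, "J2 =", j2)
    print("Bob  :", bob_extract(BOB_BLOCK, j1, j2))
    # A perfectly flat block yields no bits: nothing lies outside [z-, z+].
    print("Flat :", alice_extract(FLAT_BLOCK))
```

An observer of $J_1$ and $J_2$ learns only how many bits were produced ($J_1 + N - J_2 + 1$), not which subcarriers carried them.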
In order to compare the performance of the ASBE and the proposed BE in Fig. 4, we consider applying the three steps: channel probing, BE with $M = 1$ and $\alpha = 0.4$, and error reconciliation. We use the same setup presented in the numerical results section for the OFDM structure and BCH code (63, 7, 15) for the error reconciliation step. It can be seen that the MMR difference between both techniques is negligible, so the proposed mechanism is preferable to the ASBE in terms of the needed overhead. Due to the correction capability of the BCH code, which can correct up to 15 errors, both techniques will have comparable MMR performance as shown in Fig. 4.

C. PROPOSED PUF-BASED FINAL KEY GENERATION
In principle, a PUF utilizes the nano-scale manufacturing process variations of semiconductor devices to produce unique keys [16]. Mathematically, a PUF circuit with a $\upsilon$-bit input (called the $\upsilon$-bit challenge) and a $\varsigma$-bit output (called the $\varsigma$-bit response) can be represented by a Boolean function $f : \{0, 1\}^{\upsilon} \to \{0, 1\}^{\varsigma}$. The unclonability and uniqueness properties of PUFs are exploited to enhance the security level of the PLS-based SKG protocol as well as the KGR. In the proposed protocol, we input the intermediate keys, $q_A$ and $q_B$, to the PUF or equivalently its emulator, and the produced hashed responses are considered as the final secret keys. It should be mentioned that the intermediate or final keys will not be distributed or shared at any step of the protocol. The previously mentioned characteristics of PUFs allow us to accept any number of bits (length) for the intermediate keys, and this will not affect the secrecy level of the system. Consequently, unlike the conventional PLS-based SKG, we do not need to wait until a specific number of bits is obtained from the RSS; thus, utilizing the PUF leads to a high KGR [6], [20]. In order to avoid transmitting the intermediate keys through the channel, both Alice and Bob should have the same set of CRPs obtained by the PUF. Due to the low computational and storage capabilities of UAVs, it is not feasible to store the CRPs at any node. Therefore, we propose to consider a PUF emulator at one side and the actual PUF at the other side. PUF manufacturers can provide the legitimate parties with the PUF parameters such as gate delays and reliability distribution against voltage and temperature variations. In this paper, we assume that we can emulate the actual PUF using a set of gate delays and reliability models.
For the proposed protocol, we assume that Bob is equipped with a configurable RO PUF [53], which is a delay-based PUF that uses the RO frequencies as the random source for generating the responses, and Alice has its emulator. It is worth noting that professional UAVs are usually equipped with adequate processing power and some custom application-specific integrated circuits (ASICs) to facilitate several types of operations [54]. Therefore, the RO PUF can be implemented in an area of around 0.006 mm² using 22 nm technology, which is fairly small. Another possibility is to use an external mini FPGA board and connect it to the UAV motherboard through any of the available communications ports. Due to the sensitivity of PUFs to temperature and voltage variations, we consider that the emulator response is similar to the PUF response that is generated at room temperature with a fixed voltage of 3 V, which is denoted as the typical response. Also, we assume that any attempt to tamper with or separate the PUF will destroy it [55]. The process to generate the final key starts by inputting the intermediate keys $q_B$ and $q_A$ to the PUF and its emulator at Bob's and Alice's sides, respectively. The detailed steps are as follows:
1) Response Generation: Alice will input $q_A$ to the PUF emulator whereas Bob will input $q_B$ to the PUF. The responses $y_A$ and $y_B$ are produced at Alice's and Bob's sides, respectively. Ideally, the responses should be identical under any environmental setting; in practice, this is not the case.
2) Error Reconciliation and Verification: The aim of this step is to ensure that $y_A$ and $y_B$ are identical in the presence of temperature and voltage variations. Therefore, the error reconciliation mechanism described in Section III can be applied. In this work, we consider that the encoder is located at Alice's side and the decoder is at Bob's side. Moreover, the verification of the responses agreement is performed using CRC at Alice's and Bob's sides, $c^p_A$ and $c^p_B$, respectively. At Alice's side, we compute Then, Alice modulates and transmits $s^p$ to Bob, who detects $s^p$ and computes $\tilde{v}^p_A$ as in (9). Once $q_B$ is obtained, Bob calculates $c^P_A$ to compare it with $c^P_A$. If both CRCs are equal, then Bob will send an acknowledgment to Alice. Otherwise, a negative acknowledgment is to be sent. In the latter case, the final key generation steps 1 and 2 are repeated until a key generation agreement is reached.
3) Hash Generation: Some information about the shared challenges and responses is leaked to Eve during the error reconciliation steps. Thus, we utilize universal hash functions (UHFs) [56] to generate the final keys, $K_A = H(y_A)$ and $K_B = H(y_B)$, to enhance the randomness level.
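Steps 2 and 3 above, as an added example that is not the authors' code. It assumes the code-offset form of the secure sketch (Alice sends $s = y_A \oplus v$, with $v$ the codeword of a random vector), substitutes a 5x repetition code for the paper's BCH code, uses zlib's CRC-32 as the CRC and SHA-256 as the hash, and runs on a constructed 40-bit response.

```python
import hashlib
import secrets
import zlib

REP = 5  # assumption: 5x repetition code standing in for the paper's BCH code

def encode(msg_bits):
    """Repeat each message bit REP times to form a codeword."""
    return [b for b in msg_bits for _ in range(REP)]

def nearest_codeword(word):
    """Majority-vote decode, then re-encode: corrects up to 2 errors per group."""
    msg = [int(sum(word[i:i + REP]) > REP // 2) for i in range(0, len(word), REP)]
    return encode(msg)

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def crc(bits):
    return zlib.crc32(bytes(bits))

def final_key(response):
    """Step 3: hash the agreed response into the 256-bit final key."""
    return hashlib.sha256(bytes(response)).hexdigest()

def alice_sketch(y_a):
    """Step 2 at Alice: mask a random codeword v with y_A; send (s, CRC of y_A)."""
    v = encode([secrets.randbelow(2) for _ in range(len(y_a) // REP)])
    return xor(y_a, v), crc(y_a)

def bob_recover(y_b, s, crc_a):
    """Step 2 at Bob: s XOR y_B = v XOR e. Decoding removes e, giving y_A back."""
    v_hat = nearest_codeword(xor(s, y_b))
    y_hat = xor(s, v_hat)
    return y_hat if crc(y_hat) == crc_a else None  # None = NACK, repeat steps 1-2

def flip(bits, positions):
    """Model temperature/voltage drift by flipping the given response bits."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

def session(y_a, y_b):
    """Run steps 2 and 3; return (K_A, K_B), or None when Bob sends a NACK."""
    s, crc_a = alice_sketch(y_a)
    y_hat = bob_recover(y_b, s, crc_a)
    return None if y_hat is None else (final_key(y_a), final_key(y_hat))

# Constructed 40-bit emulator response (not a real RO PUF output).
Y_A = [int(c) for c in "1011001110" "0010110100" "1110010110" "0011010110"]
Y_B_MILD = flip(Y_A, {0, 7, 13, 14, 38})   # at most 2 flips per 5-bit group
Y_B_HARSH = flip(Y_A, {20, 21, 22})        # 3 flips in one group: beyond the code

if __name__ == "__main__":
    print("mild drift :", session(Y_A, Y_B_MILD))    # two identical keys
    print("harsh drift:", session(Y_A, Y_B_HARSH))   # None, CRC catches the miss
```

Only $s$ and the CRC cross the channel; when drift exceeds the code's correction capability the decoder lands on a wrong codeword, and the CRC comparison is what turns that silent mismatch into a negative acknowledgment.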

D. PUF MODELING ATTACK
We assume that Eve is aware of the proposed SKG protocol, including the decided parameters of the proposed BE and error reconciliation steps. As mentioned earlier in Section I, ML attacks are challenging for PUFs due to the possibility of modeling them using the transmitted CRPs and side-channel information without physical intervention. The key generation protocol can be considered secure if Eve is not able to predict the correct keys given the knowledge of the used techniques and having full access to the transmitted data. We also assume that the benefit of an attack diminishes if Eve needs to continuously employ significant computing power beyond a reasonable time span [57]. In Fig. 1, we call the model resulting from the ML attack the "PUF prediction model." In our scheme, the following 4 secrets are shared over the channel: $s^q$, $s^p$, $J_1$ and $J_2$. We assume that the attacker has access to all data transmitted between Alice and Bob. The ML attacks require Eve to collect a sufficient subset of CRPs and side-channel information to build an accurate PUF model. As presented earlier in Sections III and IV-C, the intermediate and final key generation stages do not require any explicit transmission of the PUF CRPs. Moreover, the shared data $s^q$ and $s^p$ will not be useful for Eve unless she has the correct $v^q$ and $v^p$ to be able to accurately obtain $q$ and $y$, which is very unlikely because $v$ is a codeword that corresponds to a random binary vector. As for $J_1$ and $J_2$, they only represent the range of the dropped indices during the BE step. If the RSS is not known, then these indices do not reveal useful information for Eve. Therefore, we can consider that the proposed SKG is secure since the leaked information is not significant enough to produce a subset of CRPs to model the PUF over a reasonable time span.
Fig. 6 shows the cross-correlation between Alice and Bob, $\rho_{AB}$, and Alice and Eve, $\rho_{AE}$ [58, eq. (2.75)], in the best-case scenario for Eve, where she is located in the middle between Alice and Bob. This means that her fading channel is the same as the legitimate channel. However, the AF coefficients are known only to legitimate users. We assess the correlation between $q_A$ and $q_B$, and between $q_A$ and $q_E$. Two Rayleigh fading channels, $\mathrm{Ch}_1$ and $\mathrm{Ch}_2$, are considered, and the OFDM, AF, BE and error reconciliation parameters are presented in Section V. It is clear that the level of correlation between Alice and Eve is considerably lower than between Alice and Bob, which is due to the impact of the induced AF at Alice's transmitters. Consequently, the intermediate key MMR between Eve and the legitimate users will be considerably high. Therefore, with regard to the PUF, it is challenging for Eve to estimate the challenge. Thus, generating a CRP model is highly unlikely.

E. COMPUTATIONAL COMPLEXITY
Although the new generation of professional UAVs has high computational capabilities [54], it is still necessary to evaluate the complexity of the main processing blocks of the proposed SKG systems. As can be noted from the proposed system description, the main operations performed by a given UAV are the BCH encoding and decoding for the secure sketch, the BE, AF application and elimination, CRC generation and verification, the PUF and PUF emulator, and finally, the OFDM modulation and demodulation. It is also required to compute the power of the channel estimates. Except for the PUF/emulator, the complexity of most operations is dominated by multiplication and division operations. If we denote the complex multiplication (CM) and complex division (CD) operations by $M_C$ and $D_C$, then the complexity can be generally evaluated as follows.
The Radix-2 fast Fourier transform (FFT) and inverse fast Fourier transform (IFFT) require $N \log_2 N$ CMs. The least-square channel estimation requires $N$ CDs. The channel estimates magnitude computation requires $N$ CMs. The BE requires $N$ CMs to compute the thresholds. The AF application and elimination require $N$ CMs and CDs, respectively. It is worth noting that the multiplication process associated with interleaving is not considered because it is a simple 0 or 1 multiplication. The CRC is computed using a linear feedback shift register, so it does not involve any arithmetic operations. The BCH encoding can be realized using simple digital logic devices. If hard decision decoding is adopted, then the decoder complexity is comparable to the encoder complexity. It is worth noting that the CRC and error reconciliation are applied at the intermediate and final key generation stages. The RO PUF can be implemented using a custom ASIC, which requires about 0.006 mm² of area using 22 nm technology, which is fairly small. Another possibility is to use an external mini FPGA board and connect it to the UAV motherboard through any of the available communications ports. The PUF emulator complexity depends on the adopted method. The lookup table can be considered the least demanding approach because a limited number of challenge-response pairs can be stored and used during a given mission, and it can be updated for subsequent missions. It is worth noting that the computational power can be evaluated based on the computational complexity as described in [59]. Overall, it can be concluded that the proposed scheme's computational complexity and computational power are suitable for most professional UAVs.

V. NUMERICAL RESULTS
This section presents a wide range of numerical results to evaluate the performance of the proposed SKG protocol. The simulation results are obtained using a computer with an Intel Xeon CPU E5-2640 processor, a clock frequency of 2.5 GHz, 16 GB RAM, and a 64-bit operating system. The software tool used to generate the results is MATLAB R2022b. The system model considers an OFDM system with $N = 256$ subcarriers that are modulated using QPSK. The number of CP samples, pilot and null subcarriers are $N_c = 64$, $N_p = 25$ and $N_n = 53 \times 2$, respectively. The null subcarriers are split equally and located at the edges of the subcarriers. The number of OFDM symbols considered to assess the performance of the proposed protocol is $1.2 \times 10^4$ for each simulation point. The wireless channel is modeled as a quasi-static Rician frequency-selective fading channel with $K \in \{-\infty, 15\}$ dB, where the channel remains fixed during a given OFDM symbol but changes randomly between adjacent symbols. The case where $K = -\infty$ corresponds to Rayleigh fading. Two multipath fading channel models are considered in this section, $\mathrm{Ch}_1$ and $\mathrm{Ch}_2$, which are defined in Section IV. Moreover, in order to examine the proposed protocol under practical conditions, we vary the correlation factor $\rho_{AB}$ between the channels of Alice and Bob. For notational simplicity, we denote $\rho_{AB}$ as $\rho$. The chosen correlation values are $\rho = \{1, 0.88\}$. As for the proposed BE, we chose $M = 2$ and $\alpha = 0.4$. For the AF, the initially stored $\dot{G}$ in the AF buffer is the FFT of [0.246 − 0.599i, 0.594 − 0.141i, 0, 0, −0.619 + 0.0938i, 0.211 + 0.876i, 0, 0, 0, 0, 0, 0.0713 + 0.619i, 0, 0, . . . , 0], where the length of the vector is equal to $N$. For conciseness, we denote the proposed SKG as (P. SKG) and the conventional SKG presented in [20] as (C. SKG).
The PUF considered in this paper is presented in [53]. As tested in the paper, the uniqueness and uniformity are almost 50%. Also, in order to reflect the impact of temperature and voltage changes on the PUF responses, we use the presented reliability distribution in terms of the intra-Hamming distance, which is obtained by conducting several experiments on FPGA. The reliability distribution of [53] is shown in Fig. 7. As mentioned earlier in Section I, the emulator response is considered as the original response. The reference temperature and voltage are, respectively, set as 26 °C and 3 V. The length of the response of the PUF and its emulator is 127 bits.
We have implemented the proposed configurable RO PUF of [53] on FPGA to verify its reliability. Due to the area limitation of the FPGA, the lengths of the challenge and response are chosen to be 32 bits. First, to ensure that the PUF can produce the same response to a certain challenge given fixed temperature and voltage, we ran it 2500 times at 25 °C and 3 V. As expected, the same response is obtained in every run. Fig. 7 shows the intra-Hamming distance distribution of the 32-bit responses under 4 different temperatures, [40, 50, 60, 70] °C, with a reference temperature of 25 °C. For each temperature value, $5 \times 10^3$ responses are produced. As can be noted, most of the measurements have 1 to 3 errors when compared to the reference response, which can be corrected using the utilized error-correcting code-based secure sketch.
As for the error reconciliation step in the intermediate and final SKG stages, we use an error-correcting code-based secure sketch [6]. We consider BCH as the underlying code, where we use (63, 7, 15) for the intermediate SKG and (127, 8, 31) for the final SKG stage. It should be noted that the error correction capability is related to the rate of the code. It should also be noted that, unlike the C. SKG, for the intermediate key generation stage, we do not restrict the number of generated bits to be 63 bits, as the PUF can generate uncorrelated responses and cannot be predicted by Eve. If the length of $q_A$ or $q_B$ is less than 63 bits, we pad the vector with zeros.
Due to the multiple signal exchanges, we amplify the privacy of the responses $y_A$ and $y_B$ by applying the SHA-256 hash function [56]. The outputs of the SHA-256 functions are the final keys of Alice and Bob, $K_A$ and $K_B$, respectively, with a length of 256 bits. Figures 8 and 9 show the MMR for the final keys by applying the P. SKG protocol and the C. SKG for $K = \{-\infty, 15\}$ dB over $\mathrm{Ch}_1$ and $\mathrm{Ch}_2$. We consider the ASBE scheme for the conventional protocol. For all the presented scenarios, as the SNR increases, the MMR decreases, which results from the reduced impact of the independent noise and the dominance of the multipath fading. Let's start with the case of $\rho = 1$, i.e., perfect CR, to study the impact of the channel frequency selectivity on the key MMR. First, for both multipath channels, as $K$ decreases, the MMR decreases. This is due to the impact of the higher correlation and common variations between Alice and Bob for the more severe channel (Rayleigh fading). Moreover, it can be noticed that $\mathrm{Ch}_1$ results in higher MMR than $\mathrm{Ch}_2$ due to the lower frequency selectivity level, which leads to higher noise dominance. As mentioned previously in Section I, the channel measurements of the uplink and downlink are asymmetric due to hardware imperfections. Therefore, we vary the amount of correlation between Alice and Bob. Clearly, as $\rho$ decreases, the key MMR increases, as the entire protocol depends on the level of matching between $|r_A|$ and $|r_B|$. Moreover, as can be noted from both figures, our proposed protocol performs significantly better than the conventional SKG protocol. This is due to the impact of the AF on the correlation between Alice and Bob. In other words, by applying the AF on both sides, the amount of common variations and correlation increases, which is similar to the impact of increasing the fading selectivity level, which increases the probability of agreeing on a shared key.
Fig. 10 shows the average number of sessions required for Alice and Bob to agree on a key, $K_A = K_B$, for the P. SKG and C. SKG protocols. It can be noted that for both protocols, as the SNR increases, the average number of sessions decreases, which is due to the reduced impact of the noise. Also, the P. SKG results in lower values due to the utilization of PUF and AF. The use of the PUF does not restrict us to any intermediate key length; hence, unlike the C. SKG protocol, we can generate the final keys from any number of bits and this does not affect the secrecy level of the system. In other words, instead of waiting until we get 63 bits for the $q$ in the C. SKG, in our protocol, we append the $q$ with zeros to get 63 bits. Also, due to the higher correlation between Alice and Bob resulting from applying AF, the average number of times required to achieve a key agreement is lower than the C. SKG.
In order to assess the randomness of the final keys generated by the proposed SKG protocol, we use the NIST suite [60]. The suite consists of 15 tests and computes a probability value for each test, called the p-value. For practical considerations related to the minimum input length required for every test, we decided to compute 8 tests [20]. The key can be considered random with 99% confidence if the corresponding p-values are greater than 0.01. We run our proposed protocol using the same coefficients and parameters listed previously for $\gamma = 16$ dB. Table 1 shows the p-values of the NIST tests. Since the final keys pass all the tests as shown in Table 1, they are considered random with 99% confidence.
For comparison purposes, we ran the NIST test for the C. SKG protocol as shown in Table 2. For a fair comparison with the settings of our protocol, we ensure that the length of the keys input to the hash generation step is 127 bits. We can note from Table 2 that the keys produced by this protocol pass the NIST test and are hence considered random.

VI. CONCLUSION
This work proposed a novel framework that integrates PLS with PUF to strengthen the secrecy and improve the efficiency of the key generation and sharing processes for dynamic and static wireless channels. More specifically, in the case of flat fading or poor scattering environments, we proposed a novel technique denoted as AF, which overlays a user-defined frequency-selective fading over the actual channel experienced between the legitimate users. Although AF results in higher computational complexity, it leads to a significant drop in the MMR compared to the conventional PLS-based SKG protocols. Further, it results in a lower average number of sessions needed to agree on a shared key. Furthermore, we proposed an efficient BE scheme that has reduced overhead, fewer side-channel transmissions, and increased secrecy, as compared to conventional schemes. The obtained numerical results showed a significant reduction in the MMR of the proposed protocol when compared to existing conventional SKG protocols. It is also shown that we can achieve a key agreement in a single session for moderate and high SNR ranges in rich scattering environments or, equivalently, when AF and PUF mechanisms are applied.
Our future work will focus on extending the proposed system to a UAV swarm where a group key can be generated and shared. Such an extension is generally not straightforward because each UAV would require a PUF emulator or a lookup table for all other UAVs' PUFs, which is prohibitively expensive. Moreover, using other advanced error correction schemes for the secure sketch process will be considered to reduce the number of sessions required to reach a key agreement. The use of multiple antennas at the UAVs to enhance the channel entropy will also be considered.