Bootstrapping Authentication and Confidentiality

A famous chicken-and-egg problem that arises in any secret-key generation system is that extracting identical strings of bits by communication over a public channel requires the channel to be authenticated. However, the availability of an authenticated channel implies that the two users attempting to extract a key (to be used for encryption) already share a key (the authentication key!), and therefore the purpose of extracting a key is defeated.

In a seminal paper by Witsenhausen, it is shown that given correlated random variables X and Y possessed by Alice and Bob respectively, not even a single bit of secret information can be reliably extracted from X and Y without having Alice and Bob exchange a message. This is a problem because any messages exchanged over a public channel would ostensibly require Alice and Bob to have an authenticated channel available to them if they are to avoid an active attack by Eve. This implication (the requirement of an authenticated channel) has so far been taken for granted. On a wireless channel, having exchanged a series of probes in a TDD fashion, Alice and Bob have built up some statistics for what the received signal from the other user must look like. If Alice sends Bob a quick message in order to enable extraction of identical bit strings, then the history of the past few messages can be used in a hypothesis test to determine (with some false alarm probability) whether it was sent by Alice or inserted by Eve.
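The hypothesis test sketched above, as an added illustration that is not part of the original post: the probe history is summarised as a Gaussian over one scalar channel feature (assumed here to be received power in dB), and a newly received message is accepted as Alice's only if its feature lies within a two-sided threshold chosen for a given false alarm probability. The history values are constructed sample data.

```python
import statistics
from statistics import NormalDist


def channel_model(history):
    """Fit the probe history as a Gaussian: returns (mean, sample std dev).

    Assumption: the feature is a scalar (e.g. received power in dB) and the
    legitimate channel's fluctuations around its mean are roughly Gaussian.
    """
    if len(history) < 2:
        raise ValueError("need at least two probes to build channel statistics")
    mu = statistics.fmean(history)
    sigma = statistics.stdev(history)
    if sigma == 0.0:
        raise ValueError("degenerate history: zero spread, test is undefined")
    return mu, sigma


def threshold_for(pfa):
    """Two-sided threshold on the z-score such that a genuine message from
    Alice is wrongly rejected with probability pfa (the false alarm rate)."""
    return NormalDist().inv_cdf(1.0 - pfa / 2.0)


def looks_like_alice(history, observed, pfa=0.01):
    """H0: the message arrived over Alice's channel.
    Reject H0 (flag a possible insertion by Eve) when the observed feature
    deviates from the fitted model further than pfa of genuine messages would."""
    mu, sigma = channel_model(history)
    z = abs(observed - mu) / sigma
    return z <= threshold_for(pfa)


# Constructed probe history: received power in dB seen by Bob from Alice.
HISTORY = [-40.2, -39.8, -40.5, -39.5, -40.0, -40.3, -39.7, -40.0]

if __name__ == "__main__":
    for obs in (-40.4, -46.0):
        verdict = "accept" if looks_like_alice(HISTORY, obs) else "reject"
        print(f"observed {obs} dB -> {verdict}")
```

A practical caveat the code makes visible: the test only separates Alice from Eve to the extent that Eve cannot reproduce Alice's channel statistics, and pfa trades missed insertions against needlessly rejected genuine messages.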

A bigger problem for secret-key generation seems to be finding an application that would require two entities to establish an encrypted channel between themselves without requiring authentication by a trusted third party. That is, at the beginning of the protocol, how do Alice and Bob know whether they are sending probes to the right entity and not a malicious intruder? In other words, the authentication afforded by the wireless channel at the PHY layer is only good for maintaining authentication, not for guaranteeing authentication at the start. It seems like good old certificates will be necessary for that (?). The only scenario I can think of where guaranteed authentication isn’t an issue at the start is when entities are simply talking to other (unknown) entities in an ad-hoc environment.

Published on May 6, 2008 at 2:29 am