Millimeter Wave (mmWave) communications are expected to have significant impact on wireless, including V2V communication, paving the road towards applications such as autonomous vehicles and vehicle platoons . mmWave requires beamforming with narrow beams to compensate for high path loss, which is perceived as a challenge, since directional transmission requires good alignment between receiver and transmitter pairs. In this paper, we argue that the inherent directionality of mmWaves has a silver lining: it can be leveraged to efficiently establish secret keys that are unconditionally secure from passive eavesdroppers.
Our starting point is the fact that, packet erasures can help create secrecy. To illustrate, consider two communicating principals, Alice and Bob, and an adversary Eve, who is eavesdropping on their channel. Alice and Bob want to create a shared secret (without using an out-of-band channel) that remains secure from Eve. Assume that when Alice transmits, Bob and Eve do not overhear exactly the same packets because of packet erasures; it is then possible for Alice and Bob to create a shared secret Eve knows nothing about, even when Eve has a better channel . To create such keys, we therefore need to operate in an environment with packet erasures. We utilizied, in a recent line of work, packet erasures through multi-hop and multipath communication, as well as through the use of wiretap codes and beamforming over WiFi, and have experimentally demonstrated that such protocols can yield several Mbps of shared secret keys [3, 4].
In this paper, we build on the fact that mmWave directional transmissions, if not perfectly aligned, inherently lead to packet losses, and thus it seems a natural host environemnt for erasure-based key establishment. A main contribution of this work is that we explore the effect of mmWave characteristics, by utilizing realistic mmWave channel models  and protocol parameters . Our goal is to explore whether, and at what rates, we can distribute shared keys in anticipated mmWave applications. We showcase our approach for two scenaria:
(1) 5G wireless networks, where base stations use mmWave antenna arrays for transmissions. We show that, with minor modification to the standard beamsweeping mechanism, a considerable amount of secret bits (up to a few hundreds) can be established between the base station and mobile devices for virtually no additional transmission cost.
(2) Vehicular platooning, which is a safety-critical application. We show that physical-layer-based shared key agreement techniques with wiretap codes and millimeter waves can allow platooning cars to establish shared keys with rates up to
Mbps. This enables the use of (usually impractical) One-Time Pad (OTP) for encryption (an information-theoretically secure encryption technique) even for anticipated high rate exchanges, such as vehicles sharing of high rate sensor data to enlarge their sensing range.
Secret key establishment is an integral part in modern day cryptography. A common approach for generating shared keys is through number-based techniques such as Diffie-Hellman (DH) . Typically, these keys are used for symmetric encryption techniques such as AES or for message authentication .
We believe that our approach can complement current cryptographic approaches, for two main reasons. First, our physical layer security approach is (information-theoretically) secure regardless of the adversary’s computational capabilities, i.e. neither classical nor quantum adversary will be able to break it. This should be contrasted to currently deployed key agreement protocols, such as DH, which are vulnerable to quantum attacks and thus would never be able to provide long-term security guarantees. Second, post-quantum key-exchange mechanisms will be secure as long as the adversary is computationally bounded [9, 10, 11], while our proposed approach is secure regardless of the adversary’s computational capabilities. Third, current cryptographic approaches today assume small amounts of shared keys even to counter computationally bounded adversaries. However, to ensure secrecy against these adversaries, this comes at the expense of high complexity cryptographic algorithms and high overhead on short packet transmissions, which may not be suitable for certain applications (e.g. sensor networks ) In contrast, our proposed approach gives the ability to create large amounts of shared key, without a centralized infrastructure. This could enable to develop lightweight cryptographic protocols that are well suited for Cyber-Physical System (CPS) applications.
Ii Model and Background
Adversary Model. We consider a passive adversary Eve who eavesdrops and can be located anywhere within the transmission radius of our nodes. Since it does not transmit, we consider its location to be unknown. We assume that Eve has access to the same physical layer technology as the legitimate nodes. When Eve does not receive a packet by her physical layer (and therefore leans nothing about its content), we say that Eve experiences an erasure. We assume Eve has infinite memory as well as unbounded computational capabilities at her disposal and has perfect knowledge of the protocols.
mmWave channel model and antenna patterns.
In mmWave, transmitters are expected to employ transmit beamforming in order to focus transmission energy in a particular direction in space.
However, the radiated energy pattern in space as a result of beamforming strongly relies on 1) the wireless channel between the transmitters and receivers, and 2) the assumed antenna radiation pattern. Therefore, in this work, we strive to employ realistic channel models and antenna patterns in order to give a realistic assessment of our proposed mechanisms. In particular:
(1) For 5G cellular networks, we implement the point-to-point 73 GHz outdoor channel model proposed in  which takes into account line-of-sight as well as multipath fading signal components. Moreover, in order to take into account the fact that transmitters/receivers that are close by in space exhibit similar channel characteristic, we also implemented space consistency between receivers and transmitters, as specified in . We also implemented the standardized antenna radiation pattern proposed in .
(2) For vehicular networks, similar models for mmWave channel models are lacking. We developed instead a channel model based on ray tracing, which takes into account reflections off the hood, back and roof of the cars in the platoon. We also used a realistic model for a vertically-polarized 70 GHz antenna array system.
Secret key protocol . We assume a broadcast erasure channel between Alice and both Bob and Eve. Namely, both Bob and Eve experience random (independent) erasures with respect to packets transmitted by Alice. For such channels, the protocol proposed in  allows Alice and Bob to establish shared secret (against Eve) keys over the erasure channel and with polynomial complexity. We illustrate the protocol through an example. Alice produces and broadcasts packets with payloads that consists of random bits. Assume that Bob receives the packets , and . Bob then acknowledges to Alice that he has correctly received these three packets – these acknowledgments could be perfectly overheard by Eve. Then, if Alice knows that Eve has missed at least a number of these packets; say packet, then Alice and Bob can both compute a key , which is perfectly secure from Eve. In general, the protocol does not require that Alice knows which packets Eve has, but an upper bound on how many she has. In [3, 4], we have explored methods that enable to accurately upper bound the number of packets Eve misses. In this work, we do not make any assumption
about this estimate. Instead, we make worst-case estimates on how much Eve can eavesdrop, and we assess how good these estimates are through what we refer to as theinsecure regions, a notion which we describe later.
Creating erasures by leveraging wiretap codes. A key point for our protocol is the fact that packets are erased; a natural question is, how to create “perfect erasures”. The method we follow is based on wiretap codes and directionality. The basic idea is that, we send the random packets that Alice produces encoded with a wiretap code; the wiretap code ensures that in certain areas the random packets are perfectly received, and in others, perfectly erased.
A wiretap code is characterized by two parameters, and , typically chosen such that . Wiretap codes operate as follows: let the received Signal-to-Noise Ratio (SNR) of a given receiver be , then 1) if then the receiver will be able to fully decode transmitted packets, 2) if then the receiver will not be able to decode anything and 3) if then the receive may be able to infer something about the transmitted information. The three aforementioned modes of reception are shown in Figure 4. The green area highlights an area in space where a receiver would experience a value of and therefore would decode all transmitted information. The orange region (which typically encloses the green region) highlights an area where and therefore a receiver may decode part of the transmitted information. Finally, a receiver outside the green and orange regions (white region) will not be able to infer any information. To be conservative, we assume that Eve can perfectly decode packets received in both green and orange areas (we refer to the union of these two areas as insecure regions), while packets in the white area are erased.
The choice of wiretap code parameters affects the security of the transmission scheme in two aspects: 1) the maximum secure information rate, and 2) the size of insecure regions. The maximum rate of information received securely by a receiver with a certain value is denoted by . Assuming a point-to-point Gaussian channel, then for a legitimate receiver in the green region () can be expressed as
where the first term in equation (1) corresponds to the rate with which the legitimate receiver is receiving the transmitted packets, referred to as decoding rate, and the second term corresponds to wiretap coding overhead, referred to as secrecy overhead rate. Wiretap code parameters are therefore chosen such that:
The legitimate receiver should have so that it can fully decode transmitted packets,
and should be chosen such that the maximum secure information rate is adequately high, and
and should be chosen such that the insecure region is minimized.
Choosing and gives contradicting effects with respect to the last two objectives: Figures 4 and 4 highlight these effects. Specifically, when and are relatively different in value, this results in a relatively larger insecure area and higher secret key rate as show in Figure 4. The opposite effect takes place when is relatively close to as shown in Figure 4. We note that today a number of practical designs for wiretap codes are emerging, based on polar , LDPC  and lattice codes , which enable with low complexity to achieve performance curves similar to (1). For this paper, we will directly use the expression in (1) to estimate potential benefits and trade-offs.
The benefit of multiple transmitters. Figure 4 presents an example where a transmitter with two antenna arrays wishes to create a shared secret key with a receiver. The transmitter encodes random packets with wiretap codes and sends different packets through each antenna. It is clear that, unless Eve is located in the intersection of the two beams, she is going to miss some of the packets that the legitimate receiver gets, and therefore we can establish secrecy. Thus, the insecure region is now the intersection of the two beams, which is a much smaller area, as shown in Figure 4. That is, using multiple transmitters can help reduce the insecure region.
Iii Showcase I - 5G networks
Our first showcase application is in the context of 5G cellular networks . The IEEE 802.11ad amendment proposes the use of directional communication to cope with the increased signal attenuation that accompanies transmission in the mmWave band.
Directional Communication in 5G. IEEE 802.11ad proposes the use of virtual antenna sectors which discretizes the azimuth angle. Shown in Figure 4, a base station sectorizes the azimuth range into sectors. Being equipped with up to antenna arrays, each array is responsible from transmission in one-third of these sectors111Antenna arrays do not cooperatively transmit in the same sector.. A mobile device is typically equipped with one antenna array and can have up to sectors. Each device has a set of pre-computed beamforming weights that correspond to transmission in each of the predefined sectors. When a base station wishes to communicate with a mobile device, both communicating parties have to agree on the best sector to use (i.e. best set of beamforming weights to employ) so that received signal strength is maximized. This sector training phase is referred to as the beamsweeping phase, and it is split into to sub-phases: 1) a Sector-Level Sweep (SLS) phase where both communicating parties agree on the best two sectors to use, and 2) a Beam Refinement Phase (BRP) in which the predefined beamforming weights are fine-tuned to further maximize the received signal strength. The SLS phase is also comprised of two sub-phases: the Transmit-SLS for negotiating the best sector to use at the transmitter, and the Receive-SLS for the receiver. We claim that the proposed mechanism for beam training in IEEE 802.11ad creates an excellent opportunity to establish secret keys between mobile devices and 5G back-end services. For the sake of demonstrating our ideas we only focus on the Transmit-SLS phase, noting that they can be extended to other phases of beamsweeping. We next describe Transmit-SLS:
1) The initiator (e.g. base station) sends a sequence of beacon frames, one in each sector. The responder (e.g. mobile device) receives these frames with a quasi-omnidirectional antenna pattern. Each beacon frame is marked with an ID for the used antenna array and sector.
2) The responder receives the aforementioned frames with varying levels of SNR. It then sends a feedback packet containing the optimal SNR value, and the sector ID of initiator transmitted beacon which was received with this SNR. This feedback packet is transmitted once in every sector of the responder. The initiator receives these frames with a quasi-omnidirectional antenna pattern.
3) Upon receiving the feedback packet from the responder, the initiator will be informed of the best sector to use for transmission. The initiator will then send one feedback packet on this sector, containing the optimal SNR value and the ID of the sector used by the responder which was received with this SNR.
4) Upon receiving the feedback packet from the initiator, the responder will be informed of the best sector to use for transmission.
Secret Key Agreement Protocol. The SLS mechanism proposed for 5G cellular networks offers an opportunity to employ physical-layer based key establishment techniques. Typically, a mobile station is envisioned to be simultaneously connected to multiple base stations . Therefore, it would participate in the Transmit-SLS phase of multiple base stations, receiving beacon frames from each of the base stations and sending back respective feedback frames. The 5G back-end services can then utilize this situation to virtually create a situation similar to the one shown in Figure 4, where the transmitter is the back-end service, the receiver is the mobile device, and the transmitter antennas are the base stations. To be able to run the key agreement protocol, a few random bits - encoded by an appropriately designed wiretap code - are added to each beacon frame transmitted by a base station. In case a frame is received by the mobile station with a SNR greater that of the used wiretap code, then the mobile station will be able to decode the random bits added to this particular frame. On the other hand, if Eve receives the frame with a SNR lower than , then Eve will not be able to infer any information about the random part of the frame, even though Eve may be able to decode other parts of the frame. Figure 14 shows the structure of the beaconing interval used in the SLS phase . Beacon frames used in the Transmit-SLS phase and sent by the initiator are indicated in the “Initiator” part of the beacon interval structure. This is where we propose to add a few encoded random bits to be used for key agreement.
Depending on the number of frames that are decoded by the mobile station and the maximum number of frames eavesdropped by the adversary, the base stations can then employ the protocol in  to establish a shared key using the amount of secure information shared between the mobile device and the back-end service.
Simulation Setup. We assume a 5G cellular network with multiple base stations and a mobile device. Each base station is equipped with three millimeter wave planar antenna arrays, each with elements, while each mobile device is equipped with a single antenna array. The antenna arrays specifications and radiation patterns follow the standard in . As mentioned earlier, we use the channel model proposed in  with space consistency as specified in . We assume base stations use a transmission power of dBm and a channel bandwidth of GHz. All transceivers have a noise figure of dBm. Beacon frames are transmitted at a rate of Mbps . We assume that base stations have transmission sectors, with the first sector centered at with inter-sector separation of . For a given sector, the beam steering phases are computed with the center of the sector as the destination direction. Finally, we assume that each beacon frame in the Initiator part of the beacon interval is augmented with kbits which are the encoded random data. Our target maximum rate of secure information is Mbps.
Performance Metrics. In the experiments that follow, we assess the performance of our proposed key agreement mechanism based on two metrics: the Insecure Area (IA) of the protocol and the Effective Number of Secret Bits (ENSB) established between the back-end service and the mobile device.
1) Effective Number of Secret Bits (ENSB): as discussed earlier, if Eve manages to decode the secret bits from all frames received by the mobile device, then no secret bits can be guaranteed. In other words, the worst-case eavesdropper that does not completely break the system is the one that misses only one frame. Therefore, the maximum number of secret bits that can be guaranteed by our mechanism (assuming it is not broken) is kbits. However, this is dependent on the event that the legitimate receiver has a SNR greater than and Eve a SNR less than for any of the transmitted frames, which is a random event due to randomness in the channel model. Therefore, the ENSB is the excepted number of secret bits established by our proposed mechanism, averaged over many realizations of the channel between base stations and the mobile device. Formally, it is defined as
where the fraction term in equation (2) computes how much random data are encoded into the kbits added to each frame. Note that equation (2) depends on the SNR of both the mobile device and Eve. In other words, depending on the location of Eve and the SNR she experiences, the value of ENSB differs.
2) Insecure Area (IA): The IA is the insecure area in which Eve can actually eavesdrop all frames, thus breaking the key agreement mechanism. Other mechanisms may be needed to protect against eavesdroppers in the insecure area, and therefore a smaller IA indicates a stronger key agreement mechanism.
Experiments. We show the performance of our mechanism in different scenarios which we show next. In all our experiments, we set dB and dB. This is how they are computed:
: since the beacon frames are transmitted with a rate of Mbps, then setting this number to be equal to the decoding rate term in equation (1) directly gives the corresponding value of .
: given the target and knowing the decoding rate, then equation (1) directly gives the value of .
1. Two transmitters on a circle. Our first experiment is shown in Figure 12, where two base stations are placed at distance from a mobile station, and separated by an angle apart. We make a worst-case assumption that the orientation of the base stations allow the mobile station to receive only one frame from each base station with a SNR greater than (receiving more frames can only increase the value of ENSB). Figure 12 shows the value of ENSB against every possible location of an eavesdropper, when and . Note that the maximum value for ENSB is bits; this is achieved when Eve does not experience in any of the simulations that we performed. It is therefore clear that a major part of the area under consideration is completely protected against eavesdroppers (the dark red region). When we compute IA, we count all regions where ENSB is strictly greater than , which accounts for all regions that are not dark red. However, as evident in Figure 12, in most regions the value of ENSB is greater than bits, and a very small region actually has ENSB close to zero. Figure 12 shows the value of IA for different values of and , which seem to be relatively large even for . The reason for this is that we rely on beacon frames to establish keys. More specifically, the design purpose of the beam sweeping phase and the use of beacon frames is to align a base station/mobile device which are not yet coordinated. This is why for example beacon frames are transmitted with very low rates compared to the allocated bandwidth. This particular property forces the used wiretap codes to have relatively low, which makes it easy for most receivers (including eavesdroppers) to decode the frame. This is the trade-off for implementing our proposed key establishment mechanism without changing the transmission protocol. In case more intrusive changes in the protocol are allowed (e.g. using dedicated frames at higher rates of transmission), smaller insecure regions can be attained.
2. Multiple transmitters at equal distances. Our second experiment is shown in Figure 12, where base stations are placed at distance from a mobile station, and separated by equal angles. Similarly here, we make a worst-case assumption that the orientation of the base stations allow the mobile station to receive only one frame from each base station with a SNR greater than (receiving more frames can only increase the value of ENSB). Figure 12 shows the value of ENSB for and , while Figure 12 shows the value of IA for different values of and . Similar observations on the previous experiment can be made here too. Moreover, it is clear that having more base stations reduces the values of IA. It seems, however, that this reduction diminishes as the number of base stations increase, which suggests that a finite number of base stations is sufficient for all practical purposes (in our experiment, base stations seems a reasonable value for )..
3. Particular cell deployment. Our final experiment is shown in Figure 12, where we assume a particular deployment of cell in a given area. We then vary the location of the mobile device inside the shown gray triangle and compute the associated IA at each location. Due to the symmetry of the setup, the performance attained from that particular triangle will be repeated across the whole grid. Figure 12 shows the value of IA at different locations on the grid, where the maximum IA is approximately around the receiver.
Iv Showcase II - Vehicle platooning
Our second showcase is in the context of vehicle platoons, one of the most safety-critical applications of vehicular networks. A vehicle platoon is a set of autonomous cars which drive on the road in a line formation with approximately the same speed and relatively small inter-vehicle distances .
Setup and Protocol. The setup is shown in Figure 14. We assume each car to be equipped with two millimeter wave antenna arrays used for transmission and two omni-directional antennas used for reception. One pair of transmit antenna array/receive antenna (pair-1) is mounted on top of the roof of the car at a height of 0.5 m and the other pair (pair-2) at a height of 1 m. We use a wireless channel model that we developed using ray tracing, as well as the radiation pattern of an actual antenna array system. The noise figure for the used antenna system is dBm. We assume that the transmission power is dBm for each antenna array.
We next discuss the secret key establishment protocol for two consecutive cars, with the understanding that each two consecutive cars perform similar steps. The communication protocol works as follows: 1) Pair-1 from the front car sends random packets encoded with a suitable wiretap code to Pair-1 of the back car (Link-1), 2) Pair-2 from the front car sends random packets encoded with a suitable wiretap code to Pair-2 of the back car (Link-2), 3) the front car sends a set of carefully-designed packets according to the protocol in  (not encoded with a wiretap code) to the back car to establish the common secret key.
Analysis and Discussion. Our goal is to understand the potential of our secret key generation mechanism in the context of vehicle platooning. Therefore, out goal is to attain the maximum rate of secure key generation against eavesdroppers that are 1) non-colluding and 2) are only equipped with single antennas (we discuss this assumption later in this subsection).
1) Insecure regions: based on the assumed channel model, the received SNR value for Link-1 and Link-2 are dBm and dBm respectively. We therefore set the wiretap code parameters to be dBm and dBm. Table I shows the insecure region associated with the used links. There is no insecure region for both links, i.e. there are no areas in space where an eavesdropper with a single antenna can eavesdrop both links. This means that any eavesdropper with a single antenna will at least miss the transmitted packets from one link.
2) Secret Key Rate: Using equation (1) and the selected values for the thresholds, the maximum rate of secure information is therefore equal to Mbps on each link. An eavesdropper with one antenna can only eavesdrop at most one link, therefore our key agreement protocol can establish up to Mbps of secret bits.
To put this number in perspective, we compare our protocol against 2048-based DH algorithm (DH-2048) for symmetric key exchange, a commonly used algorithm for symmetric key establishment between two communicating parties . For consistency, it is recommended to do not share secret keys larger than 112 bits when using DH-2048. This is because the key-exchange scheme only achieves 112 bits of security, and thus transmitting larger keys will still be subject to attacks at this step at a cost of 112 bits of security only. Therefore, we assume one operation of DH-2048 generates a 112-bit long key between two parties. According to the benchmark performance in , one operation of 2048-DH takes approximately megacycles. Assuming that each car to be equipped with an off-the-shelf DSRC transceiver with a MHz processor, and assuming no delay due to wireless transmission, then the secret key generation rate for 2048-DH is equal to kbps.
|Link||Insecure Volume (m)|
|1 and 2||0|
Application Example. We will show here that, thanks to the high rate of secret key generation, our protocol allows for the use of OTP to secure one of the most safety-critical functionalities of vehicle platooning. We assume that platoon cars are equipped with longitudinal and lateral controllers which operate the platoon. In order to maintain string stability within the platoon , each car in the platoon exchanges data packets every 100 ms  with both the cars in front of and to the back of it; this is called the bi-directional preceding-only communication topology . These packets include position, speed and acceleration information about the transmitting car. Assuming the use of the Dedicated Short Range Communication (DSRC) and Wireless Access in Vehicular Environments (WAVE) standard , then these packets add up to approximately bytes per packet. To protect the safety and privacy of the cars in the platoon against malicious attackers, transmitted packets with cars’ information should be encrypted . We will show next that, in the context of vehicle platooning, our suggested key agreement technique can generate enough secret bits which allows the use of OTP. Assume that our proposed algorithm for key generation is used every minutes for a duration of ms. Therefore, each two consecutive cars will have an amount of secret keys equal to ms Mbps kB to use for encryption during the next minutes. Longitudinal/lateral controllers require the transmission of data packets every ms, each of which is of size bytes. Therefore, the total amount of data to be transmitted during the next minutes is equal to min B kB kB of secret bits. Therefore, OTP is a practical solution for our proposal, something rarely achieved in any other kind of security application.
|Critical resource||Computation power||Bandwidth|
|Moderate (AES)||Simple (OTP)|
|Quantum-Vulnerable||Yes||No (Info. theoretically secure)|
Discussion. Table II shows a comparison between DH as a conventional key establishment mechanism and our proposed one based on channel erasures, in the context of vehicle platoons. While DH is limited by the computation power of the transmitter/receiver, erasure-based key generation technique is bounded by the available transmission bandwidth. It is important to note therefore that the shown key rates are reliant on the assumed parameters such as the DSRC module processor speed and the allocated bandwidth. However, the numbers shown here are based on values practically assumed in real systems, and therefore the attained rates reflect realistic performance measures.
The analysis in this section is made based on the assumption that Eve has a single antenna and that the eavesdroppers are not colluding. Therefore, to protect our proposed mechanism from being compromised the intersecting volume of the insecure regions from both links has to be zero as shown above. However, if either of these assumptions is removed (Eve has more than one antenna or two eavesdroppers can collude) then the system can be compromised even when having an intersecting volume of zero: the eavesdropper(s) can have a separate antenna in the insecure volume of each of the two links, thereby overhearing all transmissions and breaking our mechanism. Fortunately, with the current deployment of antennas on cars, one can construct 4 links instead of the aforementioned 2. By minimizing the intersecting insecure regions from every possible pair of links, we can therefore create a system that is secure against more capable Eve/colluding eavesdroppers. This is a current direction we are investigating.
V Conclusion and Future Directions
In this paper we investigated how the directional nature of mmWave communication can be used to enhance security. We focused on secret key agreement protocols that rely on packet erasures, where wiretap codes can be used to artificially create erasures at different terminals. We showcased how mmWaves can enhance the performance of these techniques in the context of two applications, 5G cellular networks and vehicle platooning. For both cases, we used/developed channel models with realistic antenna parameters to give realistic assessment of such protocols. For the case of 5G networks, we showed that existing beam sweeping mechanism proposed in the IEEE 802.11ad standard can be used to create a few hundred secret keys at virtually no additional transmission cost, while in vehicle platooning our proposed mechanism promises to deliver very high rates of secret keys.
This work is an initial investigation on the topic. In fact, we make a few simplifying assumptions to understand the potential of using mmWave: 1) we assume the existence of practical implementations of wiretap codes which can closely achieve the upper bound performance of these codes, 2) we do not account for the control overhead of the used scheme. Building real-world implementations of our proposed mechanism is scheduled for future work. However, we believe that, even with these assumptions, the results presented in this paper suggest that the use of mmWaves to enhance security is a very promising venue of research.
-  D. Swaroop and J. Hedrick, “Constant spacing strategies for platooning in automated highway systems,” Journal of dynamic systems, measurement, and control, vol. 121, no. 3, pp. 462–470, 1999.
-  U. M. Maurer, “Secret key agreement by public discussion from common information,” IEEE transactions on information theory, vol. 39, no. 3, pp. 733–742, 1993.
-  K. Argyraki, S. Diggavi, M. Duarte, C. Fragouli, M. Gatzianas, and P. Kostopoulos, “Creating secrets out of erasures,” in Proceedings of the 19th annual international conference on Mobile computing & networking. ACM, 2013, pp. 429–440.
-  I. Safaka, L. Czap, K. Argyraki, and C. Fragouli, “Creating secrets out of packet erasures,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 6, pp. 1177–1191, 2016.
-  T. A. Thomas, H. C. Nguyen, G. R. MacCartney, and T. S. Rappaport, “3d mmwave channel model proposal,” in Vehicular Technology Conference (VTC Fall), 2014 IEEE 80th. IEEE, 2014, pp. 1–6.
-  L. Czap, V. M. Prabhakaran, C. Fragouli, and S. N. Diggavi, “Secret communication over broadcast erasure channels with state-feedback,” IEEE Transactions on Information Theory, vol. 61, no. 9, pp. 4788–4808, 2015.
-  W. Diffie and M. Hellman, “New directions in cryptography,” IEEE transactions on Information Theory, vol. 22, no. 6, pp. 644–654, 1976.
-  W. Mao, Modern cryptography: theory and practice. Prentice Hall Professional Technical Reference, 2003.
-  J. Bos, C. Costello, L. Ducas, I. Mironov, M. Naehrig, V. Nikolaenko, A. Raghunathan, and D. Stebila, “Frodo: Take off the ring! practical, quantum-secure key exchange from lwe,” in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1006–1018.
-  E. Alkim, L. Ducas, T. Pöppelmann, and P. Schwabe, “Post-quantum key exchange-a new hope.” in USENIX Security Symposium, 2016, pp. 327–343.
-  P. S. Barreto, S. Gueron, T. Gueneysu, R. Misoczki, E. Persichetti, N. Sendrier, and J.-P. Tillich, “Cake: Code-based algorithm for key encapsulation. 2017,” in To appear at ”16th IMA International Conference on Cryptography and Coding.
-  T. Nitsche, C. Cordeiro, A. B. Flores, E. W. Knightly, E. Perahia, and J. C. Widmer, “Ieee 802.11 ad: directional 60 ghz communication for multi-gigabit-per-second wi-fi,” IEEE Communications Magazine, vol. 52, no. 12, pp. 132–141, 2014.
-  T. S. G. R. A. Network, Study on channel model for frequency spectrum above 6 GHz, 3rd Generation Partnership Project, July 2016.
-  H. Mahdavifar and A. Vardy, “Achieving the secrecy capacity of wiretap channels using polar codes,” IEEE Transactions on Information Theory, vol. 57, no. 10, pp. 6428–6443, 2011.
-  A. Thangaraj, S. Dihidar, A. R. Calderbank, S. W. McLaughlin, and J.-M. Merolla, “Applications of ldpc codes to the wiretap channel,” IEEE Transactions on Information Theory, vol. 53, no. 8, pp. 2933–2945, 2007.
-  J. Lu, J. Harshan, and F. Oggier, “A usrp implementation of wiretap lattice codes,” in 2014 IEEE Information Theory Workshop (ITW), pp. 316–320.
-  Crypto++ benchmark performance. [Online]. Available: https://www.cryptopp.com/benchmarks.html
-  D. Swaroop and J. K. Hedrick, “String stability of interconnected systems,” IEEE transactions on automatic control, vol. 41, no. 3, pp. 349–357, 1996.
-  J. Ploeg, B. T. Scheepers, E. Van Nunen, N. Van de Wouw, and H. Nijmeijer, “Design and experimental evaluation of cooperative adaptive cruise control,” in 2011 14th International IEEE Conference on Intelligent Transportation Systems (ITSC), pp. 260–265.
-  Y. Zheng, S. E. Li, J. Wang, D. Cao, and K. Li, “Stability and scalability of homogeneous vehicular platoon: Study on the influence of information flow topologies,” IEEE Transactions on Intelligent Transportation Systems, vol. 17, no. 1, pp. 14–26, 2016.
-  “IEEE Standard for Dedicated Short Range Communication (DSRC),” IEEE Std. 1609, 2013.
-  M. Raya and J.-P. Hubaux, “Securing vehicular ad hoc networks,” Journal of computer security, vol. 15, no. 1, pp. 39–68, 2007.