RIS-Jamming: Breaking Key Consistency in Channel Reciprocity-based Key Generation
Guyue Li, Paul Staat, Haoyu Li, Markus Heinrichs, Christian Zenger, Rainer Kronberger, Harald Elders-Boll, Christof Paar, Aiqun Hu
TL;DR
This paper identifies a new RIS-driven threat to channel reciprocity-based key generation (CRKG) by showing that a malicious reconfigurable intelligent surface (RIS) can break key agreement between legitimate parties. It relates the secret key rate to the RIS deployment, presents three attack mechanisms (active non-reciprocal circuits, time-varying RIS control, and SNR reduction), and shows that higher RIS gain and larger synchronization deviations between the legitimate probes degrade reciprocity further. As a countermeasure, the authors propose CRP-CRKG, a wideband scheme that separates multipath components, discards the RIS-contaminated path, and extracts the key from the remaining paths. Simulations and commodity Wi-Fi experiments with a fabricated RIS prototype validate both sides: the attack raised the average bit disagreement ratio of raw keys by 20%, and CRP-CRKG restores key agreement as long as the source of randomness and the RIS propagation paths are separable. The work highlights the practical risk of RIS to secret key generation in future wireless networks and offers a defense that leverages the rich multipath structure of wideband systems.
Abstract
Channel Reciprocity-based Key Generation (CRKG) exploits reciprocal channel randomness to establish shared secret keys between wireless terminals. This new security technique is expected to complement existing cryptographic techniques for secret key distribution in future wireless networks. In this paper, we present a new attack, reconfigurable intelligent surface (RIS) jamming, and show that an attacker can prevent legitimate users from agreeing on the same key by deploying a malicious RIS to break channel reciprocity. Specifically, we elaborate on three examples to implement the RIS jamming attack: using active non-reciprocal circuits, performing time-varying controls, and reducing the signal-to-noise ratio. The attack effect is then studied by formulating the secret key rate in relation to the deployment of the RIS. To resist such RIS jamming attacks, we propose a countermeasure that exploits wideband signals for multipath separation. The malicious RIS path is distinguished from all separated channel paths and removed, and thus the countermeasure is referred to as contaminated path removal-based CRKG (CRP-CRKG). We present simulation results showing that legitimate users under RIS jamming are still able to generate secret keys from the remaining paths. We also experimentally demonstrate the RIS jamming attack by using commodity Wi-Fi devices in conjunction with a fabricated RIS prototype. In our experiments, we were able to increase the average bit disagreement ratio (BDR) of raw secret keys by 20%. Further, we successfully demonstrate the proposed CRP-CRKG countermeasure against RIS jamming in wideband systems, as long as the source of randomness and the RIS propagation paths are separable.
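The following is an added toy simulation, written for this page and not code from the paper or its authors, that makes the mechanism of the abstract concrete. It models the wideband channel as a few resolvable delay taps shared reciprocally by Alice and Bob, adds a malicious RIS whose reflection is re-randomized on every probe (the time-varying-control variant of the attack), quantizes each party's estimates into raw key bits, and measures the bit disagreement ratio (BDR). It then applies a CRP-CRKG-style extraction that drops the contaminated tap and draws bits from the remaining taps. Everything specific is an assumption for illustration: real-valued tap gains, a mean-threshold quantizer, the tap index the RIS lands in, the RIS gain, and a simple two-probe drift heuristic by which each party flags the RIS tap on its own; the paper's detection and quantization are not reproduced here.

```python
"""Toy model of RIS jamming against CRKG and of contaminated-path removal.

All modelling choices below are assumptions made for this illustration
(real-valued taps, mean-threshold quantizer, two-probe drift detector);
they are not the paper's signal model or algorithm.
"""
import math
import random

TAPS = 4          # resolvable multipath taps in the wideband channel (assumed)
RIS_TAP = 2       # delay bin the malicious RIS path falls into (assumed)
ROUNDS = 128      # independent channel realizations used to draw key bits
NOISE = 0.05      # std-dev of estimation noise at each terminal (assumed)
RIS_GAIN = 4.0    # RIS path amplitude; higher gain => worse reciprocity


def probe(taps, ris_gain, rng):
    """One channel estimate at a terminal: the reciprocal taps plus noise.
    The RIS adds a term on RIS_TAP whose phase is redrawn on every probe
    (time-varying control), so Alice and Bob never observe the same value."""
    est = [h + rng.gauss(0.0, NOISE) for h in taps]
    if ris_gain > 0:
        est[RIS_TAP] += ris_gain * math.cos(rng.uniform(0.0, 2.0 * math.pi))
    return est


def collect(ris_gain, seed=1):
    """Per-round probe pairs for Alice and Bob. Each party probes twice in
    quick succession: legit taps are unchanged, noise and RIS state are
    redrawn. Only the first probe feeds the key; the second feeds the
    contamination detector."""
    rng = random.Random(seed)          # seeded so the run is reproducible
    alice, bob = [], []
    for _ in range(ROUNDS):
        taps = [rng.gauss(0.0, 1.0) for _ in range(TAPS)]   # common randomness
        alice.append((probe(taps, ris_gain, rng), probe(taps, ris_gain, rng)))
        bob.append((probe(taps, ris_gain, rng), probe(taps, ris_gain, rng)))
    return alice, bob


def quantize(samples):
    """Mean-threshold quantizer: 1 if above the party's own mean, else 0."""
    mean = sum(samples) / len(samples)
    return [1 if s > mean else 0 for s in samples]


def bdr(bits_a, bits_b):
    """Bit disagreement ratio between two raw key strings."""
    return sum(a != b for a, b in zip(bits_a, bits_b)) / len(bits_a)


def narrowband_key(rounds):
    """Narrowband CSI collapses all taps into one scalar per round, so the
    RIS term cannot be told apart from the legitimate paths."""
    return quantize([sum(first) for first, _ in rounds])


def contaminated_tap(rounds):
    """Each party alone flags the tap that moves most between its two
    back-to-back probes: legit taps drift by ~NOISE, the RIS tap by ~RIS_GAIN.
    Returns None when no tap stands out (no RIS present)."""
    drift = [0.0] * TAPS
    for first, second in rounds:
        for l in range(TAPS):
            drift[l] += abs(first[l] - second[l])
    worst = max(range(TAPS), key=lambda l: drift[l])
    others = [d for l, d in enumerate(drift) if l != worst]
    return worst if drift[worst] > 10.0 * (sum(others) / len(others)) else None


def wideband_key(rounds):
    """CRP-CRKG-style extraction: drop the contaminated tap, quantize every
    remaining tap separately and concatenate the bits."""
    bad = contaminated_tap(rounds)
    bits = []
    for l in range(TAPS):
        if l != bad:
            bits += quantize([first[l] for first, _ in rounds])
    return bits


def simulate():
    """BDR of raw keys without RIS, under RIS jamming, and after removal."""
    clean_a, clean_b = collect(ris_gain=0.0)
    jam_a, jam_b = collect(ris_gain=RIS_GAIN)
    return {
        "narrowband_clean": bdr(narrowband_key(clean_a), narrowband_key(clean_b)),
        "narrowband_jammed": bdr(narrowband_key(jam_a), narrowband_key(jam_b)),
        "wideband_crp": bdr(wideband_key(jam_a), wideband_key(jam_b)),
        "flagged_tap": (contaminated_tap(jam_a), contaminated_tap(jam_b)),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

With the RIS present, the narrowband key's BDR jumps from a few percent to well above what any reconciliation stage can absorb, because every probe mixes a fresh, non-reciprocal RIS term into the single CSI value. Both parties independently flag the same delay tap, and the bits drawn from the other taps again disagree only at the noise floor. The heuristic works here only because the RIS switches faster than the probing interval while the legitimate paths are stable within the coherence time; that is exactly the separability condition the abstract states.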
