Securing NextG networks with physical-layer key generation: A survey

As the development of next-generation (NextG) communication networks continues, tremendous devices are accessing the network and the amount of information is exploding. However, with the increase of sensitive data that requires conﬁdentiality to be transmitted and stored in the network, wireless network security risks are further ampliﬁed. Physical-layer key generation (PKG) has received extensive attention in security research due to its solid information-theoretic security proof, ease of implementation, and low cost. Nevertheless, the applications of PKG in the NextG networks are still in the preliminary exploration stage. Therefore, we survey existing research and discuss (1) the performance advantages of PKG compared to cryptography schemes, (2) the principles and processes of PKG, as well as research progresses in previous network environments, and (3) new application scenarios and development potential for PKG in NextG communication networks, particularly analyzing the eﬀect and prospects of PKG in massive multiple-input multiple-output (MIMO), reconﬁgurable intelligent surfaces (RISs), artiﬁcial intelligence (AI) enabled networks, integrated space-air-ground network, and quantum communication. Moreover, we summarize open issues and provide new insights into the development trends of PKG in NextG networks.


Introduction
The next-generation (NextG) communication networks are expected to achieve a new network paradigm of "global coverage, full spectrum, full application, strong security" [1].To achieve this goal, researchers have carried out a lot of research and proposed new technologies, as shown in Figure 1.
To meet the demand for global coverage, the NextG communication networks need to be effectively supplemented by non-terrestrial networks, such as satellite networks, unmanned aerial vehicles (UAV) networks and marine communication networks, and so on, for building an integrated space-air-ground network.For example, satellite communication networks can provide communication with wider coverage and higher transmission rate, which is an effective complement to the terrestrial network and suitable for areas that cannot be covered by traditional communication means, such as aviation, ocean, and desert.Moreover, with the increasing maturity of UAV networks, many high-risk jobs in harsh environments can be remotely operated through drones, and areas that are difficult for humans to reach during disaster search and rescue can also be explored through drones.However, with the global coverage of NextG wireless communication, an increasing number of devices will access the network through wireless communication, and available spectrum resources have become scarce, for which the full use of the full spectrum has become an important component of the paradigm of the NextG networks.To make all spectrum to be fully developed to meet the requirements of massive devices, various spectrum resources (e.g., millimeter wave (mmWave) and optical frequency bands) have been extensively explored [1], especially the optical wireless communication has developed into a significant complement to the traditional spectrum [2,3].In the NextG networks, various devices will connect to the network worldwide, and diversified spectra resources will be explored, people expect NextG networks to have higher energy efficiency, higher data transmission rates, better network throughput, and more intelligent applications compared to previous networks.Therefore, several technologies have been further integrated and developed.For example, massive MIMO or even ultra-massive MIMO technology has received attention and is considered one of the most efficient methods to increase the network throughput of wireless communication systems [4][5][6].Additionally, reconfigurable intelligent surfaces (RISs) intelligently reconfigure the propagation environment for mobile users in a cost-effective, energy-efficient, and spectrally efficient manner, which ensures that the data rate and transmission reliability of users can be dramatically improved [7][8][9][10][11].Besides, the NextG network will enable a new set of smart applications with the use of artificial intelligence (AI) and big data technologies in order to deal with the vast datasets produced by the use of large devices, different communication situations, large numbers of antennas, and high data rates [1].Finally, strong security is the prerequisite for ensuring the correct functioning of NextG networks.At present, security technologies based on cryptography have been widely applied, and physical-layer key generation (PKG), as another potential technology, has also been widely studied, which will be introduced in more detail in the following.

Security risks and traditional solutions of NextG networks
Wireless networks are easy to suffer from multiple potential attacks [12] due to the natural characteristics of their transmission medium, including but not limited to eavesdropping attacks [13], impersonation attacks [14], Denial-of-Service (DoS) attacks [15], message falsification attacks [16], etc.The security of user privacy and the integrity, confidentiality, and dependability of data communications are all seriously threatened by each of these threats.Especially in the NextG networks, with the frequent interaction between devices and the participation of AI technologies, the risk of data leakage in the process of collection and transmission will be further amplified.And because the service provider needs to collect a large amount of data to train the AI model, once the data set is leaked, it will cause more serious consequences than previous networks.For instance, implantable and wearable medical devices in NextG networks will be prevalently used to monitor the physical health of the elderly.These devices store historical data about physical health indicators (such as heart rate, blood oxygen levels, and sleep duration), which is sensitive personal information that requires strict confidentiality [17].However, an attacker can use impersonation attacks to pass as a legitimate user and get access to the system and network without authorization, which will compromise the data's confidentiality.Additionally, attackers can furthermore violate the integrity and authenticity of information transmission between devices through active attacks such as information falsification attacks.Once the data transmission security of NextG network systems cannot be guaranteed, many wireless network-based applications will experience a crisis of confidence and suffer significant losses, including the deterioration of service quality and the leakage of commercial secrets and personal information.
There has already been considerable research done to help secure wireless communications.Existing solutions are typically based on cryptography to develop cryptographic models with high computational complexity [18][19][20] that render it impossible for an attacker to obtain the message content while the message is still valid, which is under the assumption that the attacker's computational power is insufficient to obtain the plaintext in a finite amount of time [21,22].It can be seen that the cryptography-based system makes use of the mismatch between the computing resources controlled by the attacker and the computing cost necessary to crack the key to access information, thereby creating a barrier to ensure the security of information transmission.However, there is no quantitative security evidence for this, and this security guarantee could be revoked at any time as a result of the development of efficient algorithms and hardware iterations.To this end, while cryptography-based methods have successfully protected wireless network transmission in the past, they will experience more difficulties in NextG wireless communication due to the explosive proliferation of wireless network access points and the sharp rise in computing ability in recent years.The difficulties can be concluded as follows: • First, the assumption that the encryption model is sufficiently complex and the computational power of the attacker is insufficient to break the message within the effective time is the foundation for the security of cryptography-based schemes.However, given the expeditious advancement of hardware technology [22] and the emergence of new computational techniques (e.g., quantum computing [23,24]), this assumption may be falsified and its security is hard to guarantee.• Second, cryptography-based methods are built on convoluted mathematical protocols and issues.
For devices with powerful capabilities, like smartphones, these methods work effectively.However, some low-overhead, battery-constrained lightweight devices find it difficult to match the demands of cryptography-based schemes [17], rendering them useless in these situations.• Third, the traditional cryptography scheme relies on a key management infrastructure to manage and distribute keys, which makes it challenging to update keys on time in the face of massive devices [25] and further compromises security, and is unattractive to many distributed networks and networks with a constrained computational capacity [22].
Considering the difficulties encountered by cryptography-based schemes in facing NextG networks, there is an urgent need for security schemes with perfect security, low computing power requirements for devices, and adaptability to distributed scenarios to secure NextG networks, to overcome the new risks brought by algorithm evolution and hardware iteration, and further guarantee the security of lightweight devices and distributed networks.

Advantages of PKG
Compared to cryptographic schemes that lack sufficient theoretical proofs to guarantee security, physical layer security (PLS) techniques have attracted a great deal of attention from researchers for their solid information-theoretic security proofs.Additionally, the challenges that the cryptography scheme is encountering are anticipated to be resolved by the key generation technology based on the PLS mechanism.The PKG is to generate keys according to physical-layer characteristics, such as channel fading, noise, or device features, to realize specific security functions [26].The PKG uses the randomness and unpredictability of the wireless channel to generate the key [22] required for information transmission between the sender and the receiver and frequently updates the key in accordance with the wireless channel's time-varying characteristics to further improve security performance.
Since the key generation process does not consume a lot of computational resources, it is also applicable in some networks consisting of low-overhead, battery-constrained lightweight devices [27].Moreover, its information-theoretic security is achieved, for which PKG does not need to worry about being vulnerable to hardware iterations or the emergence of effective algorithms.PKG does not require a key management infrastructure to manage and distribute keys, so they can also be widely used in many distributed networks, further expanding the application scenarios.Additionally, PLS solutions can be easily implemented and changed without almost any upper-layer protocol adjustment needed [27].
Due to the advantages mentioned above, some researchers aggressively proposed PKG protocols to meet the practical needs of various scenarios and implement real prototypes for adequate performance evaluation [28][29][30][31].For example, Wu et al. [28] proposed a dynamic PKG scheme for OFDM passive optical network (OFDM-PON) systems and set up a real-time intensity modulation direct detection (IMDD) OFDM-PON system using Virtex-6 FPGA from Xilinx with fully pipelined DSP architecture.Cao et al. [30] built a cheap and moderately complex testbed with ESP32 and a PKG prototype is implemented on the proposed testbed.
It is worth noting that the quantum key distribution (QKD), which is based on the Heisenberg uncertainty principle and quantum entanglement, can keep the security of the keys and overcome the problems of quantum computing in the face of the improvement of the attacker's computing power and efficiency.However, the application of QKD will bring complex challenges.The most intuitive ones are the lack of suitable interfaces in the real environment and the high cost of quantum node construction, making it difficult to have enough quantum nodes to provide access services for massive user terminals.Compared to PKG which uses existing wireless network equipment for security protection, the cost of QKD is extremely high.More detailed challenges and related work on QKD are presented in Section 3.5.

Related work
Given the above advantages, PKG has received unprecedented attention for NextG network applications and various PKG schemes have been proposed to protect the network security.The existing surveys and tutorials can be mainly grouped into two categories.The first one focuses on investigating the PKG techniques themselves, as in [22,32,33].In [22,33], the authors present the fundamentals of PKG, including principles, performance metrics, channel parameters, and specific steps, where [22] briefly introduces some applications of PKG for wireless local area networks (WLANs) and wireless sensor networks (WSNs), while [33] describes the applications and implementations of the protocols on IEEE 802.11,IEEE 802.15.4,and explores potential pitfalls and future research.In [32], the authors review the existing research works on channel reciprocity-based key establishment from different perspectives, exhaustively investigate and present the works related to each step of PKG, and also discuss the feasibility, security issues, and emerging technologies in this area.
The other category starts from network security requirements, analyzes which PLS technologies need to be adopted in the network, and introduces PKG technologies in conjunction with network application scenarios, such as [34][35][36][37].This type of review tends to present PKG as a subset of PLS, with a more abbreviated introduction, but with the benefit of being able to analyze them in the context of the needs of NextG network technologies.Li et al. [34] reviewed channel reciprocity-based key generation (CRKG) for 5G and beyond networks with three candidate technologies (i.e., duplex mode, massive MIMO, and mmWave communications), identified opportunities and challenges for CRKG, and discusses the corresponding solutions.In [36], the authors present recent advances in PLS and security requisites for the sixth-generation (6G) networks and analyze security features and practical implementations in the context of novel applications (such as optical wireless communication and massive MIMO).In [37], the authors discuss the security and privacy of 6G networks in terms of different layers in the network architecture and analyze the impact of AI applications on 6G security.In [35], the authors provide a thorough analysis of the security challenges faced by 6G networks and discuss the possible security implications of distributed and scalable AI or machine learning (ML) security, distributed ledger technology, quantum security, visible light communication, and other applications that may encounter security and privacy issues.
Due to the lack of literature that simultaneously provides an in-depth introduction to the field of PKG and an analysis of the specific applications of PKG combined with NextG, we wrote this paper to make up for the gap, and the summary and comparison between this paper and the above-mentioned related papers are shown in Table 1.

Contributions and organization
In our paper, we provide a comprehensive survey of existing PKG technologies conjugated with NextG networks to help the reader better understand the prospects and applications of PKG in NextG networks.The following is a summary of our contributions: • We provide a description and analysis of the new paradigm of NextG networks from a high-level perspective, introduce state-of-the-art technologies that are likely to be widely used in NextG networks, analyze possible security hazards and drawbacks of traditional resistance schemes, and illustrate the superior advantages of PKG in securing NextG networks.• We introduce the initial knowledge of PKG from five aspects: the development history of the PKG field, the principles on which the effectiveness of PKG relies, the general steps of the PKG protocol, the channel parameters often utilized by PKG protocols, and the important metrics for measuring the effectiveness of PKG, and in which the challenges faced and the solutions that have been proposed are presented to help the reader gain a comprehensive understanding of the basic principles and methods of PKG.• Combining the latest technologies of NextG, such as massive MIMO, RIS, quantum computing, AIenabled technology, and space-air-ground integrated network.We analyze the impact of the NextG network on PKG applications and the role of PKG on NextG security, introduce the challenges and existing solutions respectively, and finally discuss the open issues and future work in depth for each technology.
The rest of this paper is structured as follows.Section 2 introduces the basics of PKG, including the development history, principles, key generation protocols, channel parameters, and performance metrics, to provide readers with a succinct overview of PKG.Section 3 introduces the application of PKG in NextG communication networks.The last section concludes this survey, the structure of our paper can be shown in Figure 2.

The overview of PKG
In this section, we provide a comprehensive and detailed perspective to further understand PKG, including the historical evolution of PKG, the working principle, the general stages of the protocol, common channel parameters, and performance evaluation metrics.At the same time, we analyze the difficulties that may be encountered in the implementation of the PKG protocols and extensively investigate the schemes proposed in the near years to improve the performance of PKG, introduce their core ideas, and analyze their advantages and disadvantages.

History
We provide a succinct overview of the development of PKG technology.In 1949, Shannon first proposed the idea of complete secrecy [38].Based on Shannon, Wyner [39] developed the eavesdropping channel model, which demonstrates that channel coding can increase the secrecy transmission rate of information when the condition of the channel between the parties engaging in legitimate communication is better than the eavesdropper's channel condition.To achieve the objective of secret communication, Maurer et al. [40] discovered in 1993 that the two parties in a legal communication can use a random signal source known only to the two parties to produce a key.A useful key generation protocol was presented forth by Hershey [41] in 1995 and was based on the three properties of wireless channels-reciprocity, uniqueness, and randomness.Since then, many researchers have further studied the PKG in various scenarios from different angles [28,[42][43][44][45], which will be introduced later.

Principle
The principle of PKG can be summarized as three points: spatial decorrelation, temporal variation, and channel reciprocity.
• Spatial decorrelation.Spatial decorrelation indicates that eavesdroppers will experience uncorrelated multipath fading when they are located more than half a wavelength away from legitimate users [22,33,46].For this reason, the key generated by both parties using the state information of the legal channel as a common source is difficult to be obtained by the eavesdropper, and the security is extremely high.Moreover, spatial decorrelation is a common situation because the wavelength of radio signals at frequencies commonly used for wireless communication (such as wireless fidelity (WiFi) and cellular) is very small.• Temporal variation.Temporal variation means that the communication environment of the wireless channel changes obviously with time, which is caused by unpredictable random movement of transceivers and any object in the environment because the movement will change the reflection, refraction, and scattering of the channel path.Temporal variation is conducive to the frequent generation and update of physical-layer keys and strengthens the security of communication systems.• Channel reciprocity.Channel reciprocity means that the transceivers at both ends of the wireless link experience the same multipath fading and observe the same channel state, which is a prerequisite for enabling the transceivers to generate the same key.It is noteworthy that a time-division duplex (TDD) communication system has better channel reciprocity than a frequency-division duplex (FDD) system generally, which is due to the fact that in TDD systems, the same frequency is used for the uplink and downlink, while in FDD systems two different frequencies are used.For this reason, the uplink and downlink signals in TDD systems are more likely to be received and transmitted in the same way, resulting in better channel reciprocity.

Protocol
In recent years, there are many practical protocols have been proposed to optimize the performance of PKG and meet the constraints of different scenarios, such as maximizing the sum key generation rate (KGR) and reducing the pilot overhead.However, they are generally composed of four steps: channel probing, quantization, information reconciliation, and privacy amplification [25,29,42,47,48], which are portrayed in Figure 3.As depicted in Figure 3, there are two legitimate users, namely Alice and Bob, and their PKG process can be summarized as follows: Alice and Bob perform channel probing firstly to obtain channel information, such as obtaining Y A and Y B by sending pilot signals S A and S B to the other party respectively and performing channel estimation based on the received signals, and often a preprocessing method is used to eliminate interference from non-reciprocal factors.They then converted the measurements into digital binaries by quantization to get the raw keys K A and K B .Since there may be a mismatch between K A and K B , information reconciliation is applied to resolve any inconsistency that might be present.Considering the possible information leakage in the past steps, privacy amplification is employed to remove the leaked information.Finally, key verification terminates the PKG process.We will describe each of the four main steps in detail later.

Channel probing
Both communication parties need to use the same random source as input to generate the identical key, which generally requires channel probing to obtain the reciprocal information.Due to the random and reciprocal nature of the wireless channel, channel characteristics such as the received signal strength (RSS), channel state information (CSI), and angle of arrival are widely used random sources [49].As shown in Figure 3, Alice and Bob first send pilot signals S A and S B to each other for obtaining channel characteristics.Through the transmission of the wireless channel, the signals they receive can be given as where the h BA and h AB are the channel responses from Bob to Alice and from Alice to Bob respectively, N A and N B are the zero-mean complex white Gaussian additive noise at Alice and Bob.Significantly, the time t A and t B of Alice and Bob transmitting the pilot signals are not synchronized.Considering the reciprocity of the channel, the time difference ∆t = |t A − t B | must be less than the channel coherence time for which the channel can be considered constant during the two probes [22].Consider that in real-world applications, the reciprocity of wireless communication systems is affected by the environment and equipment, including hardware fingerprint differences between devices produced by different manufacturers and external additive noise [22,50].Such non-reciprocal factors will make the values of channel characteristics measured by adjacent probes correlated and further reduce the reliability of the PKG schemes [49].Therefore, it is necessary to preprocess the acquired channel characteristic measurements before the subsequent steps to reduce the correlation between the characteristic measurements.Several preprocessing methods have been developed to eliminate the correlation [22,49], such as principal component analysis (PCA) [49,51], discrete cosine transform (DCT) [52,53], filtering-based algorithms [50,[54][55][56][57] and weighted sliding window smoothing [58].Li et al. [51] proposed a preprocessing method based on PCA to solve the non-reciprocity and correlation issues in key generation from orthogonal frequency division multiplexing (OFDM) channel measurement.In [49], a general mathematical model for several preprocessing strategies was proposed and the preprocessing performance was compared by numerical simulations.The results demonstrated that enhanced key generation by PCA using common eigenvectors can obtain keys with a high KGR, low key error rate, and good randomness.In [56], Zhang et al. designed a low pass filter for the key generation system which is based on OFDM subcarriers' channel responses to have better channel reciprocity and less noise, and ultimately reduce the key disagreement rate (KDR).In [55], authors preprocess the channel measurements before quantization with simple moving average filtering to improve channel reciprocity.In [58], authors proposed weighted sliding window smoothing to reduce noise, which can smooth out local noise, and also make up for the mismatched sensing time caused by the half-duplex nature.

Quantization
After doing the aforementioned channel probing, Alice and Bob acquire preprocessed channel measurements ŶA and ŶB , respectively, which are analog values that cannot be utilized directly by PKG schemes.For this reason, the objective of quantization is to map the preprocessed channel characteristic measurements ŶA and ŶB into binary sequences K A and K B (also the raw keys).
Recent research [32] shows that the performance of the quantization has a direct impact on the KGR and the KDR, which depends on the selection of the quantization levels and quantization thresholds.In general, a multi-level quantization will lead to a higher KGR while being more vulnerate to non-reciprocity factors and further cause a higher KDR.
The number of quantization levels is affected by the signal-to-noise ratio (SNR) of the channel [22] and the thresholds are usually determined according to the mean, standard deviation, and distribution of the measured values [22,33,46].Taking the dual-threshold quantization scheme as an example, the quantization function expression is shown in the formula: where µ(x) and σ(x) represent the mean and stand deviation of x, and α is the quantization factor used to control the quantization threshold position.The measured values between q + and q − will be dropped and others will be mapped into one or zero.In addition, to improve quantization performance and deal with active attacks, several quantization schemes adjust the threshold adaptively [59,60] and multi-bit quantization schemes [41,61,62] were proposed.

Information reconciliation
There might have a small number of inconsistent bits in the keys K A and K B generated by Alice and Bob through quantization due to the non-reciprocity factors [32], for which information reconciliation is applied to find and correct the mismatch bits in raw keys, and finally get the same key K .The workflow of information reconciliation based on error correction code (ECC) is shown in Figure 4.The communicating parties, Alice and Bob, first divide the raw keys K A and K B generated during the quantization process into blocks.Next, Alice encodes the blocks of K A and sends the calculated syndrome to Bob, who employs the corresponding decoder to obtain the desired codebook, consisting of K B and the received syndrome.Bob performs error correction by the ECC, and Alice and Bob then apply CRC to determine whether the keys agree or not.If the check values of Alice and Bob are the same, i.e., C A = C B , then the key agreement is reached and the process proceeds to the privacy amplification step, otherwise, it goes back to the channel probing.
Recently, various information reconciliation protocols have been proposed over the years, such as Cascade [63], low-density parity-check (LDPC) [64], Turbo codes [65], and Polar code [66], which enable the keys to achieve agreement by error detection or error correction.In [63], the authors proposed an efficient protocol where the amount of information leaked during reconciliation is close to the minimum possible amount of information for a sufficiently reliable secret channel.Many PKG protocols have adopted this scheme for information reconciliation, such as [60,67,68].In [64], the authors describe in detail two algorithms based on binary and quadratic LDPC codes, the latter of which is more suitable for high SNR environments.Epiphaniou et al. [65] generate random and symmetric encryption keys by utilizing the properties of dynamic propagation channels and innovatively integrating time-variable properties into the key generation process, the experimental results show that the use of Turbo codes has a substantial boost in KDR and KGR.In [66], the authors design a protocol for generating keys in correlated Gaussian random variables based on polar codes and prove that the protocol based on polar codes outperforms similar protocols that use LDPC codes instead of polar codes.

Privacy amplification
During information reconciliation, some information may be obtained by eavesdroppers in public discussions, which can jeopardize the security of the generated keys.Privacy amplification is then adopted [22] to reduce the information leakage about the generated keys to eavesdroppers, such that the final key is secure against attacks.Common privacy amplification protocols are mainly implemented based on extractor [69,70], or hash functions [70][71][72][73][74].

Channel parameters
PKG relies on channel parameters for extracting secret keys from the wireless channel, which is the random source to generate identical keys and characterized by several physical properties such as multipath, fading, and noise.In this subsection, we will discuss the key channel parameters used in PKG and their impact on the security and performance of the generated keys.Common channel parameters include channel impulse response (CIR), channel frequency response (CFR), phase information, RSS, precoding matrix index (PMI), and so on.
RSS is widely used as the channel parameter for PKG because they are easy to measure [32] and can be obtained without additional hardware, making it a cost-effective solution.Moreover, RSS-based PKG protocols can be implemented in various wireless communication systems, such as 802.11systems [59,[75][76][77][78] and 802.15.4 systems [79][80][81].Another widely used channel parameter is CSI, including channel phase [82][83][84], CIR [85,86], and CFR [87], which provides more accurate information than RSS and can reduce errors when extracting keys.In addition, CSI can model the effect of frequency-selective channels more accurately, and therefore can better resist interference.Besides, CSI can also improve the efficiency and reliability of key extraction by using the information of multipath propagation.However, there are drawbacks to obtaining the key using the CSI as well.For instance, it is expensive and requires high-quality hardware equipment to get the CSI, and obtaining CSI demands sophisticated algorithms for complex signal processing.Moreover, CSI may be forged by an attacker, which will compromise the security of PKG.In addition, PMI-based key extraction schemes [88,89] are explored.Considering the correlated MIMO channel, Wu et al. [88] proposed PMI-based secret key generation with rotation matrix (MOPRO), and the experimental results show that the KDR is dramatically reduced and the communication overhead is greatly decreased.In [89], Taha et al. proposed a new physical layer approach to exchange keys in MIMO channels using private random precoding (PRP), which is applicable to both TDD and FDD systems and has an excellent performance in computational overhead and key agreement.
It is worth mentioning that in recent years, there have also been some schemes that use other channel parameters to generate keys, such as the angles of arrival and departure [90], signal envelopes [91], etc.Overall, the selection of channel parameters for key generation will be mainly determined by the wireless technology used, and the randomness, stability, repeatability, and acquisition difficulty of channel parameters should be considered comprehensively.

Evaluation metrics
To evaluate the performance of PKG, several metrics are widely used.In this subsection, we will discuss some of the most commonly used metrics.
• KGR.KGR is an important performance metric, referring to the speed at which a secure key can be generated by utilizing the inherent randomness in the wireless channel.The KGR is typically measured in bits per second (bps), which can be given as where L represents the length of the key and T is the time taken.• KDR.KDR is a critical performance metric in PKG that quantifies the probability of different bits between the raw keys generated by Alice and Bob after quantization, which can be defined as where L represents the length of keys, K A (i) and K B (i) are the ith bits of K A and K B respectively, which is the raw key generated by Alice and Bob after quantization.• Randomness.Similar to KDR and KGR, randomness is also an important metric used to evaluate PKG performance.With higher randomness, the key is more unpredictable and has better security.
The randomness test suite developed by the National Institute of Standards and Technology (NIST) is a set of statistical tests used to evaluate the quality of randomness in digital data.And the NIST randomness test suite is often used to evaluate the quality of the keys generated by PKG and verify whether the keys meet certain statistical properties.

The applications of PKG in the NextG networks
In this section, we explore the impact of NextG networks on the PKG field and the potential of PKG for ensuring NextG security.Moreover, we provide in-depth analysis from five aspects (e.g., massive MIMO, quantum technology, AI, RIS, and space-air-ground integrated network).In each subsection, the faced challenges and existing research work will be introduced in detail, and urgent open issues and future work are discussed as well.

Massive MIMO
Massive MIMO is one of the key technologies to improve 5G NR frequency efficiency.In Massive MIMO systems, large-scale antenna arrays are formed by simultaneously utilizing tens to hundreds of antennas at a base station (BS).Numerous antennas can be used to spatially multiplex many user terminals (UTs).Therefore, users can be flexibly selected to receive at any given time, significantly improving spatial resolution and degree of freedom [92].To go further, in order to achieve higher bandwidth and faster wireless communication, researchers in [93] introduced the idea of ultra-massive (UM) MIMO (1024 × 1024).UM MIMO technology employs hundreds or thousands of antennas on the BS side to greatly enhance the throughput, energy efficiency, and robustness of wireless communication systems.Massive MIMO and UM MIMO will still be the focus of NextG mobile communication research and will not only be limited to the ground mobile communication systems but also be applied to the satellite communication systems, ocean communication systems, and high-altitude platform communication systems, which is one of the core technologies to form full-scene communication in the near future [94].
While the massive MIMO technology has brought great advantages in improving the spectrum efficiency and scheduling complexity of the system, it is also faced with communication security problems in diversified multi-service scenarios.At present, traditional upper-layer encryption technology has been widely used to ensure information security.However, with the huge increase in wireless devices, key distribution between massive devices has become complex and even impractical, and traditional encryption techniques may not be sufficient to guarantee information security [95].

Massive MIMO for PKG: Advantages and challenges
PKG has provided a new paradigm for information theory secure key sharing.In massive MIMO systems, PKG technology can solve the shortcomings of traditional key distribution schemes and provide security for communication.Meanwhile, massive MIMO technology also brings many benefits to PKG and boosts the key generation performance.In massive MIMO scenarios, the BS generates a narrow and directional beam aimed at different users.Narrow beams and directional beams increase the received SNR and KGR, while significantly weakening the received SNR of eavesdroppers [34].Simultaneously, the key generation rate increases linearly with the number of antennas [96].In addition, if the number of antennas is greater than the number of propagation paths, the wireless channel will exhibit sparsity.This sparsity can contribute to obtaining channel reciprocity information such as CSI.To this extent, massive MIMO technology is more conducive to the realization of PKG. Figure 5 shows a massive MIMO model that the BS is provided with M antennas and the kth UT is provided with N k antennas.The BS generates secret keys κ = {κ 1 , κ 2 , • • • , κ K } with K UTs concurrently, where κ k is the pairwise key generated by BS and the kth user.In traditional PKG protocols, the BS and the user send orthogonal pilot signals to estimate CSI.Considering passive eavesdropping, it is assumed that the distance from Eve to BS and all UTs is greater than half wavelength.As a result, we regard the channel observations between BS and UTs are independent of Eve's channel observations.Because of the open nature of the wireless channel, all UTs can receive signals.Consequently, in addition to Eve, other UTs are also regarded as potential eavesdroppers [97].
Even though the extensive number of antennas benefits the communication systems, massive MIMO for PKG imposes new challenges that can be categorized as: • Difficult channel probing.Most of the research on PKG is in the TDD mode, where the BS and users alternately send pilots to probe the channel.When the sampling time difference between them is within the channel coherence time, both parties can estimate the CSI with a high correlation.However, in the multi-user system with orthogonal pilots, an enormous number of pilots are introduced to distinguish different users.The pilot length and the number of antennas have a linear relationship, so it becomes difficult to complete channel probing in the coherence time when there are a large number of antennas or users [98].• Inter-user interference.When different users communicate using non-orthogonal pilot signals (or shared pilot signals between BSs), significant inter-user interference will occur.This interference will affect the reciprocity of channel measurement, resulting in the failure of both parties to obtain the same key.Additionally, the interference will cause some correlation between different users, which may result in secret key leakage.• High dimension of the channel matrix.Because of the spatial correlation of antennas, the channel probing results often exhibit high auto-correlation characteristics, resulting in long 0 and 1 in the quantized bit sequence.Traditionally, preprocessing algorithms can be used to reduce correlation, such as PCA [49,51] and DCT [52,53].However, in massive MIMO systems, the number of antennas at the BS and UTs side is extremely large.The complexity of executing preprocessing algorithms such as PCA will increase as the dimension of the channel matrix increases.• Pilot contamination attack.The eavesdropper can launch a pilot contamination attack by sending BS the pilot signal that is identical to that of legitimate users.Then the CSI estimated by the BS is not the legitimate user, but the sum of users and eavesdroppers.Therefore, the channel probing results of BS and users may not be reciprocal, so both parties cannot generate a consistent secret key.
To sum up, the problems of implementing PKG in massive MIMO systems mainly focus on the difficulty of calculating high-dimensional channel matrices and large pilot overhead leading to excessive channel probing time.

Solution methods
Currently, the issues of PKG in massive MIMO scenarios have attracted extensive research.Fortunately, some preliminary solutions have been proposed, including beam domain-based channel dimensionality reduction algorithms and utilizing new channel features.Below are some measures presently being proposed to address the above issues.
• Reduce pilot overhead.The large pilot overhead caused by multiple antennas makes the time delay exceed the coherence time, which leads to the key generation failure.At present, there has been some research on reducing pilots.An optimization method was proposed in [97] to achieve maximum sum KGR with pilot reuse which means that different users transmit the same pilot signal.By designing appropriate precoding and receiving matrices, interference between different UTs will be reduced.This method can achieve nearly perfect channel CSI and significantly reduce the pilot overhead caused by the increase in UTs quantity.Chen et al. [98] introduced an interference neutralization-based multiuser beam allocation (IMBA) algorithm for pilot multiplexing.The algorithm designs precoding and receiving matrices to assist key generation.Compared to using orthogonal signals, this method can greatly reduce pilot overhead.• Optimize computational complexity.Research has also been launched on the computational complexity of channel high-dimensional matrix.Li et al. [99] proposed a key generation method based on loop-back, called two-band multiple-antenna loop-ack key generation (TB-MALA), to address the high auto-correlation problem in MIMO systems.The method also effectively reduced the effective channel auto-correlation by making use of the rotation matrix.In view of the computational complexity and time consumption resulting from high dimensional matrices in massive MIMO wireless communications, the optimization problems of the multi-user secret key generation are studied in [43].The power allocation algorithm and the beam scheduling algorithm are presented to achieve the optimal solution.This method can obviously decrease the channel matrix dimension and reduce inter-user interference.Jiao et al. [90] suggested utilizing novel channel characteristics to generate a consistent secret key in massive MIMO systems, for instance, virtual angle of arrival (AoA) and angle of departure (AoD).Employing virtual sparse channel estimation methods to estimate at low overhead is relatively easy, and greatly reduces complexity compared to estimating high-dimensional CSI.• Resist pilot contamination attack.Regarding pilot contamination attacks, in [100], authors proposed a secret key agreement (SKA) protocol that can detect pilot contamination attacks.There is a complementary relationship between the received signal strength of eavesdroppers and legitimate users, so this relationship can be used to measure the amount of information leaked to eavesdroppers.
Specifically, if the pilot contamination attack detector declares the presence of a pilot contamination attack multiple times, the SKA protocol will suspend the key generation process to prevent eavesdroppers from obtaining information.The numerical results indicate that the SKA protocol can effectively constrain the impact of the pilot contamination attack on the SKA by adjusting the pause threshold, which ensures the performance of key generation between BS and users.

Future works
Massive MIMO technology will continue to develop in NextG networks.The mmWave massive MIMO and UM MIMO are also considered potential technologies for future communication.The following are some research opportunities and future directions.
• PKG in mmWave massive MIMO.In the future wireless network, mmWave is expected to improve the network capacity and data rate, and massive MIMO is used to overcome the high propagation path loss of the mmWave channel.Higher frequency and more antennas bring new channel characteristics, such as fewer propagation paths, greater attenuation, etc., which pose new challenges to PKG. • Multi-cell and multi-user key generation.Cellular networks usually contain multiple BSs.Cellular communication involves a large-scale connection on a limited wireless spectrum, and the pilot resources between cells are multiplexed.High-frequency pilot reuse makes users at the edge of the cell suffer from co-frequency interference from adjacent cells, and there is inter-user interference among users in the cell.BSs and users may not be able to generate symmetric keys because interference affects channel estimation results.How to solve the impact of interference on PKG is a problem to be further studied.
• PKG in UM MIMO system.The ultra-massive antenna provides NextG with richer communication resources and higher degrees of freedom.And UM MIMO can be combined with other key technologies, such as terahertz and high-speed rail communication.More antennas also bring more opportunities and challenges to PKG.More research and exploration are needed on how to apply PKG in UM MIMO scenarios.

Reconfigurable intelligent surface
A RIS consists of a large number of passive reflecting elements, each element can independently change the propagation characteristics of the signal, such as amplitude and phase, in an expected or random way.Unlike traditional relay stations, it only controls the reflection of the signal and does not consume extra power, making it low-power and environmentally friendly, which is very attractive to some resource limited networks, such as sensor networks.The low power consumption brings about a low cost and easy implementation, which means it can be used with a wide range of wireless network types.Finally, it can be flexibly deployed according to communication requirements [101].These features make it a key technology in the future network technology revolution [102].For example, in 5G, massive MIMO, and mmWave communication play important roles.The former improves communication quality and expands signal coverage range, and the latter has fast data transmission speed and strong anti-interference ability.However, these technologies still face many difficulties and challenges in practical scenarios.RIS can effectively compensate for these shortcomings.On the one hand, the energy consumption of massive MIMO systems is very high, while the power required by RIS is much lower than that of traditional relay nodes.Moreover, RIS can be used to optimize the energy efficiency of the MIMO system [103][104][105] so that the power or energy needed can be further reduced; on the other hand, the signal propagation path of mmWave communication is easily blocked by objects, using RIS to reflect the signal is a feasible solution to the issue [106].
As it can help to build a controllable signal propagation environment, RIS has also been widely studied in the field of PKG.Below, we will introduce the research work on RIS into two kinds, which correspond to the two kinds of influences that RIS brings to PKG: positive and negative.

Positive impact: RIS-assisted PKG
At present, in RIS-assisted PKG, two issues have attracted much attention, i.e., how to generate randomness for PKG by exploiting RIS in a static environment, and how to design schemes of RIS configuration in a dynamic environment to optimize the performance of PKG, such as KGR.Static environment refers to the environment, such as the communication environment between devices with fixed indoor positions, where the channel characteristic parameters lack change.However, we cannot directly extract secret keys from the channel that lacks change, otherwise, as shown in Figure 6a, it will lead to extremely low KGR or a large number of consecutive repeated bits, which poses a great threat to communication security.As shown in Figure 6b, by deploying RIS in static environments, a new solution to increase randomness has been found.
The greater KGR, the more secret key bits can be obtained per unit of time or a single channel measurement period, and the more secure communication requirements between communication nodes can be met.The optimization of the coefficient matrix for RIS to improve KGR is a hot topic of research in dynamic environments, as shown in Figure 6b.However, under most circumstances, the expression of KGR may be very complex, so the optimization problem is difficult to solve, we can only find its sub-optimal solution.
• PKG in static environment.In [107][108][109], Random RIS phase configuration schemes are used to simulate the dynamic time-varying channel.Specifically, in [107], the remote controller of RIS calculates the optimal phase switching time immediately after Alice and Bob send the pilot signal, and then switches the RIS phase randomly.It is very hard to derive a closed form of the KGR expression for RIS channel coefficients with discrete phase shifts, in contrast to studies based on Gaussian channel coefficients.Therefore, in [107], only two extreme conditions, i.e., high SNR and massive RIS elements are analyzed.The analysis of the condition of massive RIS elements is meaningful because the numerical results show that when the number of elements is 20, the KGR is very close to the theoretical upper limit.Moreover, the KGR of the proposed scheme is higher than the other two benchmarks based on the artificial random signal.In [108], Alice and Bob first estimate the direct channel and then remove the direct channel estimation from the signal observed by the receiver in each time slot to obtain the sub-reflecting channel estimation, respectively.Different from the two-way probing (TWP), in the oneway probing (OWP) used in this scheme, Bob measures the channel in downlink slots, and then Alice reconstructs the CSI based on the direct channel estimation and the sub-reflecting channel estimation.But the study did not propose an algorithm to optimize the achievable KGR.In [109], a PKG scheme using RIS for channel phase probing was proposed, which uses RIS to randomize the phase of the probing signal to generate randomness.In the quantization stage, Bob divides [0, 2π) equally into 2 W sub-intervals, where W is a positive integer.Each sub-interval represents a sequence of binary bits, and the initial KGR is the set of the bit sequences corresponding to all sub-channel phase estimation.Uncommon in other studies, this research analyzed the impact of deployment locations of RIS on PKG performance.Currently, most of the research on RIS remains in the theoretical stage, but some studies have delved further into the research.In [110,111], the authors implemented a prototype system using commodity Wi-Fi transceivers and a low-cost RIS in a low-entropy environment to assist the PKG of the OFDM system, respectively.• PKG performance optimization.In the single-user scenario, the authors of the study [112] regarded the RIS as a passive beamformer and then derived the minimum achievable secret key capacity under the condition that multiple eavesdroppers are nearby, Finally, an optimization algorithm to improve the performance of PKG protocols was proposed.In [113], a multiple-input single-output (MISO) system was considered, and the authors deduced the minimum achievable secret key capacity.Then, an optimization algorithm was proposed to maximize it by configuring the reflecting coefficient matrix of RIS.In short, this study used RIS to improve the lower limit of the secret key capacity and enhance the security of the system.In the multi-user scenario, Li et al. [114] considered a multi-user channel model, and gave the optimization algorithms to maximize the sum KGR of multi-users when the channels between users are independent and correlated respectively.To deal with the non-convexity of constraints, the above articles apply the semi-definite relaxation (SDR) method to relax the constraints.The complexity of the optimization algorithms is reduced by applying the successive convex approximation (SCA) technique which can obtain a sub-optimal solution.

Negative impact: RIS-based attacks in PKG
While RIS has brought positive impacts, security issues have also arisen.As shown in Figure 6c, active eavesdroppers may exploit the RIS to design attack schemes.Some attackers may even seize control of the RIS.Currently, much research has been done on RIS-based attacks.Designing attacks against RIS is beneficial to attract research on designing corresponding countermeasures, which will make the RIS technology more mature.Wei et al. [115] pointed out the serious impact of the pilot spoofing attack (PSA).Eve and Alice send amplified pilot sequences at the same time.Eve can increase the possibility of obtaining legal channel probing samples by increasing the amplifying factor.The study first analyzes how RIS can improve the performance of PKG under PSA.The results show that with the increase of spoofing factor, the upper bound of KGR quickly approaches 0, which means that RIS has limited effect on defending against powerful PSA.Secondly, the influence of RIS on legitimate communication after it is controlled by attackers is analyzed.The spoofing KGR increases with the increase of the spoofing factor, and if it is optimized, the spoofing effect will be significantly strengthened.The study points out that the traditional scheme of optimizing RIS phase configuration is difficult to work against PSA.The authors of [116] proved that colluded Eves are able to obtain secret keys according to the globally known pilot sequence.They replaced the pilot sequence with a random Gaussian matrix to cope with the challenge.The secret key is generated according to the fact that the singular values of probability distribution functions (PDF) of legitimate nodes' received signal matrices are very similar.The scheme does not need legal channel estimation, because the channel used for PKG is not required in the subsequent wireless communication.A muti-Eve attack scheme is also designed [117].In the proposed scheme, Eves estimated the legal channel by making the entropy of the legal channel conditioned on Eves' signals approached zero.In [111], two kinds of attacks against RIS were proposed, namely the RIS jamming (RISJ) attack and the RIS leakage (RISL) attack, respectively.RISJ attack is an active attack, which prevents Alice and Bob from agreeing on the shared secret key by adjusting the RIS reflection matrices.Unless separating the direct channel and the RIS-induced channel in a system with a high multipath resolution, it is still challenging to find a strategy to resist this attack.In the RISL attack, the secret key will be obtained by Eve.RISL attacks can be divided into two kinds, in the first kind of RISL, Eve controls the configuration of RIS elements in a predetermined way, such as controlling their switching state, to make the channel measurement results of Alice and Bob meet Eve's expectations.In the second RISL type, Eve attempts to speculate on the legal channel.But this kind of attack imposes a high requirement for Eve and is more possible to succeed in some specific environments.Works in [118] are instances of RISL attack.The study features in that the RIS only plays a malicious role in the PKG system.Specifically, the RIS is controlled by Eve and is used to reconstruct the secret key to a certain extent.

Future works
As a potential technology, the research and application prospect of RIS is very broad, but there are still many key problems that have not been solved, which deserve more research in the future.Here are some examples: • Consider security issues when optimizing RIS configuration.At present, most research on RIS mainly focuses on performance optimization, effective and low-complexity channel estimation, etc.Moreover, it is usually assumed that RIS is friendly, but the actual situation is that RIS may be exploited by attackers.So future work should pay attention to the coexistence of friendly RIS and malicious RIS, and the role of RIS in minimizing the secret information leaked to Eve, that is, optimizing the configuration of RIS to improve the communication security of the system.In addition to defending against active and passive RIS-based attacks, we are also faced with the challenge of how to detect and locate attackers.• RIS-assisted mmWave massive MIMO system.The mmWave communication has abundant available frequency band resources because of its short signal wavelength, but mmWave signals are more easily blocked by obstructions, so they mainly propagate in line-of-sight (LoS) environments, which leads to serious path loss.Combining it with a massive MIMO system can effectively alleviate this problem, which has become one of the key technologies of 5G and NextG communication networks.However, the current challenge is to solve the resulting high power consumption problem.The emergence of RIS technology provides a feasible solution to it.It is believed that combining RIS with mmWave massive MIMO system [119,120] will improve the performance and enhance the security of communication systems, and reduce power consumption and cost.• RIS deployment location, multi-RIS scheme, and cooperation between RISs.Currently, most research in the field focuses on optimizing the configuration of the elements and the reflection coefficient matrices of RIS to improve data transmission speed, secrecy rate, or KGR, etc., while fixing the RIS in a certain position.However, there is no reason given for the selection of the deployment location of the RIS.In other words, there is still a lack of research on the impact of the deployment location of the RIS on system performance.Moreover, the spatial position of RIS can be used as a new degree of freedom.For example, RIS can be deployed on a drone to enhance channel randomness through the drone's random movement, thereby assisting secret key generation.In addition, there is currently almost no research discussing the scheme of multiple RISs and how they collaborate.Generally speaking, multiple RISs can bring more randomness.As the number of RISs increases, the computational overhead caused by optimizing the reflection coefficients also increases.Therefore, how to reduce the computational complexity and secret key generation delay is also worth studying.• RIS authorization and countermeasures against adversarial RIS.In PLS, there have been a lot of meaningful studies utilizing RIS to enhance the security of wireless communication networks.
However, the characteristic of RIS being able to only reflect signals and not actively transmit signals is a double-edged sword.On one hand, it helps reduce power consumption and simplify design; on the other hand, it poses a serious obstacle to the authorization of legitimate RIS.Almost all the research assumes that the RIS is the authorized one, in other words, the RIS itself is reliable.However, there is currently no widely adopted mechanism to ensure this, and only a few works have explored such a problem so far.For example, in [118], the authors utilized RIS controlled by Eve to attack CSIbased and two-way cross multiplication-based PKG systems, respectively.Hu et al. [121] proposed a new RIS-assisted manipulation attack that reduces wireless channel reciprocity by rapidly changing the RIS reflection coefficients and further proposed a path separation-based slewing rate detection method to remove the attacked paths and defend against this attack.Li et al. [122] proposed a RIS jamming attack that disrupts channel reciprocity by deploying an adversarial RIS and further designed a countermeasure that exploits wideband signals for multipath separation to distinguish adversarial RIS paths from all separated channel paths to resist RIS jamming attacks.To this end, more work is needed in the future to discover and defend against adversarial RIS attacks.It is worth noting that in addition to the above-mentioned attacks, adversarial RIS is likely to bring other hazards, which are worth extensive research to explore and design corresponding defense solutions, and how to ensure that the used RIS is authenticated, is also an urgent problem to be solved.

Artificial intelligence
In future wireless communications, AI technology, especially deep learning (DL) methods, will be applied to improve the efficiency and quality of wireless communication in various fields.The NextG networks are expected to have faster data rates, lower transmission delay, and more connected devices.These requirements also present new challenges.First, because of the complexity of NextG communication networks, it is hard to accurately describe networks with mathematical models.Secondly, new performance challenges increase hardware devices' complexity, so new implementation techniques are needed to make the algorithms more suitable for practical applications.AI is considered one of the solutions to improve the performance and robustness of NextG communication networks.The data-driven nature is one of the advantages of AI [123].AI can learn features from massive data to increase network efficiency and reduce delay.AI's excellent performance will lead the intelligent development trend of NextG communication.Some preliminary studies have demonstrated that AI and ML have great potential in wireless channel measurement and modeling.AI can leverage clustering, classification, and regression algorithms for channel multipath clustering and channel feature prediction.Wireless channel modeling has begun to apply ML algorithms, for example, convolutional neural networks (CNN).In addition, AI and ML can predict the wireless channel characteristics of unknown scenes, unknown frequency bands, and future moments [1].AI can also solve problems that may be difficult to model or accurately solve by traditional methods.In recent years, some researchers combine DL with channel coding, channel estimation [124], channel CSI feedback [125], modulation classification [126], etc., and use AI technology to help optimize the physical layer.The direct input deep neural network (DI-DNN) proposed by Gao et al. employs signals received by all antennas to estimate the channel [127].Wen et al. [125] designed CSINet using DL technology, which is a novel CSI sensing and recovery mechanism.CSInet can efficiently learn how to use channel structures from the training set.In addition, the current communication systems are characterized by high capacity and high density, and a large amount of data will be generated during wireless transmission, which provides sufficient samples for DL model training.

Challenges of traditional PKG and advantages of AI for PKG
Because of the powerful capabilities of AI in channel estimation, feature extraction, and other aspects, researchers have attempted to apply AI to solve the shortcomings of PKG technology.Specifically, the DL algorithms are used to model and predict channels to extract the information needed for the key.For example, DL algorithm can be used to model the frequency response of a channel and generate a key by predicting CFR.The AI-based PKG scheme is shown in Figure 7.The traditional PKG methods still have limitations in the actual implementation process, and currently, there are many works that use AI to assist PKG to overcome difficulties.The following problems are faced by traditional PKG methods and are expected to be solved through AI combined with PKG.• PKG in TDD systems.The feasibility of PKG technology mainly depends on the characteristics of the wireless channel, i.e., spatial decorrelation and short-term reciprocity.However, in the TDD system, the reciprocity can be affected by non-simultaneous sampling and noise factors, which may lead to high KDR.Existing PKG approaches capture reciprocity features in the channel by designing some feature extraction methods.Most of the studies employ traditional linear transformation (e.g., PCA [49,51] and DCT [52,53] algorithms) to extract reciprocity features, these methods may suffer from limitations like low KGR or high feedback overhead.Some nonlinear feature extraction methods are better than linear transformation [128].In the channel simulation environment, most of these methods show good performance, but the robustness is poor in the actual environment.• PKG in FDD systems.For FDD systems, the uplink and downlink channels use different carrier frequencies to transmit information.The reciprocity parameters in TDD are completely different in FDD [34].Therefore, finding reciprocal channel characteristics in FDD systems is challenging.To address this issue, some research has been conducted.Recently, many researchers try to find new frequency-independent reciprocity features (such as angle and delay) based on the uplink and downlink CSIs to generate the key.Nevertheless, accurate acquisition of angles and delays requires significant resource overhead, and there are limitations on the number of antennas that are not suitable for lowpower terminals [129].Some researchers focus on generating keys through path separation.But in complex multipath environments, it is hard to accurately separate paths.• Third party threats.Most current PKG protocols are based on spatial decorrelation, i.e., if the eavesdropper is positioned at a distance exceeding half a wavelength from the legitimate correspondents, it is considered that the eavesdropper is unable to accurately estimate the channel probing between legitimate correspondents.Under this assumption, it will be difficult to obtain the reciprocity characteristics for PKG for the eavesdropper.Nevertheless, certain research shows that in some environments, the spatial correlation of channels still exists between eavesdroppers and legitimate correspondents [130].Besides, the eavesdropper may be closer to the legitimate party, which can lead to information disclosure.
PKG technology based on AI can improve the performance of PKG and solve the problems faced by traditional PKG technology applications.Firstly, AI technology can enhance the efficiency of PKG protocols.AI-based methods can automatically learn channel characteristics from large amounts of data through ML algorithms, thereby achieving fast and accurate key generation.Secondly, AI technology can improve the security of PKG protocols.For example, AI-based methods can leverage the excellent fitting and discrimination capabilities of DL algorithms to effectively identify and filter out noise and interference.In addition, AI technology can also monitor the key generation process, detect and handle abnormalities in a timely manner, thereby further enhancing the stability and reliability of key generation.

Solution methods: applying AI in PKG
In the past few years, there have been a number of successful studies that use AI technology to address the above-mentioned issues related to traditional PKG schemes.Specifically, we will introduce the relevant AI and PKG combination solutions for the above-mentioned challenges.
• Reciprocal feature extraction.Channel reciprocity in actual TDD systems is affected by various environmental factors, limiting the practical application of PKG.It is essential to establish reciprocity features in non-ideal wireless channels.To address this problem, DL technology offers attractive solutions.DL is a powerful feature extraction technology and does not require statistical information of predefined channel models.By applying DL technology to channel estimation, the performance of existing channel estimation technology can be improved, with lower complexity in practical applications [124].Han et al. [131] proposed an efficient PKG scheme based on an autoencoder to extract reciprocity features from weakly correlated channel estimation and obtain better performance results than the PCA-based method.He et al. [132] designed a multi-branch autoencoder neural network based on prior knowledge of channel measurement models, called a channel reciprocity learning network (CRLNet).This model uses collected CSI data for training to adaptively learn reciprocity features in weakly correlated channels and can achieve higher KGR.• DL assisted PKG in FDD system.At present, researchers have begun to combine DL with PKG to reduce costs and improve efficiency in FDD systems.Zhang et al. [133] employed feature mapping to construct reciprocity features in FDD systems and proposed a key generation neural network (KGNet) for constructing interactive channel features.This method solves the problem of mathematically representing feature mapping between different frequency bands.In [134], two-channel feature mapping methods based on deep transfer learning (DTL) and meta-learning respectively for FDD system key generation were proposed to address the issue of the inapplicability of DL models due to environmental changes.The feature mapping algorithm based on DTL first uses data samples from the original environment to train the network, and then applies a few data from the new environment to fine-tune the trained initial network model.The model can be effective in new environments through this approach.
The other feature mapping algorithm based on meta-learning carries out intra-task and cross-task learning across multiple tasks, where each task represents a key generation in a specific scenario.Through this process, the optimal model initialization parameters for generating keys in the new environment can be obtained.• Eavesdropping prevention.The difference between the keys generated by legitimate users and eavesdroppers can be increased by applying neural networks.In [135], a method based on the automatic encoder and neural network domain confrontation (DANN) was proposed to assist in PKG, called automatic encoder domain confrontation training (DAAE).This method can estimate the reciprocal channel characteristics of legitimate communication parties and maximize the difference between the channel features and those of eavesdroppers.The weak correlation channel CSI in the form of amplitude and phase is sent to the neural network for training, and the main components of the reciprocal channel information between legitimate parties are obtained through the DAAE feature extractor.Compared with other PKG methods, it reduces the correlation between legitimate communication parties and eavesdroppers.Compared to PKG using only automatic encoders, it achieves better security.• Cooperation with RIS.RIS is also an emerging technology and has been used to assist PKG research.At the same time, in massive MIMO scenarios, PKG may have serious overhead issues.To address this issue, Liu et al. [136] proposed a low-cost RIS-assisted PKG method based on DL.Firstly, the channel CSI is constructed by using RIS.Then, the channel reciprocity features are extracted through the designed neural network (RIS CRNet).This method can extract highly anisotropic channel features without any prior information, and the overhead is small.In [137], ML is used to resolve the high-dimensional non-convex optimization problem of PKG in RIS-assisted multi-antenna systems.They proposed a new algorithm based on the unsupervised deep neural network (DNN) with a simple structure, which uses DNN to obtain the optimal configuration of BS and coding and RIS phase shifts.Simulation results reveal that this method achieves a higher KGR.

Future works
The research on AI-enabled PKG technology is still in the developmental stage.Although some AI-based PKG schemes have been proposed and applied in practical communication systems, these schemes still face many challenges and limitations.Therefore, in the future, further research is needed to explore more efficient, secure, and reliable AI-enabled PKG technology.The following are some further potential research directions: • Reliable common dataset.DL networks require a large amount of data for parameter training.These data often need to be obtained under specific channel conditions.Therefore, many studies presently rely on mathematically simulated data samples, ignoring the impact of actual environments.The static data obtained from specific channel conditions may conflict with the diversity and temporal variability of the actual wireless channel.In order to obtain more practical research results, the collected actual data should be used for network training and validation.However, obtaining trustworthy channel data in practice is challenging.The actual data sampling environment is complex, and there are many false alarms and misjudgments in the data.In addition, the acquisition and classification of data also pose significant challenges.• Generalized scene model.Currently, the DL models applied to PKG are mostly data-driven, and trained on channel data from a single scene, which limits their application to hypothetical single scenarios.The transformation of the scene may lead to the inapplicability of the DL model.Therefore, exploring a generalized DL model that can be applied to various scenes is a challenging research area.Additionally, the employ of DL models for PKG has some uncertainty due to the instability of the wireless channel environment, resulting in overfitting or underfitting issues.Hence, developing more stable DL models is also a challenging task.• Low complexity models.Some DL models used for PKG may generate high computational complexity, which makes them difficult to apply to small terminals.So far, most DL model frameworks have been designed based on DNN and CNN.Nevertheless, these models can cause high complexity in memory and time, and lead to ultra-high parameters.Therefore, designing better-performance DL models while reducing their complexity is also a challenging research direction [138].

Space-air-ground integrated network
The space-air-ground integrated network is aimed at integrating space-based, air-based, and ground-based networks, which can make up for their respective shortcomings.The advantages of ground networks are low latency, high data rate, powerful computing ability, etc.However, it is difficult to connect ground networks to remote areas, and inefficient for temporary network construction and load balancing.Non-ground networks have wide coverage, and large transmission capacity, and are not limited by the geographical environment, but the communication delay is high.Various components in the space-air-ground integrated network have currently attracted extensive research interest [139].Below we will introduce three typical networks, i.e., the Internet of Vehicles (IoV), UAV network, and satellite network.

IoV network
The development of the automobile industry and communication technology makes our life more convenient, and the interconnection between automobiles and other network devices has also become a rapidly developing technology, which aims to provide a guarantee for the better operation of the road traffic system.The IoV is a huge network for information exchange between vehicles and other communication devices, which can make traffic management more information-based, improve the quality of vehicle user experience and make vehicle control more intelligent.Figure 8a illustrates different components of communication in IoV, including vehicle-to-vehicle (V2V), vehicle-to-roadside (V2R), vehicle-to-human (V2H), and vehicle-to-infrastructure (V2I) communication.
Whether the security issues of IoV be valued is the key to its further development.In fact, IoV communication is vulnerable to attacks such as eavesdropping, forward, interception, etc.The data transmission rate of long-distance vehicle communication is usually very low and the mobility of vehicles is very high.These two problems will reduce channel reciprocity, and some common short-distance wireless communication technologies become unsuitable, which deepens the security risk of IoV communication.In addition, to achieve a high key agreement rate, it is significant to study how to improve the correlation of RSS values between vehicles.The RSS values are improved by using polynomial interpolation to improve the correlation between the vehicle and roadside unit (RSU).However, when the speed of the vehicle is a little high, the performance of the proposed quantization method is unacceptable, which means an expensive error correction cost.Bottarelli et al. [141] proposed a PKG algorithm for V2V communications by introducing a novel channel response quantization method.To solve the non-reciprocity issue of channel responses and improve KGR, the research introduced a quantization optimization block, named as perturb-observe (PO) algorithm.A PKG scheme derived from RSS in the V2V communication was proposed by the authors in [142].Doppler effect is considered in channel probing as it can influence the channel coherence time.Different from [140], the similarity of RSS values between vehicles is enhanced by using the Kalman filter in [142].However, the study did not propose a method to improve the KGR.In [143], the authors proposed Vehicle-Key to ensure the security of LoRa-enabled IoV communications.LoRa's long-distance communication decreases channel reciprocity, the study proposed a deep-learning model to address this issue and improve the key agreement rate.In the model, the channel measurement of a communication node can be predicted by the other one.Moreover, the authors performed four different IoV-based PKG experiments outdoors to evaluate the theoretical results.

UAV network
UAVs have played an important role in air-based network communications in recent years.As small air crafts, UAVs have been crucial in achieving deep network coverage in three-dimensional space, especially in some special scenarios where their flexibility and importance in assisting communications are evident, such as temporary network reconstruction in disaster areas and network resource allocation in crowded areas.Specifically, UAV communication has the following characteristics: (i) LoS channel dominated.UAVs typically hover or circle in the air, with few obstacles in the communication link.Since the signal can propagate through the direct link without reflection or scattering, the signal transmission is generally considered to be in LoS environments [144], and the channel condition between the UAV and ground communication device is of high quality.(ii) High mobility and flexibility.Due to their controllable threedimensional maneuverability, UAVs can maintain quasi-static or cruise to a designated location according to the requirements of the system.The motion of UAVs provides a new degree of freedom to provide efficient communication.Additionally, UAVs can adjust their hovering position to maintain communication quality or adjust their deployment position to achieve emergency communication.Moreover, UAV is also very suitable for some temporary communication scenarios.(iii) Fast and low-cost network construction.The size of a UAV is usually small, which enables flexible deployment and application in complex and variable environments.A cluster of UAVs can form a communication network in various scenarios.In emergency situations where ground-based communication infrastructure is damaged or non-existent, UAVs can serve as temporary communication infrastructure for disaster relief, remote sensing, firefighting, and other purposes.The deployment of UAVs helps to reduce communication costs and achieve uninterrupted communication.
As small mobile devices, UAVs first use energy to maintain their own flight, resulting in limited energy allocated to communication processes such as signal transmission and reception, signal power amplification, computational expenses, and so on.Moreover, like LoS communication, UAV communication is vulnerable to eavesdropping attacks.Therefore, both the data link and the control link of UAV communication require high levels of confidentiality.Moreover, in terms of PKG, LoS channel results in low randomness, which means low KGR. Figure 8b shows the application of PKG in three different types of UAV communication scenarios.
The following are some examples of research on PKG in UAV communication, which can be mainly divided into three types: UAV air-to-ground communication, UAV air-to-air communication, and UAVassisted ground communication.
• PKG in UAV air-to-ground communication.Lin et al. [145] considered UAV MIMO communication and proposed a PKG scheme that can be implemented in FDD systems.In this work, the three-dimension (3D) spatial angle of the UAV is used as a new channel parameter to generate the secret key, which can also combat an active eavesdropping attack called Environment reconstruction based attack for secret keys (ERASE).In the process of PKG, the stage of angle information extraction and angle data processing is added, which is used to make the extracted angle information with uneven distribution follow a near-uniform distribution, thus avoiding a series of repeated bits in the secret key.However, this scheme needs to balance the KGR and the randomness of the key.• PKG in UAV air-to-air communication.In UAV air-to-air communication.Pham et al. [146] proposed that the rotation of the UAV antennas be regarded as a randomness source which is reflected by the channel phases.The two-dimensional (2D) case is analyzed first, i.e., the rotation axis l of the antennas is perpendicular to the plane Σ formed by Alice, Bob, and Eve.Then the authors extend it to the 3D case, i.e., l is not perpendicular to Σ. Finally, numerical results of achievable KGR are given under different SNRs, without analyzing their theoretical values and upper bounds on KGR, nor involving specific quantization and information reconciliation stages.Assaf et al. [147] combined physically unclonable functions (PUFs) with PKG technology.Specifically, the study addressed the problem of the static channel in UAV communication using PUFs to generate equivalent channel randomness.The randomness was then enhanced with artificial fading (AF), and a new bit extraction scheme was proposed by modifying the adaptive secret bit extraction (ASBE), reducing the number of transmissions between the nodes and reducing the required number of side-information bits.However, the study only considers UAVs with a single antenna at present.In the future, the study can be extended to multiple UAV scenarios, but the cost of PUF emulators needs to be addressed.Nagubandi et al. [148] proposed the relay-assisted selective inversion (RASI) protocol, which uses a ground relay to assist PKG between UAVs.The idea of this protocol stems from the fact that the channel from UAV to ground relay has more randomness than that from UAV to UAV.In this protocol, the two UAVs send pilot signals with a length of 1 successively, assuming that the channel coefficients of UAV A and UAV B to the ground relay are h ar and h br .After receiving the pilot signals, the ground relay sends different broadcast signals based on the relative magnitudes of h ar and h br , and then the two UAVs determine their final form of the received signal according to this broadcast signal respectively.This scheme performs better than another relay-based scheme in the case of low SNR.However, since the UAVs determine the form of their received signal based on the relative magnitudes of h ar and h br , it is possible for there to be a sequence of h ar greater than h br , or vice versa.As a result, the randomness of PKG in the proposed RASI protocol may be affected.However, the study did not consider the presence of attackers, an active attacker may interfere with the ground relay to send broadcast signals.In [149], the authors constructed a UAV-assisted relay network outdoors, and implemented RSS-based PKG between UAVs and ground nodes, respectively.• PKG in UAV-assisted communication.Han et al. [150] proposed DroneKey, which is a UAVassisted group-key generation (GKG) scheme for large-scale IoT networks.In the proposed scheme, a UAV flies in a predetermined 3D trajectory and keeps broadcasting wireless signals to ensure that the secret key in the network is updated.Every device in the network receives the signals.To express how the channel between the device and the UAV changes, the CSI stream is extracted.Then the inherent correlation between the CSI streams is obtained by using DL.Finally, the group keys are generated.The scheme considered the situation that the flight trajectory of the UAV is obtained by attackers, and used fuzzy function to address the issue to enhance the security of DroneKey.

Satellite network
With the continuous increase in global communication demand, the limitations of ground communication have gradually become insufficient to meet the rapidly growing needs.Satellite networks can expand the application scope of ground networks and overcome the limitations of current network coverage and spectrum utilization.Specifically, it has a large transmission capacity, the signal transmission cost is independent of the transmission distance, and it is not limited by the geographical environment [151].
As a kind of ultra-long-distance communication, satellite communication can theoretically achieve global coverage with only three satellites.Using the vast coverage range of satellites, the collaboration between satellite and ground networks can connect rural and remote areas that are currently beyond the coverage of existing network infrastructures.In addition, the utilization of the current spectrum is already very high and it is difficult to continue to meet the needs of high-bandwidth applications.Therefore, spectrum sharing between satellite and ground networks enables effective spectrum utilization and provides reliable communication.
Satellite communication often involves important areas at the national level, such as the military, making its security particularly important.Therefore, at the current stage, we are more focused on the security and reliability of satellite communication.In satellite communication, the LoS channel typically dominates, making it difficult to extract sufficient randomness directly from the channel characteristic parameters for high KGR.Moreover, satellite communication, unlike most ground wireless communication, has the characteristic of broadcasting over a large range, making signals easier to be received by unauthorized users.Therefore, satellite communication is more vulnerable to active or passive attacks.Passive attacks mainly involve eavesdropping, where the eavesdropper intercepts the signal transmitted by the satellite and attempts to decipher the information, leading to information leakage.Active attacks include spoofing attacks, jamming attacks, etc., where attackers may disguise themselves as legitimate receivers to obtain secret information or send jamming signals, disrupting satellite communication.These attacks could cause serious damage to communication and result in unpredictable economic losses.So it is important to study how to generate the secret key in satellite communication.Figure 8c shows PKG in satellite communication tersely.
Due to the reason mentioned above, many researchers have done extensive exploration.The authors of [152] proposed a PKG scheme for communication between spacecraft.They utilize the reciprocal Doppler frequency shift measurements between spacecraft as a randomness source to generate the secret key.More specifically, the spacecraft uses measurements of the nominal power spectral density samples (NPSDSs), which preserves the effects of Doppler frequency shift.Firstly, the communication nodes send pilot signals, respectively, then use the maximum likelihood estimation to estimate the NPSDS.Finally, quantize the estimation to generate the secret key.As an extension of [152], the authors model the mobility of the spacecraft in [153].Specifically, in order to obtain high-security capacity, the authors use a specific Brownian motion model to simulate the random motion component of the spacecraft.The maximum achievable KGR is provided.The method proposed in [154] is also appropriate to be applied to satellite communication.It exploits the reciprocal carrier frequency offset (CFO) between the communication nodes to extract randomness.The communication nodes first exchange binary phase-shift keying (BPSK) signals to estimate the CFO, and then quantize their individual CFO estimations by using equiprobable or uniform quantization.Finally, they reconcile information using linear block codes.Zhang et al. [155] proposed the reconciliation efficiency index (CREI) and the adaptive information reconciliation scheme selection (AIRSS) protocol.The CREI is maximized in the protocol to reduce the disagreements caused by channel non-reciprocity in PKG.The simulation results showed the CREI of different protocols in satellite communication scenarios.In [156], the authors reduced the correlation between the legal channel and the wiretap channel by leveraging the advantage of the multi-satellite scheme in space-to-ground satellite PKG.

Future works
The space-air-ground integrated network will be more and more valuable in the future, and the development and application of PKG technology can enhance its security.Next, we will introduce promising directions that lack sufficient research as future works.
• Adaptive PKG quantization threshold setting in IoV communication.Because the vehicular communication environment is complex and variable, in the quantization stage of PKG, the fixed threshold currently commonly used may have a great impact on the secret KDR, which will lead to higher expenses in the negotiation stage.Adaptive threshold setting based on DL or other methods can be applied so the threshold can be adjusted adaptively according to the situation, which is helpful to improve the key agreement rate.• Make full use of the mobility of UAV.UAVs have the characteristic of flexible mobility, while most current research assumes that UAVs are in a hovering state.Although this simplifies the system model, it is believed that programming their flight trajectory can significantly improve communication security.Firstly, the dynamic spatial position of UAVs can provide new channel parameters to assist with PKG in static environments.Secondly, due to their non-fixed positions and the ability to optimize flight trajectories for legitimate devices, this can increase the difficulty and cost of eavesdropping attacks.However, UAV mobility also complicates trajectory design and system models.The usual approach is to assume that UAV states are static during each small time slot, but the actual problem is how to appropriately select the length of each time slot to improve system accuracy.Furthermore, it is worth further research on how to combine UAV flight trajectory programming with counteracting eavesdropping attacks and optimizing KGR.Finally, when modeling channels, the LoS and NLoS mixed channel scenario should be considered to fit more practical situations [157].• Considering orbital randomness and multi-satellite scheme.The orbit of a satellite is mainly determined by the gravity of the earth and Newton's laws of mechanics, but strictly speaking, the gravity of the moon, the influence of the atmosphere, and the gravity of the sun are all factors that affect the orbit.Even though the satellite orbit data is open, these factors, which are extremely weak and random, can't be predicted by attackers, so they can be used as random sources to generate secret keys.In addition, multiple satellites will bring more randomness than a single satellite, so more research should be carried out on schemes of PKG through multi-satellite cooperation.• Considering the non-reciprocity of legal channels and the correlation of wiretap channels in PKG of satellite communications.Satellite communication, due to its characteristic of long signal propagation distance and long communication delay, has led to some challenging problems.On one hand, because of the time-varying environment and the long propagation delay [158], the reciprocal channel is difficult to be established; on the other hand, generally, from the satellite's perspective, the eavesdropper and legitimate user are closely located, and the LoS channel is dominant [159], which leads to that the correlation between legitimate and wiretap channel cannot be ignored.There are not many solutions at present.However, addressing these issues is crucial for advancing the practical implementation of PKG in satellite communications.

Quantum technology
Quantum information technology (QIT) has become an emerging technology to enable and boost future wireless communication systems from several key perspectives such as computing, communication, security, and intelligence.The future communication technology based on quantum will bring many advantages, including quantum security, improved privacy protection, using secure quantum communication like quantum key distribution to improve the security of future communication, and real-time optimization based on quantum to improve communication efficiency and capacity.QIT is regarded as one of the essential technologies for realizing efficient, safe, and intelligent wireless networks.Quantum computing is mainly applied in unstructured search, optimization, and quantum simulation.Additionally, it can be coupled with other emerging technologies to enhance precision and accelerate processing speeds.Quantum computing utilizes the advantage of quantum parallelism to make the computing speed far higher than the classical computing technology, and ultimately achieve quantum supremacy on some types of problems such as optimization problems [160].
In classical cryptographic schemes, the legitimate communication parties typically rely on the public key cryptosystem (PKC) to complete key distribution.PKC relies on complex mathematical problems used in the encryption algorithm, which makes it impossible for attackers to calculate the private key.They are called computational security.However, the ability of quantum computing poses a serious risk to this encryption scheme [161].Quantum computers have faster search and factorization capabilities than classical computers.Attackers can use quantum computing to destroy any cryptographic system and algorithm based on integer factoring and discrete logarithm mathematical complexity [162].

QKD technology and application challenges on mobile devices
In order to solve the security issues caused by the development of quantum technology, researchers have been exploring post-quantum cryptography (PQC).PQC aims to find quantum secure cryptographic solutions to resist the attacks of quantum computers and classical computers [160].PQC develops keys based on mathematical problems, which are hard to solve by quantum computers.However, PQC is not only difficult to study but also a challenging task to integrate into communication systems.In this context, researchers pay much attention to QKD technology.Among all the emerging quantum information technologies, QKD technology is one of the technologies that developed the fastest [163].
QKD is based on a few basic quantum mechanics principles, such as the Heisenberg uncertainty principle and quantum entanglement, to ensure that the increase of computing power cannot and will not affect the security of the key [164].QKD technology can be implemented with different photon degrees of freedom, such as frequency, phase, polarization, time, and trajectory angular momentum.QKD leverages the authenticated classical channel and the quantum communication channel to solve the problem of exchanging keys between communication parties on the insecure channel [163].Quantum physics principles can be utilized to monitor eavesdroppers in the process of key generation to prevent them from obtaining keys or messages.
However, when QKD technology is applied to mobile devices, there are still the following challenges and limitations.
• No suitable security interface.It is difficult for terminal users to securely access key distribution services in QKD networks in quantum computing environments.Because of the high construction cost of quantum nodes, it is unrealistic for each terminal user to have a dedicated quantum node to access the services of the QKD network.Therefore, several terminal users must share a quantum node in a real-time environment, but this poses security risks.distance optical fiber transmission to ensure the security of large-scale infrastructure [165].But longdistance quantum communication faces many problems.Fiber loss will limit the transmission distance.
With the increase in transmission distance, signal loss and SNR decline will seriously affect KGR.At present, some researchers are studying quantum repeaters to solve this problem.These repeaters rely on the transmission of entangled quantum states between repeater nodes, but it is very hard to build such a system, and the required technology is difficult to achieve in a short time [166].Satellite links can also be used for long-distance quantum communication, but the cost is too high.

Solution methods combination of QKD and PKG
The physical layer is the first line of defense for communication security.The physical layer employs the unique characteristics of the wireless channel to ensure communication security without assuming the computing ability of the attacker.The correctly implemented PLS scheme should be quantum-safe.PLS has the advantages of absolute security, endogenous integration of communication and security, and independence of complex mathematical operations.In the future communication systems where quantum computing is rapidly developing, PLS technology can effectively cope with the communication security problems caused by quantum computing [167].The PKG technology uses the wireless channel as the random source of key generation.By reason of the time-varying, uniqueness, and randomness of the wireless channel, CSI changes with time and is difficult to predict.Similar to quantum cryptography, the third party is also hard to measure, reconstruct, and copy, ensuring the security of the key.Moreover, PKG has the same problems as QKD.It is hard to maintain the high reciprocity of signals in long distance transmission, so the conditions for generating the reciprocity key may not be met.A new scheme was proposed to cope with the problem that QKD and PKG are not applicable to remote IoT, i.e., combining the emerging technologies of QKD and PKG to achieve key sharing [168].PKG can be utilized to accomplish the final stage of secret key distribution from a quantum access point (QAP) to IoT users.Figure 9 illustrates the system model that integrates QKD and PKG.Alice and Bob are two remote wireless users without direct contact.QAP1 and QAP2 are two quantum access nodes with wireless links to Alice and Bob respectively.In order to achieve secure key distribution between Alice and Bob, first of all, the physical layer key is generated between Alice and QAP1, Bob and QAP2 by employing PKG technology.Next, use QKD technology to distribute quantum keys between QAP1 and QAP2.Then QAP1 and QAP2 employ their physical layer keys to encrypt and pass the quantum keys to Alice and Bob respectively.Thus Alice and Bob have a unified key and can use the key for encrypted communication.In summary, the entire process is divided into three stages: QKD, PKG, and edge forwarding.The following will elaborate on these stages in detail.
• QKD phase.QKD usually includes two stages: the key-sharing stage and the post-processing stage.
Firstly, in the key sharing phase, QAP1 transmits a group of random qubits selected from a group of four states with two bases to QAP2 through a quantum channel such as fiber optics.Then QAP2 selects one of the two bases on a random measurement basis.QAP1 and QAP2 keep these bits consistently and discard the remaining ones.Secondly, in the post-processing stage, QAP1 will send some bits to QAP2 to avoid eavesdropping attacks.QAP2 compares the detected content with the content sent by QAP1.These shared bits will be invalid if the error rate is higher than the set threshold.Otherwise, QAP1 and QAP2 implement information coordination to correct errors and privacy amplification to reduce privacy disclosure.The post-processing phase is usually done through an authenticated classical channel.Finally, QAP1 and QAP2 obtain the quantum key K Q .• PKG phase.PKG protocols mainly include four stages: channel probing, quantization, information reconciliation, and privacy amplification.Alice and QAP1 perform PKG protocol between them to generate channel key K 1 .Bob and QAP2 also go through all phases of PKG protocol to perform channel key K 2 .• Edge forwarding phase.QAP1 and QAP2 forward the shared quantum keys to Alice and Bob based on the channel keys generated by them respectively to complete the key sharing.With the help of the channel key, the edge can encrypt the quantum key using the One-TimePad (OTP) encryption algorithm.Then the edge forwards the cipher text to the user.
Li et al. [168] also show how to extend the method to multi-user scenarios by optimizing and designing edge-forwarding strategies.In addition, in order to improve practicality, some methods were proposed to reduce time delays and improve key generation rates.

Future works
Although combining QKD and PKG can enhance communication security, this technology still faces many challenges in future communication.Moreover, research in this area is relatively scarce at present.The following are some open issues that we believe need to be addressed urgently: • Device authentication.Considering the hybrid architecture of QKD and PKG, both QKD and PKG cannot authenticate the transmission source, making them very vulnerable to spoofing attacks.Identity authentication can be further enhanced through emerging PLS technologies, such as radio frequency fingerprint technology [169].• Untrusted intermediate QAP.The combination system of PKG and QKD relies on the trust of the intermediate QAP.When QAP is not trusted, how to implement the solution is also a good research direction.In this case, it may be beneficial to use multiple QAPs so that they can verify and monitor each other's behavior.Additionally, other security mechanisms can be explored to ensure the security of the system.Ultimately, further research and development of alternative solutions are needed to ensure system security in situations where QAPs cannot be trusted.• Security risks of hybrid architecture.The security of existing PKG schemes mainly depends on changes in the environment.When the environment changes slowly, PKG schemes may encounter security vulnerabilities.The current research on addressing PKG in slowly changing channels is challenging [170].• Extension to Point to Multipoint (P2M) mechanisms.Existing QKD services can only support point-to-point (P2P) key distribution, which means that a separate key distribution channel needs to be established for each node when establishing QKD communication.The system becomes more complex and costly as a result.As a consequence, the practical application of the P2M mechanism in QKD networks still needs further research and development.

Conclusion
In this survey, we reviewed recent trends in utilizing the advantages of PKG to enhance network security by implementing secure key generation through wireless channel properties such as spatial decorrelation, time variation, and channel reciprocity.At the same time, new technologies that are expected to be widely applied in the NextG networks will also be in favor of the application of PKG in the NextG networks.We first analyzed the challenges faced by traditional key generation schemes in NextG network scenarios, analyzed the possibility of PKG overcoming corresponding difficulties, and emphasized the differences between previous investigations and our work.Then, the preliminary knowledge of PKG was summarized, including its development history, principles, protocols, channel parameters, and evaluation metrics, to help target readers have a more comprehensive understanding of PKG.Finally, we conducted an in-depth analysis of the five new technologies widely adopted in the NextG networks and provided a detailed explanation of the background, advantages and disadvantages, challenges, solutions, and open issues that still need to be addressed when combining each technology with PKG.

Figure 1 .
Figure 1.New technologies and potential applications of NextG networks

Figure 2 .
Figure 2. The structure of our paper

Figure 3 .
Figure 3.The general procedures of PKG protocols

Figure 4 .
Figure 4.The workflow of ECC-based information reconciliation

Figure 5 .
Figure 5. System model of massive MIMO for PKG

Figure 6 .
Figure 6.Positive and negative impacts of RIS on PKG.(a) The KGR is very low in static environments.(b) Positive impacts: RIS provides (i) more randomness for PKG in static environments, and (ii) more possibilities for KGR optimization in dynamic environments.(c) Negative impacts: RIS may be exploited by active attackers

Figure 8 .
Figure 8. Three typical networks in the space-air-ground integrated network.(a) IoV network.(b) UAV network.(c) Satellite network

Figure 9 .
Figure 9. Communication between two remote users using a combination of QKD and PKG

Table 1 .
Comparison with available reviews in recent years