1 A wireless physically secure key distribution system GeraldoA.Barbosa∗ Abstract—Afastandsecurekeydistributionsystemisshownthatoper- possibilitytoimmediateapplicationofthetechniquetomobile atesinclassicalchannelsbutwithadynamicprotectiongivenbytheshot devices.Thisnewschemeisdetailedandtheassociatedsecurity noiseoflight. Thebinarysignalsinthecommunicationchannelarepro- leveliscalculated. Thissystemperformsone-time-padencryp- tectedbycodinginrandombasesandbyadditionofphysicalnoisethat wasrecordedandaddedbitbybittothesignals. Whiletheresultingsig- tionwiththesecurelydistributedkeys. nalsareclassicaltheycarrytheuncontrollablerandomnessinformationin Symmetrickeyswithend-to-endencryption,wherekeysare the signal sent. The legitimate users start with a shared secret between keptsecretbytheusers,mayprovideperfectsecurecommuni- themcreatingameasuringadvantageovertheadversary. Thiswaythe 6 introducednoisedoesnotaffecttheusersbutfrustratestheattacker. cationforcompanies. Governmentdistributionofkeysfortheir 1 IndexTerms—Random,physicalprocesses,cryptography,privacyam- users could guarantee secure communication among users as 0 plification. wellasdisposeoftoolstoaccessnecessaryexchangedinforma- 2 tionwheneverastrongneedexists. Inthesameway,companies ul I. INTRODUCTION that distribute keys for their users could comply with legal re- J quirementssuchastheAllWritsAct(AWA)-aslongastheir Afastandsecurekeydistributionsystemispresentedtoop- keyrepositoryarekeptundercontrol. 5 erate in generic communication channels, including wireless 2 Astep-by-stepdescriptionofthissystemwillbemadealong channels.Thetransmittedsignalsaredeterministic(orperfectly this paper. The key distribution system not just generates and ] copied) but include continuously recorded random noise that distributecryptographickeysbutalsoprovidefunctionslikeen- R frustrates an attacker to obtain useful information. This noise cryptionanddecryptionbetweenusers(or“stations”)AandB: C affectstheattackerbutnotthelegitimateusersthatshareanini- Itisaplatformforsecurecommunications. . tialsharedsecretbitsequencec . Thelegitimateuserswillend s 0 c upwithacontinuoussupplyoffreshkeysthatcanbeusedeven II. PLATFORMFORSECURECOMMUNICATIONS [ toencryptinformationbit-to-bitinlargevolumesandfastrates. 2 The wireless key distribution system discussed in this work Fig. 1 shows a block diagram of this platform for one v uses the intrinsic light noise of a laser beam to frustrate an at- of the users, say A. Users A and B have similar platforms. 2 tackertoextractmeaningfulsignals. However,thisnoiseisnot Communication between A and B proceeds through the com- 8 inthecommunicationchannelbutitisrecordedbeforereaching municationportsofaPCwithaccesstotheInternet(Topportion 0 thechannel. ofFig.1). ThisPCworksastheinterfacewiththeexteriorand 0 Historically,cryptographyusingopticalnoisefromcoherent is isolated from the platform (Bottom of Fig. 1) by an air gap. 0 . states in a communication channel can be traced back to [1] Inotherwords,theplatformhasnodirectaccesstoorfromthe 1 and [2]. The first uses quantum demolition measurements and Internet. DataflowinandoutisdonethroughaDynamicmem- 0 6 quadraturemeasurementswhilethesecondusesdirectmeasure- ory conjugate with OR switches that only allow authenticated 1 ments with no need for phase references or quantum features andfixedsizepackets. : besides the presence of optical noise. The methods and tech- The platform is roughly composed of two opto-electronic v i niques used are widely different. The use of the optical noise parts:1)AfastPhysicalRandomBitGenerator(PhRBG)and2) X inthispaperhasarelationshiptotheoneoriginallyusedin[2], aNoiseGenerator.ThePhRBGdeliversbitstoaBitPoolwhere r where fiber optics communication in a noisy channel blocked aPrivacyAmplification(PA)protocolisappliedandencryption a information leakage to an adversary. An initial shared infor- and decryption functions are performed. Description of these mationonaM-rycodingprotocolusedbythelegitimateusers partswillbemadealongthepaper;theyareintertwinedintheir allowedthemtoextractmoreinformationfromthechannelthan functionalitiesasassuchtheirunderstandingarenecessaryfora the one obtained by the adversary. More recently that original fullcomprehensionoftheproposedsystem.APC-motherboard idea was improved with a specific privacy amplification pro- (notdiscussedinthispaper)intheplatformperformseveralop- tocol [3] while keeping the use of an optical communication erationsandprovideaccessfortheusers,includingagraphical channel. interfaceforplatformcontrol. Thepresentworkmergesmainideasoftheprotectiongiven Although this is a quite general system allowing privacy in by the light’s noise in a protocol applied to wireless chan- communicationsonecouldmentionafewapplicationslikese- nels. Seed ideas on the use of a wireless channels using cure communications for embassies or the secure transfer of recordedphysicalnoisewereintroducedfrom2005to2007[4]. large volumes of patient data among medical centers and in- This work brings those ideas of wireless channels secured by surancecompanies. recordedopticalnoisetoapracticallevel. Italsoopensupthe III. PHYSICALRANDOMBITGENERATOR ∗G.A.Barbosa,QuantaSec–ConsultingandProjectsinPhysicalCryptog- The fast Physical Random Bit Generator (PhRBG) is of a raphyLtd.,Av. Portugal1558,BeloHorizonteMG31550-000Brazil. E-mail: [email protected] novel type described in Ref. [5]. The PhRBG extract broad 2 to B Samplingtimeforacquisitionofthebitsignalsaresetmuch shorter than the coherence time of the laser used. By doing communication ports A sosamplingsoccurwithinafixedopticalphaseofthesampled (wireless, ethernet) photons.Thisleadstophotonnumberfluctuationsthataremax- Dynamic imal:Althoughphaseandnumber(orphotonamplitude)arenot PC (IP connected) memory strictlyconjugatevariables,thereisanuncertaintyrelationship fornumberandphase. OR “airgap” switches The individual bit signals generated by the PhRBG around time instants t will be designated by a and a sequence of a i i i KeyBITS platform bya. Notationasometimesdesignatesasequenceofbitsorthe random size of this sequence whenever this does no give rise to nota- 𝑥𝑥⊕𝑧𝑧 PhRBG bits BIT PO𝑎𝑎O𝑖𝑖−L1 tionalproblems. (PA) UserAwantstotransmitinasecurewaytheserandomabits 𝑧𝑧 + touserB. 𝑎𝑎𝑖𝑖 𝑏𝑏𝑖𝑖 𝑥𝑥 𝐼𝐼2 + A BS NoiseGenerator 𝑉𝑉𝑖𝑖 𝑎𝑎𝑖𝑖+𝑏𝑏𝑖𝑖 laser detector G G classifier 𝑎𝑎𝑖𝑖−1 + 𝑎𝑎𝑖𝑖+𝑏𝑏𝑖𝑖+𝑉𝑉𝑖𝑖 ADC +,- ( , ) BIT( PPAO)OL BS𝐼𝐼1 𝑉𝑉+𝑉𝑉− 𝑧𝑧 Fig.1 𝐼𝐼0 PhRBG EACHSTATION(AORB)ISPHYSICALLYCONTROLLEDBYEACHUSER 𝑎𝑎𝑖𝑖 + 𝑏𝑏𝑖𝑖 ANDISCOMPOSEDOFANIPCONNECTEDPCTHATEXCHANGE COMMUNICATIONSBETWEENSTATIONS.THEPLATFORMHASNODIRECT 𝐼𝐼2=𝐼𝐼0−𝐼𝐼1 detector CONNECTIONTOTHECOMMUNICATIONCHANNELS.DATAFLOWINAND G 𝑎𝑎𝑖𝑖+𝑏𝑏𝑖𝑖 BS ADC + OUTFROMTHEPLATFORMTOTHECOMMUNICATIONPCISDONE Noise 𝑉𝑉𝑖𝑖 THROUGHADYNAMICMEMORYANDORSWITCHES.THISMEMORY Generator CONTAINSINSTRUCTIONSONLYALLOWINGTRANSITOFAUTHENTICATED toB𝑎𝑎𝑖𝑖+𝑏𝑏𝑖𝑖+𝑉𝑉𝑖𝑖 PACKETSWITHFIXEDSIZE.THEPLATFORMCONTAINSTHEPHYSICAL RANDOMBITGENERATOR(PHRBG),ABITPOOLANDANOISE Fig.2 GENERATORTOEFFICIENTLYMIMICTHEOPTICALSHOTNOISEOFA HARDWARETOGENERATERANDOMBITS(PHRBG),NOISEGENERATOR NOISYOPTICALCOMMUNICATIONCHANNEL. ANDBITPOOLFORPRIVACYAMPLIFICATION.THEBITPOOLCONTAIN MEMORIESANDAFPGA(FIELDPROGRAMMABLEGATEARRAY)TO PERFORMFASTOPERATIONSLOCALLY. bandwidth fluctuations (shot-noise) of a laser light beam and delivers random voltage signals (V ,V ) –signals that can be + − AppendixAcommentsonthePhRBG. expressedasrandombits–totheBitPool. Fig.2providesmoredetails. LeftupperpartofFig.2shows IV. BITPOOLANDNOISEGENERATOR the PhRBG. A laser beam excites a multi-photon detector and Fig.2alsoshowsattherightuppersideaBitPoolwhereran- thevoltageoutputpassthroughamplifiersGandananalog-to- dom bits generated from the PhRBG are stored together with digital (ADC) converter. The laser intensity I and the gain 1 bitsb thatwerealreadyacquiredandrecorded. Theinitialse- G are adjusted to enhance the current from the noisy optical i quence{b }istakenfromasecretsequencec ofsizec =ma signalswellaboveelectronicnoises: 0 0 0 initiallysharedbetweenthelegitimateusers. TheBitPoolout- puts signals b +a . Bits b act as a modulation or encryption (∆I )2(cid:29)(∆I )2. (1) i i i light electronic signalstotherandombitsa . AfterapplicationofthePApro- i tocol a final distillation of z bits, over which the attacker has It also necessary to work below the range where the ratio no knowledge, will be available for encryption and decryption noise/signal is too small. In terms of the number of photons purposes. Afulldiscussionoftheseoperationsaremadeahead n: whendiscussingthephysicalmodulationofthesignalsandthe (cid:112) Noise ((cid:104)∆n(cid:105))2 1 PrivacyAmplificationprotocol. = = →notsmall. (2) (cid:112) Signal (cid:104)n(cid:105) (cid:104)n(cid:105) A. NoiseGeneratorandrecordedopticalshot-noise Inotherwords,thedesiredsignalsareoptimizedopticalshot- Bottom part of Fig. 2 shows the Noise Generator. A laser noisesignalsthatallowagoodnumberofdetectionlevelsfrom beamwithintensityI isdetected,amplifiedtoproduceoptical 2 anADC.Thestreamofdigitalizedfluctuatingsignalsareclas- shotnoiselimitedsignals. Thesesignalsaredigitalizedproduc- sified within short time intervals in signals above the average ing a sequence of independent noise signals V ={V }. V is N i i valueasbit1signals(V )whilesignalsbelowtheaverageare added to the signals a +b giving a +b +V and sent to B. + i i i i i identifiedasbit0signals(V ). The noise contribution V replaces the intrinsic optic noise in − N BARBOSA:AWIRELESSPHYSICALLYSECURE KEYDISTRIBUTIONSYSTEM 3 anopticalchannel. Themagnitudeandformatofthisnoisewill beshownafterpresentingtheideaofM−rybases. 𝑎𝑎𝑀𝑀−1 The first modulation signal b is defined by m random bits 0 from c . In general the modulating random signal b can be 𝑎𝑎𝑖𝑖+1 𝑎𝑎𝑖𝑖+𝑏𝑏𝑖𝑖 + 0 i seenasatransmissionbasisforai. Onemayaswellseebitsai 𝑉𝑉𝑚𝑚𝑚𝑚𝑚𝑚 𝑎𝑎𝑖𝑖 𝑎𝑎𝑖𝑖+𝑏𝑏𝑖𝑖 𝑉𝑉𝑁𝑁 asamessageandb asanencryptingsignal.Togenerateeachb , 𝑎𝑎𝑖𝑖−1 i i oronenumberamongM,mbitsarenecessary(m=log M). 2 𝑎𝑎0 ItistobeunderstoodthattheM−rycodinginterleavesbits in the sense that the same bit signal superposed to a basis b noiserange k (ADClevels) representingabit1(or0)representstheoppositebit0(or1)in 1(or0) aneighborbasisb orb .Forexample,seeFig.1in[3]for 𝜎𝜎𝑉𝑉 k−1 k+1 noiserange aphysicalrepresentationoftheseinterleavedbitsintheoptical 𝑉𝑉𝑚𝑚𝑚𝑚𝑚𝑚 phasespace. Otherpossiblerealizationofdistinctneighboring > 2 levelswithdistinctbitscouldbemadewithlevelsseparatedby smallphysicaldisplacementsdifferentfromphase, e.g. ampli- 0(or1) Fig.3 tude,asshowninFig.3.This,togetherwiththeaddednoiseVN TOP-THEPHYSICALAMPLITUDESIGNALREPRESENTINGAGIVENBASIS donotallowtheattackertoobtainthebitai. biISADDEDTOTHESIGNALREPRESENTINGABITai.THEBASISSIGNAL ISKNOWNTOUSERSAANDBBUTNOTTOTHEATTACKER.ASIGNALai B. NoiseGeneratorandM−rybases ISTOBESEENASAGIVENBITINBASISbi(1OR0)BUTTHISSAME AsshowninthebottomrightpartofFig.2arandomsignal SIGNALaiWILLBESEENASTHEOPPOSITEBIT(0OR1)WHENATTACHED V is added to a +b , giving a +b +V to be sent to B. It TONEIGHBORINGBASESbi+1ORbi−1.THEREFOREEVENASMALL i i i i i i is emphasized that although the signal sent from A to B is de- NOISEViADDEDTOai+biDONOTALLOWANATTACKERTOKNOW terministic, V is a recorded random noise that varies from bit WHICHBASESHAVEBEENUSED.HOWEVER,BOTHAANDBKNOWbi i tobit. Arecordedsignalisdeterministicbydefinitionbecause ANDTHUSTHEBITSENTaiCANBEEXTRACTED.PHYSICALLY,DISTINCT it can be perfectly copied. However, this recorded noise is an MODULATIONVOLTAGESIGNALSMAYREPRESENTBITSANDBASES. instanceofanunpredictableeventbynature. THEREAREM BASES;THEYCANBEASSUMEDSEPARATEDBYVmax/M. ABIT1ANDABIT0CANBEASSUMEDPHYSICALLYSEPARATEDBY In nature the noise intensity is continuous but the recorded digitalized noise is distributed among the M levels supplied Vmax/2.VOLTAGESIGNALSCANBEASSUMEDCYCLICINTHESENSE by an Analog to Digital Converter. This statistical distribution THATVmax+(cid:15)→(cid:15).BOTTOM-THEAMPLITUDEBETWEENASIGNALai REPRESENTINGABITANDTHEOPPOSITEONEISGREATERTHANTHE among M levels also has a characteristic deviation σ . This V NOISERANGE.ASVOLTAGEMODULATIONOFSIGNALSREPRESENTING1 willbediscussedahead. AND0ARESEPARATEDBYVmax/2THISALLOWSAPRECISEBIT ThenoisesignalV isderivedfromasplitbeamofintensity i DETERMINATIONBYTHELEGITIMATEUSERS.ONTHECONTRARY,THE I (seeleftbottompartofFig.2). Lightfromthisderivedbeam 2 ATTACKERSTRUGGLESUNSUCCESSFULLYWITHRESOLUTIONOF excites a multi-photon detector, the output is amplified by G NEIGHBOURINGLEVELS. anddigitalized. AnextraamplifierGmaybeadjustedtolevels compatibletothesignala +b .Inotherwords,theaddednoise i i mixpotentialbasesandbitssothattheattackercouldnotiden- tifyeitherthebitorthebasissent. Fig.3sketchestheaddition 2)Aninstanceofauniversalhashfunctionf issentfromA oftherandombasisb andtheaddednoiseV .Theattackerdoes toB. i i notknoweitherthebasisb neitherthenoiseV and,therefore, 3)Theprobabilityforinformationleakageofbitsobtainedby i i cannotdeducethebitsenta fromthetotalsignala +b +V . the attacker over the sequence sent is calculated (as indicated i i i i ahead), generating the parameter t (number of possibly leaked V. PRIVACYAMPLIFICATIONANDFRESHBIT bits). In other words, from sequence {0,1}n the attacker may GENERATIONBYAANDB capture{0,1}t. ThePAprotocolincludesthefollowingsteps: Fromthen= The Privacy Amplification process to be utilized was first a+bbitsstoredintheBitPool,tbitsaredestroyed: showninSectionIXofRef.[3];itutilizedtheformalismorigi- nallydevelopedinRef.[6]. Inthepresentworkitisappliedto {0,1}n→{0,1}n−t. (3) aclassicalcommunicationchannelinsteadofanoisyfiberoptic channel. Anextranumberofbitsλisreducedasasecurityparameter[6]. Briefly,thefollowingstepsareperformed: Thisreductioninbitnumbersisthen 1)TheBitPoolstartswiththebitsequenceofsizec =ms 0 (bitsbi)alreadysharedbyAandB.Asequenceaofbits, a= {0,1}n→{0,1}n−t→{0,1}n−t−λ (4) {a },isgeneratedbythePhRBGandstoredintheBitPoolby i userA.ThesequenceaissentfromAtoBafterthepreparation where{0,1}n−t−λ isthefinalnumberofbits. Theinitialtotal thataddbasesandnoise. Anumberofbitsa+maisusedfor amount of bits n in the Bit Pool was then reduced to r=n− thetaskofcreatingbitsa andbasesb tobesentfromAtoB t−λ. Theseremainingbitsarethenfurtherrandomizedbythe i i as{a +b }. PA protocol [3]. The protocol establishes that the attacker has i i 4 TABLEI noinformationonthesereducedand“shuffled”numberofbits r. PRIVACYAMPLIFICATIONPROTOCOLFORTHE Thenumberrofbitscanberearrangedinsizesasfollows WIRELESSPLATFORM PAprotocol r =n−t−λ=(a+b)−t−λ=(a−t−λ)+b INITIALIZATION:AandBsharec0ofsizeandentropyms. =(a−t−λ)+ma≡z+ma. (5) StationA # ACTION OBJECTIVE Thesequenceofsizez≡(a−t−λ)(seeoutputfromBitPool in Fig. 2) will be used as fresh bits for encryption while the 1a ai=GetString(PhRBG) GetbitstringfromPhRBG sequenceofsizemawillformthenewbases{b }forthenext 1b bi=ci−1[1,ms] Extractmsfrompoolforbasesb roundof bitdistribution. Theprocesscan proceeidwithoutthe 1c Code&Send(ai,bi) Sendoverclassicalchannel 2 Sendf Sendinstanceofuniversalhashf legitimate users having to meet or use a courier to refresh an overclassicalchannel initialsequencema. Otherroundsthenmayproceed. ThePAtheory[6]saysthatafterreducingtheinitialnumber 3a ci=f(ci−1||ai) AappliesPAfromms+sbits reducingthemtoms+s−t−λ ofbitsfromn=a+ma(mainitiallysharedandafreshbits)to r=n−t−λ,theamountofinformationthatmaybeacquired 3b zi= Ausess−t−λ bytheattackerisgivenbytheMutualInformationI .Corollary ci[ms+1,ms+s−t−λ] bitsfrompoolasthekeystreamz. λ Theremainingmsbitsform 5 (pg. 1920) in Ref. [6], gives the information leaked to the thebasesfornextround. attacker: StationB 1 1 I = = . (6) 1a nomatchingsteptoA’s λ ln2×2λ ln2×2n−t−r 1b bi=ci−1[1,ms] Getbasesbitsfrominitialpoolvalue A. Protocolsteps 1c ai=Receive&Decode(bi) Receivebitsfromclassicalchannel 2 Receivef receiveinstanceofuniversalhashf Table I list all steps of the protocol. The basis assigned for eachbitsentuseslog M toencodeitandtheprocessiscontin- 3a ci=f(ci−1||ai) BappliesPAfromms+sbits 2 reducingthemtoms+s−t−λ uouslysustainedinroundsofsbits,inanunlimitedway. This procedurehasbeenshowntobeveryfastinhardware. 3b zi= Busess−t−λ ci[ms+1,ms+s−t−λ] bitsfrompoolasthekeystreamz. Theremainingmsbitsform AandBusetheprotocolsinaconcertedmannerandextract thebasesfornextround. asequencez ofbitsoverwhichtheattackerhasnoknowledge. One should recall that the communication channel is classical andthesignalscontainrecordedopticalnoisemodulatingeach thisspanmustbelargeenoughtocoveragoodnumberofbases bitsent. AteveryroundAandBknowthebasisusedandthey so that the attacker cannot resolve the basis b when a bit a i i usethistotheiradvantagesothatthenoiseV doesnotdisturb N is sent. The actual optical noise has a continuous span but the identificationofa . AsecuredistilledstreamofbitsfromAis i recorded region is set by digitalized levels of the ADC used. transferredtoB. Setting the spacing of signals for bases similar to the spacing The protocols proceeds to other similar runs. After n runs, V /M of recorded noise levels, one could set the digitalized AliceandBobsharenzbits. max noisedeviation,byadjustingthegainG,suchthat VI. LEAKAGEPROBABILITYANDMUTUALINFORMATION V /M (cid:28)σ (cid:28)V . (8) I max V max λ CalculationofthemutualinformationI thatisdirectlycon- Thisconditioncanbemappedtothesameformalismutilized λ nectedtotheprobabilityforanattackertoextractusefulinfor- in the POVM (Positive Operator Valued Measure) calculation mationsentfromAtoB.Itdependsontheparametert(number developed in [2] and from which the leakage bit probability t ofpossiblyleakedbitsinasequencesent). can be obtained. One may write the probability for indistin- Inthewirelessschemethenumberoflevelsusedasbasesde- guishabilitybetweentwolevelsseparatedby∆k,as pendsonthedigitalhardwareutilized(8bitsresolution→M = 256, 10 bits resolution → M = 1024 and so on). This con- P∆k=e−|α4|2(cid:0)VV∆makx(cid:1)2 =e−|α4|2(∆Mk2)2 ≡e−2(∆σkk2)2 . (9) verter sets the maximum number of levels M. Voltage signals Vk,(k =0,1,2...M) will represent these bases and to alter- Theexpecteddeviationσk inthenumberoflevelsis natebitsinnearbybasesonemaychosebasesbyvoltagevalues (cid:115) givenby 2 σ = M, (10) (cid:20) k 1−(−1)k(cid:21) k (cid:104)n(cid:105) V =V + . (7) k max M 2 where(cid:104)n(cid:105)=|α|2andαisthecoherentamplitudeofalaser. At the same time, as voltage signals V representing Calculation of the probability of error P for an attacker to N e recordedopticalnoisewillbeaddedtothesevalues,theseval- obtainabitsentfollowswhatwasdonein[2]. Fig.4exempli- uesshouldhaveaspansmallerthanV (seeFig.3). However, fies these errors for a set of M values (number of bases) and max BARBOSA:AWIRELESSPHYSICALLYSECURE KEYDISTRIBUTIONSYSTEM 5 The current rack holding the PhRBG can be reduced to a smallsizewithoutputdirectlycoupledtoasmartphone. This canprovidetruesecurecommunications(bit-to-bitencryption) 𝑛 ≡ ∝2=10 between cellular telephone users as another application exam- 𝑛 =100 ple. Itisalsousefultocalltheattentiontothereaderthatade- centralized protocol for bit-by-bit encryption for N−users ex- 𝑛 =1000 ists[7].Underthisprotocol,onceN usersacquirealongstream 𝑛 =10000 ofrandombitsfromthePhRBG,theycanexchangesecurein- formation among them without any need to contact a central stationtosynchronizetheirbitstreams. BothSecureDataandVoiceOverInternet(VOIP)canbeim- plemented. Itshouldbeemphasizedthatitisimportantthatthe keystoragemustbekept“outside”ofthemobiledeviceandthat Fig.4 theflowofinformationfromthekeygenerationandencrypting PROBABILITYOFERRORFORANATTACKERONABITASAFUNCTIONOF unit to the device connected to the Internet should be strictly THENUMBERM OFBASESUSEDANDTHEAVERAGENUMBEROF controlled. PHOTONS(cid:104)n(cid:105)CARRYINGABIT. Othersteps,morecostly,canproduceanASIC(Application SpecificIntegratedCircuit)toreducethesystemtoachipsize device. number(cid:104)n(cid:105)ofphotonsdetected. Forasequenceofsbitssent Another possible application example for the platform is to the parameter t (bit information leaked in s) in Eq. 6 will be feedaSoftware-Defined-Radio(SDR)withcryptographickeys t=(0.5−P )×s.Withtcalculatedandthesafetyparameterλ for bit-by-bit encryption/decryption capabilities. This could e defined,theprobabilityforinformationthatcouldbeleakedto bring absolute security for Data and Voice communications theattackeriscalculated. Itcanbeshown[2]thatt∼10−4can throughSDR. be easily obtained; therefore with a sequence os s=106 bits sent,thisgivest∼102. VIII. CONCLUSIONS Fig.5exemplifiesthePAeffectby(log I )(seeEq.6)asa 10 λ It was shown how to achieve wireless secure communica- functionofr,(0,1)n→(0,1)r,andt,numberofbitsleakedto tion at fast speeds with bit-to-bit symmetric encryption. The theattacker. hardware requirements was described and it was shown how tocalculatethesecuritylevelassociatedtothecommunication. Miniaturization steps may allow easy coupling to mobile de- vices. The key storage have to be under control of the legit- imate users and no key should ever be stored where a hacker could have command/control of the system. A correct imple- mented system would offer privacy at top-secret level for the users. Furthermore, the correct choice of parameters creates a post-quantumsecurityprivacy. APPENDIX A. PLATFORM-RACKIMPLEMENTATION Fig.5 ThePhRBG,withintheplatform,isseenasarackimplemen- log10OFTHEMUTUALINFORMATIONIλLEAKEDTOTHEATTACKER tationinFig.6andsomedetailsinFig.7.Adetaileddescription AFTERPRIVACYAMPLIFICATIONISAPPLIED.INTHISEXAMPLE106BITS ofthePhRBGwillbepublishedelsewhere[8]. Justabriefde- ARESENT.tGIVESTHENUMBEROFBITSLEAKEDTOTHEATTACKER scriptionispresentedhere. BEFOREPAISAPPLIEDANDrISTHEDISTILLEDORUSEFULREMAINING ThePhRBGisanopto-electronicdevicedesignedtogenerate BITS. bitscontinuouslytosupplyanydemandforbitsathighspeeds. The physical principle involved, quantum vacuum fluctuations thatproducetheopticalshot-noise,isnotbandwidthlimitedand thedevicespeedcanbeadaptedtoallelectronicimprovements. VII. OTHERAPPLICATIONEXAMPLES Amongthedifferenceswithotherquantumrandombitgenera- Above sections described the basic parts of the platform for tors the presented device has no need for interferometry and a securecommunications. single detector is used. This gives a time stable operation for The use of a FPGA (Field Programmable Gated Array) and thesystem. memoryallowfunctionslikebitstorageandencryptionandper- The PhRBG was currently implemented with off-the-shelf formthe“BitPool”functionsnecessary. Customtailoredappli- components including low cost amplifiers (See G in Fig. 1). cations can also be programmed under this fast hardware pro- These amplifiers have a frequency dependent gain profile (a cessing. monotonoushighgainatlowfrequencies)thatintroducesalow 6 frequency bias in the bit generation. To compensate for this biaswithoutincreasingcostsaLinearFeedbackShiftRegister (LFSR)isusedinserieswiththebitoutputtoproduceanextra randomization.Thisbreaks–theexpectedlymorerare–longse- quencesofrepeatedbits.Thisprocessdoesnotreducethespeed ofthePhRBG. The currently implemented PhRBG works at ∼2.0 Gbit/sec and passes all randomness tests to which it was submitted, in- cludingtheNISTsuitedescribedin“NIST’sSpecialPublication 800 - A Statistical Test Suite for Random and Pseudorandom NumberGeneratorsforCryptographicApplications”. Besides Fig.8 PLOTOFRELATIVEFOURIERAMPLITUDESAν ASAFUNCTIONOFTHE FREQUENCYν.TRANSFORMING(0,1)SEQUENCESONTO(−1,1) FPGA ADC SEQUENCESALLOWSEASYFOURIERSPECTRUMANALYSISTHATSHOW Detectorand amplification THE“WHITE-NOISE”CHARACTEROFTHEOUTPUTSIGNALS. PC –motherboard hard drive 150000 1 f o es100000 c n Fig.6 re r u ATOPVIEWWITHSOMECOMPONENTSOFTHEPLATFORM.THELASER, Occ 50000 DETECTOR,AMPLIFIERANDHARDDRIVEAREATTHERIGHTSIDEOFTHE RACK.THEADCTHATFORMATANALOGSIGNALSFROMTHEOPTICAL 0 AMPLIFICATIONISCONNECTEDTOTHEFPGAFORPROCESSING.A 5 10 15 20 PC-MOTHERBOARDPROVIDESMANAGEMENTOFSEVERALFUNCTIONS Number of 1s in pattern INCLUDINGAFRIENDLYGRAPHICALINTERFACEFORTHEUSER. Fig.9 HISTOGRAMOF1S.DOTSAREOBTAINEDFROM1,277,874BITS OBTAINEDANDTHESOLIDLINEISTHEFITTOc=319018±356AND (cid:15)=−0.003±0.003. laser Therawdata[9]forthehistogramsaregivenbylistsL and 1 L : 0 fibers, opticalisolator, L1={{1,159676},{2,79651},{3,40253},{4,20017},{5,9864}, attenuator {6,4960},{7,2567},{8,1239},{9,623},{10,313},{11,156}, {12,59},{13,37},{14,21},{15,9},{16,8},{17,3},{18,4}, {19,1},{20,0},{21,0}} (12) Fig.7 L0={{1,159805},{2,79964},{3,39766},{4,20021},{5,9892}, DETAILOFTHELASERLOCATION,OPTICALISOLATORANDATTENUATOR. {6,4962},{7,2488},{8,1306},{9,630},{10,336},{11,148}, {12,71},{13,42},{14,10},{15,11},{16,6},{17,2},{18,0}, {19,1},{20,1},{21,1}}. (13) passingconventionalrandomnesstests,somevisualinformation conveys the same idea. Fig. 8 shows amplitudes of a Fourier Oneshouldobservethatthedeviationparameter(cid:15)isexponen- analysisofabitstreamrevealingthewhitespectrumcharacter tially small, giving an estimate of the randomness associated ofthegeneratedbits. Figs.9and10showdataandtheexpected withthegeneratedbits. occurrenceofrandombitsforadistributionwheretheprobabil- ity to occur 0 or 1s are equal, p=1/2. It is expected that the REFERENCES probabilitytooccurasequenceofkidenticalbits(either0or1) [1] F.GrosshansandP.Grangier,Phys.Rev.Lett.88,057902(2002). isp(k)=1/2k. Ifonechangesbasis2tobasis“e”onewrites [2] G.A.Barbosa,PhysicalReviewA68,052307(2003). [3] G.A.BarbosaandJ.vandeGraaf,Enigma-BrazilianJournalofInforma- 1 p(k)= =e−kln2(cid:39)e−0.693147k. (11) tionSecurityandCryptography,Vol.1,No.2,16(2015) 2k [4] G.A.Barbosa,arXiv:quant-ph/0510011v216Nov2005andarXiv:quant- ph/0705.2243v217May2007. DatainFigs.9and10werefittedtop(n)=ce−an=celn21−(cid:15)n, [5] G. A. Barbosa, Enigma - Brazilian Journal of Information Security and where(cid:15)willindicateadepartfromthedistributionp(k)=1/2k. Cryptography,Vol.1,No.1,47(2014). [6] C.H.Bennett,G.Brassard,C.Crepeau,U.M.Maurer,IEEETransactions onInformationTheory41,1915(1995) BARBOSA:AWIRELESSPHYSICALLYSECURE KEYDISTRIBUTIONSYSTEM 7 150000 0 f o100000 s e c n e r50000 r u c c O 0 5 10 15 20 Number of 0s in pattern Fig.10 HISTOGRAMOF0S.DOTSAREOBTAINEDFROM1,277,874BITS OBTAINEDANDTHESOLIDLINEISTHEFITTOc=319880±193AND (cid:15)=−0.003±0.002. [7] JeroenvandeGraaf,DecentralizedmanagementofOne-TimePadkeyma- terialforagroup,XIVSimpo´sioBrasileiroemSeguranadaInformac¸a˜oe deSistemasComputacionais SBSeg2014-Brazil. [8] The PhRBG implementation was carried out by a team from Universi- dade Federal de Minas Gerais and QuantaSEC Consulting, Projects and ResearchinPhysicalCryptographyLtd.withsupportfromMiniste´rioda Cieˆncia, TecnologiaeInovac¸a˜o(MCTI)-Finep(0276/12)-Fundep(19658)- ComandodoExe´rcito(DCT)-RENASIC. [9] RENASICReports: KeyBITSReport3(UniversidadeFederaldeMinas GeraisandQuantaSEC).