Table Of Content1
A wireless physically secure
key distribution system
GeraldoA.Barbosa∗
Abstract—Afastandsecurekeydistributionsystemisshownthatoper- possibilitytoimmediateapplicationofthetechniquetomobile
atesinclassicalchannelsbutwithadynamicprotectiongivenbytheshot devices.Thisnewschemeisdetailedandtheassociatedsecurity
noiseoflight. Thebinarysignalsinthecommunicationchannelarepro-
leveliscalculated. Thissystemperformsone-time-padencryp-
tectedbycodinginrandombasesandbyadditionofphysicalnoisethat
wasrecordedandaddedbitbybittothesignals. Whiletheresultingsig- tionwiththesecurelydistributedkeys.
nalsareclassicaltheycarrytheuncontrollablerandomnessinformationin Symmetrickeyswithend-to-endencryption,wherekeysare
the signal sent. The legitimate users start with a shared secret between
keptsecretbytheusers,mayprovideperfectsecurecommuni-
themcreatingameasuringadvantageovertheadversary. Thiswaythe
6 introducednoisedoesnotaffecttheusersbutfrustratestheattacker. cationforcompanies. Governmentdistributionofkeysfortheir
1 IndexTerms—Random,physicalprocesses,cryptography,privacyam- users could guarantee secure communication among users as
0 plification. wellasdisposeoftoolstoaccessnecessaryexchangedinforma-
2
tionwheneverastrongneedexists. Inthesameway,companies
ul I. INTRODUCTION that distribute keys for their users could comply with legal re-
J quirementssuchastheAllWritsAct(AWA)-aslongastheir
Afastandsecurekeydistributionsystemispresentedtoop-
keyrepositoryarekeptundercontrol.
5
erate in generic communication channels, including wireless
2 Astep-by-stepdescriptionofthissystemwillbemadealong
channels.Thetransmittedsignalsaredeterministic(orperfectly
this paper. The key distribution system not just generates and
] copied) but include continuously recorded random noise that
distributecryptographickeysbutalsoprovidefunctionslikeen-
R frustrates an attacker to obtain useful information. This noise
cryptionanddecryptionbetweenusers(or“stations”)AandB:
C affectstheattackerbutnotthelegitimateusersthatshareanini-
Itisaplatformforsecurecommunications.
. tialsharedsecretbitsequencec . Thelegitimateuserswillend
s 0
c upwithacontinuoussupplyoffreshkeysthatcanbeusedeven
II. PLATFORMFORSECURECOMMUNICATIONS
[ toencryptinformationbit-to-bitinlargevolumesandfastrates.
2 The wireless key distribution system discussed in this work Fig. 1 shows a block diagram of this platform for one
v uses the intrinsic light noise of a laser beam to frustrate an at- of the users, say A. Users A and B have similar platforms.
2 tackertoextractmeaningfulsignals. However,thisnoiseisnot Communication between A and B proceeds through the com-
8 inthecommunicationchannelbutitisrecordedbeforereaching municationportsofaPCwithaccesstotheInternet(Topportion
0 thechannel. ofFig.1). ThisPCworksastheinterfacewiththeexteriorand
0
Historically,cryptographyusingopticalnoisefromcoherent is isolated from the platform (Bottom of Fig. 1) by an air gap.
0
. states in a communication channel can be traced back to [1] Inotherwords,theplatformhasnodirectaccesstoorfromthe
1
and [2]. The first uses quantum demolition measurements and Internet. DataflowinandoutisdonethroughaDynamicmem-
0
6 quadraturemeasurementswhilethesecondusesdirectmeasure- ory conjugate with OR switches that only allow authenticated
1 ments with no need for phase references or quantum features andfixedsizepackets.
: besides the presence of optical noise. The methods and tech- The platform is roughly composed of two opto-electronic
v
i niques used are widely different. The use of the optical noise parts:1)AfastPhysicalRandomBitGenerator(PhRBG)and2)
X inthispaperhasarelationshiptotheoneoriginallyusedin[2], aNoiseGenerator.ThePhRBGdeliversbitstoaBitPoolwhere
r where fiber optics communication in a noisy channel blocked aPrivacyAmplification(PA)protocolisappliedandencryption
a
information leakage to an adversary. An initial shared infor- and decryption functions are performed. Description of these
mationonaM-rycodingprotocolusedbythelegitimateusers partswillbemadealongthepaper;theyareintertwinedintheir
allowedthemtoextractmoreinformationfromthechannelthan functionalitiesasassuchtheirunderstandingarenecessaryfora
the one obtained by the adversary. More recently that original fullcomprehensionoftheproposedsystem.APC-motherboard
idea was improved with a specific privacy amplification pro- (notdiscussedinthispaper)intheplatformperformseveralop-
tocol [3] while keeping the use of an optical communication erationsandprovideaccessfortheusers,includingagraphical
channel. interfaceforplatformcontrol.
Thepresentworkmergesmainideasoftheprotectiongiven Although this is a quite general system allowing privacy in
by the light’s noise in a protocol applied to wireless chan- communicationsonecouldmentionafewapplicationslikese-
nels. Seed ideas on the use of a wireless channels using cure communications for embassies or the secure transfer of
recordedphysicalnoisewereintroducedfrom2005to2007[4]. large volumes of patient data among medical centers and in-
This work brings those ideas of wireless channels secured by surancecompanies.
recordedopticalnoisetoapracticallevel. Italsoopensupthe
III. PHYSICALRANDOMBITGENERATOR
∗G.A.Barbosa,QuantaSec–ConsultingandProjectsinPhysicalCryptog-
The fast Physical Random Bit Generator (PhRBG) is of a
raphyLtd.,Av. Portugal1558,BeloHorizonteMG31550-000Brazil. E-mail:
GeraldoABarbosa@gmail.com novel type described in Ref. [5]. The PhRBG extract broad
2
to B Samplingtimeforacquisitionofthebitsignalsaresetmuch
shorter than the coherence time of the laser used. By doing
communication ports
A
sosamplingsoccurwithinafixedopticalphaseofthesampled
(wireless, ethernet)
photons.Thisleadstophotonnumberfluctuationsthataremax-
Dynamic imal:Althoughphaseandnumber(orphotonamplitude)arenot
PC (IP connected)
memory strictlyconjugatevariables,thereisanuncertaintyrelationship
fornumberandphase.
OR
“airgap”
switches The individual bit signals generated by the PhRBG around
time instants t will be designated by a and a sequence of a
i i i
KeyBITS platform
bya. Notationasometimesdesignatesasequenceofbitsorthe
random size of this sequence whenever this does no give rise to nota-
𝑥𝑥⊕𝑧𝑧
PhRBG bits BIT PO𝑎𝑎O𝑖𝑖−L1 tionalproblems.
(PA)
UserAwantstotransmitinasecurewaytheserandomabits
𝑧𝑧
+ touserB.
𝑎𝑎𝑖𝑖 𝑏𝑏𝑖𝑖 𝑥𝑥
𝐼𝐼2 +
A
BS NoiseGenerator 𝑉𝑉𝑖𝑖 𝑎𝑎𝑖𝑖+𝑏𝑏𝑖𝑖 laser detector G G classifier 𝑎𝑎𝑖𝑖−1
+ 𝑎𝑎𝑖𝑖+𝑏𝑏𝑖𝑖+𝑉𝑉𝑖𝑖 ADC +,- ( , ) BIT( PPAO)OL
BS𝐼𝐼1 𝑉𝑉+𝑉𝑉−
𝑧𝑧
Fig.1 𝐼𝐼0
PhRBG
EACHSTATION(AORB)ISPHYSICALLYCONTROLLEDBYEACHUSER
𝑎𝑎𝑖𝑖 + 𝑏𝑏𝑖𝑖
ANDISCOMPOSEDOFANIPCONNECTEDPCTHATEXCHANGE
COMMUNICATIONSBETWEENSTATIONS.THEPLATFORMHASNODIRECT 𝐼𝐼2=𝐼𝐼0−𝐼𝐼1
detector
CONNECTIONTOTHECOMMUNICATIONCHANNELS.DATAFLOWINAND G 𝑎𝑎𝑖𝑖+𝑏𝑏𝑖𝑖
BS ADC +
OUTFROMTHEPLATFORMTOTHECOMMUNICATIONPCISDONE Noise 𝑉𝑉𝑖𝑖
THROUGHADYNAMICMEMORYANDORSWITCHES.THISMEMORY Generator
CONTAINSINSTRUCTIONSONLYALLOWINGTRANSITOFAUTHENTICATED toB𝑎𝑎𝑖𝑖+𝑏𝑏𝑖𝑖+𝑉𝑉𝑖𝑖
PACKETSWITHFIXEDSIZE.THEPLATFORMCONTAINSTHEPHYSICAL
RANDOMBITGENERATOR(PHRBG),ABITPOOLANDANOISE Fig.2
GENERATORTOEFFICIENTLYMIMICTHEOPTICALSHOTNOISEOFA HARDWARETOGENERATERANDOMBITS(PHRBG),NOISEGENERATOR
NOISYOPTICALCOMMUNICATIONCHANNEL. ANDBITPOOLFORPRIVACYAMPLIFICATION.THEBITPOOLCONTAIN
MEMORIESANDAFPGA(FIELDPROGRAMMABLEGATEARRAY)TO
PERFORMFASTOPERATIONSLOCALLY.
bandwidth fluctuations (shot-noise) of a laser light beam and
delivers random voltage signals (V ,V ) –signals that can be
+ − AppendixAcommentsonthePhRBG.
expressedasrandombits–totheBitPool.
Fig.2providesmoredetails. LeftupperpartofFig.2shows IV. BITPOOLANDNOISEGENERATOR
the PhRBG. A laser beam excites a multi-photon detector and
Fig.2alsoshowsattherightuppersideaBitPoolwhereran-
thevoltageoutputpassthroughamplifiersGandananalog-to-
dom bits generated from the PhRBG are stored together with
digital (ADC) converter. The laser intensity I and the gain
1 bitsb thatwerealreadyacquiredandrecorded. Theinitialse-
G are adjusted to enhance the current from the noisy optical i
quence{b }istakenfromasecretsequencec ofsizec =ma
signalswellaboveelectronicnoises: 0 0 0
initiallysharedbetweenthelegitimateusers. TheBitPoolout-
puts signals b +a . Bits b act as a modulation or encryption
(∆I )2(cid:29)(∆I )2. (1) i i i
light electronic
signalstotherandombitsa . AfterapplicationofthePApro-
i
tocol a final distillation of z bits, over which the attacker has
It also necessary to work below the range where the ratio
no knowledge, will be available for encryption and decryption
noise/signal is too small. In terms of the number of photons
purposes. Afulldiscussionoftheseoperationsaremadeahead
n:
whendiscussingthephysicalmodulationofthesignalsandthe
(cid:112)
Noise ((cid:104)∆n(cid:105))2 1 PrivacyAmplificationprotocol.
= = →notsmall. (2)
(cid:112)
Signal (cid:104)n(cid:105) (cid:104)n(cid:105)
A. NoiseGeneratorandrecordedopticalshot-noise
Inotherwords,thedesiredsignalsareoptimizedopticalshot- Bottom part of Fig. 2 shows the Noise Generator. A laser
noisesignalsthatallowagoodnumberofdetectionlevelsfrom beamwithintensityI isdetected,amplifiedtoproduceoptical
2
anADC.Thestreamofdigitalizedfluctuatingsignalsareclas- shotnoiselimitedsignals. Thesesignalsaredigitalizedproduc-
sified within short time intervals in signals above the average ing a sequence of independent noise signals V ={V }. V is
N i i
valueasbit1signals(V )whilesignalsbelowtheaverageare added to the signals a +b giving a +b +V and sent to B.
+ i i i i i
identifiedasbit0signals(V ). The noise contribution V replaces the intrinsic optic noise in
− N
BARBOSA:AWIRELESSPHYSICALLYSECURE KEYDISTRIBUTIONSYSTEM 3
anopticalchannel. Themagnitudeandformatofthisnoisewill
beshownafterpresentingtheideaofM−rybases.
𝑎𝑎𝑀𝑀−1
The first modulation signal b is defined by m random bits
0
from c . In general the modulating random signal b can be 𝑎𝑎𝑖𝑖+1 𝑎𝑎𝑖𝑖+𝑏𝑏𝑖𝑖 +
0 i
seenasatransmissionbasisforai. Onemayaswellseebitsai 𝑉𝑉𝑚𝑚𝑚𝑚𝑚𝑚 𝑎𝑎𝑖𝑖 𝑎𝑎𝑖𝑖+𝑏𝑏𝑖𝑖 𝑉𝑉𝑁𝑁
asamessageandb asanencryptingsignal.Togenerateeachb , 𝑎𝑎𝑖𝑖−1
i i
oronenumberamongM,mbitsarenecessary(m=log M).
2 𝑎𝑎0
ItistobeunderstoodthattheM−rycodinginterleavesbits
in the sense that the same bit signal superposed to a basis b noiserange
k
(ADClevels)
representingabit1(or0)representstheoppositebit0(or1)in
1(or0)
aneighborbasisb orb .Forexample,seeFig.1in[3]for 𝜎𝜎𝑉𝑉
k−1 k+1 noiserange
aphysicalrepresentationoftheseinterleavedbitsintheoptical
𝑉𝑉𝑚𝑚𝑚𝑚𝑚𝑚
phasespace. Otherpossiblerealizationofdistinctneighboring >
2
levelswithdistinctbitscouldbemadewithlevelsseparatedby
smallphysicaldisplacementsdifferentfromphase, e.g. ampli- 0(or1) Fig.3
tude,asshowninFig.3.This,togetherwiththeaddednoiseVN TOP-THEPHYSICALAMPLITUDESIGNALREPRESENTINGAGIVENBASIS
donotallowtheattackertoobtainthebitai. biISADDEDTOTHESIGNALREPRESENTINGABITai.THEBASISSIGNAL
ISKNOWNTOUSERSAANDBBUTNOTTOTHEATTACKER.ASIGNALai
B. NoiseGeneratorandM−rybases ISTOBESEENASAGIVENBITINBASISbi(1OR0)BUTTHISSAME
AsshowninthebottomrightpartofFig.2arandomsignal SIGNALaiWILLBESEENASTHEOPPOSITEBIT(0OR1)WHENATTACHED
V is added to a +b , giving a +b +V to be sent to B. It TONEIGHBORINGBASESbi+1ORbi−1.THEREFOREEVENASMALL
i i i i i i
is emphasized that although the signal sent from A to B is de- NOISEViADDEDTOai+biDONOTALLOWANATTACKERTOKNOW
terministic, V is a recorded random noise that varies from bit WHICHBASESHAVEBEENUSED.HOWEVER,BOTHAANDBKNOWbi
i
tobit. Arecordedsignalisdeterministicbydefinitionbecause ANDTHUSTHEBITSENTaiCANBEEXTRACTED.PHYSICALLY,DISTINCT
it can be perfectly copied. However, this recorded noise is an MODULATIONVOLTAGESIGNALSMAYREPRESENTBITSANDBASES.
instanceofanunpredictableeventbynature. THEREAREM BASES;THEYCANBEASSUMEDSEPARATEDBYVmax/M.
ABIT1ANDABIT0CANBEASSUMEDPHYSICALLYSEPARATEDBY
In nature the noise intensity is continuous but the recorded
digitalized noise is distributed among the M levels supplied Vmax/2.VOLTAGESIGNALSCANBEASSUMEDCYCLICINTHESENSE
by an Analog to Digital Converter. This statistical distribution THATVmax+(cid:15)→(cid:15).BOTTOM-THEAMPLITUDEBETWEENASIGNALai
REPRESENTINGABITANDTHEOPPOSITEONEISGREATERTHANTHE
among M levels also has a characteristic deviation σ . This
V
NOISERANGE.ASVOLTAGEMODULATIONOFSIGNALSREPRESENTING1
willbediscussedahead.
AND0ARESEPARATEDBYVmax/2THISALLOWSAPRECISEBIT
ThenoisesignalV isderivedfromasplitbeamofintensity
i DETERMINATIONBYTHELEGITIMATEUSERS.ONTHECONTRARY,THE
I (seeleftbottompartofFig.2). Lightfromthisderivedbeam
2
ATTACKERSTRUGGLESUNSUCCESSFULLYWITHRESOLUTIONOF
excites a multi-photon detector, the output is amplified by G
NEIGHBOURINGLEVELS.
anddigitalized. AnextraamplifierGmaybeadjustedtolevels
compatibletothesignala +b .Inotherwords,theaddednoise
i i
mixpotentialbasesandbitssothattheattackercouldnotiden-
tifyeitherthebitorthebasissent. Fig.3sketchestheaddition 2)Aninstanceofauniversalhashfunctionf issentfromA
oftherandombasisb andtheaddednoiseV .Theattackerdoes toB.
i i
notknoweitherthebasisb neitherthenoiseV and,therefore, 3)Theprobabilityforinformationleakageofbitsobtainedby
i i
cannotdeducethebitsenta fromthetotalsignala +b +V . the attacker over the sequence sent is calculated (as indicated
i i i i
ahead), generating the parameter t (number of possibly leaked
V. PRIVACYAMPLIFICATIONANDFRESHBIT bits). In other words, from sequence {0,1}n the attacker may
GENERATIONBYAANDB capture{0,1}t.
ThePAprotocolincludesthefollowingsteps: Fromthen=
The Privacy Amplification process to be utilized was first
a+bbitsstoredintheBitPool,tbitsaredestroyed:
showninSectionIXofRef.[3];itutilizedtheformalismorigi-
nallydevelopedinRef.[6]. Inthepresentworkitisappliedto {0,1}n→{0,1}n−t. (3)
aclassicalcommunicationchannelinsteadofanoisyfiberoptic
channel.
Anextranumberofbitsλisreducedasasecurityparameter[6].
Briefly,thefollowingstepsareperformed: Thisreductioninbitnumbersisthen
1)TheBitPoolstartswiththebitsequenceofsizec =ms
0
(bitsbi)alreadysharedbyAandB.Asequenceaofbits, a= {0,1}n→{0,1}n−t→{0,1}n−t−λ (4)
{a },isgeneratedbythePhRBGandstoredintheBitPoolby
i
userA.ThesequenceaissentfromAtoBafterthepreparation where{0,1}n−t−λ isthefinalnumberofbits. Theinitialtotal
thataddbasesandnoise. Anumberofbitsa+maisusedfor amount of bits n in the Bit Pool was then reduced to r=n−
thetaskofcreatingbitsa andbasesb tobesentfromAtoB t−λ. Theseremainingbitsarethenfurtherrandomizedbythe
i i
as{a +b }. PA protocol [3]. The protocol establishes that the attacker has
i i
4
TABLEI
noinformationonthesereducedand“shuffled”numberofbits
r. PRIVACYAMPLIFICATIONPROTOCOLFORTHE
Thenumberrofbitscanberearrangedinsizesasfollows WIRELESSPLATFORM
PAprotocol
r =n−t−λ=(a+b)−t−λ=(a−t−λ)+b INITIALIZATION:AandBsharec0ofsizeandentropyms.
=(a−t−λ)+ma≡z+ma. (5) StationA
# ACTION OBJECTIVE
Thesequenceofsizez≡(a−t−λ)(seeoutputfromBitPool
in Fig. 2) will be used as fresh bits for encryption while the 1a ai=GetString(PhRBG) GetbitstringfromPhRBG
sequenceofsizemawillformthenewbases{b }forthenext 1b bi=ci−1[1,ms] Extractmsfrompoolforbasesb
roundof bitdistribution. Theprocesscan proceeidwithoutthe 1c Code&Send(ai,bi) Sendoverclassicalchannel
2 Sendf Sendinstanceofuniversalhashf
legitimate users having to meet or use a courier to refresh an
overclassicalchannel
initialsequencema. Otherroundsthenmayproceed.
ThePAtheory[6]saysthatafterreducingtheinitialnumber 3a ci=f(ci−1||ai) AappliesPAfromms+sbits
reducingthemtoms+s−t−λ
ofbitsfromn=a+ma(mainitiallysharedandafreshbits)to
r=n−t−λ,theamountofinformationthatmaybeacquired 3b zi= Ausess−t−λ
bytheattackerisgivenbytheMutualInformationI .Corollary ci[ms+1,ms+s−t−λ] bitsfrompoolasthekeystreamz.
λ
Theremainingmsbitsform
5 (pg. 1920) in Ref. [6], gives the information leaked to the
thebasesfornextround.
attacker:
StationB
1 1
I = = . (6) 1a nomatchingsteptoA’s
λ ln2×2λ ln2×2n−t−r
1b bi=ci−1[1,ms] Getbasesbitsfrominitialpoolvalue
A. Protocolsteps 1c ai=Receive&Decode(bi) Receivebitsfromclassicalchannel
2 Receivef receiveinstanceofuniversalhashf
Table I list all steps of the protocol. The basis assigned for
eachbitsentuseslog M toencodeitandtheprocessiscontin- 3a ci=f(ci−1||ai) BappliesPAfromms+sbits
2 reducingthemtoms+s−t−λ
uouslysustainedinroundsofsbits,inanunlimitedway. This
procedurehasbeenshowntobeveryfastinhardware. 3b zi= Busess−t−λ
ci[ms+1,ms+s−t−λ] bitsfrompoolasthekeystreamz.
Theremainingmsbitsform
AandBusetheprotocolsinaconcertedmannerandextract
thebasesfornextround.
asequencez ofbitsoverwhichtheattackerhasnoknowledge.
One should recall that the communication channel is classical
andthesignalscontainrecordedopticalnoisemodulatingeach
thisspanmustbelargeenoughtocoveragoodnumberofbases
bitsent. AteveryroundAandBknowthebasisusedandthey
so that the attacker cannot resolve the basis b when a bit a
i i
usethistotheiradvantagesothatthenoiseV doesnotdisturb
N is sent. The actual optical noise has a continuous span but the
identificationofa . AsecuredistilledstreamofbitsfromAis
i recorded region is set by digitalized levels of the ADC used.
transferredtoB.
Setting the spacing of signals for bases similar to the spacing
The protocols proceeds to other similar runs. After n runs,
V /M of recorded noise levels, one could set the digitalized
AliceandBobsharenzbits. max
noisedeviation,byadjustingthegainG,suchthat
VI. LEAKAGEPROBABILITYANDMUTUALINFORMATION
V /M (cid:28)σ (cid:28)V . (8)
I max V max
λ
CalculationofthemutualinformationI thatisdirectlycon- Thisconditioncanbemappedtothesameformalismutilized
λ
nectedtotheprobabilityforanattackertoextractusefulinfor- in the POVM (Positive Operator Valued Measure) calculation
mationsentfromAtoB.Itdependsontheparametert(number developed in [2] and from which the leakage bit probability t
ofpossiblyleakedbitsinasequencesent). can be obtained. One may write the probability for indistin-
Inthewirelessschemethenumberoflevelsusedasbasesde- guishabilitybetweentwolevelsseparatedby∆k,as
pendsonthedigitalhardwareutilized(8bitsresolution→M =
256, 10 bits resolution → M = 1024 and so on). This con- P∆k=e−|α4|2(cid:0)VV∆makx(cid:1)2 =e−|α4|2(∆Mk2)2 ≡e−2(∆σkk2)2 . (9)
verter sets the maximum number of levels M. Voltage signals
Vk,(k =0,1,2...M) will represent these bases and to alter- Theexpecteddeviationσk inthenumberoflevelsis
natebitsinnearbybasesonemaychosebasesbyvoltagevalues
(cid:115)
givenby 2
σ = M, (10)
(cid:20) k 1−(−1)k(cid:21) k (cid:104)n(cid:105)
V =V + . (7)
k max M 2
where(cid:104)n(cid:105)=|α|2andαisthecoherentamplitudeofalaser.
At the same time, as voltage signals V representing Calculation of the probability of error P for an attacker to
N e
recordedopticalnoisewillbeaddedtothesevalues,theseval- obtainabitsentfollowswhatwasdonein[2]. Fig.4exempli-
uesshouldhaveaspansmallerthanV (seeFig.3). However, fies these errors for a set of M values (number of bases) and
max
BARBOSA:AWIRELESSPHYSICALLYSECURE KEYDISTRIBUTIONSYSTEM 5
The current rack holding the PhRBG can be reduced to a
smallsizewithoutputdirectlycoupledtoasmartphone. This
canprovidetruesecurecommunications(bit-to-bitencryption)
𝑛 ≡ ∝2=10 between cellular telephone users as another application exam-
𝑛 =100 ple. Itisalsousefultocalltheattentiontothereaderthatade-
centralized protocol for bit-by-bit encryption for N−users ex-
𝑛 =1000
ists[7].Underthisprotocol,onceN usersacquirealongstream
𝑛 =10000
ofrandombitsfromthePhRBG,theycanexchangesecurein-
formation among them without any need to contact a central
stationtosynchronizetheirbitstreams.
BothSecureDataandVoiceOverInternet(VOIP)canbeim-
plemented. Itshouldbeemphasizedthatitisimportantthatthe
keystoragemustbekept“outside”ofthemobiledeviceandthat
Fig.4
theflowofinformationfromthekeygenerationandencrypting
PROBABILITYOFERRORFORANATTACKERONABITASAFUNCTIONOF
unit to the device connected to the Internet should be strictly
THENUMBERM OFBASESUSEDANDTHEAVERAGENUMBEROF
controlled.
PHOTONS(cid:104)n(cid:105)CARRYINGABIT.
Othersteps,morecostly,canproduceanASIC(Application
SpecificIntegratedCircuit)toreducethesystemtoachipsize
device.
number(cid:104)n(cid:105)ofphotonsdetected. Forasequenceofsbitssent Another possible application example for the platform is to
the parameter t (bit information leaked in s) in Eq. 6 will be feedaSoftware-Defined-Radio(SDR)withcryptographickeys
t=(0.5−P )×s.Withtcalculatedandthesafetyparameterλ for bit-by-bit encryption/decryption capabilities. This could
e
defined,theprobabilityforinformationthatcouldbeleakedto bring absolute security for Data and Voice communications
theattackeriscalculated. Itcanbeshown[2]thatt∼10−4can throughSDR.
be easily obtained; therefore with a sequence os s=106 bits
sent,thisgivest∼102. VIII. CONCLUSIONS
Fig.5exemplifiesthePAeffectby(log I )(seeEq.6)asa
10 λ It was shown how to achieve wireless secure communica-
functionofr,(0,1)n→(0,1)r,andt,numberofbitsleakedto
tion at fast speeds with bit-to-bit symmetric encryption. The
theattacker.
hardware requirements was described and it was shown how
tocalculatethesecuritylevelassociatedtothecommunication.
Miniaturization steps may allow easy coupling to mobile de-
vices. The key storage have to be under control of the legit-
imate users and no key should ever be stored where a hacker
could have command/control of the system. A correct imple-
mented system would offer privacy at top-secret level for the
users. Furthermore, the correct choice of parameters creates a
post-quantumsecurityprivacy.
APPENDIX
A. PLATFORM-RACKIMPLEMENTATION
Fig.5 ThePhRBG,withintheplatform,isseenasarackimplemen-
log10OFTHEMUTUALINFORMATIONIλLEAKEDTOTHEATTACKER tationinFig.6andsomedetailsinFig.7.Adetaileddescription
AFTERPRIVACYAMPLIFICATIONISAPPLIED.INTHISEXAMPLE106BITS ofthePhRBGwillbepublishedelsewhere[8]. Justabriefde-
ARESENT.tGIVESTHENUMBEROFBITSLEAKEDTOTHEATTACKER scriptionispresentedhere.
BEFOREPAISAPPLIEDANDrISTHEDISTILLEDORUSEFULREMAINING ThePhRBGisanopto-electronicdevicedesignedtogenerate
BITS. bitscontinuouslytosupplyanydemandforbitsathighspeeds.
The physical principle involved, quantum vacuum fluctuations
thatproducetheopticalshot-noise,isnotbandwidthlimitedand
thedevicespeedcanbeadaptedtoallelectronicimprovements.
VII. OTHERAPPLICATIONEXAMPLES
Amongthedifferenceswithotherquantumrandombitgenera-
Above sections described the basic parts of the platform for tors the presented device has no need for interferometry and a
securecommunications. single detector is used. This gives a time stable operation for
The use of a FPGA (Field Programmable Gated Array) and thesystem.
memoryallowfunctionslikebitstorageandencryptionandper- The PhRBG was currently implemented with off-the-shelf
formthe“BitPool”functionsnecessary. Customtailoredappli- components including low cost amplifiers (See G in Fig. 1).
cations can also be programmed under this fast hardware pro- These amplifiers have a frequency dependent gain profile (a
cessing. monotonoushighgainatlowfrequencies)thatintroducesalow
6
frequency bias in the bit generation. To compensate for this
biaswithoutincreasingcostsaLinearFeedbackShiftRegister
(LFSR)isusedinserieswiththebitoutputtoproduceanextra
randomization.Thisbreaks–theexpectedlymorerare–longse-
quencesofrepeatedbits.Thisprocessdoesnotreducethespeed
ofthePhRBG.
The currently implemented PhRBG works at ∼2.0 Gbit/sec
and passes all randomness tests to which it was submitted, in-
cludingtheNISTsuitedescribedin“NIST’sSpecialPublication
800 - A Statistical Test Suite for Random and Pseudorandom
NumberGeneratorsforCryptographicApplications”. Besides
Fig.8
PLOTOFRELATIVEFOURIERAMPLITUDESAν ASAFUNCTIONOFTHE
FREQUENCYν.TRANSFORMING(0,1)SEQUENCESONTO(−1,1)
FPGA
ADC SEQUENCESALLOWSEASYFOURIERSPECTRUMANALYSISTHATSHOW
Detectorand
amplification THE“WHITE-NOISE”CHARACTEROFTHEOUTPUTSIGNALS.
PC –motherboard
hard drive
150000
1
f
o
es100000
c
n
Fig.6 re
r
u
ATOPVIEWWITHSOMECOMPONENTSOFTHEPLATFORM.THELASER, Occ 50000
DETECTOR,AMPLIFIERANDHARDDRIVEAREATTHERIGHTSIDEOFTHE
RACK.THEADCTHATFORMATANALOGSIGNALSFROMTHEOPTICAL
0
AMPLIFICATIONISCONNECTEDTOTHEFPGAFORPROCESSING.A 5 10 15 20
PC-MOTHERBOARDPROVIDESMANAGEMENTOFSEVERALFUNCTIONS Number of 1s in pattern
INCLUDINGAFRIENDLYGRAPHICALINTERFACEFORTHEUSER. Fig.9
HISTOGRAMOF1S.DOTSAREOBTAINEDFROM1,277,874BITS
OBTAINEDANDTHESOLIDLINEISTHEFITTOc=319018±356AND
(cid:15)=−0.003±0.003.
laser
Therawdata[9]forthehistogramsaregivenbylistsL and
1
L :
0
fibers,
opticalisolator, L1={{1,159676},{2,79651},{3,40253},{4,20017},{5,9864},
attenuator {6,4960},{7,2567},{8,1239},{9,623},{10,313},{11,156},
{12,59},{13,37},{14,21},{15,9},{16,8},{17,3},{18,4},
{19,1},{20,0},{21,0}} (12)
Fig.7 L0={{1,159805},{2,79964},{3,39766},{4,20021},{5,9892},
DETAILOFTHELASERLOCATION,OPTICALISOLATORANDATTENUATOR. {6,4962},{7,2488},{8,1306},{9,630},{10,336},{11,148},
{12,71},{13,42},{14,10},{15,11},{16,6},{17,2},{18,0},
{19,1},{20,1},{21,1}}. (13)
passingconventionalrandomnesstests,somevisualinformation
conveys the same idea. Fig. 8 shows amplitudes of a Fourier
Oneshouldobservethatthedeviationparameter(cid:15)isexponen-
analysisofabitstreamrevealingthewhitespectrumcharacter
tially small, giving an estimate of the randomness associated
ofthegeneratedbits. Figs.9and10showdataandtheexpected
withthegeneratedbits.
occurrenceofrandombitsforadistributionwheretheprobabil-
ity to occur 0 or 1s are equal, p=1/2. It is expected that the REFERENCES
probabilitytooccurasequenceofkidenticalbits(either0or1)
[1] F.GrosshansandP.Grangier,Phys.Rev.Lett.88,057902(2002).
isp(k)=1/2k. Ifonechangesbasis2tobasis“e”onewrites [2] G.A.Barbosa,PhysicalReviewA68,052307(2003).
[3] G.A.BarbosaandJ.vandeGraaf,Enigma-BrazilianJournalofInforma-
1
p(k)= =e−kln2(cid:39)e−0.693147k. (11) tionSecurityandCryptography,Vol.1,No.2,16(2015)
2k [4] G.A.Barbosa,arXiv:quant-ph/0510011v216Nov2005andarXiv:quant-
ph/0705.2243v217May2007.
DatainFigs.9and10werefittedtop(n)=ce−an=celn21−(cid:15)n, [5] G. A. Barbosa, Enigma - Brazilian Journal of Information Security and
where(cid:15)willindicateadepartfromthedistributionp(k)=1/2k. Cryptography,Vol.1,No.1,47(2014).
[6] C.H.Bennett,G.Brassard,C.Crepeau,U.M.Maurer,IEEETransactions
onInformationTheory41,1915(1995)
BARBOSA:AWIRELESSPHYSICALLYSECURE KEYDISTRIBUTIONSYSTEM 7
150000
0
f
o100000
s
e
c
n
e
r50000
r
u
c
c
O
0
5 10 15 20
Number of 0s in pattern
Fig.10
HISTOGRAMOF0S.DOTSAREOBTAINEDFROM1,277,874BITS
OBTAINEDANDTHESOLIDLINEISTHEFITTOc=319880±193AND
(cid:15)=−0.003±0.002.
[7] JeroenvandeGraaf,DecentralizedmanagementofOne-TimePadkeyma-
terialforagroup,XIVSimpo´sioBrasileiroemSeguranadaInformac¸a˜oe
deSistemasComputacionais SBSeg2014-Brazil.
[8] The PhRBG implementation was carried out by a team from Universi-
dade Federal de Minas Gerais and QuantaSEC Consulting, Projects and
ResearchinPhysicalCryptographyLtd.withsupportfromMiniste´rioda
Cieˆncia, TecnologiaeInovac¸a˜o(MCTI)-Finep(0276/12)-Fundep(19658)-
ComandodoExe´rcito(DCT)-RENASIC.
[9] RENASICReports: KeyBITSReport3(UniversidadeFederaldeMinas
GeraisandQuantaSEC).
