A wireless physically secure key distribution system

A secure key distribution protocol protected by light's noise was introduced in 2003 [Phys. Rev. A 68, 052307 (2003)]. That protocol utilized the shot noise of light present in the optical channel (e.g., an optical fiber) to restrict information leaks to an adversary. Initial information shared between the legitimate users allowed them to extract more information from the channel than the adversary could obtain. That original paper recognized the need for a privacy amplification step, but no specific protocol was presented. More recently, that original idea was improved with a specific privacy amplification protocol [arXiv:1406.1543v2 [cs.CR] 8 Jul 2015] while keeping the use of an optical communication channel. This work merges the main ideas of the protection given by the light's noise into a protocol applied to wireless channels. The use of wireless channels together with recorded physical noise was introduced from 2005 to 2007 (see, e.g., arXiv:quant-ph/0510011 v2 16 Nov 2005 and arXiv:0705.2243v2 [quant-ph] 17 May 2007). This work improves those embryonic ideas of wireless channels secured by recorded optical noise. The wireless variation eliminates the need for specific optical channels and opens up the possibility of applying the technique to mobile devices. This work introduces this new scheme and calculates the associated security level.


I. INTRODUCTION
A fast and secure key distribution system is presented to operate in generic communication channels, including wireless channels. The transmitted signals are deterministic (or perfectly copied) but include continuously recorded random noise that frustrates an attacker's attempts to obtain useful information. This noise affects the attacker but not the legitimate users, who share an initial secret bit sequence $c_0$. The legitimate users will end up with a continuous supply of fresh keys that can be used even to encrypt information bit-to-bit in large volumes and at fast rates.
The wireless key distribution system discussed in this work uses the intrinsic light noise of a laser beam to frustrate an attacker's attempts to extract meaningful signals. However, this noise is not in the communication channel; it is recorded before reaching the channel.
Historically, cryptography using optical noise from coherent states in a communication channel can be traced back to [1] and [2]. The first uses quantum demolition measurements and quadrature measurements, while the second uses direct measurements with no need for phase references or quantum features besides the presence of optical noise. The methods and techniques used are widely different. The use of the optical noise in this paper is related to the one originally used in [2], where fiber optics communication in a noisy channel blocked information leakage to an adversary. Initial shared information on an $M$-ry coding protocol used by the legitimate users allowed them to extract more information from the channel than the adversary could obtain. More recently, that original idea was improved with a specific privacy amplification protocol [3] while keeping the use of an optical communication channel.
The present work merges the main ideas of the protection given by the light's noise into a protocol applied to wireless channels. Seed ideas on the use of wireless channels with recorded physical noise were introduced from 2005 to 2007 [4]. This work brings those ideas of wireless channels secured by recorded optical noise to a practical level. It also opens up the possibility of immediate application of the technique to mobile devices. This new scheme is detailed and the associated security level is calculated. This system performs one-time-pad encryption with the securely distributed keys.
Symmetric keys with end-to-end encryption, where keys are kept secret by the users, may provide perfectly secure communication for companies. Government distribution of keys for their users could guarantee secure communication among users as well as provide tools to access necessary exchanged information whenever a strong need exists. In the same way, companies that distribute keys for their users could comply with legal requirements such as the All Writs Act (AWA), as long as their key repositories are kept under control.
A step-by-step description of this system is given throughout this paper. The key distribution system not only generates and distributes cryptographic keys but also provides functions like encryption and decryption between users (or "stations") A and B: It is a platform for secure communications. Fig. 1 shows a block diagram of this platform for one of the users, say A. Users A and B have similar platforms. Communication between A and B proceeds through the communication ports of a PC with access to the Internet (top portion of Fig. 1). This PC works as the interface with the exterior and is isolated from the platform (bottom of Fig. 1) by an air gap. In other words, the platform has no direct access to or from the Internet. Data flow in and out is done through a Dynamic memory conjugate with OR switches that only allow authenticated and fixed-size packets.

II. PLATFORM FOR SECURE COMMUNICATIONS
The platform is roughly composed of two opto-electronic parts: 1) a fast Physical Random Bit Generator (PhRBG) and 2) a Noise Generator. The PhRBG delivers bits to a Bit Pool where a Privacy Amplification (PA) protocol is applied and encryption and decryption functions are performed. These parts are described throughout the paper; they are intertwined in their functionalities, and as such understanding them is necessary for a full comprehension of the proposed system. A PC motherboard (not discussed in this paper) in the platform performs several operations and provides access for the users, including a graphical interface for platform control.
Although this is a quite general system allowing privacy in communications one could mention a few applications like secure communications for embassies or the secure transfer of large volumes of patient data among medical centers and insurance companies.

III. PHYSICAL RANDOM BIT GENERATOR
The fast Physical Random Bit Generator (PhRBG) is of a novel type described in Ref. [ bandwidth fluctuations (shot-noise) of a laser light beam and delivers random voltage signals $(V_+, V_-)$, signals that can be expressed as random bits, to the Bit Pool. Fig. 2 provides more details. The upper left part of Fig. 2 shows the PhRBG. A laser beam excites a multi-photon detector, and the voltage output passes through amplifiers $G$ and an analog-to-digital converter (ADC). The laser intensity $I_1$ and the gain $G$ are adjusted to enhance the current from the noisy optical signals well above electronic noises: It is also necessary to work below the range where the ratio noise/signal is too small. In terms of the number of photons $n$: In other words, the desired signals are optimized optical shot-noise signals that allow a good number of detection levels from an ADC. The stream of digitalized fluctuating signals is classified within short time intervals: signals above the average value are identified as bit 1 signals ($V_+$), while signals below the average are identified as bit 0 signals ($V_-$).
The sampling time for acquisition of the bit signals is set much shorter than the coherence time of the laser used. By doing so, samplings occur within a fixed optical phase of the sampled photons. This leads to photon number fluctuations that are maximal: Although phase and number (or photon amplitude) are not strictly conjugate variables, there is an uncertainty relationship for number and phase.
The individual bit signals generated by the PhRBG around time instants $t_i$ will be designated by $a_i$ and a sequence of $a_i$ by $a$. The notation $a$ sometimes designates a sequence of bits or the size of this sequence whenever this does not give rise to notational problems.
User A wants to securely transmit these random bits $a$ to user B. Appendix A comments on the PhRBG.

IV. BIT POOL AND NOISE GENERATOR
Fig. 2 also shows, at the upper right side, a Bit Pool where random bits generated from the PhRBG are stored together with bits $b_i$ that were already acquired and recorded. The initial sequence $\{b_0\}$ is taken from a secret sequence $c_0$ of size $c_0 = ma$ initially shared between the legitimate users. The Bit Pool outputs signals $b_i + a_i$. Bits $b_i$ act as modulation or encryption signals for the random bits $a_i$. After application of the PA protocol, a final distillation of $z$ bits, over which the attacker has no knowledge, will be available for encryption and decryption purposes. A full discussion of these operations is given below when discussing the physical modulation of the signals and the Privacy Amplification protocol.

A. Noise Generator and recorded optical shot-noise
The bottom part of Fig. 2 shows the Noise Generator. A laser beam with intensity $I_2$ is detected and amplified to produce optical shot-noise-limited signals. These signals are digitalized producing a sequence of independent noise signals The noise contribution $V_N$ replaces the intrinsic optical noise in an optical channel. The magnitude and format of this noise will be shown after presenting the idea of $M$-ry bases.
The first modulation signal $b_0$ is defined by $m$ random bits from $c_0$. In general, the modulating random signal $b_i$ can be seen as a transmission basis for $a_i$. One may as well see bits $a_i$ as a message and $b_i$ as an encrypting signal. To generate each $b_i$, or one number among $M$, $m$ bits are necessary ($m = \log_2 M$).
It is to be understood that the $M$-ry coding interleaves bits in the sense that the same bit signal superposed on a basis $b_k$ representing a bit 1 (or 0) represents the opposite bit 0 (or 1) in a neighbor basis $b_{k-1}$ or $b_{k+1}$. For example, see Fig. 1 in [3] for a physical representation of these interleaved bits in the optical phase space. Another possible realization of distinct neighboring levels with distinct bits could be made with levels separated by small physical displacements different from phase, e.g. amplitude, as shown in Fig. 3. This, together with the added noise $V_N$, does not allow the attacker to obtain the bit $a_i$.

B. Noise Generator and $M$-ry bases
As shown in the bottom right part of Fig. 2 It is emphasized that although the signal sent from A to B is deterministic, $V_i$ is a recorded random noise that varies from bit to bit. A recorded signal is deterministic by definition because it can be perfectly copied. However, this recorded noise is an instance of an event that is unpredictable by nature.
In nature the noise intensity is continuous, but the recorded digitalized noise is distributed among the $M$ levels supplied by an analog-to-digital converter. This statistical distribution among $M$ levels also has a characteristic deviation $\sigma_V$. This will be discussed below.
The noise signal $V_i$ is derived from a split beam of intensity $I_2$ (see bottom left part of Fig. 2). Light from this derived beam excites a multi-photon detector, and the output is amplified by $G$ and digitalized. An extra amplifier $G$ may be adjusted to levels compatible with the signal $a_i + b_i$. In other words, the added noise mixes potential bases and bits so that the attacker cannot identify either the bit or the basis sent. Fig. 3 sketches the addition of the random basis $b_i$ and the added noise $V_i$. The attacker knows neither the basis $b_i$ nor the noise $V_i$ and, therefore, cannot deduce the bit sent $a_i$ from the total signal $a_i + b_i + V_i$.
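The effect described in this section can be checked numerically. The following simulation is an added example, not code from the paper; the level mapping in `encode` (basis $b$ owns levels $b$ and $b+M$, with the carried bit alternating between neighboring bases), the Gaussian noise model and the noise deviations used are assumptions made for illustration.

```python
import random

M = 256  # number of bases: 8-bit ADC resolution, as quoted in the text


def encode(a, b):
    """Level index (0 .. 2M-1) for bit a sent on basis b.

    Assumed mapping: basis b owns the two levels b and b + M, and the bit
    carried by level b alternates with b, so neighboring bases carry
    opposite bits for the same physical level position.
    """
    return b + M * (a ^ (b & 1))


def decode_with_basis(y, b):
    """Station B: knowing b, pick the closer of the far-apart levels b, b+M."""
    upper = abs(y - (b + M)) < abs(y - b)
    return (b & 1) ^ int(upper)


def decode_without_basis(y):
    """Attacker: must resolve the exact level to learn basis parity and bit."""
    level = min(max(round(y), 0), 2 * M - 1)
    return (level & 1) ^ int(level >= M)


def simulate(n_bits, sigma, seed=1):
    """Return (error rate of B, error rate of attacker) for noise deviation
    sigma, expressed in units of the spacing between neighboring levels."""
    rng = random.Random(seed)
    err_b = err_e = 0
    for _ in range(n_bits):
        a = rng.getrandbits(1)      # fresh bit a_i (stand-in for the PhRBG)
        b = rng.randrange(M)        # basis b_i, known to A and B only
        v = rng.gauss(0.0, sigma)   # recorded noise V_i (assumed Gaussian)
        y = encode(a, b) + v        # transmitted signal a_i + b_i + V_i
        err_b += decode_with_basis(y, b) != a
        err_e += decode_without_basis(y) != a
    return err_b / n_bits, err_e / n_bits


if __name__ == "__main__":
    for sigma in (0.1, 8.0):        # noise below / well above the level spacing
        b_err, e_err = simulate(20000, sigma)
        print(f"sigma={sigma}: B error={b_err:.3f}, attacker error={e_err:.3f}")
```

With noise spanning several levels the attacker's guess is close to a coin flip, while B, who only has to separate two levels $M$ apart, is unaffected; with noise far below the level spacing the attacker reads the bit directly.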

V. PRIVACY AMPLIFICATION AND FRESH BIT GENERATION BY A AND B
The Privacy Amplification process to be utilized was first shown in Section IX of Ref. [3]; it utilized the formalism originally developed in Ref. [6]. In the present work it is applied to a classical communication channel instead of a noisy fiber optic channel.
Briefly, the following steps are performed:
1) The Bit Pool starts with the bit sequence of size $c_0 = ms$ (bits $b_i$) already shared by A and B. A sequence $a$ of bits, $a = \{a_i\}$, is generated by the PhRBG and stored in the Bit Pool by user A. The sequence $a$ is sent from A to B after the preparation that adds bases and noise. A number of bits $a + ma$ is used for the task of creating bits $a_i$ and bases $b_i$ to be sent from A to B as $\{a_i + b_i\}$.
2) An instance of a universal hash function $f$ is sent from A to B.
3) The probability for information leakage of bits obtained by the attacker over the sequence sent is calculated (as indicated below), generating the parameter $t$ (number of possibly leaked bits). In other words, from sequence $\{0, 1\}^n$ the attacker may capture $\{0, 1\}^t$.
The PA protocol includes the following steps: From the $n = a + b$ bits stored in the Bit Pool, $t$ bits are destroyed: An extra number of bits $\lambda$ is reduced as a security parameter [6]. This reduction in bit numbers is then where $\{0, 1\}^{n-t-\lambda}$ is the final number of bits. The initial total amount of bits $n$ in the Bit Pool was then reduced to $r = n - t - \lambda$. These remaining bits are then further randomized by the PA protocol [3]. The protocol establishes that the attacker has no information on these reduced and "shuffled" number of bits $r$.
The number $r$ of bits can be rearranged in sizes as follows The sequence of size $z \equiv (a - t - \lambda)$ (see output from Bit Pool in Fig. 2) will be used as fresh bits for encryption, while the sequence of size $ma$ will form the new bases $\{b_i\}$ for the next round of bit distribution. The process can proceed without the legitimate users having to meet or use a courier to refresh an initial sequence $ma$. Other rounds then may proceed. The PA theory [6] says that after reducing the initial number of bits from $n = a + ma$ ($ma$ initially shared and $a$ fresh bits) to $r = n - t - \lambda$, the amount of information that may be acquired by the attacker is given by the Mutual Information $I_\lambda$. Corollary 5 (pg. 1920) in Ref. [6] gives the information leaked to the attacker:

A. Protocol steps
Table I lists all steps of the protocol. The basis assigned for each bit sent uses $\log_2 M$ bits to encode it, and the process is continuously sustained in rounds of $s$ bits, in an unlimited way. This procedure has been shown to be very fast in hardware.
A and B use the protocols in a concerted manner and extract a sequence $z$ of bits over which the attacker has no knowledge. One should recall that the communication channel is classical and the signals contain recorded optical noise modulating each bit sent. At every round A and B know the basis used and they use this to their advantage so that the noise $V_N$ does not disturb identification of $a_i$. A secure distilled stream of bits from A is transferred to B.
The protocol proceeds to other similar runs. After $n$ runs, Alice and Bob share $nz$ bits.
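The bit accounting of one round ($n = a + ma$ pool bits reduced to $r = n - t - \lambda$, then split into $z = a - t - \lambda$ key bits and $ma$ bases bits) can be followed in code. This is an added example, not the paper's or the platform's implementation: the hash family (a binary matrix constant along its diagonals, i.e. Toeplitz-type), the sample parameters, and the form $2^{-\lambda}/\ln 2$ used in `leak_bound` for the leakage bound cited from Ref. [6] are assumptions.

```python
import math
import secrets


def toeplitz_hash(x, n, r, seed):
    """Map the n-bit integer x to r bits with a binary matrix that is constant
    along its diagonals, defined by the (n + r - 1)-bit integer seed.
    Output bit i is the GF(2) inner product of x with seed bits i .. i+n-1.
    Assumed choice of universal hash family; the page does not name one."""
    mask = (1 << n) - 1
    out = 0
    for i in range(r):
        row = (seed >> i) & mask
        out |= (bin(row & x).count("1") & 1) << i
    return out


def pa_round(pool, a, m, t, lam, seed):
    """One round: n = a + m*a pool bits -> r = n - t - lam distilled bits,
    split into z = a - t - lam key bits and m*a bases bits for the next round.
    Returns (key, z, bases)."""
    n = a + m * a
    r = n - t - lam
    z = a - t - lam
    if z <= 0:
        raise ValueError("t + lambda must be smaller than a")
    h = toeplitz_hash(pool, n, r, seed)
    key = h & ((1 << z) - 1)   # fresh key stream z
    bases = h >> z             # m*a bits: bases b_i for the next round
    return key, z, bases


def leak_bound(lam):
    """Assumed bound (in bits) on the attacker's expected information about
    the distilled bits when lam extra bits are sacrificed."""
    return 2.0 ** (-lam) / math.log(2)


if __name__ == "__main__":
    a, m, t, lam = 64, 8, 4, 20          # constructed sample parameters
    n = a + m * a
    r = n - t - lam
    pool = secrets.randbits(n)           # stand-in for the Bit Pool contents
    seed = secrets.randbits(n + r - 1)   # hash instance sent from A to B
    key_a, z, bases_a = pa_round(pool, a, m, t, lam, seed)   # station A
    key_b, _, bases_b = pa_round(pool, a, m, t, lam, seed)   # station B
    assert (key_a, bases_a) == (key_b, bases_b)
    print(f"n={n} r={r} z={z} next-round bases bits={m * a} "
          f"leak bound={leak_bound(lam):.2e} bits")
```

Because the hash instance travels in the clear, the security of the round rests on the estimate of $t$ and the choice of $\lambda$, not on hiding `seed`.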

VI. LEAKAGE PROBABILITY AND MUTUAL INFORMATION $I_\lambda$
The mutual information $I_\lambda$ is directly connected to the probability for an attacker to extract useful information sent from A to B. It depends on the parameter $t$ (number of possibly leaked bits in a sequence sent).
In the wireless scheme the number of levels used as bases depends on the digital hardware utilized (8 bits resolution → $M = 256$, 10 bits resolution → $M = 1024$, and so on). This converter sets the maximum number of levels $M$. Voltage signals $V_k$ $(k = 0, 1, 2, \ldots, M)$ will represent these bases, and to alternate bits in nearby bases one may choose bases by voltage values given by At the same time, as voltage signals $V_N$ representing recorded optical noise will be added to these values, these values should have a span smaller than $V_{\max}$ (see Fig. 3). However, this span must be large enough to cover a good number of bases so that the attacker cannot resolve the basis $b_i$ when a bit $a_i$ is sent. The actual optical noise has a continuous span, but the recorded region is set by digitalized levels of the ADC used. Setting the spacing of signals for bases similar to the spacing $V_{\max}/M$ of recorded noise levels, one could set the digitalized noise deviation, by adjusting the gain $G$, such that This condition can be mapped to the same formalism utilized in the POVM (Positive Operator Valued Measure) calculation developed in [2] and from which the leakage bit probability $t$ can be obtained. One may write the probability for indistinguishability between two levels separated by $\Delta k$, as The expected deviation $\sigma_k$ in the number of levels is where $n = |\alpha|^2$ and $\alpha$ is the coherent amplitude of a laser. Calculation of the probability of error $P_e$ for an attacker to obtain a bit sent follows what was done in [2]. Fig. 4 exemplifies these errors for a set of $M$ values (number of bases) and number $n$ of photons detected. For a sequence of $s$ bits sent, the parameter $t$ (bit information leaked in $s$) in Eq. 6 will be $t = (0.5 - P_e) \times s$. With $t$ calculated and the safety parameter $\lambda$ defined, the probability for information that could be leaked to the attacker is calculated. It can be shown [2] that $t \sim 10^{-4}$ can be easily obtained; therefore with a sequence of $s = 10^6$ bits sent, this gives $t \sim 10^2$. Fig. 5 exemplifies the PA effect by $\log_{10} I_\lambda$ (see Eq. 6) as a function of $r$, $(0, 1)^n \to (0, 1)^r$, and $t$, the number of bits leaked to the attacker.

[Table I, fragment]
bits from pool as the key stream $z$. The remaining $ms$ bits form the bases for next round.
Station B
1a no matching step to A's
1b $b_i = c_{i-1}[1, ms]$ Get bases bits from initial pool value
1c bits from pool as the key stream $z$. The remaining $ms$ bits form the bases for next round.

VII. OTHER APPLICATION EXAMPLES
The sections above described the basic parts of the platform for secure communications.
The use of an FPGA (Field Programmable Gate Array) and memory allows functions like bit storage and encryption and performs the necessary "Bit Pool" functions. Custom-tailored applications can also be programmed under this fast hardware processing.
The current rack holding the PhRBG can be reduced to a small size with output directly coupled to a smart phone. This can provide true secure communications (bit-to-bit encryption) between cellular telephone users as another application example. It is also useful to call the reader's attention to the fact that a decentralized protocol for bit-by-bit encryption for $N$ users exists [7]. Under this protocol, once $N$ users acquire a long stream of random bits from the PhRBG, they can exchange secure information among them without any need to contact a central station to synchronize their bit streams.
Both Secure Data and Voice Over Internet (VOIP) can be implemented. It should be emphasized that it is important that the key storage must be kept "outside" of the mobile device and that the flow of information from the key generation and encrypting unit to the device connected to the Internet should be strictly controlled.
Other steps, more costly, can produce an ASIC (Application Specific Integrated Circuit) to reduce the system to a chip size device.
Another possible application example for the platform is to feed a Software-Defined-Radio (SDR) with cryptographic keys for bit-by-bit encryption/decryption capabilities. This could bring absolute security for Data and Voice communications through SDR.

VIII. CONCLUSIONS
It was shown how to achieve wireless secure communication at fast speeds with bit-to-bit symmetric encryption. The hardware requirements were described and it was shown how to calculate the security level associated with the communication. Miniaturization steps may allow easy coupling to mobile devices. The key storage has to be under control of the legitimate users and no key should ever be stored where a hacker could have command/control of the system. A correctly implemented system would offer privacy at top-secret level for the users. Furthermore, the correct choice of parameters creates a post-quantum security privacy.

A. PLATFORM - RACK IMPLEMENTATION
The PhRBG, within the platform, is seen as a rack implementation in Fig. 6 and some details in Fig. 7. A detailed description of the PhRBG will be published elsewhere [8]. Just a brief description is presented here.
The PhRBG is an opto-electronic device designed to generate bits continuously to supply any demand for bits at high speeds. The physical principle involved, quantum vacuum fluctuations that produce the optical shot-noise, is not bandwidth limited and the device speed can be adapted to all electronic improvements. Among the differences with other quantum random bit generators the presented device has no need for interferometry and a single detector is used. This gives a time stable operation for the system.
The PhRBG is currently implemented with off-the-shelf components including low-cost amplifiers (see $G$ in Fig. 1). These amplifiers have a frequency-dependent gain profile (a monotonic high gain at low frequencies) that introduces a low-frequency bias in the bit generation. To compensate for this bias without increasing costs, a Linear Feedback Shift Register (LFSR) is used in series with the bit output to produce an extra randomization. This breaks the (expectedly rarer) long sequences of repeated bits. This process does not reduce the speed of the PhRBG.
The currently implemented PhRBG works at ∼2.0 Gbit/sec and passes all randomness tests to which it was submitted, including the NIST suite described in "NIST's Special Publication 800 -A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications". Besides passing conventional randomness tests, some visual information conveys the same idea. Fig. 8 shows amplitudes of a Fourier analysis of a bit stream, revealing the white spectrum character of the generated bits. Figs. 9 and 10 show data and the expected occurrence of random bits for a distribution where the probabilities of 0s and 1s occurring are equal, $p = 1/2$. The probability of a sequence of $k$ identical bits (either 0 or 1) occurring is expected to be $p(k) = 1/2^k$. Changing from base 2 to base $e$, one writes $p(k) = \frac{1}{2^k} = e^{-k \ln 2} \approx e^{-0.693147\,k}$.
Data in Figs. 9 and 10 were fitted to p(n) = ce −an = ce ln 2 1− n , where will indicate a departure from the distribution $p(k) = 1/2^k$. The raw data [9] for the histograms are given by lists $L_1$ and $L_0$: One should observe that the deviation parameter is exponentially small, giving an estimate of the randomness associated with the generated bits.