Open Access
Add to BibSonomy
Abstract
Secret key agreement using physical properties of a wireless channel is becoming a promising scheme to establish a secret key between two users, especially in short-distance radio frequency (RF) communications. In this scheme, the existence of codes or key distillation that can make the leaked information to an eavesdropper arbitrarily small can be derived in an information theoretical way, given a priori knowledge on the channel linking a sender (Alice), a legitimate receiver (Bob), and an eavesdropper (Eve), which is called the wiretap channel. In practice, however, it is often difficult for Alice and Bob to get sufficient knowledge on Eve. In this study, we implement a free-space optical wiretap channel in a 7.8 km-terrestrial link and study how to estimate Eve’s tapping ability, demonstrating high speed secret key agreement in the optical domain under a certain restricted condition of line-of-sight.
© 2018 Optical Society of America under the terms of the OSA Open Access Publishing Agreement
1. Introduction
Secure key establishment is at the core of network security. Conventionally, public key cryptography is widely used as the world standard for this purpose. Recently, rapid increase of internet of things (IoT) including satellite networks and high-altitude platform raises the issue on how to share secure key with IoT. It would be associated with difficulty in applying public key cryptography or post quantum cryptography, because many IoT have very limited hardware resources for security options. Moreover, there is no clue for such public key cryptography to be secure against attacks with advanced or even unforeseen computing technologies, which is especially serious for some wireless network platforms, especially for satellites, since remote maintenance and update of their security system are not easy at all unlike those on the ground. Therefore, crypto schemes with information theoretical security (ITS) is an attractive option. Particularly, peer-to-peer key-sharing technology is an effective way to establish the secure network with ITS. This includes quantum key distribution (QKD) and other physical layer security whose security is ensured based on the laws of physics which govern the characteristics of the channel.
QKD was proposed by Bennett and Brassard [1] in 1984 and by Ekert [2] in 1991, and allows one to share a secure key even against a malicious third party who eavesdrops the channel by any physically implementable attacks and has unbounded computational ability (i.e. ITS). Its security is ensured by the laws of quantum mechanics, i.e., no-cloning theorem on non-orthogonal quantum states. In the 2000s, metropolitan scale QKD networks were deployed in installed fibers [3,4]. The commercialization of QKD has also been successful [5–7]. In the 2010s, intercity and continental scale QKD networks have been constructed [8]. And QKD network has recently been used to demonstrate a long-term storage solution [9]. In 2017, satellite QKD and quantum communications in an intercontinental scale were demonstrated [10–12]. A key rate at around 1 kbps over a 1,200-km channel between a low-earth orbit and the ground was reported. Space QKD will enable global key distribution with ITS, which will not be possible in fiber networks at present. Next step is to increase the key rate not only to widen a range of practical applications but also to analyze the security with sufficient size of statistical data of the keys.
Secret key agreement (SKA) was formulated by Maurer [13] and Ahlswede and Csiszár [14] in 1993. This scheme does not matter whether the laws of physics are classical or quantum, but assumes some a priori knowledge on eavesdropper’s ability to access the channel physically, as the joint probability distribution of random variables at a legitimate sender (Alice), a legitimate receiver (Bob), and an eavesdropper (Eve). Such a channel between Alice and Bob in the presence of Eve is called the wiretap channel (WTC). There have been extensive theoretical studies on deriving the secret key capacities and bounds on them, designing efficient codes and protocols, and extending the scheme to various complex scenarios [15]. In the last decade, experimental efforts have been made in the radio frequency (RF) domain [16], exploiting randomness due to unpredictable multipath scattering and fading as well as the channel reciprocity in the RF transmissions. If multipath scattering is rich, Eve located more than a half-wavelength away from Alice and Bob cannot have correlation with them, while Alice and Bob can share common randomness thanks to the channel reciprocity. This principle can enhance the effective use of WTC to generate secure keys [16,17]. The key rate of SKA in the RF domain is, however, still very low, at about 100 bps even in a short range, which is mainly due to the limited bandwidth of random sources.
Free-space optical (FSO) communication is becoming a promising scheme to realize high-capacity wireless links thanks to high-directional and power-efficient transmission with an unregulated wideband spectrum, and with smaller and lighter terminals. FSO links is an attractive platform for SKA. Usually, an FSO channel must be in the line-of-sight (LoS) from Alice and Bob to connect optical link properly. This automatically means that the channel is somehow monitored by Alice and Bob, which makes Eve much harder to eavesdrop the signal. That is, it would be reasonable to assume that Eve’s ability to access the FSO channel is physically limited. In other words, in practical situation, it would be too pessimistic to assume that Eve can be everywhere in free-space and can do anything allowed by the laws of physics as considered in the scenario of QKD.
In this work, we demonstrate the high-speed secret key agreement with ITS in an FSO link under the LoS assumption such that Eve cannot detect Alice’s signal inside the channel (i.e. in the LoS). We employ an FSO wiretap channel in a 7.8 km-terrestrial link established in our previous work [18,19] and implement a key distillation unit which enables us the real-time key generation. In general, it is difficult to estimate the real WTC. However, under the LoS assumption, one can estimate the worst case of the leaked information to Eve. To do so, we propose to introduce a second legitimate receiver that we call “virtual Eve”. The virtual Eve is located at the edge of the LoS (i.e. the best position that Eve could locate) and behaves as an eavesdropper. By using the virtual Eve’s data, the legitimate users can upper bound the worst possible leaked information to Eve (see Sec. 2 for details). The LoS assumption and the virtual Eve allow us the high-speed (and possibly long distance) generation of the secure keys with ITS. We demonstrate the real-time key generation of 4 Mbps from the 10 MHz on-off keyed optical signals.
Before closing the introduction, we briefly mention the LoS security assumption. Though we assume the LoS assumption throughout this paper, in realistic situation, it is a non-trivial question how to certify this intuitive assumption in a quantitative manner. To guarantee the quantitative physical security, it may be necessary to employ some physical probing/sensing schemes to characterize the FSO-WTC and to exclude somehow likely risks that Eve’s receiving strategy is superior to what Alice and Bob expect (such as stealth attacks). To our best knowledge, no literature has been published on experimental investigations in this direction yet. Our work is the first important step toward more complete SKA system and may provide useful data to design future FSO-SKA systems in a realistic condition.
2. Concept and experimental setup of secret key agreement
A conceptual configuration of SKA is shown in Fig. 1. The link between Alice and Bob is referred to as the main channel, while that between Alice and Eve as the tapping channel. These two links constitutes the WTC, which is mathematically described by a joint conditional probability distribution PYZ|X(y, z| x) of random variables Y and Z given X. Alice and Bob can use a public noiseless channel where Eve can receive all the messages but cannot modify or forge them. Alice and Bob use the WTC n times, and share random variables Xn, Yn, and Zn. With large n, it is known that they can establish a secret key with at least a rate of
where I(X;Y) = H(Y)-H(Y|X) is the mutual information between random variables X and Y, H(Y) and H(Y|X) are entropy and conditional entropy, respectively, and p(x) is the prior probability distribution of Alice’s input signal. Thus, the net key rate is given by the difference between the mutual information between Alice and Bob and that between Eve and Alice/Bob. After sharing the random variables, Alice and Bob perform the key distillation, which consists of information reconciliation and privacy amplification by exchanging information through the public channel [13,14,20] that we will describe in detail later.
Fig. 1 A conceptual configuration of SKA. e: bit error rate, and PYZ|X(y, z| x): probability distribution between Y and Z.
As clearly seen in Eq. (1), SKA relies on a priori knowledge about the WTC modeled by PYZ|X(y, z| x). Now one serious question is how Alice and Bob can know where Eve is located and how she can receive Alice’s signal. Note that in QKD the no-cloning principle of non-orthogonal quantum states allows one to detect any kinds of attacks launched by Eve, automatically eliminating the necessity of a priori knowledge on Eve’s tapping channel, but at the expense of the key rate and transmission distance. FSO-SKA should be able to increase the key rate and transmission distance beyond those of QKD, but instead it requires some mechanisms to validate that the real situation is described by PYZ|X (y, z| x). The only physical principle for classical FSO channel is the property of laser, i.e., high directionality of the channel in the LoS. Then validating the model of PYZ|X (y, z| x) implies to introduce some physical probing/sensing schemes to characterize the FSO-WTC, such as additional detectors for channel estimation as well as surveillance scope/camera, radar, light detection and ranging (LIDAR), and so on for alarming when Eve gets close to the main channel. However, it is still difficult in this direction to derive convincing criteria for practical security certification. The first step might be to investigate a simpler scenario under some assumptions, and acquire sufficient data for further studies on FSO-SKA.
The scenario in this paper is that Eve is behind Bob, and tries to tap the side lobe of the laser beam, assuming that if Eve is located in the main channel between Alice and Bob, they can detect Eve somehow by the methods mentioned above. To extract knowledge on the tapping channel, a probing receiver, referred to as “virtual eavesdropper (v-Eve)”, is introduced just next to Bob’s receiver. Figure 2 illustrates the schematic view of this scenario. In this case, the rate of Eq. (1) is maximized by the latter term, and can be achieved by the reverse reconciliation where Bob sends information to Alice at the information reconciliation step. Alice and Bob use the signal detected at Bob’s receiver to distill the key whereas use both signals at Bob and v-Eve to estimate the upper bound of I(Y;Z) for the reverse reconciliation.
Fig. 2 Schematic of the FSO-SKA assumption. Alice sends optical signal to Bob where the beam center is focused on Bob’s receiver. The legitimate users set the second receiver, v-Eve, who is under control of Alice and Bob. Eve, who may detect the signal to eavesdrop the signal, is assumed to be the outside of the supervised area by Alice, Bob, and v-Eve. Therefore, the signal intensity of Eve’s detector is always weaker than that of v-Eve’s.
In our experiment, we adopt on-off keying modulation with equal probabilities for on and off signals for the main channel. Bob measures the optical intensity by a photodiode and makes binary decision to demodulate Alice’s signal. The v-Eve measures the optical intensity as Bob does but directly uses the continuous value of intensity to make the best estimation of I(Y;Z), adopting soft decision. In addition, in the real experiment, Alice and Bob cannot achieve the rate of I(X;Y) since the code length is not infinitely large but finite. Therefore, in the experiment, I(X;Y) is replaced by the actual rate of error correction R which is the efficiency in the error correction process. Then instead of Eq. (1), the practical key rate is given by
where, Isoft(Y;Z) is the mutual information between Bob and v-Eve with soft decision. The detailed definition is given in Eq. (3) in Sec. 3. Alice optimizes her signal intensity not to be so weak that Bob fails in discriminating the signal, but not to be so strong either that v-Eve can discriminate the signal well, trying to maximize the rate of Eq. (2).An experimental setup of FSO-WTC is constructed in the Tokyo FSO Testbed, which is a 7.8-km terrestrial link between the University of Electro-Communication (UEC) and National Institute of Information and Communications Technology (NICT). Alice’s transmitter is in an all-weather telescope dome on the rooftop of a building in UEC. Bob’s receiver is set on the sixth floor of a building in the NICT premises. All optical components of Bob are mounted on a motorized gimbal. The receiver of v-Eve is a container type terminal set on the rooftop of the building which is just above the sixth floor roughly 10 m apart from Bob. This terminal consists of an all-weather scanner on the top of the container. Receiver optics and electronics are located on an optical breadboard inside of the container. The detailed components and specifications were reported in [19].
For readers’ convenience, we describe the main features of the setup relevant to the present context. Figure 3 shows the experimental setup of FSO-WTC constructed in the Tokyo FSO Testbed. Laser beam irradiated from Alice in UEC spreads about 7.8 m of full width at half maximum (FWHM) which corresponds to a Gaussian beam of 6.6 m radius. When the beam focuses on Bob preciously, a ratio of received power in front of telescopes at Bob and v-Eve is the above 100:1 because Bob and v-Eve is about 10 m apart. A 111 mm diameter Cassegrainian telescope set in Bob focuses the received optical signal to a 200 μm diameter multimode fiber. The optical signal is received by a PIN photodiode detector (TIA-525, Terahertz Technologies Inc.). v-Eve uses a 100 mm diameter Cassegrainian telescope with a 2-axis (θ-φ) scanner and receives the optical signal using an avalanche photodiode detector (APD) (A-CUBE-I200-10, Laser Components). The optical losses in Bob’s and v-Eve’s systems are 14dB and 9dB, respectively. Responsivities (noise equivalent powers) of Bob’s and v-Eve’s detectors are 0.8 A/W (3.0 pW/√Hz) and 11 A/W (160 fW/√Hz), respectively. Thus v-Eve’s receiver is less lossy and has higher sensitivity than that of Bob, and hence can be expected to be able to estimate the worst case scenario here. The scanner of v-Eve has a 50 mm-diameter CCD camera (BG030 TOSHIBA TELI Corporation) with an angular field of view of 25 mrad, which can monitor a view in her LoS. Note that there is a limit of surveillance only with such a passive camera for the purpose of detecting malicious objects around the channels, but the detailed analysis on the channel surveillance is out of the scope of this paper.
To realize SKA with this terrestrial FSO link, random bit sequences (RBSs) are first prepared by using an arbitrary waveform generator (AWG7000C, Tektronix Inc.) based on outputs from a physical random number generator (Quantis, ID Quantique) at Alice. These RBSs are then encoded into 1550-nm wavelength optical signals from a continuous wave laser by non-return to zero on-off keying at a rate of 10 Mbps as in [18,19]. The optical signals are amplified by an Erbium doped optical amplifier, collimated into a 5.5-mm width beam with a divergence angle of 1 mrad, and finally transmitted to Bob.
In order to accomplish SKA in the FSO link, the fading-resistant synchronization is indispensable. We develop a new frame format as illustrated in Fig. 4. Each frame includes a pseudo random noise15 (so-called PN15) sequence of length 215 – 1 = 32767 bits for frame synchronization, the frame identification number (ID number) of 1,024 bits, and the payload of RBS of 1112576 bits. The payload includes 64 kbits of test bits used for the preliminary bit error rate analysis. The PN15 sequence and the frame ID are interleaved to increase the robustness against burst errors. The total length of each frame is 1146367 bits.
At Bob and v-Eve, the optical signals are received by an each photodetector. The photoelectrical waveform from the PIN photodiode detector (APD) in Bob’s (v-Eve’s) receiver passes through low noise amplifiers with low frequency pass filters of 20 MHz bandwidth, is sampled by an oscilloscope at a sampling rate of 50 MHz, and is recorded in a computer. Due to the memory size of the oscilloscope, the data size acquired at one time is limited to 12.8 Mbit size. In the computer, clock data recovery, signal decision, and frame synchronization are executed as follows at each Bob and v-Eve. The photoelectrical waveform sampled at 50 MHz is divided into 230-ms partial waveforms, in each of which the signals corresponding to one frame must be included. The partial waveform is input to a low frequency pass filter with the cutoff frequency of 6 MHz, and is processed in the computer to recover the clock data corresponding to 10 MHz clock at Alice in the same way as in [21]. Then the bit-duration and the timing offset are found, the output values at the recovered clock rate are acquired. Each output value is then subject to the signal decision to discriminate the output value to be the 0 or the 1. To this end, we calculate the threshold by averaging 1500 of output values before and after the output value to be discriminated, and produce the received bit sequence. Finally frame synchronization and de-interleave are carried out by calculating the cross correlation between the received bit sequence and the PN15 sequence, and extracting the received ID numbers and payload data in each frame, respectively.
3. Experimental results and key distillation
After getting payload in Bob and v-Eve, the key distillation process is executed to extract secret keys based on the reverse reconciliation. We evaluate the leaked information by using the mutual information Isoft(Y;Z) from the data written as follows;
where PZ(z) is a probability distribution of v-Eve’s output, and PZ|Y (z|y = 0,1) is the conditional probability distribution of v-Eve’s output given Bob’s output of the 0 or the 1. Ideally, v-Eve’s soft decision should give a continuous distribution. In practice, however, real data of v-Eve is digitized. To combat with this problem, we employ curve fitting of the conditional probability distribution using Gaussian or Bi-Gaussian distributions which are often accepted models for relatively calm atmospheric turbulence. In particular, a Bi-Gaussian distribution involves a characteristic of bimodality, and can model atmospheric phenomena well [22], taking into account the effect of beam wandering due to atmospheric turbulence. We apply a stringent criterion as follows. In the curve fitting of the conditional probability distribution, we accept the fitting only if the coefficient of determination is higher than 0.99. Note that the criterion is arbitrarily set by Alice and Bob. If the conditional probability distribution cannot be fitted by either of these functions with this criterion, we abort the key distillation process to exclude risks that Alice and Bob fail in identifying Eve who is slipping into their LoS.Remaining questions are how many test bits should be used and how to choose test bits to estimate bit error rate and conditional probability distribution. In our payload, test bits are alternating with raw key bits bit-by-bit. In every frame (see the bottom of Fig. 4), even bits are used as test bits, and odd bits are the raw key bits used for distilling secure key. Bob picks up 2 Mbits, and calculates bit error rate by disclosing 1 Mbits to Alice through the public channel. Thereafter, Bob estimates the mutual information Isoft(Y;Z) by collaborating with v-Eve. In this setup, the sampling rate corresponds to 5 MHz. This is high enough to estimate the joint probability under air turbulence since the coherence time in the air is the order of ms [19].
Figure 5 shows conditional probability distributions PZ|Y(z|y = 0,1) of even and odd bit stream. Solid lines are measured data and hatched lines are fitting curves. The bit error rate between Alice and Bob of the even string coincides with that of the odd string, and leaked information estimations from fitting curves in both cases also does. In these fittings, the coefficient of determinations are more than 0.99. We use even bit strings for the channel estimation. We think the coefficient of determinations of the fitting curves would be one of criterions of how many bits should be used for estimation of error rates and leaked information to Eve in our proposed scheme.
Fig. 5 Joint histograms PZ|Y(z|y = 0,1) of Bob-v-Eve at even and odd bits. Solid lines are measured results, and hatched lines are fitted curves. Coefficient of determination at curve fitting are more than 0.99. Mutual information Isoft(Y;Z) are estimated by using fitted results in even and odd events. The output power at Alice was set 100 mW. Data acquisition date and time: 2017-09-19 16:09:00.
Finally Alice and Bob execute reverse reconciliation and privacy amplification by using the bit error rate and the mutual information Isoft(Y;Z). These error correction and privacy amplification processes which were developed with hardware based for the QKD system [23] are newly implemented by software. In privacy amplification, key length of raw key is 1 Mbits. These raw keys are compressed to (1M × [ R-Isoft(Y;Z)]) bits where R mentioned in Section 2 is adjusted according to the bit error rate. After key distillation process, Alice and Bob disclose Message Digest algorithm 5 (MD5) values of secure key to check the existence of residual error. If MD5 values of Alice’s and Bob’s are equal, secure keys are stored after subtracting 128 bits which corresponds to the length of the MD5 hash value.
The conditional probability distributions of even bits at various output power at Alice are shown in Fig. 6. Bit error rates, mutual information, coefficients of determination and secure key rates are listed in Table 1. In any power condition, bit error rates are less than 1%, so R of Low Density Parity Check (LDPC) code is set to be 85%. As a result, we obtain the secure key of 800 kbits per 0.2 s, which corresponds to getting 2 Mbits raw keys, even the output power at Alice is 30 mW. As a result, the secure key rate corresponds to 4 Mbps. Since the rate of RBSs transmitted by Alice is 10 Mbps, and a half of the received sequences were spent for channel estimation, this key rate almost corresponds to the rate of LDPC, meaning that Bob is much superior to Eve. In general, bit error rate increases at the low output power region, while the information leakage increases at the high output power region. Note that this is not always the case. It highly depends on the weather condition. Our scheme is a post-selection-based key generation, in which we execute key generation when we can confirm that the channel condition is stable. This is critical to upper bound the mutual information between v-Eve and Bob which guarantees information theoretical security of the generated keys.
Fig. 6 Joint histogram PZ|Y(z|y = 0,1) of Bob-v-Eve of even bits for various output powers at Alice. Solid lines are measured results, and hatched lines are fitted curves.
Table 1. Error rate, leaked information, coefficient of determination and secure key rate at various output power.
4. Summary
We performed experimental secret key agreement through a 7.8 km terrestrial free-space optical link. We introduced the receiver of v-Eve at the neighbor of Bob, assuming the scenario that Eve is behind Bob and v-Eve. The measurement results by v-Eve are used to estimate the leaked information to Eve in the worst case of the above scenario. We applied a stringent criterion that if conditional probability distributions of the 0 and the 1 received by v-Eve given Bob’s signal, which were estimated by consuming a half of the transmitted bits at a rate of 10 Mbps, could not be well fitted either by Gaussian or Bi-Gaussian functions, then the campaign was aborted. Thus, SKA in this work is a highly opportunistic scheme, selecting only events in the relatively small-scale fading conditions. In such a scheme, secret keys were generated at a rate of around 4 Mbps in the successful campaigns. We believe that there is no previous research of SKA over an FSO channel. Thus, there is no conventional method that can be compared with our proposed method. And this is the first and important step for practical SKA. More efficient schemes applicable to various fading conditions need to be investigated further.
Funding
ImPACT Program of Council for Science, Technology and Innovation (Cabinet Office, Government of Japan).
References
1. C. H. Bennett and G. Brassard, “Quantum cryptography: public-key distribution and coin tossing,” in Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing (Institute of Electrical and Electronics Engineers, New York, 1984), pp. 175–179.
2. A. K. Ekert, “Quantum cryptography based on Bell’s theorem,” Phys. Rev. Lett. 67(6), 661–663 (1991). [CrossRef] [PubMed]
3. M. Peev, C. Pacher, R. Alleaume, C. Barreiro, W. Boxleitner, J. Bouda, R. Tualle-Brouri, E. Diamanti, M. Dianati, T. Debuisschert, J. F. Dynes, S. Fasel, S. Fossier, M. Fuerst, J.-D. Gautier, O. Gay, N. Gisin, P. Grangier, A. Happe, Y. Hasani, M. Hentchel, H. Hübel, G. Humer, T. Länger, M. Legre, R. Lieger, J. Lodewyck, T. Lorünser, N. Lütkenhaus, A. Marhold, T. Matyus, O. Maurhart, L. Monat, S. Nauerth, J.-B. Page, E. Querasser, G. Ribordy, A. Poppe, L. Salvail, S. Robyr, M. Suda, A. W. Sharpe, A. J. Shields, D. Stucki, C. Tamas, T. Themel, R. T. Thew, Y. Thoma, A. Treiber, P. Trinkler, F. Vannel, N. Walenta, H. Weier, H. Weinfurter, I. Wimberger, Z. L. Yuan, H. Zbinden, and A. Zeilinger, “The SECOQC quantum key distribution network in Vienna,” New J. Phys. 11(7), 075001 (2009). [CrossRef]
4. M. Sasaki, M. Fujiwara, H. Ishizuka, W. Klaus, K. Wakui, M. Takeoka, S. Miki, T. Yamashita, Z. Wang, A. Tanaka, K. Yoshino, Y. Nambu, S. Takahashi, A. Tajima, A. Tomita, T. Domeki, T. Hasegawa, Y. Sakai, H. Kobayashi, T. Asai, K. Shimizu, T. Tokura, T. Tsurumaru, M. Matsui, T. Honjo, K. Tamaki, H. Takesue, Y. Tokura, J. F. Dynes, A. R. Dixon, A. W. Sharpe, Z. L. Yuan, A. J. Shields, S. Uchikoga, M. Legré, S. Robyr, P. Trinkler, L. Monat, J. B. Page, G. Ribordy, A. Poppe, A. Allacher, O. Maurhart, T. Länger, M. Peev, and A. Zeilinger, “Field test of quantum key distribution in the Tokyo QKD Network,” Opt. Express 19(11), 10387–10409 (2011). [CrossRef] [PubMed]
5. https://www.idquantique.com/
6. https://www.ait.ac.at/en/research-fields/physical-layer-security/optical-quantum-technologies/
7. http://www.quantum-info.com/English/
8. R. Courtland, “China’s 2,000-km quantum link is almost complete [news],” IEEE Spectr. 53(11), 11–12 (2016). [CrossRef]
9. M. Fujiwara, A. Waseda, R. Nojima, S. Moriai, W. Ogata, and M. Sasaki, “Unbreakable distributed storage with quantum key distribution network and password-authenticated secret sharing,” Sci. Reports , 6, 28988 (2016).
10. J. Yin, Y. Cao, Y.-H. Li, S.-K. Liao, L. Zhang, J.-G. Ren, W.-Q. Cai, W.-Y. Liu, B. Li, H. Dai, G.-B. Li, Q.-M. Lu, Y.-H. Gong, Y. Xu, S.-L. Li, F.-Z. Li, Y.-Y. Yin, Z. Q. Jiang, M. Li, J.-J. Jia, G. Ren, D. He, Y.-L. Zhou, X.-X. Zhang, N. Wang, X. Chang, Z.-C. Zhu, N.-L. Liu, Y.-A. Chen, C.-Y. Lu, R. Shu, C.-Z. Peng, J.-Y. Wang, and J.-W. Pan, “Satellite-based entanglement distribution over 1200 kilometers,” Science 356(6343), 1140–1144 (2017). [CrossRef] [PubMed]
11. S.-K. Liao, W.-Q. Cai, W.-Y. Liu, L. Zhang, Y. Li, J.-G. Ren, J. Yin, Q. Shen, Y. Cao, Z.-P. Li, F.-Z. Li, X.-W. Chen, L.-H. Sun, J.-J. Jia, J.-C. Wu, X.-J. Jiang, J.-F. Wang, Y.-M. Huang, Q. Wang, Y.-L. Zhou, L. Deng, T. Xi, L. Ma, T. Hu, Q. Zhang, Y.-A. Chen, N.-L. Liu, X.-B. Wang, Z.-C. Zhu, C.-Y. Lu, R. Shu, C. Z. Peng, J. Y. Wang, and J. W. Pan, “Satellite-to-ground quantum key distribution,” Nature 549(7670), 43–47 (2017). [CrossRef] [PubMed]
12. J.-G. Ren, P. Xu, H.-L. Yong, L. Zhang, S.-K. Liao, J. Yin, W.-Y. Liu, W.-Q. Cai, M. Yang, L. Li, K.-X. Yang, X. Han, Y.-Q. Yao, J. Li, H.-Y. Wu, S. Wan, L. Liu, D.-Q. Liu, Y.-W. Kuang, Z.-P. He, P. Shang, C. Guo, R.-H. Zheng, K. Tian, Z.-C. Zhu, N.-L. Liu, C.-Y. Lu, R. Shu, Y.-A. Chen, C.-Z. Peng, J.-Y. Wang, and J.-W. Pan, “Ground-to-satellite quantum teleportation,” Nature 549(7670), 70–73 (2017). [CrossRef] [PubMed]
13. U. M. Maurer, “Secret key agreement by public discussion from common information,” IEEE Trans. Inf. Theory 39(3), 733–742 (1993). [CrossRef]
14. R. Ahlswede and I. Csiszár, “Common randomness in information theory and cryptography. I. secret sharing,” IEEE Trans. Inf. Theory 39(4), 1121–1132 (1993). [CrossRef]
15. H. V. Poor and R. F. Schaefer, “Wireless physical layer security,” Proc. Natl. Acad. Sci. U.S.A. 114(1), 19–26 (2017). [CrossRef] [PubMed]
16. J. W. Wallance and R. K. Sharma, “Experimental investigation of MIMO reciprocal channel key generation,” Proceeding of IEEE Int. Conf. Communications 1–5 (2010).
17. T. Aono, K. Higuchi, T. Ohira, and H. Sasaoka, “Wireless secret key generation exploiting reactance-domain scalar response of multipath fading channels,” IEEE Trans. Antenn. Propag. 53(11), 3776–3784 (2005). [CrossRef]
18. M. Fujiwara, T. Ito, M. Kitamura, H. Endo, M. Toyoshima, H. Takenaka, Y. Takayama, R. Shimizu, M. Tkeoka, and M. Sasaki, “Secret key agreement demonstration over 7.8 km free-space optical channel,” International Conference on Quantum Communication, Measurement and Computing 2016, Singapore, July 2016.
19. H. Endo, M. Fujiwara, M. Kitamura, T. Ito, M. Toyoshima, Y. Takayama, H. Takenaka, R. Shimizu, N. Laurenti, G. Vallone, P. Villoresi, T. Aoki, and M. Sasaki, “Free-space optical channel estimation for physical layer security,” Opt. Express 24(8), 8940–8955 (2016). [CrossRef] [PubMed]
20. I. Csiszár and J. Körner, “Broadcast channels with confidential messages,” IEEE Trans. Inf. Theory 24(3), 339–348 (1978). [CrossRef]
21. H. Takenaka, A. Carrasco-Casado, M. Fujiwara, M. Kitamura, M. Sasaki, and M. Toyoshima, “Satellite-to-ground quantum-limited communication using a 50-kg-class microsatellite,” Nat. Photonics 11(8), 502–508 (2017). [CrossRef]
22. L. Liu, F. Hu, and X.-L. Cheng, “Probability density functions of turbulent velocity and temperature fluctuations in the unstable atmosphere surface layer,” J. Geophys. Res. 116(D12D12117), 1–13 (2011). [CrossRef]
23. A. Tanaka, M. Fujiwara, K. Yoshino, S. Takahashi, Y. Nambu, A. Tomita, S. Miki, T. Yamashita, Z. Wang, M. Sasaki, and A. Tajima, “High-speed quantum key distribution system for 1-Mbps real-time key generation,” IEEE J. Quantum Electron. 48(4), 542–550 (2012). [CrossRef]
