Synthesis of Sources of Common Randomness Based on Keystream Generators with Shared Secret Keys

Abstract

Secure autonomous secret key distillation (SKD) systems traditionally depend on external common randomness (CR) sources, which often suffer from instability and limited reliability over long-term operation. In this work, we propose a novel SKD architecture that synthesizes CR by combining a keystream of a shared-key keystream generator $KSG\left(K_G\right)$ with locally generated binary Bernoulli noise. This construction emulates the statistical properties of the classical Maurer satellite scenario while enabling deterministic control over key parameters such as bit error rate, entropy, and leakage rate (LR). We derive a closed-form lower bound on the equivocation of the shared-secret key $K_G$ from the viewpoint of an adversary with access to public reconciliation data. This allows us to define an admissible operational region in which the system guarantees long-term secrecy through periodic key refreshes, without relying on advantage distillation. We integrate the Winnow protocol as the information reconciliation mechanism, optimized for short block lengths ($N=8$), and analyze its performance in terms of efficiency, LR, and final key disagreement rate (KDR). The proposed system operates in two modes: ideal secrecy, achieving secret key rates up to 22% under stringent constraints (KDR < 10⁻⁵, LR < 10⁻¹⁰), and perfect secrecy mode, which approximately halves the key rate. Notably, these security guarantees are achieved autonomously, without reliance on advantage distillation or external CR sources. Theoretical findings are further supported by experimental verification demonstrating the practical viability of the proposed system under realistic conditions. This study introduces, for the first time, an autonomous CR-based SKD system with provable security performance independent of communication channels or external randomness, thus enhancing the practical viability of secure key distribution schemes.

1. Introduction

This paper addresses the design and synthesis of artificial sources of common randomness (CR) suitable for autonomous secret key distillation (SKD) by public discussions. The proposed CR source is based on a shared-key keystream generator $KSG\left(K_G\right)$, combined with locally injected Bernoulli noise. This construction ensures equivalence with the classical Maurer satellite scenario [1] while affording precise and deterministic control over critical parameters, including key disagreement rate (KDR), secret key rate, and information leakage rate (LR). To fulfill these requirements, the synthesized CR source is required to satisfy the following conditions:

• General Accessibility: Both parties (Alice and Bob) can implement and observe the CR source efficiently.
• Integrity: An adversary (Eve) cannot influence or manipulate the generation parameters of the CR source.
• Optimality: The CR synthesis mechanism must be designed to maximize the achievable secrecy capacity of the SKD system, thereby operating at theoretical efficiency bounds.
• Key Security: The integration of the CR source with the SKD protocol must ensure provably secure key generation with rigorously bounded information LR, under the assumption that the adversary employs an optimal inference strategy based on complete knowledge of the public discussion and system specifications.

A key contribution of this work is the derivation of a closed-form lower bound on the equivocation of the secret key $K_G$, ensuring provable secrecy even in the presence of public reconciliation data. This analytical result facilitates the rigorous characterization of an admissible operational region wherein long-term secrecy can be maintained through periodic key refresh without relying on traditional advantage distillation (AD) techniques.

The remainder of this paper is organized as follows:

Section 2 provides an overview of related works and discusses the key contributions and innovations of this study.

Section 3 presents the overall system architecture, detailing each component and their interactions within the SKD framework.

Section 4 provides an information-theoretic analysis of the proposed CR source, including the derivation of equivocation bounds and operation constraints.

Section 5 describes the design and performance analysis of the optimized CR KSG and Winnow reconciliation protocol with emphasis on secrecy performance and implementation feasibility.

Section 6 introduces two system operating modes of SKD based on CR KSG and Winnow reconciliation protocol: ideal secure and perfect secure mode.

Section 7 presents a computational complexity analysis of the proposed system and highlights its advantages compared to traditional SKD systems that rely on natural sources of common randomness.

Section 8 presents experimental verification to validate the theoretical analysis developed in Section 4, Section 5 and Section 6.

Section 9 provides security analysis and discusses practical considerations, implementation trade-offs, and design guidelines for deployment in real-world settings.

Section 10 concludes the paper with a summary of results and directions for future research.

2. Related Works and Contributions

The foundation of secret key agreement from correlated random sources was laid by works of Csiszár & Körner [2], Ahlswede & Csiszár [3], and Maurer [1], who introduced the satellite scenario to formalize secrecy generation in the presence of an eavesdropper. This model has since inspired significant research, particularly in quantum key distribution (QKD) and physical layer security, where the main sources of CR are different observable and measurable characteristics of the wireless communication channels between legitimate parties [4,5,6,7,8,9,10,11].

A principal limitation of secret key extraction from wireless channels lies in its strong dependence on channel dynamics and fluctuations, which significantly constrains the achievable secret key rate. Under conditions of frequent fading or deliberate jamming by an adversary, the volume of extractable secret key material typically becomes negligible, thereby rendering practical deployment infeasible [8,12].

Subsequent research has broadened the applicability of SKD beyond the physical layer, incorporating diverse CR source models, including those based on biometric signals [13,14,15,16]. However, a critical limitation of biometric signals as CR sources stems from the intrinsically bounded entropy of biometric patterns. In operational contexts requiring continuous and reliable real-time secret key generation, such sources are generally unsuitable or restricted to a limited subset of communication modalities—most notably, voice-based systems [16].

Artificial generation of common randomness via pseudorandom constructs has also been investigated, yet with limited attention to closed-form entropy analysis or integration with adaptive SKD protocols [12,17]. Notably, prior designs often depend on unstable or external entropy sources with inconsistent long-term performance.

Recent surveys have comprehensively analyzed key agreement and authentication protocols in IoT environments [18] and the use of intelligent reflecting surfaces to enhance physical layer secret key generation [19], emphasizing the practical challenges of secure key establishment under varying physical conditions. In parallel, advances in quantum information processing and integrated photonic platforms have led to high-performance heterodyne receivers supporting secure quantum random number generation and continuous-variable quantum key distribution (CV-QKD) with high secret key rates [20]. Techniques for establishing common randomness through round-trip travel times in packet data networks have been explored as a novel frontier in physical layer security, enabling secrecy level adaptation based on the similarity of common randomness [21]. Furthermore, random modulation has been utilized to enhance secret key generation over atmospheric optical channels, demonstrating practical improvements in the robustness and efficiency of key distribution schemes [22]. These developments collectively underscore the growing interest in autonomous and adaptable secret key generation mechanisms across classical, quantum, and hybrid environments, aligning with the motivation of the present study to design a scalable SKD system with bounded leakage and autonomous operation.

More recently, equivocation-based analysis, following Shannon’s original concept of ideal secrecy, has been used to evaluate the robustness of cryptographic protocols against adversaries observing public exchanges [23]. However, existing systems rarely incorporate mechanisms to ensure a quantifiable lower bound on equivocation over time.

This paper addresses these gaps by proposing a theoretically grounded and practically implementable system for CR synthesis based on deterministic keystream generators. It further integrates a high-efficiency, short-block Winnow protocol for reconciliation, optimized for minimal communication overhead and robustness under constrained bit error rate (BER) conditions.

Contributions and Innovations of This Work

This work introduces a structured approach for synthesizing artificial CR sources using a shared-key KSG and local pure randomness injection. The novelty of this system lies in its ability to deterministically emulate the statistical behavior of naturally correlated sources while enabling precise control over security-relevant parameters. The core innovations of the proposed architecture include:

• A formal mathematical framework for generating cryptographically secure common randomness from a deterministic keystream generator, enabling predictable system behavior.
• A tunable and transformable CR source that statistically mimics Maurer’s satellite model, but with enhanced control over secrecy capacity, KDR, and LR.
• Closed-form analytical expressions for bounding the equivocation of the secret key $K_G$ under conditions of full public discussion information (Theorem 1).
• A fully autonomous SKD system architecture, capable of internal key refreshing and separation of reusable versus system-maintenance keys (Theorem 2–4).
• Integration and optimization of the Winnow protocol for highly efficient reconciliation over short block lengths (e.g., $N=8$), resulting in low KDR and LR along with minimal communication overhead (Theorem 5 and 6).
• Identification of two system operating modes—ideal secrecy and perfect secrecy—in relation to system parameters, and determination of the maximum secret key generation rate in both modes (Theorem 7).
• Elimination of the AD phase without degrading secrecy performance, thereby simplifying protocol design and reducing complexity.
• Practical guidelines for system parameterization to maximize the achievable secrecy rate, while ensuring sustained key confidentiality through equivocation management.

3. System Architecture

Figure 1 shows the general architecture of the proposed autonomous system for secret key distillation based on public discussion.

The system consists of three subsystems:

• A CR block, which functions as a source of common randomness;
• A SKD block, which performs information reconciliation (IR) and privacy amplification (PA);
• A Splitter, which divides the distilled secret key $K$ into two parts, $K_G$, used for refreshing the secret key $KSG\left(K_G\right)$, and $K_S$, intended for further cryptographic use. The lengths of $K_G$ and $K_S$ can be arbitrary, provided that their total length satisfies $\left|K\right|=\left|K_G\right|+\left|K_S\right|$, and are typically chosen according to the system’s operational requirements.

In each operation cycle $i$ of the system, the CR block generates the output sequence $Y$ by performing a bitwise modulo-2 addition (XOR) of the sequences $X$ and $C_K$, i.e.,

$$Y=X \oplus { C}_K$$

(1)

where $X$ is a sequence distributed according to the Bernoulli distribution, generated by a local source of true randomness

$$X~B\left(\epsilon \right), \epsilon =Pr\left\{X=1\right\}, 0<\epsilon \le 1,$$

(2)

and the sequence $C_K$ is a running key (or keystream) produced by key stream generator $KSG\left(K_G\right)$, where $K_G$ is the secret key.

Remark 1. 

If Alice and Bob have a pre-shared secret key $K_G$, they can generate their local sequences $Y_A$ and $Y_B$

$$Y_A=X_A\oplus C_K, Y_B=X_B\oplus C_K.$$

(3)

The probability of disagreement between those sequences, i.e., the BER is

$$p_{AB}=P\left(Y_A\oplus Y_B=1\right)=P\left(X_A\oplus X_B=1\right)={\epsilon }_A\ast {\epsilon }_B$$

(4)

where $\ast$ denotes binary convolution

$$p\ast q=p\left(1-q\right)+\left(1-p\right)q, 0\le p, q\le 1.$$

(5)

If ${\epsilon }_A={\epsilon }_B=\epsilon$ is adopted, then it follows:

$$p_{AB}=2\epsilon \left(1-\epsilon \right).$$

(6)

The inverse relation also follows, which will be of interest in the subsequent discussion

$$\epsilon ={\displaystyle \frac{1}{2}}(1-\sqrt{1-2p_{AB}}).$$

(7)

Therefore, the proposed CR source can be considered as a variant of Maurer’s satellite scenario, where by controlling the parameter $\epsilon$, any desired BER between Alice’s and Bob’s sequences can be achived; see Figure 2.

It should be noted that such precise control of the correlation properties of sequences generated in Maurer’s satellite scenario is practically impossible to achieve [11]. Moreover, if Eve does not possess the secret key $K_G$, then the error probability between her sequence and Alice’s sequence is

$$p_{EA}=P\left(Y_E\oplus Y_A=1\right)=P\left(X_E\oplus C_{KE}\oplus X_A\oplus C_K\right)=0.5$$

(8)

given that

$$C_{KE}\oplus C_K~B\left(0.5\right),$$

(9)

where $C_{KE}$ denotes the keystream generated by the key stream generator $KSG\left(K_{KE}\right)$, with Eve’s secret key $K_{KE}\ne K.$ Condition (9) is a mandatory property of any secure cryptographic $KSG\left(K\right)$ and is closely related to the so-called avalanche effect; see [24,25]. Similarly, we obtain

$$p_{EB}=P\left(Y_E\oplus Y_B=1\right)=P\left(X_E\oplus C_{KE}\oplus X_B\oplus C_K\right)=\left({\epsilon }_E\ast {\epsilon }_B\right)\ast 0.5=0.5$$

(10)

Figure 3 illustrates the equivalent Maurer satellite scenario, where $KSG\left(K_G\right)$ functions as a satellite, broadcasting the keystream $C_K$. To this signal, binary additive noises are superimposed at Alice’s, Bob’s, and Eve’s channels. In the case of Alice’s and Bob’s channels, these noises correspond to sequences generated by local sources of pure randomness distributed according to $B\left(\epsilon \right).$ Eve’s optimal strategy for selecting the sequence $X_E$ is

$$X_E={C_{KE}\oplus E}_E, E_E~B\left(\epsilon \right),$$

(11)

which is structurally identical to Alice’s and Bob’s sequences $X_A$ and $X_B$, but generated with her own encryption key $C_{KE}$. Then, Eve’s equivalent binary noise ${\tilde{E}}_E$ relative to the satellite signal $C_K$ is given by

$$X_E={C_{KE}\oplus E}_E=C_K\oplus {{(C}_{KE}\oplus C_K\oplus E}_E)=C_K\oplus {\tilde{E}}_E$$

(12)

$${\tilde{E}}_E={C_{KE}\oplus C_K\oplus E}_E$$

(13)

which has a Bernoulli distribution with parameter ${\epsilon }_{\tilde{E}}$ given by

$${\epsilon }_{\tilde{E}}=\left(0.5\ast 0.5\right)\ast \epsilon =0.5.$$

(14)

Remark 2. 

In the analyses presented, see (8)–(14), we have, among other considerations, employed the well-known result that the modulo-two sums of a binary sequence distributed as $B\left(0.5\right)$ with an independent sequence distributed as $B\left(\epsilon \right)$, for any $\epsilon \in \left[\mathrm{0,1}\right],$ results in a sequence that remains distributed as $B\left(0.5\right)$. This result is a classical property in information theory, particularly within the analysis of the Binary Symmetric Channel (BSC), where it is well known that if the channel input is uniformly distributed (i.e., each bit is $B\left(0.5\right)$) and the channel noise is an independent $B\left(\epsilon \right)$ random variable, the channel output remains uniformly distributed regardless of the parameter $\epsilon$. This property ensures that an adversary observing the output gains no information about the input, which underlies the statement that the “most secure change” of a sequence is achieved when each bit changes with probability 0.5. Although this property is often considered folklore, it is systematically presented in standard references such as [26,27,28]. Additionally, we would like to point out that this result aligns with the random-in/random-out property of non-expanding ciphers, as discussed by Massey [29], where it is shown that the cascade of a binary symmetric source (BSS), corresponding to a $B\left(0.5\right)$ source, with a non-expanding cipher (such as additive stream ciphers or block ciphers) yields an output that is also a BSS, regardless of the secret key distribution. This implies that the ciphertext sequence is statistically independent of the secret key, guaranteeing that no information about the key can be obtained from the ciphertext alone, no matter how much ciphertext is observed by an adversary. This further supports the security principle that the highest level of uncertainty—and thus security—is achieved when bit changes occur with probability 0.5.

It is well known that, in the case of the satellite scenario (see [1]), the secrecy capacity, thus the maximum length of a secret key that can be distilled in the presence of an eavesdropper, is

$$C_S=min\left\{I\right(X_A;X_B), I(X_A;X_B \left|X_E\right)\},$$

(15)

where $I(X_A;X_B)$ denotes the mutual information between $X_A$ and $X_B$, while $I(X_A;X_B |X_E)$ denotes this mutual information conditioned by $X_E$. Taking into account (8) and (10), we conclude that Eve’s sequence $X_E$ is independent of Alice and Bob sequence $X_A$ and $X_B$, which reduces (15) to

$$C_S^{max}=I\left(X_A ;X_B\right).$$

(16)

The advantage of the SKD strategy, which consists of applying PA to the result of the IR protocol, lies in achieving all secret key rates below the secrecy capacity $C_S^{max}$, as well as its explicit practical implementation [1].

In the SKD block, a suitably chosen IR algorithm is first applied, whose primary function is to eliminate differences between Alice’s and Bob’s sequences by exchanging various types of parity information over the available public authenticated channel [1,4,30]. As a result of this phase, Alice and Bob share identical sequences ${\mathrm{W}}_{\mathrm{i}}$ with high probability (see Figure 1). In the final phase of the SKD protocol, PA is performed by Alice and Bob agreeing over the public channel on the choice of a compression function $G$, to distill from $W_i$ a shorter string $K_i$ about which Eve has only a negligible amount of information [31,32]. As a rule, it is achieved by applying a suitable hash function from the class of universal hash functions [1,33,34]. Universality means that for any two different inputs, the chance they collide (hash to the same output) is at most ${\displaystyle \frac{1}{|\mathrm{o}\mathrm{u}\mathrm{t}\mathrm{p}\mathrm{u}\mathrm{t} \mathrm{s}\mathrm{p}\mathrm{a}\mathrm{c}\mathrm{e}|}}$. From Theorem 3 and Corollary 4 in [35], it follows that if the hash output length is at most the Rényi entropy of order 2 of the input minus a small security parameter, then the output is nearly indistinguishable from uniform. Moreover, if Eve holds some side information about the reconciled sequence (the input to the hash function) after the IR phase, then her information about the hash output becomes negligibly small, provided her conditional Rényi entropy of order 2 is greater than the hash output length minus a small security parameter.

In the splitter block, from the distilled key $K_i$, the key $K_{G,i}$ is selected to refresh the secret key of $KSG\left(K_{G,i-1}\right)$, resulting in the updated $KSG\left(K_{G,i}\right)$, while the remaining part, $K_{Si}$, is reserved for subsequent use. From the system’s end-use perspective, the generation rate of usable secret keys is equal to the generation rate of $K_{Si}$.

The refresh rate of $KSG\left(K_{G,i}\right)$, is chosen such that Eve’s equivocation

$$H\left(K_{G,i}\mid S\right)\ge {∆}_{K_G},0\le {∆}_{K_G}\le \left|K_{G,i}\right|\mathrm{for} \forall i, i=\mathrm{0,1},2,\dots$$

(17)

never falls below a predetermined margin ${∆}_{K_G}$ for every operation cycle $i$, where $S$ denotes the total information that Eve obtains by observing the public channel during the execution of the SKD protocol for the $i$-th block cycle.

Summary of Assumptions Made in the Design of Proposed System

Finally, let us summarize the assumptions made in the design of the proposed autonomous SKD systems from Figure 1. The proposed architecture operates under the following assumptions:

• Pre-shared secret key $K_G$ is available to Alice and Bob for initializing the keystream generator $KSG\left(K_G\right)$ and is refreshed securely in each cycle.
• Both parties have trusted local sources of true randomness generating Bernoulli-distributed sequences with a tunable parameter $\epsilon$, enabling precise control over the BER in the system, thus emulating a synthetic Maurer satellite scenario.
• The keystream generator $KSG\left(K_G\right)$ satisfies the avalanche criterion, ensuring that without knowledge of $K_G$, the keystream appears statistically indistinguishable from a Bernoulli$\left(0.5\right)$ sequence to an adversary.
• An authenticated public channel is available for IR and PA, assumed to be observable but not modifiable by an adversary.
• Eve is assumed to have unlimited computational power (information-theoretic security model) and complete access to the public channel, but no access to $K_G$ or the synchronized keystream.
• The system assumes the use of efficient IR protocols capable of reconciling Alice’s and Bob’s sequences to enable secret key rates approaching the secrecy capacity.
• PA is performed using universal hash functions, assuming sufficiently high conditional Rényi-2 entropy (or Shannon equivocation) of the reconciled sequences with respect to Eve’s view to ensure negligible leakage.
• Security is guaranteed cycle-by-cycle, with the refreshed secret key $KSG\left(K_{G,i}\right)$ satisfying conditions (17), maintaining a controlled secrecy margin against any information Eve may have acquired through public communications $S.$

These assumptions ensure that the architecture enables autonomous secret key distillation while maintaining forward secrecy under practical, information-theoretic security constraints.

4. Information-Theoretic Analysis of the Source of Common Randomness Based on KSG(K_G)

Theorem 1. 

Let the set of information available to Eve over the public channel during the execution of the IR phase of an SKD protocol be denoted as $S=\left\{S_i\right\}$, $/S/=n_p$, where

$$S_i={\sum }_{j=1}^{N_i}{Y}_j·m_{ij }.$$

(18)

Let $m_i$ denote the binary vector—mask associated with each $S_i$, of the form

$$m_i=\left[m_{i1}, m_{i2}, \dots , m_{i{N}_i}\right], m_{ij}\in \left\{\mathrm{0,1}\right\}.$$

(19)

Then, the lower bound on the equivocation of the secret key of $KSG\left(K_G\right)$, based on observations from the public channel, is given by

$$H\left(K_G\mid S_1, S_2,\dots , S_{n_p}\right)\ge \left|K_G\right|-n_p\left(1-{\displaystyle \frac{1}{n_p}}\sum _{i=1}^{n_p}{h}_b\left({\epsilon }_i\right) \right)$$

(20)

$${\epsilon }_i={\displaystyle \frac{1}{2}}\left(1-{(1-2\epsilon )}^{\sum _{j=1}^{N_i}{m}_{ij}}\right)$$

(21)

where $\epsilon$ is the parameter of the Bernoulli distribution $B\left(\epsilon \right)$, of the random variable $X$, and $h_b$ denotes the binary entropy function

$$h_b\left(x\right)=-p\mathit{log}\left(p\right)-\left(1-p\right)log(1-p), p\in \left(\mathrm{0,1}\right).$$

(22)

Proof of Theorem 1. 

According to [36], for every symmetric cipher system $\left\{K, X, Y\right\}$, where $K$ is the secret key, $X$ is the message, and $Y$ is the ciphertext, the following holds

$$H\left(K∣Y\right)=H\left(K\right)+H\left(X\right)-H\left(Y\right).$$

(23)

Based on Equation (18), it follows that

$$S_i={\sum }_{j=1}^{N_i}\left(X_j ⨁C_j\right)·m_{ij}={\sum }_{j=1}^{N_i}{X}_j·m_{ij}⨁{\sum }_{j=1}^{N_i}{C}_j·m_{ij}={\widetilde{\stackrel{~}{X}}}_i⨁{\widetilde{\stackrel{~}{C}}}_i.$$

(24)

Therefore, the observations $S_i$ on the public channel can be regarded as the ciphertext of an equivalent cipher system $\left\{K_G,{\widetilde{\stackrel{~}{X}}}_i,S_i\right\}$, given that each sequence ${\widetilde{\stackrel{~}{C}}}_i$ is generated by the corresponding ${KSG}_i\left(K_G\right)$ using the same secret key $K_G.$ The entropy of the equivalent plaintext ${\widetilde{\stackrel{~}{X}}}_i$ is given by

$$\begin{gathered} H\left({\widetilde{\stackrel{~}{X}}}_i\right)=H\left({\sum }_{j=1}^{N_i}{X}_j ·{ m}_{ij }\right)=h_b\left({\epsilon }_i\right) , \\ {\epsilon }_i={\displaystyle \frac{1}{2}}\left(1-{(1-2\epsilon )}^{\sum _{j=1}^{N_i}{m}_{ij}}\right). \end{gathered}$$

(25)

Namely, Equation (25) directly follows from the fact that ${\widetilde{\stackrel{~}{X}}}_i$ is the sum $\sum _{j=1}^{N_i}{m}_{ij}$ of i.i.d. random variables $X_j$ distributed according to $B\left(\epsilon \right)$; see for example proofs in [37,38].

If the observations $\left\{S_i\right\}$ on the public channel are considered as the ciphertext of the cipher system $\left\{K_G, X, S\right\}$, then the following equalities hold

$$\begin{gathered} H\left(K_G\mid S_1\right)=H\left(K_G\right)+h_b\left({\epsilon }_1\right)-H\left(S_1\right), \\ H\left(K_G\mid S_2\right)=H\left(K_G\right)+h_b\left({\epsilon }_2\right)-H\left(S_2\right), \\ .......................................... \\ H\left(K_G\mid S_{n_p}\right)=H\left(K_G\right)+h_b\left({\epsilon }_{n_p}\right)-H\left(n_p\right). \end{gathered}$$

(26)

The sum of these equations results in

$${\sum }_{i=1}^{n_p}H\left(K_G\mid S_i\right)=n_{p}H\left(K_G\right)+{\sum }_{i=1}^{n_p}{h}_b\left({\epsilon }_i\right)-{\sum }_{i=1}^{n_p}H\left(S_i\right).$$

(27)

Given that $S_i$ are mutually independent, the following holds

$${\sum }_{i=1}^{n_p}H\left(K_G\mid S_i\right)=H\left(K_G\mid S_1, S_2, \dots , S_{n_p}\right)-\left(n_p-1\right)H\left(K_G\right).$$

(28)

which, by substitution into (27), gives

$$H\left(K_G\mid S_1,S_2,\dots ,S_{n_p}\right)=H\left(K_G\right)+{\sum }_{i=1}^{n_p}{h}_b\left({\epsilon }_i\right)-{\sum }_{i=1}^{n_p}H\left(S_i\right).$$

(29)

Bearing in mind that the entropy satisfies the inequality $H\left(S_i\right)\le 1$, we obtain

$$H\left(K_G\mid S_1, S_2,\dots , S_{n_p}\right)\ge \left|K_G\right|+{\sum }_{i=1}^{n_p}{h}_b\left({\epsilon }_i\right)-n_p.$$

(30)

which proves the claim (20) of the theorem. This completes the proof. □

Remark 3. 

To assist the reader, we emphasize that Theorem 1 provides a lower bound on the uncertainty (equivocation) that an eavesdropper retains about the secret key even after observing all public communication. This result is crucial, as it ensures that the secret key $K_G$ maintains a provable level of secrecy regardless of public leakage. The bound directly quantifies how the entropy of the key is preserved, depending on the properties of the system’s injected randomness and the structure of the reconciliation masks.

Remark 4. 

Knowing the lower bound of the equivocation of the secret key $K_G$ allows us to formulate conditions under which this bound never falls below a predetermined threshold ${∆}_{K_G}$. According to (20), if the following condition is satisfied:

$$\left|K_G\right|+{\sum }_{i=1}^{n_p}{h}_b\left({\epsilon }_i\right)-n_p\ge {∆}_{K_G}, 0\le {∆}_{K_G}\le \left|K_G\right|,$$

(31)

then, based on the observations $S=\left\{S_i\right\}$, $\left|S\right|=n_p$, from the public channel during the execution of the given IR protocol, Eve cannot reduce the initial uncertainty of the key $K_G$ below ${∆}_{K_G}$, where $0\le {∆}_{K_G}\le \left|K_G\right|$.

Definition 1. 

The admissible region $D\left(\epsilon , {∆}_{K_G}, K_G, t,{ K}_S\right)$ of the system operation shown in Figure 1 is defined by the following constraints:

$$0<{∆}_{K_G}<K_G$$

(32)

$$H\left(K_G\mid S_1, S_2,\dots , S_{n_p}\right)\ge {∆}_{K_G}$$

(33)

$$\left|K\right|=\left|K_S\right|+\left|K_G\right|$$

(34)

$$\left|K\right|+t\le n_{IR0}·{\mu }_{IR}$$

(35)

$$IE=n_{IR0}·h_b\left(\epsilon \right)+\left|K_G\right|\ge \left|K\right|$$

(36)

$$P\left\{K_A\ne K_B\right\}\le \delta$$

(37)

where $t$ is the security margin, $n_{IR0}$ is the length of initial Alice and Bob strings before starting IR protocol, while ${\mu }_{\mathit{IR}}$ is so-called data remaining efficiency, defined as the ratio of the length $n_{\mathit{IR}}$ of reconciliated sequences after completion of the IR protocol and the length of initial sequences, i.e.,

$${\mu }_{IR}={\displaystyle \frac{n_{IR}}{n_{IR0}}}.$$

(38)

The $IE$ denotes the so-called innovative or fresh entropy [38].

For the considered system, IE is actually the amount of entropy introduced into the system by the local source of randomness.

Condition (32) ensures the selection of the lower bound of the equivocation of the keys $K_G$, as given by (33). Condition (34) guarantees the autonomy of the system in maintaining this lower bound. This is achieved through regular refreshing of the keys $K_G$ after each block of newly generated sequences $\left\{Y_i\right\}$ of length $n_{IR0}$, during which the system simultaneously distills keys $K_S$ for independent use. Condition (35) establishes a relation between the length of the distilled keys $\left|K\right|$, the security margin $t$, which reflects the compression rate of the PA block, and the length of the reconciled sequences resulting from the IR phase [1,35]. Condition (36) imposes the constraint on the length of the distilled keys and the amount of innovative entropy introduced in each system cycle. Through condition (37), the KDR is controlled. Typical values for $t$ range from 30 to 40, while $\delta$ is on the order of ${10}^{-5}$.

Remark 5. 

The admissible region $D$ can also be defined using quantities normalized by the length $n_{IR0}$, which allows clearer interpretation and visualization. Let us introduce the following notation for the normalized quantities of interest

$${\widetilde{∆}}_{K_G}={\displaystyle \frac{{∆}_{K_G}}{n_{IR0}}}, {\tilde{K}}_G={\displaystyle \frac{K_G}{n_{IR0}}}, {\tilde{K}}_S={\displaystyle \frac{K_s}{n_{IR0}}}, \tilde{K}={\displaystyle \frac{K}{n_{IR0}}}, \widetilde{IE}={\displaystyle \frac{IE}{n_{IR0}}}, \tilde{t}={\displaystyle \frac{t}{n_{IR0}}}.$$

(39)

These can now be interpreted as the corresponding rates. The corresponding definition of the normalized admissible region $\tilde{D}\left(\epsilon ,{\widetilde{∆}}_{K_G},{\tilde{K}}_G,\tilde{t},{\widetilde{ K}}_S\right)$ is given by the following set of constraints

$$0<{\widetilde{∆}}_{K_G}<{\tilde{K}}_G$$

(40)

$$\tilde{H}\left(K_G\mid S_1, S_2,\dots , S_{n_p}\right)\ge {\widetilde{∆}}_{K_G}$$

(41)

$$\left|\tilde{K}\right|=\left|{\tilde{K}}_S\right|+\left|{\tilde{K}}_G\right|$$

(42)

$$\left|\tilde{K}\right|+\tilde{t}\le {\mu }_{IR}$$

(43)

$$\widetilde{IE}=h_b\left(\epsilon \right)+\left|{\tilde{K}}_G\right|\ge \left|\tilde{K}\right|$$

(44)

$$P\left\{K_A\ne K_B\right\}\le \delta .$$

(45)

It is particularly convenient to represent the admissible region $\tilde{D}$ in the $(Rates,{ p}_{IR0})$ coordinates (see Figure 4) where $p_{IR0}$ denotes the initial BER, $p_{AB}$, between Alice’s and Bob’s sequence at the beginning of the IR protocol. Theorem 2 provides the lower and upper bounds of the admissible region $\tilde{D}$ in $(Rates, p_{IR0})$ coordinates in the general case.

Theorem 2. 

Let the set of information available to Eve over the public channel during the IR phase of a given SKD protocol be denoted by $S=\left\{S_i\right\}$, $\left|S\right|=n_p$, where each $S_i$ is given by equation (18), and $m_i$ denotes the binary mask vector associated with each $S_i$, as defined in equation (19). Let $n_{IR0}$ denote the initial sequence length and $p_{IR0}$ the initial BER between Alice’s and Bob’s sequences. Then, the admissible region $\tilde{D}$ is bounded with upper

$${\Psi }_U\left(p_{IR0},{ \mu }_{IR}\right)=min\left\{{\left|{\tilde{K}}_G\right|+h}_b\left({\displaystyle \frac{1}{2}}(1-\sqrt{1-2p_{IR0}}\right),{\mu }_{IR}\left(p_{IR0}\right)-\tilde{t}\right\},$$

(46)

and lower bound

$${\Psi }_L\left(p_{IR0},{ \mu }_{IR}\right)=1-{\mu }_{IR}\left(p_{IR0}\right)-{\displaystyle \frac{1}{n_{IR0}}}{\sum }_{i=1}^{n_p}{h}_b\left({\displaystyle \frac{1}{2}}\left({1-\left(1-2 p_{IR0}\right)}^{{\displaystyle \frac{1}{2}}{\sum }_{j=1}^{N_i}{m}_{ij}}\right)\right),$$

(47)

where ${\mu }_{\mathit{IR}}$ is data remaining efficiency of the applied IR protocol.

Proof of Theorem 2. 

For each fixed $p_{IR0}$, the upper bound ${\Psi }_U(p_{IR0},{ \mu }_{IR})$ corresponds with the maximum achievable rate of the distilled key, i.e.,

$${\Psi }_U\left(p_{IR0},{\mu }_{IR}\right)=max\left\{\left|\tilde{K}\right|\right\}.$$

(48)

Based on constraints (43) and (44), we conclude that the following must hold simultaneously

$$\left|\tilde{K}\right|\le {\mu }_{IR}-\tilde{t}\mathrm{and} \left|\tilde{K}\right|\le \widetilde{IE}=\left|{\tilde{K}}_G\right|+h_b\left(\epsilon \right),$$

(49)

from which it follows that

$${\Psi }_U(p_{IR0}, {\mu }_{IR})=min\left\{\left|{\tilde{K}}_G\right|+h_b\left(\epsilon \right), { \mu }_{IR}\left(p_{IR0}\right)-\tilde{t}\right\}.$$

(50)

The lower bound is equal to the minimum achievable rate of the distilled key that guarantees system autonomy and the specified lower bound on the secret key equivocation (41) for a given $p_{IR0}$, i.e.,

$${\Psi }_L\left(p_{IR0},{ \mu }_{IR}\right)=min\left\{\left|\tilde{K}\right|\right\}.$$

(51)

From (42) and (31), after normalizing by $n_{IR0}$, we obtain

$$\left|\tilde{K}\right|\ge {\widetilde{∆}}_{K_G}+\left|{\tilde{K}}_S\right|-{\displaystyle \frac{1}{n_{IR0}}}{\sum }_{i=1}^{n_p}{h}_b\left({\epsilon }_i\right)+{\displaystyle \frac{n_p}{n_{IR0}}},$$

(52)

given that

$${\displaystyle \frac{n_p}{n_{IR0}}}={\displaystyle \frac{n_{IR0}-{\mu }_{IR}{n}_{IR0}}{n_{IR0}}}=1-{\mu }_{IR}.$$

(53)

The right side of equation (52) reaches its minimum value for ${\widetilde{∆}}_{K_G}=0$ and $\left|{\tilde{K}}_S\right|=0$, giving

$${\Psi }_L\left(p_{IR0},{ \mu }_{IR}\right)=min\left\{\left|\tilde{K}\right|\right\}=1-{\mu }_{IR}-{\displaystyle \frac{1}{n_{IR0}}}{\sum }_{i=1}^{n_p}{h}_b\left({\epsilon }_i\right).$$

(54)

Taking into account (25) and (7), we find that

$${\epsilon }_i={\displaystyle \frac{1}{2}}\left(1-{(1-2\epsilon )}^{\sum _{j=1}^{N_i}{m}_{ij}}\right)={\displaystyle \frac{1}{2}}\left({1-\left(1-2p_{IR0}\right)}^{{\displaystyle \frac{1}{2}}\sum _{j=1}^{N_i}{m}_{ij}}\right),$$

(55)

which into (54), results in (47). This completes the proof of the theorem. □

Based on Theorem 2, it immediately follows that for a given $p_{IR0}=p_{IR0}^{\ast }$, where $p_{IR0}^{\ast }\in \tilde{D},$ the maximum rate of distilled keys is

$${\left|\tilde{K}\right|}_{max}={\Psi }_U\left(p_{IR0}^{\ast } ,{ \mu }_{IR}\right) , p_{IR0}^{\ast }\in \tilde{D}.$$

(56)

For a fixed $\left|{\tilde{K}}_G\right|$, given the condition (42), the maximum rate of the usable component of the distilled keys is given by

$${\left|{\tilde{K}}_S\right|}_{max}={\left|\tilde{K}\right|}_{max}-\left|{\tilde{K}}_G\right|={\Psi }_U\left(p_{IR0}^{\ast } ,{ \mu }_{IR}\right)-\left|{\tilde{K}}_G\right| , p_{IR0}^{\ast }\in \tilde{D}.$$

(57)

The maximum possible equivocation for additionally fixed $\left|{\tilde{K}}_S\right|$, given the condition (52), is

$${\widetilde{∆}}_{K_{G}max}={\left|\tilde{K}\right|}_{max}-\left|{\tilde{K}}_S\right|-{\Psi }_L\left(p_{IR0}^{\ast },{ \mu }_{IR}\right) , p_{IR0}^{\ast }\in \tilde{D}.$$

(58)

By combining (57) and (58), we obtain an alternative expression

$${\widetilde{∆}}_{K_{G}max}=\left|{\tilde{K}}_G\right|-{\Psi }_L\left(p_{IR0}^{\ast },{ \mu }_{IR}\right) , p_{IR0}^{\ast } \in \tilde{D}.$$

(59)

Finally, from (57) and (57), it follows that

$${\left|{\tilde{K}}_S\right|}_{max}={\Psi }_U\left(p_{IR0}^{\ast } , {\mu }_{IR}\right)-{\Psi }_L\left(p_{IR0}^{\ast }, {\mu }_{IR}\right)-{\widetilde{∆}}_{K_{G}max}.$$

(60)

Figure 4 illustrates the relationships and interdependencies among the quantities ${\left|\tilde{K}\right|}_{max}$,${\left|{\tilde{K}}_S\right|}_{max}$,${\widetilde{∆}}_{K_{G}max}$, ${\Psi }_L\left(p_{IR0}^{\ast },{\mu }_{IR}\right)$ and ${\Psi }_U\left(p_{IR0}^{\ast } ,{\mu }_{IR}\right)$ for an arbitrarily chosen $p_{IR0}^{\ast }\in \tilde{D}$, given by relations (56–60). Since it makes sense to consider only the maximum values for the quantities $\left|\tilde{K}\right|$, $\left|{\tilde{K}}_S\right|$ and ${\widetilde{∆}}_{K_G}$, in the following text they will be denoted without explicitly indicating that these are maximum values.

Based on (60), we can formulate the following theorem.

Theorem 3. 

The maximum distillation rate of secret keys ${\tilde{K}}_S$ for further use is achieved at $p_{IR0}$ given by

$$p_{IRmax}=\underset{p_{\mathit{IR}0}\in \tilde{D}}{\mathit{arg\; max}}\left\{{\Psi }_U\left(p_{IR0}, {\mu }_{IR}\right)-{\Psi }_L\left(p_{IR0},{ \mu }_{IR}\right)\right\}.$$

(61)

Remark 6. 

Theorem 3 identifies the optimal operating point of the system in terms of the initial bit error rate $p_{IR0}$ at which the maximum usable key rate is achieved. This result is significant for system designers, as it provides a clear criterion for tuning the parameters to maximize secure key output. Figure 4 now illustrates this optimal point and its associated values for all critical quantities.

For the autonomy of the proposed system, it is crucial that the successively generated keys are mutually independent.

Theorem 4. 

Let a sequence of distilled keys $\left\{K_i\right\}$, $\left|K_i\right|=\left|K\right|$, $i=1, 2,\dots$ be generated during the autonomous operation of the system shown in Figure 1. Then, it holds that

$$I\left(K_i;K_{i-1}\right)\le {\displaystyle \frac{1}{\mathit{ln}2}}{2}^{-t}$$

(62)

$$t=n_{IR0}·{\mu }_{IR}-\left|K\right|$$

(63)

where $n_{IR0}$ is the length of the block of sequence $\left\{Y_i\right\}$ over which the IR protocol is executed, and ${\mu }_{IR}$ is its data remaining efficiency given by (38).

Proof of Theorem 4. 

By applying the chain rule for entropy, it can be written

$$\begin{array}{ll}H\left(K_{i-1}, X, Y,{ K}_i\right)& =H\left(K_{i-1}\right)+H\left(X∣K_{i-1}\right)+H\left(Y∣K_{i-1}, X\right)+H\left(K_i∣K_{i-1}, X, Y\right)\\ & =H\left(K_{i-1}\right)+H\left(X\right)+H\left(K_i∣Y\right)\end{array}$$

(64)

Since $H\left(X∣K_{i-1}\right)=H\left(X\right)$, $H\left(Y∣K_{i-1},X\right)=0,$ and $H\left(K_i∣K_{i-1},X,Y\right)=H\left(K_i∣Y\right)$. The same joint entropy can be written in another way

$$\begin{array}{ll}H\left(K_{i-1},K_i,X,Y\right)& =H\left(K_{i-1}\right)+H\left(K_i∣K_{i-1}\right)+H\left(X∣K_{i-1},K_i\right)+H\left(Y∣K_{i-1},K_i,X\right)\\ & =H\left(K_{i-1}\right)+H\left(K_i∣K_{i-1}\right)+H\left(X∣K_i\right)\end{array}$$

(65)

given that $H\left(X∣K_{i-1},K_i\right)=H\left(X∣K_i\right)$ and $H\left(Y∣K_{i-1},K_i,X\right)=0$. By equating the right sides of the equations (64) and (65), we obtain

$$H\left(K_i∣K_{i-1}\right)=H\left(X\right)+H\left(K_i∣Y\right)-H\left(X∣K_i\right)=H\left(K_i∣Y\right)+I(X;{ K}_i)$$

(66)

Since $I(X;K_i)\ge 0$, from (66) it follows

$$H\left(K_i∣K_{i-1}\right)\ge H\left(K_i∣Y\right).$$

(67)

According to Theorem 3 [32], the following holds

$$H\left(K_i∣W_i\right)\ge \left|K\right|-{\displaystyle \frac{1}{\mathit{ln}2}}{2}^{\left|K\right|-R\left(W_i\right)},$$

(68)

where the compression function

$$G:W_i\to {\left\{\mathrm{0,1}\right\}}^{\left|K\right|},$$

(69)

is a member of a universal class of hash functions [35], while $R\left(W_i\right)$ denotes the second order Renyi entropy [31]. Since the random variables $Y$, $W_i$, and $K_i$, form a Markov chain, i.e., $Y\to W_i\to K_i$, it holds that

$$H\left(K_i∣Y\right)\ge H\left(K_i∣W_i\right),$$

(70)

Thus, based on (67)–(70)

$$H\left(K_i∣K_{i-1}\right)\ge H\left(K_i∣Y\right)\ge H\left(K_i∣W_i\right)\ge \left|K\right|-{\displaystyle \frac{1}{\mathit{ln}2}}{2}^{\left|K\right|-R\left(W_i\right)}.$$

(71)

Considering that $W_i~B\left(0.5\right)$, $H\left(K_i\right)=\left|K\right|$, and $R\left(W_i\right)=H\left(W_i\right)=n_{IR0}·{\mu }_{IR}$, we finally obtain

$$\left|K\right|-H\left(K_i∣K_{i-1}\right)=H\left(K_i\right)-H\left(K_i∣K_{i-1}\right)=I\left(K_i;K_{i-1}\right)\le {\displaystyle \frac{1}{\mathit{ln}2}}{2}^{-\left(n_{IR0}·{\mu }_{IR}-\left|K\right|\right)},$$

(72)

which completes the proof. □

Remark 7. 

Based on Theorem 4, we conclude that the secret keys generated by the CR KSG system have maximum entropy and are mutually independent. This property fully justifies expression (36) for the innovative entropy, which includes not only of a component originating from the local true random number generator but also of an additional component $\left|K_G\right|$ derived from the distillation of secret keys in the previous cycle of the system.

Remark 8. 

In practical implementation, we fix the security margin t, affecting the compression rate of the hash function G, at t = 34 based on the leakage bound in Equation (62) of Theorem 4, which states that the key leakage is bounded by ${\displaystyle \frac{1}{\mathit{ln}2}}{2}^{-t}$. This choice ensures that the leakage remains below ${10}^{-10 }$ while maintaining computational efficiency within the SKD system.

The specific shape of the admissible region depends on the choice of the IR protocol. In the following chapter, the admissible region $\stackrel{\mathrm{~}}{\mathrm{D}}$ will be analyzed in detail for the case when the IR protocol is based on the Winnow protocol [39].

5. Optimal SKD System Based on CR KSG and Winnow IR Protocol

According to Theorem 1, the crucial influence on the shape of the admissible region comes from the parity bit structure that Alice and Bob send over the public channel, i.e., the structure of the entire set of masks $\left\{m_i\right\}=\left\{\left[m_{i1},m_{i2}, \dots ,m_{i{N}_i}\right]\right\}$, $i=\mathrm{1,2},\dots , n_p$, where $m_{ij}\in \left\{\mathrm{0,1}\right\}$. We denote by ${CR KSG}_W$ the CR KSG system in which the Winnow protocol is used for the IR phase of the SKD protocol. The choice of this IR protocol is based on its efficiency in the case of a small initial error $p_{IR0}$ between Alice’s and Bob’s sequences. Recall that in the CR KSG system $p_{IR0}$, and according to (7) equivalently the parameter $\epsilon$, are system design choices. Therefore, properly chosen $p_{IR0}$ will enable this protocol to correct errors efficiently and quickly with minimal communication while simultaneously preventing information leakage to Eve (so-called privacy maintenance) [39,40,41]. The Winnow protocol begins by dividing the initial sequences into data blocks of length $N$. The choice of this length has been the subject of intensive analysis over the past two decades, predominantly within QKD algorithms. Reference [39] demonstrates that the Winnow protocol with shorter block lengths, especially for $N=8$, is more efficient at error correction than with longer block lengths. Therefore, in the following, we adopt this value as a fixed parameter of the ${CR KSG}_W$ system. A detailed explanation of the protocol steps is provided below (Algorithms 1 and 2).

Algorithm 1. The Winnow protocol

1: Alice and Bob permute their initial key strings according to the negotiated rule and    divide the permuted key strings into blocks of length $\mathrm{N} = 2^{\mathrm{r}}$, $\mathrm{r} \ge 3$.

2: Alice and Bob calculate the parity of each N-bit block.

3: Alice and Bob compare their block parity pair.          If the block parity pair is accordant error-correcting operation is not performed but          the first bit of the block is discarded for privacy maintenance. Otherwise, an odd          number of errors exist in the N-bit block, and the first bit of the block is discarded for          privacy maintenance. Then, an error-correcting operation is performed with the          Hamming algorithm for the remaining N-1 bits.

4: Steps 1–3 are performed iteratively until the predetermined number of iterations are reached.

Algorithm 2. Hamming algorithm

a: Let ${\mathrm{I}}_{\mathrm{a}}$ be Alice’s (N-1)-bit string and ${\mathrm{I}}_{\mathrm{b}}$ be Bob’s (N-1)-bit string. Alice and Bob     calculate r-bit syndromes ${\mathrm{S}}_{\mathrm{a}}$ and ${\mathrm{S}}_{\mathrm{b}}$,${\mathrm{S}}_{\mathrm{a}}={\mathrm{I}}_{\mathrm{a}}{H}^T$, and ${\mathrm{S}}_{\mathrm{b}}={\mathrm{I}}_{\mathrm{b}}{H}^T$ on their (N-1)-bit     blocks, respectively, where $H$ is the Hamming check matrix.

b: Alice transmits ${\mathrm{S}}_{\mathrm{a}}$ to Bob, and errors are only discovered if the syndrome difference,      ${\mathrm{S}}_{\mathrm{d}}$, is non-zero, where ${\mathrm{S}}_{\mathrm{d}}={\mathrm{S}}_{\mathrm{a}}\oplus {\mathrm{S}}_{\mathrm{b}}$. Bob corrects errors.

c: Finally, r bits are deleted from each block to prevent the potential loss of privacy     to Eve due to the public transmission of Alice’s syndrome.

The following theorem provides explicit expressions for the upper and lower bounds of the admissible region of ${CR KSG}_W$, thereby enabling the optimal synthesis of the corresponding SKD system.

Theorem 5. 

The upper and lower bounds of the region ${\tilde{D}}^W$, which corresponds to the ${CR KSG}_W$ system with the Winnow IR protocol, are given by the following expressions

$${\Psi }_U^{Win}(p_{IR0}, {\mu }_{IR}^{Win})=min\left\{{\left|{\tilde{K}}_G\right|+h}_b\left({\displaystyle \frac{1}{2}}(1-\sqrt{1-2p_{IR0}}\right), {\mu }_{IR}^{Win}\left(p_{IR0}\right)-\tilde{t} \right\} ,$$

(73)

$${\Psi }_L^{Win}\left(p_{IR0},{ \mu }_{IR}^{Win}\right)=1-{\mu }_{IR}^{Win}\left(p_{IR0}\right)-{\displaystyle \frac{1}{n_{IR0}}}\left[{2n}_b{h}_b\left({\displaystyle \frac{1}{2}}\left({1-\left(1-2p_{IR0}\right)}^4\right)\right)+n_H{h}_b\left({\displaystyle \frac{1}{2}}\left({1-\left(1-2p_{IR0}\right)}^2\right)\right)\right] ,$$

(74)

where ${\mu }_{IR}^{Win}$ is the data remaining efficiency of the Winnow protocol, and $p_{IR0}$ denotes the initial BER between Alice’s and Bob’s sequences. The variable $n_b$ denotes the number of parity blocks of length $N=8$ sent by Alice, while $n_H$ represents the number of her transmitted syndromes from the (7,4) Hamming error-correcting code.

Proof of Theorem 5. 

During the execution of the Winnow protocol, two classes of parity bits are transmitted over the public channel

$$S_b=\left[Y_1,Y_2, \dots , Y_8\right]·{\left[1, 1, \dots ,1\right]}^T ,$$

(75)

$$S_H=\left[\begin{array}{c}{S}_{H1}\\ S_{H2}\\ S_{H3}\end{array}\right]=H_3·{\left[Y_2,Y_3, \dots , Y_8\right]}^T=\left[\begin{array}{ccc}1& 0& 1\\ 0& 1& 1\\ 0& 0& 0\end{array} \begin{array}{ccc}0& 1& 0\\ 0& 0& 1\\ 1& 1& 1\end{array} \begin{array}{c}1\\ 1\\ 1\end{array}\right]·{\left[Y_2,Y_3, \dots , Y_8\right]}^T.$$

(76)

The $S_b$ class is computed for each block and exchanged with the other party. In terms of Theorem 1, all masks corresponding to this class have a fixed length of 8 and contain eight ones, i.e.,

$$m_b=\left[m_{b1},m_{b2}, \dots ,{ m}_{b8}\right]=\left[1, 1, \dots ,1\right] , {\sum }_{j=1}^8{m}_{bj}=8.$$

(77)

The $S_H$ class is computed for each block in which Alice’s and Bob’s parity bits $S_b$ differ. The matrix $H_3$ is the parity-check matrix of the (7,4) Hamming error-correcting code, so $S_H$ is a three-bit syndrome of this code [42]. By examining the structure of the matrix $H_3$, we observe that each row contains exactly four ones, which implies that the masks in this class satisfy the following property

$$m_{Hi}=\left[m_{Hi1}, m_{Hi2}, \dots ,m_{Hi7}\right] , {\sum }_{j=1}^7{m}_{Hij}=4 , i=\mathrm{1,2},3.$$

(78)

Therefore, the sum in the expression for the lower bound (47) in Theorem 2 can be split into two terms: one corresponding to the parity bits from class $S_b$ and the other corresponding to the parity bits from class $S_H$. Based on (77), we have ${\displaystyle \frac{1}{2}}\sum _{j=1}^{N_i}{m}_{ij}=8$ and ${\displaystyle \frac{1}{2}}\sum _{j=1}^{N_i}{m}_{ij}=4$ for classes $S_b$ and $S_H$, respectively. Since $N_i=8$, for all $i$, we finally obtain

$${\sum }_{i=1}^{n_p}{h}_b\left({\displaystyle \frac{1}{2}}\left({1-\left(1-2p_{IR0}\right)}^{{\displaystyle \frac{1}{2}}\sum _{j=1}^{N_i}{m}_{ij}}\right)\right)={2n}_b\left({\displaystyle \frac{1}{2}}\left({1-\left(1-2p_{IR0}\right)}^4\right)\right)+n_H{h}_b\left({\displaystyle \frac{1}{2}}\left({1-\left(1-2p_{IR0}\right)}^2\right)\right).$$

(79)

The factor of 2 in the first term arises from the fact that, in addition to Alice, Bob also sends his parity bits from class $S_b$. By substituting (79) into (47), we obtain the statement (74) for the lower bound. The upper bound (73) follows directly from (46) by instantiating the general remaining data efficiency ${\mu }_{IR}\left(p_{IR0}\right)$ with ${\mu }_{IR}^{Win}\left(p_{IR0}\right)$, which corresponds to the Winnow protocol. This completes the proof of the theorem. □

In [40], a complete algorithm is presented for calculating ${\mu }_{IR}^{Win}\left(p_{IR0}\right)$, $n_b$, $n_H$, $n_p$, and $p_{IR\_end}$, where $p_{IR\_end}$ denotes the BER between Alice’s and Bob’s sequences at the end of the protocol. Figure 5, Figure 6 and Figure 7 show how these quantities vary as functions of $p_{IR0}$, with the number of parity bits normalized with respect to the initial sequence length $n_{IR0}$

$${\tilde{n}}_p={\displaystyle \frac{n_p}{n_{IR0}}} , {\tilde{n}}_b={\displaystyle \frac{n_b}{n_{IR0}}} , {\tilde{n}}_H={\displaystyle \frac{n_H}{n_{IR0}}}.$$

(80)

Remark 9. 

The Winnow protocol iteratively applies the basic operations of dividing strings into blocks, exchanging block parity bits, computing and sending (7,4) Hamming code syndromes, performing error correction, and discarding a corresponding number of bits to maintain privacy. As the number of iterations increases, the value of ${\mu }_{IR}^{Win}\left(p_{IR0}\right)$ decreases for every $p_{IR0}$, as shown in Figure 5, thereby reducing the key distillation rate of the ${CR KSG}_W$ system. On the other hand, according to Figure 7, a smaller number of iterations increases $p_{IRend}$ for each $p_{IR0}$, effectively reducing the key distillation rate. Therefore, selecting the number of iterations is a trade-off between these two opposing effects and is typically determined through experimental evaluation of the system. Our choice of a maximum of four iterations ($max iter=4$) has been practically confirmed as the optimal solution.

In Figure 8 (middle), the admissible region for the key distillation rate of the ${CR KSG}_W$ system is shown, with Winnow protocol parameters $N=8$, $max iter=4$, and an upper bound on the KDR $\delta \le {10}^{-4}$.

In Figure 8 (top), the correspondence between the parameter $p_{IRend}=\delta ={10}^{-4}$ and $p_{IR0}\left(\delta \right)=0.0995$ is shown, which determines the upper bound of the admissible region ${\tilde{D}}^W$ along the $p_{IR0}$ axis. Taking into account relation (7), the corresponding parameter is $\epsilon \left(\delta \right)=0.0525$.

Based on Theorem 3, it follows that the maximum value of ${\left|{\tilde{K}}_S\right|}_{max}$, regardless of the choice of ${\widetilde{∆}}_{K_{G}max}$, is achieved by finding the maximum of the function

$$f\left(p_{IR0}\right)={{\Psi }_U}^{Win}\left(p_{IR0} ,{\mu }_{IR}\right)-{{\Psi }_L}^{Win}\left(p_{IR0},{\mu }_{IR}\right) , p_{IR0}\in {\tilde{D}}^W.$$

(81)

Due to the highly complex analytical expressions for ${{\Psi }_U}^{Win}\left(p_{IR0} ,{\mu }_{IR}\right)$ and ${{\Psi }_L}^{Win}\left(p_{IR0},{\mu }_{IR}\right)$, this maximum can be obtained numerically. Figure 8 (bottom) shows the function $f\left(p_{IR0}\right)$ and its maximum $f\left(p_{IR0max}\right)$, which is achieved at $p_{IR0max}=0.0905$, corresponding to ${\epsilon }_{max}=0.0525$. Figure 8 (middle) shows points $A$ and $B$ on ${{\Psi }_L}^{Win}$ and ${{\Psi }_U}^{Win}$, respectively, for the $p_{IR0max}$ value. The coordinates of these points are

$$A\left(0.0905, C_1\right) , B\left(0.0905, { C}_2-\tilde{t}\right),$$

(82)

where $C_1$ and $C_2$ denote

$$C_1={{\Psi }_L}^{Win}\left(p_{IR0max},{ \mu }_{IR}\right)=0.1751 , C_2={\mu }_{IR}\left(p_{IR0max}\right)=0.4023.$$

(83)

The value $p_{IRend}\left(0.0905\right)=2.5822·{10}^{-5}$, indicates an extremely low probability of KDR.

Remark 10. 

From Equation (60) and the definition of normalized values given in (39), we obtain

$$\left|{\tilde{K}}_S\right|=C_2-{\displaystyle \frac{t}{n_{IR0}}}-{\displaystyle \frac{C_1}{1-r}} ,$$

(84)

and based on Equations (59) and (39), we obtain

$$n_{IR0}={\displaystyle \frac{K_G-{∆}_{K_G}}{C_1}}=K_G{\displaystyle \frac{1-r}{C_1}}$$

(85)

$$r={\displaystyle \frac{{∆}_{K_G}}{K_G}}={\displaystyle \frac{{\widetilde{∆}}_{K_G}}{{\tilde{K}}_G}}, {\widetilde{∆}}_{K_G}<C_2-C_1$$

(86)

where the constants $C_1$ and $C_2$ are given in Equation (83). For sufficiently large $n_{IR0}$ and sufficiently small r, from (84) we conclude that the asymptotic value of the maximal effective secrecy capacity is equal to ${\left|{\tilde{K}}_s\right| }_{max}=C_2-C_1$ = 0.2272, or 22.72%.

The effective secrecy capacity (84) can also be expressed in terms of $K_G$, by substituting (85) into (84), which gives

$$\left|{\tilde{K}}_S\right|=C_2-{\displaystyle \frac{C_1}{1-r}}\left(1+{\displaystyle \frac{t}{K_G}}\right)$$

(87)

The synthesis of the optimal ${CR KSG}_W$ system begins with the selection of the parameter $r$ and $K_G$, which according to (87) uniquely determine the secrecy capacity $\left|{\tilde{K}}_S\right|$; see Figure 9.

The selection of the secret key length $K_G$ can be made based on various practical considerations. For example, if a standard KSG is used, such as AES, DES, or 3DES, which typically comes with predefined key lengths [41], then one of the available options is chosen.

This value uniquely determines the base block length $n_{IR0}$, according to (85). Figure 10 shows the functions $n_{IR0}\left(r\right)$, for several typical values of $\left|K_G\right|$.

Example 1. 

If we choose $r=0.3$ and $\left|K_G\right|=512$, the resulting effective secrecy rate is $\left|{\tilde{K}}_S\right|=0.1355$, which is achieved by selecting a base block length of $n_{IR0}=2047$. In this case, the lower bound on equivocation is ${∆}_{K_G}=r{ K}_G=0.3·512=154$. The compression parameter $t$ is, as before, fixed at $t=34,$ which ensures a leakage rate below ${10}^{-10}$, see Remark 8.

Table 1. Maximum effective secret key rate ${\left|{\tilde{K}}_s\right|}_{max}$ and the corresponding base block length $n_{IR0}$, for typical values of key length $\left|K_G\right|$ and a fixed security margin $t=34$.

$\left|{\mathit{K}}_{\mathit{G}}\right|$	$\mathit{r}$	${∆}_{{\mathit{K}}_{\mathit{G}}}$	${\left|{\tilde{\mathit{K}}}_{\mathit{s}}\right|}_{\mathit{m}\mathit{a}\mathit{x}}$	${\mathit{n}}_{\mathit{I}\mathit{R}0}$
256	0.500	128	0.0056	732
512	0.250	128	0.1533	2194
1024	0.125	128	0.1955	5118
4096	0.031	128	0.2005	20,469

provides an overview of the values of ${\left|{\tilde{K}}_s\right| }_{max}$ and $n_{IR0}$ for typical values of $\left|K_G\right|$, while maintaining the equivocation lower bound ${∆}_{K_G}$ at a constant value of $128 b$.

6. From Ideal Security Towards Perfect Security by SKD Based on CR KSG and Winnow IR Protocol

The security of the proposed SKD based on the CR KSG relies on the ideality of the KSG in the Shannon sense [36]. In Shannon’s definition of an ideal system, it is important that the key equivocation is not reduced to zero with an unlimited increase in the available ciphertext [36].

An extension of the original Shannon concept to the so-called Ideally Secret Autonomous Robust (ISAR) ciphering system was introduced in [23]. According to Definition 3, in [23], the ISAR ciphering system can maintain minimal key equivocation at a predefined value ${\Delta }_K$, independently of the message’s probability distribution and without an additional secret key distribution system.

Remark 11. 

According to Theorem 1, common randomness block of proposed SKD based on CR KSG is an ISAR ciphering system, in which the ciphertext consists of all parity bits transmitted over the public channel. Therefore, an attack on the system aimed at reconstructing the key $K_G$ faces an uncertainty on the order of $2^{{\Delta }_{K_G}}$. In other words, the cryptanalyst is presented with $2^{{\Delta }_{K_G}}$ equally probable hypothesis for the key $K_G$.

Figure 11 illustrates an extension of the basic CR SKD System from Figure 1 to a system whose ultimate purpose is the generation of secret keys for the Vernam cipher [43], which is used to encrypt an independent message source $M$. An intriguing question is whether and under what conditions this system can achieve perfect secrecy. To answer this question, it is necessary to prove the following theorem.

Theorem 6. 

For the CR SKD system the following holds

$$H\left(W_i|S\right)=H\left(W_i\right) ,$$

(88)

$$R\left(W_i|S=s\right)=\left|W_i\right|.$$

(89)

Proof. 

The information from the public channel, $S=\left\{S_i\right\}$, available to Eve, is always in the form of parity bits given by

$$S_i={\sum }_{j=1}^N{Y}_j·m_{ij} , m_{ij}\in \left\{\mathrm{0,1}\right\}$$

(90)

where $m_{ij}\in \left\{\mathrm{0,1}\right\}$ are the bits of the mask vector associated with $S_i$, as indicated in Theorem 1, Formulas (18) and (19). After transmitting the bit $S_i$, Alice discards one bit from a known position $j^{\ast }$ within the current block of length $N$, as a result of which Equation (90) is transformed into equation

$${\overline{S}}_i={\sum }_{\begin{array}{c}j=1\\ j\ne j^{\ast }\end{array}}^N{Y}_j·m_{ij}.$$

(91)

Equation (91) can also be written in the following equivalent form

$${\overline{S}}_i=S_i⨁Y_{j^{\ast }}.$$

(92)

Since $P\left(Y_{j^{\ast }}=1\right)=P\left(Y_{j^{\ast }}=0\right)=0.5$, knowing the parity bit $S_i$ does not provide any information about ${\overline{S}}_i$ of the remaining bits. After the completion of the IR protocol, the sequence $W_i$ consists only of the bits that remain after the exclusion of the bits at positions $j^{\ast }$. Eve gains no additional knowledge about their values, even though all parity bits $S=\left\{S_i\right\}$ transmitted over the public channel are available to her. Hence, $H\left(W_i|S\right)=H\left(W_i\right)$, which is precisely the first claim of this theorem.

To prove statement (89), let us recall that for the conditional Rényi entropy of order two and the corresponding Shannon entropy, the following inequality holds

$$H\left(W_i|S=s\right)\ge R\left(W_i|S=s\right) ,$$

(93)

where equality is achieved only when $H\left(W_i\right)=\left|W_i\right|$, which is when the sequence $W_i$ has maximum entropy. Given that each bit in $W_i$ is of the form $W=X\oplus C_K$, $C_K~B\left(0.5\right)$, we conclude that $H\left(W_i\right)=\left|W_i\right|$, and therefore, from (93), it follows that

$$R\left(W_i|S=s\right)=H\left(W_i|S=s\right)=H\left(W_i\right)=\left|W_i\right| ,$$

(94)

which completes the proof of the theorem. □

Remark 12. 

Based on Corollary 5 [35], Theorems 4 and 6, it follows that

$$I\left(K_s;G,S\right)\le {\displaystyle \frac{1}{\mathit{ln}2}}{ 2}^{-t} ,$$

(95)

where $t$ is the compression rate of the applied universal hash function $G$. In other words, Eve’s information about $K_s$ given $G$ and $S$ can be made arbitrarily small.

Theorem 7. 

The system shown in Figure 11 is perfectly secret if

$$\left|{\tilde{K}}_s\right|={\widetilde{∆}}_{K_G} ,$$

(96)

up to an error smaller than ${\displaystyle \frac{1}{\mathit{ln}2}}{ 2}^{-t},$ where t is the security margin defining the compression rate of the applied universal hash function G. The maximum effective secrecy rate, $\left|{\tilde{K}}_s\right|$ is given by

$${\left|{\tilde{K}}_s\right|}_{max}={\displaystyle \frac{1}{2}}\left({{\Psi }_U}^{Win}\left(p_{IR0\_max},{\mu }_{IR}\right)-{{\Psi }_L}^{Win}\left(p_{IR0\_max},{\mu }_{IR}\right)\right) , p_{IR0\_max}=0.0905.$$

(97)

Proof. 

A necessary and sufficient condition for perfect secrecy is that the eavesdropper’s observations do not change their uncertainty about the applied secret keys, that is, the following must hold

$$H\left(K_s|Z,S\right)=H\left(K_s\right)=\left|K_s\right|$$

(98)

Note that the condition for perfect secrecy (98) involves the complete set of observations $\left\{Z,S\right\}$ available to the attacker, not only the ciphertext $Z$, but also all the information $\left\{S\right\}$ from the public channel during the execution of the associated SKD protocol.

The relationship between $M$, $Z$, and $K_s$ is defined by the Vernam cipher.

$$Z=M⨁K_s$$

(99)

where $K_s~B\left(0.5\right)$ and is independent of $M$. It follows that $Z$ is independent of $K_s$, that is,

$$H\left(K_s|Z,S\right)=H\left(K_s|S\right)$$

(100)

Based on (95), from (100) it follows that

$$H\left(K_s|Z,S\right)=H\left(K_s|S\right)\ge \left|K_s\right|-{\displaystyle \frac{1}{\mathit{ln}2}}{2}^{-t}$$

(101)

which means that Eve’s entropy about the secret key $K_s$ is close to maximum, or in other words

$$H\left(K_s|Z,S\right)=H\left(K_s|S\right)=H\left(K_s\right)$$

(102)

with accuracy ${\displaystyle \frac{1}{\mathit{ln}2}}{ 2}^{-t}$. This proves that the condition for perfect secrecy (98) holds with respect to the secret key $K_s$.

On the other hand, since the CR block is an ISAR cryptosystem, it holds that

$$H\left(K_G|Z,S\right)=H\left(K_G|S\right)\ge {\Delta }_{K_G}$$

(103)

From (102) and (103), it follows that in the case when

$$\left|K_s\right|={\Delta }_{K_G}$$

(104)

the attacker gains no advantage in reconstructing $K_G$ compared to reconstructing $K_s,$ since due to (103) and (104), they face a set of equally likely alternatives of the same cardinality $2^{\left|K_s\right|}$, meaning that simultaneously the following holds

$$H\left(K_G|Z,S\right)=H\left(K_s\right) , H\left(K_s|Z,S\right)=H\left(K_s\right)$$

(105)

with accuracy ${\displaystyle \frac{1}{\mathit{ln}2}}{ 2}^{-t}$. This completes the proof of the theorem. □

Remark 13. 

Starting from (84) and (85), we can derive expressions that relate the maximum ${\left|{\tilde{K}}_s\right| }_{max}$ and the length of the basic block $n_{IR0}$ with $\left|K_G\right|$ and the security margin $t$

$${\left|{\tilde{K}}_s\right| }_{max}={\displaystyle \frac{1}{2}}\left(C_2-C_1-t·{\displaystyle \frac{C_2+C_1}{2{|K}_G|+t}}\right) ,$$

(106)

$$n_{IR0}={\displaystyle \frac{2{|K}_G|+t}{C_2+C_1}},$$

(107)

where the constants $C_1$ and $C_2$ are given by (83), see Figure 12. For sufficiently large $\left|K_G\right|$, from (106), we conclude that the asymptotic value of the maximal effective secrecy capacity is equal to ${\left|{\tilde{K}}_s\right| }_{max}={\displaystyle \frac{1}{2}}\left(C_2-C_1\right)$ = 0.1136, or 11.36%.

The synthesis is straightforward and consists first of selecting $\left|K_G\right|$ and $t$, which then uniquely determine $n_{IR0}$. Note from Figure 12a, that once $\left|K_G\right|>400$, we enter the saturation region where ${\left|{\tilde{K}}_s\right|}_{max}$ does not increase by more than 10%.

Table 2. Maximum effective rate of secret key generation ${\left|{\tilde{K}}_s\right|}_{max}$ and the corresponding basic block length $n_{IR0}$, for typical key lengths $\left|K_G\right|$ and a security margin $t=34$.

$\left|{\mathit{K}}_{\mathit{G}}\right|$	${\left|{\tilde{\mathit{K}}}_{\mathit{s}}\right|}_{\mathit{m}\mathit{a}\mathit{x}}$	${\mathit{n}}_{\mathit{I}\mathit{R}0}$
128	0.0797	502
256	0.0956	946
512	0.1043	1833
1024	0.1088	3606
4096	0.1124	14,244

provides an overview of these values for standard $\left|K_G\right|$ settings.

Example 2. 

By selecting the optimal parameters ${\epsilon }_{max}=0.0525$, $t=34$, $\left|K_G\right|=512$, $n_{IR0}=1833$, we synthesized a perfectly secret autonomous encryption system capable of protecting an information source with a rate up to ${\left|{\tilde{K}}_s\right| }_{max}=0.1043$, with $KDR<2.5822·{10}^{-5}$, and a key leakage rate $I(K_s, K_G;Z,S)<{10}^{-10}$.

The selection of the system’s operational mode fundamentally depends on the operational environment and the prioritized security requirements. If it is assessed that the adversary does not possess computational capabilities sufficient to feasibly analyze all $2^{{\Delta }_{K_G}}$ hypotheses regarding the applied secret key $K_G$ within an acceptable timeframe, then the ideal security mode, with the corresponding equivocation bound on the secret keys, becomes the logical choice. Here, the acceptable analysis time is practically defined by the period during which the protected information retains its relevance. However, if the system is required to provide forward secrecy and ensure the impossibility of decryption regardless of the adversary’s computational resources, including quantum computing, then the perfect secrecy mode should be selected. The trade-off in this case is a reduction in the secret key distillation rate. In the subsequent Example 3, we present two practical scenarios in which each operational mode offers distinct advantages.

Example 3. 

Mode Selection for Secure Communications.

Consider a secure messaging system in a high-latency environment (e.g., satellite communication). The system requires key updates every 60 s and operates with a constrained public channel. In this context, the ideal secrecy mode is appropriate—it enables higher secret key rates by tolerating a strictly bounded (but non-zero) leakage rate, ensuring timely key availability.

In contrast, a critical infrastructure application (e.g., defense-grade secure storage) may prioritize zero leakage over key throughput. For such use cases, the perfect secrecy mode is preferred, despite halving the key rate, as it guarantees zero information disclosure to an adversary even under full public observation.

Summary of Additional Assumptions Made in in the Design of Proposed Perfectly Secure System

For clarity, let us summarize the assumptions made in the design of the proposed autonomous perfectly secure system from Figure 11. In addition to the assumptions outlined for system from Figure 1, (see Section “Summary of Assumptions Made in the Design of Proposed System”), the system in Figure 11 assumes:

• The secret key output $K_s,$ from the SKD system is used for encryption of an independent message source $M$ under the Vernam cipher, requiring statistical independence between $K_s$ and $M$.
• The distilled key $K_s$ is uniformly distributed $K_S~B\left(0.5\right)$, ensuring maximum entropy, and its length is dimensioned to match the secrecy margin, i.e., $\left|K_s\right|={\Delta }_{K_G}$, maintaining effective secrecy when used for encryption.
• The Winnow IR protocol is implemented with puncturing, ensuring that the leakage of parity bits over the public channel $S$ does not reduce the entropy of the reconciled sequence, satisfying $H\left(W_i|S=s\right)=H\left(W_i\right)$.
• The system operates with sufficient block lengths and a chosen compression rate to achieve the perfect secrecy region within a negligible error, ensuring that $H\left(K_s|Z,S\right)=H\left(K_s\right)$ holds to within an error bounded by ${\displaystyle \frac{1}{\mathit{ln}2}}{ 2}^{-t}$, where $t$ is the compression rate of the universal hash function.
• The CR SKD block is assumed to function as an ISAR cryptosystem, maintaining the secrecy margin on the key even under unlimited ciphertext exposure, with $H\left(K_G|Z,S\right)\ge {\Delta }_{K_G}$.
• The authenticated but public communication channel remains assumed secure against injection or modification by the adversary, consistent with the assumptions made for system from Figure 1.

These additional assumptions collectively enable the system to transition from ideal secrecy to practical perfect secrecy in the Shannon sense, ensuring the effective and autonomous generation of secure keys for Vernam encryption under practical conditions.

7. Computational Complexity and Overhead Analysis

The proposed autonomous SKD system based on a synthetic CR source using a shared-key keystream generator $KSG\left(K_G\right)$ and local pure randomness achieves bounded, predictable computational complexity and communication overhead per cycle, which is critical for deployment in embedded and resource-constrained environments.

7.1. CR Generation Phase

The CR block performs bitwise modulo-2 addition (XOR) between the local Bernoulli-generated sequence $X$ and the keystream ${ C}_K$ from $KSG\left(K_G\right)$, see (1), requiring n XOR operations per data block of length $n$. The generation of $X$ involves $n$ calls to a local random number generator (RNG), while the $KSG\left(K_G\right)$ satisfies the avalanche criterion and typically requires a fixed, small number of operations per bit depending on the $KSG$ implementation.

Table 3. Comparison of stream cipher keystream generators for SKD systems.

KSG	Block Size	Ops per Bit (SW)	Ops per Bit (HW/AES-NI)	RAM Footprint	Throughput (MB/s, SW)	Remarks
AES (CTR/OFB) [44,45,46]	128 bits	~10–15 ops/bit	~1 op/bit	~2–4 KB (tables)	~30–100 MB/s	High security margin, mature
Grain v1 [47,48]	1 bit	~1–3 ops/bit	~1 op/bit	~80 bytes	~50–150 MB/s	Lightweight, low area
Trivium [48,49]	1 bit	~1–3 ops/bit	~1 op/bit	~36 bytes	~50–200 MB/s	Lightweight, low area
ChaCha20 [50,51]	512 bits	~3–4 ops/bit	~1–2 ops/bit	~128 bytes	~100–400 MB/s	High performance, strong security
HC-128 [48,52]	128 bits	~4–6 ops/bit	~2 ops/bit	~4 KB	~70–200 MB/s	Balanced security and speed

provides a structured comparison of widely used $KSGs$ that can be employed within SKD systems, focusing on their operational complexity, memory footprint, and throughput performance under practical conditions.

The table includes:

• AES in CTR/OFB mode, representing a high-security, block-cipher-based KSG with higher per-bit cost in pure software but highly efficient under AES-NI [44,45,46].
• Lightweight stream ciphers (Grain v1 [47,48], Trivium [48,49]), illustrating extremely low per-bit complexity and minimal memory requirements suitable for resource-constrained SKD embedded implementations with minimal RAM and low power.
• ChaCha20 [50,51] and HC-128 [48,52], demonstrating high throughput and balanced security for SKD systems eliminating the need for hardware accelerators.

Based on these findings, we conclude that for autonomous SKD with $KSG\left(K_G\right)$:

• AES remains suitable when hardware AES-NI support is available, ensuring low latency and secure keystream generation.
• Grain/Trivium may be preferable in microcontroller-based SKD nodes due to minimal computational complexity and energy usage.

7.2. Comparative Operational Complexity per Secret Key Bit in SKD Systems

When comparing SKD architectures, the supreme criterion for practical viability is the operational complexity per distilled secret key bit under equivalent security guarantees. To enable a fair and insightful comparison, consider:

• System A: A classical SKD system based on natural CR sources (e.g., wireless fading, biometric signals) requiring an AD phase to reduce Eve’s correlation while increasing Alice-Bob correlation.
• System B (Proposed): An autonomous SKD system using a synthetic CR source created by combining a local Bernoulli random sequence with a keystream from a shared-key generator, $KSG\left(K_G\right)$. This architecture completely removes the need for AD, operating with maximum intrinsic correlation and maximum second-order Rényi entropy.

The AD phase in System A requires exponentially more initial raw data to achieve the same final block length $n_{IR\_end}$ at the end of IR phase, particularly under high initial Eve–Alice correlations, see [1,40]. The produced sequence has reduced second-order Rényi entropy, necessitating greater compression during PA to meet security parameters. System A typically undergoes a compression $n_{IR\_end}\to \left|R\left(W_i|S=s\right)\right|$, [53] where, due to residual correlation with Eve side information $\left|R\left(W_i|S=s\right)\right|\ll \max H\left(W_i|S=s\right)=\left|W_i\right|,$ leading to a significantly lower yield of distilled secret bits per cycle.

In contrast, System B ensures that the second-order Rényi entropy equals the maximal Shannon entropy for the reconciled sequence. This allows the PA step to operate with minimal compression $n_{IR\_end}\to n_{IR\_end}-t$, where $t=34$ is a fixed security margin independent of data block of length $n$.

As a result, for a reasonably large $n_{IR\_end}$, the final distilled secret key length is close $n_{IR\_end}$ in System B but can be dramatically smaller in System A.

Given that both systems have similar complexity in IR (Winnow: $O(n_{IR}$)) and PA (Toeplitz universal hash: $O(n_{I{R}_{end}}\log n_{I{R}_{end}})$, see [54,55]) the effective per-distilled-bit complexity for System A becomes significantly higher due to the necessity of AD, and reduced output length after PA.

In contrast, System B requires only the additional cost of generating the keystream using $KSG\left(K_G\right)$, which can be efficiently implemented with ~1–15 operations per generated keystream bit depending on the chosen KSG (AES, Grain, Trivium, etc.) and minimal additional RAM and energy overhead, see Table 3.

Moreover, this advantage increases for System B as the initial Eve–Alice correlation in System A increases, further reducing System A’s efficiency. Thus, the proposed architecture not only simplifies the protocol stack by eliminating the AD phase but also maximizes the effective key rate while minimizing operational and communication overheads, achieving superior efficiency for secure autonomous SKD in practical deployments.

8. Experimental Verification

To confirm the theoretical analysis presented in Section 4, Section 5 and Section 6, we conducted 1000 repeated simulations of the proposed CR-based SKD system operating in perfect secrecy mode with a basic data block length of $n_{IR0}=2000$ bits per run.

Figure 13 shows the empirical spread of the measured all four system parameter curves (yellow, pink, red, green), displaying the one-sigma confidence regions around each curve. The results show excellent agreement between the simulated and theoretical predictions from Figure 8, confirming the accuracy of the analytical model under perfect secrecy constraints.

Figure 14 presents the histogram of the generated perfectly secret key lengths across all simulation runs (solid line), with the vertical dashed line indicating the theoretically expected value calculated using Equations (106) and (107). Due to the low variance observed in the simulations, we conclude that the experimental and theoretical results for the perfect secret key rate exhibit exceptional agreement. The expected theoretical value for the distilled secret key rate was computed as: ${\left|{\tilde{K}}_s\right|}_{max}=0.5·\left(C_2-C_1-{\displaystyle \frac{t}{n_{IR0}}}\right)=0.1051$, confirming the system’s ability to consistently generate secret keys at the predicted rate while maintaining perfect secrecy.

The yellow, purple, magenta, and green curves represent different system parameter configurations. The excellent agreement with theoretical predictions from Figure 8 validates the analytical model.

9. Security Analysis and Practical Consideration

Generic attacks on SKD systems are based on optimal eavesdropper strategies for estimating the sequence $W_i$. Based on Theorem 6, we conclude that the proposed system is resistant to this type of attack. However, strategies for reconstructing the secret key $K_G$ are the most critical for this class of systems. If Eve is able to reconstruct $K_G$, she obtains the same keystream $C_K$ as Alice and Bob. In that case, Eve’s optimal strategy consists of generating her own local binary noise $X_E~B\left(\epsilon \right)$ and tracking all steps of the IR and PA protocols executed by Alice and Bob [1]. In that case, based on Equation (15), we obtain that the secrecy capacity is

$$C_S=min\left\{I\left(X_A;X_B\right), I\left(X_A;X_B|X_E\right)\right\}=I\left(X_A;X_B|X_E\right)=h_b\left(P_{AB}\right)-h_b\left(P_{AE}\right)=0 ,$$

(108)

given that

$$P_{AB}=P_{AE}=2\epsilon \left(1-\epsilon \right) ,$$

(109)

and assuming that the AD protocol is not applied, which could otherwise shift the advantage to Alice and Bob over Eve. This type of attack is prevented in the CR KSG system by continuously maintaining the equivocation $H\left(K_G|S\right)$ above a predefined threshold ${\Delta }_{K_G}$. In practical terms, this means that in every operational cycle, the adversary is faced with $2^{{\Delta }_{K_G}}$ equally likely hypotheses about the key $K_G$, making the system ideally secure in the Shannon sense. As shown in Remark 10, within this mode of operation, referred to as the ideal security regime, it is possible to select appropriate parameters to ensure a desired trade-off between the secret key distillation rate and the lower bound on the key $K_G$ equivocation.

In Section 5, Theorem 7 demonstrates how the CR KSG system transitions into the regime of perfect secrecy by equalizing the equivocations of the distilled keys and the KSG secret key. When this regime is compared to the ideal security regime, it becomes evident that the cost of achieving perfect secrecy is a reduction in the effective secret key distillation rate.

Remark 14. 

The distribution of the initial value $K_G$ can be carried out in several ways depending on the security environment of the system. (a) Within well-organized permanent protection systems, the policy of using cryptographic keys can ensure that previously distributed keys are never exhausted to the end. A predefined remainder can be saved for the initial $K_G$ and the start of the autonomous CR KSG system. (b) In other cases, $K_G$ can be distilled by a previous independent stage of SKD based on biometric sources of CR, such as, e.g., EEG or voice [13,14,56].

The proposed autonomous SKD system can always be implemented in practice, provided that the parties involved in the protocol have access to a public authenticated channel with sufficient capacity. To quantify this requirement, we introduce a measure of the load of the public channel per distilled secret key bit $K_S$

$$E_{BC}={\displaystyle \frac{{\left|{\tilde{K}}_s\right|}_{max}}{{\tilde{n}}_p}}={\displaystyle \frac{1}{{\tilde{n}}_p}}\left(C_2-{\displaystyle \frac{t}{n_{IR0}}}-{\displaystyle \frac{C_1}{1-r}}\right) ,$$

(110)

or taking into account (85), we can express $E_{BC}$ in equivalent form

$$E_{BC}={\displaystyle \frac{1}{{\tilde{n}}_p}}\left(C_2-{\displaystyle \frac{C_1}{1-r}}·\left(1+{\displaystyle \frac{t}{{|K}_G|}}\right)\right).$$

(111)

Figure 15 shows the dependence given by (111) for different values of $r$, when the system operates in the ideal secrecy mode. In the case of perfect secrecy, based on (106), we obtain the following dependence

$$E_{BC}={\displaystyle \frac{{\left|{\tilde{K}}_s\right|}_{max}}{{\tilde{n}}_p}}={\displaystyle \frac{1}{{\tilde{n}}_p}}\left(C_2-C_1-{\displaystyle \frac{t}{n_{IR0}}}·{\displaystyle \frac{C_2+C_1}{2{|K}_G|+t}}\right) ,$$

(112)

which is shown in Figure 16.

Based on these dependencies, we can conclude that in the perfect secrecy operating mode, for $\left|K_G\right|=512$, this ratio is not less than 1/8. In other words, for the online operation of an autonomous, perfectly secret CR KSG system, the public channel must support transmission speeds approximately eight times greater than the rate of the information source being protected. From Figure 15, we observe that for the same values of $K_G$, and a secret key $K_S$ equivocation of approximately 128 bits $(r=0.2)$, this requirement is significantly lower, just around 5 times. In the era of modern telecommunications and the internet, this demand does not pose a serious challenge. In offline operation mode, the limitation of the transmission speed over the public channel only affects the time needed to distill the required amount of secret keys.

The practical application of autonomous CR KSG systems encompasses a wide range of scenarios, from commercial to strategic uses for the security of critical infrastructure, diplomatic correspondence, and cover communications during military operations. Since specialized and complex cryptographic key generation and distribution systems are typically developed at strategic levels, autonomous CR KSG systems are ideal as backup systems that can assume their function in the event of failure, compromise, or destruction of the primary systems.

In military applications, these systems become especially attractive due to the widespread availability of mobile internet, such as Starlink. In the event of disruption of standard secure communication links, which are critical for the successful conduct of military or special operations, autonomous CR KSG systems can take over the role of generating and distributing cryptographic keys. For example, the war in Ukraine has demonstrated that the ubiquity of the Starlink system potentially enables perfectly secure communication with central or regional commands even in conditions where military units are completely isolated or surrounded, despite not having been previously supplied with cryptographic keys or having exhausted them entirely.

Limitation of Proposed Systems

While the proposed architectures aim to achieve practical perfect secrecy in the Shannon sense, several limitations merit discussion.

• The systems rely on the availability of trusted, high-quality local randomness sources, whose continuous entropy guarantees and unbiased generation are critical but challenging in practice.
• The requirement for a pre-shared secret key $K_G$, while refreshed autonomously, necessitates an initial secure distribution step.
• The models assume an authenticated public channel immune to modification, requiring additional mechanisms and key resources for robust authentication.
• While the ISAR framework provides theoretical secrecy under unlimited ciphertext observation, practical $KSG\left(K_G\right)$ implementations may face side-channel or physical security challenges affecting effective secrecy.
• Finite block lengths introduce deviations from asymptotic secrecy rates, with practical IR errors and compression factors impacting performance.
• Achieving low BER regimes to maximize secrecy rates may incur latency and throughput trade-offs, particularly for large block operations.
• While information-theoretic security is computation-independent, practical implementations of $KSG\left(K_G\right)$, Winnow IR, and universal hashing must be carefully designed to avoid vulnerabilities and inefficiencies.
• The proposed models focus on message secrecy and do not inherently address traffic analysis resistance, which remains an open area for further development.

Addressing these limitations represents important directions for advancing autonomous, practically secure key distillation and encryption systems.

10. Conclusions

This paper introduces a new SKD paradigm using synthetic CR based on KSG with shared secret key and locally generated binary Bernoulli noise. We have shown that the introduced source of CR meets all the requirements mentioned in the introduction of the paper: general accessibility, integrity, optimality, and key security.

This paradigm offers a comprehensive approach to secure key distribution, combining theoretical rigor with practical applicability. The proposed design has been both theoretically analyzed and practically validated, demonstrating the following key features:

• Parameter-controlled equivocation: The system allows for adjustable equivocation levels, enabling fine-tuning of security parameters to meet specific requirements.
• High-efficiency Winnow-based reconciliation: By implementing the Winnow protocol, the design achieves efficient error reconciliation with reduced communication overhead, enhancing overall system performance.
• Autonomous key refresh: The architecture supports automatic key renewal processes, ensuring sustained security without manual intervention.
• Secure operation without AD: The system maintains robust security standards without relying on AD techniques, simplifying the implementation.
• Explicit optimal design: The framework is explicitly optimized to maximize the secrecy capacity of distilled keys while minimizing potential information leakage to eavesdroppers.
• Dual modes of operation: The system can operate in two distinct modes—ideal and perfect secrecy—providing flexibility to adapt to various security scenarios.

Based on the experimental verification, the proposed SKD system reliably achieves secret key rates close to the theoretical secrecy capacity while maintaining low BER and high collision entropy. The consistent high levels of entropy across repeated simulations confirm that the system remains secure against passive eavesdroppers even under finite-length conditions, thus making it suitable for practical lightweight secure communication systems.

As a direction for future work, we aim to extend the current framework to support adaptive SKD systems that dynamically adjust key generation parameters in response to real-time system conditions, such as varying bit error rates and entropy availability. Another promising direction involves exploring hardware implementations of the proposed architecture under resource-constrained settings, including IoT and edge computing environments. Additionally, integrating post-quantum primitives with the CR KSG model could enhance resilience against future quantum adversaries while maintaining the system’s autonomous operation and bounded leakage guarantees.

Finally, we note that proposed general system design is readily applicable to other information reconciliation protocols, including those based on BCH, LDPC, and Polar Codes (PC) [57], with the potential to extend the optimization methodologies demonstrated here using the Winnow protocol.