Papers
Topics
Authors
Recent
Search
2000 character limit reached

Keep Private Networks Private II: Wideband Secret Key Generation on a Real 5G NR Testbed

Published 8 Apr 2026 in eess.SP | (2604.07265v1)

Abstract: Secret key generation (SKG) from wireless channel reciprocity has been demonstrated on WiFi, LTE, and LoRaWAN, but has never been demonstrated on 5G New Radio (NR) Sounding Reference Signal (SRS) and CSI Reference Signal (CSIRS) measurements.

Summary

  • The paper presents a fully bilateral SKG protocol that achieves 0% bit disagreement rates and up to 2,100 bps using 5G NR wideband channel estimates.
  • The paper implements a rigorous seven-stage pipeline—including subband averaging, DCT-based reciprocity enhancement, and cascade reconciliation—to optimize key extraction.
  • The paper resolves firmware-dependent FFT discrepancies with an automated orientation detector, ensuring robust and scalable performance across varied testing conditions.

Wideband Secret Key Generation over 5G NR: Experimental Advances and Implications

Introduction

This work delivers the first experimental demonstration of symmetric secret key generation (SKG) that exploits wideband channel estimates from actual 5G New Radio (NR) transmissions using Sounding Reference Signal (SRS) and CSI Reference Signal (CSI-RS) on a real, over-the-air testbed. Prior studies established the feasibility and scaling of SKG in technologies such as WiFi, LTE, and LoRaWAN, but this paper closes a gap by advancing SKG to the 5G NR domain, targeting the n78 band (3.75 GHz, 40 MHz BW) using COTS USRP B210 SDR hardware and OpenAirInterface (OAI) stacks (2604.07265). The results and techniques introduced are immediately relevant for both physical layer security and network authentication in 5G private and industrial deployments.

Technical Approach and SKG Pipeline

The paper implements a symmetric SKG protocol across a seven-stage pipeline:

  1. Subband Averaging: Raw per-subcarrier frequency-domain channel estimates are grouped and averaged to reduce noise and leverage spatial and frequency diversity. Adaptive subband widths (500 kHz to 2 MHz) match environment-specific channel coherence bandwidths.
  2. Reciprocity Enhancement (DCT+LR): A DCT-based decorrelation step and linear regression remove trends, maximize channel reciprocity, and thereby reduce bit disagreement rates (BDR).
  3. Multi-level Quantization: Frequency-domain magnitudes within each subband are quantized to extract bits, with the baseline protocol employing binary quantization to facilitate low-overhead reconciliation.
  4. Back-propagating Cascade Reconciliation: A two-pass error correction protocol—forward block reconciliation followed by retroactive correction—reduces initial BDR values as high as 31.6% to 0%. This approach tolerates high noise and mismatch, outperforming conventional single-pass approaches.
  5. Privacy Amplification (Toeplitz Matrix): Post-reconciliation bits are compressed to eliminate any information about the key leaked during error correction.
  6. SHA-256 Hashing: Keys are standardized to a fixed 256-bit length with cryptographic hash properties.
  7. Key Verification: Verifies agreement at both endpoints via challenge-response using SHA-256 digests.

A critical implementation contribution addresses subtle, release-dependent FFT bin ordering discrepancies between OAI's gNB and UE software stacks. The paper introduces an orientation detector based on correlation and BDR analysis, fully automating the alignment irrespective of underlying firmware version.

Experimental Setup

Experiments were conducted using two servers, each hosting OAI-based gNB or nrUE stacks attached to USRP B210 SDRs, transmitting and receiving in the 5G NR n78 band (3.75 GHz, 40 MHz bandwidth). Both endpoints extracted channel estimates traceable at the level of physical resource block (PRB) and subcarrier granularity using custom hooks into OAI. Test scenarios encompassed both line-of-sight (LoS) and non-line-of-sight (NLoS) conditions in realistic indoor environments.

Adaptive subband widths were tuned dynamically per the observed channel delay spread and coherence bandwidth, ensuring that only statistically independent samples contribute to SKG, thereby maximizing entropy extraction.

Numerical Results and Evaluation

Key Generation Rate and Error Rates

Strong claims are supported by numerical results: Eleven independent over-the-air deployments (eight LoS, three NLoS) produced matching 256-bit symmetric keys with post-reconciliation BDRs of 0% in every case. The achievable key generation rates (KGR) varied from 650 to 2,100 bps, a figure representing up to two orders of magnitude improvement over WiFi-derived SKG rates.

Entropy and Statistical Analysis

Per-bit Shannon entropy in the generated keys across scenarios was measured in the range 0.991 to 1.000, indicating nearly perfect uniformity in bit values. Minimum entropy analysis yielded 218 to 253 effective bits per 256-bit key, confirming negligible bias or correlation.

On concatenated key material (total 2,816 bits), 11 out of 12 NIST SP 800-22 randomness tests were passed. Only the DFT Spectral test showed minor deficiencies, attributed to scenario border effects rather than core weaknesses in key randomness.

Robustness to Firmware Variability

A notable engineering achievement is the robust and fully automated correction for OAI firmware-dependent subcarrier ordering on the UE, which can silently invert frequency mappings depending on build date. The automated orientation detector based on maximizing correlation and minimizing BDR ensures reliable operation across versions, eliminating the need for manual intervention or code modifications.

Cross-Technology Comparison

This work punctuates a clear scaling law: as wireless bandwidth increases, so too does the achievable KGR, tracking the number of independent samples extractable per channel coherence. The empirical KGR findings are summarized as:

  • WiFi (20 MHz): 10–20 bps
  • LTE (5 MHz): 50–200 bps
  • LoRaWAN (125 kHz): 1.2–2.44 bits/probe
  • 5G NR (40 MHz): 650–2,100 bps

Such scaling confirms the underlying principle that bandwidth is the dominant enabler for fast, high-entropy SKG and shows the clear practicability of the technique at contemporary 5G rates.

Security and Practical Implications

The protocol achieves information-theoretic security against eavesdroppers physically separated by more than half a wavelength (λ/2\lambda/2), contingent on established models of channel independence. By leveraging only wireless reciprocity and measured randomness, the approach removes dependency on pre-shared secrets or traditional PKI—critical for time-sensitive or infrastructure-free deployments such as private industrial 5G, tactical communications, and dynamically formed device clusters.

The demonstration of fully bilateral, robust, and high-throughput SKG at 5G NR using commercial open-source tools and COTS SDRs is immediately relevant for network access authentication, session key derivation, and potentially as a complement to post-quantum cryptography. The cascade reconciliation and privacy amplification steps ensure that no significant leakage occurs even in the presence of reconciliation overheads or nonideal channel reciprocity.

Limitations and Future Directions

Key limitations include the modest statistical length (≤ 2.8 kbits) used for NIST randomness testing; longer keys (≥106\geq 10^6 bits) are necessary for comprehensive compliance. The maximal testbed bandwidth was constrained by the B210 hardware to 40 MHz. The authors anticipate that using USRP X310 (100 MHz bandwidth) will further improve key rates and entropy extraction capacity.

Future directions also include integrating hybrid post-quantum key establishment schemes (e.g., ML-KEM-768), multi-bit quantization, and expanded SCG pipeline analysis across highly dynamic and outdoor environments.

Conclusion

The paper provides a rigorous and experimentally validated protocol for bilateral SKG on 5G NR, achieving high throughput, minimal error rates, and high entropy over practical channels. By solving key implementation bottlenecks such as subcarrier alignment, reconciling high initial BDRs, and automating adaptation to firmware variants, the contribution solidifies the practicality of wideband physical-layer SKG in 5G networks. Its implications extend to secure device authentication, session key management in private networks, and as a building block for post-quantum-resilient cryptographic protocols (2604.07265).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 0 likes about this paper.