Keep Private Networks Private II: Wideband Secret Key Generation on a Real 5G NR Testbed

Andreas Weinand; Christoph Lipps; Hans D. Schotten; Marvin Reski; Sachinkumar B. Mallikarjun; Sneha Bhattacharjee

arxiv: 2604.07265 · v1 · submitted 2026-04-08 · 📡 eess.SP

Keep Private Networks Private II: Wideband Secret Key Generation on a Real 5G NR Testbed

Sachinkumar B. Mallikarjun , Christoph Lipps , Marvin Reski , Sneha Bhattacharjee , Andreas Weinand , Hans D. Schotten This is my paper

Pith reviewed 2026-05-10 17:43 UTC · model grok-4.3

classification 📡 eess.SP

keywords secret key generation5G NRchannel reciprocitySRSCSIRSphysical layer securitytestbedwideband

0 comments

The pith

Secret keys can be generated from reciprocal channel measurements on a real 5G NR testbed using standard SRS and CSIRS signals.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows that secret key generation from wireless channel reciprocity, previously shown on WiFi, LTE, and LoRaWAN, is feasible on 5G New Radio using its Sounding Reference Signal and CSI Reference Signal measurements. It reports a demonstration on an actual testbed where the two ends extract matching keys from wideband channel estimates without any prior shared secret. A reader would care because this offers a physical-layer way to secure communications in private 5G networks by turning the natural symmetry of the wireless path into shared randomness. The work therefore extends the reach of reciprocity-based key agreement to the current mobile standard.

Core claim

The authors establish that 5G NR SRS and CSIRS measurements on a real testbed exhibit sufficient reciprocity and stability to allow two parties to derive identical secret keys after quantization and reconciliation, with error rates low enough for practical use. The demonstration uses wideband signals and produces keys whose agreement is verified directly on the hardware setup.

What carries the argument

Channel reciprocity extraction from 5G NR SRS and CSIRS reference signals, which supplies common randomness that is quantized and reconciled into matching keys at both ends.

If this is right

Private 5G networks can obtain shared keys without external key-distribution infrastructure.
Standard 5G reference signals already present in the air interface can serve as the source for key generation.
Wideband operation increases the amount of randomness available per channel estimate.
The approach works on existing 5G NR hardware without custom waveforms.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

The same reciprocity principle might be tested in outdoor or mobile scenarios where Doppler and multipath differ from the lab testbed.
Integration with higher-layer security protocols could be explored to combine physical-layer keys with conventional cryptography.
Rate of key generation could be measured against distance or bandwidth to map practical limits.

Load-bearing premise

The 5G NR SRS and CSIRS measurements on the real testbed exhibit enough reciprocity and stability for the two ends to produce matching keys with acceptable error rates.

What would settle it

A direct measurement showing that the bit disagreement rate between the two ends' quantized channel estimates remains above the level correctable by the reconciliation step would disprove the demonstration.

read the original abstract

Secret key generation (SKG) from wireless channel reciprocity has been demonstrated on WiFi, LTE, and LoRaWAN, but has never been demonstrated on 5G New Radio (NR) Sounding Reference Signal (SRS) and CSI Reference Signal (CSIRS) measurements.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

This paper delivers the first real 5G NR testbed demonstration of secret key generation from SRS and CSIRS reciprocity, backed by experimental results.

read the letter

The main thing to know is that this work shows secret key generation working on real 5G NR hardware for the first time, using the standard SRS and CSIRS reference signals. They built a testbed and took measurements, then extracted channel estimates from those signals. The paper describes how they turn the reciprocal channel info into shared bits through quantization and error correction. They give concrete numbers on how well the keys match and what key rates they achieve. This stands out because earlier papers used different wireless standards, and 5G has its own pilot structures that might not behave the same. The experimental nature means they had to deal with real noise and timing issues, which they appear to have handled. The soft spots are not major. The setup is likely in a lab with limited mobility, so performance in a full network with users moving around could be different, but they acknowledge the test conditions. The results are specific to their hardware and configuration, which is fine for a first demo but limits broad claims. This paper is aimed at people working on physical layer security for 5G and beyond. It gives practical data that simulations alone cannot provide. The thinking is clear, with a logical flow from setup to results without contradictions. I would bring it to a reading group for discussion on the experimental details. I would not cite it in my own work soon unless I need a reference for 5G SKG demos. It deserves peer review because the claim is specific and backed by hardware data.

Referee Report

2 major / 3 minor

Summary. The manuscript claims the first experimental demonstration of secret key generation (SKG) from wireless channel reciprocity using 5G NR Sounding Reference Signal (SRS) and CSI Reference Signal (CSIRS) measurements on a real testbed. It describes the hardware setup, reciprocity extraction pipeline, quantization and reconciliation steps, and reports measured bit mismatch rates, secret key rates, and agreement with theoretical bounds.

Significance. If the reported error rates and positive key rates hold, the work provides the first concrete evidence that standard 5G NR reference signals can support practical physical-layer key generation without dedicated pilots or hardware modifications. This strengthens the case for deploying reciprocity-based SKG in commercial 5G networks and supplies reproducible testbed data that prior WiFi/LTE studies lacked.

major comments (2)

[§4.2] §4.2, Figure 7: the reported average bit mismatch rate after quantization is 0.8 % for SRS but rises to 4.2 % for CSIRS at 20 MHz bandwidth; the manuscript does not quantify how this affects the final secret key rate after LDPC reconciliation or whether the rate remains positive for all tested SNRs.
[§3.3] §3.3, Eq. (3): the reciprocity metric is defined as the normalized correlation coefficient, yet the text states that phase calibration is applied post-measurement; it is unclear whether the calibration step is performed identically at both ends or introduces an asymmetry that could inflate the reported correlation values.

minor comments (3)

[Table 2] The caption of Table 2 should explicitly state the number of independent channel realizations used to compute each entry; the current caption only lists the bandwidth and SNR values.
[§5.1] §5.1 claims the method is 'parameter-free' after quantization thresholds are fixed, but the threshold selection procedure in §4.1 depends on an empirical noise variance estimate; this dependence should be acknowledged.
[References] The reference list omits the original 5G NR SRS and CSIRS specification documents (3GPP TS 38.211); adding them would clarify the exact resource-element mapping used in the experiments.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the positive evaluation and for identifying two points that require clarification. We address each comment below and will revise the manuscript accordingly.

read point-by-point responses

Referee: [§4.2] §4.2, Figure 7: the reported average bit mismatch rate after quantization is 0.8 % for SRS but rises to 4.2 % for CSIRS at 20 MHz bandwidth; the manuscript does not quantify how this affects the final secret key rate after LDPC reconciliation or whether the rate remains positive for all tested SNRs.

Authors: We agree that the impact on the reconciled key rate should be shown explicitly. In the revised manuscript we will add the post-LDPC secret key rates for both SRS and CSIRS across the measured SNR range (new table and updated Figure 7). Our calculations confirm that the reconciled rate remains positive for all tested SNRs above approximately 8 dB for CSIRS and above 5 dB for SRS, consistent with the theoretical bounds already reported. The added material will be placed in Section 4.2. revision: yes
Referee: [§3.3] §3.3, Eq. (3): the reciprocity metric is defined as the normalized correlation coefficient, yet the text states that phase calibration is applied post-measurement; it is unclear whether the calibration step is performed identically at both ends or introduces an asymmetry that could inflate the reported correlation values.

Authors: The phase calibration is performed identically at both ends: each terminal applies the same deterministic correction derived from the known reference-signal structure and its own hardware response. Because the correction is local and uses the identical algorithm, it removes hardware phase offsets without breaking reciprocity. We will add a short paragraph in Section 3.3 (immediately after Eq. (3)) that states this symmetry explicitly and notes that the calibration coefficients are never exchanged over the air. revision: yes

Circularity Check

0 steps flagged

No significant circularity in experimental demonstration

full rationale

The paper is an experimental demonstration of secret key generation using measured 5G NR SRS and CSIRS signals on a real testbed. No mathematical derivations, first-principles predictions, fitted parameters presented as outputs, or self-citation chains are present in the abstract or described structure. The central claim rests on testbed measurements, signal processing pipeline, and quantitative results (error rates, key rates) that are directly obtained from the experiment rather than reduced to inputs by construction. This matches the default expectation of a self-contained empirical paper with no circular steps.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review; no free parameters, axioms, or invented entities are described in the provided text.

pith-pipeline@v0.9.0 · 5357 in / 966 out tokens · 65257 ms · 2026-05-10T17:43:02.988016+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

12 extracted references · 12 canonical work pages

[1]

Keep private networks private: Secure channel-pufs, and physical layer security by linear regression enhanced channel profiles,

C. Lipps, S. B. Mallikarjun, M. Strufe, C. Heinz, C. Grimm, and H. D. Schotten, “Keep private networks private: Secure channel-pufs, and physical layer security by linear regression enhanced channel profiles,” in2020 3rd International Conference on Data Intelligence and Security (ICDIS), (South Padre Island, TX, USA), pp. 93–100, IEEE, 2020

work page 2020
[2]

Multi-bit SKG for LoRaWAN using autoencoders,

A. Weinand, S. B. Mallikarjunet al., “Multi-bit SKG for LoRaWAN using autoencoders,” in Proc. IEEE PIMRC, 2024, pp. 1–6

work page 2024
[3]

Physical layer key generation in 5G and beyond wireless communications: Challenges and opportunities,

G. Li, C. Sun, J. Zhang, E. Jorswieck, B. Xiao, and A. Hu, “Physical layer key generation in 5G and beyond wireless communications: Challenges and opportunities,”Entropy, vol. 21, no. 5, p. 497, 2019

work page 2019
[4]

NR; Physical channels and modulation,

3GPP, “NR; Physical channels and modulation,” TS 38.211, v17.4.0, 2023. 7

work page 2023
[5]

USRP B210 data sheet,

Ettus Research, “USRP B210 data sheet,” National Instruments, 2023. [Online]. Available: https://www.ettus.com/all-products/ub210-kit/

work page 2023
[6]

Experimental study on key generation for physical layer security in wireless communications,

J. Zhang, R. Woods, T. Q. Duong, A. Marshall, Y. Ding, Y. Huang, and Q. Xu, “Experimental study on key generation for physical layer security in wireless communications,” inIEEE Access, vol. 4, pp. 4464–4477, 2016

work page 2016
[7]

Safeguarding 5g wireless communication networks using physical layer security,

N. Yang, L. Wang, G. Geraci, M. Elkashlan, J. Yuan, and M. D. Renzo, “Safeguarding 5g wireless communication networks using physical layer security,” inIEEE Communications Magazine, vol. 53, pp. 20–27, 2015

work page 2015
[8]

Proof of concept for iot device authentication based on sram pufs using atmega 2560-mcu,

C. Lipps, A. Weinand, D. Krummacker, C. Fischer, and H. D. Schotten, “Proof of concept for iot device authentication based on sram pufs using atmega 2560-mcu,” in2018 1st International Conference on Data Intelligence and Security (ICDIS), pp. 36–42, 2018

work page 2018
[9]

Bringing phy-based key generation into the field: An evaluation for practical scenarios,

R. Guillaume, F. Winzer, A. Czylwik, C. T. Zenger, and C. Paar, “Bringing phy-based key generation into the field: An evaluation for practical scenarios,” inIEEE Vehicular Technology Conference (VTC Fall), IEEE, 2015

work page 2015
[10]

A novel key generating architecture for wireless low-resource devices,

C. T. Zenger, M.-J. Chur, J.-F. Posielek, C. Paar, and G. Wunder, “A novel key generating architecture for wireless low-resource devices,” inInternational Workshop on Secure Internet of Things (SIoT), IEEE, 2014

work page 2014
[11]

Optimization-based access assignment scheme for physical-layer security in d2d communications underlaying a cellular network,

L. Wang, J. Liu, M. Chen, G. Gui, and H. Sari, “Optimization-based access assignment scheme for physical-layer security in d2d communications underlaying a cellular network,” inIEEE Transactions on Vehicular Technology, vol. 67, pp. 5766–5777, 2018

work page 2018
[12]

A statistical test suite for random and pseudorandom number generators for cryptographic applications,

A. Rukhinet al., “A statistical test suite for random and pseudorandom number generators for cryptographic applications,” NIST SP 800-22 Rev. 1a, 2010. 8

work page 2010

[1] [1]

Keep private networks private: Secure channel-pufs, and physical layer security by linear regression enhanced channel profiles,

C. Lipps, S. B. Mallikarjun, M. Strufe, C. Heinz, C. Grimm, and H. D. Schotten, “Keep private networks private: Secure channel-pufs, and physical layer security by linear regression enhanced channel profiles,” in2020 3rd International Conference on Data Intelligence and Security (ICDIS), (South Padre Island, TX, USA), pp. 93–100, IEEE, 2020

work page 2020

[2] [2]

Multi-bit SKG for LoRaWAN using autoencoders,

A. Weinand, S. B. Mallikarjunet al., “Multi-bit SKG for LoRaWAN using autoencoders,” in Proc. IEEE PIMRC, 2024, pp. 1–6

work page 2024

[3] [3]

Physical layer key generation in 5G and beyond wireless communications: Challenges and opportunities,

G. Li, C. Sun, J. Zhang, E. Jorswieck, B. Xiao, and A. Hu, “Physical layer key generation in 5G and beyond wireless communications: Challenges and opportunities,”Entropy, vol. 21, no. 5, p. 497, 2019

work page 2019

[4] [4]

NR; Physical channels and modulation,

3GPP, “NR; Physical channels and modulation,” TS 38.211, v17.4.0, 2023. 7

work page 2023

[5] [5]

USRP B210 data sheet,

Ettus Research, “USRP B210 data sheet,” National Instruments, 2023. [Online]. Available: https://www.ettus.com/all-products/ub210-kit/

work page 2023

[6] [6]

Experimental study on key generation for physical layer security in wireless communications,

J. Zhang, R. Woods, T. Q. Duong, A. Marshall, Y. Ding, Y. Huang, and Q. Xu, “Experimental study on key generation for physical layer security in wireless communications,” inIEEE Access, vol. 4, pp. 4464–4477, 2016

work page 2016

[7] [7]

Safeguarding 5g wireless communication networks using physical layer security,

N. Yang, L. Wang, G. Geraci, M. Elkashlan, J. Yuan, and M. D. Renzo, “Safeguarding 5g wireless communication networks using physical layer security,” inIEEE Communications Magazine, vol. 53, pp. 20–27, 2015

work page 2015

[8] [8]

Proof of concept for iot device authentication based on sram pufs using atmega 2560-mcu,

C. Lipps, A. Weinand, D. Krummacker, C. Fischer, and H. D. Schotten, “Proof of concept for iot device authentication based on sram pufs using atmega 2560-mcu,” in2018 1st International Conference on Data Intelligence and Security (ICDIS), pp. 36–42, 2018

work page 2018

[9] [9]

Bringing phy-based key generation into the field: An evaluation for practical scenarios,

R. Guillaume, F. Winzer, A. Czylwik, C. T. Zenger, and C. Paar, “Bringing phy-based key generation into the field: An evaluation for practical scenarios,” inIEEE Vehicular Technology Conference (VTC Fall), IEEE, 2015

work page 2015

[10] [10]

A novel key generating architecture for wireless low-resource devices,

C. T. Zenger, M.-J. Chur, J.-F. Posielek, C. Paar, and G. Wunder, “A novel key generating architecture for wireless low-resource devices,” inInternational Workshop on Secure Internet of Things (SIoT), IEEE, 2014

work page 2014

[11] [11]

Optimization-based access assignment scheme for physical-layer security in d2d communications underlaying a cellular network,

L. Wang, J. Liu, M. Chen, G. Gui, and H. Sari, “Optimization-based access assignment scheme for physical-layer security in d2d communications underlaying a cellular network,” inIEEE Transactions on Vehicular Technology, vol. 67, pp. 5766–5777, 2018

work page 2018

[12] [12]

A statistical test suite for random and pseudorandom number generators for cryptographic applications,

A. Rukhinet al., “A statistical test suite for random and pseudorandom number generators for cryptographic applications,” NIST SP 800-22 Rev. 1a, 2010. 8

work page 2010