We propose and implement a protocol for a scalable, cost-effective, information-theoretically secure key distribution and management system. The system, called Distributed Symmetric Key Establishment (DSKE), relies on pre-shared random numbers between DSKE clients and a group of Security Hubs. Any group of DSKE clients can use the DSKE protocol to distill from the pre-shared numbers a secret key. The clients are protected from Security Hub compromise via a secret sharing scheme that allows the creation of the final key without the need to trust individual Security Hubs. Precisely, if the number of compromised Security Hubs does not exceed a certain threshold, confidentiality is guaranteed to DSKE clients and, at the same time, robustness against denial-of-service (DoS) attacks. The DSKE system can be used for quantum-secure communication, can be easily integrated into existing network infrastructures, and can support arbitrary groups of communication parties that have access to a key. We discuss the high-level protocol, analyze its security, including its robustness against disruption. A proof-of-principle demonstration of secure communication between two distant clients with a DSKE-based VPN using Security Hubs on Amazon Web Server (AWS) nodes thousands of kilometres away from them was performed, demonstrating the feasibility of DSKE-enabled secret sharing one-time-pad encryption with a data rate above 50 Mbit/s and a latency below 70 ms.

翻译：我们提出并实现了一种可扩展、经济高效、具有信息论安全性的密钥分发与管理系统协议。该系统称为分布式对称密钥建立（DSKE），其依赖于DSKE客户端与一组安全枢纽之间预先共享的随机数。任何一组DSKE客户端均可使用DSKE协议，从预共享数中提取出秘密密钥。通过采用秘密共享方案，客户端受到保护，免受安全枢纽被攻破的影响，该方案允许在不需信任单个安全枢纽的情况下生成最终密钥。具体而言，若被攻破的安全枢纽数量未超过特定阈值，则可保证DSKE客户端的机密性，同时确保系统能够抵御拒绝服务（DoS）攻击。DSKE系统可用于量子安全通信，易于集成到现有网络基础设施中，并可支持能够访问密钥的任意通信方组。我们讨论了高层协议，分析了其安全性，包括其抗中断鲁棒性。我们在亚马逊网络服务（AWS）节点上部署了距离两个远端客户端数千公里的安全枢纽，基于DSKE的虚拟专用网络（VPN）实现了这两个客户端之间的安全通信原理验证演示，证明了启用DSKE的秘密共享一次性密码本加密的可行性，其数据速率超过50 Mbit/s，延迟低于70毫秒。