Synchronized DNA sources for unconditionally secure cryptography

Sync hronized DNA sources for unconditionally secure cryptograph y Sandra Jaudou*, 1 H ´ el ` ene Gasnier*, 2 Elias Boudjella*, 3 Marc Can ` ev e, 2 Victoria Blo quert, 1 V asily Shenshin, 1 Tilio Pilet, 2 Sac ha Gaucher, 1 So o Hyeon Kim, 3, 4 Philipp e Gab orit, 5 Gouenou Coatrieux, 2 Matthieu Lab ousse, 1 An thony Genot, 3 and Y annick Rondelez 1 , ∗ 1 Gul liver CNRS, ESPCI Paris, Universit´ e PSL, 75005 Paris, F r anc e 2 IMT Atlantique, Inserm, L aTIM, Br est, F r anc e 3 LIMMS, CNRS-Institute of Industrial Scienc e, The University of T okyo, 4-6-1 Komab a, Me gur o-ku, T okyo, 153-8505 Jap an 4 Institute of Industrial Scienc e, The University of T okyo, 4-6-1 Komab a, Me gur o-ku, T okyo, 153-8505 Jap an 5 XLIM, University of Limo ges, Limo ges, F r anc e Secure comm unication is the cornerstone of mo dern infrastructures, from finance and healthcare to defense and elections, yet ac hieving unconditional securit y—resistant to any computational at- tac k—remains a fundamen tal c hallenge. The One-Time Pad (OTP), prov en b y Shannon to offer p erfect secrecy , requires a shared random key as long as the message, used only once. How ever, distributing large keys ov er long distances has b een impractical due to the lac k of secure and scalable sharing options. Here, we in tro duce a DNA-based cryptographic primitive that lev erages random p ools of synthetic DNA to install a synchronized entrop y source b etw een distant parties. Our approac h uses duplicated DNA molecules—comprising random index-payload pairs—as a shared secret. These molecules are lo cally sequenced and digitized to generate a common binary mask for OTP encryption, achieving unconditional security without relying on computational assumptions. W e exp erimen tally demonstrate this protocol b etw een T oky o and Paris, using in-house nanop ore sequencing, generating a shared secret mask of ∼ 400 Mb with a residual error rate of ∼ 5 × 10 − 5 , correctable via Bose–Chaudh uri–Ho cquenghem (BCH) co des to achie ve the usual ov erall decryp- tion failure rate of 2 − 128 . The min-entrop y of the binary mask meets the most recent National Institute of Standards and T echnology requiremen ts (SP 800-90B), and is comparable to that of appro ved cryptographic random n umber generators. Critically , our system can resist tw o t yp es of adv ersarial in terference through molecular copy-n um b er statistics, pro viding an additional lay er of securit y reminiscen t of Quantum Key Distribution (QKD), but without distance limitations. This w ork establishes DNA as a scalable en trop y source for long-distance OTP , enabling high-throughput and secure comm unications in sensitive con texts. By bridging molecular biology and cryptography , DNA-based k ey distribution op ens a promising new route to ward unconditional security in global comm unication netw orks. ∗ yannic k.rondelez@espci.psl.eu 2 * Equal con tributions I. MAIN TEXT In tro duction During the encryption of a communication, a sender scram bles a plain message using a shared mask whic h is known only to the sender (Alice) and receiv er (Bob), either with a symmetric or an asymmetric proto col. In practice, a combination of the tw o approaches is often used in cryptography . T o communicate securely , Alice and Bob first use a computationally intensiv e yet robust asymmetric protocol to exch ange a small key (such as, e.g. , Diffie-Hellman [ 1 ] or quan tum-resistan t schemes lik e ML-KEM [ 2 ] or HQC-KEM [ 3 ]). They then cipher and decipher their large messages with their k ey via an efficien t symmetric algorithm, often AES - A dvanc e d Encryption Standar ds [ 4 ]. Ho w ev er, the securit y of this hybrid approac h depends on both the robustness of the asymmetric key exchange proto col and that of the symmetric encryption scheme; ultimately such proto cols rely on computational security . With constant increase of computational p o wer av ailable to attack ers, security levels must ev olve. F or instance, in the 80’s, keys with 64 bits were considered sufficient, whereas current standards require 128 bits. In practice, it means that data arc hiv ed 40 years ago with 64 bits hybrid sc hemes can now b e crack ed using a mo dern computer. Basing security guarantees on the computational limits of an attack er introduces a fundamental vulnerabilit y . An alternative to computational key exchange proto cols is Quan tum Key Distribution (QKD) [ 5 – 7 ]. Once a quan tum c hannel is established, Alice and Bob can generate a shared secret key using a physical pro cess whose securit y is grounded in the fundamen tal laws of quantum mec hanics. Accordingly , QKD resists computational attac ks and offers prov able securit y guaran tees, including the ability to detect any eav esdropping attempts. This prop ert y is particularly significant, as it is not achiev able with classical computational or physical key exc hange metho ds, where transmitted data may b e copied stealthily , leaving no observ able trace. How ev er, fib er-based, twin field or device-indep endent QKD still remains impractical for sending large keys o v er distances longer than ab ov e ∼ 1000 km [ 8 – 15 ]. Although some recent techniques are promising candidates for longer distances in the future [ 16 ], they face the fundamental limitations of quan tum rep eaters [ 17 ]. Satellite-based QKD [ 18 – 20 ] has achiev ed long distance ground-to-satellite exc hange, but this strategy remains limited by w eather conditions. Moreov er, the short op erational time window of low orbit satellites - ab out 5 min p er day - results in a demonstrated record throughput of ab out ≈ 10 3 kbit/da y [ 20 ]. Finally , the full feasibility of satellite-mediated ground-to-ground QKD has not yet b een achiev ed. Cryptographic schemes providing unconditional securit y , i.e. , that remain secure against an adv ersary with unlim- ited computational p o wer, do exist and hav e b een kno wn for a long time. In 1949, Shannon demonstrated that the One-Time P ad (OTP) cryptosystem, introduced as early as 1882, offers unconditional security [ 21 ]. In OTP cryptograph y (Fig. 1 a), Alice and Bob share a secret binary mask. This mask must fulfil the following criteria: b e as long as the message to b e sent, p erfectly random, used only once and destroy ed after use. Alice com bines the message and the mask with a X OR function. This creates an encrypted message, which can be safely sent o ver a public channel. A t the receiver location, the reverse operation -again a XOR with the shared secret mask- restores the plain message (Fig. 1 b). Although simple and efficient, OTP encryption p oses tw o challenges, which in practice, strongly limit its applications: first the generation of large masks with high qualit y of randomness and, second, their secure sharing at tw o distant lo cations. The holy grail for secure communication would b e to create pairs of unclonable and p erfectly random sources that remain synchronized indep endently of the distance b etw een them. Alice and Bob could then each use their lo cal device to generate large random (but identical) num bers, with which they w ould communicate with uncondi- tional OTP-based securit y , a metho d that remains beyond current reach. Pioneering works [ 22 , 23 ] suggest that molecular media, in particular synthetic informational p olymers such as DNA, displa y several in teresting features with resp ect to cryptographic applications [ 24 ]. First, the syn thesis of random DNA is a simple yet massive source of randomness: lab-scale step-by-step chemical synthesis of a few 1 mg of DNA with a balanced mixture of the four A, C, G and T nucleotides can pro duce exabytes (10 19 bits) of randomness in a few hours. Second, unlike man y ph ysical sources of en tropy [ 25 ], DNA is natively discrete - canonical DNA is a quaternary alphabet. This discreteness simplifies the mathematical pro cessing of the molecule as an information-carrying medium. Third, large amounts of information stored in DNA p o ols can b e duplicated or amplified by autonomous biomolecular op erations. This happ ens in a massiv ely parallel wa y (typically 10 12 parallel op erations p er mL) and without the need to extract the information stored at the molecular lev el. Hence, the milligrams of random DNA mentioned ab ov e can b e replicated b y DNA p olymerases and distributed so that 3 FIG. 1. DNA-based One-Time-P ad cryptograph y . a In OTP cryptography , a message, mapp ed to binary (e.g. using ASCI I-code) is encrypted with a random mask using a bit-b y-bit XOR function ( b ). The receiv er deco des by applying a bit-b y-bit XOR with the same random mask. c , Two independent po ols containing random DNA strands, eac h of them being unique, playing the role of index and pa yload, asso ciate at random ( d ), and are extended o ver each other b y a p olymerase to form reverse-complemen ted duplexes ( e ). f , The p o ol is optionally amplified and split into tw o pads: Alice k eeps one and passes the other to Bob. Multiple pads can b e duplicated and shared at once, providing synchronized random generation for man y future exc hanges. g Alice and Bob sequence their pad, and publicly share the indices to sift and assemble the corresp onding secret payloads into a common binary mask, which they use to communicate via OTP ( h ). t wo distan t parties share exabytes of common, but still unknown, secret. If the molecular strings are prop erly stored [ 26 ], the secret can b e archiv ed for centuries b efore retriev al [ 27 ]. F ourth, the information contained in large molecular DNA archiv es can b e extracted in a digital form b y commercial sequencing machines. These machines curren tly output terabytes of information p er run [ 28 ], at rates reaching ≃ 10 8 basepairs p er second [ 29 ]. Some se- quencing devices are barely larger than a USB stick, and many are push-and-go op erations. Lastly , next generation sequencing protocols allow each DNA molecule in a mixture to b e uniquely identified and counted [ 30 , 31 ]. As w e demonstrate b elow, this direct access to the discrete and stochastic nature of molecular processes can b e leveraged to provide an additional level of securit y . Here, we show that duplicated random DNA pads can b e used to synchronize the generation of large random binary n um b ers at arbitrarily distant lo cations. W e c haracterize the resulting channel in terms of throughput and the quality of the randomness. W e measure the residual mask reconciliation error around 5 × 10 − 5 , which can be comp ensated b y an error correction co de with limited ov erhead. Using standard lab equipment and a c heap com- mercial sequencer, w e demonstrate that a DNA-based OTP pro cess is curren tly compatible with intercon tinen tal comm unication at a rate reac hing 10 8 − 10 9 bits p er run and a decryption failure rate below 2 − 128 . Once the sources are installed, k ey generation happ ens without transfer of confidential information, limiting interception options. Still, we sho w that the channel can b e further secured against attacks. W e exp erimentally sim ulate adversarial in terference in tw o different scenarios and provide statistical measures to detect interception. Installation of synchronized random sources. The creation of duplicated random DNA pads uses three sto c hastic steps (Metho ds and supplementary note 1). First, Alice orders the synthesis of tw o p o ols of partially random DNA oligon ucleotides, called index strands and pa yload strands, from a commercial manufacturer (Fig. 1 c). During the indep endent syntheses of the random domain of these strands, random bases are selected from among 4 A, C, G, T. A standard order provides ab out ∼ 4 nmol of oligonucleotides, or ab out 10 15 unique strands, and m uch larger syn theses are p ossible. Second, Alice dilutes the strands to ab out 100 nM and randomly assem ble around 10 12 index strands with an equiv alen t num b er of payload strands (Fig. 1 d). A p olymerase extends the t wo oligonucleotides o ver each other to generate double-stranded index-pa yload DNA duplexes, which we will call double-stranded DNA k eys (Fig. 1 e). Third, a defined n umber of DNA keys, on the order of 10 6 -10 9 molecules, is randomly sampled by taking an aliquot from this p o ol. Each of these step adds a la y er of discrete randomness and con tribute to the securit y of the c hannel. F or example, ev en if the p o ol of payload strands w as not fully random, or the DNA provider is not fully trusted, it would be impossible to guess which pa yload strand asso ciated with a particular index strand, or which of these com binations w ere actually sampled in step three. Imp ortan tly , in the resulting DNA k ey p o ol, sequence information exists in exactly t wo copies, in the form of t w o rev erse-complemented DNA molecules. Then, the aliquot is physically partitioned, with or without further amplification, whic h allows to share information betw een tw o pads. Alice keeps one and sends the second to Bob (Fig. 1 f ). The process can b e parallelized and repeated to generate multiple duplicated DNA pads, at negligible cost and adaptable capacity (Supplemen tary note 2). After that stage, the synchronized source is installed and all communications can happen on public c hannels. Authen tication and creation of a shared secret . When Alice wan ts to send a message, she selects a pad, informs Bob, and b oth enter the pro cess of generating a common random mask. (Fig. 1 g). Each part y inde- p enden tly sequences its pad using standard protocols. The sequencing mac hines rep ort a list of DNA k ey sequences, in the form of millions to billions of indep endent index-payload asso ciations. Alice and Bob’s sets ov erlap, but, b ecause of statistical sampling and biomolecular or sequencing errors, they do not necessarily fully coincide. Bob then publicly sends to Alice his list of index sequences while keeping the asso ciated payloads secret, and Alice compares them to her own list. As the diversit y of indices scales exp onentially with index length, Alice can now authen ticate Bob with a high lev el of confidence (Supplementary note 3). Then, she computes the intersection b et ween the t w o sets, decides of a sp ecific ( e.g. , random) index ordering, and publicly sends bac k that list to Bob. The corresp onding ordered payloads then form the shared secret b et ween Alice and Bob, whic h they conv ert to a binary OTP mask (Fig. 1 h). This is equiv alen t to a sifting stage in QKD. Imp ortan tly , no information concerning the payload sequences w as exchanged in the pro cess. W e lo calized Alice in P aris and Bob in T okyo and experimentally tested the full biomolecular protocol. F or installation, Alice obtained degenerate oligonucleotides p o ols from IDT (Integrated DNA T echnologies), assembled, amplified b y PCR and split the sample in duplicated pads containing approximately 30 × 10 6 unique DNA keys. The random parts of the DNA k eys w ere comp osed of 14 domains of length n = 5, separated by spacer sequences iden tical in all strands (Fig. 2 a), hence a combinatorial space of more than 2 140 ≈ 10 42 p ossible DNA k eys. This design was selected to facilitate alignment and digitization of the keys (see b elow). A pad was sent to T okyo and stored. F or communication the tw o pads were indep endently sequenced using nanop ore technology on lo cal P2 Solo mac hines, a miniaturized sequencer with a fo otprint of just 15 × 11 × 9 cm. After qualit y filtering and aligning, the t wo datasets w ere clustered, and consensus sequences were extracted for each cluster, along with cluster size and qualit y metric. These metrics w ere used for a final filtering stage, after which Alice and Bob retained 26 586 748 and 27 915 041 high-qualit y DNA k ey sequences, resp ectiv ely . When exchanging their list of indices, they found an o verlap of 22 603 540 exact corresp ondences (Supplementary T able S1). Generating the binary k ey and assessing the quality of the randomness . The simplest approach to binarizing a DNA sequence op erates at the nucleobase level, employing a canonical quaternary co de ( e.g. , A = 00, G = 01, C = 10, T = 11). This enco ding scheme maximizes the amoun t of digital information that can b e extracted from DNA—up to 2 bits p er base in theory , but closer to 1.83 bits per base once exp erimen tal con- strain ts are considered [ 36 ]. Ho wev er, it is not suitable for generating random bits from synthetic DNA due to its sensitivit y to biases and correlations commonly asso ciated with degenerate DNA syn thesis [ 22 ]. F or example, Fig. 2 b shows the unbalanced distribution of the four nucleobases with a gradual drift along the chemical synthesis direction, observed in Bob’s filtered consensus set. In addition, we observe pairwise correlations (Fig. 2 e) up to a length of 5 (Supplementary note 4a). Consequently , standard debiasing approaches, such the von Neumann proto col [ 22 ] which requires indep endence of the bits, cannot b e directly applied to DNA sequences. Here, we level out p osition-dep endent representation biases, and av erage ov er spatial correlations along the p olymer chain via blo c kwise binarization of DNA key sequences (Supplementary note 4c). Among this family of functions which com- promise b et ween randomness qualit y and throughput, we sele cted the blo c k-5 Purine Parit y Digitization (5PPD), whic h counts mo dulo 2 the n umber of purines in each block of 5 degenerate bases (Fig. 2 c). The bits are then concatenated column-wise, generating the binary mask (Fig. 2 d,e). The randomness of a binary mask is an essential feature of a secure OTP proto col, and its quality must ad- 5 FIG. 2. Generating a shared binary mask using DNA pads . a Index-payload key architecture. b , Nucleobase distribution along the payload p ositions. c , Principle of block5 Purine P arity Digitization (5PPD). d , Probabilit y of measuring a 1 (red) and 0 (blue) along the binary sequence obtained with a 5PPD of the sequences strands sequenced b y Alice (circle) and Bob (square). e Pair distribution and correlation in DNA sequences b efore 5PPD. Pairs and triplets distribution after 5PPD. f , Estimated entrop y of DNA binary masks according to the NIST standard 800-90B [ 32 ] and comparison with a NIST-appro ved deterministic RNG [ 33 ] (see Supplemen tary T ables S4 and S5). The standard computes ten en tropy estimates and retains the minimum v alue. The min-entrop y is dictated by the compression entrop y and all the other estimates are group ed in blue for Alice and Bob sequences. g Comparison with commercial RNGs [ 34 ]. h DNA-OTP ciphering of 2704 × 2826 image, 130 Mb, of the Horsehead Nebula in the constellation of Orion. Credits: NASA, ESA, and the Hubble Heritage T eam (AURA/STScI) [ 35 ]). here to established cryptographic standards. Here we follo w the latest entrop y estimation guidelines [ 32 , 37 ]. F urthermore, we select the most conserv ativ e scenario by using the min-entrop y metric, which is the minimal v alues obtained ov er 10 different en tropy tests (Fig. 2 f ). F or our exp erimental demonstration, applying 5PPD results in a shared binary mask of 316 Mb. W e measured the min-entrop y for subsequences of v arious length (Fig. 2 f ). F or the 6 full-length mask, w e obtained min-en trop y v alues of 0.9588 from Alice’s side and 0.9604 from Bob. Irresp ective of the mask length used, these v alues are on par with the ones produced b y a numerical Random Num b er Generator (RNG) approv ed by the Standards FIPS 140-3 [ 33 ]), e.g., Hash-DRBG-SHA256, whic h applies to all sensitive comm unications among U.S. federal agencies, and with the ones pro duced by other commercial RNGs (Fig. 2 g and comparativ e table in [ 38 ]). Message sending and correction of residual errors . T o a void any risk of electronic leak age, sequenc- ing, authentication and binary mask generation are p erformed at the last moment, using a lo cal hardware. The residual error b etw een the masks is treated via a standard lay er of error-correcting co de. W e selected the Bose–Chaudh uri–Ho cquenghem (BCH) cyclic co de (Supplementary note 5), which is widely accepted for correcting random binary errors [ 39 , 40 ]. T o set the BCH co de parameters, Alice needs an estimate of the error rate of the c hannel -whic h conceiv ably may v ary with pad storage or exp erimen tal conditions. Alice and Bob thus publicly share the 5PPD of an additional random stretch included in the index strand. In the exp erimen tal demonstration the tw o binary differed at 4189/157401800 p ositions, giving an estimated error rate of 3 × 10 − 5 (the actual error on the whole shared binary mask w as measured at ≈ 5 × 10 − 5 ). Alice then adjusts the parameters of BCH error correc- tion co de suc h that the probability that Bob cannot reconstruct error-free is lo wer than the standard cryptographic decryption failure rate of 2 − 128 , and sends the message. T o comply to the OTP requirement, immediately after transmission and deco ding, all traces of the binary mask are erased on b oth side. This includes residual DNA in the sequencing c hip or exp erimen tal w aste (suc h as liquids or contaminated surfaces) whic h is degraded chemically using standard lab pro cedures. W e tested the full OTP proto col b etw een Paris and T okyo b y OTP-encrypting, sending and deciphering a large color image using the exp erimentally generated random masks (Fig. 2 h and (Supplementary Files 1 for high-resolution pictures). Securing the DNA-synchronized c hannel . In DNA-OTP , the random DNA keys are assem bled directly b y Alice and remain unknown to anybo dy un til sequencing. Thanks to the exceptional information densit y and stabilit y of DNA, DNA pads are extremely compact and can b e easily concealed, transported using ph ysical securit y measures and securely stored for long times. Accordingly , pad transp ort can b e extremely infrequent, or even hap- p en only at installation. Still, it is conceiv able that an attack er (Ev e) can get access to a DNA pad during storage. W e en vision tw o main scenarios for such an attack (among p ossibly other options). First, Ev e could withdra w a fraction of Bob’s pad and sequence it indep enden tly , exp ecting that the partial material loss will go unnoticed. Second, with more time and resources, Eve could steal a full pad, PCR-amplify it, split the amplified solution in t wo, replace Bob’s share and k eep the rest for sequencing. W e show b elow that a simple pro cedure, based on the molecular prop erties of random DNA p o ols, is av ailable to resist these tw o types of attacks. In this secure version of the proto col, Alice prepares the DNA pads b y thermal denaturation and splitting, without PCR preamplification (Fig 3 a); the sto chastic partitioning pro cess thus applies to molecules present in exactly tw o copies (one direct and one rev erse-complemented). In addition, Alice and Bob add a step in their sequencing proto col, where they initially mark each molecule in the pad with a small Unique Molecular Iden tifier (UMI, Fig. 3 a). Suc h identifiers are generally made of a short stretch of random DNA and are commonly used in Next Generation Sequencing workflo ws [ 41 , 42 ]. Once these iden tifiers are co v alen tly attached to the individual DNA c hains, it b ecomes p ossible to use the deep sequencing data to unambiguously access the molecular coun t of eac h key in the original sample, regardless of the steps and biases that o ccur during sample pro cessing. Because Alice’s pad w as prepared b y partitioning a 2-copy sample, she theoretically exp ects either t wo UMIs p er cluster (when she receiv ed b oth direct and rev erse-complemented chains of a given key) or a single UMI (in the case where she received only one of the t wo chains, that is, among the shared set). By increasing the cop y n um b er and in tro ducing an additional partitioning, Ev e’s copy-and-replace attac k will alter the molecular coun t statistics and b ecome noticeable. T o test this concept, we exp erimentally prepared 10 denaturated DNA pad pairs, from a sampled diversit y of appro ximately 2 million DNA k eys eac h, and sim ulated Eve’s attacks under the tw o scenarios ab ov e, with v arious in tensities (Fig. 3 b-c). Alice and Bob then entered the key sequencing stage as b efore, except for the addition of the UMI-tagging preliminary step (Supplementary note 6). After sequencing, Alice (or Bob) groups the reads b y their index-pa yload conten t, and counts the num ber of different UMI asso ciated with each of these clusters. As exp ected, the simple partial theft b y Ev e resulted in a strictly null tripartite shared set in all cases ( 3 d), meaning that the c hannel remains safe. With a copy-and-replace attac k on Bob’s pad, Eve could get access to a part of the shared secret, but the statistical analysis of UMI counts within Bob’s clusters was clearly affected by the interference (Fig. 3 e-f ). Due to some imp erfections in the biomolecular op erations, some clusters with multiplicities greater than 2 were observed ev en in uncompromised samples. Ho wev er, in ternal renormalization b etw een the shared and nonshared set pro vides a very sensitive ”interference index”. This index reacted even to the most conserv ativ e 7 FIG. 3. Securization and simulation of attacks . a Installation of UMI tags to secure the c hannel. b Scenario 1: Ev e steals a fraction of the DNA keys within Bob’s pad, without replacemen t. c Scenario 2: Ev e steals Bob’s pad, am- plifies the keys by PCR, splits the solution and replace Bob’s p o ol. d Ensemble represen tation of the shared DNA keys for v arious fractions of theft in scenario 1, sho wing { Alice ∩ Bob } ∩ { Eve } = Ø in all cases. The diagrams indicate the n umber of shared keys, in thousands. e Ensemble representation for v arious amplification factors b y Eve, and normalized distribution of UMI multiplicit y mi in clusters in scenario 2. The four replicates for Alice are shown as a single c hart with error bars. The safety probability P = 1 − α in inset is calculated from the type-I, critical α of χ 2 test of the dif- ference b etw een nativ e (Alices’) and intercepted (Bobs’) UMI multiplicit y distributions. f In terference index defined as ( P i ≥ 2 ( N ( m i ) / N ( m 1 )) unshared keys ) / ( P i ≥ 2 ( N ( m i ) / N ( m 1 )) shared keys ) one-cop y attack, which only provided Eve with 15% of the shared secret, a fraction that would b e easily mitigated via standard priv acy amplification techniques [ 43 ]. The interference is also noticable in the corresp onding PCR amplification curves (Supplementary note 7). Discussion Our work introduces a no v el paradigm in secure comm unication by lev eraging synthetic DNA as a medium for generating large shared cryptographic keys, combining the prov ed security of OTP with the scalabil- it y and original properties of random DNA p olymers. 8 A t the heart of this approach lie the unique features of DNA, and its associated biotec hnological tools. W e demonstrate that DNA-based randomness—arising from the statistical incorp oration of nucleotides during c hem- ical syn thesis; from the inherent sto chasticit y of bio c hemical reactions in the assembly of index-payload DNA k eys; and from sampling in high-div ersit y p o ols—enables the safe generation of high-quality cryptographic masks. Sharabilit y leverage the double helical pairing of DNA molecules, the same prop erty that enable biological heredity . Securit y rest on limited attack options, and also exploits the discrete nature of molecular p o ols, where information can exist on molecules with small -p ossibly single- cop y num b er. When only a single pair of direct and reverse- complemen t is present, tripartite sharing is naturally forbidden. A ttacks then necessarily inv olv e a molecular-level cop ying pro cess, which ma y leav e scars, such as detectable anomalies in copy-n um b er statistics. Additional security could b e provided by con v erting the DNA to a non-amplifiable—but still sequencable— informational p olymer [ 44 ], as recently demonstrated [ 45 ]. Compared to more explored alternatives for secure k ey distribution [ 5 – 15 ], a critical adv an tage of DNA-based system lies in the capacity to generate synchronized random n umbers across very distant lo cations. While physical transp ort is required for initial installation, mask generation itself happ ens without material or photon exchange, only public information is transmitted on a classical c hannel. The high density and long-term stability of DNA allo w for exceptionally infrequent installation: a single gram of DNA pads could supp ort p etabytes of uncondi- tionally secure transmissions o ver extended p erio ds. Assuming a one-hour hands-on time to pro cess a pad, we estimate the throughput at ≃ 10 5 bit/s with standard equipment and sequencer, a v alue that compares fav orably with KQD [ 11 – 15 ]. Overall, while QKD is grounded in quantum principles but faces challenges in distance and scalabilit y , DNA—and more generally molecular—key generation op ens a promising new av en ue for cryptographers to explore its op erational c haracteristics [ 46 ]. Because of its density and stability , DNA is also actively explored as a medium for massive digital data storage [ 47 ]. Beside supp orting OTP encryption, DNA-based proto cols could b e adapted to secure long-term data archiving, where sensitive information stored in DNA databases could only b e deciphered b y the owner of a matching DNA k ey . Despite its promises, several c hallenges must be addressed to fully realize the potential of DNA in OTP or other cryptographic applications. Latency and cost (Supplementary note 2) remain k ey considerations, and may b e limiting for high-bandwidth communications. F uture work could explore faster sequencing tec hnologies, whic h promise large throughput increase and exp onential cost decrease [ 29 ]. Combined with automated and pack aged w orkflows for DNA archiv es manipulation [ 48 ], this could make DNA-OTP more accessible. Finally , standardization and interoperability are critical for real-w orld deplo yment, requiring the establishmen t of standardized proto cols for DNA pad generation, usage, and destruction.These developmen t may how ev er soon open the widespread application of molecular randomness in securing sensitive communications, financial transactions or arc hiving [ 25 ]. I I. METHODS Oligon ucleotide sequence design Index and pa yload sequences were designed with 14 regions containing 5 ran- dom nucleotides (N-blo cks) separated b y 6-n ucleotide defined spacers, summing to 197 and 195 bases, resp ectively . The 3’ end of b oth oligos are cross-complementary sequences for annealing and extension. The 5’ end domains are primer binding site for PCR amplification. The spacers serv e t wo roles: they ease alignment by providing lo cal alignmen t marks and insulate the v ariable regions from each other during syn thesis, PCR, and sequencing. The dsDNA keys assembly principle is based on the complementarit y of 3’ end of these tw o sequences (index strand and pa yload strand). Hence, the index strand, p ossess at 3’ end a 27-nucleotide long region complementary to the 3’ end of the payload strand. Oligon ucleotides were ordered at In tegrated DNA T echnology (IDT) and their sequences are av ailable in Supplementary File 3. Generating double-stranded Index-payload DNA keys (dsDNA k eys). Index strands and payload strands w ere annealed at 100 nM and extended in a 50 µ L reaction mix containing final concen trations of 1 × Q5 ® reaction buffer (NEB, M0493), 200 µ M dNTP (NEB, N0447), 0.2 × Ev aGreen (BIOTIUM, 31000-T), 1% rAlbumin (NEB, B9200). The following proto col w as run on CFX96 T ouc h Real-Time PCR detection system (BioRad): 25 ◦ C for 10 sec and signal acquisition, 98 ◦ C for 30 sec, 97 ◦ C to 60 ◦ C at -0.5 ◦ C p er min, 60 ◦ C for 40 sec and addition of 1% Q5 ® Hot Start High-Fidelity DNA p olymerase (NEB, M0493) at this p oint, 60 ◦ C to 72 ◦ C at +0.5 ◦ C p er min and a final extension at 72 ◦ C for 10 min. P ost annealing and extension, dsDNA keys, exp ected at 365 bases long, w ere purified using SPRIselect b eads 9 (Bec kman Coulter F rance, B23318) with a b eads-to-sample ratio of 1 × , following manufacturer’s recommendation, except that 85% EtOH was used. dsDNA k eys were then quantified using Qubit double-stranded DNA High Sensitivit y kit. T o estimate the num ber of dsDNA keys in the sample p ost purification, which at this stage corresp ond to the p o ol’s diversit y , an electrophoresis w as run on a 4200 T ap eStation System (Agilen t) using High Sentitivit y D1000 reagen ts and ScreenT ape, following manufacturer’s instructions. W e measured 60.5 pg of DNA p er µ L for the 365 bp p eak, corresp onding to 1.5 × 10 8 dsDNA keys p er µ L. Sync hronized random num ber generation using duplicated DNA pads betw een ESPCI P aris and the Univ ersit y of T oky o. Double str ande d DNA keys b ottlene cking. Purified dsDNA keys (quantified at 1.5 × 10 8 molecules p er µ L) w ere diluted and sampled to obtain approximately 30 million of molecules in 2 µ L. A mplifying dsDNA keys. T o amplify dsDNA key sample, a PCR was run using a mix containing 1 × Q5 reac- tion buffer (NEB, M0493), 200 µ M dNTP (NEB, N0447), 500 nM forward-index and reverse-pa yload primers, 0.2 × Ev aGreen (BIOTIUM, 31000-T), 1% rAlbumin (NEB, B9200), 1% Q5 ® HotStart High-Fidelity DNA polymerase (NEB, M0493) in a total volume of 20 µ L. Amplification w as realized on CFX96 T ouch Real-Time PCR Detection System using the following proto col: first denaturation step at 95 ◦ C for 30 sec, 39 cycles of 95 ◦ C 30 sec, 70 ◦ C 30 sec and 72 ◦ C 1 min and a final extension step at 72 ◦ C for 5 min. T o av oid hetero duplexes formation, PCR was follo wed in real time by fluorescent tracking and stopp ed at the end of the exp onential phase by skipping step after 30 sec of extension at 72 ◦ C. PCR pro duct was purified using SPRIselect beads as previously mentioned using a 0.95 × b eads-to-sample ratio. Estimation of the diversity. Prior to sequencing the whole sample, a part was sequenced using Oxford Nanop ore T ec hnology (ONT) on a Flongle flo w cell to estimate k ey div ersit y . The remaining sample was kept at +4 ◦ C un til ready to use. Library preparation step was realized on amplified and purified dsDNA keys using the LSK-SQK114 ligation kit, with some mo difications. The full proto col is av ailable in Supplementary File 4a. Libraries were sequenced on FLO-FLG114 flo w cell. Due to a sequencing crash, left-ov er libraries w ere loaded on a new flow cell. The reads were filtered, clustered and the div ersit y estimated b y fitting the cluster size distribution to a Poisson la w. Splitting amplifie d dsDNA keys. The remaining sample was end-prepp ed follo wing the supplier’s proto col pro- vided in Supplementary File 4b. The sample was purified and was split in tw o parts of 31 µ L. The first part was k ept in Paris for library preparation, while the other half was sent to T okyo (LIMMS lab oratory , Komaba Campus T oky o Universit y , Japan) at room temp erature where it was k ept at 4 ◦ C un til sequencing, roughly 1 month later. The adapter ligation step w as prepared just before sequencing. Pr omethION se quencing in Paris and T okyo. A total of 130 fmol of libraries w as loaded on PRO-MIN114 flow cell and sequenced on PromethION Solo 2 platform, generating 195.55M reads. The same proto col w as applied in T oky o, except that the left-ov er libraries ( ∼ 50 fmol) were loaded on a second flow cell. First T oky o run generated a total of 178.21M reads, while the second run generated 143.42M reads. After aligning and filtering, Alice and Bob’s runs retained 146 033 874 and 201 264 655 reads, resp ectively . Secure data sharing proto col: DNA k ey sample splitting at single copy stage and UMI tagging. Denatur ation of dsDNA keys. W e first measured the melting temp erature of dsDNA k eys and found an ex- p erimen tal Tm of 74 ◦ C. dsDNA keys w ere prepared as mentioned previously but using the following proto col: 25 ◦ C for 10 sec and signal acquisition, 85 ◦ C for 1 min, 84 ◦ C to 60 ◦ C at -0.5 ◦ C p er min, 60 ◦ C for 40 sec and addition of 1% Q5 ® Hot Start High-Fidelity DNA polymerase (NEB, M0493) at this p oint, 60 ◦ C to 72 ◦ C at +0.5 ◦ C p er min and a final extension at 72 ◦ C for 10 min. The prepared dsDNA k eys w ere b ottleneck ed via dilution and sampling to the targeted diversit y and diluted in Milli-Q containing the double-stranded circular plasmid pUC19 (NEB, N3041), used as a carrier, at a final concentration of 4.7 nM. This sample was then denaturated by heating to 85 ◦ C for 30 sec and co oling down to 24 ◦ C with a rate of -3 ◦ C p er min. The denaturated sample was separated in tw o 2.9 µ L aliquots, for Alice and Bob. T agging the denatur ate d DNA keys with Unique Mole cular Identifiers. The forward and rev erse UMI-primers w ere designed with 3 domains. F rom 5’ to 3’: a tail domain corresp onding to the sequence of the external amplifica- tion primers (forward and reverse reamplification primers), used for library amplification, a short N 5 UMI domain; 10 a 3’ head identical to standard amplification primers (forw ard-index and reverse-pa yload primers, Supplemen tary File 4). The DNA keys were submitted to tw o-cycles PCR using UMI-primers in a mix containing: 1 × Q5 ® reaction buffer (NEB, M0493), 200 µ M dNTP (NEB, N0447), 200 nM forw ard and reverse UMI primers, 0.2 × Ev aGreen (BIOTIUM, 31000-T), 1% rAlbumin (NEB, B9200), 1% Q5 ® Hot Start High-Fidelity DNA p olymerase (NEB, M0493). The follo wing proto col w as used: first denaturation at 98 ◦ C for 15 sec, 2 cycles: 98 ◦ C 10 sec, 70 ◦ C for 30 sec, 72 ◦ C for 1 min and a final extension step at 72 ◦ C for 30 sec. Although Q5 enzyme requires a final concen tration of primers of 500 nM, optimization had shown that the efficiency of this PCR do es not deteriorate do wn to 200 nM of eac h primers. Excess UMI primers were then enzymatically digested. Exon ucleaseI thermolabile enzyme (NEB, M0568) was diluted 6 times as follow: 6.3 µ L Milli-Q, 2 µ L Q5 reaction buffer 5X and 1.68 µ L exonucleaseI thermolabile. One µ L of this solution was added to the PCR tub e and incubated at 20 ◦ C for 10 min. After the reaction, the enzyme w as deactiv ated for 1 min at 80 ◦ C. T o minimize pip etting and a void losing molecules on surfaces, these reactions w ere conducted in the same PCR tub e. A mplifying UMI-tagge d DNA keys for se quencing. A PCR using external reamplification primers were realized with 1 × Q5 reaction buffer (NEB, M0493), 200 µ M dNTP (NEB, N0447), 500 nM forward and reverse reamplifica- tion primers (Supplementary File 5), 0.2 × Ev aGreen (BIOTIUM, 31000-T), 1% rAlbumin (NEB, B9200), 1% Q5 ® Hot Start High-Fidelity DNA p olymerase (NEB, M0493). The PCR was run with a first denaturation step at 98 ◦ C for 15 sec, 39 cycles as follow: 98 ◦ C for 10 sec, 65 ◦ C for 30 sec and 72 ◦ C for 1 min; and a last extension step at 72 ◦ C for 5 min. The PCR w as follow ed in real time by fluorescent tracking and stopped at the end of the exp onential phase by skipping step after 30 sec of extension at 72 ◦ C. Final extension w as performed for 5 min at 72 ◦ C. Lastly , PCR pro ducts w ere purified using SPRIselect magnetic b eads using a b eads-to-sample ratio of 0.95x and 85% EtOH. A ttack sc enario 1: Eve ste als p art of the message without r eplac ement. First, four single cop y DNA pad pairs with div ersit y 2 million were created as men tioned ab o ve (See Denaturation of dsDNA keys). F our stealing frac- tions w ere tested: 0% (no-stealing con trol), 10%, 50% and 90%. Eve sampled the corresp onding v olume (0.29 µ L, 1.95 µ L and 2.61 µ L) from Bob’s pad and replaced it with the same amount of Milli-Q water. Ev e’s amplified the stolen sample via a standard DNA key amplification (See Amplifying dsDNA keys) but using the follo wing proto col: first denaturation step at 98 ◦ C for 10 sec, 39 cycles of 98 ◦ C 15 sec, 70 ◦ C 30 sec and 72 ◦ C 1 min and a final extension step at 72 ◦ C for 5 min. This proto col is later referred as “Eve Stealing Protocol” (ESP). She then prepared the sample for sequencing without UMI tagging. Alice and Bob tagged their denatured and split DNA keys with UMI and amplified their UMI k eys as men- tioned previously (See UMI-tagging and amplifying UMI-tagged sections). ONT libraries were prepared on stolen amplified k eys as w ell as Alice and Bob keys using the SQK-NBD114-24 library preparation kit with native bar- co ding as mentioned in Supplementary File 4c. Libraries (60 fmol) were loaded on a promethION flow cell and run on a PromethION Solo 2 platform. A ttack sc enario 2: Eve ste als Bob’s p ads, amplifies it by PCR, splits and r eplac es. First, four single copy DNA pad pairs with diversit y 2 million were created as ab ov e. Eve to ok the entiret y of Bob’s pads and p erformed PCR using the ESP protocol, butlimiting the cyle n um b er to 1, 2 or 10 PCR cycles in order to adjust the copy num ber. One of Bob’s pads was left un touched as a control. T o a v oid b eing unco vered by left-ov er primers, Eve then degraded her primers using exonucleaseI thermolabile/6 follo wing the proto col men tioned in T agging denatur ate d DNA keys with Unique Mole cular Identifiers . Then, she sampled her PCR pro duct to collect 2 million DNA strands for Bob, amounting to half of her sample in the 1 cycle case,1 / 4 of for 2 cycles and 1/1000 of for the 10 cycles case. Additionally , she adjusted the volume restituted to Bob to 2.9 µ L. Prior to sequencing, Eve performed as describ ed ab ov e (See ESP of Attac k 1 section). On their side, Alice and Bob p erformed UMI-tagging and sequencing as previously describ ed (See UMI-tagging and amplifying UMI-tDNA sections). A total of 130 fmol of libraries w as loaded onto a PromethION flo w cell. Basecalling and sequence pro cessing for mask generation. Base c al ling. Raw data w ere acquired using live basecalling except for the run of T oky o. Basecalling for all exp eri- men ts was p erformed using dorado v .1.1.1+3c7eef9 with the follo wing mo del: dna r10.4.1 e8.2 400bps sup@v5.0.0 or v5.2.0. In the case of p o oled sequencing, the differen t exp eriments were tagged with the native barco ding kit SQK-NBD114-24, and liv e dem ultiplexed using dorado demux and the – b ar c o de-b oth-ends parameter. 11 All sequence pro cessing follow ed the same pip eline, using custom co de written in Mathematica or Python. The raw basecalls w ere filtered by median Qscore and length. (-) reads w ere conv erted to (+) reads and all w ere then aligned on a reference where the exp ected random regions were represented by N, allowing the aligning algorithm to match an y bases at these p ositions without p enalities. After aligning, the non-constant regions (including sequencing barco des and random blo cks -such as UMI, index blo cks or payload blo cks) were extracted from the sequence, along with their associated Qscores. Insertions w ere replaced with the first base at the corresponding p osition in alignmen t (and giv en the minimal v alue of the asso ciated Qscores), to allow a dense tabular format. Qscores for deletions were computed as the min of the tw o nearest attributed Qscores. In the case of indexed sequencing ( i.e. , using the nativ e barcoding kit on ONT to p ool multiple samples in the same sequencing run), w e then extracted, for eac h barco de, only the reads with prop er matching barcodes on b oth sides (allo wing an edit distance of 3 for barcode attribution). Clustering and c onsensus c al ling. W e then p erformed clustering of all reads according to their index and pay- load blo cks (and ignoring UMIs in case UMIs w ere present) via an iterative process. The median Qscore M q of eac h blo ck, av eraged ov er all reads, w as computed and ordered. W e then selected the 6 blo cks with the highest M q and concatenated the corresp onding sequences to generate an i 1 read iden tifier (of length 30 nt). W e then group ed the reads by p erfect i 1 matc h. Within each group, we extracted the list of sequences for the second-b est group of 6 blo c ks, and computed a consensus via simple ma jorit y v oting, to generate i 1 . If a group con tained only one read, the ra w sequence w as used as i 2 . W e then iterated the grouping, combining all groups that had the same i 2 . The pro cess was rep eated un til all blo cks had b een used. F or example, the n umber of clusters and the num b er of clusters containing more than one read along the it- erativ e process for Bob’s sequencing shown in Fig.2 in the main text, is giv en in Supplementary T able S6. W e then retained only the clusters with more than one read and computed a complete consensus, while also estimating the error probabilit y (as a consensus Qscore) at eac h p osition. F or each p osition, the consensus base w as selected by w eighted ma jorit y voting, where each weigh t was the Qscore pro vided by the basecaller for that base. Indeed, as the Qscore are defined on a logarithmic scale, the most lik ely base is the one with the highest total Qscore. Its consensus Qscore can then b e approximated as the sum of all Qscores asso ciated with the winning base, minus the sum of all Qscores asso ciated with non-ma jorit y bases, minus a p enalt y of 4.8 p er non ma jorit y base (Supplementary note 8 for a deriv ation). Consensus filtering. Once all consensuses were computed, the data was organized in an index/pa yload format b y fusing blo cks 8-14 as an index and 15-28 as a payload (that is, 6 blo cks originating from the index strand as index, and all blo c ks from the payload strand as payload). This design offered an indexing capacity of 4 30 ∼ 10 18 sequences. The blocks 1-7 w ere reserved for error estimation. The consensuses w ere then filtered, retaining only those with a minimum Qscore in the pa yload ab ov e 30. T o filter out PCR errors (whic h are exp ected to generate a p oin t-wise defect in the consensus p er-base quality scores), we also computed the min v alue of the Qscores normalized b y the block median and filtered out consensuses con taining at least one v alue b elow 0.5. Finally we c heck ed the unicity of each index and discarded the small fraction ( ∼ 1/10000) of consensuses with non-unique indices, which may originate from PCR artifacts. Synchr onization and mask gener ation. Bob sen t the full list of his indices to Alice. Alice computed the inter- section b etw een this list and her own set of indices. F or the large sequencing presen ted in Fig.2, Alice found the in tersection of indices to represen t ≈ 82% of her total and sent that intersection in a random ordering O r bac k to Bob. Both Alice and Bob organized their set of payloads according to the ordering O r (th us discarding the keys whose index are not in the in tersection) and created a file with the corresp onding ordered payloads. They then group ed the pa yload sequences in blocks of 5, applied 5PPD, and concatenated the result column-wise to obtain a single large binary string. The true error rate can b e computed b y comparing the mask computed indep endently b y Alice and Bob. W e found that the error was sligh tly higher ( ∼ 4 folds) in proto col without PCR amplification b efore sample partitioning. Since the sequencing depth we used was typically higher for the later runs, this higher error rate do es not originate from the sequencing. W e speculated that this mild desync hronization originates from 12 the PCR errors o ccurring during the t wo parallel amplifications from single molecules. [1] W. Diffie and M. Hellman, “New directions in cryptograph y ,” IEEE T r ansactions on Information The ory , vol. 22, no. 6, pp. 644–654, 1976. [2] R. Av anzi, J. Bos, L. Ducas, E. Kiltz, T. Lepoin t, V. Lyubashevsky , J. M. Schanc k, P . Sc hw abe, G. Seiler, D. Stehl´ e, et al. , “Crystals-kyb er algorithm sp ecifications and supp orting documentation,” NIST PQC R ound , v ol. 2, no. 4, pp. 1–43, 2019. [3] P . Gab orit, C. Aguilar-Melchor, N. Aragon, S. Bettaieb, L. Bidoux, O. Blazy , J.-C. Deneuville, E. P ersichetti, G. Z´ emor, J. Bos, A. Dion, J. Lacan, J.-M. Robert, P . V ´ eron, P . Barreto, S. Ghosh, S. Gueron, T. G ¨ uneysu, R. Misoczki, R. Ric hter- Brokmann, N. Sendrier, J.-P . Tillich, and V. V asseur, “Hamming quasi-cyclic,” NIST Post-Quantum Standar dization, 4th R ound; National Institute of Standar ds and T e chnology , 2025. [4] D. Joan and R. Vincent, “The design of rijndael, aes - the adv anced encryption standard,” 2002. [5] C. H. Bennett and G. Brassard, “Quan tum cryptography: Public key distribution and coin tossing,” The or etic al Com- puter Scienc e , vol. 560, pp. 7–11, 2014. Theoretical Asp ects of Quantum Cryptograph y – celebrating 30 years of BB84. [6] V. Scarani, H. Bec hmann-Pasquin ucci, N. J. Cerf, M. Du ˇ sek, N. L¨ utk enhaus, and M. Peev, “The security of practical quan tum key distribution,” Rev. Mo d. Phys. , vol. 81, pp. 1301–1350, Sep 2009. [7] F. Xu, X. Ma, Q. Zhang, H.-K. Lo, and J.-W. P an, “Secure quantum key distribution with realistic devices,” R ev. Mo d. Phys. , vol. 92, p. 025002, May 2020. [8] B. Korzh, C. C. W. Lim, R. Houlmann, N. Gisin, M. J. Li, D. Nolan, B. Sanguinetti, R. Thew, and H. Zbinden, “Prov ably secure and practical quan tum key distribution ov er 307 km of optical fibre,” Natur e Photonics , vol. 9, pp. 163–168, Mar 2015. [9] M. Lucamarini, Z. L. Y uan, J. F. Dynes, and A. J. Shields, “Overcoming the rate–distance limit of quan tum key distribution without quantum rep eaters,” Natur e , vol. 557, pp. 400–403, May 2018. [10] M. Pittaluga, M. Minder, M. Lucamarini, M. Sanzaro, R. I. W oo dward, M.-J. Li, Z. Y uan, and A. J. Shields, “600-km rep eater-lik e quantum communications with dual-band stabilization,” Natur e Photonics , vol. 15, pp. 530–535, Jul 2021. [11] S. W ang, Z.-Q. Yin, D.-Y. He, W. Chen, R.-Q. W ang, P . Y e, Y. Zhou, G.-J. F an-Y uan, F.-X. W ang, Y.-G. Zhu, P . V. Morozo v, A. V. Divochiy , Z. Zhou, G.-C. Guo, and Z.-F. Han, “Twin-field quan tum k ey distribution ov er 830-km fibre,” Natur e Photonics , vol. 16, pp. 154–161, F eb 2022. [12] L. Zhou, J. Lin, Y. Jing, and Z. Y uan, “Twin-field quantum key distribution without optical frequency dissemination,” Natur e Communic ations , vol. 14, p. 928, F eb 2023. [13] Y. Liu, W.-J. Zhang, C. Jiang, J.-P . Chen, C. Zhang, W.-X. Pan, D. Ma, H. Dong, J.-M. Xiong, C.-J. Zhang, H. Li, R.-C. W ang, J. W u, T.-Y. Chen, L. Y ou, X.-B. W ang, Q. Zhang, and J.-W. Pan, “Exp erimental twin-field quantum k ey distribution ov er 1000 km fib er distance,” Phys. Rev. L ett. , vol. 130, p. 210801, May 2023. [14] Y. Zheng, H. W ang, X. Jia, J. Huang, H. Y uan, C. Zhai, J. Dai, J. Shi, L. Zhang, X. Zhang, M. Zhuang, J. Liu, J. Mao, T. Dai, Z. F u, Y. Jiao, Y. Shi, D. Dai, X. W ang, Y. Li, Q. Gong, Z. Y uan, L. Chang, and J. W ang, “Large-scale quantum comm unication netw orks with integrated photonics,” Nature , F eb 2026. [15] B.-W. Lu, C.-W. Y ang, R.-Q. W ang, B.-F. Gao, Y.-Z. Zhen, Z.-G. W ang, J.-K. Shi, Z.-Q. Ren, T. A. Hahn, E. Y.-Z. T an, X.-P . Xie, M.-Y. Zheng, X. Jiang, J. Zhang, F. Xu, Q. Zhang, X.-H. Bao, and J.-W. P an, “Device-independent quan tum key distribution ov er 100 km with single atoms,” Scienc e , vol. 391, no. 6785, pp. 592–597, 2026. [16] S. Gupta, Y. Huang, S. Liu, Y. Pei, Q. Gao, S. Y ang, N. T omm, R. J. W arburton, and T. Zhong, “Dual epitaxial telecom spin-photon interfaces with long-lived coherence,” Natur e Communic ations , vol. 16, p. 9814, Nov 2025. [17] S. Pirandola, R. Laurenza, C. Ottaviani, and L. Banc hi, “F undamental limits of repeaterless quan tum communications,” Natur e Communic ations , vol. 8, p. 15043, Apr 2017. [18] S.-K. Liao, W.-Q. Cai, J. Handsteiner, B. Liu, J. Yin, L. Zhang, D. Rauc h, M. Fink, J.-G. Ren, W.-Y. Liu, Y. Li, Q. Shen, Y. Cao, F.-Z. Li, J.-F. W ang, Y.-M. Huang, L. Deng, T. Xi, L. Ma, T. Hu, L. Li, N.-L. Liu, F. Koidl, P . W ang, Y.-A. Chen, X.-B. W ang, M. Steindorfer, G. K irc hner, C.-Y. Lu, R. Shu, R. Ursin, T. Scheidl, C.-Z. Peng, J.-Y. W ang, A. Zeilinger, and J.-W. Pan, “Satellite-relay ed intercon tinen tal quantum netw ork,” Phys. Rev. L ett. , vol. 120, p. 030501, Jan 2018. [19] S.-K. Liao, W.-Q. Cai, W.-Y. Liu, L. Zhang, Y. Li, J.-G. Ren, J. Yin, Q. Shen, Y. Cao, Z.-P . Li, F.-Z. Li, X.-W. Chen, L.-H. Sun, J.-J. Jia, J.-C. W u, X.-J. Jiang, J.-F. W ang, Y.-M. Huang, Q. W ang, Y.-L. Zhou, L. Deng, T. Xi, L. Ma, T. Hu, Q. Zhang, Y.-A. Chen, N.-L. Liu, X.-B. W ang, Z.-C. Zhu, C.-Y. Lu, R. Shu, C.-Z. Peng, J.-Y. W ang, and J.-W. P an, “Satellite-to-ground quantum k ey distribution,” Nature , v ol. 549, pp. 43–47, Sep 2017. [20] Y. Li, W.-Q. Cai, J.-G. Ren, C.-Z. W ang, M. Y ang, L. Zhang, H.-Y. W u, L. Chang, J.-C. W u, B. Jin, H.-J. Xue, X.-J. Li, H. Liu, G.-W. Y u, X.-Y. T ao, T. Chen, C.-F. Liu, W.-B. Luo, J. Zhou, H.-L. Y ong, Y.-H. Li, F.-Z. Li, C. Jiang, H.-Z. Chen, C. W u, X.-H. T ong, S.-J. Xie, F. Zhou, W.-Y. Liu, Y. Ismail, F. Petruccione, N.-L. Liu, L. Li, F. Xu, Y. Cao, J. Yin, R. Shu, X.-B. W ang, Q. Zhang, J.-Y. W ang, S.-K. Liao, C.-Z. P eng, and J.-W. Pan, “Microsatellite-based real-time quantum key distribution,” Natur e , vol. 640, pp. 47–54, Apr 2025. [21] C. E. Shannon, “Communication theory of secrecy systems,” The Bel l System T echnic al Journal , vol. 28, no. 4, pp. 656– 715, 1949. [22] L. C. Meiser, J. Ko ch, P . L. Antk o wiak, W. J. Stark, R. Heck el, and R. N. Grass, “Dna synthesis for true random n umber generation,” Natur e Communic ations , vol. 11, p. 5869, No v 2020. 13 [23] A. M. Luescher, A. L. Gimp el, W. J. Stark, R. Heck el, and R. N. Grass, “Chemical unclonable functions based on op erable random dna p o ols,” Natur e Communic ations , vol. 15, p. 2955, Apr 2024. [24] G. B. M. Wisna, D. Sukharev a, J. Zhao, P . Chopade, D. Saty abola, M. Matthies, S. Roy , C. W ang, P . ˇ Sulc, H. Y an, and R. F. Hariadi, “High-sp eed 3d dna paint and unsup ervised clustering for unlo cking 3d dna origami cryptography ,” Natur e Communic ations , vol. 16, p. 11514, D ec 2025. [25] O. Amer, S. Chakrabarti, K. Chakrab orty , S. Eloul, N. Kumar, C. Lim, M. Liu, P . Niroula, Y. Satsangi, R. Shaydulin, and M. Pistoia, “Applications of certified randomness,” Natur e Reviews Physics , vol. 7, pp. 514–524, Sep 2025. [26] S. D. Lemaire, D. T urek, D. Landsman, M. Colotte, and T. F. A. de Greef, “Challenges and opp ortunities in dna computing and data storage,” Natur e Nanote chnolo gy , vol. 20, pp. 710–714, Jun 2025. [27] K. H. Kjær, M. Win ther Pedersen, B. De Sanctis, B. De Cahsan, T. S. Korneliussen, C. S. Michelsen, K. K. Sand, S. Jelavi ´ c, A. H. Ruter, A. M. A. Schmidt, K. K. Kjeldsen, A. S. T esak o v, I. Snowball, J. C. Gosse, I. G. Alsos, Y. W ang, C. Dockter, M. Rasmussen, M. E. Jørgensen, B. Sk adhauge, A. Prohask a, J. ˚ A. Kristensen, M. Bjerager, M. E. Allentoft, E. Coissac, I. G. Alsos, A. Rouillard, A. Simak ov a, A. F ernandez-Guerra, C. Bowler, M. Macias-F auria, L. Vinner, J. J. W elch, A. J. Hidy , M. Sikora, M. J. Collins, R. Durbin, N. K. Larsen, E. Willerslev, and P . Consortium, “A 2-million-y ear-old ecosystem in greenland unco v ered b y en vironmental dna,” Natur e , v ol. 612, pp. 283–291, Dec 2022. [28] W. KA, “Dna sequencing costs: Data from the nhgri genome sequencing program (gsp),” 2022. www.genome.gov/ sequencingcostsdata Accessed [22 Jan. 2026]. [29] B. Ha jieghrari and S. Nejati-Jahromi, “Next generation sequencing and b eyond: a review of genomic sequencing meth- o ds,” F unctional & Inte gr ative Genomics , vol. 25, p. 242, Nov 2025. [30] J. K¨ onig, K. Zarnack, G. Rot, T. Curk, M. Kayik ci, B. Zupan, D. J. T urner, N. M. Luscombe, and J. Ule, “iclip reveals the function of hnrnp particles in splicing at individual nucleotide resolution,” Natur e Structur al & Mole cular Biolo gy , v ol. 17, pp. 909–915, Jul 2010. [31] T. Kivio ja, A. V¨ ah¨ arautio, K. Karlsson, M. Bonke, M. Enge, S. Linnarsson, and J. T aipale, “Counting absolute num bers of molecules using unique molecular identifiers,” Natur e Metho ds , vol. 9, pp. 72–74, Jan 2012. [32] M. S¨ onmez T uran, E. Barker, J. Kelsey , K. McKay , M. Baish, and M. Boyle, “Recommendation for the entrop y sources used for random bit generation, nist sp ecial publication 800-90b,” 2018. [33] “Security requirements for cryptographic mo dules,” 2019. [34] M. Aslan, A. Do˘ ganaksoy , Z. Saygı, M. S¨ onmez T uran, and F. Sulak, “Observ ations on nist sp 800-90b entrop y estima- tors,” Crypto gr aphy and Communic ations , Jan 2025. [35] NASA, ESA, and the Hubble Heritage T eam, “New infrared view of the horsehead nebula — hubble’s 23rd anniversary image. heic1307a,” 2013. https://esahubble.org/images/heic1307a/ Accessed [13 F eb.2026]. [36] Y. Erlich and D. Zielinski, “Dna foun tain enables a robust and efficien t storage architecture,” Scienc e , v ol. 355, no. 6328, pp. 950–954, 2017. [37] M.-J. O. Saarinen, “Sp 800–22 and gm/t 0005–2012 tests: Clearly obsolete, p ossibly harmful,” in 2022 IEEE Eur op e an Symp osium on Security and Privacy Workshops (Eur oS & PW) , pp. 31–37, 2022. [38] G. V rana, D. Lou, and R. Kuang, “Raw qpp-rng randomness via system jitter across platforms: a nist sp 800-90b ev aluation,” Scientific Rep orts , vol. 15, p. 27718, Jul 2025. [39] A. Ho cquenghem, Co des c orr e cteurs d’err eurs . Chiffres (Paris), Asso ciation fran¸ caise de calcul, 1956. [40] R. Bose and D. Ra y-Chaudhuri, “On a class of error correcting binary group codes,” Information and Contr ol , vol. 3, no. 1, pp. 68–79, 1960. [41] O. Stegle, S. A. T eichmann, and J. C. Marioni, “Computational and analytical challenges in single-cell transcriptomics,” Natur e R eviews Genetics , vol. 16, pp. 133–145, Mar 2015. [42] H. Y eom, N. Kim, A. C. Lee, J. Kim, H. Kim, H. Choi, S. W. Song, S. Kwon, and Y. Choi, “Highly accurate sequence- and p osition-indep endent error profiling of dna syn thesis and sequencing,” ACS Synthetic Biolo gy , v ol. 12, pp. 3567–3577, Dec 2023. [43] A. Bittau, U. Erlingsson, P . Maniatis, I. Mirono v, A. Raghunathan, D. Lie, M. Rudominer, U. Kode, J. Tinnes, and B. Seefeld, “Pro c hlo: Strong priv acy for analytics in the crowd,” in Pr o c e e dings of the 26th Symp osium on Op er ating Systems Principles , SOSP ’17, (New Y ork, NY, USA), p. 441–459, Asso ciation for Computing Machinery , 2017. [44] J.-F. Lutz, M. Ouchi, D. R. Liu, and M. Saw amoto, “Sequence-controlled p olymers,” Science , vol. 341, no. 6146, p. 1238149, 2013. [45] M. Kok oris, R. McRuer, M. Nabavi, A. Jacobs, M. Prindle, C. Cec h, K. Berg, T. Lehmann, C. Mac hacek, J. T abone, J. Chandrasek ar, L. McGee, M. Lop ez, T. Reid, C. Williams, S. Barrett, A. Lehmann, M. Kov arik, R. Busam, S. Miller, B. Banasik, B. Kesic, A. Arryman, M. Rogers-P eckham, A. Kimura, M. LeProwse, M. W olfin, S. Kritzer, J. Leadb etter, M. Babazadeh, J. Chase, G. Thiessen, W. Lin t, D. Goo dman, D. O’Connell, N. Lumanpau w, J. Hoffman, S. V ellucci, K. Collins, J. V ellucci, A. T a ylor, M. Murphy , M. Lee, and M. Corning, “Sequencing by expansion (sbx) – a nov el, high-throughput single-molecule sequencing technology ,” bioRxiv , 2025. [46] F. W alter, H. Nara yanan, J. Bariffi, A. L ¨ usc her, R. Bitar, R. Grass, A. W ac h ter-Zeh, and Z. Y akhini, “A securit y framew ork for chemical functions,” 2026. [47] G. M. Churc h, Y. Gao, and S. Kosuri, “Next-generation digital information storage in dna,” Scienc e , v ol. 337, no. 6102, pp. 1628–1628, 2012. [48] C. N. T ak ahashi, B. H. Nguy en, K. Strauss, and L. Ceze, “Demonstration of end-to-end automation of dna data storage,” Scientific R ep orts , vol. 9, p. 4998, Mar 2019. 14 I I I. A CKNOWLEDGEMENTS Dr. A.G. passed aw a y on April 2025 Before his passing, the late A.G. w as deeply in volv ed in conceptualizing and implemen ting the present studies. This manuscript is based on a preliminary outline that he pro duced. W e are incredibly grateful for his contributions and would lik e to dedicate this work to his memory . The authors also thank Y annic k T auran, K´ evin Ricard for their help in sequencing, Guillaume Gines for critical comments, Nicolas Cl ´ emen t, Masahiro Nomura, Bruno Le Pioufle, the Service p our la Science et la T ec hnologie and the press service of the F renc h Em bassy in Japan for his their kind assistance and supp ort. W e would like to thank Y uri Klebanov and Naoto T ak a yama from the I IS T oky o Design Lab for the design of a DNA capsule. This work is funded by the ANR DNASec (ANR-24-CE39-3908-04), and the PEPR MoleculArXiv (ANR-22-PEXM-0002). IV. A UTHORS CONTRIBUTIONS SJ p erformed the exp eriments and analysed the results with YR and VS. HG and MC p erformed the en tropy analysis. EB p erformed preliminary exp eriments. VB and VS contributed to the exp erimental workflo w. TP , SG p erformed additional statistical analysis. All authors participated in data acquisition, writing and critical revision of the manuscript. YR, PG, ML, SHK, GC and AG were resp onsible for, conceptualization, sup ervision and funding acquisition. All authors (excepted AG) read and approv ed the final v ersion of the manuscript. V. DECLARA TION OF INTEREST A patent rep orting some of the metho ds was filed by the CENTRE NA TIONAL DE LA RECHERCHE SCI- ENTIFIQUE, INSTITUT MINES TELECOM, UNIVERSITE DE LIMOGES and ´ ECOLE SUP ´ ERIEURE DE PHYSIQUE ET DE CHIMIE INDUSTRIELLES DE LA VILLE DE P ARIS.