Optimization of intensity-modulation/direct-detection optical key distribution under passive eavesdropping

We analyze theoretically optimal operation of an optical key distribution (OKD) link based on fine intensity modulation of an optical signal transmitted over an attenuating channel to a direct detection receiver. With suitable digital postprocessing, the users may generate a secret key that will be unknown to an unauthorized party collecting passively a fraction of the signal that escapes detection by the legitimate recipient. The security is ensured by the presence of the shot noise that inevitably accompanies eavesdropper's attempt to detect the collected signal. It is shown that the key amount depends on a ratio that compares legitimate recipient's and eavesdropper's capabilities to detect the signal, including noise contributed by their respective detectors. A simple proportionality relation is derived in the strong eavesdropping regime and closed expressions for the optimal depth of binary intensity modulation as well as the discrimination thresholds for hard-decoded direct detection are given. The presented results substantially simplify design of practical OKD systems operating under changing external conditions, e.g. variable atmospheric absorption in the case of free-space optical links.


Introduction
Modern day cyber security relies primarily on software solutions.However, there is a growing recognition for the need to protect also the physical layer of communication systems [1].One of the emerging techniques in this field is quantum key distribution (QKD) [2][3][4], which allows two parties, customarily called Alice and Bob, to generate a secure key.Any eavesdropping attack carried out by an unauthorised third party, usually referred to as Eve, can be detected by legitimate users as errors in the generated raw key.Such an attack reduces the amount of a secure key after the privacy amplification step or, if forceful enough, renders its generation impossible.The ambition of QKD technology is to make the key distribution secure even against the most sophisticated physical attacks permitted by quantum theory, including use of a quantum processor to manipulate quantum signals transmitted between Alice and Bob, or exploitation of side channels [5][6][7][8].However, this ambitious goal is inseparably entwined with stringent requirements on noise properties of components used in QKD systems and the quality of the communication channel.In practice, such imperfections markedly limit the range of QKD links and the attainable key rates.
An interesting alternative explored in recent years is to assume a restricted class of eavesdropping attacks that can be viewed as imminent with current or near-term technology.One relevant scenario is to consider the actual threat in the form of passive eavesdropping, i.e.Eve's ability to access a fraction of the signal that does not reach Bob's receiver.Such a threat is formally equivalent to the beam splitting attack considered in the security analysis of QKD systems [9].As recently proposed [10] and discussed in a number of following works [11][12][13][14], in such a scenario the key security can be ensured by shot noise properties of the electromagnetic radiation.In order to distinguish this approach from QKD protocols, which rely essentially on incompatible quantum measurements, we will use for the former the designation of optical key distribution (OKD), as the optical band is the most obvious choice for communication links operated at or near the shot noise limit.
The purpose of this paper is to analyze theoretically optimization of an OKD link based on intensity modulation/direct detection (IM/DD) transmission, which is one of the simplest options for communication systems.It is shown that when the photodetection noise is modelled using Gaussian statistics, the attainable key rate depends on a simple quantity that compares Bob's and Eve's capabilities to detect the signal sent by Alice, including noise contributed by their respective detection subsystems.Furthermore, in the strong eavesdropping regime, when Eve's capability significantly exceeds that of Bob, we give simple recipes for determining the optimal signal modulation depth used in Alice's transmitter, as well as discrimination thresholds implemented in Bob's receiver.This regime is especially relevant to long-haul free-space optical (FSO) links, where Bob's device can often capture only a small fraction of the optical signal produced by Alice, while a substantially higher portion may be available to Eve.General results presented here substantially simplify realistic modelling of practical OKD links, that needs to include e.g.variable atmospheric conditions.The approach to physical layer security explored here can be viewed as complementary to encodings designed for quantum wiretap channels [15][16][17][18], which usually give the legitimate user an advantage in collecting the optical signal compared to an eavesdropper.In contrast, postselection of detection events used in OKD enables Alice and Bob to generate a secure key even when Eve has access to a substantially larger fraction of the signal compared to Bob.
This work is organized as follows.Sec. 2 describes the model of an OKD link investigated in subsequent parts of the paper.Sec. 3 analyzes the case of Gaussian signal modulation, which will serve later as a reference for the simpler and more practical technique of binary modulation.The latter is discussed in Sec. 4 considering both soft and hard decoding at Bob's receiver.Finally, Sec. 5 concludes the paper.

Model
As shown in Fig. 1, Alice generates the optical signal by modulating finely the intensity of laser light carried in discrete temporal slots.In order to facilitate the analysis of shot noise effects it will be convenient to specify the emitted optical energy as the mean number   of photons contained in an individual slot.The average optical energy per slot will be denoted as E[  ] = n.A fraction   of the emitted signal reaches Bob's receiver, whereas a fraction   can be accessed by Eve. Bob measures the intensity of the received signal by means of direct detection.If the phase of the optical field is random between individual slots, Eve is also left with the intensity measurement to determine the signal modulation.It will be assumed that the optical signals received by Bob and Eve are strong enough to justify Gaussian statistics for the detection outcomes, denoted respectively by variables   and   .In the case of small modulation depth it is reasonable to assume that the variances  2  and  2  of Bob's and Eve's detectors are independent of the mean photon number received in a given slot.Thus the conditional distributions for Bob's and Eve's outcomes for a given optical energy   sent by Alice will be: For shot noise limited detection of a weakly modulated signal one can take to a good approximation  2  =   n and  2  =   n [19].

Rx
Rx The most intuitive protocol for key distribution in the setup described above is based on binary modulation [10], when the optical energy   in each temporal slot assumes one of two equiprobable values  0 or  1 satisfying ( 0 +  1 )/2 = n that are selected according to Alice's random bit value   = 0, 1.For concreteness, let us take  1 >  0 .Suppose that Bob selects two discrimination thresholds located symmetrically around   n.For sufficiently large spacing between the thresholds, obtaining a detection event in one of the two outer regions enables Bob to identify almost unambiguously the value of   .Sifted slots for which such events have been obtained are communicated by Bob to Alice over a public channel.The recorded bit values form the raw key between Alice and Bob.If the modulation depth is so low that the distributions of Eve's outcomes   for   =  0 and   =  1 overlap substantially, i.e.   ( 1 −  0 )   , Eve cannot learn much about the sifted key.For example, if she implements dual-threshold discrimination analogous to that used by Bob, most key generating events will produce outcomes   that lie in the central region.In general it is advantageous for Eve to gain information about the key from the "soft" values   , without threshold discrimination [12].This more powerful eavesdropping strategy will be investigated in the present work.
The basic theoretical tool in the security analysis will be the Csiszár-Körner formula [20]: which expresses the attainable key per slot K as the mutual information I( ; ) between the legitimate users Alice and Bob reduced by the mutual information I(; ) specifying how much Eve might have learnt about Bob's outcomes.The above expression describes the reverse reconciliation scenario, when Alice corrects her raw key according to information received from Bob.This scenario is more robust against eavesdropping compared to the direct reconciliation approach, in which Alice's and Bob's roles in correcting the raw key are reversed.One can note here a formal similarity with reconciliation in continuous-variable QKD protocols [21][22][23][24][25].

Gaussian modulation
As a reference case that can be solved in a closed analytical form, we will consider first Gaussian modulation implemented by Alice, where the mean photon number in an individual temporal slot follows a normal distribution with a variance  2  : In the following, it will be convenient to use shifted and normalized variables defined by for Alice and for Bob and Eve, respectively.In the Gaussian scenario, Bob and Eve process "soft" outcomes   and   without threshold discrimination.Therefore mutual information in Eq. ( 2) needs to be calculated for pairs of Gaussian variables (  ,   ) and (  ,   ).
It is straightforward to obtain that the covariance matrix C for the triplet of the random variables Applying the standard expression for the mutual information for a pair of Gaussian variables (  ,   ) given by yields for Alice and Bob whereas for Bob and Eve one has The expression for the key in the reverse reconcilliation scenario calculated according to Eq. ( 2) can be simplified to the form It will be convenient to denote  =     /  and write where the ratio R, defined by compares Bob's capability to detect the signal to that of Eve.It is immediately seen that the right-hand side of Eq. ( 11) is a monotonically increasing function of  and the maximum is reached asymptotically for  → ∞, where the last, approximate form of the upper bound on the key is valid when R 1, i.e. when Eve has much stronger capability to detect the signal compared to Bob.This regime will be designated as the strong eavesdropping scenario and will be the main focus of further analysis.The upper key bound K * Gauss is plotted as a function of R in Fig. 2(a).From the perspective of legitimate users it is natural to assume the worst-case scenario that Eve's detector operates at the shot noise level, i.e.  2  =   n.Taking Bob's detector variance as a sum of contributions produced by the shot noise and the detector thermal noise,  2  =   n +  2 ,th , yields: The second term in the round brackets can be interpreted as Bob's detector thermal noise variance specified in shot noise units.When Bob's detector operates at the shot noise level, the above expression reduces to a simple ratio of channel transmissions to Bob and to Eve, R =   /  .Note that although the upper key bound K * Gauss given in ( 13) is attained in the asymptotic limit of an infinite variance of Alice modulation, the key amount becomes comparable with K * Gauss when  1, which translates into the condition       .This means that fluctuations of Eve's detection outcome introduced by Alice's modulation should be at least as large as the noise of Eve's detection.

Binary modulation
In a more practical scenario, Alice uses binary modulation and choses the optical energy    determined by the value of her bit   = 0, 1, as described in Sec. 2. The average optical energy constraint implies that ( 0 +  1 )/2 = n.The normalized variables describing outcomes of Bob's and Eve's detection are given by: Here the parameters characterize the modulation depth as detected respectively by Bob's and Eve's receivers and mapped onto normalized variables   and   .Note that these two parameters are related through a simple rescaling: where the parameter R has been defined in Eq. (12).In order to make the discussion more realistic, the expression for the key given in Eq. ( 2) will be replaced by a more general formula where the positive factor  characterizes reconciliation efficiency that is usually lower than its Shannon limit,  ≤ 1.Further analysis depends on whether Bob extracts the key from the continuous outcomes   themselves (soft decoding), or applies dual-threshold discrimination to convert in a fraction of cases the outcome   into a binary variable   (hard decoding), as described qualitatively in Sec. 2. The key limit for Gaussian modulation K * Gauss (grey dashed-dotted line) and the binary modulation assuming soft K * bin,soft (solid lines) and hard K * bin,hard (dashed lines) decoding, plotted as a function of the ratio R for the reconciliation efficiencies  = 100% (black), 70% (red), and 50% (gold).(b) Corresponding optimal binary modulation depth, characterized by   =   ( 1 −  0 )/  .(c) The key reduction compared to the Gaussian limit K * bin,soft /K * Gauss (solid lines) and K * bin,hard /K * Gauss (dashed lines).The asymptotic values in the limit R → 0 based on Eqs. ( 22), ( 23) and ( 29) are indicated with arrows on the vertical axes of panels (b,c).

Soft decoding
In the soft decoding approach, Bob aims to infer the value of   from the continuous outcome   .It is convenient to rewrite the expression (18) for the key to the equivalent form In the above formula, the conditional entropy H(|) is calculated for the joint probability distribution ) Further, the conditional entropy in the second term reads H(| ) = 1 2 log 2 (2), and the marginal entropy H() is given by [26]: The optimal modulation depth is found by maximizing K bin,soft given in Eq. ( 19) over   , or equivalently   , as these two variables are linearly dependent through Eq. ( 17).Fig. 2(a) depicts the optimized key K * bin,soft as a function of R for perfect reconciliation,  = 100%, as well as limited reconciliation efficiencies  = 70% and  = 50%.The corresponding optimal argument values  *  are shown in Fig. 2(b).It is seen that in the strong eavesdropping regime, when R 1, the key exhibits linear scaling with R and the parameter  *  tends to a constant value dependent on the reconciliation efficiency .It will be convenient to write where the multiplicative factor  as () characterizes reduction in the key amount compared to the Gaussian upper bound in the asymptotic limit R → 0. As shown in Appendix A, the factor  as () can be found by optimizing the expression and the argument  as  (), for which the maximum on the right-hand side of the above expression is attained, defines the optimal modulation depth as detected by Eve.The asymptotic values match well the results of numerical optimization as seen in Fig. 2(b,c).The analysis of the strong eavesdropping scenario with soft decoding is summarized with Fig. 3 which depicts the reduction in the key amount  as () and the optimal modulation depth  as  () as functions of the reconciliation efficiency .

Hard decoding
The numerical complexity of key reconciliation can be reduced substantially by applying dualthreshold discrimination to Bob's detection outcome   as described in Sec. 2. Such hard decoding produces a discrete variable where  defines the discrimination threshold.Events X are treated as erasures and removed from further processing in the sifting step.The probability of generating a raw key bit is consequently given by Reconciliation ef iciency The probability of error in the raw key is symmetric and reads Under reverse reconciliation investigated here, the key amount per slot is given by where  is the reconciliation efficiency, H bin () = − log 2  − (1 − ) log 2 (1 − ) is the binary entropy and the function G(•, •) is defined as: In order to optimize the key amount, the right hand side of Eq. ( 27) needs to be maximized over the modulation depth characterized by   and the discrimination threshold .Note that when   is chosen as the free parameter in the optimization procedure, one needs to express   = √ R  in Eqs.(25) and (26).
The optimized key K * bin,hard and the corresponding optimal modulation depth  *  as functions of R are shown respectively in Fig. 2(a) and (b) for reconciliation efficiencies  = 100%, 70%, and 50%.It is seen that in the strong eavesdropping regime the key amount is reduced by a constant factor compared to the soft decoding case, while the optimal modulation depth remains to a very good approximation at the same level.Interestingly, the optimal discrimination threshold  * weakly depends on either R or , as seen in Fig. 4(a).The resulting probability of generating a raw key bit  raw and the probability of error  are depicted in Fig. 4(b).
The features identified above in numerical results can be characterized quantitatively with the help of the analysis of the asymptotic limit R → 0 presented in Appendix B. In this limit, the reduction in the key amount is given by a numerical factor Interestingly, the factor  as () as well as the optimal modulation depth  as  () are the same as in the soft decoding case.Furthermore, the optimal discrimination threshold  as = 0.6120 does not depend on the reconciliation efficiency.The asymptotic values for the optimal modulation depth, the reduction of the key amount, and the optimal threshold are indicated with arrows on the vertical axis respectively in Figs.2(b), 2(c), and 4(a).It is seen that as long as the reconciliation efficiency is above 50%, the asymptotic values can be used in the analysis for the ratio R below approximately −15 dB.

Discussion and conclusions
The purpose of this work was to identify theoretically the optimal operation of an optical key distribution link utilizing weak intensity modulation, when an adversary implements a passive eavesdropping attack.In this scenario, the key security is ensured by the shot noise present in the signal detected by the eavesdropper.The key amount depends primarily on the ratio R defined in Eq. ( 12) which compares the capabilities of the legitimate user and the eavesdropper to detect the optical signal.For Gaussian modulation, an upper bound on the attainable key is given by Eq. ( 11).In the strong eavesdropping regime, when R 1 the key amount is simplified to a linear expression 1  2 R log 2 .For other signal modulation formats and receivers setups considered in this work, this expression is reduced by a certain multiplicative factor.
In the case of binary modulation and soft decoding with reconciliation efficiency , the key amount is reduced by a factor  as () that can be calculated using Eq. ( 23).The dependence of  as () on  is depicted in Fig. 3(a).The argument  as  () maximizing the expression on the right hand side of Eq. ( 23) specifies the optimal modulation depth: namely, the sender should use in individual slots optical energies given by n ±  as  ()  /  .Importantly, when R 1 the optimal modulation depth depends only on Eve's channel transmission   and the detection noise   of her receiver, rather then corresponding parameters for Bob's link.
When dual-threshold hard decoding is used in the receiver, the key amount is further reduced by an approximately constant factor specified in Eq. ( 29).The optimal discrimination threshold exhibits weak dependence on either R or .A possible difficulty in practical implementation of the binary modulation scheme with dual-threshold discrimination is the high probability of error in the raw key, as seen in Fig. 4(b), which may limit the practically attainable reconciliation efficiency [27].Finally let us note that if there is uncertainty regarding Eve's eavesdropping capability, the worst-case scenario should be assumed.This will overestimate Eve's information about Bob's detection outcomes and hence ensure the security of the generated key, although may diminish its amount.Qualitatively, the key per slot for all variants of the OKD protocol considered here has the same linear dependence on the ratio R. While Gaussian modulation offers the highest efficiency in terms of attainable key rate, its practical implementation may be technically challenging and pose difficulties to attain high reconciliation efficiencies [28,29].Therefore one can envisage that in practice the variant of choice will be binary modulation combined with hard-decision detection, whose overall simplicity should compensate for the minor reduction in the secret key rate.

LEO satellite orbit
To illustrate the practical potential of OKD we calculated the length of a secure key that can be generated during a single pass of a low Earth orbit (LEO) satellite equipped with an optical transmitter over an optical ground station (OGS) using parameters collected in Table 1.The parameter R has been taken as −20 dB, which describes a scenario where both Bob's and Eve's detectors are shot-noise limited, but Eve's receive telescope has ten times larger diameter than that of Bob.An equivalent scenario is equal apertures of Bob's and Eve's telescopes, but Bob's detector noise approx.20 dB above the shot noise level.For a pass with a maximum elevation angle of 55 • the optical power received by the OGS exceeds the detection threshold during an interval of 122 s.Taking the slot rate of 1 Gbaud/s and theoretical limit for binary modulation and hard-decoding with 100% reconciliation efficiency yields the total length of the generated key equal to 340 Mbits corresponding to the key rate of 2.79 Mbps.For a non-unit reconciliation efficiency  these figures are reduced by a factor depicted in Fig. 3(a).The presented example indicates that for passive eavesdropping attacks OKD can provide secure key rates contending with those offered by conventional QKD [9] while dispensing with some of elaborate technologies required by the latter.

Fig. 2 .
Fig. 2. (a)The key limit for Gaussian modulation K * Gauss (grey dashed-dotted line) and the binary modulation assuming soft K * bin,soft (solid lines) and hard K * bin,hard (dashed lines) decoding, plotted as a function of the ratio R for the reconciliation efficiencies  = 100% (black), 70% (red), and 50% (gold).(b) Corresponding optimal binary modulation depth, characterized by   =   ( 1 −  0 )/  .(c) The key reduction compared to the Gaussian limit K * bin,soft /K * Gauss (solid lines) and K * bin,hard /K *

Fig. 3 .
Fig. 3. (a) Reduction in the key amount  as () in the asymptotic limit R → 0 given by Eq. (23) as a function of the reconciliation efficiency .(b) The corresponding modulation depth  as  () in units determined by the normalized outcome of Eve's detection.Reconciliation efficiency values chosen for numerical examples depicted in Fig. 2 are indicated with color arrows on the horizontal axes of the panels.

Fig. 4 .
Fig. 4. (a) The optimal discrimination threshold  * for the hard-decoded binary modulation scenario as a function of the ratio R, shown for reconciliation efficiencies  = 100% (black),  = 70% (red) and  = 50% (gold).The asymptotic value  as = 0.6120 derived in Appendix B is indicated with an arrow.(b) The resulting probability of generating a raw key bit  raw (solid lines) and the probability of error  (dashed lines) for the same selection of reconciliation efficiencies.
1. (a) Optical key distribution under passive eavesdropping.Alice's transmitter Tx  generates a finely intensity-modulated signal with mean optical energy per slot n.In the simplest case of binary modulation shown in the inset, one of two optical energies  0 or  1 is chosen according to Alice's bit value   = 0, 1. Bob's and Eve's receivers Rx  and Rx  detect respectively fractions   and   of the signal.The model assumes Gaussian detection noise with respective variances  2  and  2  .A convenient figure to characterize the binary modulation depth is   =   ( 1 −  0 )/(2  ).Binarymodulated signal can be discriminated using two thresholds located symmetrically around the mean value, as depicted at Bob's location.(b) Statistics of Bob's outcomes for binary-modulated signal represented using a normalized variable   = (  −   n)/  .Discrimination thresholds are set at ±.

Table 1 .
Parameters of a LEO-to-ground optical link used to estimate the length of a secure key that could be generated using the OKD technique during a single satellite pass.