Trusted Noise in Continuous-Variable Quantum Key Distribution: a Threat and a Defense

We address the role of the phase-insensitive trusted preparation and detection noise in the security of a continuous-variable quantum key distribution, considering the Gaussian protocols on the basis of coherent and squeezed states and studying them in the conditions of Gaussian lossy and noisy channels. The influence of such a noise on the security of Gaussian quantum cryptography can be crucial, even despite the fact that a noise is trusted, due to a strongly nonlinear behavior of the quantum entropies involved in the security analysis. We recapitulate the known effect of the preparation noise in both direct and reverse-reconciliation protocols, as well as the detection noise in the reverse-reconciliation scenario. As a new result, we show the negative role of the trusted detection noise in the direct-reconciliation scheme. We also describe the role of the trusted preparation or detection noise added at the reference side of the protocols in improving the robustness of the protocols to the channel noise, confirming the positive effect for the coherent-state reverse-reconciliation protocol. Finally, we address the combined effect of trusted noise added both in the source and the detector.


Introduction
Quantum key distribution (QKD; see [1,2] for reviews) is the branch of quantum information science, whose goal is to develop methods (protocols) that allow two trusted parties to share a random secret key so that its security is provided by the very laws of quantum physics. The key can be then used in the one-time pad cryptographic system [3], which was shown to be information-theoretically secure [4]. Therefore, QKD provides a quantum-cryptographic physics-based solution as an alternative to the classical asymmetrical cryptosystems, which are currently widely used, but are based on the mathematical complexity assumptions.
The first theoretical idea of QKD was the BB84 protocol (named after its authors Bennett and Brassard) [5] based on the use of the discrete-variable (DV) quantum systems, namely single photons, so that the key bits were encoded to (and obtained from) the measurements of the polarization degree of freedom in the two randomly-switched bases. BB84 and its modifications, such as B92 (named after its author Bennett) [6] or SARG (named after its authors Scarani, Acín, Ribordy and Gisin) [7], was used as the basis of DV QKD in the prepare-and-measure (P & M) implementations typically performed with weak coherent pulses or heralded singe photon sources using, besides polarization, e.g., phase or time encoding [6,8]. The presence of the additional photons in the weak coherent pulses was shown to be a potential vulnerability of DV QKD in the case of photon number splitting attacks, and the use of the decoy states was suggested to overcome such a threat [9]. On the other hand, the use of photonic entanglement was suggested in the entanglement-based (also called EPR-based after the famous Einstein-Podolsky-Rosen paradox [10]) E91 protocol [11], where trusted parties are supposed to perform polarization measurements in the certain sets of bases on the two spatially distant non-classically correlated photons. By verifying a loophole-free violation of the Bell inequalities [12,13] from the measurements in one set of bases, the trusted parties can ensure the security of the key obtained from the measurements in another one. Although the E91 protocol can be seen as an alternative way of implementing BB84 [14], it also offers potential device independence based on the quantum nonlocality. While the security of However, channel imperfections are not the only threat to the security of the protocols coming from the physical effects in the set-up, and device imperfections may also contribute to the information on the key, which is accessible to a potential eavesdropper. There are two main approaches to studying the security of QKD with imperfect devices. One is the device-independent (DI) approach, when the protocols are designed in such a way that device imperfections have no impact on the security of the key. This is achieved by verifying the fragile nonclassical properties of the quantum states in the DI QKD, which was inspired by the above-mentioned E91 protocol [11]. The idea of using nonclassical correlations to verify the security of QKD when the devices (including the source of the quantum states) are not trusted was first stated by Mayers and Yao [77] and developed by Barrett et al. [78] and by Acín et al. [79] to prove security against no-signaling post-quantum eavesdropper, which goes beyond the typical assumption used in QKD that an eavesdropper is limited by the laws of quantum physics. The security of DI QKD protocols against collective attacks in its connection with Bell-type inequality violation was shown by Acín et al. [80], and a practical proposal based on heralded qubit amplifier for the implementation of DI QKD protocols was suggested by Gisin et al. [81]. The full security of DI QKD was recently shown by Vazirani and Vidick [82]. For the Gaussian CV QKD, however, the possibility to build the fully DI schemes based on the Bell-inequality violation is limited and requires non-Gaussian resources or measurements [83][84][85]. DI CV QKD protocol was recently suggested by Marshall and Weedbrook [86] based on the qubit encoding [87] using squeezed states and homodyne detection. The potentially more feasible measurement device-independent (MDI) QKD being a way to at least isolate detectors and prevent side-channel attacks was suggested by Braunstein and Pirandola [88] and by Lo et al. [89] and supposes the use of an untrusted relay between the trusted parties. Differently from DI QKD, the MDI QKD can be potentially realized only with Gaussian states and measurements. Therefore, the concept of MDI QKD was recently applied to the CV protocols by Pirandola et al. [90,91] and studied by Zhang et al. [92] and by Li et al. [93].
Contrary to DI and MDI QKD, a more practical and robust way to provide security with imperfect devices is to perform a comprehensive characterization of the devices and suggest the feasible methods allowing one to compensate or reduce the possibility of eavesdropping through the device imperfections. In this approach, alternative to DI and MDI QKD, the devices can be assumed trusted, which can be referred to as the device-dependent (DD) approach in QKD. In this case, the devices must be properly studied, modeled and calibrated in order to distinguish their imperfections from the influence of the untrusted quantum channel (otherwise, the so-called 'paranoid' approach in DD QKD, when all of the imperfections are attributed to the channel, has typically very limited applicability, since the security of conventional DD QKD protocols in this case is quickly degraded by the imperfect devices). The trusted noise despite being directly inaccessible to an eavesdropper may, however, still contribute to the information leakage and limit the security of the protocols. On the other hand, the proper amounts of the trusted noise may improve the security of DD QKD protocols by decoupling an eavesdropper from the reference side of the data reconciliation. The two approaches to security of QKD with imperfect devices were recently generalized by Pirandola [94] in their connection to quantum discord (being sufficient for DD QKD and upper bounding the secure key rate) and entanglement (being necessary for DI QKD).
In the current paper, we review the main known results of the studies of trusted noise in CV QKD and also provide some new results filling the gaps that existed in the comprehensive analysis of the role of trusted preparation and detection noise in CV QKD. We show the negative effect of trusted noise on the receiver side of the protocols and the potentially positive role of such noise on the reference side. The novel results of the paper include: the negative role of the trusted detection noise in the DR scheme and the analytical bound on such a noise; the advantage of the squeezed-state protocol above the coherent-state one in the DR regime and the imperfect post-processing; the positive role of the preparation noise in the squeezed-state DR protocol; analysis of the joint influence of the two types of noise simultaneously present in the protocols.

Gaussian Continuous-Variable Quantum Key Distribution Protocols
In our work we deal with the Gaussian states of the modes of electromagnetic radiation defined as the states with a Gaussian Wigner function (see [22] for a review). In particular, we consider the coherent states, each being the eigenstate a|α = α|α of the annihilation operator of a given mode, as the possible signal states for CV QKD protocols. We study the one-way Gaussian CV QKD protocols based on the Gaussian modulation of the amplitude and phase quadratures, which can be defined as the real and the imaginary parts of the complex amplitude of an n-th mode: x n = a † n + a n and p n = i(a † n − a n ) with the commutation relation [x n , p n ] = 2i. In such notation, the quadrature fluctuations of a coherent (or of the vacuum) state are equal to one, which is defined as a shot noise unit (SNU). We also consider squeezed states with the fluctuations of one of the quadratures being suppressed below the shot noise.
We study the one-way Gaussian CV QKD protocols as depicted in Figure 1a. The sender trusted party, Alice, prepares a signal state using a source, which can be a laser (in the case of coherent states) or an optical parametric oscillator (in the case of squeezed states). The signal states are characterized by the quadrature values x S , p S randomly distributed around zero according to Gaussian distributions with variances Var(x S ) = x 2 s ≡ V xS and Var(p S ) = p 2 s ≡ V pS , while coherent states saturate the uncertainty principle with V xS = V pS = 1 SNU. Alice uses the amplitude and phase modulator to apply random quadrature displacements x M , p M of amplitude and phase quadratures of the signal states, respectively, so that the resulting modulated state is characterized by quadratures {x, p}M is the variance of the Gaussian modulation applied to x and p quadratures, respectively. All together, the state generation and modulation can be defined as the state preparation.

Source
Modulator H Figure 1. (a) Continuous variable (CV) QKD prepare-and-measure (P & M) scheme based on the signal state preparation (with variance V S in the measured quadrature) in the source and the subsequent modulation using the modulator (up to variance V A in the measured quadrature) on the side of Alice, propagation through an untrusted quantum channel with loss η and excess noise ǫ, and measurement of the resulting state (with variance V B in the measured quadrature) by Bob using homodyne detector H; (b) Beam splitter model of the eavesdropping attack on P & M CV QKD protocol for the purely attenuating channel. The beam splitter with transmittance η, corresponding to the channel loss, couples the signal to a vacuum mode. The reflected mode is available to an eavesdropper, Eve, for collective measurement.
The modulated state then travels through the untrusted quantum channel, which is generally lossy and noisy, and is measured by the remote trusted party (Bob) using homodyne measurements.
Following the optimality of Gaussian collective attacks on the Gaussian CV QKD, which we discuss later, we assume a Gaussian channel, parametrized by transmittance η and by the variance of the excess noise with respect to the input of the channel ǫ. Then, the quadrature values at the output of the channel, which are measured by the remote trusted party Bob, are {x, In the following, we assume that Bob is measuring the x−quadrature, which is also squeezed by Alice if the squeezed-state protocol is considered (i.e., the "x-x" protocol is implemented). We omit the discussion of the heterodyne measurement at Bob's side, because its role is mainly in adding noise to the quadrature measurement. Such noise is known to make the heterodyne protocol suboptimal in the DR case. On the other hand, the noise in the heterodyne detection can also improve the robustness of the protocols in the noisy channels in the RR case, but this improvement can be optimized beyond coupling to a vacuum, as we discuss below. Note that the trusted parties need to perform bases switching in their preparation and measurement to estimate the channel parameters in both the quadratures, but the discussion of the channel estimation is not within the scope of the current paper, so we only consider the measurements, which are contributing to the key rate, assuming that the channel parameters are properly estimated.
The variance of the data measured by Bob in the x − x protocol is then is the variance of that modulated at the input of the channel, V S is the signal state variance and V M is the modulation variance. The correlation between the datasets at Alice and Bob is then C AB = √ ηV M , scaled down by the channel loss. The security of the key in QKD protocols is based on the generalization of the Csiszár-Körner theorem [95], which states that the information shared between the trusted parties must exceed the information that a potential eavesdropper (Eve) has on the data that either of the parties possesses, then the classical algorithms can distill the secure key. It was extended to the case of quantum communication taking into account the possibility of an eavesdropper to perform the more general collective measurement (which involves storing probe states after their interaction with the signal in a quantum memory and then optimal collective measurement on the probes) by Devetak and Winter [15], who derived the lower bound on the secure key in QKD as: where indexes DR and RR stand for direct and reverse reconciliation, respectively. The positivity of the lower bound Equation (1) means that the quantum protocol is secure because the classical data processing algorithms (error correction, privacy amplification) are then able to distill the secret key from the data shared between the trusted parties if they have the information advantage over an eavesdropper. The Gaussian states were shown to minimize the functions of the states that satisfy the continuity in the trace norm, the invariance under local unitary transformations and the strong super-additivity [44]. The lower bound on the key rate satisfies these conditions, and therefore, the attacks, which preserve the Gaussian character of the states are optimal [42,43]. This allows us to analyze the security of CV QKD protocols considering only Gaussian channels (characterized by transmittance η and Gaussian excess noise ǫ) and the Gaussian properties of the states.
The quantity I AB in Equation (1) is the classical mutual information, which is the symmetrical quantity, expressed though the entropies of the input random variable X and the output random variable Y of a channel as where H(XY) is the joint entropy, quantifying the amount of transmission errors, and H(X|Y) is the conditional entropy of the input with respect to the output. On the other hand, χ AE and χ BE are the Holevo quantities [96] in the case of DR and RR, respectively, being the capacity of a hypothetical bosonic channel between an eavesdropper and the reference side of data reconciliation. The Holevo quantity then upper bounds the classical information available to an eavesdropper upon collective attacks. Finally, the post-processing efficiency β ∈ (0, 1), typically taking values of up to 0.95 for the Gaussian data in RR at low SNR [68], is introduced as a factor to the mutual information in the lower bounds Equation (1). It defines how close the trusted parties can approach the classical mutual information, taking into account the reduction of data ensembles in the process of error correction. For the finite efficiency β, the modulation variance V M needs to be limited and optimized [65,71].
In the case of the Gaussian-distributed continuous random variables, the classical mutual information between the trusted parties can be calculated from the variances and the conditional variances of the data possessed by these parties as, for example, where V A is the variance of Alice's data (V M in our case) and V A|B is the variance of Alice's data conditioned on the measurement results of Bob, which can be expressed through the correlation C AB between Alice and Bob, and the variance V B of Bob's data as Taking base-two logarithms, we estimate the mutual information and other information quantities further (e.g., the lower bound on the key rate) in bits per use of the channel. The Holevo bound χ YE = S(E) − S(E|Y) between Eve and the reference trusted party Y is calculated as the difference of the von Neumann (quantum) entropy S(E) of the state available to an eavesdropper and the conditional entropy S(E|Y) of the eavesdropper's state conditioned on the measurement results of the reference side of the protocol, here denoted as Y (the latter entropy in the general case should be integrated over all possible outcomes of the measurement on Y, but collapses in the case of the Gaussian-distributed data). A generally multimode Gaussian state is explicitly described by a covariance matrix γ with elements γ ij = ( r i r j + r j r i )/2 − r i r j containing the second moments of the quadratures in the form r i = {x i , p i } for an i-th mode, i.e., variances of the modes' quadratures and quadrature correlations between the modes. Following the above-mentioned optimality of Gaussian collective attacks, it is the worst case assumption that the states involved in CV QKD are Gaussian, and therefore, the covariance matrix formalism is sufficient for security analysis of the Gaussian protocols.
The von Neumann entropy S(E) of a general N-mode Gaussian state can be directly calculated using the symplectic eigenvalues λ {1..N} of the covariance matrix γ E of a state through the bosonic entropic function [97] G(x) = (x + 1) log 2 (x + 1) − x log 2 x as: Similarly, the conditional entropy is in the case of the Gaussian states straightforwardly calculated though the symplectic eigenvalues of the conditional covariance matrix γ E|Y , calculated after the homodyne measurement in x-quadrature on mode Y as: where σ EY is the correlation matrix between the mode(s) accessible to an eavesdropper and the mode Y measured by a trusted party; the diagonal matrix X = Diag(1, 0) (similarly, matrix P = Diag(0, 1) would stand for the measurement in p-quadrature); and MP stands for the Moore-Penrose (pseudo-)inverse of a matrix [98], which is used because the matrix X · γ Y · X is singular.
The symplectic eigenvalues of the covariance matrices can be analytically found using the Williamson's form of a covariance matrix for one-and two-mode matrices [99] or numerically for a higher number of modes.
In the P & M scheme assuming the symmetrical modulation of both the quadratures of a signal state with the diagonal covariance matrix γ S = Diag(V S , 1/V S ) with the same variance V M , the covariance matrix of the modulation data possessed by Alice is given by γ mod . After the channel characterized by loss η and excess noise ǫ, the signal state measured by Bob is characterized by the matrix The mutual information between Alice and Bob is then given by: In the simple case of a purely-attenuating channel (ǫ = 0), the state γ E is explicitly defined as the output of the beam splitter with transmittance η, which models the channel by coupling the signal to a vacuum [72], as shown in Figure 1b. In this case, the covariance matrix of the state available to Eve for collective measurement is given by while the matrices describing the correlation between Eve and Alice and Eve and Bob, respectively, are σ AE = − 1 − ηV M I, where I is the 2 × 2 unity matrix, and The straightforward calculations based on the symplectic eigenvalues of covariance matrices γ E and γ E|B or γ E|A result in the analytical lower bounds on the key rate Equation (1), which can be simplified in the limit of arbitrarily strong modulation V M → ∞ and in the regime of perfect post-processing β = 1 as: and: for an arbitrary signal state with variance V S or as: for coherent states (V S = 1) and as: for the infinitely-squeezed states (V S → 0), which gives a lower bound on the key rate twice as large compared to the infinitely-modulated coherent states [72].
In the more general case, when the channel noise is present, it is assumed that Eve is able to purify the channel noise, and so, the Holevo bound can be assessed by using the purification method [43]. When Eve is holding the purification of the channel noise, the state of the system ABE shared between Alice, Bob and Eve is pure, so that S(ABE) = 0 and, from the triangle inequality [100], directly follows that S(E) = S(AB). Similarly, when Alice or Bob perform the projective measurement of the respective subsystem A or B, the state of the systems BE or AE is pure, and it follows that S(E|A) = S(B|A) or S(E|B) = S(A|B). This allows estimating the Holevo bound from the entropic characteristics of the state shared between Alice and Bob, where all of the impurity is attributed to Eve.
To analyze the security in the above described case of collective attacks in a noisy channel, the equivalent EPR-based representation [73] is used to purify the state preparation at Alice's side, as shown in Figure 2. Indeed, the state of the system AB must be pure before the interaction in the quantum channel with Eve's system in order to distinguish between the trusted and untrusted noise; otherwise, all of the impurity of this state would also be attributed to Eve. If the prepared state on the input of the channel is a zero-mean thermal state with variance V A , being symmetric on the phase space, the state preparation is purified by a two-mode squeezed vacuum quadrature-entangled state with variance V A of the spatial modes A and B shared between Alice and Bob, respectively. Such a state is described by a two-mode covariance matrix of the form: with σ z = Diag(1, −1). After the homodyne measurement on mode A performed by Alice and yielding the result x A , the squeezed state with variance 1/V A in the x-quadrature is conditionally prepared in mode B, centered around √ 1 − 1/V 2 (x A , 0) (the variance of the conditionally-prepared states in p-quadrature is respectively V A ). Therefore, the EPR-based scheme with the states Equation (10) and homodyne measurement at Alice becomes fully equivalent to the P & M scheme  Similarly, if Alice performs heterodyne measurement on her mode A (which is equivalent to splitting the mode A on a beam splitter set to T D = 1/2 with another input mode C being in a vacuum state, and then measurement of both the output modes in x and p quadratures), resulting in the outcome {x A , p A }, the coherent state centered around 2 The EPR-based scheme with heterodyne detection is then fully equivalent to the P & M scheme with coherent signal states Note that in the general case, the modulation variance can be independent of the signal state variance. While this is easily accessible in the case of the coherent-state protocol, where modulation variance V M is a free parameter, it is not in the standard squeezed-state symmetrical protocol where modulation depth is fixed by the antisqueezing. Therefore, the generalized EPR-based scheme, which is equivalent to the preparation of the arbitrarily-squeezed signal state V S ∈ [0, 1] and modulation with arbitrary variance was suggested to analyze the role of squeezing in CV QKD [71] and will be used in the further analysis instead of the standard EPR-based scheme by replacing the entangled source in the cases when modulation needs to be optimized independently of the signal state squeezing.
In the standard EPR-based scheme, the entropy S(E) = S(AB), being the first part of the Holevo bounds χ BE and χ AE , is calculated from the Gaussian state of modes AB described by the covariance matrix after the propagation through the channel: (the coupling to mode C being in a pure vacuum state can be omitted in this case because it does not affect the purity of the overall state shared between the trusted parties). Similarly, the entropy S(E|B) = S(A|B), being the second part of the Holevo bound χ BE , can be obtained from the respective conditional matrix of mode A conditioned on the measurement on mode B: In the case of a squeezed-state protocol, the entropy S(E|A) = S(B|A), being the second part of the Holevo bound χ AE , can be obtained from the respective conditional matrix of mode B conditioned on the measurement on mode A: However, for the entropy S(E|A) in the case of a coherent-state protocol, the structure of the measurement at Alice must be taken into account, so the equality S(E|A) = S(BC|A) holds, and the entropy must be calculated from the matrix of modes BC conditioned on the x-measurement on mode A: From the derived matrices, the key rate can be calculated numerically.
The security of the protocols in terms of the positivity of the lower bound on the secure key rate is thus limited by the channel transmittance and channel noise, which have a joint negative impact on security. Therefore, the protocols are mainly studied in terms of the tolerable loss (or, equivalently, the secure distance, assuming a standard telecom fiber with −0.2 dB attenuation per kilometer) and tolerable channel excess noise. We illustrate the typical performance of the protocols in the regime of optimal modulation for the given β = 0.95 for RR and β = 0.99 for DR (since the SNR is typically higher as the DR is applicable only for low loss, and the post-processing is less demanding in the DR regime) in Figure 3. It is evident that RR CV QKD provides security at much stronger values of attenuation, while DR CV QKD can tolerate higher noise in the low-loss channels. The squeezed-state protocol shows better performance and robustness to noise in the RR case both for the perfect and imperfect post-processing. Interestingly, in the regime of non-ideal post-processing, the squeezed-state protocol also becomes superior to the coherent-state one in the DR case. The imperfect post-processing is taken as β = 0.95 for RR and β = 0.99 for DR. The curves on the maximum tolerable channel excess noise plots, which vanish at (or below) 3 dB, correspond to DR; the rest refer to RR.
The above-described P & M CV QKD protocol with coherent states was realized using homodyne detection by Lodewyck et al. [65] and by Jouguet et al. [70] and using heterodyne detection (corresponding to the no-switching regime) by Lance et al. [101].
Besides the fixed (fiber-type) channels, where transmittance is stable and excess noise is relatively low, the Gaussian CV QKD protocols were shown potentially applicable in the free-space atmospheric channels, where transmittance fluctuations due to atmospheric turbulence lead to additional excess noise, which can be however tolerated or compensated by post-selection [102].
The CV QKD protocols were also studied with respect to the imperfections of the trusted devices. First, the real homodyne detectors are inclined to non-unity detection efficiency and electronic noise, which altogether corrupt the data obtained by Bob from the homodyne measurement. The trusted detection noise in the coherent-state RR CV QKD protocol was first taken into account by Lodewyck et al. [65] and later considered in the squeezed-state RR protocol by Garcia-Patron and Cerf [103], who had shown that the trusted detection noise can even be helpful to provide robustness against the channel noise. It was also shown by Fossier et al. [104] that the negative impact of imperfect detectors in the RR coherent-state CV QKD can be compensated using optical pre-amplifiers.
On the trusted sender side, the state generation and modulation can also be imperfect, which results in the excess noise added to the signal at the stage of the state preparation. The preparation noise can therefore be the noise of the signal state itself (e.g., if a thermal state is produced by a noisy laser instead of a coherent one) or the noise added by an imperfect modulator. Such preparation noise was first addressed by Filip [105] and shown harmful for the RR coherent-state CV QKD protocol for purely attenuating channels and then extended by Usenko and Filip to the noisy channels [106]. It was also shown that the preparation noise can be purified by attenuating the signal (using, e.g., a simple variable beam splitter) prior to sending it to the channel. The method allows reduction (up to complete elimination in the regime of strong modulation) of the preparation noise. Later, it was shown by Weedbrook et al. [107,108] that the preparation noise can be tolerable and even helpful for the security of the DR coherent-state CV QKD protocol in the noisy channels.
The role of other practical imperfections in coherent-state CV QKD was analyzed by Jouguet et al. [109], who studied the imperfect realistic Gaussian modulation, the calibration of the detectors and the trusted phase noise in the sender station, and it was shown that these effects should be taken into account in the security analysis, especially in the finite-size regime. It was also shown that CV QKD systems can be in principle compromised using a wavelength attack on the local oscillator in the heterodyne [110,111] and homodyne [112] detection, which can be however prevented by spectral filtering or real-time monitoring of shot noise [113], the latter being also useful against the calibration attacks on the clock pulses in coherent-state CV QKD [114]. Furthermore, the fluctuations of the local oscillator were shown to be potentially harmful in CV QKD [115], which can be compensated by tuning and monitoring of the intensity of the local oscillator by the trusted parties [116].

Trusted Preparation and Detection Noise in CV QKD
In the current paper, we complete the analysis of the role of trusted preparation and detection noise in CV QKD with coherent and squeezed states, generalizing and extending the previously-known results. We consider the phase-insensitive excess noise added to the signal prior to the channel (preparation noise with variance ∆V) and added to the signal after the channel (detection noise with variance N), as shown in Figure 4a.
The preparation and detection types of noise in the P & M scheme do not affect the data, which Alice imposes by the modulation, as well as the correlation between Alice and Bob, but they change the covariance matrix of the state measured by Bob to . Therefore, the mutual information between Alice and Bob reads:  It is evident that both the preparation and detection types of noise reduce the mutual information. However, the effect on the security of the protocols can be different, as we show in the following sections, since the trusted noise also affects the Holevo bounds, which upper limit Eve's information.
In the simplest case of a purely lossy channel, the covariance matrix of the state available to Eve for collective measurement reads the correlation matrix σ AE is not changed, while the correlation matrix σ BE becomes affected by the preparation noise and reads The lower bound on the key rate can be then calculated analytically from these covariance matrices and will be analyzed in the particular cases in the following section.
In the more general case of a noisy untrusted channel, when a purification method must be applied and an equivalent EPR-based scheme is used instead of the P & M one, the trusted preparation and detection noise can be purified by introducing additional EPR sources of modes DF and JL, respectively, and coupling one of the modes of each of the sources to the signal, as shown in Figure 4b. A similar approach was previously used to purify the preparation [106] and detection noise [65] in CV QKD purification-based security analysis. To losslessly add the trusted excess noise on the preparation and detection stage, the transmittance of the beam splitters used to couple the noisy modes with the signal should be made very high T → 1. Then, after setting variances of the EPR-sources to V PN = ∆V/(1 − T) for the preparation noise and V DN = N/(1 − T) for the detection noise, the coupling to EPR modes becomes numerically equivalent to the phase-insensitive trusted preparation excess noise ∆V and detection excess noise N, respectively. Alternatively, purification of the preparation noise (as well as of the detection noise) can be held by a third party [117,118], which however gives the same result as the lossless coupling to an EPR mode.
The calculation of the Holevo bounds in the case of noisy channels is based on the purity of the multimode state shared between the trusted parties and the fact that Eve holds the purification of the channel noise, so that S(E) = S(ABDFJL), S(E|B) = S(ADFJL|B) and S(E|A) = S(BDFJL|A) for squeezed-state protocol and S(E|A) = S(BCDFJL|A) for the coherent-state protocol. The overall covariance matrix of the state of the modes ABDFJL after the propagation through the channel has the form: where:C The conditional matrices used for calculation of the conditional von Neumann entropies can be obtained using Equation (4). From these matrices, the Holevo bound and, respectively, the lower bound on the key rate in the case of collective attacks in a noisy channel can be obtained numerically and will be used in the analysis in the following sections.

Preparation Noise and Reverse Reconciliation
It was previously shown that the trusted preparation noise can break the security of the coherent-state RR CV QKD protocol already for the purely lossy channel in the case of individual attacks [105], which was later extended on the noisy channels [106]. Here, we generalize the result for the arbitrary pure signal states and show that the tolerance to the preparation noise depends on the signal state squeezing. Indeed, following the calculations given in the previous section, we can derive the lower bound on the key rate for RR in the case of collective attacks on the noisy channel, which in the limit of strong modulation (V M → ∞) converges to the simple modification of the expression Equation (7): From this follows that even in the case of a purely-attenuating channel and perfect implementation of the RR CV QKD protocol, the security against collective attacks is bounded by the condition: which converges to the previously-known bound ∆V < 1/(1 − η) for the coherent-state RR protocol [105]. Thus, in the limit of strong attenuation η → 0, which is the region of interest for the RR protocols aimed at implementation upon strong loss compared to the DR ones, the coherent-state protocol can tolerate up to 1 SNU of excess preparation noise ∆V, while the squeezed-state protocol with infinite squeezing V S → 0 would tolerate preparation excess noise ∆V = 2 SNU, which illustrates another potential advantage of the squeezed-state RR CV QKD. However, much stronger preparation noise can be tolerated either upon higher channel transmittance (in the limit η → 1, arbitrarily-strong preparation noise is tolerable by RR CV QKD protocols) or by using the noise filtering method (originally called purification by the authors), when the signal is attenuated prior to being sent to the channel [105,106], which optimally can completely remove the negative impact of preparation noise in RR CV QKD with infinite modulation or at least strongly suppress such impact in the realistic case [106]. Furthermore, the monitoring of the source noise [119] or noiseless amplification [120] can be applied to improve the security of CV QKD with noisy coherent states. Alternatively, DR CV QKD protocols can be used, since, as it was shown and as we recapitulate further, they are in principle robust against preparation noise [107,108]. The given amount of preparation noise effectively limits the tolerable channel loss, which can be seen from the reversed security bound in terms of the channel loss η > 1 − 1/∆V for the coherent-state protocol or η > 1 − 1/(∆V − 1) for infinitely-squeezed states. This imposes a limitation on the channel transmittance in the otherwise perfect implementation starting from ∆V = 1 SNU for the coherent-state protocol and for ∆V = 2 SNU for the squeezed-state one with arbitrarily-strong squeezing.
The preparation noise also reduces the robustness of the protocol to the channel noise, as can be seen in Figure 5a, where the tolerable channel excess noise is given in the presence of preparation noise ∆V = 0.5 SNU in comparison to the perfect implementation of the protocols. The mechanism of the negative effect of preparation noise in the RR CV QKD is two-fold. Firstly, it reduces the mutual information; secondly, it also increases the Holevo bound, i.e., the upper bound on the information leakage, since this type of noise is added prior to the channel and contributes to Eve's information. The preparation noise thus increases both the von Neumann entropies contributing to the Holevo bound, S(E), as well as S(E|B); however, the first one grows faster, and the Holevo bound is increased.
In the practical situations of limited modulation and other imperfections the RR CV QKD protocol is even more sensitive to the preparation noise; we will consider the effect of imperfections jointly in the Section 6.

Detection Noise and Direct Reconciliation
While the DR CV QKD protocols are robust to the preparation noise, they are sensitive to the detection noise, which can lead to a security break, as we show here. Indeed, already in the limit of arbitrarily-strong modulation and perfect implementation of the protocol, when the key rate converges to the simple modification of Equation (6) as: the security is bounded by the condition: which does not depend on the state squeezing V S . The bound converges to zero, which means that any amount of detection noise cannot be tolerated by DR CV QKD, when the loss approaches 50% (being the loss limit for DR protocols). On the other hand, reciprocally to the preparation noise in the RR case, large amounts of detection noise can be tolerated by the protocol, when the channel approaches lossless transmission (η → 1).
In the non-ideal case, however, detection noise can be harmful and must be seriously taken into account in any implementation of the DR protocols. Moreover, such noise quickly (faster than preparation noise in the RR case) limits the tolerable channel loss already for the otherwise perfect implementation of the protocols (β = 1, . Indeed, the bound on the detection noise can be reversed to the bound on the channel loss being η > 1 − 1/(N + 2). That means that, e.g., for 1 SNU of detection noise, the transmittance even for the purely lossy channel should be no less than 66%.
In the presence of channel noise, similarly to the RR and preparation noise, the detection noise also reduces the robustness of the DR protocol to the channel noise, as can be seen in Figure 5b, where the tolerable channel excess noise is given in the presence of detection noise N = 0.5 SNU in comparison to the perfect implementation of the protocols. Moreover, it can be seen that such an amount of detection noise already reduces the tolerable channel loss even for a purely attenuating channel.
Remarkably, the Holevo bound χ AE is not sensitive to the detection noise; already in the purely lossy channel case, this noise is not present in the covariance matrices γ E and γ E|A and, thus, does not contribute to the information leakage (similarly for in the presence of the channel noise). Therefore, the security break due to detection noise in DR CV QKD is caused only by reduction of the mutual information I AB between the trusted parties.
However, the trusted noise not only breaks the security, but can also improve the protocols, as we recapitulate and show in the next section.

Trusted Noise as a Defense
Despite the fact that trusted noise reduces the mutual information between the trusted parties, it can also, if applied at the reference side of the protocol, effectively decrease the information possessed by an eavesdropper on the data of the respective trusted party, that is decrease the Holevo quantity, upper bounding Eve's information. In the conditions of noisy channels, such a decrease can improve the key rate and extend the bounds of the tolerable channel noise, which is also known as "fighting noise with noise". Further, we describe such effects for DR and RR protocols.

Preparation Noise and Direct Reconciliation
It was already shown that the preparation noise not only can be tolerated by the coherent-state DR CV QKD protocol [107,108] (at least upon perfect implementation with β = 1), but also improves the robustness of the DR protocols to the channel noise. Here, we generalize the result for the arbitrarily signal states and show the levels and the mechanisms of such an improvement.
We demonstrate the typical effect of the preparation noise on the lower bound on the key rate in the DR CV QKD in Figure 6a for fixed channel transmittance and different amounts of the channel noise. When the channel noise is low, the preparation noise gradually reduces the key rate. As the channel noise increases, slight improvement becomes visible for low amounts of preparation noise. Close to the maximum tolerable channel noise; however, the preparation noise evidently improves the key rate and can even restore the security of the protocol. Similar behavior is observed for other channel transmittances. Interestingly, while the squeezed-state protocol is quantitatively superior to the coherent-state one already for feasible squeezing of V S = 0.1 at low channel noise, the situation becomes opposite close to the maximum tolerable channel noise. The presence of the preparation noise in this case makes coherent-and squeezed-state protocols quantitatively equivalent. Evidently, the preparation noise must be optimized to maximize the key rate as the channel noise gets stronger, while close to the maximum tolerable channel noise, the effect of preparation noise saturates. It is also evident that quantitative improvement is such a regime is very small, and one could expect that the improvement would be canceled by the finite-size effects, which reduce the key rate [55,56]. The improvement of the robustness to the channel noise by the preparation noise for DR CV QKD is evident from Figure 7a. When the optimal amount of preparation noise is added, the difference between the coherent-and squeezed-state protocols vanishes. However, the improvement gets less as the channel loss increases. The reason for the improvement is concerned with the fact that the noise, added on the reference side of the protocol (the preparation noise in DR in this case), reduces the Holevo bound. Such noise, in fact, increases the both von Neumann entropies S(E) and S(E|A), but the latter one grows faster, thus contributing to the decrease of χ EA . Therefore, despite the simultaneous decrease of the mutual information I AB , the lower bound on the key rate can be slightly improved and even turned positive by the preparation noise for strong channel noise. This also explains, why in the perfect conditions of noiseless implementation, the coherent-state protocol shows slightly better robustness to the channel noise compared to the squeezed-state protocol, which provides higher mutual information, but also offers more information leakage upon high channel noise. The shot noise of the coherent signal states in this case already reduces the Holevo bound compared to the squeezed signal state.

Detection Noise and Reverse Reconciliation
Similarly to the previous case, the detection noise can improve the robustness of the RR CV QKD protocols to the channel noise. This effect was already shown for the squeezed-state protocol [103], while here, we generalize it for the arbitrary pure signal states and discuss the mechanism of such an improvement.
First, we show in Figure 6b,c how the key rate can be improved by detection noise in the RR case for both the coherent-and squeezed-state protocols. Similarly to the case of DR and preparation noise, the detection noise decreases the key rate when the channel noise is relatively low, but can optimally improve the key rate and even restore the security of the protocols when the channel noise is close to the threshold. Therefore, the detection noise must be optimized and can shift the bounds on the tolerable channel excess noise, as can be seen in Figure 7b. In this case, however, the squeezed-and coherent-state protocols are both improved in their robustness to noise and do not overlap, i.e., the squeezed-state protocol remains to be more robust against noise, contrary to the DR case. This effect also explains why the RR protocols with the heterodyne detection at Bob's side are more stable against the channel noise, because an additional half SNU added at the detection stage in this case serves as the detection noise, improving the robustness of the protocol. However, typically, more noise must be added to achieve optimal performance in the noisy channels, at least in the asymptotic regime.
The reason for the improvement, similarly to DR and preparation noise, lays in the decrease of the Holevo bound, i.e., of the information leakage. While the von Neumann entropy S(E) remains unchanged by the detection noise, the conditional entropy S(E|B) increases (as Eve becomes effectively decoupled from Bob's data upon the addition of the uncorrelated noise) and χ BE decreases. In particular, for the coherent-state protocol V S = 1, already in the purely-attenuating channel ǫ = 0 the derivative of S(E|B) by N at N = 0 in the limit of large modulation V M → ∞ analytically simplifies to (1 − η)/(2 log 2), which is always non-negative. Such an increase of S(E|B) improves the key rate when the channel noise is strong enough despite the decrease of the mutual information I AB .
Note that the quantitative improvement of the key rate in the noisy channels is also minor as in the case of DR and preparation noise. Therefore, one could also expect that the positive effect of the detection noise would be canceled by the reduction of the key rate in the finite-size regime [55,56].

Combined Trusted Noise Effects on Security
In the previous sections, we described the effects of trusted noise in the idealized DR and RR CV QKD protocols independently. However, the implementation of the protocols is never perfect, other different realistic effects may take place, and the types of trusted noise can be combined, which can amplify the negative and compensate the positive effects described above. Therefore, in the current section, we briefly study how the imperfect post-processing affects the performance of the protocols in the presence of trusted noise and what impact do combined sources of noise have on the security and robustness of the protocols.

Trusted Noise and Imperfect Post-Processing
First, we confirm the positive effect of the trusted noise on the reference side of the protocols in the regime of limited post-processing efficiency. Therefore, upon the realistic post-processing, the preparation noise in DR and the detection noise in RR (the latter effect previously shown in [121]) still improve the robustness of the protocols to the channel noise when the modulation variance V M is properly optimized for the given post-processing efficiency β (values discussed above).
On the other hand, the imperfect post-processing leads to a decrease of robustness to the trusted noise on the remote side of the protocols (that is to the detection noise in DR and preparation noise in RR). We illustrate the effect by the plots in Figure 8 (blue lines), where it is evident for both DR and RR protocols that the key rate becomes lower, and the security bound in terms of the noise on the remote side is reduced.
This effect is more significant for RR and is minor in the case of DR protocols, since the post-processing in the DR regime is typically higher, as well as the channel transmittance.

Combination of Preparation and Detection Noise
Finally, we consider the combined effect of the trusted detection and preparation noise on the security of DR and RR CV QKD protocols.
Interestingly, in this regime, the noise added on the reference side of the protocols can improve the robustness to the noise added on the remote side, i.e., the effects similar to "fighting noise with noise" take place, when one type of trusted noise improves the robustness against another.
In the case of DR protocols, the addition of trusted preparation noise slightly improves the robustness to the detection noise (typically in the amount of fractions of a percent of SNU). The mechanism for such an improvement of robustness is similar to using noise on the reference side of the protocol against the channel noise: it leads to the decrease of the Holevo bound due to simultaneous increase of S(E) and S(E|A) entropies in the DR case with the latter one increasing faster. The effect gets less for the lower channel transmittance and upon the imperfect post-processing. This is shown in Figure 8a (red lines): it is evident that the security region in terms of the detection noise is improved when additional preparation noise is present. We also confirm the positive effect of the preparation noise in the DR scheme in the presence of the detection noise, as shown in Figure 9a, where the graphs for the key rate upon the same parameters as in Figure 6 are given in the presence of detection noise N = 8% SNU (note that the lower graph corresponding to ǫ = 0.2 vanished in the presence of such detection noise).
In the case of RR protocols, the addition of trusted detection can result in improvement of the robustness to the trusted preparation noise, which gets less for the lower channel transmittance. For the low transmittance, the effect is negligible, as we demonstrate in Figure 8b,c (red lines), where the security bounds in terms of the preparation noise are not changed by the presence of the detection noise. At the same time, we confirm the positive role of the detection noise in the presence of the preparation noise, as can be seen from Figure 9b,c, where the key rate is plotted upon the same settings as in Figure 6, but with additional preparation noise ∆V = 0.1. Note that, similarly to the DR case, the lines corresponding to the highest considered channel noise vanished in this case. Nevertheless, the positive effect of the detection noise is evident from the plots. Therefore, the positive role of the trusted noise at the reference side of the protocols can be still observed in the presence of the trusted noise on the remote side.

Summary and Discussion
We have recapitulated the known and shown the previously undisclosed effects of the phase-insensitive trusted preparation and detection noise in CV QKD. In particular, we have shown the overlapping saturation of the positive effect of the trusted preparation noise on the robustness of the DR protocols to the channel noise in the case of coherent and squeezed signal states. We have also shown the negative effect (up to security break in the purely attenuating channels) of the trusted detection noise in the DR scenario. We have confirmed the positive effect of the noise on the reference side of the protocols in the regime of imperfect post-processing. Finally we have shown that the combination of two types of trusted noise has practically no influence (and even slight improvement) on the security bounds on the harmful type of noise. We have discussed the mechanisms of the positive and negative influences of the trusted noise, which mainly concern the impact on the mutual information between the trusted parties, as well as on the quantum entropies, defining the information leakage for an imperfect quantum channel.
We have studied the P & M schemes using the equivalent entanglement-based representation only to analyze the security in the case of the channel excess noise. The research, however, can be extended on the entangled-based protocols, which are promising for possible networking configurations and were recently studied in the alternative topology of entanglement in the middle by Weedbrook [122]. Such protocols were shown feasible on a proof-of-principle level by Su et al. [123] without the additional modulation, and by Madsen et al. [121] with additional optimal modulation of the entangled states. They were also studied concerning the possible multi-mode effects [124,125], which can affect the security of the CV QKD protocols with bright multimode (macroscopic) states of light [126,127].
Another promising direction of the study of the role of trusted noise in CV QKD is the two-way protocols suggested by Pirandola et al. [128], which are aimed at tolerating higher channel noise compared to the one-way CV QKD protocols discussed here. The trusted noise can have an impact on such protocols, and the role of trusted preparation noise on the two-way coherent-state CV QKD was recently discussed by Weedbrook et al. [129] and by Wang et al. [130], who had shown that the preparation noise tightens the bounds on the key rate, but preserves the advantage in terms of the tolerable channel noise of the two-way protocol over the one-way counterpart.
The physical discussion of the role of trusted preparation and detection noise in CV QKD is relevant not only for existing optical implementation of the protocols. The original motivation of the proposal of the DR CV QKD protocol with a noisy source [107] was to address the possibility of a short distance implementation of the protocol with noisy microwave sources. However, also the homodyne/heterodyne detection of the microwave states is typically noisy, and therefore, our analysis completes the description of the practical specific issues in the possible future implementations of CV QKD with microwave technology, which is rapidly developing [131][132][133].