Quantum Pulse Gate Attack on IM/DD Optical Key Distribution Exploiting Symbol Shape Distortion

Intensity modulation/direct detection (IM/DD) optical key distribution (OKD) is a method to generate a secret key whose security against passive eavesdropping is guaranteed by the shot noise inherent to the photodetection process. Here the effects of intensity-dependent symbol shape distortion on the IM/DD OKD security are investigated assuming that the eavesdropper can implement temporal mode demultiplexing using e.g. the quantum pulse gating technique. The quantitative analysis includes key generation based on either hard- or soft-decoding of the detected signal as well as the impact of excess detection noise. A simple, rule-of-thumb relation between the severity of the symbol shape distortion and the signal strength required to ensure key security is presented.


I. INTRODUCTION
P RESENTLY, substantial effort is dedicated to fortifying optical communication systems with physical layer security solutions [1]. Among various approaches currently being pursued, secret random keys shared between distant nodes can be generated using techniques of quantum key distribution (QKD) [2], or by exploiting shot noise inevitably accompanying detection of optical radiation [3]. The latter technique, henceforth referred to as optical key distribution (OKD), places less stringent requirements on the physical system implementation compared to QKD while offering protection against passive, beam-splitting-type eavesdropping attacks that are conceivable using current or near-term technology. Remarkably, OKD can be implemented in intensity modulation/direct detection (IM/DD) communication systems [4], providing security against passive eavesdropping even if the fraction of the signal captured by an adversary (Eve) is much larger than that collected by the legitimate recipient (Bob) [5]. This makes IM/DD OKD an attractive option to ensure physical layer security in free-space optical links that could be incorporated e.g. in future satellite-to-earth optical communication systems [6], [7].
The purpose of this Letter is to analyze the security of IM/DD OKD in a practically relevant scenario when the signal intensity modulation applied by the sender (Alice) is associated with a change of the shape of optical pulses encoding distinct key bit values. Such symbol shape distortions can arise e.g. due to the nonlinear characteristics of the modulator used to carve out OKD pulses from a cw source laser beam. While a pulse shape modification does not constitute a security threat if Eve measures only the total optical energy of received pulses, as assumed in previous security analyses [3], [4], [5], [6], the presence of such distortions opens up a possibility to deploy more powerful eavesdropping strategies based on separating the captured signal into a set of orthogonal temporal modes while retaining their individual quantum statistical properties. Such temporal demultiplexing can be implemented using the quantum pulse gate (QPG) technique based on mode-selective three-wave mixing of the optical signal with suitably shaped pump pulses [8]. Currently the QPG technology undergoes rather swift progress with prospective applications such as noise reduction in classical and quantum communications [9], [10] and improving the resolution of time-delay measurements [11]. It is worth noting that concurrently even more powerful time-frequency signal processing techniques are being developed [12].
This letter is organized as follows. Sec. II describes the physical system for OKD including the QPG attack by the adversary. The principle of secure key distribution is presented in Sec. III and its generation rates are analyzed quantitatively in Sec. IV. Finally, Sec. V concludes the letter.

II. PHYSICAL SYSTEM
In the binary-modulated IM/DD OKD protocol, Alice's transmitter Tx A prepares in each temporal slot a symbol in the form a light pulse with one of two optical energies characterized by the mean photon number n 0 or n 1 corresponding to the two equiprobable key bit values q A = 0, 1 that are chosen by Alice at random. The modulation depth is chosen sufficiently low so that the detection shot noise fundamentally prevents either Bob or Eve to identify the value of every transmitted key bit. However, as discussed in Sec. III, a suitable reconciliation protocol makes it is possible for Alice and Bob to postselect events that will yield a secure key unknown to Eve.
In order to account for the possibility of symbol shape distortion, the two optical energies n 0 and n 1 will be associated with two complex temporal pulse envelopes u 0 (t) and u 1 (t) Alice's transmitter Tx A emits pulses with one of two slightly different optical energies n 0 or n 1 depending on the key bit value q A = 0, 1 randomly chosen by Alice for each pulse. In Bob's receiver Rx B the fraction τ B of a pulse received by Bob produces photocounts on the detector PD whose number k B follows a Poisson distribution with a mean that depends on the key bit value chosen by Alice. In the hard-decoding scenario Bob retains outermost events assigning to them the key bit values q B = 0 or q B = 1 and the remaining events X are removed from further processing which is communicated to Alice over a public channel. The fraction τ E of the signal received by Eve is temporally demultiplexed using a quantum pulse gate QPG into modes u(t) ≡ u 0 (t) and the orthogonal complement v(t) defined in Eq. (3), followed by photon counting. For ideal shot-noise limited photodetection, registering one or more photocounts in the channel v(t) unambiguously indicates a pulse emitted in the mode u 1 (t) corresponding to Alice's key bit value q A = 1.
that are normalized to one, dt |u 0 (t)| 2 = dt |u 1 (t)| 2 = 1, as illustrated in Fig. 1(a). The symbol shape distortion will be characterized using the parameter that is equal to zero when the two pulse envelopes are identical, and approaches one for orthogonal envelope functions. The parameter D represents the fraction of the optical power that is lost when one filters out a given temporal mode from the signal prepared in the other mode, in full analogy with spatial mode filtering in optical waveguides [13]. As shown in Fig. 1(b) the legitimate recipient, Bob, receives a fraction τ B of the signal power sent by Alice. His receiver Rx B measures light intensity with a photon counting detector PD. In order to keep the notation concise, the transmission factor τ B is taken to include also Bob's detector efficiency. The photocount number k B obtained from Bob's measurement is characterized by a conditional Poisson distribution The above expression accounts for excess background noise by adding to the distribution mean the parameter n b that can include both stray radiation collected by Bob as well as detector dark counts. The pulse shape distortion associated with intensity modulation opens up for Eve the possibility to implement the following attack shown in Fig. 1(b). The signal captured by Eve, whose relative power constitutes a fraction τ E of the signal transmitted by Alice, is separated in the receiver Rx E into two orthogonal temporal modes characterized by complex envelopes that specifies the part of u 1 (t) which is orthogonal to u 0 (t).
The factor 1/ √ D ensures normalization of v(t). The three modes involved in the problem are depicted schematically in Fig. 1(a). Separation into orthogonal temporal modes, even if overlapping in the time domain, can be realized using the QPG technique [8].
In the next stage of Eve's receiver Rx E , light carried by the modes u(t) and v(t) is detected individually with photon counting detectors as shown in Fig. 1(b). It will be convenient to denote the two pulse optical energies received by Eve corresponding to Alice's bit values q A = 0, 1 as n E0 = τ E n 0 and n E1 = τ E n 1 respectively. Depending on Alice's chosen key bit value q A the statistics of photocount numbers k Eu and k Ev on detectors monitoring demultiplexed modes u(t) and v(t) are given by: The pair of photocount numbers k u , k v constitutes information available to Eve to learn about the key that is generated between Alice and Bob. Operation of Eve's receiver Rx E with shot-noise limited detection at 100% efficiency has been assumed here. The model described above corresponds to the worst-case eavesdropping scenario where Eve possesses full knowledge about symbol shapes, obtained. e.g. from access to the transmitter design or thorough prior characterization of the signal generated by Alice. The results presented below can be interpreted as lower bounds on the attainable key rates when Eve's knowledge about symbol shape distortion is incomplete.

III. SECURE KEY
The simplest and the most intuitive method for Alice and Bob to generate the cryptographic key is to apply hard decoding to the photocount number k B detected by Bob by setting two thresholds k 0 and k 1 and using the following discrimination recipe: that is shown schematically in Fig. 2.
Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply. Fig. 2. Generation of the secure key. When Bob selects only outermost values of the photocount number k B < k 0 or k B > k 1 , the bit values for retained events will be nearly perfectly correlated with the bit values q A chosen by Alice. Without pulse shape distortion, Eve's knowledge about the generated key is severely limited as for a given pulse optical energy the photocount number k Eu is statistically independent of k B . However, when pulse shape distortion results in redirecting some of the optical energy to the photodetector monitoring the mode v(t), the photocount number k Ev > 0 unambiguously indicates the bit value q A = 1.
Inconclusive outcomes X are communicated to Alice over a public channel and removed from further processing. For thresholds k 0 and k 1 set sufficiently far apart in the outermost regions of the photocount statistics the outcomes q B = 0, 1 will be nearly perfectly correlated with the key bit values q A chosen by Alice. Residual errors can be removed by implementing an error correction protocol [14], [15]. Eve's knowledge about the key is limited by the fact that for a given optical energy n 0 or n 1 of the pulse transmitted by Alice the photocount numbers registered by Bob's and Eve's detectors are statistically uncorrelated. Without pulse shape distortion, when u 0 (t) = u 1 (t), the outermost events that are postselected by Bob to generate the key will correspond at Eve's receiver to randomly distributed outcomes k Eu |q A ∼ Pois(τ E n q A ) and hence on average will carry less information about the key bit value compared to that available to Bob. This observation underlies the security of the generated key, which can be refined by means of privacy amplification to remove completely any remaining Eve's knowledge. In the presence of symbol shape distortion, Eve's ability to detect signal demultiplexed in the set of orthogonal temporal modes described in Sec. II opens up a potentially more powerful eavesdropping strategy. Namely, it is straightforward to see in Fig. 2 that detection of one or more photons in the mode v(t) unambiguously identifies Alice's bit value as q A = 1, thus revealing to Eve much more information about the key.
The quantitative analysis of the key security in the presence of symbol shape distortion will be based on the Csiszár-Körner expression for the attainable key per slot in the reverse reconciliation scenario which reads [16] K = max{I(A; B) − I(B; E), 0}.
Here I is the mutual information, the label A stands for Alice's binary variable q A = 0, 1, whereas B corresponds to Bob's detection outcome and E includes both Eve's variables k Eu and k Ev . It is assumed here that key reconciliation can be implemented with 100% information theoretic efficiency. Error correcting codes approaching such efficiency have been described in the context of QKD implementations [15], [17], [18]. Two decoding scenarios will be considered in the following. For the soft-decoding scenario B stands for the actual photocount number k B , whereas for the hard-decoding scenario it is the discriminated variable q B defined in Eq. (4).

IV. KEY RATES
The attainable secure key rate K defined in Eq. (5) will be analyzed as a function of the distortion parameter D defined in Eq. (1) and the signal strength. The latter can be conveniently characterized with the average pulse optical energy detected by Even E = (n E0 + n E1 )/2. With this choice of parameters, the performance of Bob's receiver is determined by the transmission ratio τ B /τ E and the background photocount number n b . For given values of these parameters the key rate needs to be optimized with respect to the signal modulation depth that can be characterized using a rescaled parameter and, in the hard decoding scenario, additionally over the discrimination thresholds used in Eq. (4). The results are shown in Fig. 3 for the ratio τ B /τ E = 1 (left column), when Bob and Eve collect the same fraction of the signal, and for τ B /τ E = 0.1 (right column), when Eve has the capacity to collect ten times as much signal compared to Bob, using e.g. a telescope with a larger aperture in a free-space optical communication scenario. It is worth noting that typical key rates shown in Fig. 3 are substantially higher than those reported in [19] for a prepare-and-measure QKD demonstration between a low Earth orbit satellite and a ground station, which amount to approx. 3 × 10 −6 secure bit per slot. This is because of more stringent security assumptions in the latter case, including Eve's ability to access and manipulate in an arbitrary manner the optical signal at any stage after leaving Alice's transmitter. The graphs in Fig. 3 depict the attainable key per slot as a function of the pulse shape distortion D in decibels [dB] for different signal strengthsn E (coded with colors) and increasing amount of the excess noise n b (top to bottom). Starting with the soft-decoding case, shown in Fig. 3 with solid lines, several observations are in place. In the absence of background noise at Bob's receiver, n b = 0, shown in the top panels of Fig. 3, the key rate tends to the same value for vanishing symbol shape distortion, D → 0 regardless of the signal strength. This can be related to the fact that the key security is a consequence of photocount fluctuations rather than the absolute signal strength. However, the signal strength starts to have an important role when the shape distortion comes into play: the higher the signal strengthn E , the lower the value of the distortion parameter for which Eve starts to gain substantial information about the key. This can be related to the observation made in Sec. III that detecting just one photocount in the mode v(t) is sufficient to identify the key bit value chosen by Alice as q A = 1. Indeed, the values D = 1/n E , shown with vertical lines in Fig. 3 indicate quite well when the symbol shape distortion starts to reduce substantially the attainable key rate. Thus, a rule-of-thumb condition for the symbol shape distortion to have a negligible effect on the key security is Dn E ≪ 1.
The impact of excess background noise n b in Bob's receiver on the attainable key can be analyzed by inspecting panels below the top row in Fig. 3. It is seen that for negligible pulse shape distortion higher signal strength reduces the effects of background noise, as its relative contribution to the photocount statistics becomes less significant. However, at the same time a higher signal strength implies stronger susceptibility to pulse Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.
shape distortion, as discussed in the preceding paragraph for the case n b = 0. For a given level of pulse shape distortion and the amount of background noise one can identify an optimal signal strength that gives the maximum key value by counterbalancing the two effects discussed above. Finally, one can see in Fig. 3 that hard decoding of the signal detected by Bob with optimized discrimination thresholds lowers the key by a relatively small amount compared to the soft-decoding case, while it may substantially simplify the error correcting step.

V. CONCLUSION
The simplicity of IM/DD optical communication systems makes them an attractive option as the physical layer to generate a cryptographic key using the OKD technique which ensures security against passive eavesdropping. Security analysis of implementations of key distribution protocols needs to include so-called side channel attacks that are facilitated by a richer physical structure of the optical carrier of information compared to that assumed in the protocol principle of operation. In the case of the OKD protocol, modification of the pulse shape associated with the symbol value has been shown to enable eavesdropping based on temporal mode demultiplexing followed by photon counting. One possible remedy to this threat is to keep the strength of the signal captured by an eavesdropper at a sufficiently low level so that the optical energy carried by individual demultiplexed modes effectively does not allow for identification of the key bit value. Alternatively, a strategy to suppress pulse shape distortion would be to generate the OKD signal by modulating, instead of continuous wave laser source, a train of pulses substantially shorter than the temporal slot duration. This would avoid effects of transient modulator transmission. In this setting, as long as the modulator transmission is flat over the pulse window, the symbol shape is determined solely by the input pulse waveform, independently of the modulated optical energy. On a final note, one should mention that correlations between the symbol value and the modal-temporal or spectral-structure of the emitted electromagnetic field are an issue also in standard QKD protocols, both in discretevariable [20] as well as continuous-variable variants [21].