Continuous-variable quantum key distribution with a leakage from state preparation

We address side-channel leakage in a trusted preparation station of continuous-variable quantum key distribution with coherent and squeezed states. We consider two different scenarios: multimode Gaussian modulation, directly accessible to an eavesdropper, or side-channel loss of the signal states prior to the modulation stage. We show the negative impact of excessive modulation on both the coherent- and squeezed-state protocols. The impact is more pronounced for squeezed-state protocols and may require optimization of squeezing in the case of noisy quantum channels. Further, we demonstrate that the coherent-state protocol is immune to side-channel signal state leakage prior to modulation, while the squeezed-state protocol is vulnerable to such attacks, becoming more sensitive to the noise in the channel. In the general case of noisy quantum channels the signal squeezing can be optimized to provide best performance of the protocol in the presence of side-channel leakage prior to modulation. Our results demonstrate that leakage from the trusted source in continuous-variable quantum key distribution should not be underestimated and squeezing optimization is needed to overcome coherent state protocols.

Figure 1

Prepare-and-measure CV QKD schemes with lossy channels and information leakage from state preparation stations (dashed boxes indicate trusted stations of Alice and Bob). Source $V$ radiates Gaussian states (coherent or squeezed states) in the signal mode (green). States receive amplitude and phase displacements on modulator $M_S$, and are sent to Bob via quantum channel characterized by losses $\eta$. Signal states are measured on the receiver station by a homodyne detector $H$. (a) In addition to signal mode, the source generates additional leakage mode (orange line) $L$. States in the latter undergo displacement, correlated to the one of the main signal and characterized by modulation ratio $k$. An eavesdropper Eve can directly obtain information from an additional mode as well as from the quantum channel. The mode $L$ is present due to the multimode structure of the source and cannot be technically eliminated. Generally an arbitrary amount of modes $L_n$ can be modulated and leak, however, such a case can be reduced to a single effective mode $L_{\mathrm{eff}}$. (b) A side-channel leakage (orange line) is present between state generation and state modulation stages. The initial signal state interacts with another state of mode $E_S$ on a beam splitter with transmittance ${\eta }_E$, and only after that is being encoded with information on the modulator $M_S$. Eve can obtain information from $E_S$ and quantum channels.

Figure 2

Key rate (in bits per channel use) versus distance $d$ (in kilometers) in a standard telecom fiber (with attenuation of $-0.2dB/km)$ under collective attacks in the case of modulation leakage for different values of ratio between additional and signal state modulation variances $k=0$ (blue, upper lines), 1 (light blue, middle lines), 1.5 (light green, lower lines) for optimized squeezed-state protocol (solid lines), squeezed-state protocol (dashed lines) with $V_L=V_S=1/2$, and coherent state protocol with $V_L=V_S=1$ (dotted lines). Modulation variance $V_M$ is optimized for given parameters, excess noise $\varepsilon =1\%$, post-processing efficiency $\beta =97\%$. Evidently the distance is shortened by modulation leakage. Squeezing optimization allows one to achieve overall longer secure distances. Comparing unoptimized squeezing- and coherent-state protocols, the first one prevails under weak leakage $k⩽1$, the latter under stronger leakage $k>1$.

Figure 3

Performance of the squeezed-state protocol with and leakage from the modulator under collective attacks. The coherent-state protocol, due to combined effects of modulation leakage, excess noise and limited post-processing efficiency, cannot be used for secure key generation at given parameters. Key rate dependency on the leaked modulation ratio $k$ is shown for different values of squeezing (starting from top) $V_S$=0.1, 0.3, 0.5, 0.7, 0.9 SNU. All solid lines display the key rate with the symmetry of signal and leakage variances $\left(V_L=V_S\right)$. The thick (orange) line illustrates the key rate of the protocol with both modulation $V_M$ and signal squeezing $V_S$ optimized. Dashed lines display the case when leakage mode input is fixed and independent of the signal $\left(V_L=1\right)$. Lowest solid and dashed lines, corresponding to $V_S=0.9$, very nearly overlap. Signal modulation is optimized for given parameters. Reconciliation efficiency $\beta =95\%$, channel losses $\eta =0.1$, and excess noise $\varepsilon =1\%$. Apparently the squeezed-state protocol is sensitive to leakage, especially for high squeezing. Provided that the source outputs identical states, security is broken when leakage is larger than half of the signal modulation. Robustness to leakage is higher if $V_L>V_S$, but leakage remains a security threat. Squeezing optimization (thick, orange line) heightens robustness and the key rate, but it's not sufficient to maintain security for arbitrary amounts of leakage.

Figure 4

The key rate (in bits per channel use) versus distance $d$ (in kilometers) in a standard telecom fiber (with attenuation of $-0.2dB/km)$ in the case of collective attacks on the coherent-state protocol (orange, lower line) and the squeezed-state protocol with $V_S=1/10,1/2$ (upper dark blue and middle light blue, respectively). The premodulation channel coupling ratio ${\eta }_E=0.5$ (dashed lines) and 1, i.e., the absence of the channel (solid lines). Modulation variance is optimized for given parameters, $\beta =97\%,\epsilon =5\%$. Evidently the premodulation channel reduces the secure distance of the squeezed-state protocol. However, even small squeezing allows one to achieve longer distances. Maximal influence of the premodulation channel is set by the performance of the coherent-state protocol.

Figure 5

Purification of modulation leakage $(N=1)$ on the preparation side of the Gaussian CV QKD protocol. Alice's side contains two EPR sources, radiating modes $A,B$ with variance $V_1$, and modes $D,L$, with variance $V_2$. One mode from each source is kept on the preparation side $\left(A,D\right)$ while the other two $\left(B,L\right)$ interact on the beam splitter with transmittance $T_1$, undergo single-mode squeezing $r_1$ and $r_2$, respectively, and subsequently interact on the beam splitter with transmittance $T_2$. Signal mode $B$ proceeds through the untrusted channel $(\eta ,\varepsilon )$ to Bob, while the $L$ mode is accessible to Eve.

Figure 6

Purification of the Gaussian CV QKD protocol with the side channel between source and modulation. Source $S$ radiates signal (mode $B)$ that, using entangled source $V$ (modes $C,D)$, receives amplitude and phase modulation, and is sent to Bob, that conducts homodyne detection $H$. Source $S_0$ (mode $A)$ generates infinitely squeezed states that are kept on the preparation side. Source $S_E$ (mode $E_S)$ establishes correlations with, and provides Eve with information about signal $\left(B\right)$. Losses $\eta$ and noise $\varepsilon$ in the untrusted channel (mode $E)$ are attributed to Eve.