Practical Security Analysis of Reference Pulses for Continuous-Variable Quantum Key Distribution

By manipulating the reference pulses amplitude, a security vulnerability is caused by self-reference continuous-variable quantum key distribution. In this paper, we formalize an attack strategy for reference pulses, showing that the proposed attack can compromise the practical security of CVQKD protocol. In this scheme, before the beam splitter attack, Eve intercepts the reference pulses emitted by Alice, using Bayesian algorithm to estimate phase shifts. Subsequently, other reference pulses are re-prepared and resubmitted to Bob. In simulations, Bayesian algorithm effectively estimates the phase drifts and has the high robustness to noise. Therefore, the eavesdropper can bias the excess noise due to the intercept-resend attack and the beam splitter attack. And Alice and Bob believe that their excess noise is below the null key threshold and can still share a secret key. Consequently, the proposed attack shows that its practical security can be compromised by transmitting the reference pulses in the continuous-variable quantum key distribution protocol.

www.nature.com/scientificreports www.nature.com/scientificreports/ intercept-resend attack and the Bayesian algorithm to decrease the phase estimation error noise. Therefore, Eve can bias the excess noise due to the beam splitter attack and the intercept-resend attack, and Alice and Bob believe their excess noise estimation is below the null key threshold and they can still share a secret key. To intercept-resend attack, that is, Eve can monitor and intercept the reference pulses emitted by Alice. Subsequently, she measures each reference pulse and then estimates the phase drift using the Bayesian algorithm. After phase estimation and compensation operation, she re-prepares and resubmits another reference pulses, which is sent to Bob. What's more, we propose to utilize Bayesian algorithm to estimate the reference pulses. The algorithm not only can obtain a confidence interval, but also has robustness to noise. Therefore, the algorithm can increase the accuracy of phase estimation for Eve. This series of operations can cause a security vulnerabilities through the manipulation of the reference pulses.

practical Security Analysis
In this section, we start by describing the protocol of the self-reference CVQKD. Subsequently, we analyze how Eve can intercept the reference pulses and estimate the phase drift for the discrete-modulated and Gaussian-modulated self-reference CVQKD, respectively. The self-reference CVQKD protocol, as shown in Fig. 1, consists of two parts, one is the coherent states preparation and propagation, and the other part is the coherent states detection and processing. At the transmitter, Alice prepares the Gaussian-modulated coherent states (or the discrete-modulated states) and then transmits to Bob. The arbitrary phase drift of the states will be inevitably induced through the quantum channel. Therefore, the phase reference pulses are necessary to transmit along with the signal pulses. As depicted in Fig. 1, the reference pulses and signal pulses are sent by Alice alternatively and periodically. At the receiver, Bob can utilize the relatively strong reference pulses to estimate the phase 35 . In theory, quantum phase noise φ ∆ between the two users can be written as 41 where L represents the length of the fiber, ∆v is the difference frequency between the user's lasers, and s denotes the speed of light in the fiber. Although several protocols are proposed to the phase compensation, the strong reference pulses are still indispensable in the self-reference CVQKD. However, propagating the relatively strong reference pulses may result in security vulnerabilities.
In what follows, we analyze the practical security of reference pulses for CVQKD with discrete modulation. In this scenario, Eve has the ability to monitor and intercept the reference pulses from Alice to Bob. Basically, Eve measures each reference pulse and estimates the phase drift emitted by Alice. After the phase compensation, she re-prepares and resubmits reference pulses, which are sent to Bob. Next, we introduce how Eve employs Bayesian algorithm to estimate the phase drift of the intercepted reference pulses. Without loss of generality, we analyze the four-state self-reference CVQKD protocol [42][43][44] . The four-state can be denoted as α α = π + e k i k (2 1) /4 with ∈ k {0, 1, 2, 3}, and the modulation variance is α = + V 1 2 2 . When Eve intercepts reference pulses through the noisy channel, as shown in Fig. 2, the photon number resolving detector (PNRD) performs the measurement operation. Specifically, the measurement outcomes are denoted as E α α α α ∈ { , , , 3 , and the total number of detected photons are described as N = ∑ = n i i 0 3 , where n i symbolizes the detected photon of state α i . Then, we provide the critical process of Bayesian estimation. Above all, in order to estimate the correct eigenphase, an initial prior probability distribution P φ ( ) is provided to express the confidence interval that the current hypotheses is the correct eigenphase. Subsequently, the mean µ and its standard derivation σ are updated on the basis of the measurement results of PNRD. What's more, the posterior probability distribution can be calculated as 45,46  www.nature.com/scientificreports www.nature.com/scientificreports/ Specifically, some particles drawn from the P φ ( ) mismatch the likelihood function, which will be discarded later. The likelihood function is defined as Without loss of generality, the qubit undergoes a phase diffusion process whose amplitude is characterized by the parameter ∆. After obtaining the posterior distribution in Eq. 2, we set the posterior probability distribution to equal the prior probability distribution. This updating program can be deemed as the iterative processing for each of the emulation.
Subsequently, we provide the mathematical definition of probability density function (PDF) to illustrate the relation between the phase shift and the detected photons N. The PDF is defined as P N The simulation results of phase drift are depicted in Fig. 3. The two subgraphs illustrate that, the phase drift tends to zero if we increase the number of n 0 (where n 1 , n 2 and n 3 are constant). Here, n i is defined in the previous paragraph. Consequently, increasing the detected photons for intercepted reference pulses can improve the accuracy of phase estimation, thus reducing the possibility of phase shift. Next, we describe the main implementation steps of the Bayesian algorithm. In the initial interation of the algorithm, a prior distribution N µ σ ( , ) 0 0 is to express the confidence interval. Then, the dataset is utilized to update the µ and σ of the posterior probability distribution in accordance with Bayes' theorem. The parameter estimation for the inferred σ 2 of the posterior probability density is simulated in Fig. 4a, and the shaded region stands for the proportion correct ratio of the predicted trials. In other words, increasing the signal intensity level can improve the proportion correct of concentration. As shown in Fig. 4b, we utilize the different initial σ 2 to simulate and test that the performance is insensitive to the initial σ 2 . In other words, the Bayesian algorithm has the high robustness. Furthermore, the main steps of the algorithm 45,47,48 are described in the Appendix.
By comparison to the discrete-modulated CVQKD protocol, the Gaussian-modulated CVQKD protocol is more complicated. We adopt the Mach-Zehnder (MZ) interferometer to estimate the phase drifts [49][50][51][52][53] . The Mach-Zehnder interferometer, as shown in Fig. 5, has two inputs labelled 1 and 2, one input is the intercepted reference pulses, and the other is the coherent light source. The two inputs are combined in two beamsplitters (BS 1 and BS 2 ) and two internal arms. On the one of the branches for output, a beamsplitter (BS 3 ) has two outputs labelled as 3 and 4. On the other branch, a beamsplitter (BS 3 ) has two outputs labelled as 5 and 6. According to the mentioned above, photodetectors are applied to outputs and respond to intensities I k . Therefore, we integrate over some observations T , and define the parameter with ∈ k {3, 4, 5, 6}. Particularly, the parameter W k can be substituted by the integer n k , where n k represents the photodetection result in the time interval T . Based on the NFM theory (Noh, Fougères and Mandel) 51 , the unambiguous value of phase φ is estimated as  When the photon number n in at input 1 and 2 is determined, the outputs 3 6 have the mean values where the maximum likelihood estimate can be given by Consequently, based on the Poissonian distribution of photoncount and mean value n in , the likelihood of φ and n in is with the notation = n n n n n [ , , , ] 3 4 5 6 . Assuming that n in is independent of φ and V, we have Consequently, the posterior probability distribution takes the following form which is in accordance with the Eq. 2 of four-state self-reference CVQKD protocol.

performance Analysis
First of all, we define transmission probability and transition probability to analyze the performance of the reference pulses for the discrete modulation protocol. In the four-state self-reference CVQKD protocol, there are four kinds of the intercepted encoding phase, namely the φ = Therefore, the transmission probability can be defined as . Moreover, the transition probability can be expressed as P P = − 1 ij ii with ≠ i j. Subsequently, the QBER for Eve can be calculated as Q R = ∑ QBER n n n , with the notation . Here, n and N c symbolize the transmitted photons (at the Alice's side) and detected photons (at the Eve's side) per pulse, respectively. Figure 6a depicts the QBER for Eve with the discrete modulation protocol. Considering the existence of noise in the channel, two parameters are restricted with > n N c . According to the result, we can see that, increasing the number of n and N c will improve the QBER of the intercept-resend attack for Eve.
In the following, we analyze the performance of the Bayesian estimator for the Gaussian-modulated self-reference CVQKD protocol. The Bayesian cost can be defined by the relation Particularly, if a suitable initial phase value φ ′ is given, the minimum mean squared error (MMSE) estimator of φ ′ has the form where φ ′ can be initialized with the maximum likelihood (ML) estimate, and it can be defined as . Specifically, the blue line denotes the NFM estimator 51,53,54 . Consequently, the Bayesian estimator outperforms NFM estimator.
Although the intercept-resend attack can compromise the practical security of QKD, the two remote participants can discover eavesdropping by the following method. At the receiver, Bob randomly chooses the same number of quantum pulses and reference pulses as training signals 55 . By utilizing the training signals, we can estimate the phase compensation error on reference signals and quantum signals, respectively. If the phase compensation error on signal pulses is different from that on reference pulses, we can conclude that Eve's attack is attached in the quantum channel.

conclusion
In this paper, we analyze a security vulnerability of strong reference pulses in the realistic self-reference CVQKD system. In this scenario, before the beam splitter attack, Eve intercepts the reference pulses emitted by Alice, and utilizing the Bayesian algorithm to estimate phase drifts of reference pulses. After phase estimation and compensation, she resubmits another reference pulses to Bob. The algorithm not only can obtain a well-motivated confidence interval, but also has robustness to noise. Thus, due to the intercept-resend attack and the beam splitter attack, Eve can bias the excess noise. Consequently, it shows that the practical security of the proposed attack can be compromised by transmitting the reference pulses in the continuous-variable quantum key distribution protocol.

Appendix
In the following, we take the four-state self-reference CVQKD protocol as an example, to derive the expression of the secret key rate under the intercept-resend attack. Assuming that the phase noise of quantum channel is zero-mean with variance V ch , while the phase noise reduced by Eve's Bayesian algorithm is zero-mean with variance V Bayes , the deviation of the actual phase compensation error can be given by Bayes . According to the imperfect phase compensation, the actual transmittance can be defined as κ = , and T is the transmission efficiency. Besides, the actual excess noise can be expressed as where β is the reconciliation efficiency, I A B ( : ) is the mutual information between Alice and Bob, and χ B E ( : ) is the mutual information between Bob and Eve. Specifically, the mutual information I A B ( : ) is given by 55 The Holevo bound of the information between Eve and Bob is given by The symplectic eigenvalues λ 1,2 are given by The symplectic eigenvalues λ 3,4 are given by Here, the phase noise reduced by Eve's Bayesian algorithm submits to the normal distribution with variance . 0 001, . 0 004 and . 0 007 (rad 2 ) respectively. In particular, = V 0 Bayes represents the original CVQKD protocol without the intercept-resend. Fig. 7 is the simulation result in the asymptotic scenario. According to the simulation result, we can conclude that, the estimated key rate based on the intercept-resend and Bayesian algorithm is higher than the true security key rate. Therefore, the attack is effective in the self-reference CVQKD protocol. In our manuscript, the proposed algorithm is described as follows.