Subcarrier wave continuous variable quantum key distribution with discrete modulation: mathematical model and finite-key analysis

In this paper we report a continuous-variable quantum key distribution protocol using multimode coherent states generated on subcarrier frequencies of the optical spectrum. We propose a coherent detection scheme where power from a carrier wave is used as a local oscillator. We compose a mathematical model of the proposed scheme and perform its security analysis in the finite-size regime using fully quantum asymptotic equipartition property technique. We calculate a lower bound on the secret key rate for the system under the assumption that the quantum channel noise is negligible compared to detector dark counts, and an eavesdropper is restricted to collective attacks. Our calculation shows that the current realistic system implementation would allow distributing secret keys over channels with losses up to 9 dB.

Quantum key distribution (QKD) is a method of sharing symmetric cryptographic keys between two parties that is based on encoding information in the states of quantum objects and subsequent distillation of the key through a classic communication channel. The first quantum cryptography protocols exploited the quantum system with degrees of freedoms [1][2][3] . A numerous amount of different techniques for security proofs for discrete variable QKD systems has already been presented [4][5][6][7][8][9][10][11][12][13] . Experimental implementations of this family of QKD protocols rely on single-photon detectors for quantum state measurements.
In turn, continuous-variable QKD (CV-QKD), which was proposed later, relies on methods of coherent detection, homodyne or heterodyne, for gaining information about the quantum states. In other words, single-photon detection is replaced by conventional optical communication methods. However, security proofs for CV-QKD protocols currently remain less advanced 14,15 .
There are two types of CV protocols that differ by signal modulation method: Gaussian 16,17 , where the complex amplitudes of coherent states are selected randomly from a normal distribution, and discrete modulation (DM) [18][19][20][21][22] with weak coherent phase-coded states. Other CV-QKD protocols are based on two-mode squeezed vacuum states transmission and measurement via homodyne or heterodyne detection 23 . Security proofs for Gaussian CV-QKD protocols remain the most developed: they were presented against general attacks in the finite key regime using several different approaches 24 . Security analysis for CV-QKD protocol with two-mode squeezed vacuum states was also performed 25,26 . Discrete-variable CV-QKD protocols possess several important advantages; among those are relative implementation simplicity and a possibility to minimize the number of parameters that need to be monitored. Nevertheless, security proofs for discrete-modulation CV-QKD systems require special consideration. In the asymptotic limit, its security has been proven against collective attacks 27 . Recently it was shown that security proof for CV-QKD with discrete modulation against general attacks is possible 27 .
Here we propose an implementation of CV-QKD protocol based on subcarrier wave (SCW) technique [28][29][30][31][32][33][34][35][36] . A defining property of subcarrier wave DV-QKD is the method for quantum state encoding. In it, a strong monochromatic wave emitted by a laser is modulated in an electro-optical phase modulator to produce weak sidebands, whose phase with respect to the strong (carrier) wave encodes quantum information (for more details, see 30 ). Like in any other DV-QKD systems, in SCW QKD the weak radiation component is detected by a single photon www.nature.com/scientificreports www.nature.com/scientificreports/ counter, and the measured observable has a discrete spectrum. In SCW CV-QKD protocol described in this work, Alice prepares coherent multimode states, which can be defined as quadratures of the bosonic field, while Bob performs coherent detection to establish correlations with Alice.
We propose a new coherent detection scheme for SCW QKD system, the main advantage of which is using the carrier wave (an essential part of SCW methodology) as a local oscillator. In practice, it solves the well-known problem of transmitting the local oscillator through the quantum channel (or its generation on receiver's side). This is a novel approach that has not been discussed in previous works dedicated to studying multimode CV QKD [37][38][39] .
From telecommunication point of view, SCW approach possesses several additional advantages. Firstly, it is intrinsically robust against external conditions affecting the fiber and is ready to function in conventional telecom infrastructure. Secondly, it demonstrates unmatched spectral efficiency in the quantum channel, allowing for distributing several keys on separate closely-packed sidebands around a single optical carrier 29 . Thirdly, recent experiments 40 have shown that preservation of SCW quantum signal parameters in respect to the carrier allows transmitting phase-encoded quantum signals through the air providing invariance to telescope rotation that remains an important obstacle in traditional polarization-based free-space quantum communication, making the same QKD kit suitable for fiber and free-space QKD networks. Security proof of SCW QKD protocol with discrete variables against collective beam-splitting attack was proposed in 36 , and more recently general finite-key security proof was presented in 41 .
A major difference of SCW approach from the previous CV-QKD protocols is using multimode coherent states generated on subcarrier frequencies. It therefore requires special consideration of security proof technique for the CV-QKD protocol. The most advanced security descriptions for typical CV-QKD protocols with Gaussian and discrete modulation assume that the quantum channel has losses and imposes Gaussian noise on the observed quadrature distributions. For CV-QKD this usually requires estimating a covariance matrix of the bipartite state shared by Alice and Bob 24 . In Gaussian modulation protocols the variances and covariances directly measured by Alice and Bob give a covariance matrix. In case of DM protocols it is harder to obtain, but in 27 a major step towards the full security proof of DM CV-QKD has been presented. The lower bound against collective attacks is calculated by solving a semidefinite program that computes the covariance matrix of the state shared by Alice and Bob in the entanglement-based version of the protocol. Our aim in this work is to demonstrate universality of CV-QKD protocol based on SCW technique. Hence we build a mathematical model of CV-QKD protocol based on SCW method and show the possibility of performing security proof analysis in case of multimode coherent states. Unconditional security proof is out of scope of this paper and will be a subject for a separate study. Here we perform finite-key security analysis using fully quantum asymptotic equipartition property technique 8 and calculate the lower bound on secret key rate under the assumption that detector dark counts remain a dominant contribution to the total noise level 20 . The key rates are obtained for direct reconciliation scheme with post-selection in case of collective attacks.

Results
Subcarrier wave CV-QKD setup. In SCW method the signal photons are not emitted directly by a laser source but are generated on subcarrier frequencies, or sidebands, in course of phase modulation of an intense optical carrier. Laser source emits coherent light with frequency ω. Alice modulates this beam in a traveling wave electro-optical phase modulator with the microwave field with frequency Ω and phase ϕ A 42 . As a result, pairs of sidebands are formed at frequencies ω ω = + k k Ω, where integer k runs between the limits: − ≤ ≤ S k S. Modulation index at Alice side is chosen so that the total number of photons in the sidebands is less than unity (according to the QKD protocol). In the proposed SCW CV-QKD setup shown in Fig. 1 Alice sends weak coherent states along with the carrier through a quantum channel. Alice prepares her states using quadrature phaseshift modulation by choosing from a finite set of states ϕ π π π ∈ {0, /2, , 3 /2} A . Receiver (Bob) applies much higher modulation index than Alice on his modulator and randomly selects x or P measurement introducing phase shift ϕ π ∈ {0, /2} B , respectively, in each transmission window T . Here we consider CV-QKD protocol with discrete modulation, so we formally leave Alice's block the same as in initial DV-QKD system 30 , but completely change the detection scheme. Figure 2 describes the operation of proposed coherent detection scheme in detail. We avoid mentioning the words "homodyne" and "heterodyne" purposely because this paper does not consider a classical scheme, but its analog, corresponding to the more general definition of "coherent detection". By definition, homodyne detection is characterized by interference of a weak signal with a powerful local oscillator on a 50/50 beam splitter. After interference, the number of photons at the detectors n 1 and n 2 depends on phase difference Δ = φ φ − A B . Then, the difference in photo-electrons n e can be determined by signal subtraction through the measuring of current. Coherent detection scheme employed in this work is similar to homodyne detection. Homodyning in SCW-CV is carried out directly in the phase modulator in the Bob module (instead o a 50/50 beam splitter) for each of the sidebands independently. After the second modulation interference is observed at frequencies ω ω = + k k Ω if equal microwave field frequencies Ω are used by Alice and Bob. Resulting carrier and subcarriers wave power depends on phase difference between ϕ A and ϕ B . In case of constructive (Fig. 2a) or destructive (Fig. 2b) interference, subcarriers wave power becomes either more or less than the carrier wave power, respectively. A narrow spectral filter then separates the carrier from the sidebands. Finally the two output modes (carrier and all the sidebands) are detected by two different photodiodes, and their photo currents are subtracted. Thus, one can extract information encoded in the the phase of the oscillating signal. Similar to traditional homodyne detection in QKD, Bob measures only one quadrature component at a time.
www.nature.com/scientificreports www.nature.com/scientificreports/ Subcarrier wave CV-QKD protocol. The protocol consists of the following steps: by choosing from a finite set of states (4 states is in our case). She assumes ψ (0) 0 , ψ π ( /2) 0 as "0" and ψ π ( ) 0 , ψ π (3 /2) 0 as "1". 2. Bob measures the received state in one of two bases: x or p applying a random ϕ = 0 shift. The procedures described above are repeated required (large) number of times. 3. For each time instance, Alice and Bob reveal their selected bases, and mismatched bases are discarded. Bob forms his bit string by assigning 0 for negative v and 1 for the positive v values in measurement results. The threshold values are selected to maximize the secure key rate. 4. Alice and Bob apply error correction and privacy amplification procedures. In this paper, we consider only the case of direct reconciliation (DR), when Bob adjusts his data in accordance with the data of Alice. As a result, the secure secret key is distributed.
Quantum state preparation. The states prepared by Alice can be described in terms of representation basis of abelian cyclic point symmetry groups C M respectively. The protocol which we propose here is based on four coherent states (number of bases = N 2). The initial state at Alice's side is vac SB where vac SB | 〉 is the sidebands vacuum state and µ | 〉 0 0 is the carrier wave coherent state with the average number of photons µ 0 emitted from a coherent monochromatic light source with frequency ω.
The state at the Alice's modulator output is a multimode coherent state  www.nature.com/scientificreports www.nature.com/scientificreports/ where θ 1 is a constant phase and β d ( ) nk S A is the Wigner d-function that appears in the quantum theory of angular momentum 43 . Argument of the d-function β A is determined by the Alice's modulation index m A , disregarding the modulator medium dispersion this dependence can be written as The detailed description of electro-optic modulation process for quantum states can be found in 44 .
Detection. The traveling wave phase modulator on the Bob's side has the same modulation frequency Ω as in the Alice's one, but a different phase ϕ B and modulation index m B . The resulting state is also a multimode coherent state cos cos s in sin cos( ) , where θ 2 and ϕ 0 are phases determined by phase modulator structure 44 . In order to achieve constructive interference, Bob should use ϕ 0 as an offset for his phase and apply microwave phase ϕ ϕ ϕ = + B 0 in his modulator. According to 36 , the average number of photons arriving at the first arm of Bob's detector in the transmission window T is where η B is the losses in Bob's module and ϑ is carrier wave attenuation factor. Thus the average number of photons arriving at the second arm of Bob's detector is After simple mathematical manipulations, we obtain ( 2 cos( ) 1) , where δ β β = / B A . Then, depending on Bob's phase choice ϕ B , the measured quadrature value is proportional to the difference between the photo currents of the two photodiodes. In the absence of noise the normalized quadrature value of the signal is obtained as where s is detector sensitivity, n LO is mean number of photons on the carrier before the second phase modulation. When bases coincide the power arriving at Bob's detectors will be greater either at its first or second arm, depending on the phase difference. The argument of d-function β A (and, subsequently, modulation index) is determined by mean photon number which is selected to maximise secure key rate. Parameter δ, as a ratio of modulation indices, is optimized in order to achieve the same distinguishability of quadratures for different phases in a correctly chosen basis, so that π π − = − n n n n ( (0, 0) (0, 0)) ( , 0) ( , 0) . Hence, Bob observes quadrature distributions that are symmetrically offset with respect to zero. The dependence of mean number of photons on the relative phase shift is illustrated in Fig. 3.
Quantum bit error rate. Succeeding the detection stage for pulses in correct bases we obtain two probability density distributions (Fig. 4) that contain information about binary signals. Our channel is characterised by excess noise variance Ξ and vacuum noise variance, which is constantly defined as = V 1/4 20,45 . So, the probability density to obtain quadrature value v is: we obtain: π ϕ ϕ π ϕ = + + + . e p p p After the post-selection stage, we can calculate bit error rate as = Q E P / , where the error probability E and post-selection rate P, respectively, are obtained as follows Holevo bound. Let us consider a collective attack in the asymptotic limit on infinitely long keys for the case of our system and compute the corresponding asymptotic collective key rate using the Devetak-Winter approach 46 . We estimate an upper bound for Eve's knowledge about the data using Holevo bound 47 for weak coherent states. Finite-key analysis for our protocol is presented in the following section.
Here we use direct reconciliation scheme 48 . In this case Alice sends error correction information to Bob and the secret key is determined by Alice's data. Eve can rotate all states stored in her quantum memory after reconciliation and before her measurement. Holevo bound can be found considering unconditioned channel density operator. The Eve's quantum state, conditioned on Alice's data, is Eve needs to discriminate between the states in one basis Figure 3. Dependence of the mean photon number difference on the relative phase shift represented by a cosine function. In this case the difference is maximal at points 0 and π and equals zero at points π/2 and 3π/2.
www.nature.com/scientificreports www.nature.com/scientificreports/ The Holevo bound is given by where ρ S( ) is the von Neumann entropy, index j enumerates the possible states in the quantum channel, ρ j is the ancilla state under condition that jth state was attacked, p j is the weight of the jth state. The von Neumann entropy of a density operator is the Shannon entropy of its eigenvalues. The eigenvalues of the channel density operator ρ are The overlapping of our states can be described as We therefore obtain the Holevo bound using binary Shannon entropy function h x ( ): DR S A 0 00 Now we are able to estimate the secure key generation rate K: The secret key rates as functions of channel loss are shown in Fig. 5. The parameters of the system are = T 100 ns, η = − . 10 B 0 64 , ϑ = − 10 6 , ϕ =°5 0 . We consider the ideal case and the case of the excess noise variance Ξ = 0.1. The parameters µ, µ 0 and v 0 are optimized so as to maximize the secret key rate. The value v 0 was optimized for losses at various distances. Equation (22) describes only the asymptotic case of infinitely long key sequences. In order to evaluate real keys it makes sense to carry out another estimation taking into account finite-key effects.
Secure key generation rate with finite-key effects. To estimate appropriate bound on secure key rate we consider the notation of Rényi entropies since they describe the worst case and not the average one 9,49 . We bound ε-smooth min-entropy 41,49,50 as follows: . On the error correction step both parties should check and remover the errors in their bit strings. Here we assume that Alice and Bob use low-density parity-check www.nature.com/scientificreports www.nature.com/scientificreports/ (LDPC) codes 51 . Bob randomly chooses a k bits and sends them to Alice, then Alice estimates the quantum channel parameters. It should be noted that LDPC codes succeed only if the actual error rate value Q real is less than a reference value parameterized in the code. Thus, Alice needs to consider an additional error rate fraction ΔQ. It can be estimated in order to maximize the probability of successful error correction in one round while keeping the secret key rate as high as possible. Then Alice computes the syndrome of LDPC code that corrects up to n(Q est + ΔQ) error bits. We denote the length of the syndrome as where sample size k is estimated by maximizing the key rate 41 . At privacy amplification step Alice and Bob hash their bit strings to a key of length l 41,52

S EC EC PA
At the error correction step, we have to estimate "correctness error" ε EC . From the properties of 2-universal hashing ε EC is

EC check EC
The trace distance d between the protocol output and an ideal output is bounded by ε ε ≤ + d s P A . We therefore obtain that the protocol is ε QKD -secure and correct protocol, with ε ε ε ε = + + It should be noted that in the asymptotic case → ∞ n , the Eqs. (22) and (29) converge to the same expression. The secret key rates for different values of n are presented in Fig. 6 as a function of channel loss. The parameters µ, µ 0 , k and v 0 . are optimized so as to maximize the secret key rate. The value v 0 is also optimized for losses at various distances. The considered security parameters are as follows: ε ε = = − 10 s P A 10 , ε = − 2 EC 256 .

Discussion
In this paper we proposed the implementation of CV-QKD protocol using SCW method, built a mathematical model of the proposed scheme and demonstrated the security proof technique. We calculated the secure key rate for discrete modulation CV-QKD protocol with post-selection in the asymptotic and finite-size regime. We calculated the lower bound on the secret key rate for the CV-QKD system under the assumption that the quantum channel noise is negligible compared to detector noise and Eve is restricted to collective attacks. Our calculation Figure 6. Secure key rate R dependence on channel loss in SCW CV-QKD system with discrete modulation for different number of detected quantum bits n.
www.nature.com/scientificreports www.nature.com/scientificreports/ shows that the system allows to provide a secret key for channel losses up to 9 dB in a realistic system implementation. It is important to note that our scheme also allows to implement CV-QKD with Gaussian modulation and the presented security analysis can be adopted there. Subsequent works will focus on a full security proof, as well as the experimental implementation of the proposed protocol.