## Abstract

We consider a subcarrier wave quantum key distribution (QKD) system, where quantum encoding is carried out at weak sidebands generated around a coherent optical beam as a result of electro-optical phase modulation. We study security of two protocols, B92 and BB84, against one of the most powerful attacks for this class of systems, the collective beam-splitting attack. Our analysis includes the case of high modulation index, where the sidebands are essentially multimode. We demonstrate numerically and experimentally that a subcarrier wave QKD system with realistic parameters is capable of distributing cryptographic keys over large distances in presence of collective attacks. We also show that BB84 protocol modification with discrimination of only one state in each basis performs not worse than the original BB84 protocol in this class of QKD systems, thus significantly simplifying the development of cryptographic networks using the considered QKD technique.

© 2018 Optical Society of America under the terms of the OSA Open Access Publishing Agreement

## 1. Introduction

Growing interest to quantum key distribution (QKD) systems [1–4] in the last decades has led to emergence of a large number of experimental works dedicated to developing reliable QKD setups suitable for everyday operation in existing telecommunication networks. Among them stand subcarrier wave (SCW) QKD systems, the most valuable feature of which is exceptionally efficient use of quantum channel bandwidth and capability of signal multiplexing by adding independent sets of quantum subcarriers around the same carrier wave. It makes SCW QKD systems perfect candidates as backbone of multiuser quantum networks.

In the SCW QKD systems, a strong monochromatic wave emitted by a laser is modulated to produce weak sidebands whose phase with respect to strong coherent wave encodes quantum information. Various protocols can be implemented using this technique, including the most widely-used BB84 protocol [5], with four phase values, and the B92 protocol [6], which utilized just two phases. SCW realization of B92 protocol with phase modulation has been demonstrated by Merolla group [7,8]. BB84 protocol in the SCW scheme has been implemented by the same group using amplitude instead of phase modulators [9]. Replacement of phase modulation by more technically complicated amplitude modulation was necessary for decoding all the protocol states at the receiver side. More recently, the latter approach combined with employing several microwave frequencies in amplitude modulators (subcarrier multiplexing technique) allowed the authors of Ref. [10] to increase several times the key generation rate. It was shown in [11] that monitoring the intensity of the strong wave can improve the protocol security in SCW systems. The work implements the “strong reference” method [6] that was introduced in the early days of quantum cryptography for countering the most dangerous attacks and was later extended to provide unconditional security in QKD systems with weak coherent states [12,13]. A version of the BB84 protocol with phase modulation which allows the receiver to decode only a half of the states in each basis has recently been demonstrated by several authors of this work in [14,15].

Despite the significant experimental effort in the development of SCW QKD systems, their security analysis still requires special consideration. A general security proof for SCW QKD protocols is currently missing. Measurement-device-independent (MDI) scenarios have been proposed in the last few years for QKD protocols in order to avoid side channels at the detection stage, thus ensuring a secure communication line [16]. Unfortunately, the MDI scenario for SCW encoding appears overcomplicated due to a necessity to synchronize two carrier waves and non-orthogonality of the states that encode logical 0 and 1 in the same basis. Our approach to proving the security of SCW QKD consists in considering individual, collective and coherent attacks for the original protocols without any modifications in order to highlight their properties related to multimode structure of the quantum states in each case.

In this article we explore the security of B92 and BB84 protocols against a single very powerful attack: the collective beam-splitting (CBS) attack. We analyze this attack and calculate secure key generation rates for the given protocols in its presence. Neither strong reference [6] nor decoy states [17] techniques can block the CBS attack. Thus, the obtained result is quite general and remains valid even for strong-reference enhanced [14] or decoy-state enhanced [18] versions of the protocols. We also show that in SCW QKD systems secure key generation rate for BB84 protocol with one state decoding (BB84-OSD) is the same as in BB84 with both states decoded, as far as the known attacks are concerned, which allows the developers of SCW QKD networks to employ a relatively simple phase modulation method in the future.

Our calculation of secure key rates is based on the well-known Devetak-Winter bound [2,19], applicable to the case of collective attacks in one-way QKD protocols with independent identically distributed information carriers (the considered SCW QKD protocols belong to this family). We employ the recently developed quantum model of electro-optical phase modulation [20], which allows us to deduce the states of sidebands in the quantum channel after modulation, as well as after demodulation, before detection. This model has an advantage of applicability in the case of relatively high modulation indices, where tens of sidebands contain non-negligible amounts of photons.

This paper is organized as follows. Section 2 gives a description of the protocols implemented in the SCW QKD device and builds the quantum channel model. In Section 3 we calculate the quantum bit error rate as a function of loss in the quantum channel, which takes into consideration quantum efficiency and dark count rate of the photo-detector. In Section 4 we consider the attacks on the protocols and in Section 5 we find the secure key rate dependence on the the channel length for different sets of SCW QKD parameters. Section 6 describes experimental results confirming the validity of the theoretical model. Section 7 concludes the article.

## 2. Operation principles of SCW QKD

#### 2.1. Setup and protocols

We consider two SCW QKD protocols sharing the same experimental setup, which is schematically shown in Fig. 1. The laser source produces a coherent monochromatic light beam with optical frequency *ω*, serving as a carrier wave in the setup. The sender (Alice) modulates this beam in a single-tone traveling-wave phase modulator [21] with the frequency of the microwave field Ω and its phase *φ _{A}*. As a result of phase modulation, the field at the modulator output acquires sidebands at frequencies

*ω*=

_{k}*ω*+

*k*Ω. We limit our consideration to 2

*S*sidebands and let the integer

*k*run between the limits −

*S*≤

*k*≤

*S*. Modulation index and intensity of the carrier wave are chosen so that the total number of photons in the sidebands is less than unity, thus providing non-orthogonality of the chosen set of states, required by the no-cloning theorem that lies in the heart of QKD security. The phase

*φ*is constant in a transmission window with duration

_{A}*T*, but changes randomly within a predefined set in the next window. This value defines the relative phase between the sidebands and the carrier wave, and thus encodes the bit sent by Alice. In this article we consider two protocols that differ in the phase sets used by Alice. The B92 protocol [6] employs only two non-orthogonal states with

*φ*∈ {0,

_{A}*π*} encoding logical 0 and 1, respectively. The BB84 protocol [5] (as well as its variant BB84-OSD) uses four states split into two bases:

*φ*∈ {0,

_{A}*π*} is basis 0 and

*φ*∈ {

_{A}*π*/2, 3

*π*/2} is basis 1, the first state in each basis encodes logical 0 while the second encodes logical 1. In both protocols the carrier wave propagates together with the sidebands and can serve as the “strong reference”, which was suggested for the B92 protocol by Bennett [6] and can be extended to the BB84 protocol by analogy. Monitoring the power of the strong reference helps uncover the attacks that employ measuring quantum states in the channel and suppressing them in the case of unfavorable outcomes, as in the photon number splitting (PNS) attack and the unambiguous state discrimination (USD) attack [2]. However, in this article we do not consider additional security enhancement provided by the strong reference method, leaving it for a separate study.

The encoded states together with the carrier wave are sent to the receiver (Bob) who applies similar phase modulation to the incoming beam with the microwave phase *φ _{B}* in each transmission window, then filters out the carrier wave and directs all sidebands to a single-photon detector (SPD). The set of phases used by Bob is the same as that of Alice in both protocols. Decoding is based on the fact that each time Alice and Bob use different phases from the same basis {0,

*π*} or {

*π*/2, 3

*π*/2}, so that

*φ*−

_{A}*φ*= ±

_{B}*π*, sidebands after Bob’s modulator are in the vacuum state and SPD produces no click, except for dark counts. In the B92 protocol Bob decodes bits in the transmission windows where his SPD clicks, and these values correspond to his phases

*φ*. In the BB84-OSD protocol Bob waits for Alice to announce the bases used for each bit through a public channel and then decodes the bit values in transmission windows where he used the same bases and his SPD clicked, these values again corresponding to his phase choices

_{B}*φ*. In this protocol Bob decodes only one state of the basis. For example, if Alice uses

_{B}*φ*= 0, Bob decodes this bit only if he applies

_{A}*φ*= 0. Phase

_{B}*φ*=

_{B}*π*, even though it belongs to the same basis, does not result (in the ideal case) in a click at Bob’s detector. We show in Sec. 5 that this modification of BB84 protocol does not affect the secure key generation rate for sufficiently small modulation indices.

#### 2.2. Secure key generation rate

The protocols described above belong to the class of one-way QKD protocols with independent identically distributed information carriers [2]. Secure key generation rate *K* for the protocols of this class in the presence of collective attacks is lower bounded by the Devetak-Winter bound [2,19]:

*ν*is the repetition rate, in our case

_{S}*ν*=

_{S}*T*

^{−1};

*P*is the probability of successful decoding and accepting a bit in a single transmission window;

_{B}*Q*is the quantum bit error rate (QBER), the probability that a bit accepted by Bob is erroneous; leak

*(*

_{EC}*Q*) is the amount of information revealed by Alice through the public channel for the sake of error correction, which depends on QBER and is limited by the Shannon bound: leak

*(*

_{EC}*Q*) ≥

*h*(

*Q*) where

*h*(

*Q*) = −

*Q*log

_{2}

*Q*− (1 −

*Q*) log

_{2}(1 −

*Q*) is the binary Shannon entropy.

Quantity *χ*(*A: E*) in Eq. (1) is the Holevo information [22], giving an upper bound for amount of information accessible to eavesdropper Eve in a given collective attack. In this class of attacks Eve performs interaction of her ancilla with each information carrier in the quantum channel (light in each transmission window in our case), stores her ancillae for the entire transmitted block in her quantum memory, and waits until Alice and Bob finish the post-processing of their key. Afterwards Eve collectively measures all ancillae in the block taking into account all information collected from the public channel. The best measurement cannot give her more information (per bit) than

*k*enumerates the possible states in the quantum channel,

*ρ*is the ancilla state under condition that

_{k}*k*th state was attacked,

*p*is the weight of the

_{k}*k*th state, $\rho ={\sum}_{k}{p}_{k}{\rho}_{k}$ is the unconditional state of ancilla, and

*S*(

*ρ*) = − Tr{

*ρ*log

_{2}

*ρ*} is the von Neumann entropy. Accessible information in Eq. (1) is maximized over all possible attacks by Eve, which is almost impossible to achieve by considering various attacks one by one. A different approach to finding secure key rate is connected to considering an equivalent protocol of entanglement distillation [23], and thus proving the unconditional security of the given protocol. Unfortunately, this approach has not yet been applied to the SCW QKD without strong reference. In Sec. 4 we calculate the information quantity given by Eq. (2) for an important case of CBS attack.

#### 2.3. Quantum channel

The information channel between Alice and Bob includes quantum encoding, transmission via quantum channel, and quantum decoding. For each choice of basis it has two input values, Alice’s bits *x* = 0, 1, and three output values: Bob’s bits *y* = 0, 1 and an inconclusive result *y* = 2 (or *y* =?) when Bob’s detector does not click. Absence of a click is caused by the vacuum component in the sideband states or by the destructive interference occurring in case Bob guesses the basis but not the state in BB84-OSD. The channel is completely determined by the matrix *P*(*y*|*x*), the conditional probability of Bob’s outcome being *y* when Alice sends *x*. We accept that Alice’s bit is random and its two values are equiprobable, which is known to maximize the data transmission rate.

When the probabilities of error and loss are independent of the input values a channel is referred as the binary symmetric error and erasure (BSEE) channel [24]. For such a channel we can write *E* = *P*(0|1) = *P*(1|0), *G* = *P*(2|0) = *P*(2|1), and these two parameters completely determine the channel. The diagram of this channel is shown in Fig. 2(a). Its capacity is

It should be noted that the “error probability” *E* of the BSEE channel is not the QBER value *Q* used in Eq. (1), because *Q* defines the probability of error under condition of conclusive measurement outcome. To find the QBER value, we divide the BSEE channel into two cascaded channels [24]: a symmetric binary channel with the error probability *Q* and an erasure channel with the erasure probability *G′*, see Fig. 2(b). It is easy to find that the two representations are equivalent, i.e, have the same matrix *P*(*y*|*x*) if *G′* = *G* and *Q*(1 − *G*) = *E*. The capacity of the channel, given by Eq. (3), can be rewritten as *C* = *C*_{1}*C*_{2}, where *C*_{1} = 1 − *h*(*Q*) is the capacity of the symmetric binary channel, and *C*_{2} = 1 − *G* is the capacity of the erasure channel. In the following section we calculate the *E* and *G* values, and consequently QBER, from the explicit expressions for the quantum states used in the SCW QKD system.

## 3. Quantum bit error rate

Multimode optical field states at the quantum channel entrance can be determined using the quantum model of electro-optical phase modulator developed in Ref. [20]. This model takes into consideration 2*S* + 1 modes of the optical field with frequencies *ω* + *k*Ω, where integer *k* satisfies −*S* ≤ *k* ≤ *S*. The input state at Alice’s modulator is ${|\sqrt{{\mu}_{0}}\u3009}_{0}\otimes {|\text{vac}\u3009}_{\mathit{SB}}$, where |vac〉* _{SB}* is the vacuum state of the sidebands and ${|\sqrt{{\mu}_{0}}\u3009}_{0}$ is the coherent state of the carrier wave with the amplitude $\sqrt{{\mu}_{0}}$ determined by the average number of photons in a transmission window:

*μ*

_{0}=

*PT*/(

*ħω*),

*P*being the power of the laser beam. The carrier wave phase is accepted to be zero and all other phases are calculated with respect to it. Electro-optical phase modulator rearranges the energy between the interacting modes, so that the state of the field at the modulator output is a multimode coherent state:

*θ*

_{1}is a constant phase and ${d}_{nk}^{S}(\beta )$ is the Wigner d-function that appears in the quantum theory of angular momentum [25]. Argument of the d-function

*β*is determined by the modulation index

*m*, disregarding the modulator medium dispersion this dependence can be written as [20]: A remarkable property of the d-function is its asymptotic form [25] where

*J*(

_{n}*x*) is the Bessel function of the first kind. The asymptotic form corresponds to a conventional description of phase modulation with an infinite number of sidebands. However, unlike the conventional description, in the quantum case it does not lead to unphysical results such as appearance of negative frequencies (see discussion in Ref. [26]). Another important property of the chosen modulator model is that if we apply higher modulation index (

*m*≫ 1), at some

*m*we shall observe complete energy return to the carrier mode [20], while there is no such effect in case of infinite number of interacting modes. Knowing the so-called “point of return” for the modulation index, one can estimate the number of interacting modes precisely. However, in practice this may require an unacceptably high voltage applied to the crystal leading to its destruction. It is commonly believed that standard fiber phase modulators (for example, Thorlabs LN53S-FC) have considerably large S. In the practical implementations of SCW QKD rather low modulation indices (

*m*< 1) are employed, in this case both approaches provide almost identical results.

After passing the distance *L* in the quantum channel (optical fiber), states of all spectral components become attenuated. Transmission coefficient of the quantum channel is *η*(*L*) = 10^{−ξL/10}, where *ξ* is the fiber loss per length unit. Optical field state in a single transmission window at the entrance to Bob’s module is

The microwave field in Bob’s phase modulator has the same frequency Ω as in the Alice’s one, but a different phase *φ*. In this modulator, additional field is generated on the same sidebands *ω* + *k*Ω, which interferes with the field already present on these frequencies. The resulting state of the field is a multimode coherent state [20]

*θ*

_{2}and

*φ*

_{0}are some phases determined by the construction of the phase modulator [20]. Equation (11) shows that in order to achieve constructive interference on the sidebands, Bob should use

*φ*

_{0}as an offset for his phase and apply in his modulator the microwave phase

*φ*=

*φ*

_{0}+

*φ*. Then for

_{B}*φ*−

_{A}*φ*= 0 the argument of d-function doubles:

_{B}*β′*= 2

*β*while for

*φ*−

_{A}*φ*= ±

_{B}*π*it vanishes:

*β′*= 0. Since ${d}_{0k}^{S}(0)={\delta}_{0k}$, a zero argument corresponds to the presence of photons only on the carrier frequency, with all the sidebands being in the vacuum state.

Optical losses in Bob’s module can be described by the transmittance coefficient *η _{B}*. These losses can be taken into account by replacing the amplitudes determined by Eq. (10) with the following ones:

Spectral filtering in Bob’s module aims at removing the relatively strong carrier wave. Unfortunately, in a practical SCW QKD system this wave can only be attenuated by a factor *ϑ* ≪ 1, resulting in replacement ${\overline{\alpha}}_{0}({\phi}_{A},{\phi}_{B})\to \sqrt{\vartheta}{\overline{\alpha}}_{0}({\phi}_{A},{\phi}_{B})$.

Thus, the average number of photons arriving at Bob’s detector in the transmission window *T* is given by the average total number of photons at all spectral components

For the values *n _{ph}* ≪ 1, typical for a long-distance QKD line, probability for SPD to produce a click in the window

*T*is [27]

*η*is the detector quantum efficiency,

_{D}*γ*is the dark count rate and Δ

_{dark}*t*=

*T*for continuous operation of the detector, however if gating time shorter than

*T*is used then Δ

*t*is the gating time of the detector.

Now we can calculate the parameters of the BSEE channel between Alice and Bob. These parameters are the same for both B92 and BB84-OSD protocols and are given by the following relations

where the phase Δ*φ*describes slight phase instability caused, for instance, by jitter or phase mismatch due to imperfect synchronization. Equations (16) and (17) can be understood from simple considerations. Let Alice choose

*φ*= 0. Bob obtains an error if he (i) chooses the wrong phase

_{A}*φ*=

_{B}*π*and (ii) obtains a click. Equation (16) gives the product of the corresponding probabilities. Similarly, Bob obtains a correct bit value if he (i) chooses the proper phase

*φ*= 0 and (ii) obtains a click; Eq. (17) gives the product of these probabilities.

_{B}The QBER *Q* = *E*/(1 − *G*) is obtained from Eqs. (11), (13), (15)–(17) as

*ζ*(

*L*) =

*γ*/(

_{dark}T*η*

_{D}μ_{0}

*η*(

*L*)

*η*) and cos

_{B}*β*

_{0,1}= cos

^{2}

*β*± sin

^{2}

*β*cos (Δ

*φ*). The calculation of

*Q*(

*L*) can be simplified by considering the limit

*S*→ ∞ given by Eq. (7), i.e. by transition from the d-functions to the Bessel functions. We note that

*S*determines the maximal number of sidebands, while their effective number is determined by the modulation index

*m*. The difference between ${d}_{00}^{S}(\beta )$ and the corresponding Bessel function

*J*

_{0}(

*m*), where

*m*is related to

*β*via Eq. (6), is less than 1 percent for

*S*> 3 and modulation index

*m*= 0.319 used in our numerical study below. Thus, increasing

*S*above 3 does not significantly affect QBER value. Numerical values for QBER obtained from Eq. (18) with any

*S*> 3 are almost the same as those calculated with the d-function replaced by the corresponding Bessel function.

For calculations we use experimental parameters from one of the regimes used in Ref. [14], which are close the implemented during experimental verification of our model, see Sec. 6: *T* = 10 ns, *ν _{S}* = 100 MHz,

*m*= 0.319,

*μ*

_{0}= 4, Δ

*φ*= 5°,

*η*= 10

_{B}^{−0.64},

*ϑ*= 10

^{−3}. Symbol

*ϑ*denotes the fraction of the carrier transmitted through the filter. It can be measured experimentally and/or compared with the values given by the manufacturer in the data sheet of the optical filter. For the experiment described in Sec. 6 we use fiber Bragg grating filters PWS-NLS-1550.12-99.9-CM with 30 dB average transmission rate at the carrier wavelength. The contribution of the transmitted carrier is demonstrated by the first summand in the right hand side of Eq. (13). Two different detectors are considered in the model: a superconducting nanowire single-photon detector (SNSPD) with

*η*= 0.2,

_{D}*γ*= 20 Hz operating in the continuous regime, and an avalanche photodiode (APD) with

_{dark}*η*= 0.125,

_{D}*γ*= 400 Hz operating in the gated mode with the gating time Δ

_{dark}*t*= 4 ns. We use two different types of detectors because SNSPD has higher performance but needs cryo-temperatures for its operation which are available mostly in laboratory environment, while APD has lower parameters but does not require any special temperature regime. Also APDs are much more accessible in terms of cost and can be easily implemented in field QKD lines.

In Fig. 3 we show the dependence of QBER calculated from Eq. (13) and Eqs. (15) – (17) on the optical channel loss *ξL* for the two considered detectors. For relatively low loss, while the counting rate well surpasses the dark count rate, QBER is mainly determined by the phase instability and imperfect filtering of the carrier wave. Loss may be considered maximal for a given QKD system when signal becomes comparable to *γ _{dark}*, because above this value the QBER increases rapidly, reaching values not suitable for error correction.

It should be noted that for a more accurate QBER estimation one could consider more advanced models of the quantum channel, for instance, including partial loss of coherence between the sidebands propagating in the fibre, and more advanced models of the photocounting process that take into account the afterpulsing effect in the photodetector [1,28]. However, the influence of these effects on QBER is expected to be inferior to the impact of the ones considered here [2]. The experiment, described in Sec. 6, confirms that the model presented above works fairly well for a practical SCW QKD system.

## 4. Analysis of the CBS attack

#### 4.1. Possible attacks

After Alice and Bob successfully generate a block of shared bits of length *N* containing some errors (raw key), they perform error correction by disclosing *N* · leak* _{EC}*(

*Q*) bits. This number depends on their particular error-correcting protocol, but is lower limited by

*N*·

*h*(

*Q*). After having corrected all the errors they perform privacy amplification by shortening their block using a hash function in order to eliminate almost entirely any potential Eve’s knowledge of the shorter block (final key). The block should be shortened as shown in Eq. (1), where the second term in the square brackets corresponds to the information disclosed during the error correction stage, and the third term in the square brackets corresponds to the upper estimate of potential Eve’s information about the key.

To obtain a good upper bound of Eve’s information, one needs to consider explicitly various attacks on the QKD line. A general scenario of the attack is following: Eve replaces the quantum channel characterized by the error rate *Q*_{0} and loss *η* by a perfect errorless and lossless channel and employs an eavesdropping procedure on the information carriers, introducing the same amount of error and loss as before the replacement. She thus hides her intrusion from the legitimate users who monitor the error rate and loss in the channel. Here *Q*_{0} ≤ *Q* represents only the errors appearing in the quantum channel, but not on Bob’s side. Attacks suitable for modelling can be individual or collective, depending on the number of information carriers attacked at once. The most important individual attacks are the intercept-resend (IR) attack, which introduces errors, but no loss [1], and three zero-error attacks that introduce loss but no errors [2]: the PNS attack, the USD attack, and the individual beam-splitting (IBS) attack. The most important collective attacks include the CBS attack, being a quantum-memory-enhanced version of the IBS attack, and the asymmetric cloning (AC) attack consisting in entangling an ancillary system to the information carrier by means of an asymmetric cloning machine [29] or an asymmetric universal entangling machine [30] with a subsequent measurement of the ancilla. The AC attack introduces errors but no loss.

Analysis in the previous section shows that in the SCW QKD system almost no error is caused by the transmission line, so that *Q*_{0} ≈ 0. In the “calibrated devices” approach to the security analysis [2] we accept that Bob’s module is calibrated in terms of errors and loss, and Eve has no access to its performance. Then the IR and AC attacks, which introduce errors, can be rather easily detected due to enhancement of the measured QBER value. The zero-error PNS and USD attacks require a suppression of the signal and carrier wave in case of unsuccessful measurement outcome, and can be countered by monitoring the power of the carrier wave, which is the essence of the “strong reference” method [6,12,13]. The CBS attack always outperforms the IBS attack, which is its particular case. Therefore we consider the CBS attack, in no way detectable, to be the most important one for the security analysis of the SCW QKD systems, serving as the point of reference for all other attacks.

#### 4.2. CBS attack

In course of CBS attack, Eve inserts a beam splitter with transmittance *η*(*L*) to the very beginning of the quantum channel. She sends the transmitted light to Bob via a lossless line and keeps the reflected light in her quantum memory, writing the signals from each window with duration *T* to a separate memory cell. After the announcement of bases (in BB84-OSD) and error correction performed by the legitimate users for each block of bits, she discards (in BB84-OSD) the memory cells corresponding to instances where the bases used by Alice and Bob did not coincide and does a collective measurement of the rest of the cells. Below, in Eq. (2), we calculate the Holevo information for the state of information carriers in the quantum channel of an SCW QKD system.

As follows from the quantum consideration of a beam splitter [31], the state of the transmitted beam in the window *T* is given by Eq. (8). It is identical to the one which should arrive at Bob’s module in the absence of eavesdropping, while the state of the reflected beam in the same window is

*η̄*(

*L*) = 1 −

*η*(

*L*) and phase

*φ*is a random member of the set corresponding to the protocol used.

_{A}In the B92 protocol Eve needs to distinguish only two states in each cell, |*ψ _{E}*(0)〉 and |

*ψ*(

_{E}*π*)〉. In the BB84-OSD protocol for the cells corresponding to Alice’s choice of basis {

*π*/2, 3

*π*/2} Eve shifts the phase of the

*k*th sideband by

*πk*/2v using a unitary rotation of state given in Eq. (19) by an evolution operator

*a*is the photon annihilation operator for the

_{k}*k*th sideband. The unitary rotation does not change the accessible information, thus Eve needs to distinguish the same two states as in the B92 protocol case.

Since the two states to be distinguished are pure, the Holevo information, Eq. (2) is given by the von Neumann entropy of a mixed state

The von Neumann entropy of a density operator is the Shannon entropy of its eigenvalues. The eigenvalues of the operator *ρ* are

*I*(

*φ*

_{1},

*φ*

_{2}) is calculated as

*β*

_{−}is determined by relation

*φ*

_{1}−

*φ*

_{2}= ±

*π*we need to substitute

*β*

_{−}= 2

*β*.

Therefore, for both B92 and BB84-OSD protocols we obtain the Holevo information as the Shannon entropy of the eigenvalues defined by Eq. (22):

## 5. Secure key rate

#### 5.1. Rate dependence on loss

Now we have all the necessary dependencies to calculate the secure key rate determined by Eq. (1). Probability *P _{B}* for decoding and accepting a bit is

*P*= (1 −

_{B}*G*)

*f*, where

*f*is the fraction of data where Bob guesses the basis correctly, given by $\frac{1}{2}$ for the BB84-OSD protocol and being unity for the B92 protocol, and 1−

*G*is the probability of photodetection in the window

*T*determined by Eqs. (16) and (17). As we have seen in the previous sections, all functions entering the right hand side of Eq. (1) are the same for the BB84-OSD and B92 protocols, except for

*f*. Thus, the secure key rate for B92 protocol is always two times higher than for BB84-OSD protocol, as far as we restrict our analysis to the CBS attack. For this reason, here we illustrate only the latter protocol. For simplicity we also accept leak

*(*

_{EC}*Q*) =

*h*(

*Q*). Thus, we rewrite Eq. (1) as follows

*G*,

*E*are defined in Eqs. (16) and (17). Here we have replaced ${d}_{00}^{S}(2\beta )$ by its asymptotic value

*J*

_{0}(2

*m*).

Mean photon number on all the sidebands at the quantum channel entrance is an important parameter commonly used for characterizing the mode of a QKD system [1,2]. It can be found from Eq. (5) as follows:

Higher values of *μ* correspond to higher counting rates on Bob’s detector and are very attractive from the practical point of view. However, information available to Eve is also growing with *μ*, reaching 100 % in the limit where *μ* ≫ 1 and the sideband states corresponding to different values of *φ _{A}* become almost orthogonal. Hence optimal mean photon number on the sidebands

*μ*(

*L*) can be found by maximizing the key rate

*K*in Eq. (29) at a given distance. More specifically, since

*μ*is not directly present in the expression for

*K*, one should determine the values of

*μ*

_{0}(

*L*) and

*m*(

*L*) which maximize

*K*(

*μ*

_{0},

*m*,

*L*) for a given

*L*and then substitute them into Eq. (30). In this way

*μ*(

*L*) can be computed numerically. The results of such calculation are presented in Fig. 4 for the same experimental setup with two different detectors as discussed in Sec. 3.

We can see that a practical value for a long-distance QKD with SNSPD is about *μ* = 0.2, and higher values of mean photon number considered in the theoretical security analysis [11, 32] either lead to sub-optimal key generation rates or are completely insecure against the CBS attack.

Secure key rate with *μ* optimized for each value of loss is shown in Fig. 5 as a function of channel loss *ξL*. Corresponding distance can be easily calculated using *ξ* = 0.18 dB/km typical for modern telecommunication fibers.

We note that even for comparably low repetition rate, *ν _{S}* = 100 MHz, we can achieve rather high values of maximal distances and secure key rates. In spite of lower secure distances with the APD, it still remains a viable solution for fiber lines up to 100 km long thanks to easier maintenance compared to the SNSPD.

#### 5.2. Secure key rate of BB84 versus BB84-OSD

Demodulation process in Bob’s module can be described by a demodulation operator *D*(*φ _{B}*) that maps the arriving state from Eq. (8) to the state given by Eq. (9). In case

*φ*= 0 and the basis is guessed correctly, this mapping is

_{B}*μ*〉

_{s}_{+}and |

*μ*〉

_{s}_{−}are multimode coherent states of upper and lower sidebands, respectively, with equal mean photon numbers

*μ*, defined as

_{s}*μ̄*〉

_{c}_{0}and |

*μ̄*〉

_{0}are coherent states of the carrier wave with mean photon numbers

*μ̄*= |

_{c}*α′*

_{0}(0,

*φ*

_{0})|

^{2}and

*μ̄*= |

*α′*

_{0}(

*π*,

*φ*

_{0})|

^{2}, respectively. From Eq. (10) we can obtain

*μ̄*=

*μ̄*+ 2

_{c}*μ*which has a simple physical meaning: demodulation process preserves the total number of photons.

_{s}Let us now consider a modification of the BB84-OSD protocol where the receiver has two detectors: one for the upper sidebands and one for the lower ones. Bob applies a demodulation operator *D′*(*φ _{B}*) to the state arriving to his module, which is given by Eq. (8), hence directing the photons either to the upper or to the lower sideband depending on the phase

*φ*(if he uses the same basis as Alice). Here we consider only operators resulting in a linear transformation of the field and therefore mapping coherent states onto coherent ones. When

_{B}*φ*= 0 this demodulation mapping is as follows:

_{B}*φ*= 0 and

_{A}*φ*=

_{A}*π*by observing a click on the corresponding detector, similar to the BB84 protocol implementation. Let us now calculate the corresponding counting rate.

From the unitarity of operators *D*(*φ _{B}*) and

*D′*(

*φ*) we have

_{B}*μ*/

_{s}*μ̄*≪ 1, the average number of photons on the sidebands for the BB84 protocol is almost the same as for BB84-OSD,

*μ′*≈

_{s}*μ*. It means that in the BB84 protocol two Bob’s detectors click with the rates

_{s}*η*, while in the BB84-OSD protocol (with a perfect suppression of the carrier wave) the only detector clicks with the rate 2

_{B}μ′_{s}*η*, hence the total count rate is the same for the two protocols.

_{B}μ_{s}There are two important issues for future research in this direction. The first is proving that detection of just one state adds no loopholes to the BB84-OSD protocol. Since BB84-OSD uses the same states as BB84 and the detected state is chosen randomly, all known attacks on BB84, including the CBS, PNS and USD attacks, give the same amount of intercepted information, and therefore the security analysis for both protocols coincides. However, a possibility of a specially designed attack targeting the non-detection of the second state cannot be neglected without special consideration. Secondly, it would be interesting and practically important to study the influence of increased number of phase states in each basis [33] or the total number of bases [34] on the secure key rate.

We conclude that, unless more effective attacks are discovered, in low modulation index regime there is no reason to install the second detector and employ sophisticated modulation/demodulation techniques for decoding both states at the same basis. In relation to any known attacks, in SCW QKD system the BB84-OSD protocol performs not worse than BB84 and is technically significantly simpler.

## 6. Experimental results

In this section we present experimental data confirming the validity of the assumptions made in our theoretical model. Main results of the experimental verification for the developed theory are shown in Figs. 6 and 7 which include the sifted key rate *R* = *ν _{S}P_{B}*, the QBER, and the secure key rate, with the corresponding standard deviations marked.

In the experiment we used the SCW QKD system described in Ref. [14,15] with the following parameters: *T* = 10 ns, *ν _{S}* = 100 MHz,

*m*= 0.212,

*μ*

_{0}= 9, Δ

*φ*= 5°,

*η*= 10

_{B}^{−0.64},

*ϑ*= 10

^{−2.5}. The latter value is equivalent to −25 dB which is higher compared to the declared −30 dB of carrier wave transmission through the filter given by the manufacturer. This increase is caused by an additional amount of background light, unmodulated fraction of the pulses, polarization extinction and other features which cannot be easily measured separately. However, they influence the quantum signal in the same manner as the transmitted fraction of the carrier wave and thus can be simply considered as additional 5 dB of illumination. The employed detector is an APD with the following parameters:

*η*= 0.1,

_{D}*γ*= 100 Hz, operating in the gated mode with the effective gating time Δ

_{dark}*t*= 1.3 ns.

Both Fig. 6 and Fig. 7 demonstrate good correspondence between the experiment and our model. We would like to mention that our system has been running for considerably long time and we have randomly chosen up to 100 keys for statistical analysis.

## 7. Conclusions

In this work we have calculated the secure key generation rate for two SCW QKD protocols in the presence of the CBS attack and have shown that SCW QKD systems allow secure distribution of cryptographic key over long distances. It was shown that the optimal mean photon number value in the system is *μ* ≈ 0.2, and the main limiting factors for longer distance communication are photodetector dark counts and imperfect filtering of the carrier frequency. The theoretical model of errors has been verified experimentally and corresponds very well with the obtained results.

We have shown that at low modulation depth the version of BB84 protocol with detection of just one of the states in each basis has performance not worse than the full BB84 protocol in SCW QKD, in respect to known attacks. We have also demonstrated that the SCW QKD key generation rate of the B92 protocol is doubled in respect to the BB84 protocol, as long as the analysis is limited to the CBS attack. It is possible that other attacks, like the USD attack, are more successful against B92, which uses fewer states, than against BB84. Individual attacks on the SCW QKD system will be a subject of a separate study.

The obtained results are important for constructing long-distance QKD links and multiuser quantum networks by exploiting mayor SCW QKD properties: possibility of harnessing ultra-high QKD bandwidth and compatibility with the existing optical communication infrastructure.

## Funding

Ministry of Education and Science of Russian Federation (contract 03.G25.31.0229); Belarusian Republican Foundation for Fundamental Research.

## Acknowledgments

This work was financially supported by the Ministry of Education and Science of Russian Federation (contract 03.G25.31.0229) and by the Belarusian Republican Foundation for Fundamental Research. Also we are very grateful to Oleg Bannik and Vladimir Egorov for inestimable help with the experiment and the manuscript preparation.

## References and links

**1. **N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum cryptography,” Rev. Mod. Phys , **74**, 145–195 (2002). [CrossRef]

**2. **V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dusek, N. Lütkenhaus, and M. Peev, “The security of practical quantum key distribution,” Rev. Mod. Phys , **81**, 1301 (2009). [CrossRef]

**3. **M. Sasaki, M. Fujiwara, R.-B. Jin, M. Takeoka, T. S. Han, H. Endo, K.-I. Yoshino, T. Ochi, S. Asami, and A. Tajima, “Quantum photonic network: concept, basic tools, and future issues,” IEEE J. Sel. Top. Quantum Electron. **21**, 6400313 (2015). [CrossRef]

**4. **E. Diamanti, H.-K. Lo, B. Qi, and Z. Yuan, “Practical challenges in quantum key distribution,” NPJ Quantum. Inf. **2**, 16025 (2016). [CrossRef]

**5. **C. H. Bennett, F. Bessette, G. Brassard, and L. Savail, “Experimental quantum cryptography,” J. Cryptol. **5**, 3–28 (1992). [CrossRef]

**6. **C. H. Bennett, “Quantum cryptography using any two nonorthogonal states,” Phys. Rev. Lett. **68**, 3121 (1992). [CrossRef] [PubMed]

**7. **J.-M. Merolla, Y. Mazurenko, J.-P. Goedgebuer, and W. T. Rhodes, “Single-photon interference in sidebands of phase-modulated light for quantum cryptography,” Phys. Rev. Lett. **82**, 1656 (1999). [CrossRef]

**8. **J.-M. Merolla, Y. Mazurenko, J.-P. Goedgebuer, L. Duraffourg, H. Porte, and W. T. Rhodes, “Quantum cryptographic device using single-photon phase modulation,” Phys. Rev. A: At. Mol. Opt. Phys. **60**, 1899 (1999). [CrossRef]

**9. **J.-M. Merolla, L. Duraffourg, J.-P. Goedgebuer, A. Soujaeff, F. Patois, and W. T. Rhodes, “Integrated quantum key distribution system using single sideband detection,” Eur. Phys. J. D **18**, 141–146 (2002). [CrossRef]

**10. **J. Mora, W. Amaya, A. Ruiz-Alba, A. Martinez, D. Calvo, V. Garcia Munoz, and J. Capmany, “Simultaneous transmission of 20x2 WDM/SCM-QKD and 4 bidirectional classical channels over a PON,” Opt. Express **20**, 16358–16365 (2012). [CrossRef]

**11. **O. Guerreau, F. J. Malassenet, S. W. McLaughlin, and J.-M. Merolla, “Quantum key distribution without a single-photon source using a strong reference,” IEEE Photonics Technol. Lett. **17**, 1755–1757 (2005). [CrossRef]

**12. **M. Koashi, “Unconditional security of coherent-state quantum key distribution with a strong phase-reference pulse,” Phys. Rev. Lett. **93**, 120501 (2004). [CrossRef] [PubMed]

**13. **K. Tamaki, N. Lütkenhaus, M. Koashi, and J. Batuwantudawe, “Unconditional security of the Bennett 1992 quantum-key-distribution scheme with a strong reference pulse,” Phys. Rev. A: At. Mol. Opt. Phys. **80**, 032302 (2009). [CrossRef]

**14. **A. V. Gleim, V. I. Egorov, Yu. V. Nazarov, S. V. Smirnov, V. V. Chistyakov, O. I. Bannik, A. A. Anisimov, S. M. Kynev, A. E. Ivanova, R. J. Collins, S. A. Kozlov, and G. S. Buller, “Secure polarization-independent subcarrier quantum key distribution in optical fiber channel using BB84 protocol with a strong reference,” Opt. Express **24**, 2619–2633 (2016). [CrossRef] [PubMed]

**15. **A. V. Gleim, V. V. Chistyakov, O. I. Bannik, V. I. Egorov, N. V. Buldakov, A. B. Vasilev, A. A. Gaidash, A. V. Kozubov, S. V. Smirnov, S. M. Kynev, S. E. Khoruzhnikov, S. A. Kozlov, and V. N. Vasilev, “Sideband quantum communication at 1 Mbit/s on a metropolitan area network,” J. Opt. Technol. **84**(6), 362–367 (2017). [CrossRef]

**16. **H.-K. Lo, M. Curty, and B. Qi, “Measurement-Device-Independent quantum key distribution,” Phys. Rev. Lett. **108**, 130503 (2012). [CrossRef] [PubMed]

**17. **H.-K. Lo, X. Ma, and K. Chen, “Decoy state quantum key distribution,” Phys. Rev. Lett. **94**, 230504 (2005). [CrossRef] [PubMed]

**18. **A. Gaidash, A. Kozubov, V. Egorov, and A. Gleim, “Implementation of decoy states in a subcarrier wave quantum key distribution system,” J. Phys. Conf. Ser. **741**, 012090 (2016). [CrossRef]

**19. **I. Devetak and A. Winter, “Distillation of secret key and entanglement from quantum states,” Proc. R. Soc. London, Ser. A **461**, 207–235 (2005). [CrossRef]

**20. **G. P. Miroshnichenko, A. D. Kiselev, A. I. Trifanov, and A. V. Gleim, “Algebraic approach to electro-optic modulation of light: Exactly solvable multimode quantum model,” J. Opt. Soc. Am. B: Opt. Phys. , **34**, pp. 1177–1190 (2017). [CrossRef]

**21. **A. Yariv and P. Yeh, *Optical Waves in Crystals* (Wiley, New-York, 1984).

**22. **A. S. Holevo, *Probabilistic and Statistical Aspects of Quantum Theory*, (North-Holland, Amsterdam, 1982).

**23. **P. W. Shor and J. Preskill, “Simple proof of security of the BB84 quantum key distribution protocol,” Phys. Rev. Lett. **85**, 441 (2000). [CrossRef] [PubMed]

**24. **T. M. Cover and J. A. Thomas, *Elements of Information Theory* (Wiley, New-York, 1991). [CrossRef]

**25. **D. A. Varshalovich, A. N. Moskalev, and V.K. Khersonsky, *Quantum Theory of Angular Momentum*, (World Scientific, Singapore, 1988). [CrossRef]

**26. **J. Capmany and C. R. Fernandez-Pousa, “Quantum model for electro-optical phase modulation,” J. Opt. Soc. Am. B: Opt. Phys. **27**, A119–A129 (2010). [CrossRef]

**27. **L. Mandel and E. Wolf, *Optical coherence and quantum optics*, (Cambridge University, 1995). [CrossRef]

**28. **D. B. Horoshko, V. N. Chizhevsky, and S. Ya. Kilin, “Afterpulsing model based on the quasi-continuous distribution of deep levels in single-photon avalanche diodes,” J. Mod. Opt. **64**, 191–195 (2017). [CrossRef]

**29. **N. J. Cerf, “Asymmetric quantum cloning in any dimension,” J. Mod. Opt. **47**, 187–2009 (2000). [CrossRef]

**30. **D. Horoshko, S. Kilin, and M. Kolobov, “Asymmetric universal entangling machine,” Opt. Spectrosc. **103**, 153–164 (2007). [CrossRef]

**31. **M. O. Scully and M. S. Zubairy, *Quantum Optics* (Cambridge University, 1997). [CrossRef]

**32. **A. N. Klimov, S. P. Kulik, S. N. Molotkov, and T. A. Potapova, “On a simple attack, limiting the range transmission of secret keys in a system of quantum cryptography based on coding in a sub-carrier frequency,” Laser Phys. Lett. **14**, 035201 (2017). [CrossRef]

**33. **D. B. Horoshko and S. Ya. Kilin, “Optimal dimensionality for quantum cryptography,” Opt. Spectrosc. **94**, 691–694 (2003). [CrossRef]

**34. **D. Bruss, “Optimal eavesdropping in quantum cryptography with six states,” Phys. Rev. Lett. **81**, 3018 (1998). [CrossRef]