## Abstract

The physical-layer security of a quantum-noise randomized cipher (QNRC) system is, for the first time, quantitatively evaluated with secrecy capacity employed as the performance metric. Considering quantum noise as a channel advantage for legitimate parties over eavesdroppers, the specific wire-tap models for both channels of the key and data are built with channel outputs yielded by quantum heterodyne measurement; the general expressions of secrecy capacities for both channels are derived, where the matching codes are proved to be uniformly distributed. The maximal achievable secrecy rate of the system is proposed, under which secrecy of both the key and data is guaranteed. The influences of various system parameters on secrecy capacities are assessed in detail. The results indicate that QNRC combined with proper channel codes is a promising framework of secure communication for long distance with high speed, which can be orders of magnitude higher than the perfect secrecy rates of other encryption systems. Even if the eavesdropper intercepts more signal power than the legitimate receiver, secure communication (up to Gb/s) can still be achievable. Moreover, the secrecy of running key is found to be the main constraint to the systemic maximal secrecy rate.

© 2017 Optical Society of America

## 1. Introduction

Despite its better security than copper-wired links and wireless communications in terms of no-leakage of electromagnetic radiation, optical fiber communication (OFC) is still vulnerable to various attacks [1, 2]. Meanwhile, conventional encryption based on computation complexity is under the threat of rapidly increasing computing power of modern computers [3]. Based on quantum mechanical principles, quantum key distribution (QKD) is an effective approach to solving the aforementioned problems [4], which combined with one-time pad (OTP) encryption can provide unconditional security theoretically. Unfortunately, the attainable key generation efficiency and transmission distance of QKD are quite limited (e.g., 2.38 Mbps, 70 km [5]).

Quantum-noise randomized cipher (QNRC) is an alternative quantum secure communication method [6], the well-known encryption protocol of which is Yuen 2000 (Y-00) [7]. Based on Heisenberg’s uncertainty principle, the intrinsic quantum noise protects both the data and the key from being intercepted by eavesdroppers. Since ciphertext is directly modulated onto the phase of mesoscopic coherent states, the Y-00 protocol is well compatible with the currently existing OFC infrastructure so that secure communication with high speed and long distance can be realized (e.g., 100 Gbit/s, 120 km [8]). Therefore, QNRC is an important direction for the practical application of high-speed quantum secure communication.

However, the security of Y-00 protocol hasn’t been proven perfectly in theory, which has been challenged in [9–11] with corresponding refutations in [12–14] by the inventors. The current security metrics of Y-00, like correct detection probability [15] and unicity distance [7], tend to be qualitative or merely focus on the eavesdropper. Ref. [16] has pointed out the applicability of wire-tap channel model [17] as the framework for consideration of Y-00 security of the key and developing secure instantiations. In the wire-tap channel theory, a well-developed theoretical system originated from Wyner [17], there exists a nonzero secrecy capacity, which is the information-theoretic limit of secure transmission rate. When the transmission rate is below the secrecy capacity, there exist certain proper channel codes making eavesdropper’s acquisition useless for the knowledge of source information. So far, some specific coding strategies for certain channel models are presented to achieve secrecy capacity [18], such as schemes based on low-density parity-check codes for binary erasure/symmetric channel [19] and polar codes for binary-input symmetric discrete channel [20]. In spite of no general coding schemes, it’s doubtless that secrecy capacity is an instructive metric of security and performance. By its very nature, it is the channel advantage of legal parties over eavesdroppers, which takes into consideration both the main channel and the wire-tap channel as a whole system. Fortunately, such advantages can be provided by Y-00 protocol from the physical layer. Therefore, it’s desirable to investigate the security of Y-00 by considering quantum noise as physical-layer superiority in the wire-tap channel model.

In this paper, we focus on the quantitative security analysis of the Y-00 protocol with secrecy capacity employed as the performance metric. It turns out that QNRC is of great potential for physical-layer security, and the investigation results may contribute to setting proper system parameters for security promotion. The rest of this paper is organized as follows. In Section 2, a brief overview about Y-00 quantum-encryption protocol is provided. In Section 3, we introduce the wire-tap models for both channels of the key and data in detail and characterize their secrecy capacities respectively. Furthermore, the maximal achievable secrecy rate of the system is proposed. In Section 4, comprehensive simulation results about the influences of key system parameters and in-depth discussion about their implications are presented. Finally, we summarize our main findings.

## 2. Overview of Y-00 protocol

The operation principle of Y-00 quantum-encryption protocol is reviewed as follows [7].

- (1) Legitimate communication parties, namely Alice and Bob, share a seed key $K^S$ that is absolutely safe, probably from QKD key pool.
- (2) With expansion function *ENC*(•) (e.g., linear feedback shift register or AES in stream cipher mode), *S*-bit *K* is extended into a running key *U* that is divided into *n* blocks subsequently: $ENC(K^S) = U^N = (u_1, u_2, \ldots, u_n)$. Each subkey *u* has *l* = *N*/*n* bits with $M_b = 2^l$ values at most.
- (3) *n*-bit data $X^n = (x_1, x_2, \cdots, x_n)$ will be encrypted by $U^N$ with each bit encrypted by *u*. The encryption mapping is

  *POL*(*u*) is 0 or 1 according to whether *u* is even or odd.
- (4) Ciphertext *m* is modulated into the phase of coherent states. Thus, the original quantum states are

  where *α* is the coherent-state amplitude. We can find that the data bits encoded in all neighboring states are antipodal, given that $M_b$ is odd.

  Note that $u_i$ determines the basis $\{|\alpha e^{i\theta_i}\rangle, |\alpha e^{i(\theta_i+\pi)}\rangle\}$, where $\theta_i = u_i\pi/M_b$; then $x_i$ is transmitted selecting one of them; and $M_b$ is called the number of bases.
- (5) Bob runs an identical *ENC*(•) function as Alice, so knowing the basis $u_i$, he only needs to distinguish $|\alpha e^{i\cdot 0}\rangle$ and $|\alpha e^{i\cdot\pi}\rangle$, the orthogonal states with |*α*| big enough (>>1).

On the other hand, the eavesdropper (named Eve) ignorant of the key has to discriminate $2M_b$ quantum states and tell the difference of neighboring states that is masked by unavoidable quantum noise. So the information Eve derives from the measurement is a seriously noisy version where key and data are both protected from the physical layer.

## 3. Wire-tap channel model and secrecy capacity for QNRC system

Three preconditions of our research are illustrated, as follows.

- (1) We consider the scenarios where the sample size of running key is bounded by $|U| \le 2^S$.
- (2) Besides unlimited computation power and memory capacity, we assume there are two kinds of wiretappers. The ordinary one can only intercept a small part of the signal from Alice. The other could get a nearly full copy of the signal without being detected. For example, Eve might replace ordinary fiber with ultra-low-loss fiber, so her interception could hide in the fiber loss.
- (3) We take no account of optical amplifiers that increase optical power but reduce SNR.

Figure 1 describes the situation of legal communication with an external eavesdropper. In order to obtain useful information, Eve has to intercept part of the signal from the main channel by fiber bending, beam splitting or other fiber-tapping methods. Suppose that Eve’s interception rate of received power is *r* and Bob takes a fraction *t*. Generally, *r* + *t* = 1.

Consider that Alice sends signals with initial amplitude *α* and the distances between Alice and Bob, and between Alice and Eve are $L_B$, $L_E$ respectively. Hence, the average number of photons arriving at Bob and Eve are

With the received quantum states, coherent heterodyne measurement is an indispensable step to obtain all bits of the output for each qumode [16, 21]. If the coherent state received is $|\varphi(m)\rangle = |\alpha_x e^{i\theta_m}\rangle$ $(\theta_m = \frac{m}{M_b}\pi)$, then (*r*, *θ*), the observed values of amplitude $|\alpha_x|$ and phase angle $\theta_m$, will be obtained from the constellation. With a shot noise variance $\sigma^2$ defined as unity, the probability density function in polar coordinates for a quantum heterodyne receiver is [21],

Based upon the two-tuples (*r*, *θ*), Eve needs to make a decision on the original state $|\varphi(m)\rangle$ and ciphertext *m*. According to the Bayes strategy, the polar coordinate plane should be divided into $M = 2M_b$ decision regions [21],

*m*'. Thus, the symbol transition probability of ciphertext in Eve’s wire-tap channel is

$\alpha_x = \alpha_E$ in $p(r, \theta | m)$.

With knowledge of the key *K* and *u*, however, Bob only needs to judge between $|\varphi(m)\rangle$ and $|\varphi(m+M_b)\rangle$, so that the coordinate plane needs to be divided into two parts, namely,

$\alpha_x = \alpha_B$ in $p(r, \theta | m)$.

On the basis of the fundamental channel built above, the wire-tap channel models for the secret key and data can be established concretely.

#### 3.1 Secret key part

The seed key is shared in advance between Alice and Bob. So is the extended key. However, the transmitted quantum state $|\varphi(m)\rangle$ still contains the information of the subkey *u*, which Eve can intercept so as to figure out the *K* in a further step. Hence, it’s necessary to analyze the security of running key in a wire-tap channel, as shown in Fig. 2.

We regard the running key *U* as the information source to be sent from Alice, which already has been known by Bob. In this sense, the main channel is always error-free. Actually such a decoder is non-existent. The wire-tap channel, by contrast, is noisy under heterodyne measurement with serious disturbance from quantum noise. In order to make the noisy running key totally useless for Eve, *U* is encoded into $U_c$ before selecting bases, and $U_c$ is then chopped into *n* subkeys to encrypt the corresponding data.

In fact the wire-tap channel above includes: mapping $u_{ci} \to m_i$, transmission $m_i \to \widehat{m}_i$ and inverse mapping $\widehat{m}_i \to \widehat{u}_{ci}$. Because different subkeys are applied in different coherent states transmitting separately, the channel is a discrete memoryless channel (DMC), that is,

Due to the mapping rule of encryption, for given $u_{ci}$ and $\widehat{u}_{ci}$, ciphertext equals only two values depending on the corresponding value of $x_i$. So,

We note that $m_{u_c} = u_c$, $\widehat{m}_{\widehat{u}_c} = \widehat{u}_c$ for simplicity. And it is provable that $P(\widehat{m}_{\widehat{u}_c} | m_{u_c}) = P(\widehat{m}_{\widehat{u}_c} + M_b | m_{u_c} + M_b)$ and $P(\widehat{m}_{\widehat{u}_c} | m_{u_c} + M_b) = P(\widehat{m}_{\widehat{u}_c} + M_b | m_{u_c})$. Accordingly, the transition probability of running key in wire-tap channel can be simplified as below.

An equivalent wire-tap channel model for the running key has been established, and according to Wyner’s theory [17], its secrecy capacity is

*I* denotes the mutual information, and *H* is the (conditional) entropy function.

We can find that the wire-tap channel with channel matrix $[P(\widehat{u}_c | u_c)]$ is a symmetric discrete channel. By using Lagrange multipliers technique and taking the channel characteristics into account, we derive that $H(u_c | \widehat{u}_c)$ is maximal when subkeys $u_c$ are uniformly distributed. Thus, it provides a normal demand for the encoding of *U*. Moreover, resorting to the symmetric discrete channel matrix and matching distribution of $u_c$, the applied $C_{Su}$ formula for calculation is given by

*i* can be arbitrary, and we take 0•log0 = 0 in this paper.

#### 3.2 Data bit part

Also, Eve can derive a noisy version of the original data from heterodyne measurement. Consequently, we study the physical-layer security of data *X* on the basis of wire-tap channel, as shown in Fig. 3.

Likewise, source $X^k = (x_1, x_2, \cdots, x_k)$ is encoded into $X_c^n = (x_{c1}, x_{c2}, \cdots, x_{cn})$ before encryption so as to make Eve’s measurement of data meaningless. Still, the wire-tap channel is noisy and output is $Z^n$. However, the main channel isn’t always noiseless any more, because SNR degrades after channel transmission. Output of main channel is $Y^n$. Since $X_c^n$ is encrypted bit by bit with subkeys from $U_c^n$, it’s easy to know that the main channel $X_c^n \to Y^n$ and wire-tap channel $X_c^n \to Z^n$ are both DMCs, i.e.,

$x_c$, $y$, $z$

(*a*) follows that the matrix $[P(\widehat{m}_E | m)]$ is also symmetric discrete, consisting of same elements in each row, and generally we take the row of $u_c = 0$. Similarly, (*b*) follows only probability items with $\widehat{u}_c = u_c$ exist, given that Bob knows running key, i.e., the basis level. Further, it’s not hard to prove both channels of data communication leading to Bob and Eve are binary symmetric channels (BSC). Their crossover probabilities, namely, the respective error rates, are

$u_c = 0 \sim M_b - 1$ and $M_b$ is odd for (c). Note that the transition probabilities in Eqs. (17) and (20) and (18) and (19) follow Eqs. (6) and (8) respectively.

The wire-tap channel model for data communication is clearly demonstrated above. The secrecy capacity of data is given by

(*d*) follows that $Y \to Z$ could be treated as another BSC, if error rates $P_{Be} \le P_{Ee}$, and the entropy of output of a BSC is not less than that of its input [22], i.e., $H(y) \le H(z)$. Further, the condition for equality is $P(x_c = 0) = P(x_c = 1) = 1/2$, which provides a normal demand for encoding *X*. On this condition, the final $C_{Sx}$ is given by

where $h(p) = -p\log_2 p - (1-p)\log_2(1-p)$, $0 \le p \le 1$. For further analysis, we express it as $C_{Sx} = [1 - h(P_{Be})] - [1 - h(P_{Ee})] = C_M - C_W$.

#### 3.3 Maximal achievable secrecy rate of the system

Now that the transmitted quantum states contain information of both the data and the key, we need to take their secrecy restrictions into consideration at the same time for strict security of the whole system. That is to say, $R_u \le C_{Su}$ and $R_x \le C_{Sx}$, where $R_u$, $R_x$ denote the respective rate. Meanwhile, each state $|\varphi(m)\rangle$ includes *l*-bit *u* and 1-bit *x*, which means $R_u = lR_x$. As a result, $C_{Su0} = C_{Su}/l$ can be regarded as the average secrecy capacity per bit of running key. We define the maximal achievable secrecy rate of the system as $R_S = \min\{C_{Sx}, C_{Su0}\}$.

In addition, since $K \to U \to U_c$ form a Markov-chain series channel, when Eve can acquire nothing about the running key (*U*), the initial key (*K*) will be even harder to reveal. Thus, transmission at rate up to $R_S$ is achievable with both key and data in perfect secrecy.

## 4. Results and discussion

The secrecy capacities derived above are dependent on key system parameters, such as the number of bases, the initial amplitude of coherent state, the signal transmission distances, the interception rate and so on. In this section, we focus on impacts of the parameters mentioned above. Moreover, comparison between $C_{Su}$ and $C_{Sx}$ is analyzed. We try to find some meaningful results to optimize those parameters for greater secrecy capacities.

#### 4.1 Secrecy capacity of running key

According to the formula (13), secrecy capacity of running key $C_{Su}$ is evaluated with regard to different parameters, as shown in Figs. 4-6. In Fig. 4, $C_{Su}$ is considered as a function of transmission distance between Alice and Eve ($L_E$), for the case of interception ratio *r* = {0.01, 0.1, 0.5, 1}, $M_b$ = 127, $|\alpha| = M_b/3\pi \approx 13.5$ and fiber loss coefficient with typical value $\mu$ = 0.2 dB/km. Evidently, secrecy capacity increases with $L_E$ and decreases as the interception ratio rises. When *r* is large, it’s difficult to reach the maximum. In order to obtain more information, smart wiretappers would choose to eavesdrop as close as possible to Alice ($L_E \to 0$) with *r* as large as possible. Though Eve is likely to be discovered as $r > 10^{-2}$ resulting in a noticeable power reduction, to maximize Eve’s ability and consider the worst situation, we still assume Eve with strongest ability can have a full copy of signal, implying *r* = *t* = 1.

In Fig. 5, we evaluate the impact of number of bases under smart Eve with strongest ability, that is, $|\alpha_E| = |\alpha|$. Specifically, we set $M_b = 2^l - 1$ for *l*-bit subkey. In fact, here $C_{Su}$ is normalized to $C_{Mu}$, capacity of the main channel with $C_{Mu} = \log_2 M_b$, and is approximately the average secrecy capacity per bit of subkey. As $M_b$ increases with the length of subkey, there are more state levels Eve has to discriminate with more difficulties. As a result, the phase difference between adjacent quantum states diminishes and Eve will surely make more mistakes, leading to a larger $C_{Su}$.

The difficulty is that Alice has to emit more photons in each coherent state so as to communicate reliably for longer distance. According to uncertainty principle, the more photons Eve receives, the smaller the uncertainty of signal phase will be, and smaller quantum phase noise results in more accurate detection leaking more information to Eve. Then, more bases in turn are needed to protect signal information from being intercepted. We observe that, when average number of photons $|\alpha|^2$ is large, the growth of $C_{Su}$ is too slow to reach the biggest value, i.e., $C_{Mu}$. For instance, to protect merely 25 photons on average (for |*α*| = 5) to 0.81$C_{Mu}$, about 1023 bases are needed. It’s extremely difficult to actualize perfect $C_{Su} = C_{Mu}$ in practically remote communication. Therefore, we have to set the running key rate not exceeding $C_{Su}$ to ensure the security of key, together with proper encoding of *U*.

From the analyses above, we know coherent-state amplitude |*α*| is decisive to $\Delta\phi$, the quantum noise in phase detection, which quantitatively is $\Delta\phi = 1/\sqrt{\overline{N}} = 1/|\alpha|$, and the number of bases $M_b$ is to $\delta\phi$, the phase difference of adjacent quantum states, which is $\delta\phi = \pi/M_b$. In the physical nature, it’s only when $\Delta\phi$ masks $\delta\phi$ that secure QNRC becomes possible. Moreover, define the number of states masked by quantum noise as $N_\sigma = \frac{\Delta\phi}{\delta\phi} = \frac{M_b}{\pi|\alpha|}$.

Figure 6 shows the more states are masked, the better $C_{Su}$ (normalized to $C_{Mu}$) will be achieved for certain number of bases generally. And particularly, $C_{Su}$ increases most rapidly in the first division of $N_\sigma$, implying that more than 20 state levels need to be masked there to ensure $C_{Su}$ large enough, especially for large $M_b$. Normalized $C_{Su}$ will reduce when $M_b$ increases proportional to |*α*| with fixed $N_\sigma$. It means that $N_\sigma$ isn’t the only decisive factor of $C_{Su}$ per bit, which is more sensitive to the negative impact of |*α*| instead of the protection of $M_b$ with their proportion fixed.

#### 4.2 Secrecy capacity of data

According to Eq. (22), secrecy capacity of data $C_{Sx}$ is evaluated for different cases, as shown in Figs. 7-9. Therein, we regard Eve as a wiretapper smart enough to eavesdrop close to Alice ($L_E \to 0$).

We investigate $C_{Sx}$ versus the transmission distance between Alice and Bob ($L_B$), for the case of transmissivity *t* = {0.1, 0.3, 0.5, 0.99}, $M_b$ = 127, |*α*| = 13.5 and $\mu$ = 0.2 dB/km, in Fig. 7. $C_{Sx}$ decreases along with the growth of $L_B$ and reduction of *t*. In this case, however, $C_W$, the capacity of wire-tap channel, remains constant 0 irrelevant to $L_B$ or *t*, since $N_\sigma$ = 3 states are masked at source. It indicates Eve could derive nothing useful from her interception, as long as data is protected at source. Actually, the decrease of $C_{Sx}$ here results from the reduction of main channel capacity, $C_M$. After long distance transmission, the coherent states are pulled closer to the vacuum states, with the phase uncertainty so large that even Bob’s measurement is affected with errors. If $N_\sigma < 1$, nonzero $C_W$ shall decrease with $t = 1 - r$. Anyway, transmission distance unavailable for the honest parties is a relative advantage that Eve could utilize.

Next, we illustrate the influence of coherent-state amplitude. Figure 8 (a) and (b) plot $C_{Sx}$ versus |*α*| in the presence of eavesdroppers with normal ability (*r* = 0.01, *t* = 0.99) and strongest power (*r* = *t* = 1), respectively, at the length of 100 km. And Fig. 8 (c) and (d) plot the corresponding $C_W$ and $C_M$ versus $|\alpha|$ for further analysis. It’s obvious that the scenario with strongest Eve, which is the worst case, degenerates the security performance seriously. Taking $M_b$ = 15 as an example, $C_{Sx}$ in the case against normal Eve attains the maximum 1 with |*α*| ranging 41~45; in contrast, $C_{Sx}$ against the strongest Eve can only reach 0.24 at most with |*α*| = 10.
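The following sketch is an added example, not code from the paper: it evaluates the wire-tap model of Section 3 numerically at the settings discussed in Section 4. Because the loss, density and capacity equations are not reproduced on this page, the fiber-loss law, the circular Gaussian heterodyne noise with unit variance per quadrature, the row-entropy form of $C_{Su}$ and all function names are assumptions of this example.

```python
import math

SIGMA = 1.0  # assumption: noise std per quadrature (page: shot-noise variance = 1)


def h2(p):
    """Binary entropy h(p) in bits, taking 0*log2(0) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def received_amplitude(alpha, fraction, length_km, mu_db_per_km=0.2):
    """Assumed loss model: photons = fraction * |alpha|^2 * 10^(-mu*L/10)."""
    return alpha * math.sqrt(fraction * 10.0 ** (-mu_db_per_km * length_km / 10.0))


def phase_pdf(phi, amp):
    """Density of the measured phase offset phi at received amplitude amp.

    Assumed heterodyne model: outcome = amp + circular Gaussian noise with
    variance SIGMA^2 per quadrature; the radius is integrated out analytically.
    """
    a = amp * math.cos(phi) / SIGMA
    b = amp * math.sin(phi) / SIGMA
    floor = math.exp(-0.5 * (amp / SIGMA) ** 2) / (2.0 * math.pi)
    bulk = (a / math.sqrt(2.0 * math.pi)) * math.exp(-0.5 * b * b) \
        * 0.5 * math.erfc(-a / math.sqrt(2.0))
    return max(floor + bulk, 0.0)


def decision_probs(amp, m_b, steps=32):
    """P(Eve decides state k | state 0 sent) for k = 0 .. 2*M_b - 1.

    Eve picks the nearest of the 2*M_b phase states, so region k is the wedge
    of width pi/M_b centred on k*pi/M_b (integrated with the midpoint rule).
    """
    delta = math.pi / m_b
    step = delta / steps
    probs = []
    for k in range(2 * m_b):
        start = (k - 0.5) * delta
        probs.append(step * sum(phase_pdf(start + (j + 0.5) * step, amp)
                                for j in range(steps)))
    total = sum(probs)
    return [p / total for p in probs]


def eve_bit_error(amp_e, m_b):
    """P_Ee: neighbouring states carry opposite bits when M_b is odd, so Eve's
    bit is wrong exactly when her decided state is an odd number of steps off."""
    if m_b % 2 == 0:
        raise ValueError("M_b must be odd for neighbouring bits to be antipodal")
    return sum(decision_probs(amp_e, m_b)[1::2])


def bob_bit_error(amp_b):
    """P_Be: Bob knows the basis and only separates two antipodal states."""
    return 0.5 * math.erfc(amp_b / (SIGMA * math.sqrt(2.0)))


def data_secrecy_capacity(alpha, m_b, l_b_km, t=1.0, r=1.0, l_e_km=0.0):
    """C_Sx = C_M - C_W = h(P_Ee) - h(P_Be), floored at zero."""
    c_m = 1.0 - h2(bob_bit_error(received_amplitude(alpha, t, l_b_km)))
    c_w = 1.0 - h2(eve_bit_error(received_amplitude(alpha, r, l_e_km), m_b))
    return max(c_m - c_w, 0.0)


def key_secrecy_capacity(alpha, m_b, r=1.0, l_e_km=0.0):
    """C_Su, taken here (assumption) as H(u_c | u_c_hat) for uniform subkeys over
    an error-free main channel, i.e. the entropy of one row of the symmetric
    channel matrix. States k and k + M_b share a basis, so they are merged."""
    p = decision_probs(received_amplitude(alpha, r, l_e_km), m_b)
    row = [p[j] + p[j + m_b] for j in range(m_b)]
    return -sum(q * math.log2(q) for q in row if q > 0.0)


def system_secrecy_rate(alpha, m_b, l_b_km, t=1.0, r=1.0, l_e_km=0.0):
    """R_S = min{C_Sx, C_Su0} with C_Su0 = C_Su / l and M_b = 2^l - 1."""
    l_bits = m_b.bit_length()
    return min(data_secrecy_capacity(alpha, m_b, l_b_km, t, r, l_e_km),
               key_secrecy_capacity(alpha, m_b, r, l_e_km) / l_bits)


def masked_states(alpha, m_b):
    """N_sigma = M_b / (pi * |alpha|), the number of noise-masked states."""
    return m_b / (math.pi * abs(alpha))


if __name__ == "__main__":
    # Strongest Eve throughout: r = t = 1, tapping next to Alice (L_E -> 0).
    print("N_sigma   (M_b=127, |a|=13.5):", round(masked_states(13.5, 127), 2))
    print("C_W       (M_b=127, |a|=13.5):", round(max(0.0, 1 - h2(eve_bit_error(13.5, 127))), 6))
    print("C_Sx      (M_b=15, |a|=10, 100 km):", round(data_secrecy_capacity(10, 15, 100), 3))
    print("C_Su/C_Mu (M_b=1023, |a|=5):", round(key_secrecy_capacity(5, 1023) / math.log2(1023), 3))
    print("R_S       (M_b=127, |a|=80, 200 km):", round(system_secrecy_rate(80, 127, 200), 3))
```

Under these assumptions the functions give $C_W \approx 0$ at $M_b$ = 127, |*α*| = 13.5, about 0.24 for $C_{Sx}$ at $M_b$ = 15, |*α*| = 10 over 100 km, and about 0.81$C_{Mu}$ for 1023 bases at |*α*| = 5, close to the figures quoted in the text.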

Curves in both Fig. 8(a) and 8(b) show the trend that increases in the beginning, keeps the peak value at some point or for an interval in the middle and then decreases. According to Fig. 8(c) and 8(d), we can make an explanation correspondingly. We note that $C_M$, which increases from the very beginning, is related to |*α*| but irrelevant to $M_b$. $C_W$, by contrast, starts rising only when the signal is intense enough to overcome the disturbance of $\Delta\phi$. In other words, as |*α*| is small, $C_W = 0$ or its increment speed is slower than $C_M$. Thus, $C_{Sx} = C_M - C_W$ keeps increasing up to the maximum before $C_W$ increases faster than $C_M$. If $C_{Sx}$ saturates before $C_W$ starts increasing for certain interval, there will be a corresponding interval where $C_{Sx}$ holds the peak value.

From the analyses above, we infer that to achieve the maximal $C_{Sx}$, |*α*| is supposed to satisfy the constraint given below,

$\alpha_B$, $\alpha_E$ are from Eq. (3) and $\alpha_{B0}$ corresponds to the minimum of average number of photons for correct heterodyne detection in PSK scheme. Typically, to ensure $P_{Be} \approx 10^{-9}$, $|\alpha_{B0}|^2 \approx 18$ at least. The second inequality ensures that accurate measurement is impossible for Eve. The final in Eq. (24) is of significance to set proper values of $|\alpha|$ and $M_b$ to maximize $C_{Sx}$, for given length from Alice to Bob. The intervals meeting the inequality conform to Fig. 8(a), 8(c) and 8(b) for $M_b$ = 255, approximately. Otherwise, for given $L_B$ and $M_b$, if the interval meeting the inequality doesn’t exist, $C_{Sx}$ will not achieve the theoretical maximum 1, as shown in Fig. 8(b), 8(d) for $M_b$ = {15, 31, 63}.

Further, according to in Eq. (24), as $L_B$ is quite long, $M_b$ needs to be sufficiently large against the strongest Eve. For instance, as $L_B$ = 300 km, $M_b$ needs to be more than $10^4$, of which the realization is quite a trouble. We suggest designing the parameters for secure QNRC based on different requirements of security. For those vital communication applications requiring absolute safety, we adopt the conservative designing strategy, imagining Eve most powerful and taking *r* = 1; while in ordinary scenarios with general demands for security, designing against Eve with normal ability (i.e., *r* = 0.01) is safe enough, and it’s easier to be realized.

Similarly, we study the impact of $N_\sigma$, the number of states masked by quantum noise, on data secrecy capacity in Fig. 9. Here consider Eve as an optimal wiretapper. The variation trend of $C_{Sx}$ also includes rising, holding or not, and dropping. We observe that for given $M_b$, it is unnecessary or harmful to set $N_\sigma$ to too big a value, and some value of $N_\sigma \le 1$ is sufficient to attain the maximum of $C_{Sx}$. Moreover, as $N_\sigma$ keeps constant, $C_{Sx}$ is much larger with more bases, implying the protection of $M_b$ prevails over the negative impact of |*α*| in data communication part when they increase proportionally. In comparison, normalized $C_{Su}$ in Fig. 6 reaches the maximum with much higher $N_\sigma$. Though the data are indeed protected as long as the adjacent quantum states are masked by quantum noise, the states within the standard deviation of phase uncertainty are likely to have several bits in common, which reveals partial information of the key to Eve. Therefore, it’s harder for the running key to be completely secure by contrast with data on equal conditions. An effective way to improve security of the key is devising more disordered mappers.

#### 4.3 Comparison between C_{Su} and C_{Sx}

According to Eq. (23), the comparison between $C_{Sx}$ and $C_{Su0}$ for different cases is shown in Fig. 10. In particular, the strict maximal secrecy rate $R_S$ is pointed out. Generally, $C_{Sx} < C_{Su0}$ as |*α*| is small, implying $R_S$ is limited to $C_{Sx}$ there; when |*α*| becomes large enough, $C_{Sx} > C_{Su0}$, during which time $C_{Su0}$ is the restriction of $R_S$. From the practical viewpoint, the region limited to $C_{Su0}$ with larger |*α*| is of more significance. Although the peak value of $R_S$ moves higher with bigger $M_b$, the great gain in $C_{Sx}$ doesn’t make much difference, unfortunately. Therefore, more attention should be paid to the restriction from $C_{Su0}$, and improving the secrecy of running key is the key point to achieve a strict maximal secrecy rate much higher.

Meanwhile, Fig. 10(d)-10(f) indicate that $R_S$ and $C_{Sx}$ degrade drastically with long distance transmission, where much more bases are needed. However, even for transmission of 200 km with merely 127 bases against the optimal Eve, we can still obtain a maximal secrecy rate up to $R_S$ = 0.16, i.e., 16% of the maximal transmission bit rate of the main channel. If capacity of the main channel is $C_{Mt}$ = 100 Gb/s as reported in [8], secure bit rate on the scale of Gb/s can be yielded with both the key and data in perfect secrecy. We remark here that the framework of QNRC + QKD combined with Wyner’s theory can achieve perfectly secure bit rate orders of magnitude higher than that of OTP + QKD. It’s quite a promising direction of secure communication since $R_S$ can be greatly improved by increasing both $C_{Su0}$ and $C_{Mt}$.

## 5. Conclusion

The QNRC system with inevitable quantum noise suffered by eavesdroppers can provide a great channel advantage for the legal users, which shows a huge potential for the physical-layer security. This kind of security is quantitatively investigated with secrecy capacity as the performance metric for the first time. Moreover, considering the secrecy constraints of both the key and data, the maximal achievable secrecy rate of the system (i.e., $R_S$) is proposed. The results show that QNRC can potentially provide physical-layer security at data rates orders of magnitude higher than the perfect secrecy rate of QKD. Also, even if the eavesdropper intercepts much more signal power than the legitimate receiver, a considerable secrecy capacity can still exist. Furthermore, it is found that the secrecy capacity of running key per bit is the main constraint to $R_S$, which suggests the critical importance of improving the running key secrecy.

By analyzing the security of QNRC via taking both the legitimate and wire-tap channels into account as a whole system, we believe that these results can provide effective instructions for the system configuration according to specific security requirements. Moreover, the design of secure encoding schemes is a potential research area in the next step, where we have proved the matching codes must be uniformly distributed.

## Funding

National Natural Science Foundation of China (NSFC) (61475193 and 61504170); Natural Science Foundation of Jiangsu Province (BK20140069).

## References and links

**1.** K. Shaneman and S. Gray, “Optical network security: Technical analysis of fiber tapping mechanisms and methods for detection prevention,” in Proc. IEEE MILCOM (IEEE, 2004), pp. 711–716.

**2.** K. Guan, A. Tulino, P. Winzer, and E. Soljanin, “Secrecy capacities in space-division multiplexed fiber optic communication systems,” IEEE T Inf. Foren. Sec **10**(7), 1325–1335 (2015).

**3.** P. W. Shor, “Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer,” SIAM J. Comput. **26**(5), 1484–1509 (1997).

**4.** V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, “The security of practical quantum key distribution,” Rev. Mod. Phys. **81**(3), 1301–1350 (2009).

**5.** K. Patel, J. Dynes, M. Lucamarini, I. Choi, A. Sharpe, Z. L. Yuan, R. Penty, and A. Shields, “Quantum key distribution for 10 Gb/s dense wavelength division multiplexing networks,” Appl. Phys. Lett. **104**(5), 051123 (2014).

**6.** G. S. Kanter, D. Reilly, and N. Smith, “Practical physical-layer encryption: The marriage of optical noise with traditional cryptography,” IEEE Commun. Mag. **47**(11), 74–81 (2009).

**7.** R. Nair, H. P. Yuen, E. Corndorf, T. Eguchi, and P. Kumar, “Quantum-noise randomized ciphers,” Phys. Rev. A **74**(5), 052309 (2006).

**8.** F. Futami and O. Hirota, “100 Gbit/s (10 x 10 Gbit/s) Y-00 cipher transmission over 120 km for secure optical communication between data centers,” in *Proc. OECC/ACOFT 2014*, pp. 4–6.

**9.** T. Nishioka, T. Hasegawa, H. Ishizuka, K. Imafuku, and H. Imai, “How much security does Y-00 protocol provide us?” Phys. Lett. A **327**(1), 28–32 (2004).

**10.** T. Nishioka, T. Hasegawa, H. Ishizuka, K. Imafuku, and H. Imai, “Reply to: Comment on: How much security does Y-00 protocol provide us?” Phys. Lett. A **346**(1–3), 7–16 (2005).

**11.** Z. L. Yuan and A. J. Shields, “Comment on “Secure Communication using Mesoscopic coherent states”,” Phys. Rev. Lett. **94**(4), 048901 (2005).

**12.** H. P. Yuen, P. Kumar, E. Corndorf, and R. Nair, “Comment on: How much security does Y-00 protocol provide us?” Phys. Lett. A **346**(1–3), 1–6 (2005).

**13.** R. Nair, H. P. Yuen, E. Corndorf, and P. Kumar, “Reply to: Reply to: Comment on: How much security does Y-00 protocol provide us?” arXiv preprint quant-ph/0509092.

**14.** H. Yuen, E. Corndorf, G. Barbosa, and P. Kumar, “Reply to Comment on Secure Communication using mesoscopic coherent states,” Phys. Rev. Lett. **94**(4), 048902 (2005).

**15.** O. Hirota, “Practical security analysis of a quantum stream cipher by the Yuen 2000 protocol,” Phys. Rev. A **76**(3), 032307 (2007).

**16.** M. J. Mihaljević, “Generic framework for the secure Yuen 2000 quantum-encryption protocol employing the wire-tap channel approach,” Phys. Rev. A **75**(5), 052334 (2007).

**17.** A. D. Wyner, “The wire-tap channel,” Bell Syst. Tech. J. **54**(8), 1355–1387 (1975).

**18.** W. K. Harrison, J. Almeida, M. R. Bloch, S. W. McLaughlin, and J. Barros, “Coding for secrecy: an overview of error-control coding techniques for physical-layer security,” IEEE Signal Process. Mag. **30**(5), 41–50 (2013).

**19.** A. Thangaraj, D. Dihidar, A. R. Calderbank, S. W. McLaughlin, and J. M. Merolla, “Applications of LDPC codes to the wiretap channel,” IEEE Trans. Inf. Theory **53**(8), 2933–2945 (2007).

**20.** H. Mahdavifar and A. Vardy, “Achieving the secrecy capacity of wiretap channels using polar codes,” IEEE Trans. Inf. Theory **57**(10), 6428–6443 (2011).

**21.** S. Donnet, A. Thangaraj, M. Bloch, J. Cussey, J. M. Merolla, and L. Larger, “Security of Y-00 under heterodyne measurement and fast correlation attack,” Phys. Lett. A **356**(6), 406–410 (2006).

**22.** A. D. Wyner and J. Ziv, “A theorem on the entropy of certain binary sequences and applications: part I,” IEEE Trans. Inf. Theory **IT-19**(6), 769–772 (1973).