Security Analysis of Continuous-Variable Measurement-Device-Independent Quantum Key Distribution Systems in Complex Communication Environments

Continuous-variable measure-device-independent quantum key distribution (CV-MDI QKD) is proposed to remove all imperfections originating from detection. However, there are still some inevitable imperfections in a practical CV-MDI QKD system. For example, the channel transmittance fluctuates in complex communication environments, whereas in theory the transmittance is regarded as a fixed value related to communication distance. Here we investigate the security of the system under the effects of the fluctuating channel transmittance. We first discuss parameter estimation in fluctuating channel transmittance based on the established channel models, which shows an obvious deviation from the parameters estimated in the ideal case. Then, we show the evaluated results when the channel transmittance respectively obeys the two-point distribution and the uniform distribution. In particular, the two distributions can be easily realized under the manipulation of eavesdroppers. Finally, we analyze the secret key rate of the system when the channel transmittance obeys the above distributions. The simulation analysis indicates that a slight fluctuation of the channel transmittance may seriously reduce the performance of the system, especially in the extreme asymmetric case. Furthermore, the communication between Alice, Bob and Charlie may be immediately interrupted. Therefore, eavesdroppers can manipulate the channel transmittance to carry out a denial-of-service attack in a practical CV-MDI QKD system. To resist this attack, the Gaussian post-selection method can be exploited to calibrate the parameter estimation and reduce the deterioration of the system's performance.


Introduction
Quantum key distribution (QKD) offers an unconditionally secure communication scheme to establish secret keys between the sender Alice and the receiver Bob through an insecure quantum channel in the presence of potential eavesdropper Eve, where the two remote partners are authenticated [1][2][3][4][5]. The security of the scheme is guaranteed by the basic laws of quantum mechanics [6][7][8]. At present, there are two kinds of QKD protocols: discrete-variable quantum key distribution (DVQKD) and continuous-variable quantum key distribution (CVQKD). In particular, CVQKD scheme based on the Gaussian-modulated coherent states (GMCS) can be well compatible with the classical optical communication systems, which has been fully proven to be secure against general attacks (e.g., the collective and coherent attacks) based on some ideal assumptions [8][9][10][11][12]. It has been experimentally implemented by many research groups in laboratories and in field environments [13][14][15][16][17][18]. In addition, the system has also been optimized by researchers from different aspects [19][20][21][22][23][24][25]. However, practical security problems seriously hinder the commercial development of CVQKD, where this obstacle is caused by the security loopholes opened by the gaps between the theoretical model and the practical system because the behavior of real devices typically deviates from that considered in the security proofs [26,27]. This problem also limits the application of DVQKD, which has been investigated by many researchers [28][29][30].
In a practical CVQKD system, Eve can exploit the above imperfections to successfully obtain secret key information without being detected, which is an effective quantum hacking strategy. For example, Eve can control the transmitted local oscillator (LO) to perform the LO fluctuation attack [31], LO calibration attack [32], and wavelength attack [33,34]. In addition, the imperfect linearity of homodyne detector can be exploited by Eve to launch saturation attack [35] and homodyne detector blinding attack [36]. Apart from this, laser damage attack against optical attenuator and laser seeding attack in light source have been proposed [37][38][39][40][41][42]. The security loopholes involved by these attacks can be closed by the corresponding countermeasures, which makes the system complicated. Moreover, there are some unknown attacks in practical CVQKD systems, which cannot be effectively resisted by the above schemes. Therefore, the researchers propose the continuous-variable measure-device-independent quantum key distribution (CV-MDI QKD) protocol to close all loopholes opened by imperfect detection [43][44][45][46][47][48][49][50][51][52][53]. In CV-MDI QKD, the measurement is performed by an untrusted third party, which is immune to all quantum hacking on detection. The research of CV-MDI QKD can promote the application of CVQKD.
According to the framework of CV-MDI QKD, the source and channel become the final battlefield between the authorized communication parties and Eve. Recently, the imperfections on source in practical CV-MDI QKD systems have been gradually researched [54][55][56]. In particular, the channel transmittance in the theoretical model is considered to be a fixed value, which can be acquired based on the communication distance. However, practical communication environments are complex, which may result in a time-varying transmittance. In this work, we investigate the effects of the fluctuating channel transmittance on the security of practical CV-MDI QKD systems. Specifically, CV-MDI QKD in fluctuating channel transmittance is first described. Based on the model, we then show the difference in parameter estimation between this case and the stable channel case. To clearly quantify this difference, we discuss the specific parameter estimation when the channel transmittance respectively obeys the two-point distribution and the uniform distribution. Here, Eve can easily manipulate the channel to make the transmittance obey the above distributions. Subsequently, we analyze the secret key rate of the system based on the estimated parameters in different channel distributions. We observe that the fluctuating channel transmittance makes the performance of the system deteriorate obviously, which may interrupt communication. This impact is even greater in the extreme asymmetric case. These analyses indicate that the channel transmittance can be easily manipulated by Eve to launch a denial-service attack in a practical CV-MDI QKD system, which is different from the quantum hacking attacks originating from security loopholes. Finally, the Gaussian post-selection technology can be exploited to calibrate the estimated parameters to prevent this attack.
The paper is organized as follows. In Section 2, parameter estimation in complex communication environments is shown for a practical CV-MDI QKD system, where two theoretical channel models are established. Then, based on these models, we analyze in Section 3 the security of the system in the fluctuating channel transmittance when the channel transmittance respectively obeys the two-point distribution and the uniform distribution. Finally, conclusions are presented in Section 4.
Figure 1 shows the entanglement-based (EB) model of a GMCS CV-MDI-QKD protocol, which is fully equivalent to the standard prepare and measure (PM) model [45,46]. It is important to note that this equivalence is the core of security proofs for GMCS CVQKD protocols. In the EB model, one two-mode squeezed state with variance $V_A + 1$ ($V_B + 1$) is first prepared by Alice (Bob), where the mode $A_1$ ($B_1$) is measured by a heterodyne detector and the other mode $A_2$ ($B_2$) is sent to an unauthenticated third party, Charlie, through the quantum channel. The channel distance between Alice (Bob) and Charlie is $L_{AC}$ ($L_{BC}$), and the total transmission distance $L_{AB}$ should be $L_{AC} + L_{BC}$. Subsequently, Charlie interferes the received modes A and B at a beam splitter (BS) and obtains two output modes C and D. Then, two homodyne detectors are exploited by Charlie to measure the quadrature variable $x_C$ of mode C and the quadrature variable $p_D$ of mode D, and the detection results $x_C$, $p_D$ are immediately announced through a public channel. Finally, the mode $B_1$ is modified by Bob through the displacement operation $D(\beta)$. Here $\beta = g_m(x_C + i p_D)$, and $g_m$ indicates the gain of the displacement operation. It is believed that the modes $A_1$ and $B_1$ become entangled after these steps. Therefore, Alice and Bob will share a group correlated vectors

Channel Models and Parameter Estimation in Complex Communication Environments
These data can be used to estimate the channel transmittance $T_{AC}$ ($T_{BC}$) and the excess noise $\varepsilon_{AC}$ ($\varepsilon_{BC}$). In addition, key reconciliation and privacy amplification are exploited to further guarantee the security of the system. Here, the channel transmittances $T_{AC}$ and $T_{BC}$ are modeled to obey a certain distribution, which may be easily controlled by Eve.
According to the above analysis, there are two quantum channels in a practical CV-MDI-QKD system, i.e., $C_{AC}$ and $C_{BC}$, which are assumed to be a normal linear model with the following relations: , $z_{AC}$ and $z_{BC}$ indicate the total noises in the aforementioned quantum channels. Here, $z_{AC}$ and $z_{BC}$ respectively obey two centered normal distributions with variance $\sigma_{AC}^2 = T_{AC}\xi_{AC} + N_0$ and and $N_0$ is the shot-noise variance. Therefore, $t_{AC}$ and $\sigma_{AC}^2$ can be calculated as It is no doubt that $t_{AC}$ and $\sigma_{AC}^2$ can also be acquired using $p_A$ and $p_A$. In addition, $t_{BC}$ and $\sigma_{BC}^2$ can be similarly calculated. In the following analysis, we only discuss the relevant calculation about channel $C_{AC}$. Based on the Eqs. (1) and (2), $T_{AC}$ and $\varepsilon_{AC}$ can be expressed by In security proofs, the channel transmittance is assumed to be stable. Therefore, it is reasonably regarded as a fixed value related to transmission distance. However, practical communication environments are complex, which may result in a time-varying transmittance. In particular, the potential Eve may control the channel transmittance. To analyze the effects of the deviation, based on the phase space, $x_A$ and $x_A$ can be written as where $|\alpha_A|$ is the amplitude of the coherent states prepared by Alice, $\theta_A$ is the phase of these states, and $\Delta\varphi$ is the phase shift caused by complex channel environments. In particular, $x_{\varepsilon_{AC}}$ and $x_{N_0}$ are the additional values of the quadrature variable $x_A$, which are caused by the channel excess noise $\varepsilon_{AC}$ and shot-noise $N_0$, respectively. We can further obtain where $V_{x_A} = V_A N_0$, and $V_A$ is the modulation variance at Alice's side. It is important to note that $T_{AC}$, $|\alpha_A| \cos\theta_A$, $N_0$ and $\xi_{AC}$ are totally independent. In addition, it is reasonable that $\Delta\varphi$ is approximated to zero in the above analyses, because the phase noise can be extremely constrained by the high-precision phase compensation technique.
Eventually, based on Equations (3) and (5), the estimated channel parameters $\hat{T}_{AC}$ and $\hat{\varepsilon}_{AC}$ in fluctuating channel transmittance should satisfy Similarly, the estimated channel parameters $\hat{T}_{BC}$ and $\hat{\varepsilon}_{BC}$ in fluctuating channel transmittance also obey the above relations. There are some clear deviations between the estimated channel parameters in fluctuating channel transmittance and the ideal values, which are closely related to the distribution of the fluctuating channel transmittance. Therefore, we need to quantify the distribution to analyze the effects of the fluctuating channel transmittance. However, the channel transmittance may irregularly change, which cannot be described using a specific formula. In particular, Eve may actively control the channel to disturb the transmittance. According to Ref. [57], the channel transmittance may be easily manipulated by Eve to obey the two-point distribution or the uniform distribution. Then, we discuss the estimated channel parameters when the channel transmittance obeys the two distributions.
Figure 2 describes the probability density function when the channel transmittance obeys the two-point distribution, where the channel transmittance can vary between 0 and $T_0$ under the control of Eve. Therefore, $T_{AC}/T_0 \sim (1, P)$, where $T_0 = 10^{-0.02 L_{AC}}$ represents the ideal channel transmittance and $L_{AC}$ is the transmission distance between Alice and Charlie. Correspondingly, we can obtain $E(T_{AC}) = P T_0$, $E(\sqrt{T_{AC}}) = P\sqrt{T_0}$. Eventually, based on Equation (6), the channel parameters can be evaluated as where $P$ is the probability that the channel transmittance $T_{AC}$ equals $T_0$, $\varepsilon_{AC}$ is the true channel excess noise, and the number 1 indicates the two-point distribution. It is no doubt that the estimated channel parameters $\hat{T}_{BC,1}$ and $\hat{\varepsilon}_{BC,1}$ also satisfy Equation (7).
Figure 3 shows the probability density function of the channel transmittance when it obeys the uniform distribution.
Here, $T_{AC}$ is a uniformly distributed random number between $gT_0$ ($0 < g < 1$) and $T_0$, i.e., $T_{AC} \sim U(gT_0, T_0)$, where $T_0$ also represents the ideal channel transmittance. Therefore, $E(T_{AC})$ and $E(\sqrt{T_{AC}})$ can be calculated as According to Equations (6) and (8), the estimated values of the channel parameters can be expressed as where $\varepsilon_{AC}$ also represents the true excess noise, and the number 2 indicates the uniform distribution. Similarly, $\hat{T}_{BC,2}$ and $\hat{\varepsilon}_{BC,2}$ also obey Equation (9). In the following analysis, the two-point and uniform distributions are considered to be common channel distribution models to investigate the effects of the fluctuating channel transmittance. In addition, fiber dispersion and imperfect polarization compensation in a practical system may affect the accuracy of measurement, which makes the estimated channel parameters deviate from the practical values. Therefore, these imperfections can indirectly lead to the fluctuation of the channel transmittance. Here, this variation may not be regular, which makes it difficult to express by a mathematical formula. However, according to the above analysis, Eve may actively control the channel to disturb the communication environments. She can easily manipulate the channel to make it obey the above distributions. To facilitate security analysis, the two-point distribution and the uniform distribution can be considered to be common channel distribution models, which does not affect our conclusion.

Security Analysis
Secret key rate is a key parameter for the security and performance of a practical CV-MDI-QKD system. Here, we focus on the secret key rate of the system under one-mode collective Gaussian attack, where reverse reconciliation is performed by Bob. It is important to note that the one-mode attack is not the optimal strategy. At present, the two-mode attack has been proven to be optimal. To be specific, the correlated two-mode coherent Gaussian attack is performed on the two quantum channels, where the interactions of the two channels are used by Eve. However, in practical CV-MDI-QKD systems, the above correlation can become very weak when these channels come from different directions. Therefore, to facilitate analysis, the quantum channels of CV-MDI-QKD can be reduced to a one-mode channel, where the one-mode attack can be efficiently performed. In particular, this simplification does not affect the results of the analysis of this article.
According to Ref. [45], the CV-MDI-QKD protocols are equivalent to the one-way CVQKD schemes using coherent states and heterodyne detection when the EPR states prepared by Bob and the displacement operation are assumed to be untrusted, which indicates that the calculation of the secret key rate of CV-MDI-QKD is the same as for the standard one-way GMCS CVQKD. In the following analysis, the heterodyne detection is assumed to be perfect, and the finite-size effect is not considered. First, the Shannon mutual information between Alice and Bob can be calculated as [45,46,48] where Then, the covariance matrix Γ m AB between Alice and Bob can be written as where Here, In particular, k = 2V B T BC (V B +2) is adopted to minimize ε m . Based on this condition, we can obtain In the following simulation analysis, these above channel parameters should be replaced by the estimated values in Equations (7) or (9). Then, the Holevo bound can be calculated as Here, where Finally, the secret key rate of the system can be acquired as Based on Equations (7), (9)-(11) and (15)-(19), the secret key rate of a CV-MDI-QKD system can be analyzed when the channel transmittance obeys the two-point distribution or the uniform distribution.
Figure 4 describes the secret key rate versus transmission distance in the symmetric case when the channel transmittance obeys the two-point distribution. Here, the fixed parameters for the simulation are set as $\beta = 0.95$, $V_A = V_B = 40$, and $\varepsilon_{AC} = \varepsilon_{BC} = 0.05$. The simulation results show that the fluctuating channel makes the performance of the system deteriorate dramatically, where $P = 1$ represents the ideal case. It is important to note that even though the secure transmission distance is limited compared with a standard one-way CVQKD system, the demand for high-efficiency homodyne detection is removed.
Figure 5 reveals the secret key rate of the system as a function of the transmission distance from Alice to Bob in the extreme asymmetric case when the channel transmittance obeys the two-point distribution. The fixed parameters for simulation are the same as in the symmetric case. It is obvious that the performance of the system also deteriorates under the effects of the fluctuating channel transmittance. In particular, the deterioration in the extreme asymmetric case is even worse than in the symmetric case.
Figure 6 shows the secret key rate of the system versus transmission distance in the symmetric case when the channel transmittance obeys the uniform distribution, where $g$ reflects the degree of channel jitter. Here, the fixed simulation parameters remain unchanged. We observe that the deterioration of the performance of the system increases with the degree of channel jitter. Figure 7 depicts the secret key rate of the system as a function of the transmission distance from Alice to Bob in the extreme asymmetric case when the channel transmittance obeys the uniform distribution. The fixed parameters for simulation analysis also remain unchanged. It is clear that the dynamic trend of the performance of the system is consistent with the results shown in Figure 5.
The above simulation analyses indicate that the fluctuating channel transmittance may introduce an extra excess noise that can seriously deteriorate the performance of practical CV-MDI-QKD systems. Correspondingly, the communication service between Alice, Bob and Charlie may be interrupted. Therefore, in a practical CV-MDI QKD system, the potential Eve can launch a denial-service attack by manipulating the channel transmittance. To resist this attack, the Gaussian post-selection technology can be used to effectively improve the performance of the system. Specifically, Charlie first judges whether $x_A$ and $x_B$ follow the Gaussian distribution. If the channel transmittance is manipulated, the normal linear model of the channel is destroyed. Therefore, Charlie can then extract a set of (almost) Gaussian-distributed data among the raw measurement data to calibrate the estimated values of these channel parameters to improve the performance of the system [35,57]. For example, if the channel transmittance obeys the two-point distribution, Charlie can first filter out the data when the transmittance is zero, and then complete parameter estimation. If the channel transmittance obeys the uniform distribution, Charlie can extract a set of Gaussian-distributed data when the transmittance is the lower bound $gT_0$ to complete parameter estimation [57].
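The parameter-estimation deviation discussed in Section 2 and the Gaussianity check described above can be reproduced numerically; the following Monte Carlo sketch is an added example, not code from the paper. It assumes shot-noise units ($N_0 = 1$), $\xi_{AC} = \varepsilon_{AC} N_0$, $L_{AC} = 5$ km, $P = 0.9$ and $g = 0.5$ (constructed values; only $V_A = 40$ and $\varepsilon_{AC} = 0.05$ come from the text), and it derives the large-sample estimator values directly from the linear model rather than quoting the paper's numbered equations.

```python
import math
import random

N0 = 1.0  # shot-noise variance; all quantities in shot-noise units (assumption)

def simulate(draw_T, V_A, eps, n, rng):
    """Constructed data: x' = sqrt(T)*x + z with z ~ N(0, T*eps*N0 + N0)."""
    xs, ys = [], []
    for _ in range(n):
        T = draw_T(rng)
        x = rng.gauss(0.0, math.sqrt(V_A * N0))
        z = rng.gauss(0.0, math.sqrt(T * eps * N0 + N0))
        xs.append(x)
        ys.append(math.sqrt(T) * x + z)
    return xs, ys

def estimate(xs, ys):
    """Estimator that assumes a stable channel: least-squares slope and residual."""
    t = sum(x * y for x, y in zip(xs, ys)) / sum(x * x for x in xs)
    s2 = sum((y - t * x) ** 2 for x, y in zip(xs, ys)) / len(xs)
    T_hat = t * t
    return T_hat, (s2 - N0) / (T_hat * N0)

def predicted(E_T, E_sqrtT, V_A, eps):
    """Large-sample limit of estimate(), written with E(T) and E(sqrt(T))."""
    T_hat = E_sqrtT ** 2
    return T_hat, ((E_T - T_hat) * V_A + E_T * eps) / T_hat

def excess_kurtosis(v):
    """About 0 for Gaussian data; positive for a mixture of Gaussians."""
    n = len(v)
    m = sum(v) / n
    m2 = sum((a - m) ** 2 for a in v) / n
    m4 = sum((a - m) ** 4 for a in v) / n
    return m4 / (m2 * m2) - 3.0

def run(kind, L_AC=5.0, V_A=40.0, eps=0.05, P=0.9, g=0.5, n=200_000, seed=1):
    T0 = 10 ** (-0.02 * L_AC)  # ideal transmittance, as defined in the text
    if kind == "stable":
        draw, E_T, E_s = (lambda r: T0), T0, math.sqrt(T0)
    elif kind == "two-point":  # T = T0 with probability P, otherwise 0
        draw = lambda r: T0 if r.random() < P else 0.0
        E_T, E_s = P * T0, P * math.sqrt(T0)
    elif kind == "uniform":  # T ~ U(g*T0, T0)
        draw = lambda r: r.uniform(g * T0, T0)
        E_T = T0 * (1 + g) / 2
        E_s = (2 / 3) * math.sqrt(T0) * (1 - g ** 1.5) / (1 - g)
    else:
        raise ValueError(kind)
    xs, ys = simulate(draw, V_A, eps, n, random.Random(seed))
    T_hat, eps_hat = estimate(xs, ys)
    T_pred, eps_pred = predicted(E_T, E_s, V_A, eps)
    return {"T_hat": T_hat, "eps_hat": eps_hat, "T_pred": T_pred,
            "eps_pred": eps_pred, "kurtosis": excess_kurtosis(ys)}

if __name__ == "__main__":
    for kind in ("stable", "two-point", "uniform"):
        print(kind, {k: round(v, 3) for k, v in run(kind).items()})
```

With these values the stable-channel estimator reports an excess noise of about 4.5 (two-point) and 0.43 (uniform) against a true value of 0.05, and the two-point data shows an excess kurtosis near 0.3 while the stable channel stays near 0.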

Conclusions
We have investigated the security of a practical CV-MDI-QKD system under the effects of the fluctuating channel transmittance caused by complex communication environments. We first model the fluctuating channel transmittance based on the EB scheme, and reveal the deviation of parameter estimation between the fluctuating channel case and the ideal case. Furthermore, we show the parameter estimation when the channel transmittance respectively obeys the two-point distribution and the uniform distribution. Based on the estimated parameters, we analyze the practical performance of the system. We observe that there is an obvious decline in the performance of the system under the impact of the fluctuating channel transmittance, especially in the extreme asymmetric case. The simulation results indicate that the fluctuating channel transmittance can produce an extra excess noise that deteriorates the system performance, which may interrupt the communication service between Alice, Bob and Charlie. This impact is more profound in the extreme asymmetric case. Therefore, a denial-service attack can be launched by Eve through manipulating the channel transmittance. To prevent this attack, the Gaussian post-selection technology is exploited to improve the performance of the system.