Integrated Physical Layer Key Distribution by Optical Steganography in Quantum Noise Stream Cipher System


Abstract:

To counter heterodyne measurements, correlation attacks, and known plaintext attacks, seed key refresh is critical to the security of a quantum noise stream cipher system. Integrated key distribution is an important means to reduce the deployment cost, as key exchange and public transmission are performed over the same channel. In this paper, we propose a novel method for integrated key distribution by optical steganography based on dither-remodulation in a bias controller of the Mach-Zehnder modulator. No extra wavelength or bandwidth is used for the stealth channel, which is transmitted together within the public channel. The concealing depth of the stealth signal reaches −36.2 dB, and its steganographic effect provides additional security, which further improves the overall security of the optical physical layer. The bidirectional stealth transmission can support light-weight temporary key exchange mechanism, combined with asymmetric encryption algorithm, to achieve high security and forward/backward security of seed keys. We experimentally demonstrate a real-time integrated key distribution via optical steganography in a QNSC system. The experimental results show that a real-time bidirectional stealth link is established at a rate of 1 kbps in a fiber transmission distance of 97 km for a public QNSC transmission at a rate of 32 Gbps, providing a seed key refresh frequency of over 1 Hz.
Published in: IEEE Photonics Journal ( Volume: 16, Issue: 6, December 2024)
Article Sequence Number: 7900706
Date of Publication: 11 November 2024

CCBY - IEEE is not the copyright holder of this material. Please follow the instructions via https://creativecommons.org/licenses/by/4.0/ to obtain full-text articles and stipulations in the API documentation.
SECTION I.

Introduction

Physical layer security schemes are promising technologies against security threats for optical networks. So far, various optical physical security schemes have been proposed. Specifically, Quantum communication [1], [2] promises unconditional security in principle. Chaotic communication [3], [4] employs the complex dynamics of chaos to scramble the plaintext. Quantum Noise Stream Cipher (QNSC) [5], [6], [7], [8], [9], [10], [11], [12], works with inevitable quantum noise masking, which makes ciphertext signals difficult to be correctly decrypted by eavesdroppers. However, QNSC system requires a pre-shared seed key for basis generation, and the seed key refreshment is critical to the security of a quantum noise stream cipher system to counter malicious attacks [13], [14], [15], [16], [17], [18]. In the practical application of QNSC, it is necessary to address the issues of key generation, distribution, and stream cipher expansion. At the same time, the security of the key distribution channel itself is also important. Some studies have proposed to use artificial QNSC basis modification [19], [20], [21], [22] to achieve key distribution, yet it may lead to increased algorithm complexity and performance degradation of Q-factor, SNR or BER. Therefore, it is necessary to investigate a lightweight and compatible key distribution scheme for QNSC system.

On the other hand, optical steganography also plays an important role in secure communication, such as spectrum spreading and noise modulation [23], [24], [25], [26], [27], [28], [29]. Optical steganography focuses on hiding the clue of stealth data, therefore an intruder may not even notice the existence of stealth data. In our previous work [30], we proposed an optical steganography strategy based on dither-based bias remodulation of the Mach-Zehnder modulator (MZM), and the concealing depth of the stealth signal reaches −41 dB. In most bias control techniques for MZM, a small dither signal is used to measure the bias deviation, hence the existence of dither signal is not suspicious. It creates the stealth channel without modifying the existing optical communication framework, and no additional wavelength or bandwidth is required.

In this paper, we propose a novel method for integrated key distribution by optical steganography based on dither-remodulation for MZM. The bidirectional stealth transmission supports temporary key exchange mechanism, combined with an asymmetric encryption algorithm, to achieve high security and forward/backward security for seed keys distribution. We employ a light-weight variation of Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) protocol [31], [32], [33] to periodically generate and exchange the seed key. ECDHE enables asymmetric encryption using the Elliptic Curve Cryptography (ECC). Compared to RSA, another popular asymmetric cryptography, the ECC cryptography has the following advantages [34], [35], [36]: shorter key lengths for the same level of security, faster processing speed, smaller memory requirement, and lower power consumption. ECDHE is therefore more suitable for embedded system environments in physical layer transmission equipment. We then experimentally demonstrate a QNSC transmission system along with integrated key distribution and secure transmission. Optical steganography provides additional security due to its stealth characteristic. Furthermore, it reduces the overall cost due to the lightweight mechanism and provides good compatibility with the existing optical network architecture.

SECTION II.

Principle and Experimental Setup

We demonstrate an integrated key distribution scheme based on dither-remodulated stealth transmission in a 4-QAM(QPSK)/QNSC secure transmission system where QNSC serves as the public channel. The schematic diagram is illustrated in Fig. 1. A photograph of the experimental setup is presented in Fig. 2.

Fig. 1. Schematic diagram of integrated key distribution scheme based on dither-remodulated stealth transmission.

Fig. 2. The photo of the experimental setup.

In the transmitter, the QPSK modulation converts the binary plaintext to a QPSK constellation running at 16 Gbaud (32 Gbps). At the same time, the ChaCha20 stream cipher expands the 256-bit seed key to QNSC bases. The QNSC algorithm maps the QPSK constellation to a two-dimensional QNSC constellation using the generated bases. The above algorithms are implemented by an off-line Tx DSP in the experiment. Each QNSC I/Q data word is 10 bits wide, comprising a QPSK symbol of 1 bit per dimension and a QNSC basis of 9 bits. Therefore, a QPSK symbol of a 2 × 2 constellation is mapped to a QNSC symbol of a $2^{10} \times 2^{10}$ QAM constellation. In addition, the QNSC data is sent to an AWG for conversion to RF signals. The RF signals are amplified and fed to an IQ-MZM, and then converted to an optical signal.

Meanwhile, real-time stealth data is modulated onto the MZM bias dither and reflected in the optical signal by the bias controller. The stealth data operates at 1 kbps, the amplitudes of the dither signals are typically set to 100 mV, and the dither frequencies applied to the bias I and Q pins of the modulator are 7 kHz and 11.875 kHz, respectively. The stealth data comprises the exchanged key and nonce, 768 bits in total, so the stealth channel supports a real-time key refresh frequency above 1 Hz.

The output optical signals of the IQ MZM can be described as
\begin{equation*} E_o = \alpha E_i \left[ \cos\frac{\pi}{2}\left( \frac{V_{bias_I}}{V_{\pi bias_I}} + \frac{V_{RF_I}}{V_{\pi RF_I}} \right) + \cos\frac{\pi}{2}\left( \frac{V_{bias_Q}}{V_{\pi bias_Q}} + \frac{V_{RF_Q}}{V_{\pi RF_Q}} \right)\exp\left( j\pi\frac{V_{bias_P}}{V_{\pi_P}} \right) \right]. \tag{1} \end{equation*}

where $\alpha$ is the insertion loss of the modulator, $E_i$ is the Tx laser signal, $V_{RF_I}$ and $V_{RF_Q}$ represent the RF voltages for the RF I and Q ports respectively, $V_{\pi RF_I}$ and $V_{\pi RF_Q}$ are the half-wave voltages of the RF I and Q ports respectively, $V_{bias_I}$, $V_{bias_Q}$ and $V_{bias_P}$ represent the equivalent bias voltages for the bias I, Q and P ports respectively, and $V_{\pi bias_I}$, $V_{\pi bias_Q}$ and $V_{\pi_P}$ are the half-wave voltages of the bias I, Q and P ports respectively.

While the modulator is working around the optimum bias points ($V_{bias_I} \approx V_{\pi bias_I}$, $V_{bias_Q} \approx V_{\pi bias_Q}$, $2V_{bias_P} \approx V_{\pi_P}$), we apply the dither signals with angular frequencies of $\omega_{dI}$ and $\omega_{dQ}$ to the I and Q bias ports, respectively. The dither signals $D_I(t)$ and $D_Q(t)$ can be described as
\begin{equation*} D_k(t) = A_{di} B_{st}(t) \sin\omega_{dk}t, \quad (k = I, Q). \tag{2} \end{equation*}

where $A_{di}$ is the normalized amplitude of the dither signals relative to the half-wave voltage of the bias port, and $B_{st}(t)$ is the stealth data coded as unipolar Non-Return-to-Zero (NRZ) code, with values 0 and 1. $\sin\omega_{dI}t$ and $\sin\omega_{dQ}t$ are used as dither carriers for stealth modulation. Note that $B_{st}(t)$ is set to constant 1 when the stealth transmission is off. Now the bias voltages can be written as
\begin{equation*} \left\{ \begin{array}{l} V_{bias_k}(t) = V_{\pi bias_k}\left[ 1 + D_k(t) + e_k \right], \quad (k = I, Q) \\ V_{bias_P} = V_{\pi_P}\left( \frac{1}{2} + e_P \right) \end{array} \right. \tag{3} \end{equation*}

where $e_I$, $e_Q$ and $e_P$ are the relative deviation errors to the optimum bias points for the bias I, Q and P values, respectively.

The following conditions are met in a typical transmitter:

  1. $V_{\pi bias_I}$ and $V_{\pi bias_Q}$ of a commercial IQ MZM are typically 9 V.

  2. The amplitudes of the dither signals are typically set to 100 mV, giving $A_{di} \approx 0.011$.

  3. The bias deviation errors are at the level of 10 mV, giving $e_k \approx 0.0011$.

  4. The amplitudes of $V_{RF_I}$ and $V_{RF_Q}$ are normally set to $0.7V_{\pi RF_I}$ and $0.7V_{\pi RF_Q}$, respectively, to balance high linearity and high output power. Thus we can define the normalized RF amplitudes as $A_{RF} = A_{RF_I} = A_{RF_Q} \approx 0.7$, and the RF signals as $R_k(t) = A_{RF} B_k(t)$, where $B_I(t)$ and $B_Q(t)$ are the I and Q components of the public data symbols.

Consequently, (1) can be deduced as
\begin{equation*} E_o \approx -\alpha E_i \left\{ \left[ \frac{\pi}{2} D_I(t) \cos\frac{\pi}{2}R_I(t) + \sin\frac{\pi}{2}R_I(t) \right] + j\left[ \frac{\pi}{2} D_Q(t) \cos\frac{\pi}{2}R_Q(t) + \sin\frac{\pi}{2}R_Q(t) \right] \right\}. \tag{4} \end{equation*}

To evaluate the concealing depth of the stealth transmission simply, we first consider QPSK for public modulation. Since the values of $B_I(t)$ and $B_Q(t)$ are +1 and −1 for QPSK, the subitems in (4) can be reduced and defined as
\begin{equation*} \left\{ \begin{array}{l} \sin\frac{\pi}{2}R_k(t) = \sin\frac{\pi A_{RF}}{2} \cdot B_k(t) = r_1 B_k(t) \\ \cos\frac{\pi}{2}R_k(t) = \cos\frac{\pi A_{RF}}{2} = r_2 \end{array} \right. \tag{5} \end{equation*}

where $r_1 = \sin(\pi A_{RF}/2)$ can be defined as the modulation depth of the RF signals, and $r_2$ is defined as $r_2 = \cos(\pi A_{RF}/2)$.

Finally, (1) can be simplified as
\begin{equation*} E_o \approx -\alpha r_1 E_i \left\{ \left[ R_{di} B_{st}(t) \sin(\omega_{dI}t) + B_I(t) \right] + j \cdot \left[ R_{di} B_{st}(t) \sin(\omega_{dQ}t) + B_Q(t) \right] \right\}. \tag{6} \end{equation*}

where $R_{di} = \frac{\pi}{2} \cdot \frac{r_2 A_{di}}{r_1}$ is defined as the relative amplitude of the dither component to the RF component in the optical signal. It indicates that the dither and RF components are roughly additive.

We can define the stealth/public ratio (SPR) as the ratio of the signal power of the stealth dither signals to that of the public RF signals, which is given by $SPR(\log) = \frac{P(Stealth)}{P(Public)} = 20 \cdot \log_{10}(R_{di})$. For the stealth signal, the public signal acts essentially as wideband noise, thus the stealth SNR in the transmission channel is less than and close to SPR. The stealth SNR of the transmitter output can be given as
\begin{equation*} SNR_1 = \frac{P(Stealth)}{P(Public) + P(Noise)} \approx \frac{P(Stealth)}{P(Public)} = SPR. \tag{7} \end{equation*}

Then we can estimate that the concealing depth (stealth SNR in the public signal) in the public QPSK signal for a typical transmitter is $SNR_1 \approx SPR = 20 \cdot \log_{10}(R_{di}) \approx -41\,\text{dB}$.

When the number of digitized bits per dimension is $b$, the number of constellation points per dimension is $2^b$, and the I/Q coordinates of the constellation points are in the range of [−1, +1], the average power of the QAM signal can be derived as $P = \frac{2(2^{2b} - 1)}{3(2^b - 1)^2}$. For $2^1 \times 2^1$-QAM (QPSK), $P_1 = 2$. For QNSC of $2^{10} \times 2^{10}$-QAM, $P_{10} = 0.668$. Thus, the concealing depth of the stealth signal can be introduced as $SNR_{10} \approx SNR_1 + 10\log_{10}\left(\frac{P_1}{P_{10}}\right) \approx -36.2\,\text{dB}$ for the QNSC signal of $2^{10} \times 2^{10}$-QAM due to the reduced average power of the public signal.
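The concealing-depth budget above can be reproduced numerically. The following is an added example, not code from the paper: it evaluates $R_{di}$, $SNR_1$ and $SNR_{10}$ from the typical transmitter values listed in the text and cross-checks the closed-form QAM power against a direct enumeration of the constellation. The function names are hypothetical.

```python
import math


def concealing_depth_db(v_dither=0.1, v_pi_bias=9.0, a_rf=0.7):
    """SNR_1 ~= SPR = 20*log10(R_di) for a QPSK public signal, in dB."""
    a_di = v_dither / v_pi_bias                # normalized dither amplitude
    r1 = math.sin(math.pi * a_rf / 2)          # RF modulation depth, eq. (5)
    r2 = math.cos(math.pi * a_rf / 2)
    r_di = (math.pi / 2) * r2 * a_di / r1      # dither/RF amplitude ratio, eq. (6)
    return 20 * math.log10(r_di)


def qam_power_closed_form(b):
    """Average power of a 2^b x 2^b QAM with I/Q coordinates in [-1, +1]."""
    return 2 * (2 ** (2 * b) - 1) / (3 * (2 ** b - 1) ** 2)


def qam_power_enumerated(b):
    """Same quantity obtained by averaging x^2 over the evenly spaced levels."""
    n = 2 ** b
    levels = [-1 + 2 * i / (n - 1) for i in range(n)]
    per_dimension = sum(x * x for x in levels) / n
    return 2 * per_dimension                   # I and Q contribute equally


def qnsc_concealing_depth_db(b=10, **transmitter):
    """SNR_b ~= SNR_1 + 10*log10(P_1 / P_b): lower public power, shallower hiding."""
    snr1 = concealing_depth_db(**transmitter)
    ratio = qam_power_closed_form(1) / qam_power_closed_form(b)
    return snr1 + 10 * math.log10(ratio)


if __name__ == "__main__":
    print("QPSK concealing depth  : %.2f dB" % concealing_depth_db())
    print("P_10 (closed form)     : %.3f" % qam_power_closed_form(10))
    print("P_10 (enumerated)      : %.3f" % qam_power_enumerated(10))
    print("QNSC concealing depth  : %.2f dB" % qnsc_concealing_depth_db())
    # Effect of the dither amplitude on how deep the stealth signal is buried.
    for millivolts in (50, 100, 200):
        depth = qnsc_concealing_depth_db(v_dither=millivolts / 1000)
        print("dither %3d mV -> %.2f dB" % (millivolts, depth))
```
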

Next, the output optical signal of the MZM is sent to the standard single mode fiber (SSMF) as the transmission medium, and then the received optical signal is amplified by an Erbium-doped fiber amplifier (EDFA).

In the receiver, the received and amplified optical signal is split into two branches, one for off-line QNSC demodulation and another for the real-time stealth receiver. The first branch is fed to an Integrated Coherent Receiver (ICR) and then captured by an oscilloscope. The digitized signal is then processed by the Rx DSP with the following sequences: dispersion compensation, carrier recovery, QNSC de-mapping and QPSK demodulation. Meanwhile, the ChaCha20 algorithm expands the same seed key to QNSC bases for QNSC de-mapping.

Another branch is sent to a PD and a 20 MSa/s ADC for stealth receiving. Since the bandwidth of the second branch is low enough (<50 kHz) compared to the wide-band RF signals (>1 GHz), the RF signals could be considered as wideband white Gaussian noise. The input signal of PD can be written as
\begin{equation*} E_{PD} = \beta E_i \left[ \cos\frac{\pi}{2}\frac{V_{bias_I}}{V_{\pi bias_I}} + \cos\frac{\pi}{2}\frac{V_{bias_Q}}{V_{\pi bias_Q}} \exp\left( j\pi\frac{V_{bias_P}}{V_{\pi_P}} \right) \right]. \tag{8} \end{equation*}

where $\beta$ is the total loss of the modulator and the coupler. Subsequently, the output current of PD could be given by
\begin{equation*} I_{PD} \propto \left| E_{PD} \right|^2 \propto \left\{ \left[ D_I(t) + e_I \right]^2 + \left[ D_Q(t) + e_Q \right]^2 - 2\pi e_P \left[ D_I(t) + e_I \right]\left[ D_Q(t) + e_Q \right] \right\}. \tag{9} \end{equation*}

The AC component for $D_I(t)$ and $D_Q(t)$ in $I_{PD}$ can be extracted as
\begin{equation*} I_{PD_{AC}} \approx \left\{ \left[ D_I(t) \right]^2 + \left[ D_Q(t) \right]^2 - 2\pi e_P D_I(t) D_Q(t) + 2e_I D_I(t) + 2e_Q D_Q(t) \right\}. \tag{10} \end{equation*}

From (10), the stealth signals can be extracted for the subsequent data receiving. Note that the amplitudes of the fundamental dither components $D_I(t)$ and $D_Q(t)$ are scaled by the bias deviation errors $e_I$ and $e_Q$. Therefore, the stealth SNR in the receiver is affected by both the bias deviation errors and the link condition.

When QNSC is also implemented in real-time, the second branch is no longer necessary and the stealth receiver can be embedded in the FPGA shared by the public QNSC receiver. Furthermore, the stealth SNR is no longer affected by the bias errors from (4).

In the experiment, the bias controller, stealth transmitter, and stealth receiver run on a board that can be referred to as a stealth terminal, with a shared FPGA (Xilinx Kintex 7 XC7K325T). The bidirectional link is formed by the forward link and the reverse link. QNSC transmission is demonstrated in the forward link, while the reverse link is theoretically equivalent. Stealth transmission with the light-weight ECDHE key exchange protocol is fully implemented in the bidirectional link. The ECC encryption and decryption are performed in real time by PC software. The data flow of the protocol is shown in Fig. 3. At the beginning of each key exchange procedure, Alice and Bob individually generate a 256-bit private key and a 256-bit nonce, and perform ECC multiplication of their own private key and the ECC base point, generating two 512-bit public keys. The public key and nonce, 768 bits in total, are exchanged over the bidirectional stealth channel. After the exchange, Alice and Bob individually perform ECC multiplication of their own private key and the received public key to obtain the shared pre-master secret key. Finally, a pseudo random function (PRF) such as SHA3-256 is utilized to derive the seed key from the pre-master secret and the two nonces.

Fig. 3. The data flow for light-weight ECDHE key exchange protocol.

SECTION III.

Results and Discussion

We test the public SNR, public BER, stealth SNR, stealth eye diagram and QNSC detection failure probability (DFP) in various fiber lengths of 0 km (back-to-back), 20 km and 97 km. The public SNR and BER reflect the signal quality of decrypted QPSK signal. The stealth SNR and eye diagram show the signal quality of the demodulated stealth signal. DFP is defined as the probability of a QNSC constellation point being moved to a different constellation point, which is considered an error in such a condition.

Fig. 4 shows Bob's received public signals after dispersion compensation and carrier recovery for fiber lengths of 0 km, 20 km and 97 km. Fig. 4(a) illustrates the decrypted QPSK SNR, whose values are greater than 8 dB. Fig. 4(b) shows the decrypted QPSK BER. The BER results are less than 1e-2, which is below the limit of 3/4 Soft Defined Forward Error Correction (SD-FEC). Fig. 4(c)–(e) display the constellations of QNSC before de-mapping for fiber lengths of 0 km, 20 km and 97 km, respectively. Fig. 4(f)–(h) show the constellations of decrypted QPSK for various fiber lengths.

Fig. 4. The receiver performance of public channel for Bob. (a)–(b) The public QPSK SNR and BER after QNSC decryption. (c)–(e) The constellations of QNSC for various fiber lengths of 0 km, 20 km and 97 km, respectively. (f)–(h) The constellations of decrypted QPSK for various fiber lengths.

Fig. 5 shows Bob's received stealth signals after demodulation for various fiber lengths. Fig. 5(a) displays the demodulated stealth SNR in the receiver. The SNR values are above 24 dB, indicating that the demodulated stealth signals are of high quality. The SNR differences of 1 dB are caused by both the bias deviation errors and link condition. Fig. 5(b)–(d) show the stealth eye diagrams with good eye openings for various fiber lengths.

Fig. 5. The receiver performance of stealth channel for Bob. (a) The stealth SNR for various fiber lengths. (b)–(d) The stealth signal eye diagrams for various fiber lengths of 0 km, 20 km and 97 km, respectively.

Fig. 6 shows Eve's received public signals. Fig. 6(a) shows that the measured DFP values are very close to 1, indicating that Eve, with a wrong key, will not be able to recover any meaningful information. For the eavesdropper with a wrong seed key, the Rx QNSC bases cannot match the Tx bases, thus the public BER values are very close to 0.5, which means that no effective information has been recovered, as shown in Fig. 6(b). The decrypted constellations with a wrong key are shown in Fig. 6(c)–(e). Notably, there are no QPSK constellation points present.

Fig. 6. The receiver performance of public channel for Eve. (a) The DFP for QNSC. (b) The public QPSK BER after QNSC decryption with wrong seed key. (c)–(e) The constellations of decrypted QPSK with wrong seed key for various fiber lengths.

Screenshots of the real-time running software for the light-weight ECDHE key exchange protocol are shown in Fig. 7. Fig. 7(a) and (b) are the snapshots of the same cycle for Alice and Bob respectively. The software periodically generates ephemeral private keys and then performs elliptic curve multiplication to generate public keys. The public keys are exchanged between Alice and Bob through the bidirectional stealth channel. Then the received public keys are multiplied by the local private keys to obtain the shared pre-master secret and further generate the same ephemeral seed keys.

Fig. 7. The screenshots of real-time running software for the ECDHE key exchange. (a) The screenshot for Alice. (b) The screenshot for Bob.

SECTION IV.

Conclusion

We experimentally demonstrate physical layer integrated key distribution using optical steganography over a 97 km fiber length for a public QNSC transmission at a rate of 32 Gbps. The real-time bidirectional stealth data rate is 1 kbps, which supports 768-bit ephemeral key exchange with a seed key refresh frequency above 1 Hz. The concealing depth of the stealth signal reaches −36.2 dB. In the proposed scheme, the stealth transmission supports a data channel in the physical layer, provides enhanced security by its stealthy characteristic, and does not require any additional wavelength or bandwidth resources. Therefore, the stealth transmission for key exchange presents the following advantages: 1) the key exchange is achieved in the physical layer, no need for upper-level protocol participation, 2) the steganographic effect provides enhanced security, 3) the existing optical coherent system can be easily upgraded for higher security due to the full compatibility. In most key exchange applications, the public keys are exchanged between the terminals, thus a bidirectional link is required for complete security. The proposed scheme is suitable for most key exchange scenarios for higher security with asymmetric encryption and forward/backward security.
