## Abstract

We propose a new scheme for data encryption in the physical layer. Our scheme is based on the distribution of a broadband optical noise-like signal between Alice and Bob. The broadband signal is used for the establishment of a secret key that can be used for the secure transmission of information by using the one-time-pad method. We characterize the proposed scheme and study its applicability to the existing fiber-optics communications infrastructure.

©2008 Optical Society of America

## 1. Introduction

Optical encryption systems have attracted much interest lately. Unlike cryptosystems based on software techniques, their security does not rely only on computational complexity, but mostly on physical properties of the transmitted signal. Various schemes have been proposed and researched, covering a wide range of technologies and potential uses. Common to all these schemes is the requirement of properly constructed optical hardware in order to decipher encrypted messages. The architecture of the optical hardware can be referred to as “hard-key” while the setting of the adjustable parameters in the optical hardware can be referred to as “soft-key” so as to indicate that they can be changed dynamically in the process of operation. In order to provide secure communications, both keys are usually kept secret. Two approaches to physical layer encryption have attracted significant attention in recent years. One is based on the synchronization of two lasers operating in a chaotic regime [1],[2]. The other is based on optical code division multiple access (CDMA) [3],[4]. Each of these methods has its strengths and weaknesses. The chaotic laser scheme is fundamentally limited in data rate owing to the inherent time constants dictating laser dynamics. It typically has a small number of user adjustable parameters (low soft-key dimension) such that security relies almost entirely on the inability of an eavesdropper to obtain similar laser hardware (i.e. on the hard-key). Logistically, this can be a disadvantage, as security is controlled by the optical hardware manufacturer much more than it is controlled by the user. In the case of optical CDMA there are issues with the coexistence of multiple users and in some implementations, the simultaneous presence of many users is a prerequisite for secure transmission. In both of the above schemes the overall quality of communications is usually lower than what it could be in a well optimized, conventional, unencrypted system.

In this work we propose and characterize an alternative scheme for secure optical communications. With this scheme Alice and Bob receive identical replicas of a truly random broadband optical signal from which they both extract identical random binary sequences that they use as a secret key for encrypting and decrypting information. This scheme takes after the classic running-key cipher, in which a text, typically from a book, is used to provide a very long keystream [5]. The secrecy of the key established by Alice and Bob is provided by identical optical scramblers whose physical structure and parameter settings are not known to Eve. The proposed scheme has a number of attractive features. First, there is no fundamental limit to the data-rate, implying that encrypted transmission can be conducted at the usual rates of fiber optic systems. Second, the number of adjustable parameters used as a soft-key in the transmission can in principle be made as large as desired, thereby conveniently dividing the responsibility for the reliability of encryption between the hardware manufacturer and the user. Third, and perhaps most importantly, integration of the proposed method with existing communication systems is relatively simple: it is modulation format independent and it does not fundamentally impair the overall performance of the optical communication link.

The proposed scheme and its principle of operation are described in Section 2. Section 3 describes practical consideration details and section 4 presents the specific implementation of the key-establishment scheme whose performance is evaluated in section 5. Section 6 is devoted to a discussion and conclusions.

## 2. Principle of operation

A schematic description of the principle of operation of the proposed method is shown in Fig. 1. The communicating parties, Alice and Bob, receive identical copies of a truly random broadband optical signal, from which they extract a random binary sequence to be used as key for encrypted communication using the one-time pad protocol. The broadband random optical signal is obtained from the amplified spontaneous emission of an optical amplifier that is distributed to the users. Since the scheme is intended for use in wavelength division multiplexed (WDM) networks, a filter appropriately limiting the bandwidth of the random optical signal, is assumed to be present at the amplifier output. The random binary key sequence is established after both Bob and Alice photo-detect the optical signal, sample it after low-pass electrical filtering and compare the samples to a threshold. A sample that is greater than the threshold is registered as a logical one and a sample lower than the threshold is registered as a logical zero. Assuming that the clocks of both parties are properly synchronized and the absence of noise, the random binary sequences obtained by Alice and Bob will be identical. In fact, the structure and all components of the receivers are standard in fiber-optic communications. Identical optical scramblers are used by the communicating parties, prior to photo-detection, in order for the random key sequence not to be accessible to an eavesdropper.

While the scrambler can be based on a variety of technologies, including the ones currently used for optical scrambling in CDMA [4], we consider a simple scrambler structure that is based on commercially available devices used for tunable optical dispersion compensation. These scramblers consist of a concatenation of several highly dispersive optical filters whose transfer functions can be controlled dynamically and that introduce long-lived distortions to the incident broadband optical signal in the time domain. The adjustable parameters of the scramblers constitute the soft-key. A detailed description of the scramblers in our particular implementation will be provided in section 4.1. At Alice’s transmitter, the established key is XOR multiplied with the original message (plaintext) thereby producing the encrypted message (the ciphertext). After XOR multiplying the ciphertext with the established key at the receiver, the plaintext is recovered by Bob.

The above described scheme can be readily deployed in a WDM setting where the same broadband signal is distributed among multiple pairs of users sharing the same fiber.

## 3. Practical considerations

#### 3.1 The use of two threshold levels, synchronization and the effective rate factor

In a realistic scenario, the assumptions of ideality regarding the identity of the two scramblers and the absence of noise are clearly invalid. Under practical operating conditions, the above described key establishment scheme is likely to produce errors whenever the value of the detected sample is close to the threshold level, such that even a very small perturbation may cause Alice and Bob to register their bits differently. In order to avoid such situations, two threshold levels are introduced instead of one: a lower threshold below which the symbol is identified as a “zero” and a higher threshold above which the symbol is identified as a “one”. When the detected sample falls between the two thresholds, the symbol identity is declared as “don’t care”. Alice and Bob must then communicate with each other in order to disclose the positions of the “don’t care” symbols, such that the final key consists of all shared symbols except for those that have been identified by one of the parties as “don’t care”. The presence of “don’t care” symbols reduces the effective key-establishment rate and requires that the clock rate used for key establishment is higher than the data-rate of the ciphertext, if the one-time-pad protocol is to be used. We show in the next section that the increase in the clock-rate that is needed for reliable operation is fairly reasonable and not unusual in optical communications. In what follows we often refer to the effective rate factor ρ which we define as the average fraction of “legal” results (i.e. ones and zeros) within the detected samples (that include zeros, ones and don’t cares), i.e. *ρ*=1-Prob(don’t care). This quantity represents the rate reduction resulting from the use of two thresholds. In order to maintain the highest security, disclosure of the positions of the don’t care symbols should be performed over the encrypted channel. Only at the stage of system initiation are “don’t care” positions shared without encryption, until a sufficiently long buffer of key symbols is established. A possible variation on the above described protocol is to have only Alice disclose her “don’t care” positions to Bob. In this case, whenever Bob identifies a “don’t care” that was not in Alice’s list, he attaches to it a value of logical zero or one based on whether the detected sample was closer to the lower, or upper threshold, respectively. This modification slightly increases the effective key-establishment rate (as there are fewer declared “don’t care” symbols), but also increases by very little the error probability. As the overall effect of this modification is small, we will not include it in what follows.

The issue of synchronization also deserves some consideration. Since there is no inherent clock in the random broadband optical signal, a clock signal must be distributed between Alice and Bob separately. A convenient approach for synchronization would be to scale up the clock signal that is extracted by the users from the binary ciphertext so that it matches the sample rate used in key generation.

#### 3.2 Forward error-correction and privacy amplification

An important parameter in the characterization of the scheme is the bit-error-rate (BER). When used with respect to Alice and Bob, this term is defined as the fraction of symbols that they detect differently (after removing the symbols that have been identified by either one of them as “don’t care”). When the BER is mentioned with respect to Eve, it is defined as the fraction of symbols that Eve identifies differently from Alice and Bob. Proper operation requires that Alice and Bob’s BER remains close to zero, whereas Eve’s BER is as close as possible to 0.5, implying that the sequence that she acquires has no correlation with the original data. In order to achieve this situation in practice, one needs to apply privacy amplification algorithms such as the ones implemented for quantum key distribution schemes [6], in conjunction with forward error-correction (FEC) codes [7]. With privacy amplification, Alice passes the plaintext through a privacy amplification encoder prior to encrypting it and sending it to Bob. Bob decrypts the received message and then passes it through a privacy amplification decoder. If no errors occurred in the process of transmission, or decryption in Bob’s receiver, the message that he will recover after the privacy amplification decoder will be identical to the message sent by Alice originally. On the other hand, if Eve’s received and decrypted message contains errors (even few errors), the sequence that she obtains after the privacy amplification decoder will be practically uncorrelated with Alice’s original sequence, thereby giving her absolutely no information about the transmitted data. The role of FEC coding is to introduce some tolerance to errors between Alice and Bob. Such codes have the ability to eliminate errors in a received block of data, as long as their number is smaller than some value called the FEC threshold [7]. When it is greater than the threshold, the number of errors remains unchanged on average. 
Thus, as long as the BER between Alice and Bob remains lower than the FEC threshold, and Eve’s BER is higher than the FEC threshold, Bob will receive an error-free message while Eve’s recovered sequence will be practically uncorrelated with the original data. The higher the FEC threshold (i.e. the stronger the FEC code [7]) the more tolerant the scheme becomes to differences between Bob’s and Alice’s received signals, but at the same time resistance to eavesdropping becomes lower. The optimal FEC threshold is therefore an application specific parameter that depends on the amount of noise present in the communication process and on the required security. As a figure of merit, the strongest FEC codes used in optical communications today have a 7% overhead and their FEC threshold can be as low as 10^{-3} [8].

## 4. Specific implementation

The specific implementation that we assumed in the numerical evaluation is described schematically in Fig. 2. The dashed lines represent electrical wiring whereas solid lines represent optical fibers. Since encryption and decryption are performed digitally, by XOR multiplying the plaintext with the established key, the optical data transmitter and receiver indicated in the figure are standard elements in digital optical communications. The most critical devices in the proposed scheme are the scramblers, the random signal source and the receiver used for key generation.

#### 4.1 The optical scrambler

In the following we consider a specific scrambling device that is based on Gires Tournois (GT) etalons [9]. The configuration of the GT etalon is illustrated in the inset of Fig. 3. This device is essentially a Fabry Perot interferometer operating in reflection. It has a perfectly reflecting back mirror and a partially reflecting front mirror whose reflection coefficient is denoted by *r*. The roundtrip time through the device is *T*=2*L*/*nc* with *L* being the device thickness and with *n* and *c* denoting the refractive index inside the etalon and the speed of light, respectively. The GT etalon is characterized by an infinite impulse response (IIR)

where *φ* is a frequency independent propagation phase. While the parameters *r* and *T* are fixed in the manufacturing process, the phase *φ* can be varied by controlling the etalon temperature. Thus, as is indicated by Eq. (1), the etalon generates a coherent superposition of many delayed replicas of the incident optical signal with controllable coefficients. By concatenating several GT etalons, where each can be characterized by a unique reflectivity and roundtrip delay, a more complicated superposition of delayed replicas follows, thereby generating the desired scrambling operation. A scrambler with *N* etalons has 2*N* fixed degrees of freedom (the “hard-key”) and *N* variable degrees of freedom that can be adjusted by the user (the “soft key”). The corresponding frequency response of a single etalon is conveniently expressed as
$H(\omega)=\exp\left[-i\int_{-\infty}^{\omega}\tau(\omega')\,d\omega'\right]$, where τ(*ω*) is the group delay spectrum

and where the frequency independent delay was omitted for simplicity. In Fig. 3 we plot the group delay spectra of four etalons used in our study. The figure shows the spectra of the individual etalons with different reflection coefficients and phases, whereas their sum (the spectrum of the concatenated etalons) is illustrated by the dashed curve. The spectra are periodic with a period (referred to as the free spectral range) equal to 1/*T* and the higher the value of *r*, the more peaked the group delay spectrum becomes. For achieving efficient scrambling, the fixed parameter values of the etalons should be selected according to the following guidelines: the achievable delays must be sufficiently greater than the key sampling period, but on the other hand, the characteristic width of the group delay spectrum must have a significant enough overlap with the bandwidth of the random optical signal. As we explain in what follows, the FWHM bandwidth of the random optical signal that we use was 80GHz, and thus etalons with *T*=20ps and reflection coefficients of *r*=0.3, 0.4, 0.5 and 0.6 were used. These parameters were also chosen because they fall in the range of easily manufacturable values and because etalons with similar characteristics are used in commercial devices for tunable dispersion compensation [10]. A relevant parameter for the operation of the scrambler is the tuning time. This parameter depends on the particular scrambler assembly technology and type of control circuitry used for temperature stabilization. The overall stabilization time of the commercial tunable dispersion compensators built with this technology is of the order of 20 seconds.

#### 4.2 The random source and the optical receiver used for key generation

An amplifier generating spontaneous emission noise followed by an optical band-pass filter serves as the source of the random signal. Its output is accurately modeled as a zero mean Gaussian process in four dimensions; two quadratures and two polarizations. In Fig. 2, displaying the setup that we used in the numerical evaluations, we arbitrarily positioned the noise source inside of Alice’s transmitter. The central wavelength of the random signal is assumed to be in the conventional transmission band (C-band) of the optical fiber around 1550 nm. The optical bandwidth of the source must be greater than the key sampling-rate such that its correlation time is sufficiently smaller than the time interval between samples. On the other hand, an excessively large bandwidth of the random source is also undesirable, owing to spectral efficiency implications when the scheme is used in a WDM setting. Additionally, since the electrical bandwidth of the key-sampling receiver is finite, the indefinite increase of the optical bandwidth has no benefit to security. For these reasons, and also in order to facilitate the numerical evaluation we have chosen the bandwidth of the optical band-pass filter following the amplifier source to be equal to 0.65nm (FWHM) while the key sampling rate that we used was 40GSamples/s. The shape of the optical band-pass filter was modeled as second order Gaussian. The photo-receiver’s pass-band is modeled as a 3rd order Bessel filter as is often done in the modeling of optical communication systems. Its width at half maximum is assumed to be equal to 40GHz, consistent with available optical receiver technology. After sampling the electrically filtered signal we chose the upper and the lower threshold levels such that the average number of “ones” is identical to the average number of “zeros”. 
The separation between the two thresholds is determined by the trade-off between the immunity that one wishes to achieve from the effects of spurious noise, or imperfect matching between Bob’s and Alice’s hardware, and the reduction in the key-establishment rate that one is willing to accept.

## 5. Performance evaluation

The scrambling effect of a single etalon can be observed in the simple illustration presented in Fig. 4. The figure shows the relation between Bob’s BER and the alignment of the scrambler parameters when three of the four etalons in Bob’s receiver are set correctly, whereas the fourth etalon’s phase is offset. When the offset etalon is the one with the highest reflectivity (*r*=0.6), the BER increases rapidly with phase mismatch, but the BER never reaches the maximum value of 0.5. That is because the highest reflectivity corresponds to the narrowest group delay spectrum (see Fig. 3) and while it is characterized by the largest peak group delay, its spectral overlap with the random optical signal is the smallest. In the case of the lowest reflectivity, the group delay spectrum of the etalon is the broadest and there is a slower increase in BER. Yet, as the spectral overlap with the random signal is largest, the maximum BER value of 0.5 is reached.

Next we examine the process of key establishment in the presence of spurious noise introducing differences between the signals received by the two parties. As we explained earlier, we address this problem by introducing two threshold levels $s_l$ and $s_h$ (with $s_l<s_h$) such that a “one” is declared when the detected signal sample *S* is greater than $s_h$ and a “zero” is declared when *S* is lower than $s_l$. Whenever the signal measured by either Alice or Bob falls between these two thresholds, the symbol is declared as a “don’t care” and is not included in the key that Alice and Bob establish. In appendix A we calculate the BER between Alice and Bob and relate it to the effective rate factor *ρ*=1-Prob(don’t care). The calculation that we perform assumes that the detection process is dominated by optical noise that results from optical pre-amplification in the receivers, or from inline amplifiers. A similar and even simpler calculation follows if thermal electronic noise that is generated in the detector dominates. Figure 5 shows the raw BER as a function of the effective rate factor ρ for three typical values of optical signal to noise ratio (OSNR), defined as the ratio between the power-density of the random broad-band signal used for key sharing and the power density of the additive optical noise. Note that in practice, independent optical noise contributions may be present in both Alice’s and Bob’s sides of the system. In that case the noise power in the expression for the OSNR is the sum of the noise powers in Alice’s and Bob’s receivers. As can be seen in the figure, the BER can be made as low as desired at the expense of a reduction in the key establishment rate. In fact, for reasonable values of OSNR in the vicinity of 20dB, the BER reaches values as low as 10^{-9} with *ρ* in the vicinity of 0.7, which is a fairly reasonable value from a practical standpoint. Recall also that proper operation is ensured as long as Bob’s BER is lower than the FEC threshold and that the commonly used FEC in optical communications can have a threshold as low as 10^{-3} [8].
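
The two-threshold key establishment of Section 3.1 and the BER versus *ρ* trade-off described above can be tried out with a small Monte Carlo run. This is an added example, not code from the paper: it uses the appendix's scalar model (Alice detects *E*, Bob detects *E*+*n*, both circular Gaussian) and assumes ideal square-law detection with no electrical filtering, statistically independent samples, thresholds scaled to each party's mean detected power, and hypothetical function names.

```python
import math
import random


def thresholds(guard):
    """Return (s_l, s_h) for a unit-mean exponential intensity so that one
    receiver sees P(zero) = P(one) = (1 - guard) / 2 and P(don't care) = guard."""
    if not 0.0 <= guard < 1.0:
        raise ValueError("guard must be in [0, 1)")
    s_l = -math.log((1.0 + guard) / 2.0)   # P(I < s_l) = (1 - guard) / 2
    s_h = -math.log((1.0 - guard) / 2.0)   # P(I > s_h) = (1 - guard) / 2
    return s_l, s_h


def classify(sample, s_l, s_h):
    """Two-threshold decision: 1 above s_h, 0 below s_l, None for "don't care"."""
    if sample > s_h:
        return 1
    if sample < s_l:
        return 0
    return None


def establish_key(n_samples, osnr_db, guard, seed=1):
    """Simulate one key-establishment run.

    Returns (alice_key, bob_key, rho, ber): rho is the fraction of samples that
    neither party declared "don't care", ber the fraction of kept symbols on
    which Alice and Bob disagree.
    """
    rng = random.Random(seed)
    noise_var = 10.0 ** (-osnr_db / 10.0)      # noise power for unit signal power
    s_l, s_h = thresholds(guard)
    scale = 1.0 + noise_var                    # Bob's mean detected power (assumption:
                                               # he sets thresholds from his own statistics)
    sig_std = math.sqrt(0.5)                   # per-quadrature std of E
    noise_std = math.sqrt(noise_var / 2.0)     # per-quadrature std of n
    alice, bob = [], []
    for _ in range(n_samples):
        e = complex(rng.gauss(0.0, sig_std), rng.gauss(0.0, sig_std))
        n = complex(rng.gauss(0.0, noise_std), rng.gauss(0.0, noise_std))
        alice.append(classify(abs(e) ** 2, s_l, s_h))                      # Alice: |E|^2
        bob.append(classify(abs(e + n) ** 2, s_l * scale, s_h * scale))    # Bob: |E+n|^2
    # Both parties disclose their "don't care" positions; only positions that
    # are legal for both survive into the key.
    keep = [i for i in range(n_samples)
            if alice[i] is not None and bob[i] is not None]
    alice_key = [alice[i] for i in keep]
    bob_key = [bob[i] for i in keep]
    rho = len(keep) / n_samples
    errors = sum(a != b for a, b in zip(alice_key, bob_key))
    ber = errors / len(keep) if keep else 0.0
    return alice_key, bob_key, rho, ber


def xor_bits(bits, key):
    """One-time-pad step: XOR each data bit with one key bit (key used once)."""
    if len(key) < len(bits):
        raise ValueError("one-time pad needs at least one key bit per data bit")
    return [b ^ k for b, k in zip(bits, key)]


if __name__ == "__main__":
    # Constructed run: OSNR of 20 dB, increasing separation between thresholds.
    for guard in (0.0, 0.1, 0.2, 0.3):
        _, _, rho, ber = establish_key(50000, 20.0, guard, seed=7)
        print(f"guard={guard:.1f}  rho={rho:.3f}  raw BER={ber:.2e}")
```

In this simplified model the raw BER falls steeply as the thresholds move apart while *ρ* shrinks, which is the trade-off the text describes; the absolute numbers are those of the model, not of Fig. 5.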

In our attempt to assess the security of the proposed scheme, we focus on the scenario of a brute force attack by Eve, who tries to guess the correct setting of the scrambler parameters. While this is the most basic and essential step in characterizing the scheme security, it is not the only one, as more sophisticated attacks by an eavesdropper are possible [4]. Nevertheless, in this paper we concentrate primarily on the introduction and description of the proposed physical encryption concept. A rigorous analysis of system security in a broader sense will therefore be left for a future study.

We will assume that Eve is able to gain access to the correct scrambler hardware and that she is trying to randomly guess the scrambler parameters in order to intercept the key established between Alice and Bob. Notice that with the proposed scheme Alice does not have a useful analog feedback signal to tell her how to change the setting of her scrambler. This is in contrast to the cases of CDMA and chaotic laser encryption, where upon approaching the correct soft-key parameters a clearly identifiable pulse-like optical waveform is gradually unveiled. Moreover, for Eve’s brute force attack to be meaningful, she must have some knowledge about the transmitted plaintext. Her strategy would then be to mimic Bob’s receiver with randomly picked scrambler parameters, apply the resulting key sequence to the ciphertext and see if what she obtains makes sense. As long as the fraction of errors in Eve’s key is higher than the FEC threshold, the privacy amplification algorithm will ensure that the deciphered message is uncorrelated with the correct plaintext and Eve will have to start the entire process over again and again. The highest FEC threshold available with existing FEC technologies in optical communications is of the order of 10^{-3} [8], but weaker FEC’s with a lower threshold are also commercially available. The choice of FEC threshold is a trade-off between the security of the scheme and its resilience to perturbations between the communicating parties. The desirable measure of security against a brute force attack would therefore be the probability that Eve can obtain a key with a lower BER than the FEC threshold by guessing the scrambler parameters. Unfortunately, the numerical evaluation of probabilities of achieving BER levels of 10^{-3}, or lower, requires unrealistically long computation times. Nevertheless, some insight can be gained from observing the probabilities of guessing higher BER values. 
The results of a Monte Carlo simulation performed with the proposed set-up are illustrated in Fig. 6(a). The horizontal axis in the figure represents the BER, whereas the vertical axis shows the probability of achieving this, or higher BER level by guessing the parameters blindly. The various curves correspond to different choices of the distance between the two thresholds and they are labeled by the effective rate factor. As is evident in the figure, and as one may intuitively expect, there is a trade-off between the security of the system and its resilience to noise. It is also evident that achieving relevant BER values would require Eve to perform a very large number of attempts. Taking into account the slow time constants associated with the thermal control of the scrambler parameters, and recalling that Alice and Bob will typically change the key periodically in order to increase security, the prospects of a brute-force attack seem unrealistic. Further increase in security can obviously be implemented by increasing the number of GT etalons in the optical scramblers. An idea of the dependence of security on the number of etalons can be obtained from Fig. 6 (b). The axes in this figure are identical to those of Fig. 6(a), but the curves were obtained with *ρ*=0.7 and for a varying number of GT etalons in the scrambler. In the case of a single etalon we used a reflectivity of 0.4, in the case of 2 etalons the reflectivity coefficients were 0.4 and 0.6, in the case of 4 etalons we used the same reflectivity values as in Fig. 6(a) (i.e. 0.3, 0.4, 0.5 and 0.6) and in the case of 8 etalons we used the same reflectivity values twice. While the choice of reflectivity values in each case was made in order to achieve good performance, it was not crucial. We preferred not to use a fixed reflectivity value many times because this would introduce a redundancy that would help Eve, as the various etalons could then compensate for one another. 
The strong dependence of security on the dimension of the soft-key is evident from the figure.

An important factor in the applicability of the proposed scheme is its tolerance to link parameters; primarily, to imperfections in the compensation for chromatic dispersion and to PMD. As we focus on the linear regime of transmission, valid with current optical systems to many hundreds of kilometers, parameters related to fiber nonlinearities will not be considered. Fig. 7(a) illustrates Bob’s BER, obtained in a Monte-Carlo simulation, as a function of the uncompensated dispersion in Bob’s link. The sign of dispersion (whether it is under, or over-compensated) is immaterial and we therefore consider dispersion values between 0 and 50 ps/nm. Evidently the tolerance to dispersion is fairly low, and recalling that the FEC threshold can be as high as 10^{-3}, the allowed amount of uncompensated dispersion is of the order of 10ps/nm. While this is perhaps a relatively strict requirement, it is not inconsistent with the capabilities of dispersion compensating devices in use today [11]. This requirement can be alleviated somewhat if the effective rate factor is reduced to *ρ*=0.5, as is shown by the dashed curve in the figure.

The tolerance to PMD is examined in Fig. 7 (b), where the BER is computed in a range of DGD values. For simplicity, we have assumed only first order PMD in the computations. Notice that with *ρ*=0.7, only as little as approximately 2.5 ps of PMD can be tolerated by the system without the BER exceeding the dangerous level of 10^{-3}, constituting a fairly significant limitation. The situation is again alleviated somewhat when *ρ*=0.5, and the allowed DGD increases to approximately 3.5 ps. While remaining a significant limiting factor in practical links, with the low PMD of modern fibers and components, the above restriction still allows proper operation of the system over several hundreds of kilometers length.

One of the main advantages of the proposed scheme is the possibility of using standard, off-the-shelf optical hardware for its implementation. The most significant element in the system is the optical scrambler. For Alice and Bob to be able to communicate reliably, their optical scramblers need to be as close to identical as possible. As an example of an off-the-shelf optical device that is suitable for our purpose, we acquired two units of commercially available, tunable optical dispersion compensators (TODC) by Civcom. Those devices are based on four GT etalons with a free spectral range of 50GHz, as they were designed for a multi-channel communication environment based on the ITU grid. The resonance frequencies of the four individual etalons are independently controllable. We measured the group delay and the insertion loss spectra of the two devices while setting the control parameters to arbitrary, but identical values. An example of a group delay spectrum that we measured with the two devices is shown in Fig. 6(a). We then used the measured spectra in our simulation to calculate the expected raw BER as a function of the effective rate factor ρ. The resemblance between the group delays of the two devices is fairly good, but not perfect. Fig. 8(b) shows the raw BER that is obtained with these two devices after setting them to the same parameters, as a function of ρ. Notice that from comparison between Fig. 5 and Fig. 8(b), the difference between the spectra of the two devices is equivalent to the effect of noise at an OSNR level close to 20dB. Once again, any desirable BER level can be achieved at the expense of a corresponding reduction in the effective rate factor. Note that the tested TODC devices were not designed for our purpose and no special emphasis was placed on ensuring similarity between their spectra. Nevertheless, Fig. 8 suggests that the implementation of the proposed scheme with readily available optical hardware should indeed be possible.

## 6. Discussion

We propose a new scheme for encryption that is based on the implementation of the one-time pad protocol. The key that is used for the one-time pad is generated by each pair of users from a truly random optical noise signal that is distributed among them. Each such pair of users establishes a unique secret key by sampling the random optical signal that is distributed between them after passing it through matching optical scramblers whose parameters are tuned to identical values known only to that pair of users. The proposed scheme has a number of attractive attributes that are advantageous when compared to other existing methods of encryption in the optical layer. The most important advantage is perhaps the fact that it can be designed into any method of digital optical communications, without affecting its properties such as modulation format, pulse-shape, bandwidth etc. Hence it does not interfere with the overall communication system performance. Although our analysis related only to the case of a single pair of users, the scheme is compatible with WDM transmission with the loss in the overall spectral efficiency being minimal. The unique method by which the key is distributed prevents certain eavesdropping attacks to which other optical encryption schemes are susceptible. In particular, the advantage is that neither the random waveform emanating from the optical scrambler, nor the digital key extracted from it, display any distinct characteristics to indicate when the scrambler parameters approach the correct values. In fact, the only way that the eavesdropper can tell that he has found the correct scrambler setting is by using the key that he obtains with the guessed setting in order to decrypt the ciphertext and see whether the output sequence is intelligible to him. Thus, the security of the scheme can be easily enhanced by applying any form of digital encryption to the original data. 
The complexity of intercepting the original data in this case will be the product of the complexities that would be needed in order to intercept the data if only one of the encryption methods (either digital, or the proposed physical method) is used. This is contrary to the cases of optical CDMA, or chaotic synchronization where the complexities would simply add to each other since the interception of the physical layer code can be performed independently of the digital encryption of the data. Our analysis and evaluation of the proposed scheme assumed that a commercially available tunable optical dispersion compensation device is used as the scrambler. We acquired a pair of such devices and tested their applicability to our scheme by performing the evaluation with their measured spectra. A specific optimization of such devices for use as scramblers would emphasize their uniformity within the manufacturing process and further improve their performance. Finally, although throughout this manuscript the key-sampling rate was assumed to be fixed at 40G samples per second, implementation of the scheme with higher sampling rates is straightforward, provided only that optical receivers with a correspondingly higher electrical bandwidth are available.

## 7. Appendix

In this appendix, we calculate the BER between Alice and Bob and relate it to the effective rate factor *ρ* which we have defined as the average fraction of “legal” results (i.e. ones and zeros) within the detected samples (that include zeros, ones and don’t cares). In order to reduce the complexity of notation, we initially perform the calculation for the case of scalar fields. The final results are, as we comment later, unchanged when the signal and noise are treated as unpolarized thermal radiation fields. Let *E*(*t*) denote the wide-band optical field produced by Alice and let *n*(*t*) denote the additive noise in the channel. Since we have assumed that the detection process is dominated by optical noise that results from optical pre-amplification in the receivers, or from inline amplifiers, we model *E*(*t*) and *n*(*t*) as statistically independent circular Gaussian noise processes, of the same optical bandwidth *B* that is determined by the optical filter at the receivers. Alice’s detector is subjected to the signal *E*(*t*) whereas Bob’s detector receives *E*(*t*)+*n*(*t*). The electronic signals generated by Alice’s and Bob’s detectors are proportional to

and

respectively. Alice’s receiver decides upon the identity of a symbol according to the electronic signal $S_A$ that is generated by the photo-detector and filtered by the electrical low pass filter (LPF) of the receiver:

where *h*(*t*) is the impulse response of the LPF. In a similar manner, on Bob’s side the electronic signal is:

For reasonable values of SNR, one can approximate $s_B(t)=|E(t)|^2+2\mathrm{Re}[E(t)n^*(t)]$. In this case, $S_B$ can be expressed in terms of $S_A$ and an additive noise component, $N$,

where

If we condition on the value of the field *E*, then *N* is a zero mean Gaussian variable whose variance is

where $N_0$ is defined through

The error probability is composed of the probabilities of two events: either Alice decides ‘1’ and Bob decides ‘0’, or the other way around. The BER therefore takes the following form:

$$0.5\left[\begin{array}{c}\int_{0}^{s_l}Q\left(\frac{s_h-S_A}{\sqrt{\mathrm{VAR}\left(N\mid E\right)}}\right)f\left(S_A\right)dS_A\\ +\int_{s_h}^{\infty}Q\left(\frac{S_A-s_l}{\sqrt{\mathrm{VAR}\left(N\mid E\right)}}\right)f\left(S_A\right)dS_A\end{array}\right],$$

If we assume for simplicity an integrate and dump receiver, the impulse response of the LPF is square and $\mathrm{VAR}(N\mid E)=2N_0S_A$. Assuming also a square optical filter, the distribution of $S_A$ is $\chi^2$ with $M$ degrees of freedom, i.e.

where $M=2BT$, with $T$ denoting the integration time of the LPF. The statistical average of $S_A$ is $M\sigma_E^2$, where $\sigma_E^2$ is the variance of each degree of freedom in $E(t)$. Assuming that the additive noise has a rectangular power spectrum with bandwidth $B$, the average power of the detected noise is $N_0BT=N_0M/2$ such that the OSNR is $OSNR=2\sigma_E^2/N_0$, or $N_0=2\sigma_E^2/OSNR$. Thus we find that

which can be substituted into equation (A.9) for the BER. The effective rate factor is equal to 1 minus the probability that either Alice or Bob detects a signal that is between the two thresholds. This is given by a simple, but cumbersome expression:

$$+\int_{0}^{s_l}\left[Q\left(\frac{s_l-S_A}{\sqrt{\mathrm{VAR}\left(N\mid E\right)}}\right)-Q\left(\frac{s_h-S_A}{\sqrt{\mathrm{VAR}\left(N\mid E\right)}}\right)\right]f\left(S_A\right)dS_A+$$

$$+\int_{s_h}^{\infty}\left[Q\left(\frac{S_A-s_h}{\sqrt{\mathrm{VAR}\left(N\mid E\right)}}\right)-Q\left(\frac{S_A-s_l}{\sqrt{\mathrm{VAR}\left(N\mid E\right)}}\right)\right]f\left(S_A\right)dS_A$$

the first line of which represents the probability of a “don’t care” on Alice’s side, whereas the last two lines represent the probability of a “don’t care” on Bob’s side provided that Alice detected a legitimate symbol (“zero” or “one”). When both polarizations are included, the effect is equivalent to that of doubling the number of degrees of freedom from *M*=*2BT* to *M*=*4BT*.
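The appendix's model run as a Monte Carlo simulation, added here as an example and not the authors' code: $S_A$ is drawn as a scaled $\chi^2$ variable with $M$ degrees of freedom, Bob's sample adds Gaussian noise with $\mathrm{VAR}(N\mid E)=2N_0S_A$ and $N_0=2\sigma_E^2/OSNR$, and both sides apply the thresholds $s_l$ and $s_h$. The values $M=4$, $\sigma_E^2=1$, the threshold settings, and counting the BER only over samples that both sides keep are assumptions of this example.

```python
import math
import random

def decide(S, s_l, s_h):
    """Two-threshold decision: 0 below s_l, 1 above s_h, None for a don't care."""
    if S < s_l:
        return 0
    if S > s_h:
        return 1
    return None

def simulate(osnr_db, s_l, s_h, M=4, sigma2_E=1.0, n=100_000, seed=1):
    """Monte Carlo estimate of (raw BER, rho) for thresholds s_l <= s_h.

    M, sigma2_E, n and seed are constructed values, not taken from the paper.
    """
    rng = random.Random(seed)
    N0 = 2.0 * sigma2_E / (10 ** (osnr_db / 10.0))  # N_0 = 2*sigma_E^2 / OSNR
    kept = errors = 0
    for _ in range(n):
        # S_A: chi-square with M degrees of freedom, mean M*sigma_E^2
        S_A = rng.gammavariate(M / 2.0, 2.0 * sigma2_E)
        # Conditioned on E, N is zero-mean Gaussian with variance 2*N_0*S_A
        S_B = S_A + rng.gauss(0.0, math.sqrt(2.0 * N0 * S_A))
        a = decide(S_A, s_l, s_h)
        b = decide(S_B, s_l, s_h)
        if a is None or b is None:
            continue  # a don't care on either side discards the sample
        kept += 1
        errors += (a != b)
    rho = kept / n  # fraction of samples that yield a key bit on both sides
    ber = errors / kept if kept else float("nan")
    return ber, rho

if __name__ == "__main__":
    median = 3.36  # approximate median of chi-square with 4 degrees of freedom
    print("gap    rho     raw BER  (OSNR = 20 dB)")
    for gap in (0.0, 0.4, 0.8, 1.6):
        ber, rho = simulate(20, median - gap / 2, median + gap / 2)
        print(f"{gap:3.1f}  {rho:6.3f}  {ber:9.2e}")
```

Widening the gap between the thresholds trades key rate for agreement: ρ falls while the raw BER between Alice and Bob drops.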

## Acknowledgement

The authors are grateful to Efraim Roif and to Civcom for providing the tunable dispersion compensation devices. The authors are also pleased to acknowledge the advice of Gerard Cohen and Simon Litsyn and their help in understanding the operation of privacy amplification protocols.

## References and links

**1.** G. D. VanWiggeren and R. Roy, “Communication with Chaotic Lasers,” Science **279**, 1198–1200 (1998).

**2.** A. Argyris, D. Syvridis, L. Larger, V. Annovazzi-Lodi, P. Colet, I. Fischer, J. Garcia-Ojalvo, C. R. Mirasso, L. Pesquera, and K. A. Shore, “Chaos-based communications at high bit rates using commercial fibre-optic links,” Nature **438**, 343–346 (2005).

**3.** L. Tancevski, I. Andonovic, and J. Budin, “Secure optical network architectures utilizing wavelength hopping/time spreading codes,” IEEE Photon. Technol. Lett. **7**, 573–575 (1995).

**4.** T. H. Shake, “Security performance of optical CDMA against eavesdropping,” J. of Lightwave Technol. **23**, 655–670 (2005).

**5.** R. Anderson, *Security engineering: a guide to building dependable distributed systems*. New York: Wiley, 2001.

**6.** C. H. Bennett, G. Brassard, C. Crepeau, and U. M. Maurer, “Generalized privacy amplification,” IEEE Trans. Inf. Theory **41**, 1915–1923 (1995).

**7.** G. C. Clark and J. B. Cain, *Error-correction coding for digital communications*. New York: Plenum Press, 1981.

**8.** See for example “ITU-T Recommendation G.975.1,” I. T. Union, Ed., 2004.

**9.** C. K. Madsen and J. H. Zhao, *Optical filter design and analysis: A signal processing approach*, Wiley Interscience, 1999.

**10.** G. Shabtay, D. Mendlovic, and Y. Itzhar, “Optical single channel dispersion compensation devices and their application,” European Conference on Optical Communication, Paper WE1. 2.1, ECOC Glasgow, 2005.

**11.** A. E. Willner and B. Hoanca, “Fixed and tunable management of fiber chromatic dispersion,” in *Optical fiber telecommunications IVB: systems and impairments*, I. P. Kaminow and T. Li, Eds. San Diego, Calif.; London: Academic Press, 2002.