The security issues of passive optical networks (PONs) have always been a concern due to broadcast transmission. Physical-layer security enhancement for the coherent PON should be as significant as improving transmission performance. In this paper, we propose the advanced encryption standard (AES) algorithm and geometric constellation shaping four-level pulse amplitude modulation (GCS-PAM4) pilot-based key distribution for secure coherent PON. The first bit of the GCS-PAM4 pilot is used for the hardware-efficient carrier phase recovery (CPR), while the second bit is utilized for key distribution without occupying the additional overhead. The key bits are encoded by the polar code to ensure error-free distribution. Frequent key updates are permitted for every codeword to improve the security of coherent PON. The experimental results of the 200-Gbps secure coherent PON using digital subcarrier multiplexing with 16-ary quadrature amplitude modulation show that the GCS-PAM4 pilot-based key distribution could be error-free at upstream transmission without occupying the additional overhead and the eavesdropping would be prevented by AES algorithm at downstream transmission. Moreover, there is almost no performance penalty on the CPR using the GCS-PAM4 pilot compared to the binary phase shift keying pilot.

翻译：无源光网络（PON）的安全问题因广播传输特性始终备受关注。相干无源光网络的物理层安全增强应与传输性能提升同等重要。本文提出采用高级加密标准（AES）算法与几何星座整形四电平脉冲幅度调制（GCS-PAM4）导频进行密钥分发，以实现安全相干无源光网络。GCS-PAM4导频的第一比特用于硬件高效的载波相位恢复（CPR），第二比特则用于密钥分发且不占用额外开销。密钥比特通过极化码编码以确保无误分发。每个码字均可实现密钥频繁更新，从而增强相干无源光网络的安全性。基于数字子载波复用与16进制正交幅度调制的200 Gbps安全相干无源光网络实验结果表明：在上行传输中，GCS-PAM4导频密钥分发可在不占用额外开销时实现无误传输；下行传输中，AES算法可有效防止窃听。此外，与二进制相移键控导频相比，采用GCS-PAM4导频进行CPR几乎不产生性能代价。