The security issues of passive optical networks (PONs) have always been a concern due to broadcast transmission. Physical-layer security enhancement for the coherent PON should be as significant as improving transmission performance. In this paper, we propose the advanced encryption standard (AES) algorithm and geometric constellation shaping four-level pulse amplitude modulation (GCS-PAM4) pilot-based key distribution for secure coherent PON. The first bit of the GCS-PAM4 pilot is used for the hardware-efficient carrier phase recovery (CPR), while the second bit is utilized for key distribution without occupying the additional overhead. The key bits are encoded by the polar code to ensure error-free distribution. Frequent key updates are permitted for every codeword to improve the security of coherent PON. The experimental results of the 200-Gbps secure coherent PON using digital subcarrier multiplexing show that the GCS-PAM4 pilot-based key distribution could be error-free at upstream transmission without occupying the additional overhead and the eavesdropping would be prevented by AES algorithm at downstream transmission. Moreover, there is almost no performance penalty on the CPR using the GCS-PAM4 pilot compared to the binary phase shift keying pilot.

翻译：无源光网络因其广播传输特性，其安全问题始终备受关注。在相干无源光网络中，物理层安全增强与传输性能提升同等重要。本文提出基于高级加密标准（AES）算法和几何星座整形四电平脉冲幅度调制（GCS-PAM4）导频的密钥分发方案，用于安全相干无源光网络。GCS-PAM4导频的第一比特用于硬件高效的载波相位恢复（CPR），第二比特用于密钥分发，且无需占用额外开销。密钥比特采用极化码编码以确保无误分发。允许每个码字进行频繁密钥更新，以增强相干无源光网络的安全性。采用数字子载波复用的200 Gbps安全相干无源光网络实验结果表明，基于GCS-PAM4导频的密钥分发在上行传输中可在不占用额外开销的情况下实现无误传输，且下行传输中AES算法能够有效防止窃听。此外，与二进制相移键控导频相比，采用GCS-PAM4导频进行CPR时几乎未引入性能损失。