I Introduction
Steganography is one of the most fascinating aspects of secure communication. The word “steganography” is derived from the Greek words , meaning ‘covered’, and , meaning ‘writing’. Thus, it literally means “covered writing” and refers to the art of hiding a secret message () behind an innocuous-looking text () in such a way that it can only be detected and deciphered by the intended receiver. It differs from cryptography, where the fact that secret messages are being exchanged is openly known. By contrast, steganography aims to hide the very existence of the secret message. Steganography has been widely used throughout human history, and examples can be found in abundance both in history and in the animal kingdom (for a short but interesting history of steganography see Ref. kahn1996history ). For instance, in ancient Greece, messages were marked on the shaven heads of trusted messengers, who were then sent on their way once the hair had regrown.
One can point out several examples of situations where steganography will be of practical use. For example, consider that Bob has decided to give Eve a surprise gift on their anniversary party, despite Eve’s challenge that she would find out the contents of the gift earlier. In order to succeed at his attempt, Bob takes the help of Alice, Eve’s sister. His only method of communicating his plans to Alice is to send an encrypted invitation. It is not enough that the message is encrypted since it may make Eve and other guests, who are unaware of the plan, suspicious. What Bob needs to save the day is steganography.
Interesting properties of steganography and its applications in providing security and privacy on the internet have drawn considerable attention from the community interested in secure communication (see cox2007digital ; johnson1998exploring ; Fridrich2009Nov and references therein). In fact, classical steganography was developed extensively in the latter part of the 20th century and at the beginning of the present century johnson1998exploring ; anderson1998limits ; sallee2003model ; provos2003hide ; cachin1998information ; Fridrich2009Nov . In these works, steganography was studied in view of different prospective applications ranging from digital image processing to internet security.
In a different line of research, a protocol for quantum key distribution (QKD) was proposed in 1984 by Bennett and Brassard BB84 , now known as the BB84 protocol, showing that unconditional security of information can be obtained in the quantum world. This paved the way for several other protocols of QKD (see shenoy2017quantum and references therein). This evokes the natural question: Can the advantage of quantum cryptography be extended to design secure protocols of quantum steganography? Addressing this question, in 2002 Gea-Banacloche GeaBanacloche2002Sep proposed the first protocol of quantum steganography. This pioneering work of Gea-Banacloche has been followed by a number of studies on quantum steganography shaw2011quantum ; qu2010novel ; jiang2016lsb ; mihara2015quantum ; luo2019efficient ; csahin2018novel ; qu2019matrix ; el2012quantum ; mar . In these schemes, different strategies involving quantum resources have been used to conceal the stegotext. For example, in shaw2011quantum , the stegotext was concealed by giving it the appearance of channel noise in a codeword of a quantum error-correcting code; whereas in qu2010novel , the ping-pong protocol for quantum secure direct communication and entanglement swapping were used to design a scheme of quantum steganography. Further, pre-shared entanglement and GHZ states were used as quantum resources in mihara2015quantum and in el2012quantum , respectively.
All the protocols for quantum steganography proposed in the above mentioned studies and the references therein are expected to fulfill the following requirements:

Communication: The transmitting party is able to communicate classical or quantum information to the receiving party successfully.

Secrecy: The stegotext is completely concealed such that the eavesdropper or person in authority should be unable to detect its presence.
In addition, the requirement of security can be imposed to ensure that a third party cannot read the stegotext even if its presence is detected. Since steganography focuses only on hiding the fact that a secret message is being transmitted, it is not necessary to encrypt the message, which is why security is a separate criterion. This criterion is often fulfilled through the use of quantum cryptography. In this regard, the distinction between quantum steganography and quantum cryptography can be further emphasized by stating that while the former requires all three requirements to be satisfied, the latter requires only security as the necessary and sufficient condition. Interestingly, it was shown by Martin mar that a quantum steganographic protocol can be integrated within a cryptographic protocol to communicate a hidden classical bit successfully. Hereafter, this protocol will be referred to as Martin’s quantum steganography (MQS) protocol. Further, this protocol may be viewed as a variant of the BB84 protocol for QKD BB84 with a steganographic channel. In what follows we will give specific attention to this scheme.
It would seem that if Alice and Bob are employing QKD, then they could simply employ QKD to send a secret bit, rather than use steganography. The motivation for the latter arises in the situation where Alice and Bob are constrained by cost considerations to use intermediate-security QKD equipment, e.g., Noisy Intermediate Scale Quantum (NISQ) tools rather than fully device-independent ones. In that case, with sufficient resources, Eve can gain information about a good fraction of their messages by performing a conventional QKD cryptanalysis. Thus, to transmit top secret bits, they may resort to steganography.
A steganalysis of MQS protocol has been performed by Qu et al. stega , who have reported certain vulnerabilities of MQS protocol and proposed a notion of steganalysis using coherence measures to detect the presence of a hidden channel in an open channel. Steganalysis relies on the principle that classical steganography changes the probability distribution of the quantum states. The deviation of the detected probability distribution from the theoretical distribution can be analyzed by quantum state discrimination to achieve effective detection of steganographic communication. The attractive idea about MQS protocol is that in terms of practical implementation, it can be realized with only the elements that make up QKD. Here, we aim to build on the idea of basing steganography on QKD, but free of the vulnerabilities mentioned above.
The rest of the paper is structured as follows. In Section II, we briefly describe MQS protocol mar and its weaknesses. In Section III, the steganalysis of MQS protocol reported in the existing literature is briefly reviewed to elaborate on its vulnerabilities and the need for a new protocol for quantum steganography free from the weaknesses of MQS protocol. A new protocol for quantum steganography is proposed and analyzed in Section IV. The protocol uses reverse communication for a class of discrete modulation continuous-variable QKD (CVQKD) protocols which may be realized using coherent states Namiki_2003 ; PhysRevA.74.032302 or other quantum states as quantum resource. The paper is concluded in Section V with a short discussion on the use of reverse communication in circumventing vulnerabilities of MQS protocol.
II Review of MQS protocol
Here, we aim to briefly review the MQS protocol proposed by Martin and discuss its security. In his protocol, Martin used BB84 QKD protocol for covert communication. Alice and Bob are two parties who wish to establish successful steganographic communication using their QKD channel. The steps of MQS protocol are as follows:
MQS1: Alice prepares a random string of qubits, where the qubits are prepared randomly in or basis. (Footnote 1: In the original protocol, Martin used qubits, but it would have been more practical to use qubits to take care of the fluctuations and to ensure that with high probability qubits are obtained in Step MQS5.)
MQS2: Alice sends the string to Bob.
MQS3: After receiving the qubits, Bob measures them randomly in or basis.
MQS4: Alice announces the basis in which she originally encoded her bits.
MQS5: Bob announces the positions of bits in which his measurement basis coincides with the encoding basis and keeps the corresponding bits. The number of remaining bits is about .
MQS6: Alice decides her stego bit from the remaining bits. The value of this bit is the information that Alice wants to send to Bob. She initialises the check-bit method whereby she randomly announces check bits out of the remaining bits. The check bit is chosen such that it lies in a pre-decided spatial relation to the stego bit. For example, the stego bit can lie to the right of the check bit with a pre-decided displacement that is calculated using the key generated in the previous run of QKD.
MQS7: Alice and Bob compare the values of their check bits. If the error percentage is more than a certain threshold, then they abort the protocol.
MQS8: Alice and Bob perform classical post-processing to distill a shorter bit string from remaining bits.
In this manner, a single stego bit can be communicated from Alice to Bob in one QKD run. Initially, Alice and Bob mutually decide the initial displacement for the first QKD run, and the displacement for subsequent runs can be calculated by mod +1, where bits is the previous key length and the key length in the current QKD run is bits. Other methods can also be employed for choosing a random displacement using the secret key generated. The randomness in the choice of displacement ensures that there is no correlation between the position of the check bit and the stego bit. It is to be noticed that to any third party, MQS6 raises no suspicion and the protocol looks like an innocent QKD run. Additionally, the protocol is self-sufficient as it also generates the secret key needed for the next run. Despite this, MQS protocol has some weaknesses, of which the two main points worth highlighting are:

Direct communication: The party who wishes to share the stego bit prepares and sends the initial qubits. Also, the check bits are announced by the same party in order to communicate the stego bit. Since the classical communication is in the same direction as that of transmission of qubits, we refer to it as “direct communication” here.

Embedding rate: Since MQS protocol allows only one stego bit to be embedded in the QKD protocol, the protocol is not efficient. Alice may embed her stego bit in a key of shorter length to increase efficiency.
In the next section, we will discuss how, together with a high embedding rate, direct communication proves fatal to the secrecy of the hidden channel.
III Steganalysis of MQS protocol
The meaning of steganalysis can be easily understood from the fact that the relation between steganography and steganalysis is analogous to the relation between cryptography and cryptanalysis. Thus, steganalysis aims to prevent covert communication or steganography. It usually aims to detect the deviation from the theoretical probability distribution of states without being detected, i.e., in the context of MQS protocol, QKD efficiency must not decrease beyond a certain threshold. It differs from a standard attack on QKD protocols in that it only aims to detect the deviation from a uniform key, while standard QKD attacks are applied in order to gain complete information about the key. If a deviation is detected in steganalysis, the eavesdropper can then use standard QKD attacks in order to get the stego bit with high probability. In their steganalysis of MQS protocol, Qu et al. stega applied an ambiguous quantum state discrimination (QSD) attack to analyze how the difference between the probability distribution of detected states and the theoretical distribution varies with the embedding rate, using two measures of coherence.
In ambiguous QSD attack Holevo2001 ; Helstrom1969Jun , the eavesdropper Eve tries to discriminate between the random states from the ensemble where are the transmitted states with probabilities and identify the incoming state. For this purpose, in general, Eve can use positive operator valued measurement (POVM) to perform measurements. A POVM is a set of positive semidefinite matrices that satisfy the completeness pathak2013elements . If the system is in the state , the maximal success probability to identify is
(1) 
obtained by maximization over all POVMs. The corresponding minimal discrimination error probability (MDEP) is
(2) 
MDEP is maximal when the prior probabilities are equal and changes accordingly with variation in the probabilities.
For our discussion, it is convenient to define the embedding rate as the ratio of number of secret bits communicated to the total number of bits in a single QKD run (cf. stega ):
(3) 
The probability distribution of states in MQS protocol given in terms of “” is:
(4) 
where . The distribution of the classical bits ‘0’ and ‘1’ is . Equation (4) shows that as the embedding rate in the protocol changes, the probability distribution of states shows a substantial amount of change which is also reflected in the MDEP (Equation (2)). When the embedding rate is low, the MDEP changes only slightly but decreases significantly with high embedding rates, making it easier to successfully identify the quantum state. Also, the difference in the detected distribution of the transmitted states from the initial probability distribution itself raises the suspicion of covert communication between Alice and Bob, compromising the secrecy of the steganographic protocol.
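The dependence of the MDEP on the prior probabilities can be worked through in the two-hypothesis special case, where the Helstrom bound has the closed form (1 - ||p0 rho0 - p1 rho1||_1)/2. The Python code below is an added example, not part of the original paper; the sample states |0> and |+>, the depolarising noise model and the listed priors are assumptions for illustration and are not the four-state distribution of Equation (4).

```python
import math


def trace_norm_2x2(m):
    """Trace norm (sum of |eigenvalues|) of a 2x2 Hermitian matrix."""
    a, d, b = m[0][0].real, m[1][1].real, m[0][1]
    mid = (a + d) / 2.0
    rad = math.sqrt(((a - d) / 2.0) ** 2 + abs(b) ** 2)
    return abs(mid + rad) + abs(mid - rad)


def density(psi):
    """Density matrix |psi><psi| of a normalised qubit state (c0, c1)."""
    c = [complex(x) for x in psi]
    return [[c[i] * c[j].conjugate() for j in range(2)] for i in range(2)]


def depolarise(rho, noise):
    """Mix rho with the maximally mixed state: (1 - noise)*rho + noise*I/2."""
    return [[(1 - noise) * rho[i][j] + (noise / 2 if i == j else 0)
             for j in range(2)] for i in range(2)]


def mdep(p0, rho0, rho1):
    """Minimal discrimination error probability for {p0: rho0, 1-p0: rho1}.

    Helstrom bound for two hypotheses: (1 - ||p0*rho0 - p1*rho1||_1) / 2.
    """
    p1 = 1.0 - p0
    diff = [[p0 * rho0[i][j] - p1 * rho1[i][j] for j in range(2)]
            for i in range(2)]
    return 0.5 * (1.0 - trace_norm_2x2(diff))


# Assumed sample states: one state from each of two conjugate bases.
KET_0 = (1.0, 0.0)
KET_PLUS = (1 / math.sqrt(2), 1 / math.sqrt(2))


def sweep(priors=(0.5, 0.6, 0.7, 0.8, 0.9), noise=0.0):
    """MDEP for each prior p0: the more skewed the prior, the lower the error."""
    rho0 = depolarise(density(KET_0), noise)
    rho1 = depolarise(density(KET_PLUS), noise)
    return [(p0, mdep(p0, rho0, rho1)) for p0 in priors]


if __name__ == "__main__":
    for noise in (0.0, 0.1):
        print(f"depolarising noise = {noise}")
        for p0, err in sweep(noise=noise):
            print(f"  p0 = {p0:.1f}  MDEP = {err:.4f}")
```

With equal priors the error is largest; any skew in the sender's distribution lowers it, which is the effect the steganalysis above relies on.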
IV Reverse communication quantum steganography
Here, we propose that the above kind of steganalysis can be evaded by modifying the standard “direct communication” steganographic protocols to include “reverse communication”, while the other key features of the protocols are retained, such that no suspicion arises. To the best of our knowledge, this is the first time that this simple fix to the above steganalytic attack has been put forth. Reverse communication steganography works on the principle that if Alice wants to communicate a stego bit, she asks Bob to start the QKD run (similarly when Bob wants to communicate the stego bit, he asks Alice to start the QKD run). The classical communication is in the opposite direction, hence the name. As an example, consider the case in which Alice wishes to communicate the stego bit. Then, when she receives the qubits from Bob, she announces the conclusive results with a slight variation: specifically, while announcing the positions of the conclusive results, she deliberately announces an inconclusive result as the last conclusive bit, where it has a pre-decided displacement (calculated by the previous QKD run) with the actual conclusive result. Another way is that Alice announces her conclusive results randomly with the condition that the announcement is the stego bit. In this manner, since Bob is aware of the scheme, he can know the stego bit.
The requirement of security comes from the QKD protocol itself, while that of secrecy against steganalysis is fulfilled owing to the fact that Bob holds no knowledge about the stego bit Alice wishes to send; hence he would send all states with equal probabilities. Therefore, using this “reverse communication” procedure, there is no deviation of the detected distribution from the theoretical probability distribution, rendering the steganalysis attack useless. In the next section, we develop such protocols explicitly. Initially, reverse communication quantum steganography for the four-state protocol is proposed. Further, it is generalized to the whole class of discrete modulation CVQKD protocols using coherent states. It is also shown that the proposal can be extended to other protocols of the same class that employ different states, namely, photon added subtracted coherent states (PASCS).
IV.1 Discrete Modulation CVQKD Protocols
In CVQKD systems, quantum states with infinite-dimensional Hilbert spaces are used, where the information can be encoded in the position and momentum quadratures. The difference between discrete-variable (DV) QKD and CVQKD lies in the fact that in the latter, real amplitudes are measured instead of discrete events. Instead of photon counting techniques, the protocols employ homodyne detection. There are two classes of CVQKD protocols:

Discrete modulation CVQKD protocols: The encoding is discrete in nature since the states used are simply mapped to binary bits Hirano_2017 .

Gaussian modulation CVQKD protocols: In such protocols Grosshans_2003 ; Grosshans_2002 , the key is encoded as the real values of a Gaussian distribution, from which a key can be distilled using classical post-processing. These protocols are efficient over short ranges and can be implemented easily.
Discrete modulation CVQKD protocols can be seen as a direct analogue of standard DV protocols. Along with being experimentally feasible Hirano_2017 , they also provide security Ghorai_2019 ; Kaur_2021 ; Lin_2019 under a number of attacks similar to their discrete counterparts. For the aforementioned reasons, we propose here a steganographic protocol that employs such protocols. The majority of discrete modulation CVQKD protocols are built in such a way that the classical communication from Alice’s end is minimized to a certain extent, often eliminated completely. This inherent property gives them a certain advantage in integrating reverse communication steganography without any major modifications.
IV.2 Steganographic communication using coherent state protocols
IV.2.1 E4 Protocol
Originally, the four coherent-state (O4) protocol Namiki_2003 ; PhysRevA.74.032302 was introduced using phase-encoded coherent states (Fig. 1a). In PhysRevA.74.032302 , a wide class of discrete modulation CVQKD using coherent states was introduced, which generalized and improved the O4 protocol. These protocols exploit the symmetries of the phase space to improve the efficiency while keeping the security the same as before.
In order to understand this better, we review the “efficient” version (E4) of the four state protocol here:

Alice sends randomly one of the coherent states , , , with 0 (where is the average number of photons) to Bob.

Bob measures the position () or momentum () quadrature randomly.

Bob informs Alice of his measurement quadrature. For the state , Bob’s measurements yield a Gaussian distribution centered at in both the quadratures.
Similarly, for the state , Bob’s measurements yield a Gaussian distribution centered at in the position and in the momentum quadrature.
For , Bob’s measurements yield a Gaussian distribution centered at in both the quadratures.
For , Bob’s measurements would yield a Gaussian distribution centered at in the position quadrature and centered at in the momentum quadrature.
Alice encodes her bit, corresponding to the measured quadrature, as depicted in Fig. 1(b).

After the measurements, Bob simply announces the coordinates of the conclusive results, according to a post-selection threshold . If the quadratures give the measured values above the threshold, the results are deemed conclusive, otherwise inconclusive. This is necessary to mitigate the bit errors that may otherwise arise due to the strong overlap of quadrature distributions below this threshold.
We define the efficiency of a protocol as the probability that the state is measured in the correct basis. Thus, of a protocol is a measure of the fraction of the measurement results that are not discarded during the execution of the protocol. Since no results are discarded in E4 protocol, its efficiency, . It is to be noticed that the initial states are prepared and sent by Alice and the conclusive results are communicated from the “reverse” direction, i.e., Bob’s end. Hence, if Bob wishes to communicate a stego bit, he asks Alice to initialize the QKD run (and vice versa), following which Steps 1–4 are executed. For successful steganographic communication, appropriate changes are to be made in Step 5 of the above protocol in the following manner.
5 Bob announces his conclusive results randomly with the condition that the announcement is the stego bit.
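A Monte Carlo run of the steps above, given as an added example and not code from the paper: it shows why no result is discarded for basis mismatch in E4 while O4 keeps only half (Table 1), and how the post-selection threshold trades conclusive results for a lower bit error rate. The quadrature convention, the phases assigned to the O4 and E4 states, the sign-based bit assignment, the lossless channel and the values of alpha and the threshold are all assumptions.

```python
import math
import random

# Assumed convention (not given on the page): x = (a + a^dagger)/sqrt(2), so a
# coherent state |beta> yields homodyne outcomes N(sqrt(2)*Re(beta), 1/2) on x
# and N(sqrt(2)*Im(beta), 1/2) on p. Lossless channel, ideal detector.
SIGMA = math.sqrt(0.5)


def o4_states(alpha):
    """Assumed O4 set, phases 0/90/180/270 deg: one quadrature carries the bit."""
    return [complex(alpha, 0), complex(0, alpha),
            complex(-alpha, 0), complex(0, -alpha)]


def e4_states(alpha):
    """Assumed E4 set, phases 45/135/225/315 deg: both quadratures carry a bit."""
    r = alpha / math.sqrt(2)
    return [complex(r, r), complex(-r, r), complex(-r, -r), complex(r, -r)]


def run(states, n_pulses, threshold, rng):
    """Return (efficiency, conclusive_fraction, bit_error_rate) for one run."""
    kept = conclusive = errors = 0
    for _ in range(n_pulses):
        # The sender's choice is uniform and made before the receiver
        # announces anything, so announcements cannot skew it.
        beta = rng.choice(states)
        quad = rng.choice("xp")          # receiver picks a quadrature at random
        mean = math.sqrt(2) * (beta.real if quad == "x" else beta.imag)
        if abs(mean) < 1e-12:            # wrong basis for this state: discarded
            continue
        kept += 1
        outcome = rng.gauss(mean, SIGMA)
        if abs(outcome) <= threshold:    # inconclusive: position not announced
            continue
        conclusive += 1
        errors += (outcome > 0) != (mean > 0)
    rate = errors / conclusive if conclusive else 0.0
    return kept / n_pulses, conclusive / max(kept, 1), rate


def analytic(center, threshold):
    """Exact (conclusive_fraction, bit_error_rate) for outcomes N(+-center, 1/2)."""
    right = 0.5 * math.erfc(threshold - center)   # correct sign, past threshold
    wrong = 0.5 * math.erfc(threshold + center)   # wrong sign, past threshold
    return right + wrong, wrong / (right + wrong)


def compare(alpha=1.0, n_pulses=40000, seed=7):
    """Simulate O4 and E4 with and without post-selection (constructed inputs)."""
    rng = random.Random(seed)
    rows = {}
    for name, states in (("O4", o4_states(alpha)), ("E4", e4_states(alpha))):
        for thr in (0.0, 1.0):
            rows[(name, thr)] = run(states, n_pulses, thr, rng)
    return rows


if __name__ == "__main__":
    for (name, thr), (eff, frac, err) in compare().items():
        print(f"{name} threshold={thr:.1f}  efficiency={eff:.3f}  "
              f"conclusive={frac:.3f}  bit error rate={err:.4f}")
```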
IV.2.2 Generalization to state protocols
The generalization of these protocols to state protocols has been explicitly shown in PhysRevA.74.032302 . The comparison for for has been shown in Table 1. The general coherent state protocol works as follows:

Alice sends coherent states to Bob for any state protocol.

Bob measures the position () or momentum () quadrature randomly.

Classical Communication: Bob announces his measurement basis.

Classical Communication: Alice confirms whether the measurement basis is correct or not.

Classical Communication: Bob announces the conclusive results.
The above steps reveal the inherent symmetry and provide a general structure of the similar protocols, which in turn allows one to develop other such protocols for different number of states, with different values of .
Protocol   state | O4  | E4 | Three-state | Six-state | Eight-state
Efficiency,      | 1/2 | 1  | 2/3         | 2/3       | 3/4
Although there is classical communication from Alice’s end in Step 4, the information of the correct measurement basis cannot be used by the eavesdropper to gain additional information about the states, which is evident from the facts that the encoding subsets in any state protocol have common states and these protocols are secure against standard beam splitter attacks. Therefore, it is secure against standard QKD attacks and more importantly, does not interfere with successful steganographic communication. Assuming that Bob is the party communicating the stego bit, for achieving the same, Step 5 is modified slightly as follows.
5 Bob announces his conclusive results randomly with the condition that the announcement is the stego bit.
IV.3 Extension to CVB92 protocol
In Borelli_2015 , it was shown that discrete modulation CVQKD is possible using single PASCS. The nonclassicality of PASCS can be exploited for improving QKD performance compared to coherent states.
A single PASCS is obtained by simply adding, then subtracting a photon from a coherent state. It is defined as
(5) 
where is the initial coherent state with 0 and the mean photon number , and are the corresponding annihilation and creation operators and is the normalization constant which is defined as . can be written as a superposition of a coherent state (Gaussian component) and a photon-added coherent state (non-Gaussian component), i.e.,
(6) 
This protocol, which we refer to as CVBB84 protocol here, simply replaces the coherent states in O4 protocol with corresponding single PASCS , respectively. The () represents bit ‘1’ and () represents bit ‘0’.
Recently, a protocol that uses PASCS states and can be seen as a CV counterpart of the B92 protocol was also proposed Srikara2020Oct . It eliminates the need for post-protocol classical communication from Alice’s side completely.
The protocol can be described as follows:

Alice randomly sends , corresponding to ‘0’ or , corresponding to ‘1’.

Bob measures the position (), corresponding to ‘0’ or momentum () quadrature, corresponding to ‘1’ randomly.

Bob encodes his bit as
where is the post-selection threshold, which implies that the result is conclusive if and only if the measured value of (or ) is less than .

After the measurements, Bob simply announces the coordinates of the conclusive results. Since Bob’s bit value is exactly anticorrelated to Alice’s encoding, he flips his bits in order to obtain the common mutual secure key.
The absence of direct communication makes a perfect recipe for successful reverse steganographic communication. This can be achieved by the following modification in Step 4:
4 Bob announces his conclusive results randomly with the condition that the announcement is the stego bit.
V Conclusion
Motivated by the vulnerabilities of the MQS protocol based on QKD, we discuss a general procedure to extend a QKD protocol into one for steganography in a way that eliminates this weakness. The basic, simple idea is that the party communicating the steganographic information is in the reverse direction of the party sending the initial quantum states. Further, the latter itself is camouflaged as if it is part of the classical reconciliation required for the QKD. This is demonstrated through a number of example protocols. As CVQKD has been experimentally demonstrated jouguet2013experimental ; zhang2020long , our proposed scheme is feasible with current quantum technology. Our work is an attempt to explore the possibilities for steganography using QKD and we indicate a few new directions that it opens up for future exploration.
First is the question of the possibility of our proposal being adapted for protocols for secure direct communication yadav2014two ; lucamarini2005secure , which normally eliminate or minimize classical information being sent by Alice. Another is to explore other forms of reverse communication that may be used by Bob that can improve secrecy or classical efficiency. Lastly, our work is hoped to open up various possibilities for experimentalists.
Acknowledgment
RJ, AG, RS and AP acknowledge the support from the QUEST scheme of Interdisciplinary Cyber Physical Systems (ICPS) program of the Department of Science and Technology (DST), India (Grant No.: DST/ICPS/QuST/Theme1/2019/14 (Q80)). KT acknowledges GA CR (project No. 1822102S) and support from ERDF/ESF project ‘Nanotechnologies for Future’ (CZ.02.1.01/0.0/0.0/16 019/0000754). RS also acknowledges the support of DST, India, Grant No. MTR/2019/001516.
References
 [1] David Kahn. The history of steganography. In International Workshop on Information Hiding, pages 1–5. Springer, 1996.
 [2] Ingemar Cox, Matthew Miller, Jeffrey Bloom, Jessica Fridrich, and Ton Kalker. Digital watermarking and steganography. Morgan kaufmann, 2007.
 [3] Neil F Johnson and Sushil Jajodia. Exploring steganography: Seeing the unseen. Computer, 31(2):26–34, 1998.
 [4] Jessica Fridrich. Steganography in Digital Media: Principles, Algorithms, and Applications. Cambridge University Press, Cambridge, England, UK, 2009.
 [5] Ross J Anderson and Fabien AP Petitcolas. On the limits of steganography. IEEE J. Selected Areas Commun., 16(4):474–481, 1998.
 [6] Phil Sallee. Model-based steganography. In International Workshop on Digital Watermarking, pages 154–167. Springer, 2003.
 [7] Niels Provos and Peter Honeyman. Hide and seek: An introduction to steganography. IEEE Security & Privacy, 1(3):32–44, 2003.
 [8] Christian Cachin. An information-theoretic model for steganography. In International Workshop on Information Hiding, pages 306–318. Springer, 1998.
 [9] Charles H. Bennett and Gilles Brassard. Quantum cryptography: Public key distribution and coin tossing. In Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, pages 175–179, Bangalore, 1984.
 [10] Akshata Shenoy-Hejamadi, Anirban Pathak, and Srikanth Radhakrishna. Quantum cryptography: key distribution and beyond. Quanta, 6(1):1–47, 2017.
 [11] Julio Gea-Banacloche. Hiding messages in quantum data. J. Math. Phys., 43(9):4531–4536, 2002.
 [12] Bilal A Shaw and Todd A Brun. Quantum steganography with noisy quantum channels. Phys. Rev. A, 83(2):022310, 2011.
 [13] Zhi-Guo Qu, Xiu-Bo Chen, Xin-Jie Zhou, Xin-Xin Niu, and Yi-Xian Yang. Novel quantum steganography with large payload. Opt. Commun., 283(23):4782–4786, 2010.
 [14] Nan Jiang, Na Zhao, and Luo Wang. LSB based quantum image steganography algorithm. Int. J. Theor. Phys., 55(1):107–123, 2016.
 [15] Takashi Mihara. Quantum steganography using prior entanglement. Phys. Lett. A, 379(12-13):952–955, 2015.
 [16] Gaofeng Luo, Ri-Gui Zhou, and Wen-Wen Hu. Efficient quantum steganography scheme using inverted pattern approach. Quant. Infor. Proc., 18(7):222, 2019.
 [17] Engin Şahin and İhsan Yilmaz. A novel quantum steganography algorithm based on LSBq for multi-wavelength quantum images. Quant. Infor. Proc., 17(11):319, 2018.
 [18] Zhiguo Qu, Zhenwen Cheng, and Xiaojun Wang. Matrix coding-based quantum image steganography algorithm. IEEE Access, 7:35684–35698, 2019.
 [19] A El Allati, MB Ould Medeni, and Y Hassouni. Quantum steganography via Greenberger-Horne-Zeilinger GHZ state. Commun. Theor. Phys., 57(4):577, 2012.
 [20] Keye Martin. Steganographic communication with quantum information. In Teddy Furon, François Cayre, Gwenaël Doërr, and Patrick Bas, editors, Information Hiding, pages 32–49, Berlin, Heidelberg, 2007. Springer Berlin Heidelberg.
 [21] Zhiguo Qu, Yiming Huang, and Min Zheng. A novel coherence-based quantum steganalysis protocol. Quant. Infor. Proc., 19:362, 2020.
 [22] Ryo Namiki and Takuya Hirano. Security of quantum cryptography using balanced homodyne detection. Phys. Rev. A, 67(2), 2003.
 [23] Ryo Namiki and Takuya Hirano. Efficient-phase-encoding protocols for continuous-variable quantum key distribution using coherent states and postselection. Phys. Rev. A, 74:032302, 2006.
 [24] Alexander S. Holevo. Statistical Structure of Quantum Theory. Springer-Verlag, Berlin, Germany, 2001.
 [25] Carl W. Helstrom. Quantum detection and estimation theory. J. Stat. Phys., 1(2):231–252, 1969.
 [26] Anirban Pathak. Elements of quantum computation and quantum communication. CRC Press Boca Raton, 2013.
 [27] Takuya Hirano, Tsubasa Ichikawa, Takuto Matsubara, Motoharu Ono, Yusuke Oguri, Ryo Namiki, Kenta Kasai, Ryutaroh Matsumoto, and Toyohiro Tsurumaru. Implementation of continuous-variable quantum key distribution with discrete modulation. Quant. Sc. Tech., 2(2):024010, 2017.
 [28] Frédéric Grosshans, Gilles Van Assche, Jérôme Wenger, Rosa Brouri, Nicolas J. Cerf, and Philippe Grangier. Quantum key distribution using Gaussian-modulated coherent states. Nature, 421(6920):238–241, 2003.
 [29] Frédéric Grosshans and Philippe Grangier. Continuous variable quantum cryptography using coherent states. Phys. Rev. Lett., 88(5):057902, 2002.
 [30] Shouvik Ghorai, Philippe Grangier, Eleni Diamanti, and Anthony Leverrier. Asymptotic security of continuous-variable quantum key distribution with a discrete modulation. Phys. Rev. X, 9(2), 2019.
 [31] Eneet Kaur, Saikat Guha, and Mark M. Wilde. Asymptotic security of discrete-modulation protocols for continuous-variable quantum key distribution. Phys. Rev. A, 103(1), 2021.
 [32] Jie Lin, Twesh Upadhyaya, and Norbert Lütkenhaus. Asymptotic security analysis of discrete-modulated continuous-variable quantum key distribution. Phys. Rev. X, 9(4), 2019.
 [33] L. F. M. Borelli, L. S. Aguiar, J. A. Roversi, and A. Vidiella-Barranco. Quantum key distribution using continuous-variable non-Gaussian states. Quant. Infor. Proc., 15(2):893–904, 2015.
 [34] S. Srikara, Kishore Thapliyal, and Anirban Pathak. Continuous variable B92 quantum key distribution protocol using single photon added and subtracted coherent states. Quant. Infor. Proc., 19(10):371, 2020.
 [35] Paul Jouguet, Sébastien Kunz-Jacques, Anthony Leverrier, Philippe Grangier, and Eleni Diamanti. Experimental demonstration of long-distance continuous-variable quantum key distribution. Nature Photonics, 7(5):378–381, 2013.
 [36] Yichen Zhang, Ziyang Chen, Stefano Pirandola, Xiangyu Wang, Chao Zhou, Binjie Chu, Yijia Zhao, Bingjie Xu, Song Yu, and Hong Guo. Long-distance continuous-variable quantum key distribution over 202.81 km of fiber. Phys. Rev. Lett., 125(1):010502, 2020.
 [37] Preeti Yadav, R Srikanth, and Anirban Pathak. Two-step orthogonal-state-based protocol of quantum secure direct communication with the help of order-rearrangement technique. Quant. Infor. Proc., 13(12):2731–2743, 2014.
 [38] Marco Lucamarini and Stefano Mancini. Secure deterministic communication without entanglement. Phys. Rev. Lett., 94(14):140501, 2005.