Operational Threat Modeling of Adversarial Noise in Continuous-Variable Quantum Communication

1. Introduction

Recent advances in quantum communication have made increasingly clear that security and integrity are shaped not only by idealized theoretical guarantees, but also by operational constraints such as finite measurement resolution, estimator tolerances, and hardware-imposed control limits. In particular, our prior work demonstrated that finite-resolution measurements can induce regions of operational indistinguishability, termed convergence vicinities, in which distinct physical models become experimentally indistinguishable without violating Bell’s theorem itself [1]. That analysis revealed a class of vulnerabilities in quantum integrity verification frameworks that rely on static thresholds or idealized measurement assumptions.

The present work extends this operational perspective to continuous-variable quantum communication (CVQC), where estimator tolerances manifest directly in phase-space quadrature statistics inferred from finite-resolution measurements. While Ref. [1] focused on discrete-variable integrity verification, CVQC systems introduce a qualitatively different attack surface: security- and performance-critical decisions are made directly from continuous-valued estimators, such as quadrature variances and covariance matrices, which are inherently subject to finite-sample uncertainty.

In CVQC systems, quantum information is encoded in the canonical quadratures of optical modes and accessed experimentally via homodyne or heterodyne detection. Rather than treating noise exclusively as an uncontrolled environmental process, we consider adversarial noise: intentional, structured disturbances designed to exploit estimator tolerances, probe system stability, or disrupt communication. Such interference need not appear as anomalously large fluctuations; instead, it may be engineered to remain within nominal operating margins while gradually biasing parameter estimation, degrading coherence, or undermining operational assumptions.

CVQC plays a central role in quantum communication and networking due to its compatibility with existing optical infrastructure and its scalability [2,3,4]. At the same time, CVQC implementations are known to be sensitive to excess noise, phase instability, and detector limitations, which can compromise inferred channel parameters and communication reliability, particularly under finite-size parameter-estimation constraints [2,5,6,7,8,9]. These sensitivities define a physical-layer attack surface in which adversarial disturbances can be shaped to interact with finite-resolution estimation and acceptance criteria [10,11].

In this work, we classify adversarial interference in CVQC into three operational regimes. Reconnaissance noise consists of low-amplitude perturbations engineered to remain within estimator tolerances while extracting information about system parameters, directly analogous to convergence-vicinity exploitation in discrete-variable systems [1]. Exploratory noise introduces moderate, structured disturbances intended to probe stability margins and reveal directional sensitivities in phase space. Finally, denial-of-service (DoS) noise corresponds to high-intensity interference that overwhelms estimation and control capabilities, forcing operational failure. Throughout this work, covariance matrices are expressed in units where the vacuum variance is normalized to unity, and proportionality constants relating energy and covariance trace are omitted for clarity.

To analyze these regimes in an implementation-relevant manner, we adopt a receiver-centric modeling perspective based on Gaussian channels acting on phase-space quadratures. Within this framework, we characterize how adversarial noise perturbs second-order quadrature moments and induces systematic degradation of state coherence and purity. We introduce an energy-deviation metric derived from the trace of the covariance matrix, providing a compact and experimentally accessible scalar observable that links adversarial disturbances to estimator degradation and operational failure thresholds under finite-sample constraints.

This manuscript is intentionally scoped to operational threat modeling. Accordingly, we do not propose or validate mitigation, control, or adaptive response mechanisms. Questions of how to detect, estimate, or actively counter adversarial perturbations through feedback, modulation, or protocol adaptation are deferred to future work, where defensive strategies can be evaluated against the threat regimes and observables defined here.

Specifically, this work makes three contributions: (i) it formalizes a taxonomy of adversarial noise regimes in CVQC grounded in operational intent and estimator visibility; (ii) it develops a Gaussian-channel modeling framework that captures adversarial interference at the level of receiver-accessible covariance statistics without assumptions about adversary capabilities; and (iii) it introduces an energy-deviation metric and finite-sample detectability analysis that connect excess noise accumulation to estimator tolerances and operational failure boundaries. Together, these results establish a structured, receiver-centric foundation for analyzing physical-layer adversarial behavior in continuous-variable quantum communication.

2. Related Work and Gap Statement

2.1. Continuous-Variable Quantum Communication and Parameter Estimation

Continuous-variable quantum communication (CVQC) protocols encode information in the amplitude and phase quadratures of optical modes and rely on statistical inference over continuous measurement outcomes to establish correctness, performance, and, where applicable, security. Homodyne and heterodyne detection schemes provide direct access to quadrature observables, making CVQC naturally compatible with Gaussian-state modeling and covariance-matrix descriptions [2,12].

A central component of CVQC operation is parameter estimation. Practical implementations infer quantities such as channel loss, excess noise, quadrature variances, and covariance structure from finite ensembles of measurement outcomes. These estimates underpin protocol decisions, including acceptance or abort conditions in quantum key distribution, calibration and stability assessment in quantum networking, and performance evaluation in sensing and verification tasks [2,9]. As a result, the reliability of CVQC systems is fundamentally tied to the statistical properties of these estimators, particularly under finite-size constraints where confidence regions and acceptance thresholds must be defined explicitly [5,6,7].

Existing analyses of parameter estimation in CVQC typically focus on environmental and device-induced noise sources, including thermal noise, detector inefficiency, phase drift, and loss [8,12]. Within this framework, excess noise is often treated as a stationary or weakly time-varying stochastic process, and security or performance guarantees are derived under assumptions of well-characterized noise statistics and asymptotic or large-sample limits.

However, in realistic operating conditions, parameter estimation is constrained by finite measurement resolution, finite sample sizes, and implementation-specific acceptance margins. These constraints introduce estimator tolerances: bounded regions in parameter space within which observed statistics are deemed consistent with nominal operation. While such tolerances are necessary for practical operation, they also create regions of operational indistinguishability, where distinct underlying disturbances produce statistically indistinguishable measurement outcomes over finite observation windows.

Recent work in discrete-variable quantum integrity verification has shown that finite-resolution effects can be systematically exploited by adversarial probing strategies that remain within estimator tolerances while biasing inferred parameters [1]. In continuous-variable systems, where security- and performance-critical decisions are made directly from continuous-valued estimators, analogous vulnerabilities can arise at the level of phase-space statistics. Nevertheless, existing CVQC literature has largely treated parameter estimation as a passive inference problem rather than as a potential attack surface shaped by estimator design and tolerance thresholds.

This gap motivates a receiver-centric, operational examination of parameter estimation in CVQC under adversarial conditions. Rather than assuming noise to be purely environmental or benign, the present work considers how structured disturbances interact with finite-resolution estimation procedures and how their impact manifests in experimentally accessible covariance statistics. This perspective reframes parameter estimation not only as a tool for system characterization, but also as a potential locus of adversarial exploitation in continuous-variable quantum communication.

2.2. Implementation Constraints: Finite Resolution, Finite Samples, and Acceptance Regions

Practical continuous-variable quantum communication (CVQC) systems operate under unavoidable implementation constraints that shape how quantum states and channels are characterized in practice. Chief among these constraints are finite measurement resolution, finite sample sizes, and the use of predefined acceptance regions for parameter estimation. Together, these factors determine the operational limits of inference and play a central role in how noise, benign or adversarial, manifests in experimentally accessible statistics.

Finite measurement resolution arises from detector noise, electronic bandwidth limitations, digitization, and coarse-graining of continuous outcomes. Homodyne and heterodyne measurements therefore yield discretized quadrature samples with nonzero uncertainty, even under idealized state preparation. As a result, small perturbations to underlying quadrature distributions may be indistinguishable from measurement-induced fluctuations, particularly over limited observation windows [9,12].

Finite sample sizes further constrain parameter estimation. In operational settings, covariance matrices and excess-noise parameters are inferred from a limited number of measurement outcomes, leading to statistical uncertainty that scales inversely with the number of samples. Confidence intervals and hypothesis tests used in protocol verification must therefore accommodate estimator variance, introducing tolerance margins that grow as sample sizes decrease or noise levels increase. These finite-size effects and confidence-region constructions are well established in continuous-variable quantum key distribution and related CV platforms [5,6,13]. These effects are well understood in benign noise models but become critical when disturbances are structured or non-stationary.

To ensure reliable operation, CVQC implementations define acceptance regions for estimated parameters, within which observed statistics are deemed consistent with nominal behavior. These regions may be specified explicitly, as in security margins for quantum key distribution, or implicitly, through calibration thresholds and performance criteria in communication and networking applications. Acceptance regions are thus an integral part of system design, translating statistical uncertainty into operational decision rules.

While acceptance regions are necessary for practical operation, they also define regions of operational indistinguishability. Distinct physical disturbances that induce parameter shifts smaller than estimator tolerances cannot be reliably discriminated by the receiver, even if they are systematic or adversarial in origin. This phenomenon has been identified in discrete-variable integrity verification as a source of exploitable structure under finite-resolution measurements [1]. In continuous-variable systems, where decisions are made directly from continuous-valued estimators, analogous indistinguishability arises naturally from finite resolution and finite data.

Existing CVQC analyses typically treat these implementation constraints as technical limitations to be mitigated through longer integration times or improved hardware. In contrast, the present work treats finite resolution, finite samples, and acceptance regions as defining features of the operational threat landscape. By explicitly incorporating these constraints into the characterization of adversarial noise, we expose how estimator tolerances shape the boundary between detectable and operationally invisible disturbances in continuous-variable quantum communication.

2.3. Physical-Layer Adversaries in Optical/CV Links: Excess Noise, Phase Perturbations, and Jamming

Physical-layer adversaries targeting optical and continuous-variable (CV) communication links have been studied primarily in the context of excess noise, phase instability, and optical jamming. In much of the existing literature, such disturbances are modeled as environmental or technical imperfections, including thermal noise, laser phase noise, imperfect synchronization, and channel loss fluctuations. These effects are typically assumed to be stationary or weakly time varying, and mitigation strategies focus on calibration, stabilization, and post-processing [2,12].

Excess noise is a central performance-limiting factor in CVQC, particularly in continuous-variable quantum key distribution (CV-QKD), where security thresholds are defined in terms of tolerable noise above the shot-noise limit [14]. Prior work has extensively analyzed how excess noise degrades key rates, limits transmission distance, and constrains security margins. However, excess noise is most often treated as an aggregate parameter arising from uncontrolled environmental processes or imperfect components, rather than as a deliberately structured disturbance shaped to exploit estimator tolerances.

Phase perturbations constitute another well-studied class of physical-layer effects in optical links. Phase noise can arise from laser linewidth, fiber fluctuations, or reference-frame misalignment, and has motivated a large body of work on phase tracking, compensation, and synchronization [15]. These studies typically assume benign drift or stochastic fluctuations and aim to restore a fixed or slowly varying phase reference. The possibility that phase perturbations may be intentionally structured, timed, or biased to probe system sensitivities or estimator robustness is rarely addressed explicitly.

Optical jamming and denial-of-service–like interference have also been considered in classical and quantum optical communication, particularly in free-space or shared-fiber scenarios [11]. In quantum settings, such interference is generally associated with overt disruption, detector saturation, or protocol abort conditions. As a result, jamming is often treated as an easily detectable failure mode rather than as part of a broader continuum of adversarial behavior that includes stealthy or sub-threshold interference.

A growing body of work has further highlighted that optical and CV quantum links are susceptible to explicitly implementation-level physical-layer attacks, including detector saturation, local-oscillator (LO) manipulation, wavelength-dependent jamming, and calibration-dependent exploits that bypass idealized security assumptions while remaining compatible with nominal parameter estimates [7,11]. These studies emphasize that adversarial control over physical-layer degrees of freedom can directly translate into estimator bias, parameter mischaracterization, or forced protocol behavior without violating abstract protocol models.

Across these bodies of work, a common implicit assumption is that physical-layer disturbances can be categorized either as benign noise to be estimated and compensated, or as catastrophic interference that immediately invalidates operation. This dichotomy obscures intermediate regimes in which disturbances are intentionally shaped to remain within accepted operating margins while extracting information, biasing inference, or mapping system robustness. Moreover, prior analyses seldom connect physical-layer perturbations directly to estimator tolerances and acceptance regions that govern operational decisions at the receiver.

The present work departs from this perspective by treating excess noise, phase perturbations, and jamming as manifestations of a broader class of adversarial interference at the physical layer. Rather than classifying disturbances solely by physical mechanism, we organize them by operational intent and by their impact on receiver-side observables relative to estimator tolerances. This receiver-centric viewpoint enables a unified treatment of stealthy probing, stress-inducing perturbations, and overt disruption within a single operational threat-modeling framework for continuous-variable quantum communication.

To situate the proposed regime taxonomy within the broader landscape of physical-layer security research, it is useful to relate the operational regimes defined here to well-known classes of implementation-level disturbances studied in optical and continuous-variable systems. Importantly, this mapping is not intended to propose, analyze, or validate specific attack implementations. Rather, it provides an interpretive bridge between mechanism-agnostic adversarial regimes, defined solely by their receiver-observable impact relative to estimator tolerances, and representative families of physical-layer interference discussed in the literature.

The associations in Table 1 should be interpreted strictly at the level of receiver-observable effects. Multiple physical mechanisms may map to the same effective disturbance in estimator space, and a single physical-layer technique may realize different adversarial regimes depending on amplitude, timing, and interaction with finite-sample tolerances. Accordingly, regime classification in this work is determined by statistical visibility and operational consequence at the receiver, not by assumptions about attacker hardware, access, or intent. This receiver-centric abstraction allows disparate physical-layer phenomena to be analyzed within a single operational framework, while remaining agnostic to specific exploitation pathways or device-level vulnerabilities.

2.4. Gap and Contributions

Despite extensive study of noise, loss, and imperfections in continuous-variable quantum communication (CVQC), a clear gap remains in how physical-layer disturbances are conceptualized and analyzed from an adversarial perspective. Existing work predominantly treats excess noise, phase instability, and jamming either as benign environmental effects to be estimated and compensated, or as catastrophic failures that immediately invalidate operation. This framing overlooks a broad intermediate regime in which disturbances are deliberately structured to exploit finite measurement resolution, finite sample sizes, and estimator tolerances without necessarily triggering protocol aborts or anomaly flags.

Relative to our prior work on discrete-variable integrity verification and convergence vicinities [1], the present study extends the notion of operational indistinguishability to continuous-variable systems by: (i) translating indistinguishability from outcome statistics to covariance and estimator space in CVQC; (ii) defining adversarial regime boundaries explicitly in terms of receiver-side tolerances and acceptance regions; and (iii) introducing an energy-deviation observable together with a finite-sample detectability analysis that quantifies regime transitions under realistic estimation constraints.

In particular, prior analyses rarely formalize how receiver-side acceptance regions and confidence thresholds shape what constitutes an operationally detectable disturbance. As a result, there is limited theoretical machinery for reasoning about stealthy probing, gradual parameter biasing, or adversarial stress-testing at the physical layer of CVQC systems. Moreover, while security and robustness are often discussed at the protocol or information-theoretic level, there is a lack of receiver-centric threat models that directly connect physical-layer interference to experimentally accessible observables such as covariance matrices and inferred energy.

This work addresses these gaps by introducing an explicitly operational threat-modeling framework for adversarial noise in CVQC. The central contributions are threefold. First, we formalize a taxonomy of adversarial noise regimes, reconnaissance, exploratory, and denial-of-service, distinguished by adversarial intent and by their observable impact relative to estimator tolerances rather than by assumed physical mechanisms. Second, we develop a Gaussian-channel modeling approach that captures adversarial interference at the level of receiver-accessible phase-space statistics, avoiding assumptions about the adversary’s internal capabilities or resources. Third, we introduce an energy-deviation metric derived from the trace of the covariance matrix, providing a compact, protocol-agnostic, and experimentally compatible scalar measure that links excess noise accumulation to estimator degradation and operational failure thresholds.

Together, these contributions establish a structured foundation for analyzing physical-layer attack surfaces in continuous-variable quantum communication. By shifting the focus from idealized noise models to receiver-observable effects under finite resolution and finite data, the framework enables systematic reasoning about how benign-appearing perturbations can escalate into destabilizing interference. This perspective complements existing security and robustness analyses and sets the stage for subsequent work on detection, mitigation, and adaptive control strategies grounded in operational observables.

3. Adversarial Noise Modelling

From a cybersecurity perspective, adversarial noise in CVQC constitutes a physical-layer attack surface, where structured perturbations exploit estimator tolerances, control assumptions, and finite-resolution effects rather than protocol-level logic.

In continuous-variable (CV) quantum systems, quantum information is encoded in the canonical quadratures $\widehat{x}$ and $\widehat{p}$ of optical modes. These quadratures fully characterize Gaussian quantum states and form the operational foundation of CVQC systems and devices [12]. As a result, performance- and integrity-relevant information in CVQC is inferred directly from finite-resolution measurements of phase-space observables.

In this work, we define adversarial noise as intentionally engineered perturbations applied to phase-space quadratures with the objective of probing system parameters, exploiting estimator tolerances, or disrupting communication. This definition contrasts with environmental noise, which arises from uncontrolled physical processes and is typically modeled as stationary or weakly varying. Adversarial noise is instead structured, may be adaptive, and is informed by the system’s observable behavior and response.

At an operational level, adversarial noise is modeled as an effective Gaussian channel acting on the phase-space vector $\widehat{\mathbf{r}}={(\widehat{x},\widehat{p})}^{\mathsf{T}}$:

$${\widehat{\mathbf{r}}}^{\prime }=G\widehat{\mathbf{r}}+\xi ,$$

(1)

where G is a real linear transformation on phase space representing deterministic effects such as attenuation, amplification, rotation, or effective squeezing as inferred from receiver-accessible observables, and $\xi$ is a classical random vector drawn from a zero-mean Gaussian distribution with covariance matrix N. This representation should be understood as a phenomenological description of the observable impact of adversarial interference at the receiver, rather than as a claim about the physical implementation or capabilities of the adversary. In particular, G is not assumed to correspond to a physically realized or symplectic operation, and the model does not assume that the adversary performs coherent quantum operations, implements symplectic control, or possesses quantum-level access to the channel.

Figure 1. Receiver-centric operational threat surface for continuous-variable quantum communication. Adversarial actions can enter at multiple physical-layer points (e.g., phase reference manipulation, injected noise/jamming, detector/ADC saturation), while the receiver’s decision logic is based on finite-resolution measurements and estimators of first- and second-order quadrature moments (mean/covariance). This diagram provides an operational interpretation of the effective Gaussian-channel model in Eq. (1).

Figure 1. Receiver-centric operational threat surface for continuous-variable quantum communication. Adversarial actions can enter at multiple physical-layer points (e.g., phase reference manipulation, injected noise/jamming, detector/ADC saturation), while the receiver’s decision logic is based on finite-resolution measurements and estimators of first- and second-order quadrature moments (mean/covariance). This diagram provides an operational interpretation of the effective Gaussian-channel model in Eq. (1).

In this receiver-centric view, the parameters $(G,N)$ summarize the net observable impact of upstream disturbances on the statistics used by the receiver’s estimator and acceptance test.

Distinct adversarial strategies correspond to different effective choices of G and N, reflecting both the intensity and operational intent of the interference. Throughout this work, adversarial noise is therefore treated as an operationally defined disturbance characterized solely by its receiver-side statistical signatures, independent of assumptions about the adversary’s underlying physical resources or attack mechanism.

3.1. Receiver Observables and Estimator Tolerances

The operational impact of adversarial noise in continuous-variable quantum communication is determined not only by the physical disturbance applied to the channel, but by how that disturbance manifests in receiver-accessible observables. In practice, integrity assessment, calibration, and performance verification in CVQC rely on finite-sample estimates of quadrature moments derived from homodyne or heterodyne measurements with limited resolution and detector noise.

At the receiver, experimentally accessible information is typically restricted to first- and second-order moments of the quadratures, summarized by the estimated mean vector and covariance matrix. These estimates are subject to statistical uncertainty arising from finite data acquisition, detector inefficiencies, and coarse-graining effects. As a result, any verification or monitoring procedure implicitly defines estimator tolerances: bounded regions in parameter space within which observed statistics are deemed consistent with nominal operation.

Adversarial noise exploits these tolerances by shaping perturbations so that their induced changes in observable statistics remain within accepted confidence intervals, at least over limited observation windows. In this sense, the adversary interacts not with the ideal quantum state itself, but with the receiver’s statistical inference layer. This perspective mirrors the convergence-vicinity concept introduced in discrete-variable integrity verification, where finite resolution renders distinct underlying models operationally indistinguishable.

Formally, let $\widehat{V}$ denote the estimated covariance matrix obtained from a finite ensemble of measurements. Acceptance regions for nominal operation can be represented as

$$\parallel \widehat{V}-V_{\mathrm{ref}}\parallel \le {\delta }_V,$$

(2)

where $V_{\mathrm{ref}}$ is a reference covariance matrix and the norm may be interpreted operationally as a chosen matrix norm (e.g., the Frobenius norm) or, equivalently, as a set of elementwise confidence bounds on the estimated covariance entries. The tolerance ${\delta }_V$ is determined by finite sample size, measurement resolution, and the receiver’s false-alarm or confidence-level design. Adversarial perturbations that induce changes smaller than ${\delta }_V$ are operationally invisible, even if they introduce systematic bias or accumulate deleterious effects over time.

This receiver-centric viewpoint motivates the modeling choices adopted throughout this work. Rather than characterizing adversarial noise by its physical origin or implementation, we classify it by its observable impact relative to estimator tolerances. Reconnaissance, exploratory, and denial-of-service noise regimes can then be distinguished by how their induced covariance distortions relate to these acceptance regions, providing a unified operational basis for adversarial threat modeling in CVQC.

Within this framework, we classify adversarial noise in CVQC into three operational categories: reconnaissance noise, exploratory noise, and denial-of-service (DoS) noise. These categories are distinguished not only by noise intensity, but by adversarial intent and by their characteristic impact on phase-space statistics, estimator reliability, and operational stability.

In later sections, we use $\tau$ as a scalar analogue of ${\delta }_V$ for variance-based monitoring, and ${\delta }_{\mathrm{est}}$ as a generic tolerance scale when the specific estimator is not explicitly specified.

3.2. Summary of Adversarial Regimes

For clarity and implementation relevance, Table 2 summarizes the three adversarial-noise regimes considered in this work in terms of (i) operational intent, (ii) characteristic noise intensity relative to estimator tolerances, (iii) dominant observable signatures in receiver-side quadrature statistics, and (iv) expected operational consequence for continuous-variable quantum communication (CVQC). This summary emphasizes that the regimes are defined operationally by how disturbances manifest in experimentally accessible observables, rather than by assumptions about the adversary’s physical resources or internal attack mechanism.

These regime boundaries should be interpreted as receiver-defined surfaces in estimator space, determined by measurement resolution, sample size, estimator design, and acceptance criteria, rather than as intrinsic thresholds of the underlying physical disturbance. Accordingly, the regime boundaries in Table 2 are operational rather than absolute: the same physical perturbation may transition between regimes depending on device characteristics, finite-sample uncertainty, and application-specific failure thresholds. This perspective motivates the use of receiver-side covariance statistics, and in particular the energy-deviation metric introduced in Section 3, as a protocol-agnostic means of quantifying proximity to tolerance and failure boundaries.

Figure 2. Adversarial regime ladder versus tolerance ratio and receiver-observable signatures. Regimes are distinguished operationally by the magnitude of disturbance relative to estimator tolerances (e.g., $\nu /{\delta }_{\mathrm{est}}$), transitioning from acceptance-region stealth (reconnaissance) to measurable stress (exploratory) and ultimately to failure beyond operational thresholds (DoS).

Figure 2. Adversarial regime ladder versus tolerance ratio and receiver-observable signatures. Regimes are distinguished operationally by the magnitude of disturbance relative to estimator tolerances (e.g., $\nu /{\delta }_{\mathrm{est}}$), transitioning from acceptance-region stealth (reconnaissance) to measurable stress (exploratory) and ultimately to failure beyond operational thresholds (DoS).

3.3. Illustrative Example: Quadrature-Biased Excess Noise

To illustrate how the adversarial regimes defined above manifest in experimentally accessible observables, we consider a representative example of quadrature-biased excess noise. This example is not intended to model a specific attack implementation, but rather to demonstrate how structured disturbances project onto phase-space statistics and how their operational impact depends on noise intensity and estimator tolerances.

Figure 3 provides a phase-space visualization of the regime taxonomy using covariance ellipses (equivalently, Wigner-function contours) together with the associated energy-deviation scale $\Delta E\propto \mathrm{Tr}\left(V^{\prime }\right)-\mathrm{Tr}\left(V_0\right)$. The tolerance level ${\delta }_e$ denotes a receiver-defined energy-deviation margin (a scalar analogue of the covariance tolerance ${\delta }_V$), derived from the receiver’s finite-sample acceptance rule (e.g., Eq. (27) and the associated confidence level) and any additional resolution/calibration uncertainty. Under this interpretation, regime transitions correspond to changes in the statistical visibility of covariance distortions relative to ${\delta }_e$, rather than changes in physical mechanism.

We consider a single-mode Gaussian state with covariance matrix

$$V_0=\left(\begin{array}{cc}{\sigma }_x^2& 0\\ 0& {\sigma }_p^2\end{array}\right),$$

(3)

where ${\sigma }_x^2={\sigma }_p^2=1$ for the vacuum reference state. Adversarial interference is modeled as additive excess noise injected preferentially along the momentum-like quadrature,

$$V^{\prime }=\left(\begin{array}{cc}{\sigma }_x^2& 0\\ 0& {\sigma }_p^2+\nu \end{array}\right),$$

(4)

with $\nu \ge 0$ denoting the magnitude of the quadrature-biased disturbance.

Reconnaissance regime.

When $\nu$ is chosen such that $\nu \ll {\delta }_{\mathrm{est}}$, where ${\delta }_{\mathrm{est}}$ denotes the effective estimator tolerance imposed by finite sample size and detector resolution, the induced change in covariance remains within accepted confidence intervals. At this level, the energy deviation

$$\Delta E\propto \mathrm{Tr}\left(V^{\prime }\right)-\mathrm{Tr}\left(V_0\right),\mathrm{Tr}\left(V^{\prime }\right)-\mathrm{Tr}\left(V_0\right)=\nu .$$

(5)

is statistically indistinguishable from benign fluctuations on short timescales. Nevertheless, repeated application of such perturbations can bias inferred channel parameters, enabling adversarial probing without triggering static anomaly-detection criteria.

Exploratory regime.

For intermediate values of $\nu$, comparable to but not overwhelmingly exceeding estimator tolerances, the covariance matrix becomes measurably anisotropic. Observable consequences include elongation of the Wigner function along the p-quadrature and increased sensitivity to phase-space orientation. In this regime, phase-space rotations redistribute the excess variance between measured quadratures, producing phase-dependent changes in observed energy deviation and estimator performance. Such behavior reveals directional sensitivities and proximity to stability boundaries while preserving overall operability.

Denial-of-service regime.

When $\nu$ is increased such that $\nu \gg {\delta }_{\mathrm{est}}$ and exceeds device- or protocol-level operating limits, the excess variance dominates the covariance structure. The resulting energy deviation grows rapidly, state purity collapses, and quadrature statistics become incompatible with reliable parameter estimation or communication. In this regime, the biased-noise example transitions into denial-of-service interference, where functional breakdown occurs irrespective of phase-space orientation.

This simplified example highlights three key points. First, the same structured disturbance can realize different adversarial regimes depending solely on its magnitude relative to estimator tolerances and operational thresholds. Second, quadrature bias naturally induces phase-space anisotropy, making observable degradation strongly orientation dependent in the exploratory regime. Third, receiver-side covariance statistics, and in particular the energy-deviation metric, provide a unifying operational lens for diagnosing adversarial impact without requiring assumptions about the adversary’s physical capabilities.

3.4. Reconnaissance Noise

Reconnaissance noise consists of low-amplitude perturbations deliberately engineered to remain within estimator tolerances while extracting information about system parameters over time. This adversarial regime is characterized not by large fluctuations, but by stealth: the adversary seeks to avoid triggering integrity checks or anomaly-detection mechanisms while accumulating statistically meaningful information across repeated observations.

In continuous-variable systems, reconnaissance noise is well modeled as additive Gaussian excess noise with small variance:

$${\widehat{x}}^{\prime }=\widehat{x}+{ϵ}_x,{\widehat{p}}^{\prime }=\widehat{p}+{ϵ}_p,$$

(6)

where ${ϵ}_x,{ϵ}_p\sim \mathcal{N}(0,{\sigma }_{\mathrm{recon}}^2)$ and ${\sigma }_{\mathrm{recon}}^2$ is chosen to lie below detection thresholds imposed by finite measurement resolution and parameter-estimation uncertainty. At the level of individual measurements, such perturbations are experimentally indistinguishable from weak environmental noise. However, when applied persistently, they can introduce systematic bias into inferred system parameters.

This attack mechanism directly parallels the vulnerability identified in our prior work on quantum integrity verification, where finite-resolution measurements give rise to convergence vicinities, regions of operational indistinguishability in which classical and quantum statistical predictions coincide within experimental tolerance [1]. In the continuous-variable setting, reconnaissance noise exploits analogous estimator tolerances in phase-space measurements, enabling adversarial probing to proceed undetected so long as the induced excess noise remains within accepted confidence intervals.

Reconnaissance noise in CVQC can therefore be understood as the continuous-variable analogue of convergence-vicinity exploitation identified in discrete-variable integrity verification [1].

3.4.1. Implications for Quantum Communication Protocols and Devices

In practical continuous-variable quantum communication protocols and quantum devices, integrity and performance verification rely on parameter estimation performed with finite sample sizes, finite detector resolution, and predefined acceptance margins for noise, loss, or calibration error. Reconnaissance noise leverages these operational constraints by introducing small, structured perturbations that do not immediately violate acceptance criteria, yet gradually bias inferred system parameters.

These effects arise at the implementation level and do not contradict formal security, verification, or correctness guarantees, but instead undermine the assumptions under which parameter estimation faithfully reflects device or channel behavior. Small excess-noise contributions introduced within accepted confidence intervals may accumulate over time, shifting estimated operating points without triggering alarms or fault conditions.

Crucially, this vulnerability does not reflect a failure of quantum mechanics or abstract protocol guarantees, but rather the practical limitations of real-world implementations. As demonstrated in the discrete-variable context in [1], verification frameworks based on static thresholds can fail to detect adversarial behavior that is carefully engineered to remain within acceptable bounds. In continuous-variable quantum communication systems and devices, reconnaissance noise can similarly bias calibration, stability assessment, or performance metrics while remaining operationally invisible.

Figure 4 emphasizes that reconnaissance noise can be operationally stealthy even when individual perturbations remain below the instantaneous tolerance ${\delta }_e$ over short monitoring windows. In this regime, $\Delta E\left(t\right)$ may exhibit gradual upward drift due to repeated sub-threshold injections, causing delayed detection only when a cumulative threshold (or a long-horizon alarm criterion) is exceeded. This captures the practical distinction between per-window acceptability and long-term estimator bias: the receiver may repeatedly accept nominal behavior while the inferred operating point shifts over time.

Related long-horizon excess-noise accumulation effects under finite-size monitoring have been discussed in the context of CV-QKD parameter estimation and excess-noise tracking [6,7].

3.5. Exploratory Noise

Exploratory noise corresponds to moderate, structured perturbations intended to probe the stability limits of a quantum communication system. Unlike reconnaissance noise, which is engineered to remain strictly below detection thresholds, exploratory noise is designed to induce measurable, yet non-catastrophic, deviations in system behavior. The adversary’s objective at this stage is not immediate disruption, but rather to observe how the system responds to controlled stress, thereby identifying sensitivities, nonlinearities, and potential failure modes. Operationally, exploratory noise forms part of an attacker learning loop, in which injected perturbations are correlated with observable system responses to infer stability margins and response characteristics.

In continuous-variable systems, exploratory noise can be modeled operationally as a Gaussian channel combining moderate excess noise with phase-space distortion. At the level of quadrature operators, this is expressed as

$${\widehat{\mathbf{r}}}^{\prime }=R\left(\varphi \right)\widehat{\mathbf{r}}+{\xi }_{\exp },$$

(7)

where $R\left(\varphi \right)$ denotes a phase-space rotation by angle $\varphi$, and ${\xi }_{\exp }\sim \mathcal{N}(\mathbf{0},N_{\exp })$ represents additive Gaussian noise with covariance matrix $N_{\exp }$. The covariance $N_{\exp }$ exceeds typical environmental noise levels but remains below denial-of-service intensity. This phenomenological model captures physically realizable exploratory interference, including phase-reference perturbation and structured excess-noise injection, without assuming a specific adversarial implementation.

In contrast to reconnaissance noise, exploratory perturbations produce observable distortions in quadrature statistics and state covariance. These deviations remain compatible with continued system operation, allowing repeated observation of system behavior under stress. From an adversarial perspective, this regime enables systematic probing of how observable quantities respond to controlled perturbations across different operating conditions.

3.5.1. Impact on System Stability

Exploratory noise impacts system stability in several operationally significant ways:

1.

Phase-Space Asymmetry. Moderate phase rotations and excess noise introduce asymmetric distortions in the covariance matrix, revealing directional sensitivities in phase space and dependence on specific operating points.

2.

Dynamic Response Characteristics. Observable changes in quadrature statistics under exploratory perturbations expose characteristic response times, relaxation behavior, and transient dynamics of the system.

3.

Stability Margin Identification. By varying the magnitude and structure of injected perturbations, exploratory noise enables identification of regions in parameter space where performance degradation accelerates, signaling proximity to instability or failure thresholds.

These effects allow an adversary to construct an empirical map of system robustness, analogous to stress-testing and vulnerability discovery in classical engineered systems, translated here into the phase-space dynamics of continuous-variable quantum devices.

3.5.2. Exploratory Noise as a Precursor to Escalation

Exploratory noise serves as an intermediate stage between stealthy reconnaissance and overt denial-of-service interference. Information extracted during this phase, including sensitivity to phase distortions, tolerance to excess noise, and the onset of nonlinear or unstable behavior, can inform the design of subsequent, higher-intensity perturbations.

As such, exploratory noise plays a critical role in adversarial escalation strategies. It bridges low-amplitude, covert probing and overt disruption by enabling targeted refinement of attack parameters based on observed system behavior. In continuous-variable quantum communication systems, this progression highlights the importance of understanding not only failure modes, but also the structured pathways through which adversarial interference can evolve from benign-appearing perturbations into destabilizing attacks.

3.6. Denial-of-Service (DoS) Noise

Denial-of-service (DoS) noise represents the most severe class of adversarial interference considered in this work. It is characterized by high-intensity perturbations that overwhelm the quantum communication channel and render reliable transmission impossible. Unlike reconnaissance or exploratory noise, which aim to extract information or probe system stability while preserving operability, DoS noise is explicitly disruptive and seeks to force operational failure. In this regime, the primary effect of interest is not gradual performance degradation, but the rapid breakdown of state integrity and communication viability.

In continuous-variable quantum communication systems, DoS interference can be modeled operationally as a Gaussian channel with large excess noise and/or strong phase diffusion. At the quadrature level, this is expressed as

$${\widehat{\mathbf{r}}}^{\prime }=R\left(\varphi \right)\widehat{\mathbf{r}}+{\xi }_{\mathrm{DoS}},$$

(8)

where the phase parameter $\varphi$ may fluctuate rapidly over a wide range, and ${\xi }_{\mathrm{DoS}}\sim \mathcal{N}(\mathbf{0},N_{\mathrm{DoS}})$ is a Gaussian noise term with covariance matrix $N_{\mathrm{DoS}}$ far exceeding nominal operating limits. This phenomenological model captures intense optical jamming, severe phase-reference destabilization, or broadband noise injection, without assuming a specific adversarial mechanism or implementation.

3.6.1. Impact on Quantum State Coherence

DoS noise rapidly degrades quantum state coherence by dramatically inflating quadrature variances and distorting the phase-space distribution. The covariance matrix V of the state transforms as

$$V^{\prime }=R\left(\varphi \right)V{R}^{\mathsf{T}}\left(\varphi \right)+N_{\mathrm{DoS}},$$

(9)

leading to a substantial increase in $\mathrm{Tr}\left(V\right)$. Because the trace of the covariance matrix is directly proportional to the mean photon number, this corresponds to rapid growth in state energy.

In phase space, this manifests as extensive spreading of the Wigner function, accompanied by loss of Gaussian localization and severe reduction in state purity. Nonclassical correlations and phase-sensitive structure required for quantum communication and information-processing tasks are rapidly destroyed, rendering the quantum state unsuitable for reliable transmission, verification, or further processing.

3.6.2. Energy Deviation and Failure Thresholds

To quantify the severity of DoS interference in an implementation-relevant manner, state degradation is characterized using an energy-deviation metric derived from the covariance matrix:

$$\Delta E_{\mathrm{DoS}}\propto \mathrm{Tr}\left(V^{\prime }\right)-\mathrm{Tr}\left(V_0\right),$$

(10)

where $V_0$ denotes the covariance matrix of the unperturbed reference state. As excess noise accumulates, $\Delta E_{\mathrm{DoS}}$ grows rapidly, reflecting both increased quadrature variance and loss of state structure.

Operational failure occurs once the energy deviation exceeds a system-dependent threshold $\Delta E_{\mathrm{th}}$, determined by factors such as detector saturation, estimator breakdown, numerical instability, or loss of protocol validity:

$$\Delta E_{\mathrm{DoS}}\gg \Delta E_{\mathrm{th}}.$$

(11)

Crossing this threshold marks a transition from degraded performance to functional failure, beyond which meaningful quantum communication or device operation cannot be maintained.

3.6.3. Observability and Operational Consequences

Because DoS noise produces large-amplitude and rapidly varying deviations in quadrature statistics, it is typically straightforward to distinguish from lower-intensity adversarial regimes. However, the defining characteristic of DoS interference is speed: the rapid escalation of excess noise can destabilize the system on timescales shorter than those required for detailed diagnosis or corrective action.

From an operational perspective, DoS noise delineates the ultimate boundary of adversarial tolerance in continuous-variable quantum systems. It defines the regime in which physical-layer interference directly translates into loss of functionality, underscoring the importance of characterizing failure thresholds and the pathways through which adversarial perturbations drive systems from degraded operation into complete breakdown.

3.7. Operational Signatures in Covariance Statistics

Adversarial noise affects continuous-variable quantum states in ways that depend on both its intensity and its operational intent. While all adversarial strategies perturb the underlying phase-space distribution, their impact on state energy, coherence, and purity differs systematically across reconnaissance, exploratory, and denial-of-service regimes. These effects directly determine the reliability, integrity, and operational stability of continuous-variable quantum communication systems and devices.

Table 3 summarizes how different receiver-accessible observables map to specific estimators, dominant failure modes, and adversarial regime sensitivity under finite-sample and finite-resolution constraints.

3.7.1. Energy Deviation as an Operational Metric

To quantify the impact of adversarial noise in a manner compatible with experimental continuous-variable platforms, state degradation is characterized using an energy-deviation metric derived from second-order quadrature moments. For a single-mode Gaussian state with covariance matrix V, the mean energy (up to a constant offset set by normalization) is proportional to the trace of the covariance matrix, a standard result in Gaussian quantum optics and continuous-variable quantum information [12].

$$\langle E\rangle \propto \mathrm{Tr}\left(V\right).$$

(12)

Remark 1

(Trace energy relation under the vacuum-normalized convention). Throughout this paper we adopt the common shot-noise-unit normalization in which the vacuum covariance is $V_{\mathrm{vac}}=I_{2m}$ for an m-mode system. Let $\widehat{\mathbf{r}}={({\widehat{x}}_1,{\widehat{p}}_1,\dots ,{\widehat{x}}_m,{\widehat{p}}_m)}^{\mathsf{T}}$ and define the covariance matrix by $V_{ij}:=\frac{1}{2}\langle \{\Delta {\widehat{r}}_i,\Delta {\widehat{r}}_j\}\rangle$. Under this convention, the total mean photon number satisfies the affine relation

$$\langle \widehat{N}\rangle =\sum _{k=1}^m\langle {\widehat{n}}_k\rangle ={\displaystyle \frac{\mathrm{Tr}\left(V\right)+{\parallel \mathbf{d}\parallel }^2-2m}{4}},$$

(13)

where $\mathbf{d}:=\langle \widehat{\mathbf{r}}\rangle$ is the displacement vector. In particular, for zero-mean (or mean-subtracted) statistics ($\mathbf{d}=\mathbf{0}$), $\langle \widehat{N}\rangle =\left(\mathrm{Tr}\left(V\right)-2m\right)/4$. Therefore, anyenergy deviationinduced by excess noise can be taken proportional to $\Delta \mathrm{Tr}\left(V\right)$ up to a fixed constant factor (and vacuum offset), so we use $\Delta E\propto \mathrm{Tr}\left(V^{\prime }\right)-\mathrm{Tr}\left(V_0\right)$ as an operational scalar metric.

The energy deviation induced by adversarial noise is therefore defined as

$$\Delta E\propto \mathrm{Tr}\left(V^{\prime }\right)-\mathrm{Tr}\left(V_0\right),$$

(14)

$$\Delta E:={\displaystyle \frac{\mathrm{Tr}\left(V^{\prime }\right)-\mathrm{Tr}\left(V_0\right)}{4}},$$

(15)

where $V_0$ denotes the covariance matrix of the unperturbed reference state and $V^{\prime }$ that of the perturbed state. Here we use ${\delta }_e$ to denote a receiver-defined energy-deviation tolerance (a scalar analogue of ${\delta }_V$), i.e., the maximum $\Delta E$ typically accepted as nominal over a monitoring window at the chosen confidence level, as determined by finite-sample uncertainty, detector resolution, and false-alarm design. Here and throughout this work, covariance matrices are expressed in normalized units where the vacuum variance of each quadrature is set to unity. The proportionality is understood to apply to zero-mean states or to covariance matrices computed after subtraction of estimated first moments, so that $\mathrm{Tr}\left(V\right)$ captures excess variance due solely to noise rather than coherent displacement. This definition avoids reliance on idealized Hamiltonian ground states or full state tomography and instead reflects experimentally accessible quantities such as quadrature variances or mean photon number.

Energy deviation serves as a practical, protocol-agnostic metric because it directly captures excess noise accumulation, estimator degradation, and proximity to operational failure thresholds. It applies equally to communication, verification, and sensing tasks in continuous-variable systems. Different classes of adversarial noise correspond to distinct regimes of energy deviation:

1.

Reconnaissance Noise. Low-amplitude excess noise produces only a small increase in $\mathrm{Tr}\left(V\right)$, yielding $\Delta E$ values that typically remain within estimator confidence intervals. Although energetically subtle, such deviations can accumulate over time, biasing inferred system parameters and enabling information leakage without triggering conventional anomaly detection.

2.

Exploratory Noise. Moderate, structured perturbations lead to observable increases in $\Delta E$ as quadrature variances become asymmetric or inflated. These deviations are constrained below catastrophic levels, allowing repeated observation of system behavior while revealing sensitivity to controlled stress.

3.

Denial-of-Service (DoS) Noise. High-intensity excess noise causes a rapid and large increase in $\mathrm{Tr}\left(V\right)$, driving $\Delta E$ well beyond operational thresholds. In this regime, energy growth correlates with estimator breakdown, detector saturation, and loss of functional viability.

3.7.2. Coherence Loss and State Purity

Beyond energy deviation, adversarial noise degrades quantum coherence and state purity, both of which are critical for reliable quantum information processing. These effects are naturally visualized in phase space via the Wigner function and quantified through changes in the covariance matrix.

1.

Reconnaissance Noise. Because reconnaissance noise remains energetically small, the Wigner function retains an approximately Gaussian and localized form over short timescales, and state purity is largely preserved. However, repeated low-level perturbations can accumulate, gradually degrading coherence and revealing information about system parameters without overt disruption.

2.

Exploratory Noise. Exploratory perturbations distort the covariance matrix more noticeably, producing elongation, rotation, or anisotropic spreading of the Wigner function in phase space. This reflects partial loss of coherence and moderate purity degradation, indicating proximity to stability boundaries.

3.

Denial-of-Service (DoS) Noise. Under DoS conditions, large excess noise rapidly spreads the Wigner function, yielding a highly mixed state with severely reduced purity. Nonclassical correlations and phase-sensitive structure are destroyed, rendering the quantum state unsuitable for communication, verification, or further processing.

From an operational perspective, these regimes define a structured progression of state degradation: from subtle parameter biasing, to stress-induced instability, to complete functional breakdown. This progression provides a unified framework for characterizing how adversarial interference manifests at the quantum-state level across increasing noise intensity.

3.7.3. Normalization and Multi-Mode Generalization

Throughout this work, covariance matrices are expressed in normalized units where the vacuum variance of each quadrature is set to unity. This convention is standard in continuous-variable quantum optics and simplifies comparison across devices, protocols, and operating regimes by eliminating system-dependent scaling factors. Under this normalization, excess noise, estimator tolerances, and energy deviation can be interpreted directly in terms of deviations from the vacuum reference, without explicit dependence on absolute optical power or Hamiltonian parameters.

The energy-deviation metric introduced in this paper inherits this normalization naturally. For a single-mode Gaussian state with covariance matrix V, the quantity $\mathrm{Tr}\left(V\right)$ provides a dimensionless measure of total quadrature variance relative to vacuum. As a result, energy deviation captures excess noise accumulation in a manner that is both experimentally accessible and independent of specific detector calibrations, provided consistent normalization is maintained.

Although the analysis presented here focuses primarily on single-mode qumodes for clarity, the framework extends straightforwardly to multi-mode continuous-variable systems. For an m-mode Gaussian state with covariance matrix $V\in {\mathbb{R}}^{2m\times 2m}$, the total energy deviation generalizes to

$$\Delta E\propto \mathrm{Tr}\left(V^{\prime }\right)-\mathrm{Tr}\left(V_0\right),$$

(16)

where $V_0$ denotes the reference covariance matrix of the unperturbed multi-mode state. In this setting, $\mathrm{Tr}\left(V\right)$ aggregates excess variance across all modes and quadratures, capturing both local noise accumulation and correlated disturbances arising from mode coupling or shared noise sources.

Importantly, the adversarial-noise taxonomy introduced in this work remains applicable in the multi-mode case. Reconnaissance noise corresponds to low-amplitude, potentially correlated perturbations that remain within joint estimator tolerances across modes; exploratory noise induces structured distortions revealing inter-mode sensitivities and stability margins; and denial-of-service noise drives global variance growth that overwhelms estimation and control capabilities. While multi-mode systems introduce additional structure through correlations and entanglement, the receiver-centric, covariance-based perspective adopted here provides a consistent operational basis for analyzing adversarial interference at scale.

These considerations highlight that the present single-mode treatment should be viewed as a minimal setting for exposition rather than a fundamental limitation. The normalization conventions and energy-deviation framework developed here are compatible with multi-mode extensions and networked architectures, supporting future work on adversarial robustness in large-scale continuous-variable quantum communication systems.

3.7.4. Why the Covariance Trace

A central design choice in this work is the use of the trace of the covariance matrix as the primary scalar observable for quantifying adversarial impact. This choice is motivated by a combination of physical relevance, experimental accessibility, and robustness under realistic implementation constraints.

First, for Gaussian continuous-variable states, the trace of the covariance matrix,

$$\mathrm{Tr}\left(V\right)=\langle {\widehat{x}}^2\rangle +\langle {\widehat{p}}^2\rangle ,$$

(17)

is directly proportional (up to a constant offset set by normalization) to the mean energy or mean photon number of the mode for zero-mean states or for covariance matrices computed after subtraction of first moments. As such, increases in $\mathrm{Tr}\left(V\right)$ provide a physically meaningful measure of excess noise accumulation that is independent of phase-space orientation. This makes the trace a natural indicator of how strongly adversarial perturbations inflate quadrature variance and drive the system toward operational failure.

Second, the trace is invariant under ideal symplectic rotations. This invariance is critical in adversarial settings, where structured noise may project differently onto measured quadratures depending on phase-space orientation. By using $\mathrm{Tr}\left(V\right)$, we obtain a metric that captures total variance growth without being confounded by purely geometric redistribution of noise between quadratures. Orientation-dependent effects are still observable through the full covariance structure, but the trace provides a compact summary of overall disturbance severity.

Third, from an experimental standpoint, the trace is exceptionally well matched to receiver-accessible observables. It depends only on second-order quadrature moments, which can be estimated reliably using homodyne or heterodyne detection with finite resolution and without full state tomography. In contrast, alternative quantities such as symplectic eigenvalues, entropic measures, or fidelity metrics typically require stronger assumptions, higher-order statistics, or significantly larger data sets, making them less suitable for real-time or implementation-level monitoring.

Finally, the covariance trace provides a protocol-agnostic link between adversarial interference and operational thresholds. Estimator breakdown, detector saturation, numerical instability, and protocol abort conditions are all naturally associated with excessive variance growth rather than with specific geometric features of the state. By framing adversarial impact in terms of $\mathrm{Tr}\left(V\right)$, the resulting energy-deviation metric directly reflects proximity to such failure modes across communication, verification, and sensing applications.

For these reasons, the covariance trace serves as an effective compromise between physical interpretability, experimental feasibility, and adversarial robustness. It enables a unified, receiver-centric characterization of disturbance severity while remaining compatible with finite-resolution measurements, finite-sample estimation, and multi-mode generalizations.

3.8. Finite-Sample Detectability: A Minimal Quantitative Demonstration

3.8.1. Setup: Estimating Excess Noise from Quadrature Samples

We provide a minimal quantitative demonstration of how finite sample size and finite-resolution estimation induce an operational detectability threshold for weak adversarial excess noise. The goal is not to propose a complete detector or security proof, but to make explicit the statistical mechanism that underlies the reconnaissance/exploratory regime boundary, below a sample-limited threshold, injected excess noise is statistically indistinguishable from nominal operation within typical confidence requirements. This behavior mirrors finite-size parameter-estimation effects analyzed in CV-QKD, where excess noise below estimator confidence bounds remains operationally invisible despite being systematic [5,6,7]. Importantly, the qualitative regime structure discussed below does not depend on the Gaussian approximation itself; the same $1/\sqrt{n}$ scaling and soft detectability boundary follow directly from the exact ${\chi }^2$ distribution.

Consider a receiver performing homodyne measurements of a single quadrature (without loss of generality, the p-quadrature) on n independent state preparations. Let ${\left\{p_i\right\}}_{i=1}^n$ denote the recorded outcomes. Under nominal operation, assume a zero-mean Gaussian model

$$p_i\sim \mathcal{N}(0,{\sigma }_0^2),$$

(18)

where ${\sigma }_0^2$ represents the reference quadrature variance, including trusted receiver noise contributions. Under adversarial excess-noise injection, the observed variance becomes

$${\sigma }_1^2={\sigma }_0^2+\nu ,$$

(19)

where $\nu \ge 0$ is the excess-noise magnitude to be detected.

A natural estimator for the quadrature variance is the sample variance

$${\widehat{\sigma }}^2:={\displaystyle \frac{1}{n}}\sum _{i=1}^n{p}_i^2,$$

(20)

where the mean is taken to be 0 for simplicity, consistent with symmetric modulation or calibrated offset removal. More generally, the standard estimator ${\displaystyle \frac{1}{n}}{\sum }_{i=1}^n{(p_i-\overline{p})}^2$ yields the same scaling of estimator uncertainty with sample size, and the zero-mean form is adopted here for notational clarity. For Gaussian samples, ${\widehat{\sigma }}^2$ is an unbiased estimator with

$$\mathbb{E}\left[{\widehat{\sigma }}^2\right]={\sigma }^2,\mathrm{Var}\left({\widehat{\sigma }}^2\right)={\displaystyle \frac{2{\sigma }^4}{n}}.$$

(21)

Thus, under nominal operation (${\sigma }^2={\sigma }_0^2$), the standard deviation of the variance estimator scales as

$$\mathrm{Std}\left({\widehat{\sigma }}^2\right)=\sqrt{{\displaystyle \frac{2}{n}}}{\sigma }_0^2.$$

(22)

To connect to operational acceptance regions, suppose the receiver uses a one-sided threshold test of the form

$${\widehat{\sigma }}^2\le {\sigma }_0^2+\tau ,$$

(23)

where $\tau$ encodes an estimator tolerance determined by the target false-alarm probability (confidence level), finite-resolution effects, and additional trusted uncertainty margins. In practice, $\tau$ can be interpreted as the upper tolerance margin of a one-sided acceptance region for variance-based monitoring.

Exact finite-sample distribution (Gaussian case).

For Gaussian quadrature samples $p_i\sim \mathcal{N}(0,{\sigma }^2)$ with known (or pre-subtracted) mean, the variance estimator ${\widehat{\sigma }}^2={\displaystyle \frac{1}{n}}{\sum }_{i=1}^n{p}_i^2$ admits the exact finite-sample law

$${\displaystyle \frac{n{\widehat{\sigma }}^2}{{\sigma }^2}}\sim {\chi }_n^2.$$

(24)

If instead one uses the usual sample-mean-corrected estimator $s^2={\displaystyle \frac{1}{n-1}}{\sum }_{i=1}^n{(p_i-\overline{p})}^2$, then

$${\displaystyle \frac{(n-1)s^2}{{\sigma }^2}}\sim {\chi }_{n-1}^2.$$

(25)

In what follows we use a normal (Gaussian) approximation to this ${\chi }^2$-based sampling distribution in the large-n regime, which yields the simple $1/\sqrt{n}$ detectability scaling used for the operational threshold discussion.

In the large-n regime, a normal approximation yields an operational detectability condition:

$$\nu \gtrsim z_{\alpha }\sqrt{{\displaystyle \frac{2}{n}}}{\sigma }_0^2,$$

(26)

where $z_{\alpha }$ is the one-sided normal quantile associated with the desired significance level (e.g., $\alpha =0.05$). Equation (26) makes explicit the finite-sample scaling: the minimum excess noise that can be reliably resolved decreases only as $1/\sqrt{n}$ and grows with the baseline variance scale ${\sigma }_0^2$.

This quantitative scaling underpins the operational interpretation adopted throughout the paper: reconnaissance noise corresponds to $\nu$ values that remain below (or comparable to) the finite-sample detectability scale in Eq. (26) over typical monitoring windows, while exploratory noise corresponds to $\nu$ values that exceed it and therefore produce statistically resolvable distortions in receiver-side covariance statistics.

3.8.2. Tolerance Regions and Missed-Detection Probability

We now make explicit how estimator tolerances translate into a nonzero probability of missed detection for weak adversarial excess noise. This connects the abstract notion of acceptance regions directly to operational risk in finite-sample monitoring.

Let the receiver adopt a variance-based acceptance test of the form

$${\widehat{\sigma }}^2\le {\sigma }_0^2+\tau ,$$

(27)

where ${\sigma }_0^2$ is the reference variance under nominal operation and $\tau >0$ defines the tolerance margin. Any realization satisfying Eq. (27) is deemed consistent with normal operation.

Related finite-size missed-detection and confidence-region effects are well known in CV-QKD parameter estimation, where excess noise can evade detection with nonzero probability under finite sampling, even when security margins are formally satisfied [5,7].

Under adversarial excess-noise injection, the true variance is ${\sigma }_1^2={\sigma }_0^2+\nu$. The probability of missed detection (Type-II error) is therefore

$$P_{\mathrm{miss}}\left(\nu \right)=Pr\left({\widehat{\sigma }}^2\le {\sigma }_0^2+\tau |{\sigma }^2={\sigma }_0^2+\nu \right).$$

(28)

Using the Gaussian approximation for the sampling distribution of ${\widehat{\sigma }}^2$ in the large-n regime,

$${\widehat{\sigma }}^2\sim \mathcal{N}\left({\sigma }_1^2,{\displaystyle \frac{2{\sigma }_1^4}{n}}\right),$$

(29)

the missed-detection probability can be written explicitly as

$$P_{\mathrm{miss}}\left(\nu \right)=\Phi \left({\displaystyle \frac{{\sigma }_0^2+\tau -({\sigma }_0^2+\nu )}{\sqrt{2}{\sigma }_1^2/\sqrt{n}}}\right)=\Phi \left({\displaystyle \frac{\tau -\nu }{\sqrt{2}{\sigma }_1^2/\sqrt{n}}}\right),$$

(30)

where $\Phi (·)$ denotes the cumulative distribution function of the standard normal distribution.

Equation (30) makes several operational features explicit. First, for $\nu \ll \tau$, the argument of $\Phi (·)$ is positive and large, yielding $P_{\mathrm{miss}}\approx 1$: adversarial excess noise is almost certainly accepted as nominal. Second, the transition from high to low missed-detection probability occurs over a finite interval of $\nu$ whose width scales as ${\sigma }_1^2/\sqrt{n}$ and reduces to $\mathcal{O}({\sigma }_0^2/\sqrt{n})$ in the weak-perturbation regime. This interval defines a soft detectability boundary, rather than a sharp threshold.

In this sense, estimator tolerances induce a continuous acceptance region in variance space, not a binary security boundary. Reconnaissance noise corresponds to operating points where $\nu$ lies deep inside the high-$P_{\mathrm{miss}}$ region, while exploratory noise occupies the intermediate regime where detection becomes probabilistic and phase-space anisotropies or temporal correlations may provide additional observable leverage.

Finally, Eq. (30) highlights why purely static thresholds are intrinsically vulnerable under finite-sample constraints. For any fixed tolerance $\tau$ and sample size n, there exists a nontrivial range of excess-noise amplitudes that are statistically likely to evade detection, even though they induce systematic bias and energy accumulation over time. This quantitative fact underlies the operational regime taxonomy developed in this work and motivates the use of covariance-based metrics that track cumulative degradation rather than instantaneous threshold violations.

3.8.3. Operational Boundary Between Reconnaissance and Exploratory Regimes

The transition between reconnaissance and exploratory adversarial regimes can be formalized operationally using the finite-sample detectability analysis developed above. Rather than being defined by a sharp noise-amplitude threshold, this boundary emerges from the interplay between excess-noise magnitude, estimator tolerances, and available sample size.

Using the missed-detection probability in Eq. (30), an operational boundary can be defined by selecting a reference confidence level $P_{\mathrm{miss}}^{*}\in (0,1)$ that separates statistically invisible perturbations from those that are likely to be detected within a monitoring window. Solving

$$P_{\mathrm{miss}}\left({\nu }^{*}\right)=P_{\mathrm{miss}}^{*}$$

(31)

gives the following boundary condition, illustrated in Fig. Figure 5.

Figure 5 provides a concrete numerical illustration of Eq. (30), showing how finite sample size transforms the fixed tolerance test in Eq. (27) into a soft, probabilistic detectability boundary.

For the excess-noise amplitude ${\nu }^{*}$ yields

$${\nu }^{*}=\tau -\sqrt{2}({\sigma }_0^2+{\nu }^{*}){\displaystyle \frac{{\Phi }^{-1}\left(P_{\mathrm{miss}}^{*}\right)}{\sqrt{n}}},$$

(32)

where ${\Phi }^{-1}(·)$ is the inverse standard normal cumulative distribution function.

Equation (32) defines a finite-sample operational boundary between adversarial regimes:

1.

For $\nu \ll {\nu }^{*}$, missed-detection probability remains close to unity, and excess noise is statistically indistinguishable from nominal fluctuations over the observation window. This corresponds to the reconnaissance regime, in which adversarial probing can proceed stealthily while gradually biasing inferred parameters.

2.

For $\nu \gtrsim {\nu }^{*}$, missed-detection probability decreases appreciably, and excess noise becomes intermittently or consistently observable in receiver-side statistics. This marks the onset of the exploratory regime, where structured perturbations induce detectable stress without yet forcing system failure.

Several features of this boundary are noteworthy. First, ${\nu }^{*}$ depends explicitly on the sample size n: increasing data acquisition narrows the reconnaissance regime, but does not eliminate it entirely for finite n. Second, the boundary depends on the chosen tolerance $\tau$, which is itself an operational design parameter reflecting acceptable false-alarm rates, calibration uncertainty, and detector limitations. Third, because the estimator variance depends on the total variance ${\sigma }_0^2+\nu$, the boundary shifts dynamically as excess noise accumulates, producing feedback between adversarial action and statistical detectability.

Importantly, this boundary is probabilistic rather than absolute. There exists a finite interval of $\nu$ values for which the system alternates between apparent nominal behavior and detectable deviation across successive observation windows. This gray zone is precisely where exploratory adversarial strategies are most informative: injected perturbations are large enough to elicit observable responses, yet small enough to preserve overall operability.

From an operational standpoint, the reconnaissance–exploratory boundary therefore represents a transition in statistical visibility, not in physical noise mechanism. This reinforces the central theme of this work: adversarial regimes in continuous-variable quantum communication are most meaningfully defined by their interaction with finite-resolution estimation and acceptance regions, rather than by idealized noise models or static thresholds alone.

4. Limitations and Scope

The framework developed in this work is intentionally scoped to operational characterization rather than mitigation or defense. Several limitations therefore delineate the regime of validity and interpretation of the results.

First, the analysis is restricted to receiver-side observables, primarily first- and second-order quadrature statistics summarized by covariance matrices. While this choice reflects what is experimentally accessible in most continuous-variable quantum communication (CVQC) platforms, it does not capture higher-order moments, non-Gaussian features, or full state-tomographic information. Adversarial strategies that primarily affect such higher-order structure may therefore evade characterization within the present framework.

Second, the modeling of adversarial noise is phenomenological and Gaussian at the level of observables. This does not imply that adversaries are limited to Gaussian physical processes, but rather that their impact is analyzed through the lens of finite-resolution estimation. Non-Gaussian attacks that nevertheless manifest as effective excess variance at the receiver are captured by the framework, whereas attacks whose signatures lie entirely outside covariance-level statistics are not.

Third, the finite-sample detectability analysis assumes independent and identically distributed quadrature samples and stationary estimator tolerances over the observation window. In realistic systems, temporal correlations, drifting calibration parameters, or adaptive monitoring strategies may modify detectability boundaries. The results should therefore be interpreted as defining baseline operational limits rather than exhaustive detection guarantees.

Fourth, the work focuses on single-mode states and single-link communication scenarios. While the covariance-trace and energy-deviation concepts generalize naturally to multi-mode systems, correlated noise, mode coupling, and network-level effects introduce additional structure that is not explicitly analyzed here. Extending the framework to multi-mode and networked settings is a necessary step for full-scale deployment scenarios.

Finally, this paper does not propose concrete countermeasures, adaptive controls, or protocol-level defenses. While the taxonomy and quantitative boundaries introduced here are intended to inform such strategies, their design and validation lie outside the scope of the present study. In particular, questions of optimal monitoring, adaptive thresholding, feedback control, or integration with quantum error correction and verification protocols are deferred to future work.

Within these bounds, the contribution of this paper is to provide a clear operational lens through which adversarial interference in CVQC can be classified, quantified, and compared. The scope is therefore complementary to, rather than competitive with, work on mitigation, control, and security proofs, supplying the threat-modeling substrate upon which such defenses can be systematically evaluated.

5. Conclusion

This work developed an operational framework for characterizing adversarial interference in continuous-variable quantum communication (CVQC) under implementation-realistic constraints, including finite measurement resolution, estimator tolerances, and limited control capabilities. Rather than treating noise as purely environmental and stationary, adversarial interference was modeled as structured, intent-driven disturbances that can be engineered to remain operationally inconspicuous, probe system stability, or rapidly disrupt functionality.

Within a receiver-side Gaussian-channel representation, we introduced a three-regime taxonomy of adversarial noise. Reconnaissance noise consists of low-amplitude perturbations designed to evade detection while gradually biasing parameter estimation. Exploratory noise introduces moderate, structured disturbances that induce observable stress, revealing directional sensitivities and stability margins. Denial-of-service (DoS) noise corresponds to high-intensity interference that overwhelms the system, driving rapid loss of state integrity and operational breakdown. To quantify these regimes in a protocol-agnostic and experimentally accessible manner, we defined an energy-deviation metric based on changes in the trace of the covariance matrix, providing a compact scalar measure of excess variance accumulation and proximity to operational failure thresholds.

Together, the proposed taxonomy and energy-deviation metric establish a structured threat-modeling foundation for analyzing physical-layer attack surfaces in CVQC. By directly linking adversarial intent to observable phase-space statistics, this framework enables systematic analysis of how seemingly benign perturbations can escalate into destabilizing interference. More broadly, it provides a common operational language for connecting physical-layer disturbances to estimator degradation, loss of coherence, and system-level performance limits.

The framework developed here naturally motivates future work focused on mitigation and resilience rather than characterization alone. In particular, adaptive control and modulation strategies can be evaluated against the adversarial regimes and observables defined in this study, enabling quantitative assessment of robustness under non-stationary and adversarial conditions. Extensions to multi-mode and networked systems, incorporation of real-time feedback, and integration with higher-level verification and error-correction mechanisms represent promising directions toward resilient continuous-variable quantum communication and information-processing platforms.

To our knowledge, this is the first receiver-centric framework that explicitly links estimator tolerances, finite-sample statistics, and adversarial intent into a unified operational taxonomy for CV quantum communication.