Finite key effects in satellite quantum key distribution

Global quantum communications will enable long-distance secure data transfer, networked distributed quantum information processing, and other entanglement-enabled technologies. Satellite quantum communication overcomes optical fibre range limitations, with the first realisations of satellite quantum key distribution (SatQKD) being rapidly developed. However, limited transmission times between satellite and ground station severely constrains the amount of secret key due to finite-block size effects. Here, we analyse these effects and the implications for system design and operation, utilising published results from the Micius satellite to construct an empirically-derived channel and system model for a trusted-node downlink employing efficient Bennett-Brassard 1984 (BB84) weak coherent pulse decoy states with optimised parameters. We quantify practical SatQKD performance limits and examine the effects of link efficiency, background light, source quality, and overpass geometries to estimate long-term key generation capacity. Our results may guide design and analysis of future missions, and establish performance benchmarks for both sources and detectors.


INTRODUCTION
Quantum technologies have the potential to enhance the capability of many applications 1 such as sensing [2][3][4] , communications [5][6][7][8] , and computation 9 . Ultimately, a worldwide networked infrastructure of dedicated quantum technologies, i.e. a quantum internet 10 , could enable distributed quantum sensors [11][12][13][14] , precise timing and navigation [15][16][17] , and faster data processing through distributed quantum computing 18 . This will require the establishment of long distance quantum links at global scale. A fundamental difficulty is exponential loss in optical fibres, which limits direct transmission of quantum photonic signals to < 1000 km [19][20][21][22] . Quantum repeaters may overcome the direct transmission limit but stringent performance requirements render them impractical by themselves for scaling to the intercontinental ranges needed for global scale-up 23 . Alternatively, satellite-based free-space transmission significantly reduces the number of ground quantum repeaters required 24 .
Satellite-based quantum communication has attracted much recent research effort [23][24][25][26][27][28][29][30] following recent in-orbit demonstrations of its feasibility by the Micius satellite 31 . For low-Earth orbit (LEO) satellites, a particular challenge is the limited time window to establish and maintain a quantum channel with an optical ground station (OGS). For satellite quantum key distribution (SatQKD), this constrains the amount of secret key that can be generated due to two issues. First, the commonly assumed asymptotic resource assumption is not a good approximation for short received signal blocks. Without an arbitrarily large number of received signals, statistical uncertainties can no longer be ignored and the security of the distilled secret key requires careful treatment of the statistical fluctuations in estimated parameters [32][33][34] . Second, the trade-off between the proportion of signals used for parameter estimation and key generation becomes increasingly important to optimise. Further postprocessing operations, such as error correction, reduce the amount of extractable secret key, with small block lengths leading to additional inefficiencies over the asymptotic limit 35,36 .
Initial SatQKD studies used the observed standard deviation to estimate statistical uncertainties and derive correction terms to the secret key rate 37,38 . Analyses based on smooth entropies 32 improve finite-key bounds 39 and have been applied to free-space quantum communication experiments 40 . Recently, tight bounds 36 and small block analyses 41 further improve key lengths for finite signals. Here, we provide a detailed analysis of SatQKD secret key generation, which utilises tight finite block statistics in conjunction with system design and operational considerations.
As part of our modelling, we implement tight statistical analyses for parameter estimation and error correction to determine the optimised, finite-block, single-pass secret key length (SKL) for weak coherent pulse (WCP) efficient BB84 protocols using three signal intensities (two-decoy states). We base our nominal system model on recent experimental results reported by the Micius satellite 42 and use a simple scaling method to extrapolate performance to other SatQKD configurations. The effects of different system parameters are explored, such as varying system link efficiencies, protocol choice, background counts, source quality, and overpass geometries. We also provide a simple estimation method to determine the maximum expected long-term key volume at a particular OGS latitude. The improvement from combining data from multiple satellite passes is also examined. Our model and analysis may guide the design and specification of SatQKD systems, highlighting factors in the quantum communication link that limit secret key generation in the regime of high channel loss and limited pass duration.
We outline the system model in section 'System model', including overpass geometries and system parameters. Operational models and finite block construction are given in section 'SatQKD Operations'. We describe in section 'Finite key length analysis' our SatQKD finite key analysis and examine the dependence of the SKL on different system parameters in subsequent sections. We conclude with a discussion of our results in section 'Discussion'.
downlink QKD to an OGS at night to minimise background light. The elevation and range is calculated as a function of time for different overpass geometries representing different ground track offsets and maximum elevations for the overpass (Fig. 1a). The instantaneous link efficiency η link is calculated as a function of the elevation θ(t) and range R(t) to generate expected detector count statistics. The quantum link is restricted to be above θ min ¼ 10 .
The link loss η link ¼ À10log 10 p d (dB) is determined by the probability, p d , that a single photon transmitted by the satellite is detected by the OGS. A lower dB value of η link represents smaller loss due to better system electro-optical efficiency. This improvement could stem from the use of larger transmit and receive aperture diameters, better pointing accuracy, lower receiver internal losses, and higher detector efficiencies. Internal transmitter losses are not included since they can be countered by adjusting the WCP source to maintain the desired exit aperture intensities 37 . We also do not explicitly consider time-varying transmittance, modelling the average change in channel loss due only to the change in elevation with time. For discrete variable QKD (DV-QKD) protocols, e.g. BB84, channel transmissivity fluctuations do not directly impact the secret key rate, in contrast to continuous variable QKD where this appears as excess noise leading to key reduction 43,44 .
The ideal overpass corresponds to the satellite traversing the OGS zenith (Fig. 1b) giving the longest transmission time with lowest average channel loss. Generally, an overpass will not pass directly overhead but will reach a maximum elevation θ max ð<90 Þ. We model total losses, including pointing and atmospheric effects, using Micius in-orbit measurements (ref. 42 Extended data, Fig. 3b) to construct a representative η link vs θ curve extrapolating over the entire horizon to horizon passage time (Fig. 1c). The Micius data represent a near ideal scenario since the OGSs are situated in dark sky conditions at high altitudes of~3000 m minimising the effects of atmospheric turbulence and attenuation, other sites may perform differently. Though the link efficiency in ref. 42 is for the entanglement distribution system, not the optimised preparemeasure QKD downlink system as reported in ref. 45 , it should still be representative of downlink efficiencies and sifted key rates achievable with current technologies (Fig. 1d).
Systems with higher link losses are also considered. The system loss metric, η sys loss , is used to characterise the overall system electrooptical efficiency independent of the overpass geometry, and is defined as the η loss value at zenith, i.e. the maximum probability of detecting a single photon sent from the satellite to the OGS. Worse performing systems have a larger associated η sys loss . The baseline η sys loss value considered is 27 dB, which corresponds to the improved Micius system using a 1.2 m diameter OGS receiver at Delingha 42 . By increasing the value of this metric, we explore the performance of SatQKD systems with greater fixed losses, e.g. using a smaller OGS, but otherwise similar behaviour to the Micius system. We consider a maximum η sys loss value of 40 dB since this reflects realistic SatQKD operation using smaller OGS receiver diameters and a reduced pointing accuracy of smaller satellites. If the time-averaged ground spot is much larger than the OGS diameter D r , η sys loss scales as 20log 10 ðD r =D 0 r Þ (dB) where D 0 r ¼ 1:2 m is the reference Delingha OGS diameter.
Estimating the effect of transmitter aperture (D t ) is more complex since factors other than diffraction, such as pointing performance and turbulence, also determine the time-averaged ground spot size 46,47 . Micius, with D t of 180 mm and 300 mm and sub-μrad pointing performance, reported 10 μrad beam widths 42 which suggests the presence of non-diffraction-limited beam spreading effects that may result in a smaller dependence of η sys loss on D t . A smaller D t could result in a smaller increase in η sys loss than given by purely diffractive beam broadening, conversely using a larger D t may not significantly improve η sys loss if pointing and turbulence losses dominate. We refer the reader to detailed Fig. 1 Satellite-to-ground QKD model. a General satellite overpass geometry for circular orbit of altitude h 50 . Maximum elevation θ max reached when satellite-OGS ground track distance is at a minimum, d min . The smallest θ max , θ À max , that generates finite key defines the keygeneration footprint 2d þ min . b Zenith overpass maximises transmission time with lowest average channel loss. Quantum transmission is limited to above θ min . c Zenith overpass channel loss vs time/elevation (based on ref. 42 data). Link loss varies with range (R −2 diffraction fall-off ) and the atmospheric optical depth (attenuation and turbulence). Peak link loss η link at zenith characterises the system loss performance level, denoted η sys loss . Additional constant losses (independent of range and elevation) are modelled by constant dB offset to the link loss curve, hence also off-setting η sys loss . d Modelled sifted key rate and QBER vs time/elevation. Zenith overpass, η sys loss ¼ 27 dB, p ec = 5 × 10 −7 , and QBER I = 0.5%. BB84 WCP-DS protocol parameters: f s = 200 MHz, μ 1,2,3 = 0.5, 0.08, 0.0, p 1,2,3 = 0.72, 0.18, 0.1, with p X = 0.889, 0.9 for the transmitter and receiver basis bias, respectively, as in ref. 45 . Shaded region indicates elevation below θ min ¼ 10 .
analyses of atmospheric turbulence 48 or extinction 49 , and more recent works where their effects on SatQKD are considered 46,50,51 . We simplify our model by including several quantities in the parameters p ec and QBER I . The sum of dark and background light count rates, p ec , is assumed constant and independent of elevation. The intrinsic quantum bit error rate, QBER I , combines errors arising from source quality, receiver measurement fidelity, basis misalignment, and polarisation fluctuations 52 . Baseline system parameters are summarised in Table 1.

SatQKD Operations
A standard model of SatQKD uses large, fixed, and long-term OGSs to establish links with satellites 29 . A more demanding scenario is where the OGS may only be able to communicate sporadically with a particular satellite, limiting the amount of data that can be processed as a single large block, e.g. smaller, mobile OGS terminals may be required to generate a key from a limited number of passes, possibly only one, due to operational constraints. In contrast, fibre-based QKD can often assume a stable quantum channel able to be operated continuously until a sufficiently large block size is attained. High count rates and large block sizes, e.g. 10 12 , are generally more feasible in fibrebased QKD.
In SatQKD, often the theoretical instantaneous asymptotic key rate R 1 ðtÞ is integrated over the overpass to give the continuous secret key length (SKL) 28,29 , SKL Cont: where the quantum transmission occurs between times t start and t end . Data segments from multiple passes with identical statistics should be combined to yield an asymptotically large block for post-processing. More practically, small blocks, each having similar statistics, from different passes are combined to give the following SKL, where R j 1 is the asymptotic key rate for a small segment j, and L j its length. Operationally, this leads to considerable latency between establishing a first satellite-OGS link and the generation of secret keys after a sufficient number of subsequent overpasses. A less restrictive mode of operation is to combine data from multiple passes without segmenting into data blocks with similar statistics, and processing using asymptotically determined or assumed parameters. However, the security guarantee for this procedure requires closer examination.
Here instead, we process overpass data as a single block without segmentation, incorporating finite statistics and uncertainties to maintain high levels of composable security with where fn μ k ; m μ k g denote agglomerated observed counts without partitioning into sub-segments (see 'Methods' section 'Finite key analysis for decoy-state BB84'). This is more practical for large constellations 28,53 and OGS numbers, obviating the need to track and store a combinatorially large number of link segments until each has attained a sufficiently large block size for asymptotic key extraction. Note that we have the freedom of constructing block sizes in this manner since the security of the distilled finite key remains unaffected. However, an important requirement in finite key analyses is the assumption that each block is randomly sampled at a constant and uniform rate. This requires both the protocol parameters and the fraction of X to Z bases be kept the same. We do not make any assumptions on the underlying statistics for each data block, which are not required to be the same. Instead, we require only information on the count statistics for the entire overpass.
Finite key length analysis We now quantify SatQKD system performance and SKL generation from different satellite overpasses. We employ the efficient BB84 protocol with weak coherent pulses (WCPs) 6 for which tight finitekey security bounds have been derived for one 34 and two 33 decoy states. The performance of one and two-decoy states is similar, however using two decoy states allows better vacuum yield estimation, useful in high loss operation. We optimise the twodecoy state protocol parameters and the amount of overpass data used in a block to explore the dependence of the single-pass SKL on different variables and derive an expected long term key volume.
The efficient BB84 protocol 54 encodes signals in X and Z bases with unequal probabilities p X and 1 − p X , respectively. One basis is used exclusively for key generation and the other only for parameter estimation. We choose to use the error rate of the announced sifted Z basis to bound leaked information from the sifted X basis raw key. Biased basis choice improves the sifting ratio whilst retaining security. In the asymptotic regime, the sifting ratio tends to 1, versus 0.5 for symmetric basis choice (original BB84). This sifting ratio advantage persists in the finite key regime (see section 'Protocol performance') resulting in a longer raw sifted key that reduces parameter estimation uncertainties and provides more raw key to distil.
For the two decoy-state WCP BB84 protocol, the sender randomly transmits one of three intensities μ j for j ∈ {1, 2, 3} with probabilities p j . For the purposes of the security proof, we assume the intensities satisfy μ 1 > μ 2 > μ 3 = 0. The finite block secret key length is then given by 33 , where s X,0 , s X,1 and ϕ X , are the X-basis vacuum yield, single-photon yield and phase error rates, respectively. In contrast to fibre-optic based systems, the size of the sifted X-basis data block cannot easily be fixed for satellite-based QKD. Instead the number of pulses N sent per pass is determined by the source repetition rate and the time available during a satellite overpass. In the asymptotic sample size limit (Eq. (2)), the X and Z basis data block sizes are straightforwardly determined by N, the pulse detection probability (itself a function of time), and the sifting ratio. However, finitely sized samples generate observed statistics that deviate from asymptotic expectations. Taking this into account can significantly reduce the SKL and we employ correction terms δ ± XðZÞ;k that relate the expected and observed statistics for bases X(Z) with a k-photon state, using the tight multiplicative Chernoff bound 36 (see 'Methods' 'Finite key analysis for decoy-state BB84' and ref. 55 for software details).
Error syndrome information is publicly announced to perform error correction. The number of bits thus leaked is denoted λ EC , and is accounted for during privacy amplification. In the finite key regime, this information leakage has a fundamental upper bound λ EC log jMj, where M characterises the set of syndromes in the information reconciliation stage 35 . We use an estimate of λ EC that varies with block size (Eq. (9)).
We characterise the reliability and security of the protocol by two parameters, ϵ c and ϵ s . The protocol is ε = ϵ c + ϵ s -secure if it is ϵ c -correct and ϵ s -secret 33,56 . For the numerical optimisation, we take ϵ c = 10 −15 and ϵ s = 10 −9 . Conditioned on passing the checks in the error-estimation and error-correction verification steps, an ϵ s -secret key of length ℓ can be generated that is secure against general coherent attacks and is universally composable 56 . This indicates it is not possible for a malicious party to take advantage of changes to any underlying statistics in each data block that may arise due to changes in channel losses in SatQKD.
In the following sections, we highlight constraints arising from the quantum communication link and its implications for system design. It is also important to consider the constraints arising from the classical communication link. This is particularly important for SatQKD operations. We can use our finite key optimiser to provide an estimate for the number of classical bit transmission required in SatQKD for the baseline system parameters summarised in Table 1 with η sys loss ¼40 dB (see 'Methods' section 'Classical communications for SatQKD').

Transmission time window optimisation
A satellite overpass is limited in duration and experiences highly varying channel loss, hence the expected count rates and QBER will change significantly throughout the pass. The received data obtained from lower elevations will have higher QBER compared to signals sent from higher elevations due to greater losses and the contribution of extraneous counts. This suggests that the SKL that could be extracted could be optimised by truncating poorer quality data from the beginning and end of the transmission period in some circumstances, despite resulting in a shorter raw block 57 .
Our approach is to first fix the transmission duration and optimise the protocol parameters to use during the pass, then iterate over the window duration to find the highest resulting SKL. We define the transmission time window to run from −Δt to +Δt, where t = 0 represents the time of highest elevation θ max . For each Δt, we find optimum protocol parameters that maximise the SKL extractable from the data block generated within this transmission window. We impose a minimum elevation limit that reflects practicalities such as local horizon visibility and system pointing limitations. Here we use θ min ¼ 10 which for a zenith pass limits 2Δt to less than~440 s.
We show the SKL as a function of Δt for different η sys loss values in Fig. 2. For small η sys loss , the QBER at low elevations does not rise greatly above QBER I and it is better to construct keys from the greatest amount of data where Δt reaches the maximum allowed by θ min . Conversely, for large η sys loss , utilising only data from near zenith leads to a longer SKL due to the better average QBER countering both the smaller raw key length and larger statistical uncertainties.

SKL system parameter dependence
We now determine the dependence of the SKL on different system parameters, including extraneous counts p ec , intrinsic quantum bit errors QBER I , and the source repetition rate f s . The optimised SKL is then determined for different η sys loss that model alternative SatQKD systems that differ from the baseline configuration (Table 1)  We first consider how the SKL is affected by p ec , which includes both detector dark counts and background light. For DV-QKD, silicon single photon avalanche photodiodes (Si-SPADs) are typically used for visible or near infrared wavelengths and can achieve a dark count rate of a few counts per second with thermoelectric cooling and temporal filtering 58 . Superconducting nanowire single photon detectors (SNSPDs) 59 can offer superior wavelength sensitivity (particularly beyond 1 μm), dark count rate (less than 1 cps), and timing jitter, though at the expense of greater cost, size, weight, and power (SWaP), owing to the need for cryogenic operation. Background light, due to light pollution and celestial bodies (most notably the Moon) is the main constraint to minimising p ec 60 . We have used a simplified model which does not include elevation dependent background light levels (which is highly site dependent). The impact of varying p ec on the single overpass (solid), two-pass normalised (dashed), and normalised block asymptotic (dotted) finite SKLs (see 'Methods' section 'Asymptotic key length per pass') is shown in Fig. 3a. For the finite variants, the SKL is determined using Eq. (3), where data from either one (solid lines) or two (dashed lines) zenith overpasses are processed as a single block. Multiple-pass SKLs are normalised by the number of passes to maintain a fair comparison with the single pass SKL. For each scenario, while extraneous counts increase the vacuum yield s X;0 , any addition to the SKL is offset by reductions from worse phase error rates and error correction terms. For example, a factor of 10 increase in p ec results in a 40% net reduction to the SKL for η sys loss ¼ 27 dB. The effect of extraneous counts is further compounded for large η sys loss values and can result in zero SKL due to an excessive QBER.
The QBER also suffers from effects such as non-ideal signals, satellite-OGS reference frame misalignment, or imperfect projective measurements by the OGS. We characterise these by an intrinsic system error, QBER I , which is independent of the count rate or channel loss. Figure 3b illustrates the effect of different QBER I on the SKL. We observe that the finite key length is not as susceptible to changes in the QBER I as compared with p ec . The relative effects of both p ec and QBER I on the SKL is illustrated in Fig. 4 (see also  Fig. 2 Secret key length and QBER vs transmission duration. Zenith overpass with different η sys loss (solid lines), QBER I = 0.5%, and p ec = 5 × 10 −7 . Dashed lines represent truncated block QBERs. For each Δt, the SKL extractable from received data within −Δt to +Δt is optimised over protocol parameters. For the better η sys loss values, increasing Δt beyond 200 s leads to minor SKL improvement. For larger η sys loss , including data from low elevations is detrimental to the SKL as seen by an increase in the truncated block averaged QBER. The non-smooth QBER appears since it is not the objective function of the optimisation. The shaded region indicates the time when the satellite elevation is lower than θ min ¼ 10 . Supplementary Fig. 1). The SKL varies greatly along the p ec direction, with zero finite key returned for large p ec irrespective of improvements to QBER I . This indicates that improvements to background light suppression and detector dark count over source fidelities and satellite alignment should be prioritised.
We can estimate the effect of increasing the source rate f s by incorporating a correction factor to η sys loss for the current results. Since the SKL is a function of fn μ k ; m μ k g, these only depend on the integrated product of the source rate and the link efficiency, with all other system parameters kept the same. Therefore, a 100 MHz source at a given η sys loss provides the same amount of raw key as a 1 GHz source with a 10 dB larger system loss metric, e.g. corresponding to a three times smaller OGS receiver diameter ( Supplementary Fig. 2). This approximation, however, neglects extraneous counts and the resultant instantaneous QBER which is unaffected by the source rate but does depend on η sys loss . Nevertheless, the above heuristic holds provided the contribution of p ec to QBER is small and thus SKL is mostly constrained by raw key length and statistical uncertainties.
Practically, the amount of raw key that could be transmitted during an overpass may be limited by the amount of available stored random bits, irrespective of increases in f s . Real-time quantum random number generation can overcome this though at the expense of increased SWaP, which is often constrained on smaller satellites. Even with limits on the amount of raw key available, increasing f s can still be advantageous by compressing the transmission into a smaller duration around θ max , which decreases the average loss per transmitted block.
Protocol parameters that affect the SKL include signal intensities μ j , their probabilities p j , and basis bias p X . The optimum values of these system parameters generally depend on η sys loss and the overpass geometry. The optimal key generation basis choice probability p X decreases with increasing η sys loss . As the OGS detects fewer photons with increasing loss, leading to worse parameter estimation of s X,0 , s X,1 and ϕ X due to greater statistical fluctuations, to compensate we need to collect more Z basis events by increasing 1 − p X . The reduced number of key generation events is outweighed by better bounds on the key length parameters. This implies that the uncertainties in the parameter estimation from finite statistics dominates the SKL compared with raw key length when η sys loss is large (Supplementary Fig. 3).

SKL and overpass geometry
A typical satellite overpass will not go directly over zenith but will pass within some minimum ground track offset d min of the OGS, reaching a maximum elevation θ max ð<90 Þ (Fig. 1a). To maximise the number of overpass opportunities that can generate a secret key, a SatQKD system should be able to operate with as low a maximum elevation θ max as possible. The SKL per pass as a function of d min is shown in Fig. 5 for different η sys loss values. As expected, overpasses with smaller θ max deliver smaller SKLs due to shorter transmission times and lower count rates from large average η link at lower elevations and longer ranges. The SKL vanishes once θ max is below a critical elevation angle θ À max when the small block size leads to excessive statistical uncertainties or the average QBER becomes too high.
We now can estimate the long-term average amount of secret key that can be generated using single overpass blocks with an OGS site situated at a particular latitude. We first integrate the area under the SKL vs d min curve, where d þ min is the maximum OGS ground track offset that generates key. Assuming a sun synchronous orbit, we then estimate the expected annual key from (neglecting weather), where N year orbits is the number of orbits per year, and L lat is the longitudinal circumference along the line of latitude at a single OGS location (see Methods section 'Expected annual SKL'). This estimate assumes that d min is evenly distributed (unless in an Earth synchronous orbit 28 ) and the OGS is not close to the poles where the orbital inclination (~97°) invalidates the approximation of even   Table 2, we summarise the expected yearly secret finite key lengths attainable for various η sys loss at latitude 55. 9 ∘ N.

Multiple satellite passes
Disregarding latency of key generation, data from several overpasses can be combined to improve SKL generation. Figure 3 displays finite and asymptotic SKLs for a single zenith overpass. The overpass-normalised asymptotic SKL corresponds to multiple overpasses where the block sizes used for key rate determination tend to infinity. Instead of Eq. (2), we aggregate data from separate overpasses (with the same geometry and protocol parameters) into a single processing block without segmented instantaneous asymptotic key rates, only assuming asymptotically ascertained combined block parameters. The process of taking the block size to infinity requires care due to the limited amount of data per pass (see 'Methods' section 'Asymptotic key length per pass'). The per-pass SKL increases significantly as the block asymptotic regime is approached. Systems with zero single-overpass SKL can generate positive key by accumulating signals from several overpasses (Fig. 6). If ℓ M is the total SKL generated from M identical satellite passes, then ℓ M ≥ Mℓ 1 with diminishing improvement ℓ M+1 − ℓ M with increasing M, with the largest jump going from M = 1 to 2. Averaging over several identical passes does not improve the underlying block averaged signal parameters such as QBER, hence the per-pass SKL improvement is mainly due to smaller estimation uncertainties from increased sample size, with better error correction efficiency and reduced λ EC also contributing. This shows that finite statistical fluctuations are the principle limitation to the SKL that can be generated with a limited number of overpasses.
Practically, employing multiple passes to improve SKL generation should be balanced against greater latency and potential security vulnerabilities in storing large amounts of raw data for a longer period between passes. This will depend on the assumed security model and anticipated attack surfaces of the encryption keys at rest 61 .

Protocol performance
The choice of QKD protocol can also significantly affect the SKL due to finite block size statistics. This is illustrated by comparing two BB84 variants: efficient BB84 (considered thus far) 54 and standard BB84 62 . The main difference is the basis choice bias, with standard BB84 choosing both X and Z bases with equal (symmetric) probability, while efficient BB84 allows biased (asymmetric) basis choice. Standard BB84 also uses both bases to generate key, hence requires parameter estimation of both. Efficient BB84 uses only one basis for key generation and the other for parameter estimation. We refer to the two protocols as s-BB84 and a-BB84, respectively.
In general a-BB84 produces higher SKL for all system loss metrics, can tolerate larger η sys loss , and operate with lower θ max (Supplementary Fig. 4). The expected annual SKL (as in section 'SKL and overpass geometry') with a-BB84 and s-BB84 for the baseline system parameters (Table 1) is obtainable from Fig. 7. For η sys loss ¼ 33 dB and 40 dB, a-BB84 generates 70% and 182% times more key on average, respectively. The advantage increases with larger η sys loss due to several reasons. First, the better sifting ratio of a-BB84 results in more raw bits that also allows for better parameter estimation. Second, a-BB84 uses all events in one basis to estimate the vacuum and single photon yields in the other. In contrast, s-BB84 reveals an optimally sized random sample of results for each basis to separately estimate signal parameters. Hence only half the revealed results are used for each basis estimation, leading to worse statistical uncertainties.
A tangential advantage is that a-BB84 requires less classical communication than s-BB84. In a-BB84 the choice of bits for public comparison for QBER estimation is implicit in the basis choice and automatically revealed during sifting. A minor disadvantage to For h = 500 km, N year orbits $ 5500, and at 55.9 ∘ N (latitude of Glasgow) L 55:9 N $ 2: 25 10 7 m, the expected annual key volume SKL year ¼ 2:44 10 À4 SKL int m À1 . We assume θ min ¼ 10 , p ec = 5 × 10 −7 , and QBER I = 0.5%.  The key generation footprint is given by the maximum d min with non-zero SKL. Solid lines correspond to imposing θ min ¼ 10 (indicated by dark grey region on the right) and dashed lines to no elevation limit. The shaded areas under the curves determine the expected annual SKL for different η sys loss . Imposing θ min ¼ 10 reduces the area, and hence the expected annual SKL, by 18.82%, 13.37%, and 3.58% at 27 dB, 30 dB, and 33 dB, respectively.
a-BB84 is the extra overhead in generating biased basis probabilities 63 , but the advantage of s-BB84 in this regard is relatively small taking into account all the biased probabilities required for both decoy-state variants.

DISCUSSION
Important differences with fibre-based QKD mean that small sample statistical uncertainties have a significant impact on the performance of satellite QKD. The restricted overpass time of a LEO satellite constrains the amount of sifted key that can be established with an optical ground station. Operationally, a secret key may need to be generated from a single pass, thus statistical uncertainties will significantly impact performance in practical scenarios. Our study examines the severity of finite-key effects for representative space-ground quantum channel link efficiencies as indicated by the in-orbit demonstration of Micius.
Our results highlight the influence of system and protocol parameters on the secret key length that can be generated from a single overpass. For the range of system loss metrics considered (η sys loss ¼ 27 to 42 dB), the strongest dependence comes from the degree by which extraneous counts (p ec ) can be suppressed, with a much weaker dependence on the intrinsic signal/measurement quality (QBER I ) of the system. There is also a minimal effect of imposing a minimum elevation limit for quantum signal transmission. This suggests that SatQKD systems should prioritise background light suppression over higher intrinsic quantum signal visibilities or extending transmission closer to the horizon.
The dominance of finite-key effects is highlighted by the comparison between efficient (asymmetric basis bias) BB84 with conventional (symmetric basis bias) BB84. The much greater secret key length of efficient BB84 stems from a better sifting ratio and longer raw key length as well as obviating the need to perform parameter estimation for two bases that would further compound the finite statistical uncertainty. This greater performance translates into a higher secret key length for a given overpass geometry and also extends the satellite ground footprint within which secret key can be established with a ground station. Overall, improvements in system performance, whether through better protocols, smaller system loss metrics, or higher source rates, can significantly expand expected annual secret key volumes, e.g. a reduction of 3 dB in the system loss metric from 40 dB to 37 dB improves the expected annual key volume by a factor of 7.6. Should operations allow, secret key extraction efficiency can also be enhanced by combining data blocks from several passes, especially if no secret is possible from a single overpass.
This preliminary study of SatQKD finite-key effects can be extended to remove some simplifications and approximations.
An immediate extension would include a more comprehensive time and elevation dependent quantum channel model incorporating scattering, turbulence, and anisotropic background light distributions. Site dependent scenarios could include local horizon limits, light pollution, and seasonal weather effects. We can constrain the optimisation of the protocol parameters to reflect additional restrictions on system operations and deployment in practice. Ultimately, design and optimisation of SatQKD systems should incorporate orbital modelling of constellations and ground stations geographic diversity together with cost/performance trade-off studies.

Finite key analysis for decoy-state BB84
The Bennett-Brassard 1984 (BB84) quantum key distribution (QKD) protocol is widely implemented owing to its simplicity, overall performance and provable security 62 . However, practical implementations of BB84 depart from the use of idealised single-photon sources. Instead, weak pulsed laser sources are used given their wide availability and relative ease of implementation. This improves repetition rates over current single photon sources, but leaves the BB84 protocol vulnerable to photonnumber-splitting (PNS) attacks that exploit the multi-photon pulse fraction present in emitted laser pulses 64 .
Decoy-state protocols circumvent PNS attacks and improve tolerance to high channel losses, with minimal modification to BB84 implementations. These protocols employ multiple phase randomised coherent states with differing intensities that replace signal pulses. This modification permits better characterisation of the photon number distribution of transmitted pulses associated with detection events 65 , which reliably detect the presence of PNS attacks in the quantum channel. Decoy-state BB84 protocols also allow better estimation of the secure fraction of the sifted raw key (vacuum and single photon yields), which makes them a secure and practical implementation of QKD.
The security of decoy-state QKD was initially developed assuming the asymptotic-key regime 66,67 . For applications with finite statistics, uncertainties in the channel parameters cannot be ignored [68][69][70] . Early approaches in handling these finite key statistics used Gaussian assumptions to bound the difference between the asymptotic and finite results 71 . This restricts the security to collective and coherent attacks. Security analyses for more general attacks have also been developed 72 . The multiplicative Chernoff bound 39,71 and Hoeffding's inequality 33 can be used to bound the fluctuations between the observed values and the true expectation value. Recently, a more complete finite-key analysis for decoystate based BB84, with composable security, has been presented in ref. 36 , which uses the multiplicative Chernoff bound to derive simple analytic expressions that are tight.
Due to limited transmission times, satellite-based quantum communications are strongly affected by finite statistics. To model different SatQKD systems, we improve the analysis in ref. 33 with recent developments in modelling statistical fluctuations arising from finite statistics. This improvement leads to a more robust SKL and is imprinted through the finite statistic correction terms δ ± XðZÞ;k , which we define using the inverse multiplicative Chernoff bound 36,71 . Specifically, let Y denote a sum of M independent Bernoulli samples, which need not be identical. Denote y ∞ as the expectation value of Y, with y the observed value for Y from a single experimental run. The magnitude of difference between the observed and expected values depends on the statistics available. To quantify this deviation, we determine the probability that y y 1 þ δ þ Y is less than a fixed positive constant ε > 0, and the probability that y ! y 1 À δ À Y is less that ε. This is achieved through setting where β ¼ lnð1=εÞ 36 for the number of events and errors respectively in the X(Z) basis. From this, we define the vacuum and single photon yields, and the phase error rate of single-photon events using ref. 33 (see also pseudocode 1 in Fig. 8) that determines the finite key length. An important step in any QKD protocol is error correction. This necessitates classical communication, of λ EC bits, which are assumed known to Eve. This must be taken account of in the privacy amplification stage. While λ EC is known for practical implementations of the protocol, it must be estimated for the finite key optimisation. An overly conservative estimate would yield no key in a region of the parameter space where one should be viable. Conversely, an overly optimistic value for λ EC leads to spurious results. This highlights the importance of choosing a good estimate. It is standard to model the channel as a bit-flip channel 33,35 . This leads to λ EC ¼ f EC n X h 2 ðQÞ, where Q is the QBER and f EC the reconciliation factor. The value for f EC is chosen slightly above unity, e.g. 1.16. The use of a constant reconciliation factor is a simple way of accounting for inefficiency in the error correction protocol. This approach is normally sufficient when determining the optimal secret key length. However, for satellite QKD, one operates with high losses that are at the limit of where one can extract a key. As such, it is beneficial to use a more refined estimate of λ EC .
A better estimate for λ EC is given in ref. 35 . In this approach, the correction to n X hðQÞ depends on the data block size. In particular, λ EC ¼ n X hðQÞ þ n X ð1 À QÞ log ð1ÀQÞ where n X is the data block size, Q is the QBER and F −1 is the inverse of the cumulative distribution function of the binomial distribution. We utilise this definition to estimate the information leaked during error correction in the finite key regime. These post-processing terms define the attainable finite key, subject to rigorous statistical analyses. The key length is a function of the basis encoding probability, p X , the source intensities and their probabilities, {μ j , p j } for j ∈ {1, 2, 3}, and the transmission time window, Δt, used to construct block data for a satellite pass. Without loss of generality, we set the second decoy state intensity as the vacuum μ 3 = 0. For a defined SatQKD system, we generate an optimised finite key length by optimising over the parameter space of the six variables: {p X , μ 1 , μ 2 , p 1 , p 2 , Δt}. A baseline for system performance used in this work is detailed in Table 1 in the main text. This procedure can be generalised for any satellite trajectory. Fig. 8 illustrates a pseudocode of our numerical optimiser, which is available as open source software 55 .

Asymptotic key length per pass
In this section, we provide an operational definition for the asymptotic key length per pass and explain how it can be determined by adapting the finite key optimiser. Data is combined from multiple satellite passes. The optimisation over the protocol parameters is then performed on the combined results and a secret key is extracted. For the following, we assume that each satellite pass has the same trajectory. With minimal modification, this can be extended to varying satellite trajectories for each pass.
Denoting ℓ M as the SKL attained from M satellite passes, we saw in Fig. 6 that ℓ M ≠ Mℓ 1 . We also saw that the improvement to the SKL decreased with increasing number of satellite passes. This leads to a natural question: what is the largest attainable SKL per pass? This is given by the asymptotic secret key length ℓ 1 ¼ lim The key length, ℓ M , is found using equation (4), and the quantity ℓ ∞ is determined by examining the asymptotic scaling of ℓ M /M.
The estimate for the vacuum counts per pass is 33 , where n X,k is the number of sifted counts in the X-basis, from pulses of intensity k, τ 0 is averaged probability that a vacuum state is transmitted by the laser, Γ k ¼ expðμ k Þ=p k and δ ± X;k are correction terms that account for the finite statistics. In ref. 33 , δ ± X;k is derived from Hoeffding's inequality. A higher SKL is attained by instead deriving these correction terms from the multiplicative Chernoff bound 36 . The asymptotic scaling of these correction terms are Oð ffiffiffiffiffi n X p Þ. This scaling is independent of whether the Hoeffding and Chernoff bounds are used. This scaling implies that the scaling with the number of satellite passes is Oð ffiffiffiffi M p Þ. Hence, δ ± X;k =M scales Oð1= ffiffiffiffi M p Þ and thus tends to zero as M → ∞. The finite statistics correction terms thus go to zero, as expected.
Since each satellite pass is assumed to have the same orbit, the total number of counts accumulated n X;k is equal to M times the corresponding number of counts for a single pass, n ð1Þ X;k . From this, we obtain lim M!1 where s 1 X;0 is the asymptotic estimate of the vacuum counts for a single pass, which we define formally in the next paragraph. By following a similar process for each term in ℓ M /M, we obtain where ϕ 1 X ¼ ν 1 Z;1 =s 1 Z;1 is the phase error rate, s 1 X;1 , s 1 Z;1 and ν 1 Z;1 are the single pass asymptotic estimates for: the single photon counts in the X basis, the Z basis, and the single photon errors in the Z basis, respectively.
The asymptotic quantities: ν 1 Z;1 , s 1 X;0 and s 1 XðZÞ;1 , correspond to averaging the single pass quantities over infinitely many passes. More formally, let u 2 fϕ X ; ν Z;1 ; s XðZÞ;0 ; s XðZÞ;1 ; λ EC g, and let u (M) denote the quantity estimated using the full data from M passes. The asymptotic quantity is then defined as A refined estimate of λ EC and its upper bound on the asymptotic behaviour is provided in ref. 35 . From this, we determine that X hðQÞ, where Q is the QBER for a single pass. When running the finite key optimiser for the asymptotic key length per pass, we define Fig. 8 Pseudocode for the optimised finite key length. We consider a pulse repetition rate f s , M satellite passes in the plane offset by angle ξ from the zenith plane, and time dependent losses L. An elevation constraint of θ min ¼ 10 imposes realistic local constraints of establishing an optical link between the OGS and satellite. The key length is optimised over all protocol parameters and a transmission time window Δt over which the raw key is acquired. The correction terms δ ± XðZÞ;k for bases X(Z) and the intensities μ k are determined from the multiplicative Chernoff bound that account for finite statistics 36 .
X hðQÞ, which accounts for inefficient error correction even in the asymptotic limit.
Rather than looking at the key length per pass, it is also common to consider the key rate, i.e. the number of secret key bits per transmitted pulse. Let N be the total number of pulses transmitted by the satellite during a single pass. The key rate for M passes is just SKR M = ℓ M /(MN). In the limit of infinitely many passes, the asymptotic key rate is given by Notice that our analysis of the asymptotic secret key rate, SKR ∞ differs from the route often taken in the literature. Specifically, the asymptotic key rate can be determined as a function of different elevation angles. The data is then combined according to Eq. (1). While such an approach is possible if we extract keys for each angle of elevation, it is not appropriate for the current analysis, where we group all the data for a pass and then extract a key from the combined data.

Classical communications for SatQKD
In traditional fibre-based QKD, the cost of classical communications is often overlooked given the availability of the internet backbone. However, in SatQKD classical radio communications is often constrained due to restrictions in antenna size and power, and thus could possibly represent a bottleneck in the reconciliation process.
We estimate the classical communication capacity required for secret key generation in SatQKD. Using the baseline system parameters from Micius summarised in Table 1, we consider a system loss metric of η sys loss ¼ 40 dB for a zenith pass. For BB84 there are five stages requiring four distinct rounds of classical communication between the satellite (Alice) and the OGS (Bob) to process a block: 1. Alice to Bob: Prior to any classical transmission, Alice first encodes information in the polarisation basis of WCPs that are transmitted to Bob. Based on our finite key optimiser, the optimal time window for η sys loss ¼ 40 dB is a total of 200 s centred at zenith (Δt = 100 s) with signal parameters of μ 1 = 0.697364, p 1 = 0.738668, μ 2 = 0.159325, p 2 = 0.189355, μ 3 = 0, p 3 = 0.0720, and a basis encoding probability P X = 0.725313. This results in the expected detections by Bob of n X ¼ 536038 and n Z ¼ 203006 in the X and Z bases, respectively. 2. Bob to Alice: Bob needs to report to Alice the time-slot positions and basis values for each detection event. To specify a time-slot position requires a maximum of dlog 2 ð2Δtf s Þe ¼ 36 bits with a naïve encoding. Bob detected n B ¼ n X þ n Z ¼ 739044 events and uses 36 + 1 bits per event in his bit string which is < 27 Mb. 3. Alice to Bob: Alice confirms to Bob the time-slot of the detected events for which the bases matched. She also transmits along with each reconciled event the intensity of the pulse (2 bits), and if sent in the Z basis (1 bit), the sent bit value. After basis reconciliation there are on average n X = 388795, n Z = 55763 events in the X and Z bases, respectively. Alice reports n A = n X + n Z = 444558 events and uses at most 36 + 2 + 1 bits per event in her bit string which results in < 20 Mb data to be downlinked. 4. Bob to Alice: Bob now calculates the phase and bit error rates using Alice's reconciliation data and then transmits to Alice the parameters for the error correction code to use, e.g. which preagreed set of low density parity check (LDPC) codes to use, as well as the dimensions of the privacy amplification matrix, which require bit strings of size ≪ 1 kb. 5. Alice to Bob: Alice calculates the specified error correction syndromes and transmits the results to Bob who then performs the error correction on his side. We estimate the amount of syndrome data to be transmitted by the amount of leaked information, λ EC = 55360 bits, hence Alice sends < 60 kb down to Bob in this step. The total classical communication required in the above steps is less than 50 Mb (6.25 MB), of which~27 Mb is uplinked and~20 Mb is downlinked.
Note for the classical communication exchange in satellite QKD, steps two and three can start as soon as Bob starts receiving counts. However, steps four and five can only occur after Bob receives the final counts that make up the block, but the amount of data in these steps is minimal. This indicates that the bulk of the classical communication exchange can occur in parallel to the quantum transmission.

Expected annual SKL
We can estimate the expected annual secret key length from SKL vs ground track offset relation. Consider a satellite in sun synchronous orbit (SSO) at an inclination of~98 ∘ . For OGS latitudes below 60 ∘ , this can be approximated by a polar orbit (Fig. 9). The precession period of a SSO is one year, during which time the satellite makes~5500 orbits.
The striped purple ground path below the satellite is the key generation footprint. As the Earth rotates daily under the orbit of the satellite, the key generation footprint intercepts the line of latitude uniformly on average throughout the year. Note, this is under the assumption that the orbital period is not rationally related to the length of the solar day, i.e. not for a simultaneous SSO and Earth synchronous orbit. Since at low latitudes the distance around the line of latitude is greater than for higher latitudes, the key generation footprint represents a smaller fraction of the longitudinal circumference. Hence, on average, the satellite is more likely to pass close to the OGS at higher latitudes.

DATA AVAILABILITY
The data that support the findings of this study are available from the corresponding authors upon reasonable request. Fig. 9 Satellite key generation footprint. We consider a satellite in SSO with inclination 98°. The width of the striped purple arrow underneath the satellite orbit in the longitudinal direction defines the operational key generation footprint for a SatQKD system. For a near polar orbit, the density of satellite overpasses over high latitude locations is larger and hence the annual SKL is enhanced.