Finite key performance of satellite quantum key distribution under practical constraints

Global-scale quantum communication networks will require efficient long-distance distribution of quantum signals. Optical fibre communication channels have range constraints due to exponential losses in the absence of quantum memories and repeaters. Satellites enable intercontinental quantum communication by exploiting more benign inverse square free-space attenuation and long sight lines. However, the design and engineering of satellite quantum key distribution (QKD) systems are difficult and characteristic differences to terrestrial QKD networks and operations pose additional challenges. The typical approach to modelling satellite QKD (SatQKD) has been to estimate performances with a fully optimised protocol parameter space and with few payload and platform resource limitations. Here, we analyse how practical constraints affect the performance of SatQKD for the Bennett-Brassard 1984 (BB84) weak coherent pulse decoy state protocol with finite key size effects. We consider engineering limitations and trade-offs in mission design including limited in-orbit tunability, quantum random number generation rates and storage, and source intensity uncertainty. We quantify practical SatQKD performance limits to determine the long-term key generation capacity and provide important performance benchmarks to support the design of upcoming missions.

Satellites will be integral to a scalable architecture to expand the range of quantum networks to global scales, motivating the surge in recent activities in space quantum communications [14][15][16][17][18][19][20][21][22].Satellite-based quantum key distribution (SatQKD) is a precursor to long-range applications of general quantum communication [2,21].Although a general-purpose quantum network requires substantial advancements in quantum memories, multi-partite entangled state generation, routing techniques, and error correction [23], the development of SatQKD provides crucial knowledge and experience for global-scale quantum networks by developing the infrastructure and maturity of space-based long-distance quantum links.
Pioneering quantum communication demonstrations by the ∼650 kg Micius satellite showed that SatQKD and entanglement distribution is possible over record scales [15,24,25].Building upon these results, small satellite (<100 kg) missions are attractive due to lower development costs and faster development times compared with conventional large satellites.However, the limited size, weight, and power (SWaP) available on small satellites and reduced capabilities put them at a marked disadvantage versus larger satellites such as Micius.Despite this, feasibility studies for small-satellite-based QKD and in-orbit demonstration CubeSat-based pathfinder missions are promising [18,26].For low-Earth orbit (LEO) satellites, a particular challenge is the limited time window to operate a quantum channel with an optical ground station (OGS) [27,28].This limitation disproportionately constrains the volume of secure keys that can be generated due to a pronounced impact of statistical uncertainties in estimated parameters.Together with the constrained SWaP available, small-satellite missions operate under the framework of finiteresource quantum information.Understanding the impact of these constraints on SatQKD has received little attention and has both immediate and practical relevance to future satellitebased missions.Here, we fill this gap by establishing practical performance bounds on SatQKD operation under a representative set of physical resources.
The first constraint we consider is the limited practicality of reconfiguring all QKD protocol parameters in-flight and on a pass-by-pass basis.SatQKD modelling often does not consider this, optimising the secret key length (SKL) over the entire parameter space of the protocol for each pass scenario [29,30].It is more realistic to consider a number of parameters as fixed, that include the operating basis bias at the OGS and the transmitted intensities.Parameter fixing has been explored in the context of terrestrial free-space QKD [31].In SatQKD the highly variable channel losses in SatQKD with fixed parameters require more sophisticated modeling and analysis.The limited transmission times of SatQKD further make these effects more pronounced, highlighting the importance of considering limited system adaptability.We consider a second constraint from small satellite SWaP envelopes that may limit the quantum random number generation (QRNG) subsystem driving a prepare and measure source.This directly impacts the achievable SKL by limiting signal transmission.
We start with an overview of our SatQKD system modelling and the protocol optimisation in section II.Given the recent progress of SatQKD sources, we explore the effect of the repetition rate on key length in section III A. Here, we highlight the impact of finite-key effects and establish minimum source rates based on tolerance to operational losses.Given the difficulty of implementing a SatQKD system where all parameters can be reconfigured for different overpasses, section III B explores the impact of fixed parameters on the key length.In Figure 1.General satellite overpass geometry.The satellite reaches a maximum elevation of  max , corresponding to the minimum OGS ground track distance,  min .The smallest  max that generates a non-zero finite key is denoted  − max and characterises the operational SatQKD key generation footprint 2 + min .
particular, we fix the signal intensities and the receiver basis bias.In section III C, we explore SKL generation for restricted QRNG resources and illustrate the significant impact of limited random bit generation rates on the SKL.We also determine the minimum memory storage required for non-zero finite key extraction for one overpass.Section III D explores the impact of intensity uncertainties due to limited onboard monitoring accuracy.Conclusions and discussions are provided in section IV, where we provide key conclusions to help overcome these limitations for future SatQKD systems.

II. BACKGROUND AND SYSTEM MODEL
In this section, we detail our method to model channel losses, how to determine the SKL, and the optimisations considered in this work.The secret key length (SKL) achieved with the efficient BB84 protocol from a single overpass is calculated taking into account finite block size effects.

A. System model
We consider a satellite in a circular Sun-synchronous orbit (SSO) of altitude ℎ = 500 km implementing downlink QKD to an OGS during the night to minimise background light.The elevation and range of the satellite-OGS channel are calculated as a function of time for different satellite overpass geometries and ground track offsets,  min , and maximum satellite overpass elevations,  max (Fig. 1).Different satellite overpasses have different values for  min .This means  min can be used to characterise each overpass.In fact, for a fixed orbital altitude, the ground track offset  min and the maximum elevation angle,  max , are equivalent.The ideal overpass corresponds to the satellite passing the OGS directly overhead, or zenith ( min = 0 m,  max = 90 • ), since it provides the longest transmission time and has the lowest average channel loss.Generally, a satellite will not pass zenith but will reach a maximum elevation  max (<90 • ).We consider a minimum elevation transmission limit of  min = 10 • that reflects practicalities such as local horizon visibility and system pointing limitations.
The instantaneous link efficiency depends on the elevation  (), the range () between the satellite and OGS, and source wavelength , and is used to generate count statistics.For a fixed orbital altitude, the satellite-OGS range is implicitly defined through the satellite's elevation.The link efficiency is then defined as (in dB), where  diff ,  atm , and  int are losses from diffraction, atmospheric scattering and absorption, and a fixed 'intrinsic' system efficiency respectively.To characterise the overall system electro-optical efficiency independent of satellite overpass trajectory, we define the system loss metric,  sys loss , as the total instantaneous link efficiency at zenith.Diffraction losses are estimated using the Fraunhofer approximation to the Rayleigh-Sommerfeld diffraction integral to determine the power at the receiver,   , which is normalised by the power at the transmitter,   such that  diff = −10 log 10 (  /  ).Atmospheric absorption and scattering losses are calculated using  atm = −10 log 10   , where the transmissivity,   , is determined using MODTRAN for a given wavelength and elevation [32].The 'intrinsic' system loss,  int , accounts for: fixed losses inherently built into the system due to detector efficiency, internal losses of the receiver; pointing losses; and imperfect non-diffraction-limited beam propagation, and is conservatively set to 20 dB to model a SatQKD system with overall  sys loss = 40 dB.Different SatQKD systems with various fixed losses can be modelled by scaling the  sys loss value.See Methods 1 for more detail on loss modelling.
The link loss characterises the probability that a single photon transmitted by the satellite is detected by the OGS.A lower dB value of  link represents smaller loss due to better system electro-optical efficiency.This improvement could stem from the use of larger transmit and receive aperture diameters, better pointing accuracy, lower receiver internal losses, and higher detector efficiencies.Internal transmitter losses are not included since they can be countered by adjusting the weak coherent pulse (WCP) source to maintain the desired exit aperture intensities [33].We also do not explicitly consider time-varying transmittance, modelling the average change in channel loss due only to the change in elevation with time.For discrete variable QKD (DV-QKD) protocols, e.g.BB84, channel transmissivity fluctuations do not directly impact the secret key rate, in contrast to continuous variable QKD where this appears as excess noise leading to key reduction [34,35].
We model a small satellite QKD system, for example [36], implementing a decoy-state BB84 protocol in a downlink configuration for QKD service provision using a WCP source.We consider a source wavelength of  = 785 nm, a transmitter (receiver) aperture diameter of 8 cm (70 cm), and a Gaussian  I. beam waist of 8 cm.Our general analysis is wavelength agnostic, but we specifically analyse  = 785 nm as this is representative of several missions currently in development [26,36,37], partly due to favorable atmospheric transmission and the availability of relevant sources and detectors [33].Fig. 2 illustrates the modelled transmission loss and link efficiency for different overpass geometries.
In addition to this link loss, we include several error sources.First, after-pulsing in a photon detector can have adverse effects on the estimate of click statistics.While the after-pulsing probability is detector and operating condition dependent, we take a value of 0.1%, which is consistent with the literature [38][39][40].Second, the intrinsic quantum bit error rate, QBER I , is defined as the lumped error from source quality, receiver measurement fidelity, basis misalignment, and polarisation fluctuations [41].Finally, we define the extraneous count probability,  ec , as the sum of dark and background light count rates and is assumed constant and independent of elevation.Together, these losses and errors provide a complete characterisation of a SatQKD system and are summarised in Table I.
Before concluding this section, we note that our current analysis could be extended to model an uplink channel by using a suitable link-loss model (loss vs elevation).A groundto-satellite link will increase channel losses due to the shower  curtain effect.While turbulence is highly dependent on elevation, it generally leads to an additional 20 dB of loss compared to a downlink channel [33].

B. The protocol and secret key length
The QKD protocol we investigate is efficient Bennett-Brassard (BB84) with two decoy states, i.e. three different pulse intensities [19,38,[42][43][44][45].In this protocol, the transmitter (Alice) and the receiver (Bob) encode bits within one of two polarisation bases, denoted X and Z.We adopt the convention that the X basis is used for key bits, while the Z-basis is used to detect an eavesdropper through the phase error rate.Alice prepares bits in the X-basis with probability   X , while Bob measures within the X-basis with probability   X .It is standard to take   X =   X =  X , however, in general it is possible that   X ≠   X , particularly if one probability is fixed due to practical considerations [31].We consider phase-randomised coherent pulses where the intensity (mean photon number)   ∈ { 1 ,  2 ,  3 } is randomly chosen with probability    .There are alternative carriers to phase-randomised coherent pulses.True single-photon sources could be considered [46][47][48][49], amongst others [1], though these are at a much lower stage of maturity, for terrestrial or space applications, compared with WCP sources.
After the quantum signals are transmitted from Alice to Bob, they perform a standard reconciliation procedure to correlate detection events with transmitted pulses, basis matching, intensity announcement, and parameter estimation.Only the bits in the X-basis are used for the key, while the Z-basis bits are made public.The raw key is formed by performing error correction on the X-basis bits, which necessitates the public exchange of  EC bits in the information reconciliation phase.In practice, the value of  EC is known from the error correction communication, but for the purposes of modelling we use an estimate that varies with the block size, quantum bit error rate, and the required correctness parameter [50].This estimate generates suitable values for the error correction efficiency for SatQKD data representative of current engineering efforts and capabilities (see Methods 2 for a detailed discussion and demonstration).The results for the Z-basis are used to estimate parameters such as the number of bits from vacuum events,  X,0 , the number of bits from single photon events  X,1 , and the phase error  X .The exact formulas for these terms are provided in Ref. [29], which is based on Refs.[19,42].After privacy amplification, the final SKL, ℓ, is given by [42] where ℎ() = − log 2 () − (1 − ) log 2 (1 − ) is the binary entropy function, and  s and  c are the composable security and correctness parameters respectively [42,51].We can maximise the SKL, Eq. ( 2) by optimising over the protocol parameters   ,   , and  X for a given satellite-OGS overpass, system link efficiency, and system configuration (as in Table I).The value of  3 is set to vacuum since this helps with the estimate of the vacuum counts,  X,0 [42].The transmission time window from which the finite block is constructed is an additional important optimisation parameter to maximise the achievable finite key [29].This is because, under finitesize security analysis, higher QBER increases the minimum raw key length necessary for non-zero key length extraction due to less efficient reconciliation and post-processing overheads.However, taking the largest block size permitted by a satellite overpass is sometimes not the best strategy.This is since data from lower elevations have both smaller count rates and higher signal QBER, which increases the average channel QBER and may offset any improvements to the SKL from larger block sizes.We define the processing block transmission time window to run from −Δ to +Δ, such that the total transmission time is 2Δ with  = 0 corresponding to the time of highest elevation  max .The SKL in Eq. ( 2) is additionally optimised over discretised values for Δ, and the value for Δ chosen that yields the largest SKL.This full optimisation is performed in version 1.1 of the Satellite Quantum Modelling and Analysis (SatQuMA) software [30].For more details on the software and the numerical optimisation see Refs.[29,30].
This fully optimised scenario yields an upper bound to SatQKD performance.In practice, these bounds may be diffi-cult to achieve due to constraints and trade-offs in the mission design and operation.In the following section, we provide an overview of modifications to the optimisation problem with constraints that closely reflect operational considerations for the derivation of realistic performance bounds.

C. Practical optimisation of the secret key length
The original protocol parameter optimisation problem is modified to handle different numerical investigations.Though classical communication constraints are important for SatQKD operations, we do not consider these limitations (see Ref. [29] for a brief discussion).First, section III A introduces the sourcerate normalised SKL to illustrate the impact of finite-key effects on the SKL and to provide an informed decision on the source rate to consider for the remainder of the work.Second, section III B fixes the values of the signal intensity  1 , decoy intensity  2 , and the receiver basis bias   X , since it may not be practical to change these parameters on a pass-by-pass basis in an operational system.The transmitter and receiver basis biases are allowed to differ, i.e.   X ≠   X , to model a fixed OGS basis bias and adjustable transmitter bias.The SKL is then maximised over the remaining protocol parameter space defined by the set {  X ,   1 ,   2 , Δ}.The fixed values for   X ,  1 , and  2 are set to those that maximise the expected annual SKL through a procedure detailed in Methods 3. Third, section III C explores the impact of QRNG subsystem limitations that may constrain the number of signals that can be transmitted during an overpass.This is modelled using a finite-sized onboard random number memory store, corresponding to an associated transmission cutoff time, from which we determine the reduction in long-term average key generation rate.We also determine the minimum memory buffer required to generate non-zero SKL.Finally, in section III D, we consider the effect of pulse intensity uncertainties on the secure key that can be extracted taking into account reduced intensity knowledge.For this, the signal and decoy state intensities are sampled between a range that depends on the uncertainty percentage of the intended intensity values.

A. Source rate
Micius performed finite key generation with a 100 MHz source repetition rate, later upgraded in-flight to 200 MHz [39].Miniaturisation of such high-speed sources enables their use on small satellites.For example, increasing the source repetition rate leads to a larger block size that reduces statistical uncertainties in parameter estimation, hence a higher finite key rate.This expands the pass opportunities that result in non-zero secret keys, enhancing the robustness and effective key transmission footprint of a SatQKD system [29].In addition, the use of high-speed sources can help higher altitude SatQKD operation by partially compensating for increased channel losses [29].In this section, we investigate the effect Source repetition rate, f s (Hz) SKL/f s (bs) of operating source rate,   , on the robustness of SatQKD systems to channel loss in the finite key regime.
To evaluate finite key efficiency, Fig. 3 illustrates the source rate normalised SKL as a function of source rate for a zenith overpass (solid lines) and a satellite overpass with  max = 30 • (dashed lines) for three different system configurations of {QBER I ,  ec }.For a given time window Δ, the block size increases with increasing   , which improves the normalised finite SKL.This improvement indicates a critical value  crit  below which finite key effects overwhelm raw key transmission and the distillable finite SKL is zero.For   <  crit  , this key suppression region is illustrated in shaded blue for System A with QBER I = 0.1%,  ec = 1 × 10 −8 , and  max = 90 • .Above  crit  , we note the SKL scales super-linearly with the source rate due to multiple improvements in parameter estimation, error correction efficiency, and reduced overhead of the composable security parameters with increasing block length.The vertical gray line in Fig. 3 corresponds to 500 MHz, well outside the key suppression region, that we take as a representative value for a near-term small satellite source.This provides robustness against a range of typical extraneous counts and intrinsic QBERs expected in SatQKD and provides feasible finite key generation for a single satellite overpass, but is compatible with modest receiver detectors.Higher source rates, though providing larger key lengths, require lower detector timing jitter.Silicon single-photon avalanche photodiodes (Si-SPADs) typically have timing jitter in the order of ∼ 0.5 ns [52] compatible with coincidence windows of ∼ 1 ns and interpulse separations of 2 ns.Extending clock rates to the GHz range requires lower timing jitters such as provided by superconducting nanowire single-photon detectors (SNSPDs) [53] at the expense of greater SWaP and cost (SWaP-C) owing to the need for cryogenic operation and single mode coupling that raises further system design issues.Therefore, the following analysis will assume a source rate of 500 MHz unless stated otherwise given it balances the tradeoff between detector performance requirements, hence SWaP-C, and count rate.

B. Impact of parameter fixing
SatQKD modelling often involves optimising the operational parameter space associated with the protocol and system configuration to maximise the number of finite keys generated.However, achieving these optimised key lengths assumes all parameters can be easily changed to operate at their optimised values.It may be desirable on cost, complexity, and robustness grounds to deploy SatQKD systems with limited reconfigurability, motivating analyses where some parameters are fixed.First, the OGS basis choice is often implemented passively using a fixed beamsplitter.Thus, changing receiver basis bias by physically swapping out the beamsplitter for different optimised values on a per-pass basis may be impractical in live deployment.A variable beamsplitter could be considered but with cost, complexity, and performance considerations.Note that the transmitter basis bias can be easily adjusted in the random bit generation and processing of the data used to control the source, hence we consider this parameter to be easily varied.Second, all the operational pulse intensities   may be fixed pre-flight to avoid more complex source driving systems with increased SWaP-C and reliability concerns.Since the optimal decoy-state intensities strongly depend on the channel loss, background counts, and the satellite's orbital trajectory, fixed values may significantly impact the SKL.
In this section, we determine the impact of these engineering constraints on the finite SKL.We constrain the receiver basis bias and decoy-state intensities to certain fixed values, such that   X = {0.3,0.5, 0.7, 0.9} (commonly available beamsplitter splitting ratios) in addition to the ideal value of   X = 0.84 that corresponds to a custom beamsplitter and { 1 ,  2 ,  3 } = {0.71,0.14, 0}.The derivation of these ideal values can be seen in Methods 3 for fixed parameter optimisation that maximise the long-term average SKL.For these fixed values, Fig. 4(a) illustrates the finite SKL as a function of different satellite overpasses.Despite this restriction, we note it is possible to generate near-optimal SKLs across a wide range of elevation angles.Further, increasing the OGS bias can generate higher finite SKL.However, we observe that for a choice of   X = 0.9, it is not possible to extract a secret key at lower  max .This suggests that choosing too large an OGS bias can reduce the key generation capacity, owing to fewer overpasses opportunities that generate a non-zero key.To understand this effect, we recall that a larger receiver basis bias corresponds to a smaller portion of received bits dedicated to parameter estimation.Therefore, choosing a large OGS basis bias at larger average channel QBERs leads to less efficient parameter estimation, which generates zero secret keys.SatQKD systems should therefore carefully choose the fixed OGS bias to address the tradeoff between a maximised single pass SKL and the long-term key generation capacity.Notice that the secret key length for   X = 0.7 is approximately the same as for   X = 0.9, but with non-zero keys at lower elevations.Fig. 4(b) illustrates the optimal   X values that maximise the SKL as a function of elevation angle for each fixed value of the receiver basis bias.We first note the basis bias for the transmitter and receiver are generally different, which differs from the usual case considered in the literature.The value of   X can vary to compensate for the fixed value of   X .One can show that if both   X and   X can vary freely, then the optimal raw key length is found for   X =   X [31].From Fig. 4(b) we find that for   X = 0.3 and 0.5, we observe that   X >   X .This suggests that a small fixed receiver basis bias leads to too large a portion of signals dedicated to parameter estimation, which is compensated for by choosing a large transmitter basis bias.Equally, for   X = 0.9 we observe that   X <   X .This clearly demonstrates that when we fix   X , then choosing an equal basis bias is not optimal.However, when we are free to optimise both   X and   X , then choosing   X =   X is optimal [31].Despite the impracticality of implementing a fully optimised parameter space, we find a number of ways SatQKD missions can enhance finite key generation.This involves careful selection of   X that maximises both the single-pass SKL and the long-term key generation capacity and careful selection of the decoy-state intensities that can counter the effects of large channel losses.

C. QRNG subsystem limitations
Prepare and measure protocols require random bits for the preparation of signal states.QRNGs with the required rate to feed a high-speed source in real time may incur significant onboard processing resources and SWaP.Alternatively, the random bits can be generated at a much slower rate with less resource-hungry QRNGs prior to the overpass, assuming that the transmission time duty cycle is small compared to the total orbital time.For this latter situation, we consider limits on the amount of onboard storage for random bits to drive the source, often limited on small satellites.This constrains the amount of reconciled data established between a satellite and OGS, thus directly impacting the achievable SKL per pass.Unlike in previous sections where we assumed the source can run indefinitely, in this section, we extend our analysis to model the impact of varying memory storage limits of cryptographically secure random bits on the final SKL.
For a two decoy-state weak coherent state protocol, each pulse consumes four random bits; one for the basis choice, one for the key value, and two for the intensity choice.For the efficient BB84 decoy-state protocol, the basis choice bit and the intensity bits are biased.In general, it takes at most two unbiased bits on average to generate one biased bit [54], hence each pulse requires up to seven unbiased bits from the quantum random number generator (QRNG), though only four bits need to be stored after biasing.At 500 MHz source rate, this requires 2 Gb/s of stored random bits to drive the source.Therefore, a zenith pass with a maximum overpass duration of 444 s (accounting for a minimum elevation limit of 10 • ) requires a minimum availability of 111 GB of random bits.Current state of the art in space-validated QRNGs can achieve rates of 1-20 Mb/s [55,56], which falls short to support complete transmission, and thus necessitates a buffer.
First, we examine the effects of a limited random bit memory buffer on the finite key.An 8 GB buffer can support up to 32 s transmission time for a 500 MHz source, which is much shorter than the maximum overpass duration of 444 s.Fig. 5 (left-hand axis) shows the per-pass SKL for different memory buffers as a function of overpass geometry ( min ,  max ).A larger memory buffer permits longer transmission times, which enhances the finite SKL and extends the operational footprint of the SatQKD system.Second, we determine the minimum memory buffer required to yield non-zero finite keys for different overpasses.For a given overpass, the smallest block size that yields a nonzero finite key defines the smallest operational time window,  min , that should be supported by the onboard storage.This provides a measure of the memory buffer requirement for a SatQKD mission, given by    min /2 Bytes.The right-hand axis of Fig. 5 illustrates the minimum memory buffer required A larger memory buffer permits a longer transmission time, which extends the operational footprint of the SatQKD system.Further, a larger minimum memory buffer requirement is observed at larger ground track distances to generate non-zero finite keys.This provides an indication of SatQKD system specifications.
for different satellite overpass trajectories.The demand for larger onboard storage requirements increases with increasing ground track distances.This is because satellite overpasses with larger ground track distances require larger minimum transmitted signals to overcome the larger average channel losses and generate a non-zero finite key.
Third, to quantify the overall impact of limited memory buffers on the SKL, we estimate the annual amount of secret keys that can be generated using methods from Ref. [29].For a Sun-synchronous orbit and neglecting weather effects, the expected annual key for single overpass blocks with an OGS site situated at a particular latitude is approximated by [29] SKL year =  year orbits where SKL int is twice the integrated area under the SKL vs  min curve in Fig. 5 (units of bit metres),  year orbits is the number of orbits per year, and  lat is the longitudinal circumference along the line of latitude at the OGS location.Fig. 6 illustrates how SKL year varies as a function of the memory buffer for an OGS at a latitude of 55.9 • N (latitude of Glasgow).For our reference configuration (System D) with  sys loss = 40 dB, SKL year is 0.81 Gb (3.94 Gb) for a memory buffer of 8 GB (32 GB) respectively.For comparison, without QRNG limitations, SKL year is 6.44 Gb.Fig. 6 also shows the gains to SKL year from better performing sources and detectors.Comparing Systems B and C shows a crossover in their SKL year at around 32 GB, highlighting an important tradeoff between the operational performance of sources and receiver for fixed memory buffers.Namely, SatQKD systems operating with constrained memory buffers should focus on improving sources (minimising QBER I , System C).This is because small memory buffers Memory buffer (GB) Annual expected SKL (Gbits) can only support a short signal transmission time around the maximum elevation of a satellite's trajectory, where losses are minimised.Improving the performance of the source leads to a direct improvement of SKL year .Conversely, SatQKD systems not constrained with memory buffers have a larger operational footprint that maximises the number of overpasses that generate non-zero finite keys.Improving the key generation of these systems can be supported through improved receivers with reduce  ec (System B).
We note that a higher source rate,  s , can improve the satellite overpass opportunities that generate a non-zero finite key and reduce the required memory storage.For the number of transmitted signals enabled by a limited memory buffer, a higher rate allows signal transmission over a shorter time window around  max , where the satellite-OGS range is at its smallest, corresponding to a lower average loss.This improves both the received block length and the overall error rate.Also, the minimum amount of buffer required to generate the secret key is reduced due to more efficient transmission during the lower loss segment of an overpass.To illustrate this, consider a zenith pass with time-window of 444 seconds and a source with repetition rate of 100 MHz, which requires 22.2 GB of random bits.If the repetition rate is increased to 500 MHz, then the same data can be transmitted in 88.8 seconds, five times less.One can thus focus the transmission at higher elevation angles, which have less loss and lower errors.The raw data for the 500 MHz source leads to a greater amount of secret key.It follows that a 500MHz source could generate the same key length as a 100 MHz source, using fewer pulses and therefore fewer random bits.

D. Source intensity uncertainties
Standard analyses of WCP decoy-state BB84 protocols usually assume perfect device operation leading to idealised key rates with optimised intensities.We can consider various de- viations from ideality, such as a source with fixed and known intensities operational during the entire integration time of a satellite overpass.Active stabilisation of pulse intensities by continuous monitoring and feedback is possible [57] but may be limited by inherent power monitor measurement uncertainties.Instead, instantaneous offsets and long-term drifts in the intensity values lead to parameter uncertainties that are an important departure from the fixed operating intensity assumption, which directly impacts the security of distilled finite keys for two reasons.First, source intensity uncertainties can be exploited in general attacks [58] which may be exacerbated in SatQKD with small block sizes.Second, the estimated vacuum and single-photon yields will differ significantly from true expectation values, potentially leading to an underestimation of the required privacy amplification to ensure security.
Several recent works have looked at this general problem by accounting for the uncertainties in source intensities directly within the parameter estimation [14,[59][60][61][62].This changes the estimates of the quantities that appear in Eq. ( 2) and could also change the secret key formula itself.A different scenario has also been considered [31] where the existing formalism described in Refs.[29,42] is used, but where one assumes that the true intensities are uncertain, though not necessarily fluctuating during a transmission block.This uncertainty results either from measurement uncertainties in the power monitors or from drifts in the calibration settings.We note that in [31] the channels did not vary in time during a transmission block, in contrast to the SatQKD case that we consider here.
In this work, as in [31], we model the impact on the SKL of uncertainties in the source intensities, where we have an upper bound to on the possible deviations of   from the assumed/measured values.Our approach models the case where the fixed intensity values have a constant and unknown offset from their intended values.The intensities can vary from the intended values by a maximum fraction  of the intended values during an overpass.The probability of the intensity values exceeding the range defined by  must be less than the advertised probability of the protocol being insecure, which is determined by  s .These uncertainties are considered separately for the signal and decoy states  1 and  2 respectively, but not for the vacuum state, since any deviations in the vacuum state due to extraneous counts have already been considered.Crucially, we consider independent uncertainties for  1 and  2 for all four encoded bit values.This is a more pessimistic approach than in related works, such as [62], where it is assumed that the uncertainties for   are the same for each bit value and basis.Each intensity value is then sampled independently in the range   ±    to determine each signal state.Since the true intensity values are unknown to Bob, we take the worst-case combination of deviations that reduces the SKL as a conservative estimate while ensuring security.The range   ±    is sampled using different numbers of points, though it was found that only 3 points were sufficient to find the worstcase SKL.Fig. 7 illustrates the SKL as a function of  max for at most a 5% and 10% uncertainty in the source intensities.To quantify this reduction, a 5% and 10% uncertainty in the source intensities reduces the annual SKL by a significant factor of 2 and 43 respectively.From this reduction, it is clear that source intensity uncertainties have a profound impact on the attainable SKL that significantly reduces the SatQKD operational footprint.For large uncertainties, it is therefore likely that the SKL will be zero for many of the satellite overpass opportunities.This highlights the importance of including the effects of uncertainties in the description of the power monitors.Active stabilisation of intensities in conjunction with high-accuracy power monitoring is important to allow operation close to the desired performance.

IV. DISCUSSION
Existing analyses of satellite-based QKD (SatQKD) assume an ideal, fully optimised parameter space to determine the maximum finite key rate.In practice, it is difficult to engineer the control of each parameter for different satellite overpasses.Therefore, these analyses effectively serve as an upper bound to the expected performance of SatQKD.We show that SatQKD operates with limited operating margins.It is therefore of immediate practical relevance to investigate the performance of SatQKD with a reduced parameter space optimisation to reflect restrictions on system operations and deployment, and to understand its robustness to additional losses and system imperfections.Further, the limited volumetric space, weight, and power (SWaP) available on small satellites provide limited physical resources that further depart from the ideal scenario of a fully optimised parameter space.We fill this gap by establishing practical SatQKD performance limits that reflect the nature of current engineering efforts and evaluate the impacts of limited resources on the long-term finite secret key length (SKL) generation capacity.
First, we model the impact of a fixed receiver basis bias   X and pulse intensities   on the SKL given the impracticality of their dynamic control during transmission.The SKL can be enhanced through carefully selecting the operating values of the fixed parameters.We develop a natural approach to determining the ideal fixed parameter values, based on maximising the expected annual SKL, which can be readily generalised to any parameter set.For the nominal system specifications denoted in Table I, this leads to the fixed parameter set {  X ,  1 ,  2 } = {0.84,0.71, 0.14}, corresponding to the receiver beamsplitter basis bias, and signal and decoy state intensities.Despite these fixed values, we find it is possible to generate near-optimal SKLs across a wide range of overpass maximum elevation angles.While larger   X can generate larger SKL at high elevations, it does so at the expense of zero secret key at lower elevations due to worse parameter estimation.SatQKD missions should therefore carefully choose the fixed OGS bias to address the tradeoff between a maximised single-pass SKL and the long-term key generation capacity.Our optimal fixed value of   X = 0.84 balances this tradeoff to achieve close to optimal performance with fixed intensities.The optimum set of {  X ,  1 ,  2 } will require re-evaluation for different SatQKD systems, especially in a large-scale network with several OGSs and a heterogenous space segment.Further trade-offs will have to be considered to establish a set of standard system parameters based on operational and application-specific factors.
Next, we illustrate the significant impact of limited QRNG resources that drive the source on the expected annual SKL.For the nominal system, increasing the memory buffer from 8 GB to 32 GB substantially increases the expected total annual SKL from 0.81 Gb to 3.94 Gb, corresponding to 3.16 × 10 6 and 1.54 × 10 7 AES-256 encryption keys respectively, though there are diminishing returns for larger buffers.This insight has significant implications for design trade-offs.We provide the minimum memory buffer required to yield non-zero finite keys for different overpass geometries, providing an important benchmark to support the design of upcoming SatQKD missions.For missions with higher altitudes and source rates, the QRNG subsystem for prepare-and-measure protocols will be increasingly crucial for sustained operations.High-speed QRNGs with sufficient rate for real-time driving of the source, together with ring-buffers and real-time reconciliation would obviate the need for extremely large random number stores, but will have further system design implications for SWaP-C and required communications capabilities.
Finally, we investigate the impact of uncertainties in the signal and decoy state intensities on the SKL.Maintaining fixed intensity values require perfect sources during the entire integration time of a satellite overpass.In practice, imperfect knowledge of the transmitted state intensities directly impact the security and amount of distilled finite keys whilst maintaining security.We find that these uncertainties have a profound impact on the SKL and highlight the importance of the accuracy of power monitors.Actively stabilising the intensities close to their intended values is also important to approach the optimal performances as modelled.
This study opens up a number of interesting open problems that would extend the scope and applicability of this work.First, a more comprehensive quantum channel model that includes elevation and azimuthal-dependent background light distributions, cloud cover, seasonal weather effects, and other location-dependent effects would provide a more representative performance analysis for detailed OGS siting studies.
Second, different orbits and altitudes could also be modelled, the optimum altitude to maximise the integrated key generation footprint, hence its expected annual SKL, could be derived in particular.Third, implementing error correction and privacy amplification can be demanding for SatQKD.While these steps do not have to occur during the quantum transmission phase (the limited overpass time and quantum optical channel is the main bottleneck we consider in this work), modelling any inefficiencies would warrant an analysis in its own right.In particular, exploring the impact of limited resources to efficiently implement and measure error syndromes could impact the security and correctness of finite keys.Finally, an interesting extension toward the aim of establishing a global quantum network would be in exploring additional cost and performance trade-offs to reveal deeper insights into performance bottlenecks in SatQKD.

Loss modelling
In this section, we introduce the notation and the underlying loss model.In particular, we provide details on our model for the elevation and wavelength-dependent losses for any satellite overpass geometry.Recall that to determine the finite key, we need to determine the expected detector count statistics as a function of time and the operational source wavelength .Therefore, we first determine the instantaneous link efficiency as a function of elevation  (), range (), and source wavelength , which captures all systematic and channel losses.Our method to determine the link efficiency differs from our approach in Ref. [29] where we used empirical results published by Micius.In this work, we use a more physically motivated approach that will allow greater flexibility in the analysis and applications that can be considered, such as the effects of OGS positioning.Despite this change, the results of the two methods closely match for elevations above 10 • which provides confidence in the new approach.
We write the link efficiency as in units of decibels (dB) and where we have three distinct loss contributors.The first term  diff defines losses from diffraction effects,  atm from atmosphere effects that include scattering and absorption, and  int defines a fixed elevation-independent intrinsic system efficiency corresponding to internal losses, and beam misalignment.Eq. ( 4) provides a general approach to modelling losses for any SatQKD system.Once a satellite overpass trajectory is defined, we use Eq. ( 4) to determine the loss for every second of the overpass to estimate the total count statistics.A single block is then constructed from the entire overpass data, and finite statistics incorporated to maintain composable security.Details for each loss contributor are provided below.

a. Diffraction losses
A dominant contribution to loss is diffraction, which broadens the beam after the signal propagates through the satellite's transmitter aperture,  X .The amount of beam broadening depends on a number of factors, including the channel range (),  X , and the source wavelength .Here, we take a standard approach to estimate diffraction losses by calculating the far-field Fraunhofer diffraction of a initial truncated Gaussian field distribution with a beam waist of  0 at the transmission aperture.We calculate the probability that a single photon exiting the transmit aperture is collected by the receiver aperture from the ratio of the integrated power density across the transmitter aperture,   , and the receiver aperture,   , Since we are using a weak coherent pulse (WCP), there is no optimal beam waist provided there is no constraint on beam power [33].For a downlink configuration with a WCP source, it is optimal to have the beam waist be as large as possible to achieve close to ideal far-field diffraction.However, practical constraints on the source power will impose a limit to flatness of the Gaussian across the transmission aperture.Therefore, we set the beam waist to be in the order of the transmitter aperture diameter,  0 =  X /2.The impact of a central beam obscuration due to secondary mirrors typical of Cassegraintype reflecting telescopes could be considered [33] but has no significant impact on the analysis.

b. Atmospheric attenuation
The second contributor to the instantaneous link efficiency arises from atmospheric attenuation from absorption and scat-tering from molecules and particulate matter.The magnitude of these atmospheric losses depends on the wavelength and the satellite's elevation, which determines the length of the quantum channel through the atmosphere.We use MODTRAN to model atmospheric propagation and determine the transmissivity,   (), for a given wavelength as a function of elevation.MODTRAN is a software that solves the radiative transfer equation to provide a standard atmospheric band model [32].
The atmospheric loss contribution is then calculated from the transmissivity,  atm (, ) = −10 log 10 (  ()) , where the wavelength and elevation dependence is made clear.

c. 'Intrinsic' system loss
The final loss contributor is denoted the 'intrinsic' system loss  int that combines several sources.We simplify the analysis by taking this to be fixed, i.e. elevation/time independent.Within our loss budget, the intrinsic system loss combines two distinct loss contributors.First, we conservatively assign a fixed loss of 12 dB to the overall electro-optical inefficiency of the OGS system, which is comprised of 3 dB each from, 1. photon detection efficiency Si-SPAD, 2. quantum receiver optics, 3. collection telescope, 4. interface and adaptive/tip-tilt optics between telescope and quantum receiver.
We also lump together losses due to an imperfect, nondiffraction limited, beam (beam quality parameter  2 > 1), turbulence induce beam wander and spreading, and transmitter pointing errors.For simplicity, we assign a fixed and conservative value of 8 dB to such non-ideal beam propagation induced losses.Therefore, in this work, we set which brings the total minimum loss at zenith to  sys loss = 40 dB.Elevation dependence of the turbulence-induced losses has been considered in other works but is neglected for the moment in this work.More detailed modelling of turbulence and pointing losses can be found in [63] and references therein.Under-estimation of these losses is compensated in part by conservative estimates made elsewhere in  int .
Note that these are conservative estimates that may be more indicative of practical SatQKD systems.If we are able to engineer better performances and achieve highly optimised operation, then we can further reduce the receiver and transmitter apertures for increased portability, while maintaining the values of  sys loss analysed here.These losses are consistent with the recent mobile OGS designed for the Micius mission [64].

Error correction for one-way information reconciliation
An important step for any QKD protocol is error correction, which identifies and corrects errors due to vacuum events and transmission errors.For this step, Alice and Bob publicly announce  EC bits that are assumed known to Eve through a round of classical communication.The number of bits  EC depends on the error rate, which is a practical implementation we estimate during the parameter estimation stage.For our simulation, we use an estimate of  EC that varies with the quantum bit error rate (QBER), , and the data block size,  X .A common approach to modelling the number of error correction bits required during information reconciliation is through  EC  X ℎ(), where  EC is the reconciliation factor efficiency and we recall that ℎ() is the binary entropy function.The value for  EC is crucially larger than unity, and often chosen within the range 1.05 to 1.2, to account for inefficiencies in the error correction protocol.While this approach is well-suited to determining the optimal secret key length, it is assumed that the reconciliation factor efficiency is independent of ,  X , and the required correctness  c .Since SatQKD operates within the finite-key regime, these parameters can vary significantly, however.An improved estimate of the reconciliation factor efficiency would enable a higher SKL under finite statistics.
The amount of information leaked to the eavesdropper during information reconciliation is usually impossible to determine exactly.Therefore it is often upper bounded by log|M |, where M denotes the error syndrome.For one-way reconciliation, the size of this error syndrome (in bits) has the following tight lower bound [50]  EC =  X ℎ() +  X (1 − ) log where  −1 is the inverse of the cumulative distribution function of the binomial distribution.We use this estimate for the number of error correction bits to determine the optimised SKL.We note that for large block sizes lim such that  ∞ EC =  X ℎ(), which is the minimum possible bits allowed by information theory.This suggests that the information reconciliation (IR) factor efficiency tends towards unity  EC = 1, which is optimistic even for optimised lowdensity parity-check (LDPC) codes that can achieve high reconciliation efficiencies and require few rounds of communications [65].For application in SatQKD, the IR efficiency does not approach this asymptotic limit over QBERs and data block sizes typical of realistic operation.To demonstrate this, we investigate how the IR efficiency estimate varies for the different memory buffers considered in Section III C. Specifically, the finite-size estimate for the IR efficiency provided by Eq. ( 8) can be determined from the ratio  est EC =  EC / X ℎ().Fig. 9 illustrates this ratio as a function of satellite overpasses with maximum elevation angle  max for different memory buffers   .Note that the data block sizes increase with an increasing memory buffer, leading to better  est EC that approaches unity.We observe that the estimated efficiency dips below the lower quoted value of 1.05 in the literature [50], which is indicated by the gray region.Recall from section III C, that a memory buffer of 64 GB achieves near-optimal performance corresponding to the highly optimised scenario.Therefore, the correction estimate in Eq. ( 9) does not approach the asymptotic limit of unit efficiency for SatQKD data representative of current engineering efforts and capabilities and is well suited to explore the engineering constraints that are the focus in this work.
Before concluding, we make two observations.First, a simple remedy to the error correction estimate that would hold for any data block size would be to switch to an updated model whenever the reconciliation efficiency estimated by Eq. ( 9) falls below 1.05.That is, we can estimate the number of error correction bits required from where  EC takes values that reflect achievable efficiencies, whenever  EC < 1.05 X ℎ().Second, here we do not consider bi-directional error correction information reconciliation for SatQKD such as CASCADE [66].Although it may lead to improved reconciliation efficiencies, the complexity of classical communication protocols and operations, and demands for on-board data processing are significantly greater.Hence, it may be more practical to implement one-way IR in SatQKD to simplify operations and reduce system cost and complexity using schemes such as low-density parity check (LDPC) codes [67].

General approach optimisation of fixed parameter values
The fully optimised finite SKL is difficult to achieve since it requires active control of the entire parameter space, which may be difficult to engineer.In section III B we explored the impact of fixing the receiver basis bias   X , and the two intensity values  1 and  2 that are particularly challenging to change.This naturally raises the question what fixed values should a SatQKD system implement?Here, we outline a general method to determine fixed values for the set F ∈ {  X ,  1 ,  2 }.Our method follows from maximising SKL year , which is proportional to the integrated area under the SKL vs ground track distance curves, SKL int [29].We first establish the fully optimised SKL as a function of  min , corresponding to optimising the full parameter space.For each point  along the optimised curve, we extract the set, F opt  min (  ) , of the optimal values for   X ,  1 , and  2 for  min ( ) (in units of 10 6 m).Now fixing F opt  min (  ) , we optimise the SKL over the remaining parameter space to determine the SKL as a function  min ( ), hence SKL int .This procedure is repeated for each optimised point .We then choose the fixed set F opt  min ( ) that maximises SKL int as the best compromise of fixed parameters.This procedure is summarised in Fig. 10.
Fig. 11 illustrates this procedure for choosing the ideal fixed set F opt  min ( ) that optimises SKL year .In Fig. 11(a), the optimal SKL is illustrated in black.Three illustrative fixed sets F  min (  ) are sampled to correspond to the maximum, median, and minimum non-zero SKLs values and are shown in dashed blue, dashed red, and dashed green respectively.We first note that fixing the values for F has little impact on the SKL over the entire range of satellite overpass trajectories.This reassuringly demonstrates that SatQKD systems operating with a fixed subset of parameters F do not lead to a large departure from the optimal performance with only a small observed impact on the SKL generation performance.Second, it is possible to improve the SKL by carefully choosing the fixed values for F .The ground track distanced furthest away from the sampled point  along the optimal curve deviates most from the optimal performance.This suggests that the fixed parameter set should be chosen closer to the centre of the curve, since this would maximise the robustness of the SatQKD systems to the widest variety of satellite overpasses leading to the largest annual expected SKL.This specific dependence on the fixed parameter set and the annual SKL is illustrated in Fig. 11(b).The peak annual SKL corresponds to the ideal fixed set F opt 0.43 = {0.841,0.709, 0.139}.This establishes the fixed values used in section III B. Our method is general and can be extended to determining the ideal values for any alternative subset of fixed parameter sets.Finally, we reassuringly find that despite the constrained parameter space, the estimated annual SKL with these fixed parameters is close to the fully optimised case, shown with the dashed horizontal line in (b).
We note that there is the possibility that a greater SKL year could be achieved with a parameter set outside of the per-pass optima but as the presented procedure closely approaches the upper bound, a search for such values may not be worthwhile.

Figure 3 .
Figure 3. Finite key efficiency vs source rate.Source rate normalised SKL as a function of   for overpasses with  max = 90 • (solid lines) and 30 • (dashed lines), for three system configurations {QBER I ,  ec }: A = {0.1%,1×10 −8 }, B = {0.5%,1×10 −8 }, and D = {0.5%, 1 × 10 −7 }.The critical  s value corresponds to the transition of zero and non-zero finite SKL.The shaded blue region illustrates the key suppression region for System A with  max = 90 • where statistical fluctuations in estimated parameters overwhelm key generation due to finite available statistics.The vertical line is at   = 500 MHz, which we consider for the remainder of the paper.

9 Figure 4 .
Figure 4. Impact of fixed receiver basis bias and source intensities.All curves are for  1 = 0.71,  2 = 0.14,  3 = 0,  ec = 10 −7 and QBER I = 0.005.(a) SKL as a function of  max for a fixed   X and fixed pulse intensities.For reference, the black solid line represents the optimal SKL maximised over   X and   X with the same fixed intensity values.(b) Plots of optimised values for   X as a function of  max for a fixed basis   X and fixed pulse intensities.The black solid line represents the optimal basis bias   X with the same fixed intensity values.

Figure 5 .
Figure 5. Overpass and memory buffer effects.SKL (left axis) and minimum memory buffer (right axis) as a function of ground track distance.We consider  sys loss = 40 dB,  s = 500 MHz, QBER I = 0.5%, and  ec = 1 × 10 −7 .A larger memory buffer permits a longer transmission time, which extends the operational footprint of the SatQKD system.Further, a larger minimum memory buffer requirement is observed at larger ground track distances to generate non-zero finite keys.This provides an indication of SatQKD system specifications.

Figure 7 .
Figure 7. Impact of source intensity uncertainty.The signal and decoy state intensity values may independently deviate from their assumed values   by fraction  .The per-pass SKL taking into account these intensity uncertainties for  = 0%, 5%, 10% are shown for different overpass geometries.

Figure 8 .
Figure 8. Link efficiency as a function of elevation.Each contributor to the total loss is illustrated for  = 785 nm.Both diffraction and atmospheric losses vary with elevation and increase with decreasing elevations.The solid black line illustrates the total link efficiency.The loss axis is truncated at 60 dB, with the worst link efficiency being  785 = 87 dB at 0 • .The loss values in the gray region, where the elevation falls below 10 • are not used in the key length simulations.

1 Figure 10 .Figure 11 .
Figure 10.Pseudocode to determine the ideal fixed parameter set.We denote F opt  min ( ) = {  X (),  1 (),  2 ()} as that which maximises the performance of a SatQKD system through the expected annual SKL, which is determined from the parameter set F opt  min (  ) that are sampled from the fully optimised SKL vs  min plot.The list   is used to generate the plots in this work.This algorithm can be generalised to determining the ideal values for any fixed parameter set.

Table I . Reference system parameters. Transmitter
, receiver, and source properties determine range and elevation-dependent loss.The system loss metric,

One-way information reconciliation efficiency.
We estimate f est EC as a function of satellite overpasses with maximum elevation angle  max for different memory buffers   .For data representative of current engineering efforts,  est EC remains larger than 1.05, which is the lowest quoted achievable efficiency in the literature and is illustrated by the gray region corresponding to optimistic efficiencies.