Line-of-sight quantum key distribution with differential phase shift keying

Free-space optical (FSO) links offer a practical approach to realize quantum key distribution (QKD) in a global scale. However, when one wants to further extend the distance from the geostationary orbit to the ground, currently known QKD schemes cannot realize practical key rates mainly due to the diffraction losses of a laser beam. If the facts that the FSO links are highly directional and must be used in the line-of-sight (LoS) condition are taken into account, one may impose some physical restrictions on an eavesdropping model to explore longer-distance QKD. In this paper, we propose a novel FSO secret key agreement scheme, line-of-sight QKD (LoS-QKD), based on a quantum wiretap channel. In our model, an eavesdropper can tap only a limited fraction of the FSO signal beam but perform any physically allowable operations on the tapped signals. Fading effects which are significant in the FSO links are fully taken into account. We provide a security proof for the differential phase shift (DPS) keying scheme in terms of the metric which meets the composability. We investigate numerically the performances of LoS-QKD with DPS keying, including finite-length analysis, showing that our proposed scheme can realize high-speed and long-distance secret key agreement with information-theoretic security.


Introduction
Quantum key distribution (QKD) [1][2][3] is a method for secret key agreement between two remote parties, a sender (Alice) and a receiver (Bob), connected by a quantum channel. QKD can theoretically be secure against an eavesdropper (Eve) who can launch any physically allowable attacks and have unbounded computational resources (information-theoretic security). Today QKD networks have been deployed in installed optical fibers over the metropolitan scale [4,5] and recently in the continental scale [6,7], based on the trusted nodes and key relay. Unfortunately, these fiber-based QKD networks cannot be extended to inter-continental configurations because submarine cables with optical fiber amplifiers cannot support QKD links.
To extend the distance to a global scale, satellite-based QKD is a promising solution. Several satellite-based communication experiments over the quantum-limited channels have successfully been demonstrated so far, to show the possibility of long-distance QKD [8][9][10]. The Chinese team launched the quantum science satellite in the low-earth orbit (LEO) [11] and performed a series of QKD experiments [12][13][14][15], in which a key rate of about 47.8 kbps in a passage with a distance range from 645 km to 1200 km was achieved [14] with a decoy-state BB84 scheme. be affected by the atmosphere in the LoS channel before they are received by Bob, which we treat as the main channel acting on the optical pulses. After completing optical transmission of the RBS from Alice to Bob, they perform key-distillation processing with communications over an authenticated public channel.

Protocol of LoS-QKD
We here describe our proposed protocol of LoS-QKD using the configuration in figure 1.
(1) Alice generates a coherent train of weak pulses from the laser source, and modulates each pulse by adding a phase shift 0 or π according to a random bit generated from the RNG. Alice transmits the modulated pulses to Bob over the LoS channel. (2) Bob measures the relative phase (0 or π) between adjacent pulses in the received pulse train using the one-bit-delay interferometer and the photon detectors. Whenever the detection succeeds, he records its timing and also records the measurement outcome as a bit d, where d = 0 corresponds to the relative phase 0 and d = 1 to π. He concatenates all the outcome bits from the successful timings to form a raw key d. Let N raw be the length of d. (3) Bob randomly chooses test bits from the N raw bits of the raw key d to define his test sequence κ test B . Let N test be the length of κ test B . He concatenates the remaining N sift := N raw − N test bits in d to define his sifted key κ B . (4) Bob announces the successful timings, the position of test bits, and his test sequence κ test B . (5) Using Bob's announcement and her record of the phase modulation, Alice defines her N sift -bit sifted key κ A and her N test -bit test sequence κ test A . She announces κ test A . (6) Based on κ test A and κ test B , Alice and Bob perform information reconciliation in the forward direction: Alice provides Bob with information on her sifted key κ A , and Bob computes a reconciled key κ rec B from κ B . (7) Alice and Bob determine the length N fin of the final key, and carry out privacy amplification to obtain the N fin -bit final keys κ fin A and κ fin B from κ A and κ rec B , respectively. After we provide assumptions on Alice's and Bob's devices and on the LoS channel in the next section, we will present a more specific version of the above protocol in section 4 and will prove its finite-size security.

Assumptions on devices and channels
In this section, we provide assumptions on Alice's apparatus, the quantum channel from Alice to Bob, and Bob's apparatus. At the same time, we introduce various mathematical notations, which will be used to provide more specific description of the proposed protocol in section 4. We assume that Alice sends out N pul pulses in total. In the DPS keying in which a bit is encoded in the relative phase between an adjacent pair of pulses, N tot := N pul − 1 bits are encoded on these pulses. We thus index the N pul pulses by (0, 1, . . . , N tot ). We denote the system of the ith pulse by C i (i = 0, 1, . . . , N tot ) and the whole system of the N pul pulses by C. We denote byn i the photon number operator for the ith pulse C i .

Sender's apparatus
An ideal laser source will prepare each pulse in an identical coherent state with the same mean photon number μ A and with the same phase, namely, in a coherent state | √ μ A . Although we will assume such a perfect source for computing key rates in section 5, our security proof given in section 4 relies only on a much weaker assumption on the laser source. The complex amplitudes of different pulses may differ, namely, the ith pulse may have its own value α i of its complex amplitude, as long as |α i | 2 μ A . We further allow the possibility of fluctuations and correlations in α i as long as |α i | 2 μ A holds with unit probability. These assumptions are formally stated as follows.

Assumption 1 (laser source).
Let μ A > 0 be a constant. The sender's laser source can be equivalently replaced by the following procedure. Generate N pul -tuple of complex numbers α := (α 0 , α 1 , . . . , α N tot ) with a probability Pr(α) satisfying According to α, prepare N pul pulses in state where |α i C i is a coherent state with amplitude α i .
In the actual protocol of LoS-QKD, there is no need for Alice to know the value of α or the distribution Pr(α). The only parameter she has to know is μ A , which is used in determining the amount of privacy amplification. Note that assumption 1 is stronger than merely requiring that the state of system C is given by a density operator ρ(α) = α Pr(α)|α α|. Assumption 1 may not hold if the optical pulses have quantum correlations to other systems that Alice does not possess. A sufficient condition for assumption 1 is that system C is in state ρ(α) and is decoupled from any other system.
As for the phase modulator, we assume that it works ideally. Given α i , the ith pulse leaves Alice either in state |α i or in state | − α i .

Channel model
As explained in subsection 2.1, we assume that the wiretapper channel is modeled by a BS. When the open input port is in the vacuum, the action of a BS with reflectivity η is described by an isometryÛ (η) BS satisfying the following property. For an input pulse in a coherent state |α C with complex amplitude α, we havê where the pulse E is received by Eve. The action of the BS on the N pul input pulses is then given by a CPTP (completely-positive trace preserving) map Using this notation, we describe the assumption on the LoS channel as follows.
Assumption 2 (wiretap channel model). The channel between Alice and Bob is modeled by E (η E ) wtp , which is a wiretapper channel composed of a BS with reflectivity η E , followed by a main channel E main , as shown in figure 2.
As for the main channel E main , we do not assume a specific model but only assume a weak assumption. This allows our security proof to cover a wide range of unknown and time-varying properties of the atmosphere across which LoS-QKD is carried out. To describe our assumption, which we call phase insensitivity, we introduce a general operation of optical phase shifts on N pul pulses. Application of an optical phase shift θ i on the ith pulse for i = 0, 1, . . . , N tot is represented by a CPTP map E (θ) ps (ρ) :=Û (θ) ps ρÛ (θ) † ps (4) with θ := (θ 0 , θ 1 , . . . , θ N tot ) andÛ (θ) The assumption of phase insensitivity implies that the main channel depends on neither the absolute phases nor the relative phases of the optical pulses, which is formally stated in terms of the map E (θ) ps as follows. Assumption 3 (channel phase insensitivity). The CPTP map E main on system C of N pul pulses satisfies for arbitrary θ.
Note that this assumption allows the transmittance to vary for each pulse, or even to be affected by the presence of photons in the preceding pulses, as long as such correlations are insensitive to the optical phases of the input pulses. We believe that the phase insensitivity is very unlikely to be violated by natural causes in the case of DPS keying. To break phase insensitivity, the oscillating dipoles of particles in the atmosphere must memorize the phase of a pulse and affect the subsequent pulses accordingly. It implies that the dephasing time must be longer than the pulse interval (e.g. 1 ns for 1 GHz of pulse repetition rate), which normally requires a resonance of a similar bandwidth (∼1 GHz). It is unlikely that such a sharp resonance coincides with the frequency of the laser used in the LoS-QKD, which makes the phase insensitivity condition reasonable for LoS-QKD with DPS keying.

Receiver's apparatus
Since the optical pulses received by Bob are very weak, the measurement of the phase difference between an adjacent pair of pulses often fails, which happens when neither of the detectors reports the arrival of photons at the designated timing. Bob publicly announces the positions of such detection failure (or equivalently the positions of success) so that Alice and Bob can agree to generate sifted keys only from the pairs for which Bob's detection has succeeded. Let us label adjacent pairs in such a way that the jth pair consists of the (j − 1)th and the jth pulses, for j = 1, . . . , N tot . Define a detection index set D ⊂ {1, . . . , N tot } as the set of the indices of the pairs for which Bob's detection has succeeded. Bob's announcement of the successful timings in step 4 of the protocol in subsection 2.2 is equivalent to announcing the set D.
Our security proof in this paper assumes that the statistics of detection pattern D is independent of the optical phases of the N pul = N tot + 1 pulses (system C) received by Bob. To formally describe this property, we represent Bob's measurement by POVM (positive operator-valued measure) {E D } D⊂{1,...,N tot } such that, when the state of the received N pul pulses is ρ, the probability of outcome D is given by Pr(D) = Tr(E D ρ).
Our assumption on Bob's apparatus is now stated as follows.

Assumption 4 (detection phase insensitivity).
For any state ρ of system C, Bob's measurement for arbitrary θ.
This assumption holds true if the following two conditions are simultaneously met: (a) the two on/off detectors have the same detection efficiency, and (b) a double-click event, where both detectors report the arrival of photons, is regarded as a successful detection.

Security proof
In this section, we give a security proof of the proposed LoS-QKD protocol in the finite-size regime. We first clarify the goal of the security proof in subsections 4.1 and 4.2. In subsection 4.1, we refine the protocol in subsection 2.2 to be more specific by using the mathematical notations introduced in the previous section. We call it actual protocol to distinguish it from other protocols introduced in subsequent subsections. In subsection 4.2, we explain the security criteria in the finite-size regime, which are widely used for QKD protocols. Subsection 4.3 focuses on the property of the sender's phase encoding in the protocol, and explain the basic idea used in the security proof based on complementarity. The security proof begins with subsection 4.4, which shows that the security statement of actual protocol is reduced to that of another protocol which we call virtual protocol. It is then further reduced to a condition on classical random variables defined in yet another protocol called estimation protocol in subsection 4.5. The statistics of the random variables are analyzed in subsection 4.6, which completes the security proof and gives a formula for the finite-size final key length for a given security parameter. Technical details will be available in appendix A through appendix C.
Throughout this section, we use the following notations for defining an indexed series of variables:

Formal description of the LoS-QKD protocol
Here we give a specific version of the LoS-QKD protocol in subsection 2.2 such that we are able to discuss its security in the finite-size regime. We first list the protocol parameters which are shared in public by Alice and Bob prior to the run of the protocol. Let μ A be the bound on the mean photon number of a pulse from the laser source, which appears in assumption 1. Let N pul = N tot + 1 be the total number of pulses transmitted from Alice to Bob, and p test ∈ [0, 1] be the fraction of test bits. Let η E be the reflectivity of the BS in the WTCh model. In addition, we define Pr(C PA |N 1 , N 2 ) as the probability over N 1 × N 2 binary matrices C PA used in the privacy amplification, and N IR (κ test A , κ test B ) as a function to determine the length of communication used for information reconciliation from test bits κ test A and κ test B . The description of the refined protocol, which we call actual protocol, is now given as follows. Actual protocol (1) Using the laser source, Alice prepares system C = (C i ) N tot i=0 of N pul optical pulses in state ρ C . She generates an N pul -bit uniformly random bit sequence a := (a i ) N tot i=0 using the RNG. She modulates the optical pulses by adding π phase shift to the ith pulse if a i = 1 for i = 0, . . . , N tot , such that the state of system C becomes Alice transmits the modulated pulses to Bob over the LoS channel. (2) Bob performs DPS measurement on the received pulses. According to the measurement outcomes for the N tot adjacent pairs, he determines a detection index set D ⊂ {1, . . . , N tot } and a raw key d := (d j ) j∈D by the following rule. For the jth pair, j / ∈ D if neither of the detectors clicks, and j ∈ D otherwise. If only one of the detectors clicks, d j is set to be the index of that detector (i.e. 0 or 1). If both detectors click, d j is randomly set to 0 or 1.
(3) Bob generates a test-bit index set D test by performing Bernoulli sampling with sampling rate p test on D.
He defines a sifted-key index set D sift := D\D test , his sifted key κ B := (d j ) j∈D sift with a length of N sift := |D sift |, and his test sequence κ test B := (d j ) j∈D test with a length of N test := |D test |. (4) Bob announces D sift , D test , and κ test B . (5) Alice defines her N sift -bit sifted key κ A := (κ j ) j∈D sift and her N test -bit test sequence κ test A := (κ j ) j∈D test from a by the relation κ j := a j ⊕ a j−1 . She announces κ test A . (6) (Information reconciliation). By using encrypted communication consuming N IR (κ test A , κ test B ) bits of preshared key (i.e. via Vernam's one-time pad [37]), Alice provides Bob with information on her sifted key κ A . Bob then computes a reconciled key κ rec B from κ B . (7) (Privacy amplification). Alice and Bob determine the length N fin of the final key based on μ A , η E , D sift , and D test . Alice chooses a N sift × N fin binary matrix C PA with the probability Pr(C PA |N sift , N fin ) and announces it. Alice and Bob then obtain the final keys κ fin A := κ A C PA and κ fin B := κ rec B C PA , respectively. After the run of the protocol, Alice and Bob share N fin -bit final keys, while they consume N IR bits of a preshared key during the protocol. The net key gain G is thus given by

Security criteria
We define the security of our protocol using a criterion that is widely used for conventional QKD and satisfies the universal composability [38]. Given an attack strategy by Eve, we can define the probability Pr(N fin ) of the final key length and the quantum state ρ fin ABE|N fin , which is the final state over Alice's and Bob's final keys and Eve's quantum system conditioned on N fin . The state ρ fin ABE|N fin is generally written as From the above state, we define a quantum state representing the ideal final key by The security of a protocol is stated in terms of the distance between the actual state and the ideal state. We say the protocol is ε sec -secure if holds regardless of Eve's attack. Here, σ denotes the trace norm of operator σ.
It is convenient to decompose the above condition into two separate conditions. We say a protocol is holds regardless of Eve's attack. We say a protocol is ε X -secret if holds regardless of Eve's attack, where ρ fin AE|N fin := Tr B (ρ fin ABE|N fin ) and ρ ideal AE|N ideal := Tr B (ρ ideal ABE|N fin ). When a protocol is ε Z -correct and ε X -secret, it can be shown that it is (ε Z + ε X )-secure. In this paper, we assume that the information reconciliation in the actual protocol guarantees the ε Z -correctness of the protocol, and focus on proving ε X -secrecy in the subsequent subsections.

Property of the sender's encoding and basic idea behind the security proof
Consider an entangled state between a qubit A and an optical pulse C, given by where {|0 A , |1 A } is an orthonormal basis of qubit A, which we call the Z-basis, and |α C is the coherent state with complex amplitude α. Suppose that qubit A is measured on the Z-basis to produce an outcome a ∈ {0, 1}. With probability 1/2, a = 0 and the optical pulse is in state |α C . With probability 1/2, a = 1 and the optical pulse is in state | − α C . This is exactly the same as the procedure of choosing a i and modulating the ith pulse in step 1 of actual protocol. To be more comprehensive, consider a quantum register of N pul qubits A : Under assumption 1 on the laser source, step 1 of actual protocol is equivalent to choosing α, preparing state |Ψ(α) AC , and measuring the N pul qubits A on the Z-basis to determine a. This property will be used in constructing a virtual protocol in the next subsection.
Our security proof is based on the complementarity approach [39], in which the secrecy of an observable is assessed from the uncertainty of a complementary observable. To explain the basic idea, let us go back to the simple example of state |ψ(α) AC . Instead of measuring qubit A on the Z-basis to obtain bit a, suppose that one measures it on a complementary basis 2)}, which we call the X-basis, to obtain a bit x ∈ {0, 1} as an outcome. For determining statistics of x, it is convenient to consider the parity of the photon number, which is an observable complementary to the optical phases of 0 and π. Let us define the projection operators onto the even-(b = 0) and the odd-(b = 1) photon-number subspaces by wheren C is the photon number operator for pulse C. We also rewrite |ψ(α) AC using the relation Then the probability of bit x is computed as Especially The function p ph (μ) represents the probability of the photon number to be odd when it follows the Poisson distribution with mean μ, and will also appear in the formula for the secure key length later. The value of Pr(x = 1) is related to how secure the Z-basis outcome a is from someone having access to the optical pulse C. In particular, Pr(x = 1) = 0 if |α = 0|, in which case the pulse is in the vacuum and thus carries no information on bit a. The secrecy of a can also be understood from the fact that qubit A is exactly in state |0 A before the Z-basis measurement, which means no one should be able to predict the outcome a. In the opposite limit of |α| → ∞, the bit a is fully leaked through the pulse, while Pr(x = 1) approaches 1/2, implying that we are completely uncertain about the value of x. In the general case with 0 < Pr(x = 1) < 1/2, we may expect that this value somehow quantifies the amount of leaked information, and hence is eventually used for determining an appropriate amount of privacy amplification to make a protocol secure.
In LoS-QKD, we assume that only a fraction of the emitted pulse energy is received by Eve. After a wiretapper channel, the whole state may become Of course, the application ofÛ (η) BS does not change the statistics of bit x, namely, . But when we want to evaluate the secrecy of bit a from Eve, we may argue that the optical pulse C, which is beyond Eve's reach, can be used to reduce the uncertainty in bit x. For the convenience of constructing a virtual protocol in the next subsection, here we define a measurement for extracting useful information from pulse C with a minimal disturbance on its state as follows.

Definition 1 (parity measurement).
A parity measurement on an optical pulse C produces an outcome x ∈ {0, 1} corresponding to the parity of the photon number. Let σ C be the state of C before the measurement, and ρ [x =b] C (b = 0, 1) be the state of C after the parity measurement on condition that x = b. Then it holds that and Let C be the state after the measurement averaged over the outcome b. It satisfies Suppose that, for the state |φ(α, η) ACE , X-basis measurement is performed on qubit A and parity measurement is on pulse C to produce outcomes x and x , respectively. Their distribution is computed from equation (24) as (30) and hence which is also expected from the property that the BS preserves the total number of photons. We thus obtain which implies that the uncertainty in x given x is related to the mean photon number received by Eve.
In a rigorous proof of security, the property of equation (33) turns out to be inadequate because a bit a is adopted only when the corresponding optical pulse C leads to a successful detection in Bob's measurement. In general, such conditioning could distort the statistics, and a conditional probability of x = x might not be bounded by p ph (η|α| 2 ) as in equation (33). Fortunately, we can prove that there is no such worry. As shown in appendix A, x ⊕ x is independent of any random variable W generated by accessing the pulse C, namely,

Virtual protocol
In this subsection, we present a virtual protocol, which is helpful in proving the ε X -secrecy, equation (16), of actual protocol. The virtual protocol is constructed in such a way that, as far as the final state of Alice's key and Eve's quantum system are concerned, it is equivalent to actual protocol. Bob's final key, which is irrelevant to the ε X -secrecy, is not generated in the virtual protocol. Instead, Bob's action is designed for making it easier to prove the ε X -secrecy condition by using the complementarity of quantum mechanics.
In what follows, we present the detailed flow of the virtual protocol. In addition to the protocol parameters for actual protocol, we define a probability Pr(C PA |N 1 , N 2 ) over N 1 × N 1 full-rank binary matricesC PA . Construction of a set T ph ⊂ {0, 1} N sift will be given in the subsequent subsections. Probability Pr(α) appearing in assumption 1 is also used.
Virtual protocol (1) Alice generates N pul -tuple of complex numbers α := (α 0 , α 1 , . . . , α N tot ) with probability Pr(α) and prepares quantum register A of N pul qubits and system C of N pul optical pulses in state |Ψ(α) AC defined in equation (18). She then sends system C to the wiretapper channel E (η E ) wtp , while keeping quantum register A.
(3) After the wiretapper channel E (η E ) wtp , Bob performs the parity measurement (definition 1) on the ith pulse whenever i / ∈ P test, all to obtain an outcome x i . He then sends all the (N tot + 1) pulses to the main channel E main . (4) Bob performs DPS measurement on the received pulses after the main channel E main . According to the measurement outcomes for the N tot adjacent pairs, he determines a detection index set D ⊂ {1, . . . , N tot } and a raw key d := (d j ) j∈D by the following rule. For the jth pair, j / ∈ D if neither of the detectors clicks, and j ∈ D otherwise. If only one of the detectors clicks, d j is set to be the index of that detector (i.e. 0 or 1). If both detectors click, d j is randomly set to 0 or 1.
Alice applies a CNOT gate operation on A j−1 and A j , in which A j−1 is a control and A j is a target, in descending order of j ∈ D sift . She then defines a sifted key register as A sift := (A j ) j∈D sift , which consists of N sift := |D sift | qubits. Alice renames the indices to (1, 2, . . |N 1 , N 2 ), we can show that actual protocol and virtual protocol leave Alice's final key and Eve's quantum system in the same state. More precisely, suppose that an attack strategy by Eve to actual protocol leads to a probability Pr(N fin ) and final states ρ fin AE|N fin . Since all the announcements (D sift , D test , κ test B , κ test A , C PA ) in actual protocol are also made in virtual protocol, Eve can apply the same attack strategy to virtual protocol. Note that she ignores any other announcements that are only made in virtual protocol. Then, as shown in appendix B, virtual protocol also leads to the same probability Pr(N fin ) and the same final states ρ fin AE|N fin . It then follows that ε X -secrecy of virtual protocol implies ε X -secrecy of actual protocol.
A crucial advantage in introducing virtual protocol is that it is much easier to prove its ε X -secrecy. Let σ fin be the state of the N fin qubits A fin after step 11. Let |0 bet the state vector for A fin where every qubit is in state |0 . If σ fin = |0 0 | strictly held, the Z-basis measurement in step 12 would result in ρ fin AE|N fin = ρ ideal AE|N fin . We thus expect that, if σ fin is close to |0 0 |, the final state ρ fin AE|N fin will also be close to ρ ideal AE|N fin . In fact, it is known [40] that if holds for δ > 0, we have 1 2 The implication established in this subsection is thus the following. If we can prove equation (39) holds in virtual protocol regardless of Eve's attack strategy, actual protocol is √ 2δ-secret.

Estimation protocol
Here we introduce yet another protocol in order to prove equation (39) by analyzing properties of classical random variables rather than directly dealing with quantum theory. Suppose that, after step 11 of the virtual protocol, one measures the N fin qubits of A fin on X basis to obtain a N fin -bit sequence x * . The left-hand side of equation (39) is then equal to Pr(N fin 1, x * = 0). We now construct a protocol in which the qubits are measured on X basis at an earlier step, and the subsequent quantum operations are replaced by classical computation to faithfully simulate the statistics of x * . We call it estimation protocol and it is defined as follows. Estimation protocol Steps 1 through 7 are the same as those of virtual protocol.
(8) Alice measures qubits (A i ) i∈D sift on X basis to obtain a bit sequence (x i ) i∈D sift . She computes a bit sequence e := (e i ) i∈D sift by the following relations: (9) Alice computes a bit sequence e ph := (e ph,j ) j∈D sift by using the following relations in the descending order of j ∈ D sift . e ph,j := By comparing steps 8 through 11 to the corresponding steps in virtual protocol, it is easy to see that the x * are generated in the same way in both protocols. Our goal is thus to prove an inequality of the form which then implies that actual protocol is √ 2δ-secret.

Completion of proof and formula for final key length
The remaining task of the security proof is to determine a final key length N fin such that equation (44) holds true. Here we provide a sketch of the proof, and leave technical details to appendix C. Suppose that we find a set T ph such that e ph ∈ T ph holds with a probability close to unity. We may choose a final key length to satisfy N fin N sift − log 2 |T ph | − s with s > 0, so that the length (N sift − N fin ) of the bit sequence e ph H T is slightly larger than log 2 |T ph |. Then, with a high probability, the sequence e ph H T is unique to e ph , namely, there is no other element e ph ∈ T ph (e ph = e ph ) that satisfies e ph H T = e ph H T . This leads to equation (44) with a small δ. Obviously, the final key length will be larger if the size of the set T ph is smaller.
Instead of directly finding a set T ph , it is much easier to find a set T such that e ∈ T holds with a probability close to unity, because the sequence e follows simpler statistics. Once we find such a set T , choosing a final key length to satisfy N fin N sift − log 2 |T | − s leads to equation (44). To see this, notice that at step 9 of estimation protocol, e ph is uniquely determined if e is given. Let us denote this functional dependence by e ph = f sif (e), and define T ph := f sif (T ). Since |T ph | |T |, we have N fin N sift − log 2 |T ph | − s. Since e ∈ T implies e ph ∈ T ph , the latter also holds with a probability close to unity, leading to equation (44).
To analyze the behavior of the sequence e := (e i ) i∈D sift defined in equation (41) of step 8, let us divide the set D sift into two disjoint subsets as D sift = D 0 ∪ D 0 with D 0 := D sift ∩ P test, all and D 0 := D sift \P test, all . The sequence e is also divided into two parts, e := (e i ) i∈D 0 and e := (e i ) i∈D 0 .
From equations (33) and (44) with assumptions 1 and 2, we see that, for i ∈ D 0 , the probability of e i = 1 is at most p ph (η E μ A ). The number of 1's in the sequence e is thus expected to be at most |D 0 |(p ph (η E μ A ) + Δ), where a parameter Δ > 0 allows for statistical fluctuations. For the sequence e of length |D 0 | = N sift − |D 0 |, we have no condition to restrict its behavior. We may thus expect that there exists a good set T with its size satisfying Hence, the target condition of equation (44) is expected to be fulfilled if the final key length is chosen to satisfy A rigorous proof along this line is given in appendix C, in which the fluctuations in the right-hand side of equation (47) are analyzed in detail to determine a formula for N fin and find quantitative relation to δ in equation (44). The derived key length formula is given by where which guarantees Pr(N fin 1, Hence, we conclude that the actual protocol is √ 2(2 + 2 −s )-secret with the choice of the final key length according to equation (48).

Numerical calculation of secure key rate
In this section, we present numerical calculations on the performances of LoS-QKD for the asymptotic and the finite-length regimes. Although the security proof in the previous section covers the general case of the LoS channel including non-iid channels, we here use a simplified model of the linear lossy bosonic channel as described in figure 3, and show potential performances of LoS-QKD for high-speed and long-distance secret key agreement. We also assume that the laser source prepares each pulse in | √ μ A , where the parameter μ A is to be optimized for maximizing the key rate.
The main channel is modeled by the BS with reflectivity η env , which corresponds to the total optical loss to the environment due to the laser beam divergence and the absorption in the atmosphere and the receiver. For simplicity, we include the common quantum efficiency of the detectors to η env . We also define the total transmittance of the channel between Alice and Bob as η B : In what follows, T and ν d denotes the pulse interval and the dark count rate of Bob's on/off detectors. We set T = 1 ns (the pulse repetition rate of 1 GHz) and ν d = 1000 cps (counts per second), which are typical values in the current technology level.  [42] schemes, respectively. We note that Mizutani's scheme uses photon number resolving detectors and the QBER is set to 0.02. The green dotted line is for decoy-state BB84 scheme. Parameters: ν d = 1000 cps, T = 1 ns.

Asymptotic key rate
We refer to the key rate in the asymptotic regime as the asymptotic key rate R K,A , and define it as In the asymptotic regime where N tot is infinitely long, Hereafter, we simply write p ph (η E μ A ) as p ph and call this quantity the phase error rate. In addition, Alice and Bob can use the error correction code achieving the Shannon limit, namely, where p bit denotes the quantum bit error rate (QBER), and is given as as explained in appendix D. Hence, we obtain where p det := N sift /N tot is the photon detection rate at Bob, and given as as explained in appendix D. Then, the asymptotic key rate R K,A in equation (56) turns into We plot the asymptotic key rate R K,A as a function of the channel loss η −1 B in figure 4 (red solid lines). For η E = 10 −6 , R K,A remains 1 Gbps at around η −1 B = 50 dB (the flat region), then starts to decrease as η −1 B increases (the decreasing region), and finally drops to zero (the outage point) when η −1 B goes beyond 100 dB. The outage point corresponds to the channel loss at which the photon detection rate at Bob becomes comparable with the dark count rate of his on/off detectors. The asymptotic key rate R K,A still attains 1 kbps even at η −1 B = 100 dB, which can cover a sufficient link budget for GEO-satellite-to-ground links assuming currently available technologies of optical antenna and PAT (pointing, tracking, and acquisition) system.
The asymptotic key rate R K,A deteriorates as η E increases. For η E = 10 −4 , the flat region becomes narrower. For η E = 10 −2 or higher, the flat region disappears. The outage point in η −1 B also becomes smaller accordingly. The curve for η E = 1 − η B is for the case where Eve can collect all photons Bob loses.
For comparison, we also plot the curves for known DPS-QKD (Waks' scheme [41] and Mizutani's scheme [42]), and decoy-state BB84 with the same link and noise conditions. Mizutani's scheme is secure against the coherent attack (the most general attack in QKD), but its key rate decreases rapidly (blue one-dotted line). Waks' scheme is secure against a limited family of attacks, i.e. the individual attack, and can reach 40 dB (blue dashed line). This curve shows almost the same performance as LoS-QKD with η E = 1 − η B . Decoy-state BB84 can reach 50 dB which corresponds to a maximum link budget of LEO-satellite-to-ground communication (green dotted line). Unfortunately, these three schemes cannot cover a range of GEO-satellite-to-ground links, which should correspond to a channel loss of 60 dB or hopefully 80 dB (see the last paragraph in subsection 5.2). In appendix F, we also compare the asymptotic key rates of LoS-QKD and PLS scheme over FSO links (FSO-PLS) with DPS keying to show how the assumption on Eve affects the performances. Now we discuss characteristic features of the LoS-QKD performances and the mechanisms behind. The crossover behavior from the flat region to the decreasing region is the common characteristic of secure transmission rates in PLS schemes, i.e. secrecy message rates in reference [16] and key rates in references [33,34]. For example, the curves of the secrecy message rate versus the channel loss also consist of the flat region and the decreasing region as shown in figure 7 of reference [16]. The flat region and the decreasing regions in the R K,A − η −1 B curve are particularly referred to as 'the loss-independent region' and 'the noise-limited regions', respectively. In the loss-independent region, the received signal power is large enough compared to the noise power, and hence the signal can be discriminated in an error-free manner. In the noise-limited region, on the other hand, the received signal power becomes comparable with or less than the noise power, and hence the discrimination of the signal suffers from errors due to the noises, resulting in the monotonic decrease of the rate R K,A as the channel loss η −1 B increases. The observed behavior in the LoS-QKD is explained in a similar manner, if we ascribe the hardness in discrimination to the indistinguishability of quantum signals, which is often interpreted as quantum noise or shot noise inherent in a set of non-orthogonal quantum states. Figure 5(a) presents the optimized mean photon number μ A at Alice versus the channel loss η −1 B . The optimized μ A monotonically increases in the loss-independent region, and then reaches a plateau in the noise-limited region. This very fact that Alice can increase μ A in the loss-independent region is a striking difference from the conventional QKD schemes in which the signal intensity at Alice must be at the single photon level. This is brought by the strong assumption on Eve that she can tap only the limited fraction η E of the signal via the BS. Figure 5(b) shows the received mean photon number μ B := η B μ A at Bob versus the channel loss η −1 B . The curve of μ B gradually decreases in the loss-independent region, and then decreases more rapidly in the noise-limited region. In the loss-independent region, μ B is greater than the single photon level, and hence Bob's detection almost always succeeds. The crossover occurs when μ B reaches the single photon level. For η E = 10 −6 , for example, the crossover point is at around η −1 B = 50 dB. Once η −1 B goes beyond the crossover point, μ B becomes smaller than the single photon level, and Bob's detection succeeds less frequently. Alice cannot increase the mean photon number μ A further in this region because the signal leaked to Eve is already strong, as seen in figure 5(c). The crossover point can also be expressed by the relation η −1 B ∼ 10η −1 E , where Eve's received mean photon number μ E = η E μ A reaches 0.1 photons, and the information leakage to Eve becomes a matter. Finally, when η −1 B is close to the outage point, Bob's receiver becomes dark-count-noise limited, namely, the received count rate becomes comparable with the dark count rate, and the QBER increases. In this region, the optimized strategy is not to increase μ A to reduce QBER, but to suppress μ A to reduce the wiretapping risk. So, the optimized μ A drops at the end of each curve in figure 5(a). These behaviors are closely related to QBER p bit and the phase error rate p ph (see appendix E).

Finite-length key rate
We refer to the secure key rate in the finite-length regime as the finite-length key rate R K,F , and define it as for a fixed N tot . To evaluate N fin , we set N sift , N sif−tes , and N cand as respectively. In addition, we set where f EC 1 denotes the error correction efficiency. Figure 6 shows the finite-length key rate R K,F as a function of channel loss η −1 B . For each η E , we calculate R K,F with four values of N tot , 10 9 (solid line), 10 8 (dashed line), 10 7 (chain line), and 10 6 (dotted line), as well as the asymptotic key rate R K,A (blue solid line) for comparison. Here remember that N tot is the number of optical pulses at Alice used for generating the final key. We choose p test = 0.06, which is the same as the previous experiments of FSO-PLS scheme [28,34]. We set the security parameter ε X as 10 −11 . To ensure the relation ε X := √ 2( + 2 −s ) holds, we set We set f EC = 1.1.
In the loss-independent region, the finite-length key rates R K,F are slightly smaller than the asymptotic key rate R K,A . This reduction is due to spending the test bits and the finite error correction efficiency. In the noise-limited region, the gap between R K,F and R K,A gets larger as η −1 B increases, and the outage point moves to the lower loss side as N tot decreases. Roughly speaking, the outage point decreases by about 20 dB when N tot decreases from 10 9 to 10 6 . Now a typical link budget between GEO-satellite-to-ground links is 80 dB. Practical link budgets between the satellite and the ground usually vary by 10 dB to 20 dB in the time scale of minutes due to atmospheric fading. Then the results of figure 6 imply that LoS-QKD for GEO-satellite-to-ground links is possible in the case of η E = 10 −6 , by taking N tot larger than 10 8 . The key rate of 1 Mbps could be achieved in the best condition in principle. Technical challenge is to implement key-distillation processing for N tot 10 8 with limited computing resources in satellite. This task could be feasible by careful modification of current architectures of software-based key-distillation processing, combined with advanced space-qualified CPUs and memories.

Conclusion
In this paper, we proposed the novel QKD scheme, LoS-QKD with DPS keying, for the FSO link modeled by the quantum WTCh. Eve can tap only the limited fraction of the FSO signal beam, as modeled by the BS with the reflectivity η E in front of Alice's transmitter, but can perform any physically allowable operations on the tapped signals. The main channel between Alice and Bob may be affected by atmospheric fading effects. Thanks to the complementarity approach, we proved the composable security of LoS-QKD.
We numerically evaluated the performances of LoS-QKD based on the asymptotic and finite-length analyses. We also compared the asymptotic key rates with existing schemes, DPS-QKD and FSO-PLS (SKA). We showed how key agreement performances can be improved as Eve's wiretapping ability is weakened. If we can assume that Eve's wiretapping ratio η E can be as small as η E = 10 −4 ∼ 10 −6 , LoS-QKD can potentially realize GEO-satellite-to-ground secret key agreement under the practical conditions (i.e. total number of transmitted pulses, security parameter, error correction efficiency, and fraction of test bits) available in current technology. It would be an interesting open problem how to extend the concept of LoS-QKD to other protocols, such as measurement-assisted relaying schemes with a satellite, including measurement-device-independent QKD [43], and twin-field QKD [44].
A big remaining question is how one can certify the assumption that Eve's wiretapping ability can be restricted to the BS model. It should be an involved task in practice. One should employ channel estimation techniques with signal and beacon beams as well as additional channel surveillance apparatuses (e.g. camera, RADAR, LIDAR). Unfortunately, there might be no single strong physical mechanism to certify our WTCh model, but various physical mechanisms accompanied with the highly directional nature and LoS of the FSO links need to be employed.
Nevertheless, our results, at least, imply a way how to relate cryptographic schemes with information-theoretic security to each other, providing a unified design chart as the tradeoff relation between security level (adversarial assumptions) and usability (performances of key rate and distance). Based on our results, one can select appropriate schemes according to the use cases, the performance and security requirements: for higher security even against the active attack, DPS-QKD should be only the solution; for longer transmission distance and higher secure key rate, LoS-QKD or FSO-PLS could be an option. We believe that such a hybrid secret key agreement system is possible because these secret key agreement schemes can be implemented with almost the same technological platform.

Data availability statement
No new data were created or analysed in this study.

Appendix A. Independence of variable x ⊕ x
Consider the state of pulse C after the X-basis and the parity measurement on the condition that x ⊕ x = c, and denote it by ρ [x⊕x =c] C for c = 0, 1. This conditional state is written as This implies that the random variable x ⊕ x is independent of the state of the optical pulse C, and hence of any random variable W generated by accessing the pulse C.

Appendix B. Relation between actual protocol and virtual protocol
We assume that the probability Pr(C PA |N 1 , N 2 ) is related to the probability Pr(C PA |N 1 , N 2 ) in actual protocol by where I N denotes the identity matrix of order N and O denotes the N 2 × (N 1 − N 2 ) zero matrix. This ensures that, given N sift and N fin , the announcement of C PA in actual protocol and that in virtual protocol are equivalent. We then focus on virtual protocol and analyze Alice's procedure of emitting optical pulses, receiving (D sift , D test ) from Bob, announcing (κ test A , C PA ), and creating the final key κ fin A . Since the Z-rotations in step 11 do not affect the Z-basis measurement in step 12, step 11 is redundant. Since the CNOT gates in step 9 and the unitary operation in step 10 are permutations in the Z-basis, step 8 is also redundant. Then, by comparing steps 1, 7, 9, 10, and 12 of virtual protocol and steps 1, 5, and 7 of actual protocol under assumption 1 and the source equivalence discussed in subsection 4.3, it is easy to see that Alice's procedure is the same in the two protocols.
We next investigate the equivalence of Bob's procedure of announcing (D sift , D test , κ test B ). Since step 8 is already found to be redundant, the outcome x i of parity measurement can be discarded. Then, action of the parity measurement on the optical pulse is equivalent to random phase modulation (0 or π) as shown in equation (28). Assumption 3 on phase insensitivity of the main channel further implies that we may assume the random phase modulation is applied after the main channel E main . This has two implications. One is that the parity measurements do not affect the detection pattern D, thanks to assumption 4 on the detection phase insensitivity. It is also easy to confirm that D test can be regarded as a Bernoulli sampling from D. Thus, D sift and D test are equivalent in the two protocols. Another implication is that the parity measurements do not affect the pulses for P test, all . Since κ test B is generated from measurements only involving the pulses for P test, all , κ test B is also equivalent in the two protocols. From the above, we conclude that virtual protocol leads to the same probability Pr(N fin ) and the same final states ρ fin AE|N fin as actual protocol, which is true for any attack strategy to actual protocol.

Appendix C. Rigorous analysis of statistics in estimation protocol
As can be seen from steps 7 and 8 of estimation protocol, the statistics of various bits in e := (e i ) i∈D sift are quite different for i ∈ P test, all and for i / ∈ P test, all . Our first goal is thus to find a lower bound on the size of set in terms of variables available also in actual protocol. Since |D 0 | = N sift − |D 0 | with we focus on the size of D 0 . Since D sift ∩ D test, all = ∅, we see from equation (35) that We also define a shifted version of D 0 by It is obvious that |D 0 | = |D 0 |. A subset D sift ∩ D test ⊂ D 0 implies two consecutive successful detection events with the earlier one assigned to D sift and the other one to D test . This subset is available in actual protocol and its size is We thus only need to estimate the number of the remaining elements in D 0 , namely, the size of Since D test = D ∩ D test, all , we can rewrite D 1 as and its size N cand := |D sift \D| (C. 10) are available in actual protocol.
To derive a bound on |D 1 |, notice that D cand is uniquely determined from D and D test . We denote that relation as D cand = f (D, D test ). Then, for any sets S 0 , S 1 and S 2 with S 0 = f(S 1 , S 2 ), we have Since The set T ph in virtual protocol and estimation protocol is constructed as follows. A set D rec with |D rec | = N L rec is chosen such that D rec ⊂ D 0 if N L rec |D 0 |, and D rec ⊂ D sift otherwise. From this set, we define a weight of an N sift -bit sequence s = (s i ) i∈D sift by w(s; D rec ) := i∈D rec s i . (C.20) From the property of the source given in equation (34)   Also, in the information reconciliation step of the key-distillation processing, we adopt the reverse reconciliation where Bob provides Alice with information on his sifted key κ B via the authenticated public channel. Therefore, the asymptotic key rate formula for FSO-PLS is given as where I(·; ·) denotes the Shannon mutual information, and X, Y, and Z are the random variables at Alice, Bob, and Eve, respectively. The first term of equation (F.1) corresponds to the information rate shared by Alice and Bob after the reconciliation and the second term of equation (F.1) corresponds to the information rate leaked to Eve in the reverse reconciliation [33]. .

(F.2)
In the equation, P X (x) denotes the input probability of Alice's bit, and P X (0) = P X (1) = 1/2 since Alice sends a random bit sequence. Also, W B (y|x) denotes the transition probability of the main channel. Since the bit detection failure and the bit error occur in the main channel, the main channel is modeled into the where P Y (y) denotes the probability of Bob's bit and W EB (z|y) denotes the transition probability of the channel from Bob to Eve. Since Bob's bits are output of the main channel which takes Alice's bit as an input, P Y (y) is given as The channel from Bob to Eve is the concatenation of the channel from Bob to Alice and the wiretapper channel, as shown in figure F2(b). The channel from Bob to Alice is the reverse version of the main channel, and its transition probabilities W AB (x|y) are calculated as Now, we compare the asymptotic key rate of two schemes. Figures F3(a) and (b) show the asymptotic key rates R K,A and the mean photon number μ A of the input pulses for LoS-QKD (red lines) and FSO-PLS (blue lines), respectively. The asymptotic key rate of the FSO-PLS is also characterized by the loss-independent and noise-limited regions. Actually, the behaviors of the optimized mean photon number μ A are almost the same between these schemes. However, the plateau of the loss-independent region of FSO-PLS is wider than that of LoS-QKD. This is because μ A can be larger in FSO-PLS than in LoS-QKD owing to the additional assumption that Eve's apparatus is explicitly specified. Moreover, R K,A of the PLS (SKA) monotonically decreases and never drops as opposed to LoS-QKD, because the PLS (SKA) adopts the reverse reconciliation scheme.
Thus by specifying Eve's detection strategy as the similar kind as Bob's one, we can further improve the performances in the noise-limited region. If, however, users should worry about possibilities of store-now-and-decrypt-later attacks using future quantum technologies including quantum memory and so on, then LoS-QKD is recommended.